Drupalgeddon

This repository is a penetration testing lab focused on exploiting a vulnerable Drupal 7.x installation (CVE-2014-3704, also known as Drupalgeddon). The main exploit is a Python script (script/exploit-drupal-cve-2014-3704.py) that performs a SQL injection attack against a Drupal 7.x instance, allowing the attacker to create a new administrator user and assign admin privileges. The script requires the attacker to specify the target URL, desired username, and password for the new admin account. The README.md provides a detailed walkthrough of the attack chain, including initial reconnaissance, exploitation of the SQL injection, post-exploitation steps (such as obtaining a reverse shell via the PHP Filter module and escalating privileges to root), and recommendations for remediation. The exploit is operational and demonstrates a full compromise of a vulnerable Drupal 7.x system. The only code file is the Python exploit script, which targets the web interface of the Drupal installation via HTTP POST requests.

This repository contains a Python 3 exploit script (CVE-2014-3704.py) targeting the Drupal 7.x SQL injection vulnerability (CVE-2014-3704, also known as 'Drupalgeddon'). The exploit allows a remote attacker to create a new administrator user on a vulnerable Drupal 7.x site by sending a specially crafted HTTP POST request to the user login form. The script generates a Drupal-compatible password hash, constructs a malicious SQL injection payload, and submits it to the target site. If successful, it reports the creation of the new admin user and provides the credentials. The repository also includes a README.md with usage instructions and a LICENSE file. The main exploit file is self-contained, does not rely on external frameworks, and demonstrates a practical, operational exploit for this critical vulnerability.

This repository contains a Python 3 proof-of-concept exploit for CVE-2014-3704 (Drupalgeddon), targeting Drupal 7.x versions 7.0 through 7.31. The exploit leverages a pre-authenticated SQL injection vulnerability to create a new administrator user on the target Drupal instance. The main file, 'drupalgeddon.py', is a direct port of a well-known exploit to Python 3, requiring the attacker to specify the target URL, desired username, and password for the new admin account. The script constructs a malicious POST request to the Drupal login endpoint, injecting SQL commands to insert a new user and assign administrative privileges. The README provides background on the vulnerability and usage instructions. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit is a functional POC and does not include advanced features or payload customization.