Comments (4)
On the target, SSH in, then do something like (btw, this is a REALLY BAD IDEA IN PRODUCTION):
chown -R www-data:www-data /var/www/html/
chmod -R 0777 /var/www/html/
Not sure exactly how you set it all up.
For me:
$ ssh root@<REMOVED>
Last login: Wed Apr 18 11:39:52 2018 from <REMOVED>
root@ubuntu140045x64-drupal:~# cd /var/www/html/
root@ubuntu140045x64-drupal:/var/www/html#
root@ubuntu140045x64-drupal:/var/www/html# ls
drupal-7.55 drupal-7.55.tar.gz drupal-7.57 drupal-7.57.tar.gz drupal-8.4.5 drupal-8.4.5.tar.gz index.html
root@ubuntu140045x64-drupal:/var/www/html#
root@ubuntu140045x64-drupal:/var/www/html# chown -R www-data:www-data /var/www/html/
root@ubuntu140045x64-drupal:/var/www/html#
root@ubuntu140045x64-drupal:/var/www/html# chmod -R 0777 /var/www/html/
root@ubuntu140045x64-drupal:/var/www/html#
root@ubuntu140045x64-drupal:/var/www/html# chown -R www-data:www-data /var/www/html/
root@ubuntu140045x64-drupal:/var/www/html#
root@ubuntu140045x64-drupal:/var/www/html# ls -l
total 19520
drwxrwxrwx 9 www-data www-data 4096 Apr 18 15:08 drupal-7.55
-rwxrwxrwx 1 www-data www-data 3277355 Jun 7 2017 drupal-7.55.tar.gz
drwxrwxrwx 9 www-data www-data 4096 Apr 18 14:28 drupal-7.57
-rwxrwxrwx 1 www-data www-data 3279405 Feb 21 17:45 drupal-7.57.tar.gz
drwxrwxrwx 8 www-data www-data 4096 Apr 18 15:08 drupal-8.4.5
-rwxrwxrwx 1 www-data www-data 13414036 Feb 21 17:42 drupal-8.4.5.tar.gz
-rwxrwxrwx 1 www-data www-data 0 Apr 18 12:58 index.html
root@ubuntu140045x64-drupal:/var/www/html#
TL;DR
- Log in
- Move to the web root
- Set web user (e.g. www-data) to own the web folders
- Allow everyone & anyone to read/write/execute all the web root folders
from drupalgeddon2.
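For the production side of the warning in the comment above, an added example (not part of the thread or of the drupalgeddon2 project): shell functions that list what the web server account can write under a web root and strip the group/other write bits. The function names are hypothetical; the path and account are passed as arguments, with `/var/www/html` and `www-data` being the values from the comment.

```shell
#!/usr/bin/env bash
# Added example. Path and account names are parameters; the thread's values
# would be /var/www/html and www-data.

# Entries any local account can modify (o+w). Symlinks are skipped: on Linux
# their own mode is always 0777 and is not used for access checks.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Entries the web server account can modify: owned by it with u+w, in its
# group with g+w, or world-writable. $2 = user (name or uid), $3 = group.
web_writable() {
    find "$1" ! -type l \( \
        \( -user "$2" -perm -0200 \) -o \
        \( -group "$3" -perm -0020 \) -o \
        -perm -0002 \) -print
}

# Number of lines a listing function prints (a path containing a newline
# would be counted more than once).
count() {
    "$@" | wc -l | tr -d ' '
}

# Drop group/other write (and file execute bits): directories 0755, regular
# files 0644. Ownership is left alone, so owner-writable entries stay writable.
lock_down() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}
```

Run as root, for example `web_writable /var/www/html www-data www-data`. Entries still listed after `lock_down` are writable through ownership and need a `chown` to a non-web account, apart from the directories the application has to write to.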
You can now use drupalgeddon-not-write-shell.rb, which does not require write permissions to work.
from drupalgeddon2.
This is what I get when I run the drupalgeddon-not-write-shell.rb before changing my permissions on my drupal 8.4.5:
This is what I get on my drupal 8.5.0:
Something must be weird with my setup...
Also there was a typo on line 70: http.request(req) needs to be @http.request(req).
from drupalgeddon2.
Please do not hijack other people's issues.
Closing as @jedthe3rd hasn't replied.
Feel free to re-open this issue if required.
from drupalgeddon2.