projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
8.14k stars 2.35k forks

drupal-files #9619

Closed ArjunChandarana closed 1 week ago

ArjunChandarana commented 3 weeks ago

Template Information:

Drupal CMS has many default files, a few of which are interesting: they can be used to identify that Drupal is being used as the CMS, and some accessible files disclose information about which plugins are in use and much more.

Nuclei Template:

id: drupal-files
info:
  name: Publicly Accessible Drupal Files
  author: ArjunChandarana
  severity: low
  metadata:
    verified: true
    shodan-query: http.component:Drupal

  tags: Drupal

requests:
  - method: GET
    path:
      - "{{BaseURL}}/sites/default/services.yml"
      - "{{BaseURL}}/contrib/views_data_export/README.md"
      - "{{BaseURL}}/core/install.php"
      - "{{BaseURL}}/core/INSTALL.txt"
      - "{{BaseURL}}/sites/README.txt"
      - "{{BaseURL}}/update.php"
      - "{{BaseURL}}/sites/default/settings.php"

    stop-at-first-match: false
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Views data export"
          - "Administer software update"
          - "parameters"
          - "Drupal"
          - "Installation"
          - "Requirements"
          - "app_root"
        condition: or

      - type: status
        status:
          - 200


ptyspawnbinbash commented 3 weeks ago

Weak matching with matchers-condition: or. Changing it to matchers-condition: and got me some valid results. Not sure if all the words in the matcher list are Drupal-specific, though.
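Added example, not part of the thread or the project's code: a small Python model of how nuclei combines matchers, run over constructed responses, to compare the template's `or` logic with the `and` variant mentioned above. The function names, the sample responses and the tighter `SERVICES_WORDS` list (keys assumed from Drupal's default.services.yml) are assumptions made for this illustration.

```python
# Added illustration: models nuclei's matcher combination logic so the effect of
# "matchers-condition: or" versus "and" can be compared on the same responses.

# Word list copied from the template in this issue.
TEMPLATE_WORDS = ["Views data export", "Administer software update", "parameters",
                  "Drupal", "Installation", "Requirements", "app_root"]

# Hypothetical tighter list for the services.yml path only (assumption: these
# keys appear in Drupal's default.services.yml).
SERVICES_WORDS = ["session.storage.options", "twig.config", "cors.config"]

# Constructed responses (status, body); not captured from any real host.
SAMPLES = {
    "unrelated 200 page": (200, "<h1>Welcome</h1><p>Our shop is open.</p>"),
    "404 page naming the CMS": (404, "Page not found - Powered by Drupal"),
    "non-Drupal docs page": (200, "Installation guide. Requirements: PHP 8"),
    "exposed services.yml": (200, "parameters:\n  session.storage.options:\n"
                                  "    gc_maxlifetime: 200000\n  twig.config:\n"
                                  "    debug: false\n  cors.config:\n"
                                  "    enabled: false\n"),
}


def word_matcher(body, words, condition="or"):
    """Word matcher on the body; matching is case-sensitive, as in nuclei's default."""
    hits = [w in body for w in words]
    return all(hits) if condition == "and" else any(hits)


def evaluate(status, body, words, word_condition, matchers_condition):
    """Combine the word matcher and the status-200 matcher as the template does."""
    results = [word_matcher(body, words, word_condition), status == 200]
    return all(results) if matchers_condition == "and" else any(results)


def run(words, word_condition, matchers_condition):
    """Return the names of the sample responses the configuration would flag."""
    return sorted(name for name, (status, body) in SAMPLES.items()
                  if evaluate(status, body, words, word_condition, matchers_condition))


if __name__ == "__main__":
    print("or / or  :", run(TEMPLATE_WORDS, "or", "or"))
    print("or / and :", run(TEMPLATE_WORDS, "or", "and"))
    print("and / and:", run(SERVICES_WORDS, "and", "and"))
```

With `or` at both levels every sample is flagged, including the unrelated 200 page; switching only `matchers-condition` to `and` still flags the non-Drupal page because of the generic words in the list.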

GeorginaReeder commented 3 weeks ago

Thanks so much for this @ArjunChandarana , we'll take a look into it!

ArjunChandarana commented 3 weeks ago

Thanks team, let me know if it requires modification. Would be happy to help.

DhiyaneshGeek commented 3 weeks ago

Hi @ArjunChandarana , we already have these default files under these templates

http/technologies/drupal-detect.yaml

http/misconfiguration/installer/drupal-install.yaml

/update.php - Access denied (since it requires an account to log in)

/sites/default/services.yml - Blank page with no information.

/sites/default/settings.php - variable undefined error

Only the endpoints mentioned below are already present:

      - "{{BaseURL}}/core/install.php"
      - "{{BaseURL}}/core/INSTALL.txt"
      - "{{BaseURL}}/sites/README.txt"

Looking forward to hearing back from you

Thanks

ArjunChandarana commented 3 weeks ago

Hi @DhiyaneshGeek, thanks for checking on this. During my testing phase I was able to get output for the /sites/default/services.yml endpoint with some of the information, and this would vary from target to target. Regarding the /sites/default/settings.php endpoint, I was able to get an error, but sometimes it would be possible to get a default settings.php page. And for the /update.php endpoint, it was possible to get a response saying that it requires elevated privileges such as Administrator, which confirms that multiple user roles exist.

DhiyaneshGeek commented 3 weeks ago

Hi @ArjunChandarana, what kind of information is exposed in these files?

If there is some sensitive information exposed, we can consider having a template.

The existing template detects the default files, as I mentioned already.

Looking forward to hearing back from you

Thanks

ArjunChandarana commented 3 weeks ago

Hi @DhiyaneshGeek, to my observation and understanding, this file generally contains configuration-related information, including session-related configurations, twig-related configurations, and which protocols are allowed and which are filtered. Additionally, some CORS-related configuration is disclosed. But this file may contain additional information about the target's configuration, which varies from target to target.

ArjunChandarana commented 3 weeks ago

Also, the "{{BaseURL}}/core/INSTALL.txt" endpoint was not found in the above 2 templates. Could you please check on that as well?

DhiyaneshGeek commented 3 weeks ago

Hi @ArjunChandarana , we can update the existing template and add /core/INSTALL.txt and co-author you there 😄

What do you think about it ?

Thanks

ArjunChandarana commented 3 weeks ago

Hey @DhiyaneshGeek, that would be great and much appreciated 😁. I was also thinking out loud: why miss any default files which might have some relevant information about the host? If we can add the sites/default/services.yml endpoint to that, it would be great. Additionally, if we can go ahead and create a template regarding improper error handling for this endpoint: /sites/default/settings.php - variable undefined error. 👀

Thanks much !

DhiyaneshGeek commented 3 weeks ago

Hi @ArjunChandarana

We also have a Discord server, which you’re more than welcome to join. It's a great place to connect with fellow contributors and stay updated with the latest developments!

I'll update the existing template and let you know

Thanks

DhiyaneshGeek commented 1 week ago

Hi @ArjunChandarana, we examined this further and found that the existing templates detect the Drupal default files.

Adding /core/INSTALL.txt and /sites/default/services.yml will increase the number of requests sent.

So we are closing this issue.

Thanks