When exploiting Drupal, the following are the attack vectors that we need to keep in mind:
- Enumerating Drupal users for brute-force attacks
- Exploiting Drupal via broken authentication (guessable passwords)
- Exploiting plugins, themes, or modules for arbitrary file disclosures and uploads, persistent Cross-Site Scripting (XSS), and more
- Exploiting Drupal core components for SQL injection and Remote Code Execution (RCE)
For different versions of Drupal, there are different public exploits that can be used. Sometimes, we can get access to a Drupal site using public exploits, and other times we have to change the exploits to make them work. It is always good practice to understand an exploit first and execute it later. Let's focus on the public exploits for Drupalgeddon2 for now.
