Monday, 25 March 2019

Creating evil module for Drupal

During a few pentests I saw that Drupal was installed on the remote box. I was wondering if there is a way to get a shell when we already have the admin's credentials. Below you will find a way that worked for me a few times. Here we go...

Let's say you already have credentials for the Drupal admin panel:

The next thing you'll need is to prepare your 0wn module.

You can find out how to do it by reading these pages [1, 2, 3], but below you'll find a few hints from me:

Let's start by creating a new directory where we will place our module files; mine was called sample_module2.

We will need to create 3 files inside that dir:

- form_example.info
- form.example.module
- form_example.module



The next thing to do is to zip this module directory and move the archive file to our web root directory so it can be downloaded later:


Now we will install our new module:



Let's "install from a URL":


Now our example module is ready to use:


Let's enable it if needed:

Looks good:


Our example form is ready to use:


We need to add an 'x' parameter with our command as a value and click to run the code:



Checking:


'Click Here!'


As you can see, you now have a valid basic webshell. :)

Remember to use it only during legal pentests.
Other cool places where you can try to use your newly created module are described here. ;)
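
For the defending side of the steps above, here is one way to audit a Drupal modules directory for a module that feeds a request parameter (like the 'x' parameter used here) into command execution. This is an added example, not code from the original post; the sink list, file extensions and severity labels are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumed sink list: PHP functions that run OS commands or evaluate code.
SINK_CALL = re.compile(
    r"(?<![\w>$])(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(",
    re.I,
)
# Request-controlled input, such as the 'x' parameter used in the post.
SOURCE_USE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Assumed set of file extensions that hold PHP code in a module directory.
PHP_SUFFIXES = {".module", ".inc", ".install", ".php"}


def scan_file(path):
    """Return (line_no, severity, text) for each suspicious call in one file."""
    text = Path(path).read_text(errors="replace")
    file_has_source = bool(SOURCE_USE.search(text))
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not SINK_CALL.search(line):
            continue
        if SOURCE_USE.search(line):
            severity = "high"      # request data passed straight into a sink
        elif file_has_source:
            severity = "medium"    # sink and request data in the same file
        else:
            severity = "low"       # sink only; review by hand
        findings.append((line_no, severity, line.strip()))
    return findings


def scan_modules(root):
    """Walk a modules directory and map each flagged file to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in PHP_SUFFIXES:
            findings = scan_file(path)
            if findings:
                results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Usage: python scan_modules.py <modules-dir>
    for name, findings in scan_modules(sys.argv[1]).items():
        for line_no, severity, text in findings:
            print(f"{severity:6} {name}:{line_no}: {text}")
```

Line-based matching misses obfuscated or multi-line calls, so treat a clean result as a first pass and also review which modules were recently installed or enabled through the admin panel.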

See you next time.

Cheers


