Hi – I am trying to configure a Drupal 7 or 8 instance on a Raspberry Pi to demonstrate to some of our customers how easy it is to exploit as a general push to get them to keep up to date with security issues.
Problem being it isn’t that easy to exploit – I have tried various versions of Drupal on Raspbian/Apache/MySQL/PHP – keeping everything as default as possible with clean URLs, but it is proving un-exploitable using the various Drupalgeddon 2 scripts/Metasploit for CVE-2018-7600 – I can see the exploit looks to be successful (I get a 200 returned) but the commands I send aren’t run.
I tried the same Drupal installs on an Intel CPU laptop running Ubuntu and was able to use the exploit with no issues.
So I have kind of narrowed it down to the ARM architecture or the Pi (although it could well be a lack of talent as well) – would anybody have any ideas why this may be?
We bought a couple of Pis precisely for this type of demonstration, so it would be good to make use of them.
Thanks for any suggestions.