CVE-2014-3704

EXPLOITED NUCLEI LAB

Drupal 7.0-7.31 - SQL Injection via Array Key in Database API

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2014-3704 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 11 public exploits from researchers including Stefan Horst, Dustin Dörr, Claudio Viviani, including a Metasploit module exploits/multi/http/drupal_drupageddon. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a pre-authentication SQL injection vulnerability in Drupal to inject a malicious serialized session payload, leading to remote code execution via session deserialization. The payload is delivered through a crafted cookie, bypassing authentication.

Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Exploits (11)

exploitdb WORKING POC VERIFIED
by Stefan Horst · phpwebappsphp
https://www.exploit-db.com/exploits/35150

This exploit leverages a pre-authentication SQL injection vulnerability in Drupal to inject a malicious serialized session payload, leading to remote code execution via session deserialization. The payload is delivered through a crafted cookie, bypassing authentication.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal < 7.32
No auth needed
Prerequisites: HTTPS URL of the target Drupal site · PHP environment to execute the script
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Dustin Dörr · phpwebappsphp
https://www.exploit-db.com/exploits/34993

This exploit leverages a SQL injection vulnerability in Drupal 7.x prior to 7.32 by crafting a malicious POST request to modify the admin user's password. The payload updates the admin password to a known hash, allowing authentication bypass.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Drupal core 7.x versions prior to 7.32
No auth needed
Prerequisites: Target must be running vulnerable Drupal version · Access to the target URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Claudio Viviani · pythonwebappsphp
https://www.exploit-db.com/exploits/34992

This exploit targets CVE-2014-3704, a SQL injection vulnerability in Drupal 7.x. It leverages the vulnerability to execute arbitrary SQL queries, potentially leading to authentication bypass or remote code execution.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Target must be running a vulnerable version of Drupal 7.x
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by stopstene · pythonwebappsphp
https://www.exploit-db.com/exploits/34984

This exploit leverages a SQL injection vulnerability in Drupal 7.x to reset the admin password by manipulating the 'name' parameter in a POST request. It uses the DrupalHash library to generate a valid password hash for the target user.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Target Drupal site URL · Desired username and password for the admin account
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Stefan Horst · phpwebappsphp
https://www.exploit-db.com/exploits/44355

This exploit leverages a pre-authentication SQL injection vulnerability in Drupal by crafting a malicious session cookie. It injects a UNION SELECT statement to create a session for a specified user ID, bypassing authentication.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal (versions prior to 7.32)
No auth needed
Prerequisites: HTTPS URL of the target Drupal site · User ID to impersonate (default is 1 for admin)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Neldeborg · remote
https://github.com/Neldeborg/Drupalgeddon-Python3

This is a Python3 rewrite of the original Drupalgeddon (CVE-2014-3704) exploit, which targets a pre-authentication SQL injection vulnerability in Drupal 7.x (7.0 to 7.31). The exploit creates a new administrator user by injecting malicious SQL into the 'name' parameter during login.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.0 to 7.31
No auth needed
Prerequisites: Target must be running vulnerable Drupal version (7.0-7.31) · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by happynote3966 · remote-auth
https://github.com/happynote3966/CVE-2014-3704

This is a Python-based exploit for CVE-2014-3704, a SQL injection vulnerability in Drupal 7.x. It automates the exploitation process by crafting malicious requests to extract user credentials and gain unauthorized access.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Target URL with vulnerable Drupal installation · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by fbm31 · poc
https://github.com/fbm31/Audit-BlackBox-Web-to-Root

This repository contains a functional Python exploit for CVE-2014-3704 (Drupalgeddon), which performs SQL injection to create an admin user in Drupal 7.x. It includes a detailed writeup of a black-box audit leading to root access via additional misconfigurations.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Drupal 7.x installation with vulnerable API · Network access to target web server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by joaomorenorf · remote
https://github.com/joaomorenorf/CVE-2014-3704

This is a Python-based exploit for CVE-2014-3704, a SQL injection vulnerability in Drupal 7.x. It includes functionality to generate random user agents and perform password hashing for Drupal 7, likely to facilitate authentication bypass or privilege escalation.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Target Drupal 7.x installation · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by AleDiBen · poc
https://github.com/AleDiBen/Drupalgeddon

This PoC exploits CVE-2014-3704 (Drupalgeddon) by injecting malicious cache entries into Drupal's form cache, leading to remote code execution via PHP deserialization and eval. It includes a reverse shell payload targeting a specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.x
No auth needed
Prerequisites: Target running vulnerable Drupal 7.x · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by SektionEins, WhiteWinterWolf, Christian Mehlmauer, Brandon Perry · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/drupal_drupageddon.rb

This Metasploit module exploits CVE-2014-3704 (Drupageddon), a SQL injection vulnerability in Drupal 7.0-7.31, to achieve remote code execution via two methods: form-cache PHP injection and user-post PHP injection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Drupal 7.0 - 7.31
No auth needed
Prerequisites: Drupal installation with vulnerable version (7.0-7.31) · Access to the Drupal login page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Drupal SQL Injection
HIGHby princechaddha
Shodan: http.component:"drupal" || cpe:"cpe:2.3:a:drupal:drupal"

References (17)

Core 17
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2014-005
Exploit, Mailing List, Patch, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Oct/75
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/533706/100/0/threaded
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34984
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/35150
Exploit, Mailing List, Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/10/15/23
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59972
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34992
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-3051
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70595
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34993
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/113371
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html

Scores

EPSS 0.9437
EPSS Percentile 100.0%

Lab Environment

COMMUNITY
Community Lab
docker pull vulhub/drupal:7.31
+3 more repos

Details

VulnCheck KEV 2021-04-12
CWE
CWE-89
Status published
Products (2)
debian/debian_linux 7.0
drupal/drupal 7.0 - 7.32
Published Oct 16, 2014
Tracked Since Feb 18, 2026