Drupal Warns of Two Critical Vulnerabilities

Drupal warned of two moderately critical vulnerabilities that allow attackers to overwrite data and inject disallowed values.

CVE-2018-7600 Drupal RCE


Let’s go for some fun exploiting time.
First, I will download a PoC for this vulnerability from GitHub (CVE-2018-7600 Drupal RCE).
I will make minor changes to this PoC to show you alternative methods:

1. Changing the PoC to get an interactive reverse shell

2. Using the wget command to download a PHP shell file hosted on the attacker machine, which prints a simple web shell that is then saved on the Drupal server by the wget command. This technique is used because wget actually saves the result after the rendering process that happened on the application server, not the script itself.

3. Doing it manually using HackBar. The exploitation of this vulnerability is based on a POST request, injecting one of its parameters with a system command.

Drupal 7.x and 8.x Vulnerability


Security in Drupal: what can go wrong?


Let’s “get off the island” and look at Drupal security from the point of view of an outsider.

The OWASP Top Ten is an industry standard list of the most common vulnerabilities that can affect web sites. This session will start with an overview of the Top Ten, and then take a more detailed look at a few of these vulnerabilities. We will review some actual Drupal security advisories:

What the vulnerability looks like
How the Drupal security team communicates the problem
The code that was updated to fix the problem
The presenter is a provisional member of the Drupal security team.

Presenter
Benji Fisher

https://www.drupalcampnj.org/sessions/security-drupal-what-can-go-wrong

Security in Drupal: what can go wrong?


Let’s “get off the island” and look at Drupal security from the point of view of an outsider.

The OWASP Top Ten is an industry standard list of the most common vulnerabilities that can affect web sites. This session will start with an overview of the Top Ten, and then take a more detailed look at a few of these vulnerabilities. We will review some actual Drupal security advisories:

What the vulnerability looks like
How the Drupal security team communicates the problem
The code that was updated to fix the problem
Only a few of the slides fall under the last bullet point. You do not need to be a developer to appreciate the rest.

The audience for security is “all of the above”, or it should be. Owners care if their sites are hacked, or if information is stolen. Builders and administrators need to know and follow best practices. Developers and project managers have to think about what can go wrong.

This session will help teach you about good “web hygiene” and what you can do to make your site more secure. It will also help you recognize when you need to rely on an expert.

Benji Fisher
Senior Developer
I have been working with Drupal since 2012, and I have contributed to open source software for longer than that. I am an active member of the Drupal community:

member of the Drupal security team
co-maintainer of the migration subsystem in Drupal core (Migrate API)
member of the Drupal usability team
I choose to work with Drupal, and other open-source software, because I hate the idea of duplicated effort. When I solve a problem, I want to share my solution so that no one else has to struggle with it.

https://www.midcamp.org/2023/topic-proposal/security-drupal-what-can-go-wrong
