Download your Drupal site without server access

Recently I've had some clients come to me because their previous developer just kind of dropped out of sight. This happens every now and then when you rely on one-person shops. It's also familiar to me on a personal level: a vanishing dev is largely why I got into this line of work again in the early 2000s, after a few years' hiatus. The problem in these recent cases was complicated because not only did this dev build the sites, but also hosted them. This meant that, for one (live) site, no much-needed code or template changes were possible, and another (dev) site couldn't launch. Pretty big problems.

It is, however, possible to retrieve both your codebase and your database from a Drupal install without having access to the server or the file system. And the fact that this is possible is also a security lesson. Here's how it works.

If you don't have enough admin privileges to enable modules and change permissions, however, stop right there. You need to be able to do these things:

  • enable the PHP filter module
  • allow some (trusted) role to use it, and make sure you have that role
  • create a content type, perhaps called "PHP page"
  • ... whose body is set to use the PHP filter

So, to retrieve your files and DB, just create a PHP page and use PHP commands to make the files and DB web-accessible. My approach was something like this. First, get the important files:

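<?php
// Archive the sites directory (settings, modules, themes, uploaded files).
system('tar czf /tmp/sites.tgz sites');
// Copy the archive into the public files directory so it can be downloaded.
system('cp /tmp/sites.tgz sites/default/files');
?>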

You can then download the tarball from domain.name.tld/sites/default/files/sites.tgz. The settings file will give you DB credentials, which you can use in your PHP page like so:

<?php
// Dump the database into the public files directory; -u passes the DB user.
system('mysqldump -uDB_USER -pDB_PASS DB_NAME > sites/default/files/DB.sql');
?>

And then download the database dump from domain.name.tld/sites/default/files/DB.sql. (Oh, and clean up after yourself by deleting those files in PHP again, assuming the site is publicly accessible.)

The security lesson? The PHP filter is all-powerful. Never, ever use it. You should never have to put PHP in content; take the extra 10 minutes and create a custom module or work with template.php.
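
Anything left behind in sites/default/files stays downloadable by anyone who knows or guesses the name. As an added example (not from the original post), this shell audit flags archives and database dumps in a public files directory by content as well as by name; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find leftover archives and database dumps in a public
# files directory. All sample data below is constructed.

# classify FILE: print "gzip", "sqldump" or "suspicious-name"; nothing if clean
classify() {
    # gzip magic bytes 1f 8b give away a tarball whatever it is named
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo gzip
    # mysqldump output starts with a "-- MySQL dump" (or MariaDB) banner
    elif head -n 5 "$1" | grep -Eq '^-- (MySQL|MariaDB) dump'; then
        echo sqldump
    else
        # otherwise fall back to the file name
        case "$1" in
            *.sql|*.tgz|*.tar|*.tar.gz|*.zip) echo suspicious-name ;;
        esac
    fi
}

# audit_files DIR: one "kind<TAB>path" line per finding, sorted by path
audit_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        kind=$(classify "$f")
        if [ -n "$kind" ]; then
            printf '%s\t%s\n' "$kind" "$f"
        fi
    done
}

# Constructed stand-in for sites/default/files
demo=$(mktemp -d)
printf '\037\213\010\000' > "$demo/sites.tgz"             # gzip header only
printf '%s\n' '-- MySQL dump 10.13' > "$demo/export.txt"  # renamed dump
printf '%s\n' 'quarterly report' > "$demo/report.txt"     # ordinary upload
audit_files "$demo"
rm -rf "$demo"
```

To check a real site, call audit_files with the path to its sites/default/files directory.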
