Drupal
Tips & Tricks
# Manual user enumeration
# Step 1 : check for existing user
# 403 --> User exist
# 404 --> User doesn't exist
https://www.site.com/user/x
# Then you can get username
https://www.site.com/reset/user/x/1/1
Droopescan
# Not Drupal specific but can work too (Wordpress, SilverStripe, Joomla, Moodle, Drupal)
droopescan --help
droopescan scan --help
# Target Identification
droopescan scan drupal -u example.org
droopescan scan drupal -U list_of_urls.txt
# You can also ommit the drupal argument, so it will trigger the cms identification
droopescan scan -u example.org
droopescan scan -U list_of_urls.txt
# Scan types
# By default, most of the time, 4 threads
droopescan scan drupal -u example.org --number xxx --threads xxx
# By default, all tests are done, but you can specify some manually
# - p : plugin checks
# - t : theme checks
# - v : version checks (files checksums)
# - i : interesting urls checks
droopescan scan drupal -u example.org --enumerate <type>
# Getting stats and capabilities for the scanner
droopescan stats
Drupwn
# Scanner and complete tool for Drupal 6 and 8
drupwn -h
____
/ __ \_______ ______ _ ______
/ / / / ___/ / / / __ \ | /| / / __ \
/ /_/ / / / /_/ / /_/ / |/ |/ / / / /
/_____/_/ \__,_/ .___/|__/|__/_/ /_/
/_/
usage: drupwn [-h] [--users] [--nodes] [--modules] [--dfiles] [--themes]
[--version VERSION] [--cookies COOKIES] [--thread THREAD]
[--range RANGE] [--ua UA] [--bauth BAUTH] [--delay DELAY]
[--log] [--proxy PROXY | --proxies PROXIES]
mode target
Drupwn aims to automate drupal information gathering.
positional arguments:
mode enum|exploit
target hostname to scan
optional arguments:
-h, --help show this help message and exit
--users user enumaration
--nodes node enumeration
--modules module enumeration
--dfiles default files enumeration
--themes theme enumeration
--version VERSION Drupal version
--cookies COOKIES cookies
--thread THREAD threads number
--range RANGE enumeration range
--ua UA User Agent
--bauth BAUTH Basic authentication
--delay DELAY request delay
--log file logging
--proxy PROXY [http|https|socks]://host:port
--proxies PROXIES Proxies file
# Attempt to detect version of Drupal Core
# Find Plugins in HTML response
# Identify theme in use
# List client side JS in page
# List iframes in page
# Test for directory indexing enabled on key locations
# Check Google Safe Browse for reputation
# Get IP information and Geolocation
https://hackertarget.com/drupal-security-scan/