Droopescan is a plugin-based scanner that aids security researchers in identifying issues with Drupal, SilverStripe, WordPress, Joomla (version enumeration & interesting URLs only), and Moodle (plugin & theme very limited).
Installation
Installation is easy using pip:
apt-get install python-pip
pip install droopescan
Manual installation is as follows:
git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help
Features:
- Scan Types
- p — Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed on the target host.
- t — Theme checks: As above, but for themes.
- v — Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
- i — Interesting URL checks: Checks for interesting URLs (admin panels, readme files, etc.)
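The version check above narrows the version set by hashing a handful of static files and intersecting the versions known to ship each hash. The block below is an added illustration of that idea and is not droopescan's code or fingerprint data: the file table, hashes and versions are constructed here, and a file whose hash matches no known version is simply not counted as evidence, which is also why a site running an unreleased build yields no candidates at all.

```python
import hashlib
from typing import Dict, List, Optional


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed fingerprint table (placeholder, not droopescan's real data):
# path -> md5 of the file body -> versions that ship exactly that body.
FINGERPRINTS: Dict[str, Dict[str, List[str]]] = {
    "misc/drupal.js": {
        md5(b"drupal.js body A"): ["7.29", "7.30", "7.31"],
        md5(b"drupal.js body B"): ["7.32", "7.33", "7.34"],
    },
    "misc/ajax.js": {
        md5(b"ajax.js body A"): ["7.29", "7.30"],
        md5(b"ajax.js body B"): ["7.31", "7.32", "7.33", "7.34"],
    },
    "CHANGELOG.txt": {
        md5(b"changelog for 7.31"): ["7.31"],
        md5(b"changelog for 7.34"): ["7.34"],
    },
}


def candidate_versions(fetched: Dict[str, Optional[bytes]]) -> List[str]:
    """Intersect the version sets implied by every fetched file.

    fetched maps path -> response body, or None when the file was missing (404).
    Files that were missing, or whose hash is unknown (modified or unreleased
    build), contribute nothing; if no file matched, the result is empty.
    """
    candidates: Optional[set] = None
    for path, body in fetched.items():
        if body is None:
            continue
        versions = FINGERPRINTS.get(path, {}).get(md5(body))
        if versions is None:
            continue
        candidates = set(versions) if candidates is None else candidates & set(versions)
    if not candidates:
        return []
    # Sort numerically so "7.10" lands after "7.9" rather than before it.
    return sorted(candidates, key=lambda v: tuple(int(x) for x in v.split(".")))
```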
- Target Specification
droopescan scan drupal -u example.org
droopescan scan -u example.org
droopescan scan drupal -U list_of_urls.txt
droopescan scan -U list_of_urls.txt
The code block below contains an example list of URLs, one per line:
http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/
A URL file may also contain, on each line, a URL followed by a value to override the default Host header with, separated by tabs or spaces. This is handy when scanning a large range of hosts where you want to avoid unnecessary DNS queries. For example:
192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/ example.org
It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for WordPress), but the official sites rarely run vanilla installations of their respective CMS, or do unorthodox things. For example, wordpress.org runs the bleeding-edge version of WordPress, which droopescan will not identify as WordPress at all, because the checksums do not match any known WordPress version.
- Authentication
The application fully supports .netrc files and http_proxy environment variables.
Use a .netrc file for basic authentication. An example netrc file (a file named .netrc placed in the root of your home directory) could look as follows:
machine secret.google.com login [email protected] password Winter01
You can set the http_proxy and https_proxy variables. These let you point droopescan at a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp):
export http_proxy='user:password@localhost:8080'
export https_proxy='user:password@localhost:8080'
droopescan scan drupal --url http://localhost/drupal
WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates.
- Output
{
  "themes": {
    "is_empty": true,
    "finds": []
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https://www.drupal.org/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https://www.drupal.org/user/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https://www.drupal.org/sites/all/modules/views/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}
$ droopescan scan drupal -U six_and_above.txt -e v
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
{"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
{"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
{"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
{"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
{"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
{"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
{"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
{"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
{"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
{"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
{"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
{"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
{"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
{"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
{"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
{"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
{"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
{"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
{"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
{"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
{"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
{"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
{"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
{"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
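When scanning a list of hosts, the one-object-per-line output above is what you feed into inventory or patch tracking. The block below is an added example, not droopescan's own code, that parses such lines and reports each host whose newest candidate version is no newer than a baseline you supply (the baseline and the sample lines are constructed placeholders); the version comparison is numeric so that "7.10" is not ordered before "7.9", and hosts with no version finds are returned as needing manual review.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of multi-target output (the "host" key is present when
# scanning with -U); the hosts and versions here are made up.
SAMPLE_OUTPUT = """\
[+] Some status line that is not JSON and must be skipped
{"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
{"host": "http://localhost/drupal-7.3x/", "version": {"is_empty": false, "finds": ["7.32", "7.33", "7.34"]}}
{"host": "http://localhost/unknown/", "version": {"is_empty": true, "finds": []}}
"""


def version_key(v: str):
    # Numeric parts compare as integers; non-numeric parts ("rc1") sort below any number.
    parts = []
    for p in v.replace("-", ".").split("."):
        parts.append((1, int(p)) if p.isdigit() else (0, p))
    return tuple(parts)


def parse_lines(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # progress and status lines are not JSON
        records.append(json.loads(line))
    return records


def hosts_at_or_below(text: str, baseline: str) -> Dict[str, Optional[str]]:
    """host -> newest candidate version when every candidate is <= baseline,
    or None when no version could be determined (needs manual review).
    A host with any candidate newer than the baseline is left out, since the
    scan alone cannot show it is outdated."""
    out: Dict[str, Optional[str]] = {}
    for rec in parse_lines(text):
        host = rec.get("host", "(single target)")
        finds = rec.get("version", {}).get("finds", [])
        if not finds:
            out[host] = None
            continue
        newest = max(finds, key=version_key)
        if version_key(newest) <= version_key(baseline):
            out[host] = newest
    return out
```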
- Debug
computer:~/droopescan# droopescan scan silverstripe -u http://localhost -n 10 -e p --debug-requests
[head] http://localhost/framework/... 403
[head] http://localhost/cms/css/layout.css... 404
[head] http://localhost/framework/css/UploadField.css... 200
[head] http://localhost/misc/test/error/404/ispresent.html... 404
[head] http://localhost/widgetextensions/... 404
[head] http://localhost/orbit/... 404
[head] http://localhost/sitemap/... 404
[head] http://localhost/simplestspam/... 404
[head] http://localhost/ecommerce_modifier_example/... 404
[head] http://localhost/silverstripe-hashpath/... 404
[head] http://localhost/timeline/... 404
[head] http://localhost/silverstripe-hiddenfields/... 404
[head] http://localhost/addressable/... 404
[head] http://localhost/silverstripe-description/... 404
[+] No plugins found.
[+] Scan finished (0:00:00.058422 elapsed)
The --debug parameter also exists and may be used to debug application internals.
- Stats
droopescan stats
Functionality available for 'drupal':
- Enumerate plugins (XXXX plugins.)
- Enumerate themes (XXXX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)
Functionality available for 'joomla':
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)
Functionality available for 'wordpress':
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.X, X.X.X, X.X.X.)
Functionality available for 'silverstripe':
- Enumerate plugins (XXX plugins.)
- Enumerate themes (XX themes.)
- Enumerate interesting urls (X urls.)
- Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)