# Hacktricks-skills: drupal-pentest

How to perform security assessments and penetration testing on Drupal websites. Use this skill whenever the user mentions Drupal, wants to enumerate a Drupal site, check for Drupal vulnerabilities, test Drupal security, or perform any kind of Drupal penetration testing. This includes version detection, user enumeration, module discovery, RCE exploitation, and post-exploitation activities on Drupal installations.

```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Skill file: `skills/network-services-pentesting/pentesting-web/drupal/drupal/SKILL.MD`

# Drupal Penetration Testing

A comprehensive guide for security testing Drupal websites, from discovery through post-exploitation.
## Discovery

### Check Drupal Meta Tags

Verify if a site is running Drupal by checking meta tags:

```bash
curl https://www.drupal.org/ | grep 'content="Drupal'
```
### Node Enumeration

Drupal indexes content using nodes. Pages are typically at `/node/<nodeid>`:

```bash
curl drupal-site.com/node/1
```
## Enumeration

### Version Detection

Check for exposed changelog files:

```bash
# Print the first two lines of the changelog; the release line is at the top
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 ""
```

Note: Newer Drupal installations block access to CHANGELOG.txt and README.txt by default.
### Username Enumeration

Drupal has three default user types:

- Administrator - Complete control
- Authenticated User - Can log in and perform operations based on permissions
- Anonymous - Read-only access

Enumeration techniques:

- Sequential user IDs: Access `/user/1`, `/user/2`, `/user/3`, and so on, until errors indicate non-existent users
- Registration check: Visit `/user/register` and attempt to create a username - errors indicate taken names
- Password reset: Try resetting passwords - errors reveal whether users exist
### Hidden Page Discovery

Enumerate nodes by fuzzing numeric IDs:

```bash
# Check nodes 1-1000 for hidden content
for i in $(seq 1 1000); do
  curl -s drupal-site.com/node/$i | grep -q "content" && echo "Found: /node/$i"
done
```
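From the defender's side, the sequential `/user/N` and `/node/N` probing described in the two sections above leaves a distinctive trace in web server access logs: one client walking consecutive IDs with a high share of 403/404 responses. The following Python script is an added example (not part of the HackTricks skill or of Drupal) that flags that pattern. The log lines are constructed samples in combined log format, and the `min_run` threshold and alert fields are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /user/1 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /user/2 HTTP/1.1" 200 5010 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /user/3 HTTP/1.1" 404 1220 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /user/4 HTTP/1.1" 404 1220 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /user/5 HTTP/1.1" 404 1220 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:10:00:06 +0000] "GET /node/42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:06 +0000] "GET /node/7 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:02:00 +0000] "GET /node/1 HTTP/1.1" 200 7000 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:02:01 +0000] "GET /node/2 HTTP/1.1" 403 900 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:02:02 +0000] "GET /node/3 HTTP/1.1" 404 1220 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:02:03 +0000] "GET /node/4 HTTP/1.1" 404 1220 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:02:04 +0000] "GET /node/5 HTTP/1.1" 200 6400 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:02:05 +0000] "GET /node/6 HTTP/1.1" 404 1220 "-" "python-requests/2.31"
"""

# Minimal combined-log-format parser: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths that Drupal serves per numeric ID and that this guide shows being walked.
TARGET_RE = re.compile(r'^/(?P<kind>user|node)/(?P<id>\d+)/?$')


def parse_line(line):
    """Return {'ip', 'path', 'status'} for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (order-independent)."""
    present = set(ids)
    best = 0
    for start in present:
        if start - 1 in present:  # only count runs from their first element
            continue
        n, length = start, 0
        while n in present:
            n += 1
            length += 1
        best = max(best, length)
    return best


def detect_enumeration(lines, min_run=4):
    """Flag (ip, kind) pairs that requested at least min_run consecutive IDs.

    Each alert reports the request count, the longest consecutive ID run and the
    share of 403/404 responses, which separates a crawler following real links
    from a client guessing IDs that mostly do not exist.
    """
    hits = defaultdict(lambda: {"ids": [], "errors": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = TARGET_RE.match(rec["path"].split("?", 1)[0])
        if t is None:
            continue
        h = hits[(rec["ip"], t.group("kind"))]
        h["ids"].append(int(t.group("id")))
        h["total"] += 1
        if rec["status"] in (403, 404):
            h["errors"] += 1

    alerts = []
    for (ip, kind), h in sorted(hits.items()):
        run = longest_consecutive_run(h["ids"])
        if run >= min_run:
            alerts.append({
                "ip": ip,
                "kind": kind,
                "requests": h["total"],
                "longest_run": run,
                "error_ratio": round(h["errors"] / h["total"], 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above, the two scripted clients are reported (five consecutive `/user/` IDs and six consecutive `/node/` IDs, each with more than half of the responses being 403/404) while the browser that visited two unrelated nodes is not. Tune `min_run` to the site: a sitemap-driven crawler can also visit consecutive node IDs, but it will rarely accumulate a high error ratio.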
### Module Information Discovery

Check for exposed configuration files:

```bash
# Get installed modules info
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml

# Download exposed configuration files
curl https://example.com/config/sync/swiftmailer.transport.yml
```
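The same file paths that the version-detection and module-discovery sections above fetch by hand are what a site owner should verify are blocked after hardening. The following Python script is an added example (not from the HackTricks skill or from Drupal) that checks each path and reports whether it is served. The base URL `https://example.invalid` and the `fake_fetch` responses are constructed for offline demonstration; `http_status` is the real fetcher for use against a site you operate.

```python
import urllib.error
import urllib.request

# Paths this guide names as commonly exposed on misconfigured Drupal sites.
SENSITIVE_PATHS = [
    "/CHANGELOG.txt",
    "/README.txt",
    "/core/core.services.yml",
    "/config/sync/core.extension.yml",
    "/config/sync/swiftmailer.transport.yml",
]


def http_status(url, timeout=10):
    """Real fetcher: return the HTTP status code for a GET of url using urllib."""
    req = urllib.request.Request(url, headers={"User-Agent": "drupal-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 403/404 are the answers we want, not failures


def check_exposure(base_url, fetch=http_status, paths=SENSITIVE_PATHS):
    """Map each path to 'exposed' (200), 'blocked' (any other status) or 'unreachable'."""
    base = base_url.rstrip("/")
    results = {}
    for path in paths:
        try:
            status = fetch(base + path)
        except OSError:  # urllib.error.URLError is an OSError subclass
            results[path] = "unreachable"
            continue
        results[path] = "exposed" if status == 200 else "blocked"
    return results


def exposed_paths(results):
    """Sorted list of the paths a check reported as served with HTTP 200."""
    return sorted(p for p, r in results.items() if r == "exposed")


# Constructed fake fetcher for offline demonstration: simulates a site that
# blocks the .txt files and core.services.yml but still serves config/sync/.
def fake_fetch(url):
    if "/config/sync/" in url:
        return 200
    if url.endswith("core.services.yml"):
        return 403
    return 404


if __name__ == "__main__":
    report = check_exposure("https://example.invalid", fetch=fake_fetch)
    for path, state in report.items():
        print(f"{state:12s} {path}")
    print("exposed:", exposed_paths(report))
```

Note that a 200 on `/config/sync/` files means the configuration export directory is inside the web root and not protected; Drupal's own guidance is to keep that directory outside the document root, so a positive result here is a configuration finding rather than a code vulnerability.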
## Automated Scanning

### Droopescan

Use droopescan for automated Drupal vulnerability scanning:

```bash
droopescan scan drupal -u http://drupal-site.local
```
## Remote Code Execution (RCE)

If you have access to the Drupal web console, check for RCE vectors. Common Drupal RCE techniques include:

- Drupalgeddon2 (Drupal 7.x < 7.32)
- Drupalgeddon3 (Drupal 7.x < 7.32)
- Drupal 8/9/10 form builder vulnerabilities
- Template injection attacks
## XSS to RCE Escalation

### Drupalwned Tool

Drupalwned is an exploitation script that elevates XSS to RCE.

Supported versions: Drupal 7.X.X, 8.X.X, 9.X.X, 10.X.X

Capabilities:

- Privilege Escalation: Creates administrative users
- RCE via Template Upload: Uploads backdoored templates
## Post-Exploitation

### Extract Database Credentials

Find and parse `settings.php` for database credentials:

```bash
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```

### Dump User Database

Extract user data from the Drupal database:

```bash
mysql -u drupaluser --password='PASSWORD' -e 'use drupal; select * from users'
```
## Best Practices

- Always verify Drupal version before attempting exploits - vulnerabilities are version-specific
- Check for exposed configuration files - misconfigured Drupal sites often leak sensitive data
- Use automated scanners like droopescan for initial reconnaissance
- Document findings - track which nodes, users, and modules you discover
- Test responsibly - only test systems you have authorization to assess
## Common Vulnerabilities to Check

- Drupalgeddon2 (CVE-2018-7600) - Drupal 7.x < 7.32
- Drupalgeddon3 (CVE-2018-7598) - Drupal 7.x < 7.32
- Drupal 8/9/10 - Form builder and template injection vulnerabilities
- Exposed configuration files - `/config/sync/` directory access
- User enumeration - Weak user ID sequences
- XSS vulnerabilities - Can lead to RCE via Drupalwned