5. Drupal Discovery and Enumeration

1. Basic Drupal Identification:

curl -s http://drupal.inlanefreight.local | grep Drupal
#   - Check HTML source for Drupal metadata.
curl -s http://drupal.inlanefreight.local/robots.txt
#   - Analyze robots.txt for disallowed directories and node references.
curl -s http://drupal.inlanefreight.local/node/1
#   - Check for node paths (common Drupal URL structure).
curl -s http://drupal.inlanefreight.local/CHANGELOG.txt
#   - Check for version information (may be blocked).

2. Drupal Version Enumeration:

droopescan scan drupal -u http://drupal.inlanefreight.local
#   - Use droopescan for automated version detection and module/theme enumeration.
curl -s http://drupal.inlanefreight.local/core/assets/vendor/jquery/jquery.min.js | grep "Drupal"
#   - Check JavaScript files for version information.
curl -s http://drupal.inlanefreight.local/rss.xml | grep generator
#   - Check RSS feeds for generator metadata.

Database Version check (if access gained):

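SELECT info FROM system WHERE name = 'system';
#   - Drupal 7 schema: the system table has no version column; the core version string sits inside the serialized info value.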

3. Drupal Module Enumeration:

curl -s http://drupal.inlanefreight.local/modules/
#   - List modules directory contents.
curl -s "http://drupal.inlanefreight.local/modules/[module_name]/[module_file].js"
#   - Check for module-specific JavaScript files.
curl -s "http://drupal.inlanefreight.local/modules/[module_name]/[module_file].css"
#   - Check for module-specific CSS files.
curl -s "http://drupal.inlanefreight.local/modules/[module_name]/[module_file].info.yml"
#   - Check for module version information.

4. Drupal Theme Enumeration:

curl -s http://drupal.inlanefreight.local/themes/
#   - List themes directory contents.
curl -s "http://drupal.inlanefreight.local/themes/[theme_name]/style.css"
#   - Check style.css for theme version.
curl -s "http://drupal.inlanefreight.local/themes/[theme_name]/[theme_file].info.yml"
#   - Check for theme version information.

5. Drupal Configuration File Check:

curl -s http://drupal.inlanefreight.local/sites/default/settings.php
#   - Check for exposed settings.php or other configuration files.

6. Drupal User Enumeration:

curl -s "http://drupal.inlanefreight.local/?q=user"
#   - Check for publicly visible user profiles.
curl -s http://drupal.inlanefreight.local/user/1
#   - Test default admin user enumeration.

7. Drupal REST API Enumeration:

curl -s "http://drupal.inlanefreight.local/rest/user/login_status?_format=json"
#   - Enumerate the Drupal REST API if enabled.
curl -s http://drupal.inlanefreight.local/rest/
curl -s "http://drupal.inlanefreight.local/rest/export?_format=json"
#   - Check for publicly accessible REST export endpoints.

8. Drupal Content Enumeration:

curl -s http://drupal.inlanefreight.local/node/2
#   - Check if sequential node IDs exist.
curl -s http://drupal.inlanefreight.local/node.json
#   - Check if Drupal JSON API is enabled.

9. Drupal Backup & Debug Files Enumeration:

curl -s http://drupal.inlanefreight.local/sites/default/files/backup.sql
#   - Check for exposed database backups.
curl -s http://drupal.inlanefreight.local/phpinfo.php
#   - Test for exposed phpinfo() (debugging enabled).

10. Drupal Admin Panel Access Check:

curl -s http://drupal.inlanefreight.local/user/login
#   - Check if login page is accessible.
curl -s http://drupal.inlanefreight.local/admin
#   - Check for direct access to admin panel.

11. Drupal GraphQL API Enumeration (if enabled):

curl -X POST http://drupal.inlanefreight.local/graphql -H "Content-Type: application/json" --data '{"query":"{__schema { types { name } }}"}'
#   - Check for exposed GraphQL endpoint.

12. Robots.txt Analysis:

curl -s http://drupal.inlanefreight.local/robots.txt
#   - Analyze robots.txt for sensitive disallows or revealing paths.

Important Details & Considerations:

  • JavaScript Versioning: Check core and theme JavaScript for Drupal version.

  • Module Versioning: Find exact module versions using .info.yml or similar files.

  • Theme Versioning: Check style.css or .info.yml for theme versions.

  • Drupal File Structure: Understand core directories like /modules/, /themes/, and /sites/.

  • robots.txt: Pay close attention to disallowed directories that may reveal sensitive information.

  • Drupal REST API: If enabled, thoroughly enumerate the REST API.

  • Database Version: If database access is gained, query the system table for the Drupal version.

  • User Enumeration: Identify publicly accessible user profiles and potential admin accounts.

  • Service Endpoints: Check REST endpoints for exposed sensitive data.

  • Content Enumeration: Investigate sequential node IDs and JSON API exposure.

  • Backup & Debug Files: Identify any misconfigured backups or exposed debugging information.

  • Admin Access: Determine if direct access to the admin panel is possible.

  • GraphQL API: Enumerate GraphQL endpoints for schema exposure.
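
Seen from the server side, the requests listed in these notes leave a recognisable pattern in the web server's access log. The script below is an added example, not part of the original notes: it groups requests by client and flags any client that touches several distinct probe classes. The log lines, the function names `sample_log` and `detect_drupal_enum`, and the default threshold of 4 are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag clients whose requests match the probe paths in these notes.

# Constructed access-log sample (combined format, documentation IP ranges).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /user/1 HTTP/1.1" 200 8120 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /rest/user/login_status?_format=json HTTP/1.1" 200 1 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /sites/default/files/backup.sql HTTP/1.1" 404 153 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /modules/views/views.info.yml HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /CHANGELOG.txt HTTP/1.1" 403 199 "-" "curl/8.5.0"
203.0.113.20 - - [10/Mar/2025:10:01:10 +0000] "GET /node/1 HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2025:10:01:15 +0000] "GET /user/login HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:02:00 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:02:05 +0000] "GET /node/2 HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
EOF
}

# Usage: detect_drupal_enum MIN_CLASSES < access.log
# Prints "ip distinct_probe_classes classes_answered_200" per flagged client.
detect_drupal_enum() {
  awk -v min="${1:-4}" '
    # Map a request path to a probe class. /node/N, /user/login and
    # robots.txt are left out because ordinary visitors request them.
    function probe(p) {
      if (p ~ /^\/CHANGELOG\.txt/)                     return "changelog"
      if (p ~ /^\/sites\/default\/settings\.php/)      return "settings"
      if (p ~ /^\/sites\/default\/files\/.*\.sql/)     return "backup"
      if (p ~ /^\/phpinfo\.php/)                       return "phpinfo"
      if (p ~ /^\/(modules|themes)\/.*\.info\.yml/)    return "infoyml"
      if (p ~ /^\/user\/[0-9]+$/ || p ~ /\?q=user/)    return "user"
      if (p ~ /^\/rest\//)                             return "rest"
      if (p ~ /^\/graphql/)                            return "graphql"
      return ""
    }
    {
      split($0, q, "\"")        # q[2] = request line, q[3] = status and size
      split(q[2], req, " ")     # req[2] = path with query string
      split(q[3], st, " ")      # st[1] = HTTP status
      c = probe(req[2])
      if (c == "") next
      if (!(($1, c) in seen)) { seen[$1, c] = 1; n[$1]++ }
      if (st[1] == 200 && !(($1, c) in ok)) { ok[$1, c] = 1; hit[$1]++ }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip], hit[ip] + 0 }
  ' | sort
}

sample_log | detect_drupal_enum 4
```

The third column counts probe classes that were answered with HTTP 200, which shows which of the checked paths the server actually serves.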
