Admin page
Drupal 6 and 7:
http://yourdomain.com/?q=user
Drupal 8:
https://yourdomain.com/user/login
Default password
There is no default password. During installation, the setup forms walk you through creating the first account, including its user ID, email address and password.
For demo site
Username: admin
Password: admin@123
Drupal User Enumeration
Admin user
This endpoint can reveal the administrator account (user ID 1). Access may be denied.
http://yourdomain.com/user/1
User enumeration
This JSON:API endpoint can list all users.
http://yourdomain.com/jsonapi/user/user
User enumeration via password reset API
Drupal does not consider user enumeration a vulnerability…
http://yourdomain.com/user/reset/1/1/1
http://yourdomain.com/user/reset/2/1/1
http://yourdomain.com/user/reset/3/1/1
http://yourdomain.com/user/reset/4/1/1
http://yourdomain.com/user/reset/5/1/1
http://yourdomain.com/user/reset/.../1/1
User enumeration using Drupwn
python3 drupwn --mode enum --users --target $URL
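The enumeration endpoints listed above (/user/<uid>, /user/reset/<uid>/…, /jsonapi/user/user) leave a recognisable trail in the web server access log. The following added example, which is not part of the original page or of Drupwn, groups requests by source IP and flags sequential user ID probing or hits on the JSON:API user collection; the log lines, IP addresses and the uid_threshold value are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format); not taken from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /user/reset/1/1/1 HTTP/1.1" 403 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /user/reset/2/1/1 HTTP/1.1" 403 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /user/reset/3/1/1 HTTP/1.1" 403 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?q=user/4 HTTP/1.1" 403 512 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /jsonapi/user/user HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:40 +0000] "GET /node/12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Oct/2023:14:00:00 +0000] "GET /user/login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Source IP, method and request path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Numeric user ID in /user/<uid> or /user/reset/<uid>/... (after ?q= normalisation).
UID_RE = re.compile(r"^/user/(?:reset/)?(?P<uid>\d+)(?:/|$)")
JSONAPI_USER = "/jsonapi/user/user"

def normalize_path(raw):
    """Map the Drupal 6/7 form '/?q=user/1' onto '/user/1' and drop any remaining query string."""
    if raw.startswith("/?q="):
        raw = "/" + raw[4:]
    return raw.split("?", 1)[0]

def analyze(log_text, uid_threshold=3):
    """Per source IP: distinct user IDs probed, JSON:API user-collection hits, and a verdict."""
    per_ip = defaultdict(lambda: {"uids": set(), "jsonapi": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = per_ip[m.group("ip")]
        path = normalize_path(m.group("path"))
        uid = UID_RE.match(path)
        if uid:
            entry["uids"].add(int(uid.group("uid")))
        elif path == JSONAPI_USER:
            entry["jsonapi"] += 1
    report = {}
    for ip, entry in per_ip.items():
        uids = sorted(entry["uids"])
        report[ip] = {
            "uids": uids,
            "jsonapi": entry["jsonapi"],
            # Flag many distinct uids from one client, or any hit on the JSON:API user listing.
            "suspicious": len(uids) >= uid_threshold or entry["jsonapi"] > 0,
        }
    return report

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

In production, feed real log lines and tune uid_threshold to the site's normal traffic; a user legitimately visiting their own profile touches one uid, not a run of consecutive ones.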
Drupal version
View the page source and look for the generator meta tag:
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
If you have an account on the Drupal site, log in and go to:
http://yourdomain.com/admin/reports/status
Scan
Drupwn
Installation
git clone https://github.com/immunIT/drupwn.git
cd drupwn
pip3 install -r requirements.txt
python3 drupwn --help
Enumeration
Run Drupwn in enum mode to obtain the version, themes and plugins; add --users to enumerate user accounts as well.
python3 drupwn --mode enum --target $URL
python3 drupwn --mode enum --users --target $URL