Admin page
Drupal 6 and 7:
http://yourdomain.com/?q=user
Drupal 8:
https://yourdomain.com/user/loginDefault password
There is no default. When installing you are directed through the forms to set up the 1st created account including userid, email and password.
For demo site
Username: admin
Password: admin@123Drupal User Enumeration
Admin user
This endpoint can show the administrator user. Access might be denied.
http://yourdomain.com/user/1User enumeration
This API can list all users.
http://yourdomain.com/jsonapi/user/userUser enumeration via password reset API
Drupal does not consider user enumeration as a vulnerability…
http://yourdomain.com/user/reset/1/1/1
http://yourdomain.com/user/reset/2/1/1
http://yourdomain.com/user/reset/3/1/1
http://yourdomain.com/user/reset/4/1/1
http://yourdomain.com/user/reset/5/1/1
http://yourdomain.com/user/reset/.../1/1User enumeration using Drupwn
python3 drupwn --mode enum --users --target $URLDrupal version
Click View-Source on the page.
<meta name="generator" content="Drupal 7 (http://drupal.org)" />When having an account in the Drupal platform, log in and go to:
http://yourdomain.com/admin/reports/statusScan
Drupwn
Installation
git clone https://github.com/immunIT/drupwn.gitcd drupwnpip3 install -r requirements.txtpython3 drupwn --helpEnumeration
Run Drupwn in enum mode to obtain version, themes and plugins.
python3 drupwn --mode enum --target $URLpython3 drupwn --mode enum --users --target