Drupal Security Scanner

DPscan.py to DrupalScan

Recently I was in the need of a simple “drupal security scanner” which enumerates all modules of a drupal project so I can do a source code audit on them. The only thing I could found for this were some you-have-to-be-a-member sites and a script called WPscan.py. Because the author’s site of the script was not accessible I decided to write an own little tool in ruby which can be easily plugged into another project I’m currently realising.

DrupalScan

DrupalScan can be installed via rubygems:

$ gem install DrupalScan

You can also find this project on github.

After installation you can use it directly in the command line or by requiring the lib.

Command Line Usage

$ DrupalScan -h                  
Usage: DrupalScan <url> [--no-module-lookup]
    -u, --url URL                    URL of drupal project. Example: http://drupal.org
    -n, --no-module-lookup           Disable module lookup on drupal.org
    -h, --help                       Show this help
$ DrupalScan -u http://drupal.org
Version: Drupal 6.26, 2012-05-02
Found 'flot'
 -> This module provides an API and views integration for using the flot graphing library. It is designed to make it simple to add flot graphs or charts, it supports line, bar and pie charts.http://drupal.org/project/flot

Found 'drupalorg'
 -> Customizations used on drupal.org itself.  It is not meant to be useful to other sites, except as an educational example of the kinds of modifications you can make via a site-specific module.http://drupal.org/project/drupalorg

Found 'token'
 -> Tokens are small bits of text that can be placed into larger documents via simple placeholders, like %site-name or [user]. The Token module provides a central API for modules to use these tokens, and expose their own token values.http://drupal.org/project/token

Found 'httpbl'
 -> Implementation of http:BL for Drupal. http:BL can prevent email address harvesters and comment spammers from visiting your site by using a centralized DNS blacklist. It requires a free Project Honey Pot membership. This module provides efficient blacklist lookups and blocks malicious visitors effectively.http://drupal.org/project/httpbl

Using DrupalScan in your own script

require 'DrupalScan'
version = DrupalScan::getVersion("http://drupal.org")
modules = DrupalScan::enumerateModules("http://drupal.org")

Feel free to fork.

DPscan.py to DrupalScan

DrupalScan

Command Line Usage

Using DrupalScan in your own script

See Also

Cracking salted MD5 with Hashcat

security

EPLUS Group (mobile network operator) security issue (SMS flood, MSISDN verification)

security

Advanced INSERT INTO Injection by Taking Advantage of the Primary Key

security

myBloggie 2.1.6 SQL Injection and Persistent XSS

security

Drupal Security Scanner

DPscan.py to DrupalScan

DrupalScan

Command Line Usage

Using DrupalScan in your own script

See Also

Cracking salted MD5 with Hashcat security

EPLUS Group (mobile network operator) security issue (SMS flood, MSISDN verification) security

Advanced INSERT INTO Injection by Taking Advantage of the Primary Key security

myBloggie 2.1.6 SQL Injection and Persistent XSS security

Cracking salted MD5 with Hashcat

security

EPLUS Group (mobile network operator) security issue (SMS flood, MSISDN verification)

security

Advanced INSERT INTO Injection by Taking Advantage of the Primary Key

security

myBloggie 2.1.6 SQL Injection and Persistent XSS

security