SamJoan / droopescan

A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
GNU Affero General Public License v3.0

Drupalgeddon2 not detected #32

Closed mathewmarcus closed 6 years ago

mathewmarcus commented 6 years ago

I'm running droopescan against Vulnhub's VulnOS: 2, which has a known Drupalgeddon2 vulnerability (verified by running the Metasploit module exploit/unix/webapp/drupal_drupalgeddon2).

However, based on the output below, droopescan does not appear to detect Drupalgeddon2. I tested this using droopescan installed via pip and manually. Also, I can't include the debug output because it causes this issue to exceed the 65536 character limit.

root@kali:~# uname -a
Linux kali 4.16.0-kali2-amd64 #1 SMP Debian 4.16.16-2kali2 (2018-07-04) x86_64 GNU/Linux
root@kali:~# droopescan scan -u http://192.168.56.11/jabc/
[+] Site identified as drupal.
[+] Themes found:
    seven http://192.168.56.11/jabc/themes/seven/
    garland http://192.168.56.11/jabc/themes/garland/

[+] No interesting urls found.

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Plugins found:
    ctools http://192.168.56.11/jabc/sites/all/modules/ctools/
        http://192.168.56.11/jabc/sites/all/modules/ctools/CHANGELOG.txt
        http://192.168.56.11/jabc/sites/all/modules/ctools/LICENSE.txt
        http://192.168.56.11/jabc/sites/all/modules/ctools/API.txt
    views http://192.168.56.11/jabc/sites/all/modules/views/
        http://192.168.56.11/jabc/sites/all/modules/views/README.txt
        http://192.168.56.11/jabc/sites/all/modules/views/LICENSE.txt
    token http://192.168.56.11/jabc/sites/all/modules/token/
        http://192.168.56.11/jabc/sites/all/modules/token/README.txt
        http://192.168.56.11/jabc/sites/all/modules/token/LICENSE.txt
    libraries http://192.168.56.11/jabc/sites/all/modules/libraries/
        http://192.168.56.11/jabc/sites/all/modules/libraries/CHANGELOG.txt
        http://192.168.56.11/jabc/sites/all/modules/libraries/README.txt
        http://192.168.56.11/jabc/sites/all/modules/libraries/LICENSE.txt
    entity http://192.168.56.11/jabc/sites/all/modules/entity/
        http://192.168.56.11/jabc/sites/all/modules/entity/README.txt
        http://192.168.56.11/jabc/sites/all/modules/entity/LICENSE.txt
    ckeditor http://192.168.56.11/jabc/sites/all/modules/ckeditor/
        http://192.168.56.11/jabc/sites/all/modules/ckeditor/CHANGELOG.txt
        http://192.168.56.11/jabc/sites/all/modules/ckeditor/README.txt
        http://192.168.56.11/jabc/sites/all/modules/ckeditor/LICENSE.txt
    rules http://192.168.56.11/jabc/sites/all/modules/rules/
        http://192.168.56.11/jabc/sites/all/modules/rules/README.txt
        http://192.168.56.11/jabc/sites/all/modules/rules/LICENSE.txt
    addressfield http://192.168.56.11/jabc/sites/all/modules/addressfield/
        http://192.168.56.11/jabc/sites/all/modules/addressfield/LICENSE.txt
    plupload http://192.168.56.11/jabc/sites/all/modules/plupload/
        http://192.168.56.11/jabc/sites/all/modules/plupload/CHANGELOG.txt
        http://192.168.56.11/jabc/sites/all/modules/plupload/README.txt
        http://192.168.56.11/jabc/sites/all/modules/plupload/LICENSE.txt
    commerce http://192.168.56.11/jabc/sites/all/modules/commerce/
        http://192.168.56.11/jabc/sites/all/modules/commerce/README.txt
        http://192.168.56.11/jabc/sites/all/modules/commerce/LICENSE.txt
    image http://192.168.56.11/jabc/modules/image/
    profile http://192.168.56.11/jabc/modules/profile/
    php http://192.168.56.11/jabc/modules/php/

Given that Detects "Drupalgeddon 2" is included in the CHANGELOG, I'm confused. Am I missing something?

SamJoan commented 6 years ago

Hi @mathewmarcus

In the output above it shows the possible versions being 7.2x. If you look up that version you'll see it is one of the versions affected by the vulnerability.

Thinking about it now, I can see how this is confusing for new users, as droopescan doesn't really scan for any specific vulnerabilities but rather simply reports on the versions. Do you think a documentation change is warranted? I'm thinking of an additional sentence on the README.

Thanks, Pedro

mathewmarcus commented 6 years ago

Ah gotcha, that makes sense. And yeah, I think maybe an additional sentence could be beneficial. Thanks!