DroopeScan Cheat Sheet
CMS scanner focused on Drupal, Silverstripe, and WordPress plugin enumeration.
Overview
DroopeScan (droopescan) enumerates Drupal (and other supported CMS) versions, modules, themes, and interesting URLs. Use on authorized Drupal assessments alongside manual testing.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
pip install droopescan
or
git clone https://github.com/droope/droopescan.git
pip install -r droopescan/requirements.txt
Essential commands
Drupal scan
droopescan scan drupal -u https://target.example
Enumerate plugins (WordPress mode)
droopescan scan wordpress -u https://target.example -p popular
Common workflows
Drupal enumeration:
droopescan scan drupal -u https://target.example -t 32
droopescan scan drupal -u https://target.example -o json -O drupal_scan.json
droopescan scan drupal -u https://target.example --enumerate p,t,u
Threaded multi-target (from file):
droopescan scan drupal -U urls.txt -t 16
Through proxy:
droopescan scan drupal -u https://target.example --proxy http://127.0.0.1:8080
Flags reference
| Flag | Description |
|---|---|
| scan drupal | Drupal scanner |
| scan wordpress | WordPress plugin scan |
| scan silverstripe | Silverstripe scanner |
| -u URL | Single URL |
| -U FILE | URL list file |
| -t N | Threads |
| --enumerate | p (plugins), t (themes), u (users) |
| -o json | JSON output |
| -O FILE | Output file |
| --proxy | Proxy URL |
| -p | Plugin set (wordpress) |
Tips
- Drupal 8+ paths differ; ensure your droopescan version supports the target's major version.
- Enumerated modules often map to known CVEs—verify version strings in /CHANGELOG.txt or headers manually.
- Use JSON output (-o json) for reporting pipelines.
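
To feed the JSON output into a report, the scan result can be reduced to a per-host summary with a list of items that still need manual version confirmation. This is an added example, not part of droopescan or the original cheat sheet; the JSON key names ("version", "plugins", "themes", "interesting urls", "is_empty", "finds") are assumptions about the output layout, and the sample data is constructed.

```python
import json

# Constructed sample, not real scan output. The layout (per-category objects
# with "is_empty" and "finds") is an assumption about droopescan's JSON format;
# check it against a file produced by your installed version.
SAMPLE = """
{"host": "https://target.example/", "cms_name": "drupal",
 "version": {"is_empty": false, "finds": ["7.22", "7.23", "7.24"]},
 "plugins": {"is_empty": false, "finds": [
   {"name": "views", "url": "https://target.example/sites/all/modules/views/"},
   {"name": "ctools", "url": "https://target.example/sites/all/modules/ctools/"}]},
 "themes": {"is_empty": true, "finds": []},
 "interesting urls": {"is_empty": false, "finds": [
   {"url": "https://target.example/CHANGELOG.txt", "description": "Default changelog file"}]}}
"""

def finds(scan, key):
    """Return the findings list for a category, tolerating missing keys."""
    section = scan.get(key) or {}
    if section.get("is_empty", True):
        return []
    return section.get("finds", [])

def summarize(scan):
    """Reduce one scan result to report fields plus manual follow-up items."""
    versions = finds(scan, "version")
    modules = sorted(p["name"] for p in finds(scan, "plugins") if "name" in p)
    urls = [u["url"] for u in finds(scan, "interesting urls") if "url" in u]
    todo = []
    if len(versions) != 1:
        # Fingerprinting gave zero or several candidates: confirm by hand.
        todo.append("confirm core version (candidates: %s)" % (", ".join(versions) or "none"))
    todo += ["confirm installed version of module '%s'" % m for m in modules]
    return {"host": scan.get("host"), "cms": scan.get("cms_name"),
            "versions": versions, "modules": modules,
            "themes": sorted(t["name"] for t in finds(scan, "themes") if "name" in t),
            "interesting_urls": urls, "manual_checks": todo}

def load_results(text):
    """Accept one JSON document or one JSON object per line (multi-target)."""
    try:
        return [json.loads(text)]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for scan in load_results(SAMPLE):
        print(json.dumps(summarize(scan), indent=2))
```

The manual_checks list mirrors the tip above: a range of candidate core versions or a bare module name is a lead to verify, not a confirmed finding.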