droopescan

Scanner User-Agent: droopescan

⚠️ Overview

droopescan is an open‑source, plugin‑based CMS scanner written in Python, first released in 2014 and maintained by its author Pedro Worcel (GitHub user droope) at https://github.com/droope/droopescan. It identifies the CMS version, installed plugins and themes, and other version‑leaking URLs on Drupal, SilverStripe and WordPress installations, with more limited support for Joomla. It is a reconnaissance tool, not an exploitation tool: it tells the operator what is running so that known weaknesses in those versions can be looked up. That makes it equally useful to authorised penetration testers and to attackers hunting for outdated public‑facing sites.

🔧 Technical Capabilities

The scanner works in three passes. Version fingerprinting requests a set of static files whose contents change between releases (for Drupal, files such as CHANGELOG.txt and misc/drupal.js), hashes each response and compares the hash against a bundled per‑version table; because one file often has the same hash across several releases, the candidate set is narrowed by intersecting the matches from every file, and a file that is missing or locally modified simply contributes no information. Plugin and theme enumeration is a dictionary attack: droopescan requests the known install directory of each name in a bundled wordlist (e.g. /sites/all/modules/<name>/ for Drupal, /wp-content/plugins/<name>/ for WordPress) and treats a non‑404 answer, including 403, as a hit. Finally it checks a list of "interesting" URLs such as changelogs, README files and installer scripts that leak version details. Enumeration can be restricted to plugins, themes, version or interesting URLs (--enumerate), run with several threads (--threads), and written as plain text or JSON (--output json). droopescan contains no exploit code, no CVE signature database and no login brute‑forcer; what it produces is an inventory, which the operator then matches against public advisories for the versions found.
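The two core passes, hash‑based version narrowing and dictionary‑style plugin enumeration, as an added example in Python. This is illustrative code written for this page, not droopescan's own implementation; the file bodies, hashes, module names and the fake target it scans are all constructed, and the functions fingerprint_version, enumerate_plugins and make_target are names chosen here. Network access is replaced by injected fetch/status callbacks so it runs offline.

```python
"""Illustrative re-implementation of droopescan-style CMS fingerprinting.

Added example, not droopescan's own code. The per-version file bodies,
the resulting hash table and the fake target are constructed for the demo.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed per-version contents of the static files a scanner requests.
# Deliberately, misc/drupal.js is identical for "7.58" and "7.59": in real
# releases many files do not change between minor versions, which is why a
# single file rarely pins the exact version.
FILE_BODIES: Dict[str, Dict[str, str]] = {
    "7.58": {"CHANGELOG.txt": "Drupal 7.58, 2018-03-28\n",
             "misc/drupal.js": "/* drupal.js, unchanged 7.58-7.59 */"},
    "7.59": {"CHANGELOG.txt": "Drupal 7.59, 2018-04-25\n",
             "misc/drupal.js": "/* drupal.js, unchanged 7.58-7.59 */"},
    "7.60": {"CHANGELOG.txt": "Drupal 7.60, 2018-10-17\n",
             "misc/drupal.js": "/* drupal.js, changed in 7.60 */"},
}


def md5_hex(body: str) -> str:
    return hashlib.md5(body.encode("utf-8")).hexdigest()


def build_hash_table(bodies: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """path -> {md5: set(versions)}; the shape of the table a scanner ships."""
    table: Dict[str, Dict[str, Set[str]]] = {}
    for version, files in bodies.items():
        for path, body in files.items():
            table.setdefault(path, {}).setdefault(md5_hex(body), set()).add(version)
    return table


HASH_TABLE = build_hash_table(FILE_BODIES)

Fetch = Callable[[str], Optional[str]]  # returns the body, or None on 404


def fingerprint_version(fetch: Fetch, table: Dict[str, Dict[str, Set[str]]] = HASH_TABLE) -> List[str]:
    """Narrow the candidate version set by intersecting per-file matches.

    A file that 404s (an admin deleted CHANGELOG.txt) is skipped; a file that
    exists but matches no known hash (locally patched) is skipped too, since
    it carries no version information.
    """
    candidates: Set[str] = {v for hashes in table.values() for vs in hashes.values() for v in vs}
    for path, hashes in table.items():
        body = fetch(path)
        if body is None:
            continue
        matched = hashes.get(md5_hex(body))
        if matched:
            candidates &= matched
    return sorted(candidates)


def enumerate_plugins(status_of: Callable[[str], int], wordlist: Iterable[str],
                      base: str = "/sites/all/modules/") -> List[str]:
    """Dictionary enumeration: any non-404 answer for the module directory
    counts as installed (403 included, since listing is usually denied)."""
    return [name for name in wordlist if status_of(f"{base}{name}/") != 404]


def make_target(version: str, missing: Iterable[str] = (), installed: Iterable[str] = ()):
    """Constructed fake site running `version` with some files removed and
    some modules installed; returns (fetch, status_of) callbacks."""
    files = {p: b for p, b in FILE_BODIES[version].items() if p not in set(missing)}
    present = set(installed)

    def fetch(path: str) -> Optional[str]:
        return files.get(path)

    def status_of(path: str) -> int:
        return 403 if path.rstrip("/").rsplit("/", 1)[-1] in present else 404

    return fetch, status_of


if __name__ == "__main__":
    fetch, status_of = make_target("7.58", installed={"views", "ctools"})
    print("version:", fingerprint_version(fetch))
    print("modules:", enumerate_plugins(status_of, ["views", "ctools", "pathauto"]))
    fetch_nolog, _ = make_target("7.58", missing={"CHANGELOG.txt"})
    print("without CHANGELOG.txt:", fingerprint_version(fetch_nolog))
```

The third call is the practitioner's point: deleting CHANGELOG.txt leaves the scanner with only drupal.js, so the result widens from one version to the two that share that file. Removing a single leaky file blurs the fingerprint but does not defeat it; patching does.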

📜 History & Notable Incidents

droopescan appeared on GitHub in 2014, the year of Drupalgeddon (SA‑CORE‑2014‑005, CVE‑2014‑3704, disclosed in October 2014), when mass scanning for unpatched Drupal 7 sites made fast, accurate version fingerprinting valuable to attackers and defenders alike. It remains a standard item in penetration‑testing toolkits and Linux security distributions, has been forked widely, and its behaviour is simple enough that any of those forks, or a modified copy, produces the same traffic pattern described below. Attribution of specific scanning campaigns to droopescan rather than to one of the many similar CMS scanners is rarely possible from server logs alone.

🔍 Detection Indicators

This listing records the User‑Agent as "droopescan". Whatever the default, the header is set by the client and an operator can replace it with any browser string, so a User‑Agent match catches only operators who did not bother. Behavioural indicators are more reliable: one client first fetching version‑fingerprint files such as /CHANGELOG.txt, /misc/drupal.js or /readme.html, then issuing a burst of requests for plugin or theme directories (/sites/all/modules/<name>/, /wp-content/plugins/<name>/, /administrator/ on Joomla), nearly all of which return 404. A plugin enumeration run generates hundreds of such requests against a single host within seconds to minutes, the rate scaling with the --threads setting, and when the tool is fed a URL list the same client works through hosts one after another.
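Detection logic for both indicators, the literal User‑Agent and the probe burst, run over combined‑format web server log lines, as an added example. This is code written for this page, not anything shipped by droopescan or the site operator; the log lines are constructed, the client addresses are documentation ranges, and the 60‑second window and 15‑request threshold are assumptions that need tuning per site.

```python
"""Spot droopescan-style reconnaissance in Apache/nginx combined-format logs.

Added example, not part of the original page or the droopescan project.
The log lines are constructed; window and threshold are assumed defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths a CMS scanner hits for version fingerprinting and plugin/theme
# enumeration. Ordinary visitors almost never request these.
PROBE_PATHS = [re.compile(p) for p in (
    r"/CHANGELOG\.txt$", r"/readme\.html$", r"/readme\.txt$", r"/misc/drupal\.js$",
    r"/administrator/", r"/wp-content/(plugins|themes)/[^/]+/",
    r"/sites/all/modules/[^/]+/", r"^/modules/[^/]+/",
)]


def is_probe(path: str) -> bool:
    return any(rx.search(path) for rx in PROBE_PATHS)


def detect_droopescan(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                      threshold: int = 15) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients that look like a CMS scanner.

    Two independent signals: the literal User-Agent (trivially spoofed, so
    never the only check) and `threshold` probe requests from one client
    inside any sliding `window`.
    """
    reasons = defaultdict(set)
    probe_times = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production count these and alert separately
        ip = m["ip"]
        if "droopescan" in m["ua"].lower():
            reasons[ip].add("user-agent")
        if is_probe(m["path"]):
            probe_times[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    for ip, times in probe_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                reasons[ip].add("probe-burst")
                break
    return {ip: sorted(r) for ip, r in reasons.items()}


def build_sample_log() -> List[str]:
    """Constructed log: a scanner hiding behind a browser UA, a normal visitor,
    and a client that kept the scanner's own User-Agent."""
    t0 = datetime(2024, 5, 1, 13, 55, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"

    def line(ip, offset, path, status, ua):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [line("203.0.113.5", 0, "/CHANGELOG.txt", 200, browser),
             line("203.0.113.5", 0, "/misc/drupal.js", 200, browser)]
    modules = ["views", "ctools", "token", "pathauto", "admin_menu",
               "webform", "panels", "rules", "features", "date"] * 2
    lines += [line("203.0.113.5", 1 + i // 3, f"/sites/all/modules/{m}/", 404, browser)
              for i, m in enumerate(modules)]
    lines += [line("198.51.100.7", 5, "/", 200, browser),
              line("198.51.100.7", 9, "/node/1", 200, browser),
              line("198.51.100.7", 12, "/sites/default/files/logo.png", 200, browser),
              line("192.0.2.9", 30, "/", 200, "droopescan")]
    return lines


if __name__ == "__main__":
    for ip, why in detect_droopescan(build_sample_log()).items():
        print(ip, why)
```

The scanner with the browser User‑Agent is caught only by the burst rule, and the client that left the User‑Agent alone is caught only by the string match, which is why both checks are kept. A low --threads setting or a scan spread across many source addresses will stay under the burst threshold; treat this as one signal among several, not a verdict.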

☠️ Risk & Impact

droopescan does not exploit anything itself; the risk is what its output enables. An exact version plus an inventory of installed plugins and themes lets an attacker pick a known, unpatched vulnerability for that precise combination instead of guessing, and the follow‑up exploitation with other tools is what leads to full site compromise, theft of the user database, privilege escalation to administrator accounts, defacement, or a backdoor or webshell on the server. The scan is therefore the first step of an attack chain, and the exposure it measures is the site's own patch lag.

🛡️ Mitigation

droopescan is blocked on detection because it systematically enumerates a site for exploitable weaknesses and no search engine or legitimate web crawler uses it; the only benign operator is an authorised penetration tester, who can be allow‑listed for the engagement. Blocking the source IP and filtering the User‑Agent stop the noise from one careless operator, but the header is trivially changed and the same scan can come from another address. The durable mitigations address what the scan finds: keep the CMS core, plugins and themes patched, since the scan only reports what is actually installed; remove or deny access to version‑leaking files such as CHANGELOG.txt, readme.html and leftover installer scripts so that fingerprinting stays ambiguous; and rate‑limit clients that produce bursts of 404 responses for plugin and theme directories.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.