How to do it...

Once we have CMSmap ready to run, start bee-box. In this example, it will have the IP address 192.168.56.12.

  1. Browse to http://192.168.56.12/drupal/ to verify that there is a running version of Drupal. The result should be as shown:

  2. Now, launch the scanner against the site. Open a Terminal, go to the directory where CMSmap was downloaded, and run the python cmsmap.py -t http://192.168.56.12/drupal command. The following screenshot displays how the result should look:

We can see some vulnerabilities ranked high (the red [H]). One of them is SA-CORE-2014-005; a quick Google search will tell us that it is an SQL injection vulnerability nicknamed Drupageddon (coincidentally, the same name as our target site).

  3. Now, let's see if there's an easy way to exploit this well-known flaw. Open Metasploit's console (msfconsole) and search for drupageddon; you should find at least one exploit, shown as follows:

  4. Use the multi/http/drupal_drupageddon module and set the options according to the scenario, using a generic reverse shell. The next screenshot shows the final setup:

  5. Run the exploit and verify that we have command execution, shown as follows:
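For the remediation side of the SA-CORE-2014-005 finding reported by CMSmap, the following added example (not part of the original recipe or of CMSmap) triages a Drupal installation from the text of its CHANGELOG.txt. It assumes the affected range given in Drupal's advisory, core 7.x before 7.32, and the usual "Drupal X.Y, date" release header; the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption (from Drupal's advisory, not from this recipe):
# SA-CORE-2014-005 affects Drupal core 7.x before 7.32.
FIXED_IN = (7, 32)

# CHANGELOG.txt release headers look like "Drupal 7.31, 2014-08-06".
HEADER = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.\d+)?,\s*(\S+)(.*)$", re.MULTILINE)


def newest_release(changelog):
    """Return (major, minor, is_dev) for the first release header, or None."""
    m = HEADER.search(changelog)
    if m is None:
        return None
    # Development snapshots carry a placeholder date or a "(development ...)" tag.
    is_dev = "development" in m.group(4).lower() or "x" in m.group(3).lower()
    return int(m.group(1)), int(m.group(2)), is_dev


def triage(changelog):
    """Classify an installation for SA-CORE-2014-005 from CHANGELOG.txt text."""
    release = newest_release(changelog)
    if release is None:
        return "unknown: no release header found, inspect the code base directly"
    major, minor, is_dev = release
    if major != 7:
        return f"not in scope: {major}.x is outside the 7.x range of this advisory"
    if is_dev:
        return f"review: 7.{minor} development snapshot, fix status depends on the commit"
    if (major, minor) < FIXED_IN:
        return f"affected: 7.{minor} predates 7.32, upgrade core"
    return f"patched: 7.{minor} includes the fix"


# Constructed sample inputs (not taken from the bee-box target).
SAMPLES = {
    "old": "\nDrupal 7.31, 2014-08-06\n----------------------\n- Fixed security issues.\n\nDrupal 7.30, 2014-07-24\n",
    "fixed": "\nDrupal 7.32, 2014-10-15\n----------------------\n- Fixed security issues.\n",
    "dev": "\nDrupal 7.33, xxxx-xx-xx (development version)\n-----------------------\n",
    "removed": "",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:8} {triage(text)}")
```

A verdict based on CHANGELOG.txt is only as reliable as the file itself: it may have been deleted or left stale, and a site patched without a core upgrade still reports its old version.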
