id: drupal-user-enum-ajax

info:
  name: Drupal User Enumration [Ajax]
  author: 0w4ys
  severity: info
  metadata:
    max-request: 4
    shodan-query:
      - http.component:"drupal"
      - cpe:"cpe:2.3:a:drupal:drupal"
    product: drupal
    vendor: drupal
  tags: drupal,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '":"a.'
          - '":"A.'
        part: body

      - type: word
        words:
          - "application/json"
        part: header

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - '"[\w \-\_\@\.]+\"'
# digest: 4a0a0047304502207a9e8cc2fd2db8980a147d3d8be10568afae9c1e3f23a6447e3cfc9ef8f37a3b022100d6029729efec11f6988e32ede6e4db05f0b4e69ae2a164246fc32a161e747393:922c64590222798bb761d5b6d8e72950