id: drupal-user-enum-ajax

info:
  name: Drupal User Enumration [Ajax]
  author: 0w4ys
  severity: info
  metadata:
    max-request: 4
    shodan-query: http.component:"drupal"
  tags: drupal,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '":"a.'
          - '":"A.'
        part: body

      - type: word
        words:
          - "application/json"
        part: header

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - '"[\w \-\_\@\.]+\"'

# digest: 4b0a00483046022100b24bebf70e77f409f945b33f983d381364a00650747ff7f26f5ebf3e2d371c5f02210088f7dc8d646e12702100e6f4c232278fff5b53f5ccf932dc9269e8ec07996ff8:922c64590222798bb761d5b6d8e72950