From 260aa8dc222927ef81fdbf25d07a6f4ed01fe57b Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 10 Oct 2014 10:23:20 -0500 Subject: [PATCH] Fix #3984 - Fix broken check for drupal_views_user_enum --- .../scanner/http/drupal_views_user_enum.rb | 32 ++++++++----------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb index a4c4cb34ed..4c959fa07c 100644 --- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb +++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb @@ -35,11 +35,15 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('PATH', [true, "Drupal Path", "/"]) + OptString.new('TARGETURI', [true, "Drupal Path", "/"]) ], self.class) end - def check(base_uri) + def base_uri + @base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/" + end + + def check_host(ip) res = send_request_cgi({ 'uri' => base_uri, 'method' => 'GET', @@ -47,31 +51,21 @@ class Metasploit3 < Msf::Auxiliary }, 25) if not res - return false + return Exploit::CheckCode::Unknown elsif res and res.body =~ /\Access denied/ # This probably means the Views Module actually isn't installed - print_error("#{rhost} - Access denied") - return false + vprint_error("#{rhost} - Access denied") + return Exploit::CheckCode::Safe elsif res and res.message != 'OK' or res.body != '[ ]' - return false + return Exploit::CheckCode::Safe else - return true + return Exploit::CheckCode::Appears end end def run_host(ip) - # Make sure the URIPATH begins with '/' - datastore['PATH'] = normalize_uri(datastore['PATH']) - - # Make sure the URIPATH ends with / - if datastore['PATH'][-1,1] != '/' - datastore['PATH'] = datastore['PATH'] + '/' - end - - enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/" - # Check if remote host is available or appears vulnerable - if not check(enum_uri) + unless check_host(ip) == Exploit::CheckCode::Appears print_error("#{ip} does not appear to be vulnerable, will not continue") return end @@ -83,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary vprint_status("Iterating on letter: #{l}") res = send_request_cgi({ - 'uri' => enum_uri+l, + 'uri' => base_uri+l, 'method' => 'GET', 'headers' => { 'Connection' => 'Close' } }, 25)