Nmap Development mailing list archives
Re: [NSE] http-drupal-users
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 21 Mar 2012 20:10:54 -0400
On Wed, Mar 21, 2012 at 6:52 AM, Djalal Harouni <tixxdz () opendz org> wrote:
> On Tue, Mar 20, 2012 at 11:45:11PM -0400, Patrik Karlsson wrote:
>> On Tue, Mar 20, 2012 at 4:26 AM, M. Hani Benhailes <kroosec () gmail com> wrote:
>>> Hi list,
>>>
>>> Attached is a script for Drupal usernames enumeration.
>>>
>>> description = [[
>>> Enumerates Drupal users by exploiting an information disclosure vulnerability
>>> in Views, Drupal's most popular module.
>>>
>>> Requests to admin/views/ajax/autocomplete/user/STRING return all usernames
>>> that begin with STRING. The script works by iterating STRING over letters to
>>> extract all usernames.
>>>
>>> For more information, see:
>>> * http://www.madirish.net/node/465
>>> ]]
>>>
>>> --@output
>>> -- Interesting ports on some.web.site (123.123.123.123):
>>> -- PORT   STATE SERVICE REASON
>>> -- 80/tcp open  http    syn-ack
>>> -- | http-drupal-users:
>>> -- |   admin
>>> -- |   alex
>>> -- |   manager
>>> -- |_  user
>>>
>>> Cheers,
>>> Hani.
>>>
>>> --
>>> M. Hani Benhabiles
>>> OWASP Algeria Student Chapter: Founder/President.
>>> http://www.owaspalgeriasc.org
>>> https://www.owasp.org/index.php/Algeria_Student_Chapter
>>> Email: hani.benhabiles () owasp org
>>> Twitter: https://twitter.com/#!/kroosec
>>> Blog: http://kroosec.blogspot.com
>>> _______________________________________________
>>> Sent through the nmap-dev mailing list
>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>> Archived at http://seclists.org/nmap-dev/
>>
>> Great work Hani!
>> I tested the script against a few sites and it worked great.
>> I've committed the script as r28309 with some minor changes.
>
> Patrik, the script was committed as http-drupal-users-enum.nse but usage
> examples and arguments are using 'http-drupal-users', output tag also.
>
> Thanks Hani, Patrik.
>
> --
> tixxdz
> http://opendz.org

Thanks Djalal!
Looking closer at the naming standard of other user enumeration scripts, I decided to rename the script to: http-drupal-enum-users.
I've changed the documentation accordingly.

Thanks,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

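A defender-side check for the request pattern quoted in the thread, added here as an example that is not part of the original messages or of the NSE script: it flags clients in a web access log that query admin/views/ajax/autocomplete/user/STRING with many distinct STRING values. The log lines are constructed, and the function name `find_enumerators` and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2012:10:00:01 +0000] "GET /admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 31 "-" "-"
203.0.113.7 - - [21/Mar/2012:10:00:01 +0000] "GET /admin/views/ajax/autocomplete/user/b HTTP/1.1" 200 2 "-" "-"
203.0.113.7 - - [21/Mar/2012:10:00:02 +0000] "GET /?q=admin/views/ajax/autocomplete/user/c HTTP/1.1" 200 2 "-" "-"
203.0.113.7 - - [21/Mar/2012:10:00:02 +0000] "GET /admin/views/ajax/autocomplete/user/d HTTP/1.1" 200 18 "-" "-"
198.51.100.4 - - [21/Mar/2012:10:05:00 +0000] "GET /admin/views/ajax/autocomplete/user/al HTTP/1.1" 200 12 "-" "-"
198.51.100.4 - - [21/Mar/2012:10:05:09 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "-"
"""

# Client address and request target from a combined-format line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# The autocomplete path from the script description; the group is STRING.
AUTOCOMPLETE = re.compile(r'admin/views/ajax/autocomplete/user/([^/?&#\s]*)')


def find_enumerators(log_text, min_prefixes=3):
    """Return {client_ip: sorted prefixes} for clients that queried the Views
    user autocomplete path with at least min_prefixes distinct strings."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not in the expected log format
        ip, target = m.group(1), unquote(m.group(2))  # decode %xx escapes
        hit = AUTOCOMPLETE.search(target)  # covers clean URLs and the ?q= form
        if hit:
            seen[ip].add(hit.group(1).lower())
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_prefixes}


if __name__ == "__main__":
    for ip, prefixes in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(prefixes)} distinct prefixes {prefixes}")
```

A single autocomplete request is normal for an administrator using the Views UI, so the count of distinct prefixes per client, not the presence of the path, is what the check keys on.
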
Current thread:
- [NSE] http-drupal-users M. Hani Benhailes (Mar 20)
- Re: [NSE] http-drupal-users Patrik Karlsson (Mar 20)
- Re: [NSE] http-drupal-users Djalal Harouni (Mar 21)
- Re: [NSE] http-drupal-users Patrik Karlsson (Mar 21)
- Re: [NSE] http-drupal-users Djalal Harouni (Mar 21)
- Re: [NSE] http-drupal-users Patrik Karlsson (Mar 20)