Nmap Development mailing list archives
Re: [NSE] http-drupal-modules.nse
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 15 May 2012 18:57:34 +0200
On Fri, May 11, 2012 at 10:03 PM, Hani Benhabiles <kroosec () gmail com> wrote:
> On 05/11/2012 04:21 PM, Patrik Karlsson wrote:
>> On Fri, May 11, 2012 at 2:21 PM, Hani Benhabiles <kroosec () gmail com> wrote:
>>> Hi list,
>>>
>>> description = [[
>>> Enumerates the installed Drupal modules by using a list of known modules.
>>>
>>> The script works by requesting /sites/all/modules/MODULE_NAME/LICENSE.txt.
>>> If the response status code is 200, it means that the module is installed.
>>> By default, the script checks for the top 100 modules (by downloads),
>>> given the huge number of existing modules (~10k).
>>> ]]
>>>
>>> From what I have found so far, requesting the LICENSE.txt file is the best
>>> option because it is added for every module uploaded on drupal.org (normal
>>> way to get drupal modules). Other possible options are:
>>> - Requesting MODULE_NAME/ and checking against the status code of a
>>>   response for an obviously non-existing module request.
>>> - Building a DB with records specific for each module (some modules have
>>>   .js, .css files or subfolders etc...) which is cumbersome.
>>>
>>> I have also attached a list of Drupal modules ranked by number of downloads
>>> (extracted from [1]) that should be copied in nselib/data/
>>>
>>> Any input is welcome.
>>>
>>> [1] http://drupal.org/project/usage
>>>
>>> Cheers,
>>> Hani.
>>>
>>> --
>>> Hani Benhabiles
>>> President, OWASP Algeria Student Chapter
>>> http://www.owaspalgeriasc.org
>>> https://www.owasp.org/index.php/Algeria_Student_Chapter
>>> Email: hani.benhabiles () owasp org
>>> Twitter: https://twitter.com/#!/kroosec
>>> Blog: http://kroosec.blogspot.com
>>> _______________________________________________
>>> Sent through the nmap-dev mailing list
>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>> Archived at http://seclists.org/nmap-dev/
>>
>> Hi Hani,
>>
>> This looks like a useful script. I haven't tested it yet, but I looked
>> through it briefly and I think it could benefit from detecting a common
>> "problem" where errors or 404 are detected as 200 OK. The http-enum is
>> using http.identify_404 to do this. I'll try to find a Drupal installation
>> later today and give it a go.
>>
>> Cheers,
>> Patrik
>> --
>> Patrik Karlsson
>> http://www.cqure.net
>> http://twitter.com/nevdull77
>
> This would have been true if we were relying on the first option (requests
> to MODULE_NAME/ and checking responses status codes) but in the current
> case, we are requesting static resources (LICENSE.txt) and so far, with all
> installations I have seen, none caused a problem. Maybe we could add simple
> string matching or checking the hash of the response body. If you come
> across any installations where http.identify_404 is really needed, please
> let me know.
>
> On 05/11/2012 07:14 PM, Henri Doreau wrote:
>> Hi Hani,
>>
>> Thanks for the good work! Additionally to what Patrik mentioned, I have a
>> couple (minor) observations concerning the script:
>> - get_modules_path should be declared as "local".
>> - the bfqueries variable in the action function is never used.
>> - indentation is broken from line 115 to 118
>>
>> Beside this it looks good to me.
>>
>> Regards.
>
> Fixed! thanks.
>
> --
> Hani Benhabiles
> President, OWASP Algeria Student Chapter
> http://www.owaspalgeriasc.org
> https://www.owasp.org/index.php/Algeria_Student_Chapter
> Email: hani.benhabiles () owasp org
> Twitter: https://twitter.com/#!/kroosec
> Blog: http://kroosec.blogspot.com

I've had a chance to test this now and ran into some problems due to how the file drupal-modules.lst is formatted. When looking into the problem it turned out that each module ended with a line-feed, breaking the path in the request to the server. Re-formatting the file to unix format solved the problem for me.

Also, as a general observation (not specific to this script) I find pipelining great, as it's really quick, when it works that is. However, when it doesn't work, i.e. the pipeline request consists of a single request, I think scripts could benefit from being threaded. I tested this script against a server having this problem/restriction and got roughly 1 request/sec, which is painful.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
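
The list-formatting problem described in the message above, shown as an added example that is not part of the original thread or of the script under review: a list saved with DOS line endings leaves a stray control character in every request path unless the loader normalises it. The function names, the sample names and the rule for what counts as a valid module name are assumptions made for illustration; only the /sites/all/modules/MODULE_NAME/LICENSE.txt layout comes from the thread.

```lua
-- Added example; the sample list below is constructed for illustration.
local BASE = "/sites/all/modules/"  -- path prefix quoted in the thread

-- Build the probe path for one module name.
local function license_path(name)
  return BASE .. name .. "/LICENSE.txt"
end

-- Parse the text of a one-name-per-line list into clean module names.
-- Accepts LF, CRLF and bare CR endings; drops blanks and unsafe names.
local function parse_module_list(text)
  local modules, rejected = {}, {}
  text = text:gsub("\r\n", "\n"):gsub("\r", "\n")
  for line in text:gmatch("[^\n]+") do
    local name = line:match("^%s*(.-)%s*$")  -- trim whitespace
    if name ~= "" then
      -- Assumption: a name is a single path segment of letters, digits,
      -- "_" or "-"; anything else is reported instead of being requested.
      if name:match("^[%w_%-]+$") then
        modules[#modules + 1] = name
      else
        rejected[#rejected + 1] = name
      end
    end
  end
  return modules, rejected
end

-- Constructed sample: three names saved with DOS (CRLF) line endings.
local sample = "views\r\ntoken\r\npathauto\r\n"

-- Naive split on "\n" only: the "\r" stays inside the request path.
for line in sample:gmatch("[^\n]+") do
  print("naive:", ("%q"):format(license_path(line)))
end

-- Normalised parse: paths are clean.
local modules, rejected = parse_module_list(sample)
for _, name in ipairs(modules) do
  print("clean:", ("%q"):format(license_path(name)))
end
print("rejected entries:", #rejected)
```
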
Current thread:
- [NSE] http-drupal-modules.nse Hani Benhabiles (May 11)
- Re: [NSE] http-drupal-modules.nse Patrik Karlsson (May 11)
- Re: [NSE] http-drupal-modules.nse Hani Benhabiles (May 11)
- Re: [NSE] http-drupal-modules.nse Patrik Karlsson (May 15)
- Re: [NSE] http-drupal-modules.nse Hani Benhabiles (May 17)
- Re: [NSE] http-drupal-modules.nse Hani Benhabiles (May 17)
- Re: [NSE] http-drupal-modules.nse Hani Benhabiles (May 11)
- Re: [NSE] http-drupal-modules.nse Patrik Karlsson (May 11)
- Re: [NSE] http-drupal-modules.nse Henri Doreau (May 11)