Re: http-wp-enum.nse - Wordpress user enumeration

[Paulino Calderon <paulino () calderonpale com>]

On 07/04/2011 08:23 PM, Paulino Calderon wrote:
> Hi nmap-dev,
>
> Here is my script to enumerate usernames in Wordpress installations. I 
> noticed some WAF's are blocking requests when using Nmap's default 
> user agent. If you see http errors with status 501, try changing the 
> user agent for the requests.
>
> description = [[
> http-wp-enum enumerates usernames in Wordpress installations by 
> exploiting an information disclosure vulnerability existing in 
> versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
>
> Original advisory:
> * 
> http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure 
>
> ]]
> -- @usage
> -- nmap -p80 --script http-wp-enum <host>
> --
> -- @output
> -- PORT   STATE SERVICE REASON
> -- 80/tcp open  http    syn-ack
> -- | http-wp-enum:
> -- | Username found: admin
> -- | Username found: mauricio
> -- | Username found: box
> -- | Username found: carlos
> -- | Username found: laura
> -- | Username found: fer
> -- | Username found: daniel
> -- | Username found: javi
> -- | Username found: daz
> -- | Username found: cesar
> -- | Username found: lean
> -- | Username found: alex
> -- | Username found: ricardo
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Here is the updated version that adds support for an argument to save 
the user list into a file.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-wp-enum.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/