Nmap Development mailing list archives
Update to http-wp-enum.nse
From: Duarte Silva <duarte.silva () serializing me>
Date: Sun, 18 Sep 2011 19:41:04 +0100
Hi, I was testing this script against a vulnerable WordPress installation and found out that the script wasn't returning all the users that were available on that installation. I decided to investigate why this was happening and found out that WordPress responds with a 200 HTTP status code when a user is found but doesn't have any posts. After looking at the returned web page source code, I found out that it is possible to extract the user login name from the RSS feed link. Something along the lines of
... href="http://scanme.insecure.org/author/<user login>/feed/" />
I have updated the script (the current version only checks for the redirect that contains the user login) and got a lot more results :P Also the original advisory [1] states the following:
WordPress version 3.1.3 fixes the redirection problem, but user names are still being disclosed in the HTML code. No solution was provided for this last problem.
Checked against the latest version of WordPress, and it is possible to obtain the user login using the RSS feed link. Also updated the script to support blogs served over HTTPS.

[1] http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure

Regards,
Duarte Silva
Index: scripts/http-wp-enum.nse =================================================================== --- scripts/http-wp-enum.nse (revision 26589) +++ scripts/http-wp-enum.nse (working copy) @@ -51,8 +51,11 @@ if req.status then stdnse.print_debug(1, "%s: User id #%s returned status %s", SCRIPT_NAME, id, req.status) if req.status == 301 then - local _, _, user = string.find(req.header.location, 'http://.*/.*/(.*)/') + local _, _, user = string.find(req.header.location, 'https?://.*/.*/(.*)/') return user + elseif req.status == 200 then + local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/') + return user end end return false
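Review bot: In the new `elseif req.status == 200` branch, `string.find(req.body, 'https?://.-/author/(.-)/feed/')` returns the first `/author/<name>/feed/` link found anywhere in the body, so a page that happens to link to a different author's feed (a sidebar or template link, for instance) would be reported as the user behind the requested id even when it is not; consider tightening the pattern to the self-closing `href="..." />` feed element quoted in the message rather than accepting any feed URL in the body. Two smaller points on the same lines: when the pattern does not match, `string.find` yields nil, so this branch returns nil where the rest of the function returns false, and the three-value `string.find` form is more simply written with `string.match`, e.g. `local user = string.match(req.body, 'https?://.-/author/(.-)/feed/')` followed by `return user or false`, which also keeps the return type consistent.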
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Update to http-wp-enum.nse Duarte Silva (Sep 18)
- Re: Update to http-wp-enum.nse David Fifield (Sep 30)