Re: [NSE] http-drupal-modules.nse

[Hani Benhabiles <kroosec () gmail com>]

On 05/11/2012 04:21 PM, Patrik Karlsson wrote:
> On Fri, May 11, 2012 at 2:21 PM, Hani Benhabiles <kroosec () gmail com 
> <mailto:kroosec () gmail com>> wrote:
>
>     Hi list,
>
>     description = [[
>     Enumerates the installed Drupal modules by using a list of known
>     modules.
>
>     The script works by requesting
>     /sites/all/modules/MODULE_NAME/LICENSE.txt.
>     If the response status code is 200, it means that the module is
>     installed.
>     By default, the script checks for the top 100 modules (by
>     downloads), given the huge number of existing modules (~10k).
>     ]]
>
>     From what I have found so far, requesting the LICENSE.txt file is
>     the best option because it is added for every module uploaded on
>     drupal.org <http://drupal.org> (normal way to get drupal modules).
>     Other possible options are:
>
>     - Requesting MODULE_NAME/ And checking against the status code of
>     a response for an obviously non-existing module request.
>
>     - Building a DB with records specific for each module (some
>     modules have .js, .css  files or subfolders etc...) which is
>     cumbersome.
>
>     I have also attached a list of Drupal modules ranked by number of
>     downloads (extracted from [1]) that should be copied in nselib/data/
>
>     Any input is welcome.
>
>     [1] http://drupal.org/project/usage
>
>     Cheers,
>     Hani.
>
>     -- 
>     Hani Benhabiles
>     President, OWASP Algeria Student Chapter
>     http://www.owaspalgeriasc.org
>     https://www.owasp.org/index.php/Algeria_Student_Chapter
>     Email: hani.benhabiles () owasp org <mailto:hani.benhabiles () owasp org>
>
>     Twitter: https://twitter.com/#!/kroosec
>     <https://twitter.com/#%21/kroosec>
>     Blog: http://kroosec.blogspot.com
>
>
>     _______________________________________________
>     Sent through the nmap-dev mailing list
>     http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     Archived at http://seclists.org/nmap-dev/
>
>
> Hi Hani,
>
> This looks like a useful script. I haven't tested it yet, but I looked 
> through it briefly and I think it could benefit from detecting a 
> common "problem" where errors or 404 are detected as 200 OK. The 
> http-enum is using http.identify_404 to do this.
>
> I'll try to find a Drupal installation later today and give it a go.
>
> Cheers,
> Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
This would have been true if we were relying on the first option 
(requests to MODULE_NAME/  and checking responses status codes) but in 
the current case, we are requesting static resources (LICENSE.txt) and 
so far, with all installations I have seen, none caused a problem. Maybe 
we could add simple string matching or checking the hash of the response 
body.

If you come across any installations where http.identify_404 is really 
needed, please let me know.

On 05/11/2012 07:14 PM, Henri Doreau wrote:
> Hi Hani,
>
> Thanks for the good work!
> Additionally to what Patrik mentioned, I have a couple (minor)
> observations concerning the script:
>    - get_modules_path should be declared as "local".
>    - the bfqueries variable in the action function is never used.
>    - indentation is broken from line 115 to 118
>
> Beside this it looks good to me.
>
> Regards.

Fixed! thanks.

--
Hani Benhabiles
President, OWASP Algeria Student Chapter
http://www.owaspalgeriasc.org
https://www.owasp.org/index.php/Algeria_Student_Chapter
Email: hani.benhabiles () owasp org

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

Attachment: http-drupal-modules.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/