Nmap Development mailing list archives
Re: [SCRIPT] http-wordpress-enum.nse: improvements.
From: Ron <ron () skullsecurity net>
Date: Sat, 4 Aug 2012 08:51:01 -0500
Check out how http-enum.nse handles 404 errors - it grabs a sample 404 page and matches other pages against it using functions I wrote in http.lua.

Ron

On 2012-08-04 15:41, Eugenio Delfa wrote:
Hi,

I've found some cases (due to wp themes) where, instead of the expected 404/30x code, I get a 200 HTTP code and a "http://www.example.com/author/feed/" HREF link for a non-existent ID. With the ([^/]*) pattern instead of (.-), this problem is solved.

On the other hand, in some pentesting processes we may need to retrieve all usernames. So for this I added a 'threshold' parameter for the limit=0 value. In this particular case, we keep enumerating until we reach 'threshold' invalid IDs.

diff http-wordpress-enum.nse http-wordpress-enum-improvements.nse 27a28--- @args http-wordpress-enum.threshold Maximum identifiers numberswithout related username to end enumeration process (just useful for limit=0 parameter). 59c60 < local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed') ---local _, _, user = string.find(req.body,'https?://.-/author/([^/]*)/feed') 120,125c121,147 < for i=1, tonumber(limit) do < local user = get_wp_user(host, port, basepath, i) < if user then < stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME, user) < output[#output+1] = string.format("Username found: %s", user) < users[#users+1] = user ---local notFounds = 0 local LastUsernameReached = 0 local id = 1 if (tonumber(limit) == 0) then repeat LastUsernameReached = tonumber(threshold) - notFounds if (LastUsernameReached > 0) then local user = get_wp_user(host, port, basepath, id) if user then stdnse.print_debug(1, "%s: Username found -> %s",SCRIPT_NAME, user)output[#output+1] = string.format("Username found: %s", user) users[#users+1] = user notFounds = 0 else notFounds = notFounds + 1 end id = id + 1 end until LastUsernameReached==0 else for i=1, tonumber(limit) do local user = get_wp_user(host, port, basepath, i) if user then stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME,user)output[#output+1] = string.format("Username found: %s", user) users[#users+1] = user end

Maybe these minor changes can be useful for anyone!
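Review bot: the new @args text in the 27a28 hunk ("Maximum identifiers numberswithout related username to end enumeration process") is hard to parse and does not say what the value actually controls; in the loop hunk below, notFounds is reset to 0 on every hit, so threshold is the number of consecutive IDs without a username after which enumeration stops, not a total. Suggest wording it that way, e.g. "@args http-wordpress-enum.threshold Number of consecutive IDs with no username after which enumeration stops (only used when limit=0)", and stating the default, since no default for threshold is visible anywhere in this diff.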
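Review bot: `([^/]*)` in the 59c60 hunk matches the empty string, so a body containing `/author//feed` yields user == "" which is truthy in Lua, gets reported as "Username found: " and resets notFounds in the new loop. `([^/]+)` requires at least one character and keeps the fix for the case where `(.-)` ran on to a later `/feed` elsewhere in the page. The prefix `https?://.-/author/` still uses `.-`, which can span the whole body as well; `https?://[^/]+/author/` pins the match to a single host part.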
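Review bot: the repeat loop in the 120,125c121,147 hunk has no bound on `id` and its exit test `until LastUsernameReached==0` is fragile. Nothing in this diff reads `threshold` from the script arguments or gives it a default, so `tonumber(threshold) - notFounds` raises an arithmetic-on-nil error when the argument is omitted, and a negative or non-integer threshold makes LastUsernameReached step past 0 without ever equalling it, so the loop never ends. Suggest validating the argument up front (`threshold = tonumber(threshold)`, reject values < 1 with a clear error), changing the condition to `until LastUsernameReached <= 0`, and adding a hard cap on `id` so a host that returns a username for every ID cannot keep the script running indefinitely. The found-username block (print_debug, output[...], users[...]) is also duplicated between the limit=0 and limit>0 branches; a small local function would avoid the copy.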
Cheers,
ed

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [SCRIPT] http-wordpress-enum.nse: improvements. Eugenio Delfa (Aug 04)
- Re: [SCRIPT] http-wordpress-enum.nse: improvements. Ron (Aug 04)
- Re: [SCRIPT] http-wordpress-enum.nse: improvements. David Fifield (Aug 07)