Re: http-wordpress-enum or (http-wordpress-users)

[Paulino Calderon Pale <calderon () websec mx>]

Hey Thierry,

Thanks for the idea. I remember I got that URL from an advisory and it worked well during testing. I will implement 
your patch and test it.

Ps. I’m cc’ing the mailing list in case anyone know other links we could use to extract users.

Cheers!

> On Feb 11, 2015, at 8:08 AM, thierry schmit <thierry.schmit () gmail com> wrote:
>
> Hello,
>
> I would like to suggest an improvement to your scrip in the function get_wp_user
>
> local function get_wp_user(host, port, path, id)
>   stdnse.print_debug(2, "%s: Trying to get username with id %s", SCRIPT_NAME, id)
>   local req = http.get(host, port, path.."?author="..id, { no_cache = true})
>   if req.status then
>     stdnse.print_debug(1, "%s: User id #%s returned status %s", SCRIPT_NAME, id, req.status)
>     if req.status == 301 then
>       local _, _, user = string.find(req.header.location, 'https?://.*/.*/(.*)/')
>       return user
>     elseif req.status == 200 then
>       -- Users with no posts get a 200 response, but the name is in an RSS link.
>       -- http://seclists.org/nmap-dev/2011/q3/812 <http://seclists.org/nmap-dev/2011/q3/812>
>       local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/')
>       if user == nil then
>           _, _, user = string.find(req.body, 'body .- author%-(%a-) ')
>       end
>       return user
>     end
>   end
>   return false
> end
>
> this allows to the script to work with at least wordpress 4.0
>
> thank you for the script
>
> thierry

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/