Re: [NSE] http-drupal-modules.nse

[Hani Benhabiles <kroosec () gmail com>]

On 05/17/2012 09:31 AM, Hani Benhabiles wrote:
> On 05/11/2012 09:03 PM, Hani Benhabiles wrote:
> > On 05/11/2012 04:21 PM, Patrik Karlsson wrote:
> > > On Fri, May 11, 2012 at 2:21 PM, Hani Benhabiles <kroosec () gmail com 
> > > <mailto:kroosec () gmail com>> wrote:
> > >
> > >     Hi list,
> > >
> > >     description = [[
> > >     Enumerates the installed Drupal modules by using a list of known
> > >     modules.
> > >
> > >     The script works by requesting
> > >     /sites/all/modules/MODULE_NAME/LICENSE.txt.
> > >     If the response status code is 200, it means that the module is
> > >     installed.
> > >     By default, the script checks for the top 100 modules (by
> > >     downloads), given the huge number of existing modules (~10k).
> > >     ]]
> > >
> > >     From what I have found so far, requesting the LICENSE.txt file
> > >     is the best option because it is added for every module uploaded
> > >     on drupal.org <http://drupal.org> (normal way to get drupal
> > >     modules). Other possible options are:
> > >
> > >     - Requesting MODULE_NAME/ And checking against the status code
> > >     of a response for an obviously non-existing module request.
> > >
> > >     - Building a DB with records specific for each module (some
> > >     modules have .js, .css  files or subfolders etc...) which is
> > >     cumbersome.
> > >
> > >     I have also attached a list of Drupal modules ranked by number
> > >     of downloads (extracted from [1]) that should be copied in
> > >     nselib/data/
> > >
> > >     Any input is welcome.
> > >
> > >     [1] http://drupal.org/project/usage
> > >
> > >     Cheers,
> > >     Hani.
> > >
> > >     -- 
> > >     Hani Benhabiles
> > >     President, OWASP Algeria Student Chapter
> > >     http://www.owaspalgeriasc.org
> > >     https://www.owasp.org/index.php/Algeria_Student_Chapter
> > >     Email: hani.benhabiles () owasp org <mailto:hani.benhabiles () owasp org>
> > >
> > >     Twitter: https://twitter.com/#!/kroosec
> > >     <https://twitter.com/#%21/kroosec>
> > >     Blog: http://kroosec.blogspot.com
> > >
> > >
> > >     _______________________________________________
> > >     Sent through the nmap-dev mailing list
> > >     http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > >     Archived at http://seclists.org/nmap-dev/
> > >
> > >
> > > Hi Hani,
> > >
> > > This looks like a useful script. I haven't tested it yet, but I 
> > > looked through it briefly and I think it could benefit from 
> > > detecting a common "problem" where errors or 404 are detected as 200 
> > > OK. The http-enum is using http.identify_404 to do this.
> > >
> > > I'll try to find a Drupal installation later today and give it a go.
> > >
> > > Cheers,
> > > Patrik
> > > --
> > > Patrik Karlsson
> > > http://www.cqure.net
> > > http://twitter.com/nevdull77
> > This would have been true if we were relying on the first option 
> > (requests to MODULE_NAME/  and checking responses status codes) but 
> > in the current case, we are requesting static resources (LICENSE.txt) 
> > and so far, with all installations I have seen, none caused a 
> > problem. Maybe we could add simple string matching or checking the 
> > hash of the response body.
> >
> > If you come across any installations where http.identify_404 is 
> > really needed, please let me know.
> >
> > On 05/11/2012 07:14 PM, Henri Doreau wrote:
> > > Hi Hani,
> > >
> > > Thanks for the good work!
> > > Additionally to what Patrik mentioned, I have a couple (minor)
> > > observations concerning the script:
> > >    - get_modules_path should be declared as "local".
> > >    - the bfqueries variable in the action function is never used.
> > >    - indentation is broken from line 115 to 118
> > >
> > > Beside this it looks good to me.
> > >
> > > Regards.
> >
> > Fixed! thanks.
> >
> > --
> > Hani Benhabiles
> > President, OWASP Algeria Student Chapter
> > http://www.owaspalgeriasc.org
> > https://www.owasp.org/index.php/Algeria_Student_Chapter
> > Email:hani.benhabiles () owasp org
> >
> > Twitter:https://twitter.com/#!/kroosec
> > Blog:http://kroosec.blogspot.com
> I have committed this after fixing all remaining issues as r28586.
>
> Cheers,
> Hani.
>
>
> --
> Hani Benhabiles
>
> Twitter:https://twitter.com/#!/kroosec
> Blog:http://kroosec.blogspot.com

After tests done by Patrik, I have added added fallback to GET request 
methods + response body matching for servers that return non 404 status 
codes for non-existing files as r28601.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/