Nmap Development mailing list archives
[SCRIPT] http-wordpress-enum.nse: improvements.
From: Eugenio Delfa <ed () isbox org>
Date: Sat, 04 Aug 2012 15:41:34 +0200
Hi, I've found some cases (due to wp themes) where, instead of the expected 404/30x code, I get a 200 HTTP code and an "http://www.example.com/author/feed/" HREF link for a non-existent ID. With the ([^/]*) pattern instead of (.-), this problem is solved. On the other hand, in some pentesting processes we may need to retrieve all usernames. So for this I added a 'threshold' parameter, for the limit=0 value. In this particular case, we keep enumerating until we reach 'threshold' invalid IDs.
diff http-wordpress-enum.nse http-wordpress-enum-improvements.nse 27a28
--- @args http-wordpress-enum.threshold Maximum identifiers numbers
without related username to end enumeration process (just useful for limit=0 parameter). 59c60 < local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed') ---
local _, _, user = string.find(req.body,
'https?://.-/author/([^/]*)/feed') 120,125c121,147 < for i=1, tonumber(limit) do < local user = get_wp_user(host, port, basepath, i) < if user then < stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME, user) < output[#output+1] = string.format("Username found: %s", user) < users[#users+1] = user ---
local notFounds = 0 local LastUsernameReached = 0 local id = 1 if (tonumber(limit) == 0) then repeat LastUsernameReached = tonumber(threshold) - notFounds if (LastUsernameReached > 0) then local user = get_wp_user(host, port, basepath, id) if user then stdnse.print_debug(1, "%s: Username found -> %s",
SCRIPT_NAME, user)
output[#output+1] = string.format("Username found: %s", user) users[#users+1] = user notFounds = 0 else notFounds = notFounds + 1 end id = id + 1 end until LastUsernameReached==0 else for i=1, tonumber(limit) do local user = get_wp_user(host, port, basepath, i) if user then stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME,
user)
output[#output+1] = string.format("Username found: %s", user) users[#users+1] = user end
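Review bot: in the 27a28 hunk the @args text for http-wordpress-enum.threshold is hard to parse and gives no default, and nothing in this diff actually reads the argument (no `stdnse.get_script_args` change is shown), so in the limit=0 path `tonumber(threshold) - notFounds` operates on nil and raises an error. Suggest a `local threshold = stdnse.get_script_args(SCRIPT_NAME .. ".threshold") or <default>` line (placeholder default, to be chosen) and wording such as `@args http-wordpress-enum.threshold Number of consecutive IDs with no username after which enumeration stops. Only used when limit=0.`, plus a note in the `limit` description that 0 now means "no upper bound".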
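Review bot: in the 59c60 hunk `([^/]*)` still accepts an empty segment, so a body containing `/author//feed` captures `""`, which is truthy in Lua and would be reported as "Username found: " with an empty name. `([^/]+)` keeps the fix for the theme case (a bare `/author/feed/` link no longer matches because the captured segment must itself be followed by `/feed`) while rejecting the empty capture; the caller could also guard with `if user and #user > 0 then`.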
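Review bot: in the 120,125c121,147 hunk the limit=0 branch never terminates if threshold is negative (LastUsernameReached is below zero on every pass, so `until LastUsernameReached==0` is never true and no state changes), and errors if threshold is non-numeric; the `if (LastUsernameReached > 0)` guard inside the `repeat` is also redundant with the `until` condition. Suggest validating threshold once before the loop (`tonumber(threshold)` and `> 0`, else a default) and collapsing both branches into a single loop, e.g. `repeat local user = get_wp_user(host, port, basepath, id) ... id = id + 1 until (limit > 0 and id > limit) or (limit == 0 and notFounds >= threshold)`, which removes the duplicated found/not-found handling. Minor: `LastUsernameReached` is capitalised unlike the rest of the script and reads as a flag, while it actually holds the number of misses still allowed; `remaining` or `missesLeft` would be clearer.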
Maybe these minor changes can be useful for anyone!
Cheers, ed
_______________________________________________
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
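The pattern change is the core of this post, so here is an added example (not part of the posted patch or of the script) that runs the pre-patch pattern, the patched pattern, and a `([^/]+)` variant over constructed response bodies: a real author page, a theme that answers 200 with a bare `/author/feed/` link, and a body with an empty author segment. It needs only a plain `lua` interpreter, no NSE libraries.

```lua
-- Added example: behaviour of the three candidate Lua patterns on constructed
-- WordPress response bodies. The bodies below are made up for illustration.
local patterns = {
  old  = 'https?://.-/author/(.-)/feed',     -- pre-patch pattern
  new  = 'https?://.-/author/([^/]*)/feed',  -- pattern as posted in the diff
  safe = 'https?://.-/author/([^/]+)/feed',  -- variant that rejects an empty segment
}

-- Constructed bodies (not real server output).
local bodies = {
  real  = '<link rel="alternate" href="http://www.example.com/author/alice/feed/" />',
  -- Theme that returns 200 for an unknown ID with a bare /author/feed/ link.
  theme = '<a href="http://www.example.com/author/feed/">Feed</a> '
       .. '<a href="http://www.example.com/feed/">Main</a>',
  -- Degenerate case: empty author segment.
  empty = '<a href="http://www.example.com/author//feed/">Feed</a>',
}

-- Mirrors the script's extraction: the third return value of string.find is
-- the first capture, or nil when the pattern does not match.
local function extract(pattern, body)
  local _, _, user = string.find(body, pattern)
  return user
end

for _, bname in ipairs({ 'real', 'theme', 'empty' }) do
  for _, pname in ipairs({ 'old', 'new', 'safe' }) do
    local user = extract(patterns[pname], bodies[bname])
    -- 'old' on the theme body captures a long junk string (the false positive
    -- described in the post); 'new' and 'old' on the empty body capture "",
    -- which is truthy in Lua; only 'safe' returns nil for both.
    print(string.format('%-5s %-4s -> %s', bname, pname,
                        user and ('"' .. user .. '"') or 'nil'))
  end
end
```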