Nmap Development mailing list archives

[SCRIPT] http-wordpress-enum.nse: improvements.


From: Eugenio Delfa <ed () isbox org>
Date: Sat, 04 Aug 2012 15:41:34 +0200

Hi,

I've found some cases (due to wp themes) where, instead of the expected
404/30x code, I get a 200 HTTP code and a
"http://www.example.com/author/feed/" HREF link for a non-existent ID.
With ([^/]*) instead of the (.-) pattern, this problem is solved.

On the other hand, in some pentesting processes we may need to retrieve
all usernames, so for this I added a 'threshold' parameter for the limit=0 value.
In this particular case, we keep enumerating until we reach 'threshold'
invalid IDs.

diff http-wordpress-enum.nse http-wordpress-enum-improvements.nse
27a28
--- @args http-wordpress-enum.threshold Maximum identifiers numbers
without related username to end enumeration process (just useful for
limit=0 parameter).
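Review bot: the @args text is hard to parse; "Maximum identifiers numbers without related username" should say what is counted and when it applies, e.g. `@args http-wordpress-enum.threshold Number of consecutive IDs with no matching username after which enumeration stops; only used when limit=0.` The hunk also gives no default value, and nothing shown reads the argument with a fallback, so document the default (or state that the argument is required when limit=0) next to it.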
59c60
<       local _, _, user = string.find(req.body,
'https?://.-/author/(.-)/feed')
---
      local _, _, user = string.find(req.body,
'https?://.-/author/([^/]*)/feed')
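Review bot: `([^/]*)` still accepts an empty capture, so a body containing `/author//feed` yields `user == ""`, which is truthy in Lua and would be reported as a found username; use `([^/]+)` so at least one character is required. The change is otherwise right: `(.-)` could run across slashes and line breaks from `/author/` to the next `/feed` anywhere later in the page, which is how the 200 responses with an `/author/feed/` link produced bogus names. The leading `.-` before `/author/` keeps that cross-page behaviour, so consider restricting it with `[^"]-` as well, e.g. `'https?://[^"]-/author/([^/]+)/feed'`.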
120,125c121,147
<   for i=1, tonumber(limit) do
<     local user = get_wp_user(host, port, basepath, i)
<     if user then
<       stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME, user)
<       output[#output+1] = string.format("Username found: %s", user)
<       users[#users+1] = user
---
  local notFounds = 0
  local LastUsernameReached = 0
  local id = 1
  if (tonumber(limit) == 0) then
    repeat
      LastUsernameReached = tonumber(threshold) - notFounds
      if (LastUsernameReached > 0) then
        local user = get_wp_user(host, port, basepath, id)
        if user then
          stdnse.print_debug(1, "%s: Username found -> %s",
SCRIPT_NAME, user)
          output[#output+1] = string.format("Username found: %s", user)
          users[#users+1] = user
          notFounds = 0
        else
          notFounds = notFounds + 1
        end
        id = id + 1
      end
    until LastUsernameReached==0
  else
    for i=1, tonumber(limit) do
      local user = get_wp_user(host, port, basepath, i)
      if user then
        stdnse.print_debug(1, "%s: Username found -> %s", SCRIPT_NAME,
user)
        output[#output+1] = string.format("Username found: %s", user)
        users[#users+1] = user
      end
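Review bot: the limit=0 loop has no guard on `threshold`: if the argument is not supplied, `tonumber(threshold)` is nil and `tonumber(threshold) - notFounds` raises "attempt to perform arithmetic on a nil value"; if it is negative, `LastUsernameReached` never reaches 0 and `until LastUsernameReached==0` never terminates. Validate it where the script arguments are read (fall back to a default, reject values below 1) and simplify the loop to `repeat ... until notFounds >= threshold`, which removes `LastUsernameReached` and the inner `if`. A hard ceiling on `id` would also stop the script running indefinitely against a host that answers with a matching link for every ID, and the found-user handling (debug line, `output`, `users`) is now duplicated with the `else` branch and could move into a small local helper.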

Maybe these minor changes can be useful for anyone!

Cheers,
ed
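An added example, in plain Lua 5.1 rather than NSE, that is not part of the posted patch or of http-wordpress-enum.nse: it runs the old and new link patterns over constructed response bodies (the HTTP 200 theme case described in the post, plus an empty author segment) and shows a threshold loop with guards for an unset or non-positive value. The function names `extract_user`, `enumerate_until_threshold` and `fake_lookup`, the default threshold of 25 and the ID ceiling of 10000 are assumptions introduced here; the sample bodies are constructed, not captured from any site.

```lua
-- Added example (not part of the posted patch or of http-wordpress-enum.nse).
-- Plain Lua 5.1, no NSE libraries: exercises the two changes from the post,
-- the "/author/<name>/feed" link pattern and the threshold-bounded ID loop.

local OLD_PATTERN = 'https?://.-/author/(.-)/feed'
-- '+' rather than the patch's '*': an empty path segment must not count as a hit
local NEW_PATTERN = 'https?://.-/author/([^/]+)/feed'

-- Return the username captured from a response body, or nil when no link matches.
local function extract_user(body, pattern)
  return string.match(body, pattern)
end

-- Constructed response bodies (not captured from any real site).
local samples = {
  -- normal case: an author page with its feed link
  { 'real_user',  '<link href="http://www.example.com/author/admin/feed/" />' },
  -- the theme case from the post: HTTP 200 with an author-less feed link,
  -- followed by another link that also ends in /feed, which (.-) runs into
  { 'missing_id', '<link href="http://www.example.com/author/feed/" />\n'
               .. '<link href="http://www.example.com/comments/feed/" />' },
  -- empty segment: the patch's [^/]* captures "" here, which is truthy in Lua
  { 'empty_name', '<link href="http://www.example.com/author//feed/" />' },
}

-- Render a capture for printing; keeps nil distinguishable from "".
local function show(v)
  if v == nil then return 'nil' end
  return '"' .. (v:gsub('\n', '\\n')) .. '"'
end

for _, s in ipairs(samples) do
  print(string.format('%-10s old=%s  new=%s', s[1],
        show(extract_user(s[2], OLD_PATTERN)),
        show(extract_user(s[2], NEW_PATTERN))))
end

-- Stop after `threshold` consecutive IDs without a username (the limit=0 mode
-- from the patch), with two guards the posted loop lacks: an unset or
-- non-positive threshold falls back to a default instead of erroring or
-- spinning, and a ceiling on the ID bounds the total number of lookups.
local function enumerate_until_threshold(lookup, threshold, max_id)
  threshold = tonumber(threshold)
  if not threshold or threshold < 1 then threshold = 25 end   -- assumed default
  max_id = max_id or 10000                                    -- assumed ceiling
  local users, misses, id = {}, 0, 1
  while misses < threshold and id <= max_id do
    local user = lookup(id)
    if user then
      users[#users + 1] = user
      misses = 0            -- the counter is of *consecutive* misses
    else
      misses = misses + 1
    end
    id = id + 1
  end
  return users, id - 1      -- usernames found and the last ID tried
end

-- Constructed stand-in for get_wp_user(): only IDs 1, 2 and 5 have authors.
local fake_site = { [1] = 'admin', [2] = 'editor', [5] = 'guest' }
local function fake_lookup(id) return fake_site[id] end

local found, last_id = enumerate_until_threshold(fake_lookup, 3, 100)
print(table.concat(found, ', '), 'last id tried:', last_id)
-- the same call with threshold=nil or -1 uses the default instead of failing
local found2 = enumerate_until_threshold(fake_lookup, -1, 100)
print(#found2 .. ' users with a guarded threshold')
```

With threshold 3 the loop stops after IDs 6, 7 and 8 all miss, so it reports admin, editor and guest and a last tried ID of 8; the ceiling keeps a site that answers for every ID from turning limit=0 into an unbounded scan.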
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

