Script http-drupal-enum-users

Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-drupal-enum-users.nse

Script Summary

Enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module.

Requests to admin/views/ajax/autocomplete/user/STRING return all usernames that begin with STRING. The script works by iterating STRING over letters to extract all usernames.

For more information,see:

• http://www.madirish.net/node/465

See also:

• http-vuln-cve2014-3704.nse

Script Arguments

http-drupal-enum-users.root

base path. Defaults to "/"

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script=http-drupal-enum-users --script-args http-drupal-enum-users.root="/path/" <targets>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-drupal-enum-users:
|   admin
|   alex
|   manager
|_  user

Requires

• http
• json
• shortport
• stdnse
• table

---

Author:

• Hani Benhabiles

License: Same as Nmap--See https://nmap.org/book/man-legal.html