Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-drupal-modules.nse
From: Hani Benhabiles <kroosec () gmail com>
Date: Thu, 17 May 2012 12:48:10 +0100

On 05/17/2012 09:31 AM, Hani Benhabiles wrote:
On 05/11/2012 09:03 PM, Hani Benhabiles wrote:
On 05/11/2012 04:21 PM, Patrik Karlsson wrote:


On Fri, May 11, 2012 at 2:21 PM, Hani Benhabiles <kroosec () gmail com <mailto:kroosec () gmail com>> wrote:

    Hi list,

    description = [[
    Enumerates the installed Drupal modules by using a list of known
    modules.

    The script works by requesting
    /sites/all/modules/MODULE_NAME/LICENSE.txt.
    If the response status code is 200, it means that the module is
    installed.
    By default, the script checks for the top 100 modules (by
    downloads), given the huge number of existing modules (~10k).
    ]]

    From what I have found so far, requesting the LICENSE.txt file
    is the best option because it is added for every module uploaded
    on drupal.org <http://drupal.org> (normal way to get drupal
    modules). Other possible options are:

    - Requesting MODULE_NAME/ And checking against the status code
    of a response for an obviously non-existing module request.

    - Building a DB with records specific for each module (some
    modules have .js, .css  files or subfolders etc...) which is
    cumbersome.

    I have also attached a list of Drupal modules ranked by number
    of downloads (extracted from [1]) that should be copied in
    nselib/data/

    Any input is welcome.

    [1] http://drupal.org/project/usage

    Cheers,
    Hani.

-- Hani Benhabiles
    President, OWASP Algeria Student Chapter
    http://www.owaspalgeriasc.org
    https://www.owasp.org/index.php/Algeria_Student_Chapter
    Email: hani.benhabiles () owasp org <mailto:hani.benhabiles () owasp org>

    Twitter: https://twitter.com/#!/kroosec
    <https://twitter.com/#%21/kroosec>
    Blog: http://kroosec.blogspot.com


    _______________________________________________
    Sent through the nmap-dev mailing list
    http://cgi.insecure.org/mailman/listinfo/nmap-dev
    Archived at http://seclists.org/nmap-dev/


Hi Hani,

This looks like a useful script. I haven't tested it yet, but I looked through it briefly and I think it could benefit from detecting a common "problem" where errors or 404 are detected as 200 OK. The http-enum is using http.identify_404 to do this.

I'll try to find a Drupal installation later today and give it a go.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77


This would have been true if we were relying on the first option (requests to MODULE_NAME/ and checking responses status codes) but in the current case, we are requesting static resources (LICENSE.txt) and so far, with all installations I have seen, none caused a problem. Maybe we could add simple string matching or checking the hash of the response body.

If you come across any installations where http.identify_404 is really needed, please let me know.

On 05/11/2012 07:14 PM, Henri Doreau wrote:
Hi Hani,

Thanks for the good work!
Additionally to what Patrik mentioned, I have a couple (minor)
observations concerning the script:
   - get_modules_path should be declared as "local".
   - the bfqueries variable in the action function is never used.
   - indentation is broken from line 115 to 118

Beside this it looks good to me.

Regards.


Fixed! thanks.

--
Hani Benhabiles
President, OWASP Algeria Student Chapter
http://www.owaspalgeriasc.org
https://www.owasp.org/index.php/Algeria_Student_Chapter
Email:hani.benhabiles () owasp org

Twitter:https://twitter.com/#!/kroosec
Blog:http://kroosec.blogspot.com
I have committed this after fixing all remaining issues as r28586.

Cheers,
Hani.


--
Hani Benhabiles

Twitter:https://twitter.com/#!/kroosec
Blog:http://kroosec.blogspot.com

After tests done by Patrik, I have added added fallback to GET request methods + response body matching for servers that return non 404 status codes for non-existing files as r28601.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]