local http = require "http"
local io = require "io"
local nmap = require "nmap"
local pcre = require "pcre"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Enumerates the installed Drupal modules by using a list of known modules.
The script works by iterating over module names and requesting
MODULES_PATH/MODULE_NAME/LICENSE.txt. MODULES_PATH is either provied by the
user, grepped for in the html body or defaulting to sites/all/modules/. If the
response status code is 200, it means that the module is installed. By
default, the script checks for the top 100 modules (by downloads), given the
huge number of existing modules (~10k).
]]
---
-- @args http-drupal-modules.root The base path. Defaults to <code>/</code>.
-- @args http-drupal-modules.number Number of modules to check.
-- Use this option with a number or "all" as an argument to test for all modules.
-- Defaults to <code>100</code>.
-- @args http-drupal-modules.modules_path The path to the modules folder. If not set, the script will try to
-- find the path or default to <code>sites/all/modules/</code>
--
-- @usage
-- nmap --script=http-drupal-modules --script-args http-drupal-modules.root="/path/",http-drupal-modules.number=1000 <targets>
--
--@output
-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-drupal-modules:
-- | views
-- | token
-- | cck
-- | pathauto
-- | ctools
-- | admin_menu
-- | imageapi
-- | filefield
-- | date
-- | imagecache
-- | imagefield
-- | google_analytics
-- | webform
-- | jquery_ui
-- |_ link
author = "Hani Benhabiles"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}
portrule = shortport.service("http")
--- Attempts to find modules path
--@param host nmap host table
--@param port nmap port table
--@param root Where to grep for the modules base path
local get_modules_path = function(host, port, root)
local default_path = "sites/all/modules/"
local modules_path = stdnse.get_script_args(SCRIPT_NAME .. '.modules_path')
if modules_path == nil then
-- greps response body for sign of the modules path
local pathregex = "sites/[a-zA-Z0-9.-]*/modules/"
local body = http.get(host, port, root).body
local regex = pcre.new(pathregex, 0, "C")
local limit, limit2, matches = regex:match(body)
if limit ~= nil then
modules_path = body:sub(limit, limit2)
end
end
return modules_path or default_path
end
action = function(host, port)
local root = stdnse.get_script_args(SCRIPT_NAME .. '.root') or "/"
local result = stdnse.output_table()
local all = {}
local requests = {}
local count = 0
local method = "HEAD"
local identification_string = "GNU GENERAL PUBLIC LICENSE"
-- Default number of modules to be checked.
local modules_limit = stdnse.get_script_args(SCRIPT_NAME .. '.number')
if modules_limit == 'all' then
modules_limit = nil
elseif modules_limit == nil then
modules_limit = 100
else
modules_limit = tonumber(modules_limit)
end
local modules_path = get_modules_path(host, port, root)
--Check modules list
local drupal_modules_list = nmap.fetchfile("nselib/data/drupal-modules.lst")
if not drupal_modules_list then
return false, "Couldn't find nselib/data/drupal-modules.lst"
end
-- We default to HEAD requests unless the server returns
-- non 404 (200 or other) status code
local response = http.head(host,port,root .. modules_path .. "randomaBcD/LICENSE.txt")
if response.status ~= 404 then
method = "GET"
end
for module_name in io.lines(drupal_modules_list) do
count = count + 1
if modules_limit and count>modules_limit then break end
-- add request to pipeline
all = http.pipeline_add(root .. modules_path.. module_name .. "/LICENSE.txt",
nil, all, method)
-- add to requests buffer
table.insert(requests, module_name)
end
-- send requests
local pipeline_responses = http.pipeline_go(host, port, all)
if not pipeline_responses then
stdnse.print_debug(1, "No answers from pipelined requests", SCRIPT_NAME)
return nil
end
for i, response in pairs(pipeline_responses) do
-- Module exists if 200 on HEAD
-- or contains identification string for GET
if method == "HEAD" and response.status == 200 or
method == "GET" and response.status == 200 and
string.match(response.body, identification_string) then
table.insert(result, requests[i])
end
end
return result
end
@KyuuKazami