id: drupal-user-enum-ajax

info:
  name: Drupal User Enumration [Ajax]
  author: 0w4ys
  severity: info
  metadata:
    max-request: 4
    shodan-query:
      - http.component:"drupal"
      - cpe:"cpe:2.3:a:drupal:drupal"
    product: drupal
    vendor: drupal
  tags: drupal,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
      - "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '":"a.'
          - '":"A.'
        part: body

      - type: word
        words:
          - "application/json"
        part: header

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - '"[\w \-\_\@\.]+\"'
# digest: 4b0a00483046022100bdbf76b56e073c28f8078a1eda9f062410bbcf8f306c39a15a1c63a8e6d429cb022100a3a55c3ec4bae976431606e3d60511a408532e4979474156cd10ff82e61e3f5d:922c64590222798bb761d5b6d8e72950