Script http-wordpress-users

Script types: portrule
Categories: auth, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-wordpress-users.nse

Script Summary

Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.

Original advisory:

• http://www.talsoft.com.ar/site/research/security-advisories/wordpress-user-id-and-user-name-disclosure/

Script Arguments

http-wordpress-users.out

If set it saves the username list in this file.

http-wordpress-users.basepath

Base path to Wordpress. Default: /

http-wordpress-users.limit

Upper limit for ID search. Default: 25

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-wordpress-users <target>
nmap -sV --script http-wordpress-users --script-args limit=50 <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-wordpress-users:
| Username found: admin
| Username found: mauricio
| Username found: cesar
| Username found: lean
| Username found: alex
| Username found: ricardo
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'

Requires

• http
• io
• nmap
• shortport
• stdnse
• string
• table

---

Author:

• Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

host

 

port