Nmap Development mailing list archives
[PATCH] http-open-proxy - improvement to pattern for matching response status-line
From: jah <jah () zadkiel plus com>
Date: Mon, 29 Jun 2009 01:53:16 +0100
Evening All,

Attached is a patch for http-open-proxy which prevents some false positives when testing the http status-line in a response. (This usually happens when testing a target with the CONNECT method, but also if the user supplies --script-args openproxy.url, but not openproxy.pattern)

The current patterns used to match the http status-line are not restricted to matching a valid http status-line. An example is the pattern "^http.*200.*" which matched the following in a response:

http/1.1 501 not supported
server: microsoft-iis/5.1
date: sun, 28 jun 200

and resulted in:

8080/tcp open http Microsoft IIS webserver 5.1
| http-open-proxy: Potentially OPEN proxy.
|_ Methods succesfully tested: CONNECT

The patch also tidies up a few stray variables and typos.

Regards,
jah
--- http-open-proxy.nse.orig 2009-06-28 01:17:28.390625000 +0100 +++ http-open-proxy.nse 2009-06-28 01:14:52.500000000 +0100 @@ -51,10 +51,8 @@ --@param result connection result --@return true if any of the status is found, otherwise false function check_code(result) - local status = false - if string.match(result:lower(),"^http.*200.*") then return true end - if string.match(result:lower(),"^http.*301.*") then return true end - if string.match(result:lower(),"^http.*302.*") then return true end + if string.match(result:lower(),"^http/%d\.%d%s*200") then return true end + if string.match(result:lower(),"^http/%d\.%d%s*30[12]") then return true end return false end @@ -63,9 +61,9 @@ --@param pattern The pattern to be searched --@return true if pattern is found, otherwise false function check_pattern(result, pattern) - lines = stdnse.strsplit("\n", result) - i = 1 - n = table.getn(lines) + local lines = stdnse.strsplit("\n", result) + local i = 1 + local n = table.getn(lines) while true do if i > n then return false end if string.match(lines[i]:lower(),pattern) then return true end @@ -90,14 +88,9 @@ portrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'}) action = function(host, port) - local response - local i local retval - local supported_methods = "\nMethods succesfully tested: " + local supported_methods = "\nMethods successfully tested: " local fstatus = false - - -- Default url = nmap.org - -- Default host = nmap.org local test_url = "http://www.google.com" local hostname = "www.google.com" local pattern = "^server: gws"
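Review bot: in the first hunk (check_code) the new patterns "^http/%d\.%d%s*200" and "^http/%d\.%d%s*30[12]" use "\." to escape the dot, but "\." is a string escape, not a Lua pattern escape: Lua 5.1 keeps an unrecognised escape as the bare character (later Lua versions reject it as an invalid escape), so the pattern actually compiled is "^http/%d.%d%s*200", where "." matches any character. The pattern escape is "%.", i.e. "^http/%d%.%d%s*200". Two smaller points while touching these lines: "%s*" also accepts no whitespace at all, so "%s+" is the stricter choice, and a trailing "%s" after the code ("200%s", "30[12]%s") would stop a status code such as "2000" from matching. The main goal of the change, stopping ".*" from running across line breaks into the Date header, is otherwise met.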
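Review bot: table.getn(lines) in the second hunk (check_pattern) is deprecated in Lua 5.1 in favour of the length operator, so "local n = #lines" is the idiomatic form; with the lines now local, the "while true do ... if i > n then return false end" walk could also become "for _, line in ipairs(lines) do", which removes the index bookkeeping altogether. Making lines, i and n local is the right fix regardless, since they were previously leaking into the global table on every call.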
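Review bot: the third hunk (action) removes "local response" and "local i", but any remaining uses of those names are outside the visible context; if either is still assigned further down in action, dropping the declaration turns it into a global, the same leak the second hunk fixes in check_pattern, so please confirm both are genuinely unused in the rest of the function before this goes in. The "successfully" spelling fix in supported_methods also changes the script's visible output line, which is worth a word in the commit message.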
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
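The false positive described in the mail, reproduced as an added example (this is not code from the patch or from Nmap's http-open-proxy.nse): a loose pattern of the form "^http.*200.*" is compared with a stricter status-line pattern of my own against a constructed IIS 501 response whose Date header contains the digits "200". The stricter pattern assumes the HTTP/x.y form of a status-line; the sample responses are constructed for the example.

```lua
-- Added example, not part of the patch or of Nmap's http-open-proxy.nse.
-- Shows why "^http.*200.*" misfires and how a status-line-anchored
-- pattern avoids it. Uses only the standard string library.

-- Constructed sample responses. The first reproduces the false positive
-- from the mail: a 501 whose Date header contains "2009".
local iis_501 = "HTTP/1.1 501 Not Supported\r\n"
             .. "Server: Microsoft-IIS/5.1\r\n"
             .. "Date: Sun, 28 Jun 2009 00:53:16 GMT\r\n\r\n"
local ok_200  = "HTTP/1.1 200 OK\r\nServer: gws\r\n\r\n"
local redir   = "HTTP/1.0 302 Found\r\nLocation: http://www.google.com/\r\n\r\n"

-- Loose check: in Lua patterns "." also matches "\n", so ".*" runs past
-- the status-line and the "200" inside "2009" is enough to satisfy it.
local function check_code_loose(result)
  local r = result:lower()
  return r:match("^http.*200.*") ~= nil
      or r:match("^http.*301.*") ~= nil
      or r:match("^http.*302.*") ~= nil
end

-- Strict check (my own pattern): "%." is the Lua pattern escape for a
-- literal dot, "%s+" requires the space before the status code, and the
-- trailing "%s" keeps "2000" or "3020" from matching.
local function check_code_strict(result)
  local r = result:lower()
  return r:match("^http/%d%.%d%s+200%s") ~= nil
      or r:match("^http/%d%.%d%s+30[12]%s") ~= nil
end

-- The loose pattern reports the 501 as a success; the strict one does not,
-- while real 200 and 302 status-lines are still recognised.
assert(check_code_loose(iis_501) == true,  "loose pattern: expected false positive")
assert(check_code_strict(iis_501) == false, "strict pattern: 501 must not match")
assert(check_code_strict(ok_200) == true,   "strict pattern: 200 must match")
assert(check_code_strict(redir) == true,    "strict pattern: 302 must match")
print("status-line checks behave as expected")
```

Run it with any Lua 5.1 or later interpreter; the assertions pass silently and the final line prints. The point of the trailing "%s" is that a status code is exactly three digits followed by a space, so anchoring both sides of the code is what makes the pattern a status-line check rather than a substring search.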