Nmap Development mailing list archives
[NSE] A few fixes for http-rfi-spider.nse
From: nnposter () users sourceforge net
Date: Wed, 10 Sep 2014 23:03:25 +0000
The reporting of vulnerable parameters from the query string appears to be broken. Specifically, the vulnerable parameters are accumulated in a table that is not a sequence but later on the output is generated only if the length of the table is positive, which never happens. The patch below removes the "if #suspects>0" conditional. (The patch appears bigger due to indentation adjustments.) --- scripts/http-rfi-spider.nse.orig 2014-09-10 14:57:16.858622500 -0600 +++ scripts/http-rfi-spider.nse 2014-09-10 14:57:52.350171300 -0600 @@ -216,12 +216,10 @@ local new_urls = build_urls(injectable) local responses = inject(host, port, new_urls) local suspects = check_responses(new_urls, responses) - if #suspects > 0 then - for p,q in pairs(suspects) do - local vulnerable_fields = q - vulnerable_fields["name"] = "Possible RFI in parameters at path: "..p.." for queries:" - table.insert(return_table, vulnerable_fields) - end + for p,q in pairs(suspects) do + local vulnerable_fields = q + vulnerable_fields["name"] = "Possible RFI in parameters at path: "..p.." for queries:" + table.insert(return_table, vulnerable_fields) end end end The default URL for file inclusion (http-rfi-spider.inclusionurl) is no longer suitable for the script. The reason is that the script expects to find a particular pattern (http-rfi-spider.pattern) in the body of the tested URL but this default inclusion URL does not currently result in HTTP/200 with a body but in a HTTP/301 cross-origin redirect. The patch below replaces the defaults for the URL and the pattern with reasonably immutable values from tools.ietf.org with the hope that they will provide better long-term stability. --- scripts/http-rfi-spider.nse.orig 2014-09-10 14:57:52.350171300 -0600 +++ scripts/http-rfi-spider.nse 2014-09-10 16:00:07.800338800 -0600 @@ -16,10 +16,10 @@ -- |_ inc -- -- @args http-rfi-spider.inclusionurl the url we will try to include, defaults --- to <code>http://www.yahoo.com/search?p=rfi</code> +-- to <code>http://tools.ietf.org/html/rfc13?</code> -- @args http-rfi-spider.pattern the pattern to search for in <code>response.body</code> -- to determine if the inclusion was successful, defaults to --- <code>'<a href="http://search.yahoo.com/info/submit.html">Submit Your Site</a>'</code> +-- <code>'20 August 1969'</code> -- @args http-rfi-spider.maxdepth the maximum amount of directories beneath -- the initial url to spider. A negative value disables the limit. -- (default: 3) @@ -158,8 +158,8 @@ portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open") function action(host, port) - inclusion_url = stdnse.get_script_args('http-rfi-spider.inclusionurl') or 'http://www.yahoo.com/search?p=rfi' - local pattern_to_search = stdnse.get_script_args('http-rfi-spider.pattern') or '<a href="http://search%.yahoo%.com/info/submit%.html">Submit Your Site</a>' + inclusion_url = stdnse.get_script_args('http-rfi-spider.inclusionurl') or 'http://tools.ietf.org/html/rfc13?' + local pattern_to_search = stdnse.get_script_args('http-rfi-spider.pattern') or '20 August 1969' -- once we know the pattern we'll be searching for, we can set up the function check_response = function(body) return string.find(body, pattern_to_search) end The patch below provides a more robust path construction for submitting forms by offloading the logic to url.absolute(). --- scripts/http-rfi-spider.nse.orig 2014-09-10 16:15:08.501338800 -0600 +++ scripts/http-rfi-spider.nse 2014-09-10 16:41:13.412328400 -0600 @@ -75,16 +75,7 @@ local postdata = generate_safe_postdata(form) local sending_function, response - local action_absolute = string.find(form["action"], "^https?://") - -- determine the path where the form needs to be submitted - local form_submission_path - if action_absolute then - form_submission_path = form["action"] - else - local path_cropped = string.match(path, "(.*/).*") - path_cropped = path_cropped and path_cropped or "" - form_submission_path = path_cropped..form["action"] - end + local form_submission_path = url.absolute(path, form.action) if form["method"]=="post" then sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end else NOTE: The patch offsets may differ by 8 lines, depending whether the patch from http://seclists.org/nmap-dev/2014/q3/427 has been already applied or not. Cheers, nnposter _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] A few fixes for http-rfi-spider.nse nnposter (Sep 10)