Nmap Development mailing list archives

[NSE] A few fixes for http-rfi-spider.nse


From: nnposter () users sourceforge net
Date: Wed, 10 Sep 2014 23:03:25 +0000

The reporting of vulnerable parameters from the query string appears
to be broken. Specifically, the vulnerable parameters are accumulated
in a table that is not a sequence but later on the output is generated
only if the length of the table is positive, which never happens. The
patch below removes the "if #suspects>0" conditional. (The patch appears
bigger due to indentation adjustments.)

--- scripts/http-rfi-spider.nse.orig    2014-09-10 14:57:16.858622500 -0600
+++ scripts/http-rfi-spider.nse 2014-09-10 14:57:52.350171300 -0600
@@ -216,12 +216,10 @@
       local new_urls = build_urls(injectable)
       local responses = inject(host, port, new_urls)
       local suspects = check_responses(new_urls, responses)
-      if #suspects > 0 then
-        for p,q in pairs(suspects) do
-          local vulnerable_fields = q
-          vulnerable_fields["name"] = "Possible RFI in parameters at path: "..p.." for queries:"
-          table.insert(return_table, vulnerable_fields)
-        end
+      for p,q in pairs(suspects) do
+        local vulnerable_fields = q
+        vulnerable_fields["name"] = "Possible RFI in parameters at path: "..p.." for queries:"
+        table.insert(return_table, vulnerable_fields)
       end
     end
   end
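Review bot: Dropping the `if #suspects > 0` guard is the right fix here, since `#` only reports the length of a table's sequence part (integer keys 1..n) and `suspects` is keyed by path strings, as the loop's use of `p` in the message text shows; if an emptiness test is still wanted, `if next(suspects) ~= nil then` is the idiomatic check for a map. Minor: `local vulnerable_fields = q` is a plain alias, so the loop mutates the entry inside `suspects` in place; writing `q.name = ...` and inserting `q` directly would make that visible to the next reader.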


The default URL for file inclusion (http-rfi-spider.inclusionurl) is no
longer suitable for the script. The reason is that the script expects
to find a particular pattern (http-rfi-spider.pattern) in the body of
the tested URL but this default inclusion URL does not currently result
in HTTP/200 with a body but in an HTTP/301 cross-origin redirect. The
patch below replaces the defaults for the URL and the pattern with
reasonably immutable values from tools.ietf.org with the hope that they
will provide better long-term stability.

--- scripts/http-rfi-spider.nse.orig    2014-09-10 14:57:52.350171300 -0600
+++ scripts/http-rfi-spider.nse 2014-09-10 16:00:07.800338800 -0600
@@ -16,10 +16,10 @@
 -- |_    inc
 --
 -- @args http-rfi-spider.inclusionurl the url we will try to include, defaults
---       to <code>http://www.yahoo.com/search?p=rfi</code>
+--       to <code>http://tools.ietf.org/html/rfc13?</code>
 -- @args http-rfi-spider.pattern the pattern to search for in <code>response.body</code>
 --       to determine if the inclusion was successful, defaults to
---       <code>'<a href="http://search.yahoo.com/info/submit.html";>Submit Your Site</a>'</code>
+--       <code>'20 August 1969'</code>
 -- @args http-rfi-spider.maxdepth the maximum amount of directories beneath
 --       the initial url to spider. A negative value disables the limit.
 --       (default: 3)
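Review bot: The `http-rfi-spider.pattern` doc line should say that the value is a Lua pattern (the code hunk below hands it straight to `string.find`), so magic characters need `%` escaping; `'20 August 1969'` happens to contain none, but anyone overriding the default will hit this. It would also help to add a few words on why the new `inclusionurl` default ends in a trailing `?`, since nothing in the doc explains it and a user supplying their own URL may not know whether to keep it.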
@@ -158,8 +158,8 @@
 portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
 
 function action(host, port)
-  inclusion_url = stdnse.get_script_args('http-rfi-spider.inclusionurl') or 'http://www.yahoo.com/search?p=rfi&apos;
-  local pattern_to_search = stdnse.get_script_args('http-rfi-spider.pattern') or '<a 
href="http://search%.yahoo%.com/info/submit%.html";>Submit Your Site</a>'
+  inclusion_url = stdnse.get_script_args('http-rfi-spider.inclusionurl') or 'http://tools.ietf.org/html/rfc13?&apos;
+  local pattern_to_search = stdnse.get_script_args('http-rfi-spider.pattern') or '20 August 1969'
 
   -- once we know the pattern we'll be searching for, we can set up the function
   check_response = function(body) return string.find(body, pattern_to_search) end
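Review bot: `inclusion_url` is still assigned without `local`, so `action()` leaks a global; make it `local inclusion_url = ...` unless another function in the script relies on the global. Separately, `check_response` calls `string.find(body, pattern_to_search)` without the plain flag, so the user-supplied value is interpreted as a Lua pattern; either document that (the old default escaped its dots with `%.`, the new one silently depends on having no magic characters) or switch to a literal match with `string.find(body, pattern_to_search, 1, true)`.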


The patch below provides a more robust path construction for submitting
forms by offloading the logic to url.absolute().

--- scripts/http-rfi-spider.nse.orig    2014-09-10 16:15:08.501338800 -0600
+++ scripts/http-rfi-spider.nse 2014-09-10 16:41:13.412328400 -0600
@@ -75,16 +75,7 @@
   local postdata = generate_safe_postdata(form)
   local sending_function, response
 
-  local action_absolute = string.find(form["action"], "^https?://")
-  -- determine the path where the form needs to be submitted
-  local form_submission_path
-  if action_absolute then
-    form_submission_path = form["action"]
-  else
-    local path_cropped = string.match(path, "(.*/).*")
-    path_cropped = path_cropped and path_cropped or ""
-    form_submission_path = path_cropped..form["action"]
-  end
+  local form_submission_path = url.absolute(path, form.action)
   if form["method"]=="post" then
     sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end
   else
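Review bot: Neither the removed code nor `url.absolute(path, form.action)` handles a form with no `action` attribute (which browsers submit to the current URL); `form.action` being nil would now reach `url.absolute` instead of `string.find`, so a fallback such as `form.action or path` (or skipping the form) is worth adding in the same change. Also confirm the script already does `local url = require "url"` at the top, since this hunk introduces the dependency but the require is outside the visible context.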



NOTE: The patch offsets may differ by 8 lines, depending on whether the
patch from http://seclists.org/nmap-dev/2014/q3/427 has been already
applied or not.


Cheers,
nnposter
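An added illustration of the length-operator point behind the first patch; it is not part of the patch or of http-rfi-spider.nse itself. The shape of the `suspects` table (path strings mapping to a list of query strings) is an assumption based on the loop in the first hunk, and the sample contents are constructed.

```lua
-- Added example, not from the patch or from http-rfi-spider.nse: why the
-- "if #suspects > 0" guard never fires on a path-keyed table.

-- Constructed sample of what check_responses() is assumed to return: a map
-- from request path to the query strings that looked injectable.
local suspects = {
  ["/index.php"] = { "page=", "file=" },
  ["/view.php"]  = { "id=" },
}

-- The length operator reports a border of the sequence part (integer keys
-- 1..n). With only string keys there is no sequence part, so # is 0.
assert(#suspects == 0)

-- For a map, "is there any key at all" is the real question; next() answers it.
local function is_nonempty(t)
  return next(t) ~= nil
end
assert(is_nonempty(suspects))
assert(not is_nonempty({}))

-- The replacement loop from the patch: pairs() visits string keys, so the
-- output rows are produced whether or not # is positive.
local return_table = {}
for p, q in pairs(suspects) do
  q.name = "Possible RFI in parameters at path: " .. p .. " for queries:"
  table.insert(return_table, q)
end
assert(#return_table == 2)

for _, row in ipairs(return_table) do
  print(row.name, table.concat(row, ", "))
end
```

The asserts hold under Lua 5.1 through 5.4: a table with no positive integer keys has a border of 0, which is exactly why the original conditional could never be true.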