Nmap Development mailing list archives
Update to http-wordpress-users.nse
From: Desenvolvimento via dev <dev () nmap org>
Date: Sat, 17 Aug 2019 15:45:54 +0200
Hi,

Been a long time since my last post to this list :P

I was making use of the http-wordpress-users.nse script when I noticed a bug. The regular expression for the case when the server returns a 200 HTTP status is too open; it needs to be more specific. When there is a link similar to the feed link that occurs before the feed link, the expression will include everything between that initial link and the feed link. An example output of when this happens follows below.

80/tcp open  http    syn-ack ttl 128
| http-wordpress-users:
|   Username found: administrator/" />
| <link rel="alternate" hreflang="nl-NL" href=" http://scanme.nmap.org/author/administrator/" />
|
| (snipped for brevity)
|
| <link rel="alternate" type="application/rss+xml" title="ScanMe » Posts by Administrator Feed" href=" http://scanme.nmap.org/author/administrator/

To fix this, the group that matches/captures the author username will only do so until it finds a forward slash.

Patch follows below.

Cheers,
Duarte

Index: scripts/http-wordpress-users.nse
===================================================================
--- scripts/http-wordpress-users.nse	(revision 37717)
+++ scripts/http-wordpress-users.nse	(working copy)
@@ -64,7 +64,7 @@
     elseif req.status == 200 then
       -- Users with no posts get a 200 response, but the name is in an RSS link.
       -- http://seclists.org/nmap-dev/2011/q3/812
-      local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/')
+      local _, _, user = string.find(req.body, 'https?://.-/author/([^/]+)/feed/')
       return user
     end
   end
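Review bot: the fix tightens only the capture group; the host portion `https?://.-/author/` still uses `.-`, which in Lua patterns also spans newlines and tags, so a match may still begin at an earlier `/author/` link, though with `([^/]+)/feed/` the captured username can now only be the one immediately followed by `/feed/`. A short comment beside the new pattern explaining that `[^/]+` stops at the path separator (and why the hreflang link tripped the old `(.-)` group) would save the next reader from re-discovering the seclists thread.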
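The two patterns from the patch above, run against a constructed page body that reproduces the link ordering described in the report. This is an added example, not code from the original post or from Nmap's http-wordpress-users.nse; the HTML body, the `extract_user` helper and the pattern names are assumptions made for the illustration.

```lua
-- Added example (not part of the original post or of Nmap's script).
-- Constructed sample body: a hreflang <link> for the author page precedes
-- the RSS feed <link>, which is the ordering that triggered the bug.
local body = [[
<link rel="alternate" hreflang="nl-NL" href="http://scanme.nmap.org/author/administrator/" />
<link rel="alternate" type="application/rss+xml" title="ScanMe » Posts by Administrator Feed" href="http://scanme.nmap.org/author/administrator/feed/" />
]]

local OLD_PATTERN = 'https?://.-/author/(.-)/feed/'     -- before the patch
local NEW_PATTERN = 'https?://.-/author/([^/]+)/feed/'  -- after the patch

-- Mirrors the script's extraction: string.find returns start, end, capture.
local function extract_user(html, pattern)
  local _, _, user = string.find(html, pattern)
  return user
end

local old_user = extract_user(body, OLD_PATTERN)
local new_user = extract_user(body, NEW_PATTERN)

-- Why the old pattern over-captures: '.-' is the shortest match, but '.' in a
-- Lua pattern also matches newlines and quotes, so once 'https?://.-/author/'
-- has anchored on the hreflang link, '(.-)' keeps growing until the first
-- '/feed/' anywhere later in the document, swallowing the markup in between.
-- '[^/]+' cannot cross the slash that ends the username, so no match can
-- complete at the hreflang link and the capture comes from the feed link.
print(("old capture (%d chars): %q"):format(#old_user, old_user))
print(("new capture: %q"):format(new_user))

assert(new_user == "administrator")
assert(old_user ~= "administrator")
assert(old_user:find("rss+xml", 1, true) ~= nil)  -- markup leaked into the old capture
```

Run it with any Lua 5.x interpreter (`lua example.lua`); the assertions at the end encode the expected behaviour of both patterns, and the printed old capture shows the same `administrator/" /> ...` prefix that appeared in the reported Nmap output.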
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Update to http-wordpress-users.nse Desenvolvimento via dev (Aug 17)
- Re: Update to http-wordpress-users.nse David Fifield (Aug 22)