Nmap Development mailing list archives

Re: [NSE Script] MySQL Server Information


From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Tue, 18 Dec 2007 14:30:12 -0600

Kris Katterjohn wrote:
> jah wrote:
>> I noticed that too, but my testing showed that string.match(s,pattern)
>> that I used, matched regardless of case.  (My testing involved changing
>> the case of pattern rather than of anything in nmap-service-probes,
>> which may have been flawed thinking).  What's the difference between
>> string.match(s,pattern) and s:match(pattern), is it the same operation
>> expressed differently?
>
> That's interesting about match().  I don't think your test was flawed,
> because I would've tried that myself :) I haven't read anywhere that
> explicitly states it's case-insensitive, and grepping in scripts/ shows
> that HTTPAuth.nse contains a character set of "[Aa]" in there.. but
> Thomas could just be as confused as me :)  I'll leave it for now since
> I'm not sure (but if we can find a link showing that it is, in fact,
> case insensitive I'll certainly remove it).


First off, sorry to be so late joining this thread.  I've been wanting 
to contribute, but I'm swamped right now, and just haven't been able to 
find time.

As far as I know, patterns in Lua are case-sensitive, although I can't 
find any specific online references that support that statement. 
Here's a quick test from a command-line Lua interpreter:

D:\Scratch\lua5_1_2_Win32_bin>lua5.1.exe
Lua 5.1.2  Copyright (C) 1994-2007 Lua.org, PUC-Rio
a = "a"
m = string.match(a, "a")
print(m)
a
m = string.match(a, "A")
print(m)
nil




> I hope people find it useful.  I'll look into adding other things, like
> attempting logins, etc.



This was really the main reason I wanted to jump in.  About 3 weeks ago, 
I started working on a MySQL script myself.  Unfortunately, things got 
very busy, and I haven't had time to make significant progress on it. 
However, I was able to successfully log in to MySQL servers using the 
extended login capabilities introduced in 4.1.  To log in with a password 
requires the ability to create SHA1 hashes of the password and the salt 
received from the server, which was my motivation for the NSE/OpenSSL 
patches I posted to the list recently: 
http://seclists.org/nmap-dev/2007/q4/0472.html

I'm really busy through the end of the year, but I'd love to be able to 
help with this effort.  I can post the very rough code that I have 
cobbled together for you guys to look at, or I can try to integrate my 
login code into Kris's script once I have time.

Thanks,

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

