Nmap Development mailing list archives

Re: [NSE] [patch] Big changes to http-enum.nse


From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Oct 2010 22:30:05 -0700

On Tue, Oct 19, 2010 at 04:32:15PM -0700, David Fifield wrote:
On Tue, Oct 19, 2010 at 03:15:16PM -0500, Ron wrote:
On Mon, 18 Oct 2010 14:50:26 -0500 Ron <ron () skullsecurity net> wrote:
Sure, that's a do-able change. I like the idea of expanding a
'probes' table like that; it means we can add extra stuff to probes
fairly easily, if it becomes necessary (maybe an HTTP header or
something).

I also want to move 'severity' into the match table, so each match
can have a different severity rating. Right now, the severities are
ignored, and maybe we'll never use them, but it's there if we want
it. 

I'll work on this tonight and post an updated patch, if I finish it. 

Attaching current version of http-fingerprints.lua. The current revision in
my nmap-http branch reads this and makes the checks properly. 

I'll give it a try tonight but I suspect this will be ready to commit.

Just a few things before you commit:

There are some whitespace inconsistencies in the patch:

     body = options.content
-       elseif request_method_needs_content_length(method) then
-               body = ""
+  elseif request_method_needs_content_length(method) then
+    body = ""
   end
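Review bot: the removed lines are tab-indented while the added lines and the surrounding context use spaces, so this hunk converts indentation as a side effect of the logic change; keep the file's existing indentation style here (or do the tab-to-space conversion of the whole function in a separate whitespace-only change) so the diff shows only the intended edit.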

Make sure that whitespace is consistent throughout any functions you
edited.

Let's use the term "method" instead of "verb," especially in http.lua.

In response_contains, I think I see what you're doing:

+  result, _, m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9] = string.find(case(response['status-line']), pattern)
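Review bot: `response` is indexed here without a nil check; the traceback further down shows exactly this line (http.lua:1864, "attempt to index local 'response' (a nil value)") aborting the whole script when the HTTP request fails, so response_contains should return false (or nil plus an error message) when `response` is nil before touching `response['status-line']`. The hand-enumerated `m[1], ..., m[9]` also silently drops any capture past the ninth; collecting the return values of string.find into a table avoids that limit.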

You can do it more robustly with this: (maybe someone else knows an even
better way)

  -- collect the captures in a table instead of naming each one; {...} avoids the deprecated implicit `arg` table
  local function matches(...) local t = {...} return table.remove(t, 1), table.remove(t, 1), t end
  result, _, m = matches(string.find(case(response['status-line']), pattern))

The parse_url function has already been written as
http://nmap.org/nsedoc/lib/url#parse; can you use that instead?

Finally, I'm getting an error when a page can't be retrieved:

nmap-http$ ./nmap --datadir . --script=http-enum www.bamsoftware.com -d -p80
NSE: HTTP: Page was '200 OK', it exists! (/images/)
NSE: HTTP: HTTP request failed (is the host still up?)
NSE: 'http-enum' (thread: 0x9bf68b8) against 69.164.193.231:80 threw an error!
./nselib/http.lua:1864: attempt to index local 'response' (a nil value)
stack traceback:
        ./nselib/http.lua:1864: in function 'response_contains'
        ./scripts/http-enum.nse:385: in function <./scripts/http-enum.nse:305>
        (tail call): ?

Once these things are addressed you're good to commit.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
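As an added example (not part of Ron's patch or of Nmap's http.lua), here is a sketch of a response_contains that returns false when the request failed instead of indexing a nil response, and that gathers string.find captures into a table rather than naming m[1]..m[9]; the `case` helper, the function's signature and the response table layout are assumptions.

```lua
-- Added example, not Nmap project code. `case`, `response_contains` and the
-- shape of `response` are assumptions modelled on the discussion above.
local function case(s) return string.lower(s) end  -- assumed case-folding helper

-- Wrap string.find so that the captures land in a table: returns start, stop
-- and the table of captures (empty when there is no match).
local function matches(...)
  local t = {...}
  local start = table.remove(t, 1)
  local stop = table.remove(t, 1)
  return start, stop, t
end

-- Returns true plus the capture table when `pattern` matches the status line
-- or the body; returns false when nothing matches or when the request failed.
local function response_contains(response, pattern)
  if response == nil then
    -- http.get returns nil when the request fails; indexing it unconditionally
    -- is what produced "attempt to index local 'response' (a nil value)".
    return false
  end
  local result, _, m = matches(string.find(case(response['status-line'] or ''), pattern))
  if result then return true, m end
  result, _, m = matches(string.find(case(response.body or ''), pattern))
  if result then return true, m end
  return false
end

-- Constructed responses standing in for what http.get would return.
local ok = {
  ['status-line'] = 'HTTP/1.1 200 OK',
  body = '<title>Admin Console v2.1</title>',
}
local failed = nil  -- the "HTTP request failed (is the host still up?)" case

local hit, caps = response_contains(ok, 'admin console v(%d+)%.(%d+)')
assert(hit and caps[1] == '2' and caps[2] == '1')
assert(response_contains(ok, 'not there') == false)
assert(response_contains(failed, 'anything') == false)  -- no crash on nil
print('all checks passed')
```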