Nmap Development mailing list archives
Re: http-lfi.nse
From: "Arturo 'Buanzo' Busleiman" <buanzo () buanzo com ar>
Date: Tue, 5 Jun 2012 10:53:23 -0300
+1 to Ron's comments. I was thinking the same yesterday. On 6/5/12, Ron <ron () skullsecurity net> wrote:
On Sat, 2 Jun 2012 20:21:19 +0530 SAN THO <saminside34 () gmail com> wrote:Hi Nmap-Dev, attaching my new NSE. looking forward to hear your feedback on this -- Thanks, SANTHO twitter : @sam34_ <http://twitter.com/sam34_>This code: local param = tostring(nmap.registry.args[SCRIPT_NAME .. '.param']) local cookie = tostring(nmap.registry.args[SCRIPT_NAME .. '.cookie']) local resource = tostring(nmap.registry.args[SCRIPT_NAME .. '.resource']) Should use stdnse.get_script_args(). I believe the syntax (it's been awhile since I've done this) should be: local param, cookie, resource = get_script_args('param', 'cookie', 'resource') That being said, it seems kinda pointless to have a script where the user has to provide a param/cookie/resource. If I already have an idea of which param is going to be vulnerable to LFI - and, worse yet, I already know which file I want to resource - I don't need Nmap to check it for me. I can just check it in a browser or Burp Suite or any number of tools. I can only see this being useful if it automatically checks all parameters discovered by http-spider.nse. Ron _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
-- Sent from my mobile device _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- http-lfi.nse SAN THO (Jun 02)
- Re: http-lfi.nse Ron (Jun 05)
- Re: http-lfi.nse Arturo 'Buanzo' Busleiman (Jun 05)
- <Possible follow-ups>
- Re: http-lfi.nse SAN THO (Jun 05)
- Re: http-lfi.nse Ron (Jun 05)