Nmap Development mailing list archives
[NSE] POST path handling in http-default-accounts-fingerprints
From: nnposter () users sourceforge net
Date: Fri, 26 Jul 2013 23:10:25 +0000
The following patch allows http-default-accounts-fingerprints.lua to correctly handle cases where the tested fingerprint path does not end with "/". Without this patch such fingerprints are broken because try_http_post_login() simply concatenates the path and the target when building the login request. As an example, the current fingerprint for Arris 2307 has path set to "/logo_t.gif" while the target is "login.cgi". The current behavior is causing the credentials to be submitted to "/logo_t.giflogin.cgi". With the patch the credentials are sent to "/login.cgi". Cheers, nnposter Patch against revision 31543 follows: --- nselib/data/http-default-accounts-fingerprints.lua.orig 2013-07-26 16:05:14.859375000 -0600 +++ nselib/data/http-default-accounts-fingerprints.lua 2013-07-26 16:51:47.859375000 -0600 @@ -47,7 +47,7 @@ -- @return True if login in was successful --- local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects) - local req = http.post(host, port, path..target, {no_cache=true}, nil, params) + local req = http.post(host, port, path:gsub("[^/]+$","")..target, {no_cache=true}, nil, params) local status = ( req and tonumber(req.status) ) or 0 if follow_redirects and ( status > 300 and status < 400 ) then _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] POST path handling in http-default-accounts-fingerprints nnposter (Jul 26)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints George Chatzisofroniou (Jul 29)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints nnposter (Jul 29)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints George Chatzisofroniou (Jul 29)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints nnposter (Aug 13)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints George Chatzisofroniou (Aug 15)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints nnposter (Jul 29)
- Re: [NSE] POST path handling in http-default-accounts-fingerprints George Chatzisofroniou (Jul 29)