Re: [NSE] Created NSE script to detect Zimbra 0 day

[Daniel Miller <bonsaiviking () gmail com>]

On 12/19/2013 12:10 PM, Ron wrote:
> It works if I switch out the string.match() with "==".
>
> I don't know why, though!
>
> Ron
>
> On 2013-12-19 11:57, Ron wrote:
> > >It is indeed returning that value. The string.match() doesn't seem to be
> > >working, though I don't understand why.
> > >
> > >If I change the code to this:
> > >
> > >if string.match(escape(detection_session.header['content-type']), "application/x-javascript") then
> > >   stdnse.print_debug(1, "The website may be vulnerable to the Zimbra 0-day.")
> > >   vuln.state = vulns.STATE.EXPLOIT
> > >   return vuln_report:make_output(detection_session.body)
> > >else
> > >   stdnse.print_debug(1, " \n'" .. escape(detection_session.header['content-type']) .. "' 
> > !=\n'application/x-javascript'")
> > >   stdnse.print_debug(1, "Bad content-type for the resource : " .. detection_session.header['content-type'])
> > >   return
> > >end
> > >
> > >It prints this:
> > >
> > >NSE: GET 
> > /zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
> > >NSE:
> > >'application/x-javascript' !=
> > >'application/x-javascript'
> > >
> > >Which makes absolutely no sense.
You need to escape the "-" in the pattern. Lua patterns use weird 
syntax, explained here: http://www.lua.org/manual/5.2/manual.html#6.4.1

The "-" means "ungreedy 0-or-more," similar to *? in PCRE. The escape 
character is "%", so your match should be: string.match( whatever, 
"application/x%-javascript" )

Or, as Ron pointed out, a more strict equality.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/