Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[PATCH] http-open-proxy - improvement to pattern for matching response status-line
From: jah <jah () zadkiel plus com>
Date: Mon, 29 Jun 2009 01:53:16 +0100

Evening All,

Attached is a patch for http-open-proxy which prevents some false
positives when testing the http status-line in a response.
(This usually happens when testing a target with the CONNECT method, but
also if the user supplies --script-args openproxy.url, but not
openproxy.pattern)

The current patterns used to match the http status-line are not
restricted to matching a valid http status-line.
An example is the pattern "^http.*200.*" which matched the following in
a response:

http/1.1 501 not supported
server: microsoft-iis/5.1
date: sun, 28 jun 200

and resulted in:

8080/tcp open  http    Microsoft IIS webserver 5.1
|  http-open-proxy: Potentially OPEN proxy.
|_ Methods succesfully tested: CONNECT


The patch also tidies-up a few stray variables and typo's.

Regards,

jah


--- http-open-proxy.nse.orig    2009-06-28 01:17:28.390625000 +0100
+++ http-open-proxy.nse 2009-06-28 01:14:52.500000000 +0100
@@ -51,10 +51,8 @@
 -- () param result connection result
 -- () return true if any of the status is found, otherwise false
 function check_code(result)
-       local status = false
-       if string.match(result:lower(),"^http.*200.*") then return true end
-       if string.match(result:lower(),"^http.*301.*") then return true end     
-       if string.match(result:lower(),"^http.*302.*") then return true end
+       if string.match(result:lower(),"^http/%d\.%d%s*200") then return true end
+       if string.match(result:lower(),"^http/%d\.%d%s*30[12]") then return true end
        return false
 end
 
@@ -63,9 +61,9 @@
 -- () param pattern The pattern to be searched
 -- () return true if pattern is found, otherwise false
 function check_pattern(result, pattern)
-       lines = stdnse.strsplit("\n", result)
-       i = 1
-       n = table.getn(lines)
+       local lines = stdnse.strsplit("\n", result)
+       local i = 1
+       local n = table.getn(lines)
        while true do
                if i > n then return false end
                if string.match(lines[i]:lower(),pattern) then return true end
@@ -90,14 +88,9 @@
 portrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})
 
 action = function(host, port)
-       local response
-       local i
        local retval
-       local supported_methods = "\nMethods succesfully tested: "
+       local supported_methods = "\nMethods successfully tested: "
        local fstatus = false
-
-       -- Default url = nmap.org
-       -- Default host = nmap.org
        local test_url = "http://www.google.com";
        local hostname = "www.google.com"
        local pattern = "^server: gws"

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]