Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] POST path handling in http-default-accounts-fingerprints
From: George Chatzisofroniou <sophron () latthi com>
Date: Tue, 30 Jul 2013 00:40:30 +0300

On Fri, Jul 26, 2013 at 11:10:25PM +0000, nnposter () users sourceforge net wrote:
The following patch allows http-default-accounts-fingerprints.lua to
correctly handle cases where the tested fingerprint path does not end
with "/". Without this patch such fingerprints are broken because
try_http_post_login() simply concatenates the path and the target when
building the login request.

As an example, the current fingerprint for Arris 2307 has path set to
"/logo_t.gif" while the target is "login.cgi". The current behavior is
causing the credentials to be submitted to "/logo_t.giflogin.cgi".
With the patch the credentials are sent to "/login.cgi".

I don't really like the concatenation that occurs there. Why not simply pass the
path of the login form?

Like this,

Index: nselib/data/http-default-accounts-fingerprints.lua
===================================================================
--- nselib/data/http-default-accounts-fingerprints.lua  (revision 31578)
+++ nselib/data/http-default-accounts-fingerprints.lua  (working copy)
@@ -47,14 +47,13 @@
 -- @return True if login in was successful
 ---
 local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects)
-    local req = http.post(host, port, path..target, {no_cache=true}, nil, params)
+    local req = http.post(host, port, target, {no_cache=true}, nil, params)
@@ -74,7 +73,7 @@
     {username = "admin", password = "admin"}
   },
   login_check = function (host, port, path, user, pass)
-    return try_http_post_login(host, port, path, "index.php", "Invalid User Name/Password", {action="login", 
login_username=user, login_password=pass}, false)
+    return try_http_post_login(host, port, path, "/cacti/index.php", "Invalid User Name/Password", {action="login", 
login_username=user, login_password=pass}, false)
   end
 })
 
@@ -108,7 +107,7 @@
     {username = "admin", password = "axis2"}
   },
   login_check = function (host, port, path, user, pass)
-    return try_http_post_login(host, port, path, "login", "Invalid auth credentials!", {submit="+Login+", 
userName=user, password=pass})
+    return try_http_post_login(host, port, path, "/axis2/axis2-admin/login", "Invalid auth credentials!", 
{submit="+Login+", userName=user, password=pass})
   end
 })
 ---
@@ -124,7 +123,7 @@
     {username = "", password = ""}
   },
   login_check = function (host, port, path, user, pass)
-    return try_http_post_login(host, port, path, "login.cgi", "Login Error !!", {action="submit", page="", logout="", 
pws=pass})
+    return try_http_post_login(host, port, path, "/login.cgi", "Login Error !!", {action="submit", page="", logout="", 
pws=pass})
   end
 })

-- 
George Chatzisofroniou
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]