Nmap Development mailing list archives

Re: [NSE] POST path handling in http-default-accounts-fingerprints
From: nnposter () users sourceforge net
Date: Mon, 29 Jul 2013 22:58:25 +0000

George Chatzisofroniou wrote:
On Fri, Jul 26, 2013 at 11:10:25PM +0000, nnposter () users sourceforge net wrote:
The following patch allows http-default-accounts-fingerprints.lua to
correctly handle cases where the tested fingerprint path does not end
with "/". Without this patch such fingerprints are broken because
try_http_post_login() simply concatenates the path and the target when
building the login request.

As an example, the current fingerprint for Arris 2307 has path set to
"/logo_t.gif" while the target is "login.cgi". The current behavior is
causing the credentials to be submitted to "/logo_t.giflogin.cgi".
With the patch the credentials are sent to "/login.cgi".

I don't really like the concatenation that occurs there. Why not simply pass the
path of the login form?

Like this,

- return try_http_post_login(host, port, path, "index.php", "Invalid User Name/Password", {action="login", 
login_username=user, login_password=pass}, false)
+ return try_http_post_login(host, port, path, "/cacti/index.php", "Invalid User Name/Password", {action="login", 
login_username=user, login_password=pass}, false)

I do not think that this would work. The idea is that the fingerprint
can have multiple probe paths (see the Cisco fingerprint) and then to
test the login page that is in the same location as a probe path that
succeeded. Also, this would break the basepath feature.

Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
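The join logic under discussion, as an added example in Lua that is not code from Nmap or from either poster: the login target is resolved against the directory of the probe path that matched, so "/logo_t.gif" plus "login.cgi" yields "/login.cgi" rather than "/logo_t.giflogin.cgi", and a fingerprint with several probe paths posts to whichever location answered. The `basepath` handling, the `probe_ok` stand-in for the HTTP request, and the fingerprint table are assumptions constructed for the example, not the script's real API.

```lua
-- Added example (not Nmap code): build the login URL relative to the probe
-- path that matched, instead of concatenating path and target.

-- Assumed basepath semantics: a directory prefix such as "/cacti/" under which
-- every fingerprint path is tested; "/" means no prefix.
local function full_path(basepath, path)
  basepath = basepath:gsub("/$", "")      -- drop trailing "/" so we never emit "//"
  return basepath .. path
end

-- Resolve the login target against the directory of the probe path.
local function login_url(path, target)
  if target:sub(1, 1) == "/" then
    return target                         -- absolute target: used verbatim (assumption)
  end
  local dir = (path:gsub("[^/]*$", ""))   -- "/logo_t.gif" -> "/", "/cacti/" -> "/cacti/"
  if dir == "" then dir = "/" end
  return dir .. target
end

-- Constructed fingerprint in the style of the thread: several probe paths and
-- one login target that lives next to whichever probe succeeded.
local fingerprint = {
  paths  = { "/logo_t.gif", "/images/logo_t.gif" },
  target = "login.cgi",
}

-- Stand-in for the HTTP probe; the real script would issue a GET and check
-- the response. Constructed so that only the second path "exists".
local function probe_ok(path)
  return path == "/images/logo_t.gif"
end

-- Try each probe path under basepath; post the login next to the first hit.
local function find_login(basepath, fp)
  for _, p in ipairs(fp.paths) do
    local path = full_path(basepath, p)
    if probe_ok(path) then
      return login_url(path, fp.target)
    end
  end
  return nil
end

-- The bug from the thread: naive concatenation
assert("/logo_t.gif" .. "login.cgi" == "/logo_t.giflogin.cgi")
-- The corrected join
assert(login_url("/logo_t.gif", "login.cgi") == "/login.cgi")
assert(login_url("/cacti/", "index.php") == "/cacti/index.php")
assert(full_path("/cacti/", "/index.php") == "/cacti/index.php")
assert(find_login("/", fingerprint) == "/images/login.cgi")
print("all checks passed")
```

Stripping everything after the final "/" is what makes both fingerprint styles work: a probe path that names a file ("/logo_t.gif") resolves to its parent directory, while one that already ends in "/" is used as the directory itself, so the same relative target serves every probe path and survives a non-default basepath.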
