Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Created NSE script to detect Zimbra 0 day
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Dec 2013 12:32:52 -0600

On 12/19/2013 12:10 PM, Ron wrote:
It works if I switch out the string.match() with "==".

I don't know why, though!

Ron

On 2013-12-19 11:57, Ron wrote:
>It is indeed returning that value. The string.match() doesn't seem to be
>working, though I don't understand why.
>
>If I change the code to this:
>
>if string.match(escape(detection_session.header['content-type']), "application/x-javascript") then
>   stdnse.print_debug(1, "The website may be vulnerable to the Zimbra 0-day.")
>   vuln.state = vulns.STATE.EXPLOIT
>   return vuln_report:make_output(detection_session.body)
>else
>   stdnse.print_debug(1, " \n'" .. escape(detection_session.header['content-type']) .. "' 
!=\n'application/x-javascript'")
>   stdnse.print_debug(1, "Bad content-type for the resource : " .. detection_session.header['content-type'])
>   return
>end
>
>It prints this:
>
>NSE: GET 
/zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
>NSE:
>'application/x-javascript' !=
>'application/x-javascript'
>
>Which makes absolutely no sense.
You need to escape the "-" in the pattern. Lua patterns use weird syntax, explained here: http://www.lua.org/manual/5.2/manual.html#6.4.1

The "-" means "ungreedy 0-or-more," similar to *? in PCRE. The escape character is "%", so your match should be: string.match( whatever, "application/x%-javascript" )

Or, as Ron pointed out, a more strict equality.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault