Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

[NSE] 404 handling in http-default-accounts-fingerprints

From: nnposter () users sourceforge net
Date: Sat, 27 Jul 2013 01:33:25 +0000
The following patch allows http-default-accounts-fingerprints.lua to
correctly handle cases where the response in try_http_post_login() is
HTTP/404. Without this patch such cases can be misinterpreted as
authentication successes due to the fact that the response does not
contain the validation string, such as "Invalid auth credentials!" or
"Login Error !!".

Cheers,
nnposter


Patch against revision 31543 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig     2013-07-26 16:05:14.859375000 -0600
+++ nselib/data/http-default-accounts-fingerprints.lua  2013-07-26 19:28:03.734375000 -0600
@@ -53,7 +53,7 @@
     if follow_redirects and ( status > 300 and status < 400 ) then
       req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false })
     end
-    if not(http.response_contains(req, failstr)) then
+    if req.status and req.status ~= 404 and not(http.response_contains(req, failstr)) then
       return true
     end
     return false
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: