Refactor the script to address multiple issues

- Add support for HTTPS
  - Add support for IPv6
  - Add support for more than one path argument
  - Properly identify the Location header in the HTTP response
  - Properly identify the destination host in the Location header
  - Leverage normalized IP address comparison
  - Avoid processing the HTTP response body, possibly "endless"
  - Add the found IP address as a new scan target (optionally)
Close #3218, close #3191)

CHANGELOG

@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [GH#3191][GH#3218] Script http-internal-ip-disclosure has been enhanced,
+  including added support for IPv6 and HTTPS and more accurate processing
+  of target responses. [nnposter]
+
 o [GH#3194] RPC-based scripts were sporadically failing due to privileged
   port conflicts. [nnposter]
 

scripts/http-internal-ip-disclosure.nse

@@ -1,21 +1,30 @@
+local comm = require "comm"
+local ipOps = require "ipOps"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
-local ipOps = require "ipOps"
+local target = require "target"
+local url = require "url"
 
 description =  [[
-Determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header.
+Determines if the web server leaks its internal IP address when sending
+an HTTP/1.0 request without a Host header.
 
 Some misconfigured web servers leak their internal IP address in the response
 headers when returning a redirect response. This is a known issue for some
 versions of Microsoft IIS, but affects other web servers as well.
+
+If script argument <code>newtargets</code> is set, the script will
+add the found IP address as a new target into the scan queue. (See
+the documentation for NSE library <code>target</code> for details.)
 ]]
 
 ---
 -- @usage nmap --script http-internal-ip-disclosure <target>
--- @usage nmap --script http-internal-ip-disclosure --script-args http-internal-ip-disclosure.path=/path <target>
+-- @usage nmap --script http-internal-ip-disclosure --script-args http-internal-ip-disclosure.path=/mypath <target>
 --
--- @args http-internal-ip-disclosure.path Path to URI. Default: /
+-- @args http-internal-ip-disclosure.path Path (or a table of paths) to probe
+--                                        Default: /
 --
 -- @output
 -- 80/tcp open  http    syn-ack
@@ -27,61 +36,59 @@ versions of Microsoft IIS, but affects other web servers as well.
 --
 -- @see ssl-cert-intaddr.nse
 
-author = "Josh Amishav-Zlatin"
+author = {"Josh Amishav-Zlatin", "nnposter"}
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = { "vuln", "discovery", "safe" }
 
 portrule = shortport.http
 
-local function generateHttpV1_0Req(host, port, path)
+action = function(host, port)
-  local redirectIP, privateIP
+  local patharg = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
-  local socket = nmap.new_socket()
+  if type(patharg) ~= "table" then
-  socket:connect(host, port)
+    patharg = {patharg}
-
-  local cmd = "GET " .. path .. " HTTP/1.0\r\n\r\n"
-  socket:send(cmd)
-
-  while true do
-    local status, lines = socket:receive_lines(1)
-    if not status then
-      break
   end
-
+  local paths = stdnse.output_table()
-    -- Check if the response contains a location header
+  for _, path in ipairs(patharg) do
-    if lines:match("Location") then
+    paths[path] = 1
-      local locTarget = lines:match("Location: [%a%p%d]+")
-      -- Check if the redirect location contains an IP address
-      redirectIP = locTarget:match("[%d%.]+")
-      if redirectIP then
-        privateIP = ipOps.isPrivate(redirectIP)
   end
+  paths["/images"] = 1
 
-      stdnse.debug1("Location: %s", locTarget )
+  local socket
-      stdnse.debug1("Internal IP: %s", redirectIP )
+  local bopt = nil
+  local try = nmap.new_try(function () socket:close() end)
+  for path in pairs(paths) do
+    local req = "GET " .. path .. " HTTP/1.0\r\n\r\n"
+    local resp
+    if not bopt then
+      socket, resp, bopt = comm.tryssl(host, port, req)
+      if not socket then return end
+    else
+      try(socket:connect(host, port, bopt))
+      try(socket:send(req))
+      resp = ""
     end
+    local findhead = function (s)
+                       return s:find("\r?\n\r?\n")
+                     end
+    if not findhead(resp) then
+      resp = resp .. try(socket:receive_buf(findhead, true))
     end
-
     socket:close()
 
-  -- Only report if the internal IP leaked is different then the target IP
+    local loc = resp:lower():match("\nlocation:[ \t]+(%S+)")
-  if privateIP and redirectIP ~= host.ip then
+    local lochost = url.parse(loc or "").host
-    return redirectIP
+    if lochost and lochost ~= "" then
-  end
+      -- remove any IPv6 enclosure
-end
+      lochost = lochost:gsub("^%[(.*)%]$", "%1")
 
-action = function(host, port)
+      if ipOps.isPrivate(lochost) and ipOps.compare_ip(lochost, "ne", host.ip) then
+        if target.ALLOW_NEW_TARGETS then
+          target.add(lochost)
+        end
         local output = stdnse.output_table()
-  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
+        output["Internal IP Leaked"] = lochost
-  local IP = generateHttpV1_0Req(host, port, path)
-
-  -- Check /images which is often vulnerable on some unpatched IIS servers
-  if not IP and path ~= "/images" then
-    path = "/images"
-    IP = generateHttpV1_0Req(host, port, path)
-  end
-
-  if IP then
-    output["Internal IP Leaked"] = IP
         return output
       end
     end
+  end
+end