PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 06:01:28 +00:00
Code Issues Projects Releases Wiki Activity

http-form-fuzzer decrease max length if server report error 413 or 414

Browse Source
This commit is contained in:
gio
2015-08-18 16:25:12 +00:00
parent 730c9936bb
commit dd0c38778a
1 changed files with 20 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
scripts/http-form-fuzzer.nse
View File

@@ -47,7 +47,7 @@ determine if the fuzzing was successful.
-- defaults to 310000 -- defaults to 310000
-- --
author = "Piotr Olma" author = "Piotr Olma, Gioacchino Mazzurco"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"fuzzer", "intrusive"} categories = {"fuzzer", "intrusive"}
@@ -58,6 +58,9 @@ local string = require 'string'
local table = require 'table' local table = require 'table'
local url = require 'url' local url = require 'url'
local minlen_global = stdnse.get_script_args("http-form-fuzzer.minlength") or 300000
local maxlen_global = stdnse.get_script_args("http-form-fuzzer.maxlength") or 310000
-- generate a charset that will be used for fuzzing -- generate a charset that will be used for fuzzing
local function generate_charset(left_bound, right_bound, ...) local function generate_charset(left_bound, right_bound, ...)
local t = ... or {} local t = ... or {}
@@ -73,12 +76,12 @@ end
-- check if the response we got indicates that fuzzing was successful -- check if the response we got indicates that fuzzing was successful
local function check_response(response) local function check_response(response)
if not(response.body) or response.status==500 then if not(response.body) or response.status==500 then
return true return true, response.status
end end
if response.body:find("[Ss][Ee][Rr][Vv][Ee][Rr]%s*[Ee][Rr][Rr][Oo][Rr]") or response.body:find("[Ss][Qq][Ll]%s*[Ee][Rr][Rr][Oo][Rr]") then if response.body:find("[Ss][Ee][Rr][Vv][Ee][Rr]%s*[Ee][Rr][Rr][Oo][Rr]") or response.body:find("[Ss][Qq][Ll]%s*[Ee][Rr][Rr][Oo][Rr]") then
return true return true, response.status
end end
return false return false, response.status
end end
-- checks if a field is of type we want to fuzz -- checks if a field is of type we want to fuzz
@@ -117,11 +120,20 @@ local function fuzz_field(field, minlen, maxlen, postdata, sending_function)
postdata[field["name"]] = stdnse.generate_random_string(i, charset_number) postdata[field["name"]] = stdnse.generate_random_string(i, charset_number)
response_number = sending_function(postdata) response_number = sending_function(postdata)
if (check_response(response_string)) then local success, status_code = check_response(response_string)
if success then
affected_string[#affected_string+1]=i affected_string[#affected_string+1]=i
elseif status_code==413 or status_code==414 then
maxlen_global = i-1
break
end end
if (check_response(response_number)) then
success, status_code = check_response(response_number)
if success then
affected_int[#affected_int+1]=i affected_int[#affected_int+1]=i
elseif status_code==413 or status_code==414 then
maxlen_global = i-1
break
end end
end end
postdata[field["name"]] = "sampleString" postdata[field["name"]] = "sampleString"
@@ -172,8 +184,6 @@ end
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open") portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
function action(host, port) function action(host, port)
local minlen_global = stdnse.get_script_args("http-form-fuzzer.minlength") or 300000
local maxlen_global = stdnse.get_script_args("http-form-fuzzer.maxlength") or 310000
local targets = stdnse.get_script_args('http-form-fuzzer.targets') or {{path="/"}} local targets = stdnse.get_script_args('http-form-fuzzer.targets') or {{path="/"}}
local return_table = {} local return_table = {}