PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-20 14:39:02 +00:00
Code Issues Projects Releases Wiki Activity

Fix some issues with http-wordpress-brute

Browse Source 
1. When the hostname script-arg was used, the script would try to
*connect* to that host instead of the target. Now the argument is used
*only* for the Host: header.

2. The http options table is reused for each request, significantly
reducing the load on the garbage collector over many requests.

3. Do not use both creds.Credentials:new() and creds.Account:new(),
since this results in double-reporting found credentials.
This commit is contained in:
dmiller
2015-12-29 17:14:37 +00:00
parent 8a28707b32
commit e1cf78d57e
1 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
scripts/http-wordpress-brute.nse
View File

@@ -71,7 +71,15 @@ Driver = {
local o = {} local o = {}
setmetatable(o, self) setmetatable(o, self)
self.__index = self self.__index = self
o.host = stdnse.get_script_args('http-wordpress-brute.hostname') or host o.hostname = stdnse.get_script_args('http-wordpress-brute.hostname')
o.http_options = {
no_cache = true,
header = {
-- nil just means not set, so default http.lua behavior
Host = stdnse.get_script_args('http-wordpress-brute.hostname')
}
}
o.host = host
o.port = port o.port = port
o.uri = stdnse.get_script_args('http-wordpress-brute.uri') or DEFAULT_WP_URI o.uri = stdnse.get_script_args('http-wordpress-brute.uri') or DEFAULT_WP_URI
o.options = options o.options = options
@@ -86,13 +94,11 @@ Driver = {
end, end,
login = function( self, username, password ) login = function( self, username, password )
-- Note the no_cache directive stdnse.debug2("HTTP POST %s%s", self.http_options.header.Host or stdnse.get_hostname(self.host), self.uri)
stdnse.debug2("HTTP POST %s%s\n", self.host, self.uri) local response = http.post( self.host, self.port, self.uri, self.http_options,
local response = http.post( self.host, self.port, self.uri, { no_cache = true }, nil, { [self.options.uservar] = username, [self.options.passvar] = password } ) nil, { [self.options.uservar] = username, [self.options.passvar] = password } )
-- This redirect is taking us to /wp-admin -- This redirect is taking us to /wp-admin
if response.status == 302 then if response.status == 302 then
local c = creds.Credentials:new( SCRIPT_NAME, self.host, self.port )
c:add(username, password, creds.State.VALID )
return true, creds.Account:new( username, password, creds.State.VALID) return true, creds.Account:new( username, password, creds.State.VALID)
end end
@@ -104,8 +110,8 @@ Driver = {
end, end,
check = function( self ) check = function( self )
local response = http.get( self.host, self.port, self.uri ) local response = http.get( self.host, self.port, self.uri, self.http_options )
stdnse.debug1("HTTP GET %s%s", stdnse.get_hostname(self.host),self.uri) stdnse.debug1("HTTP GET %s%s", self.http_options.header.Host or stdnse.get_hostname(self.host), self.uri)
-- Check if password field is there -- Check if password field is there
if ( response.status == 200 and response.body:match('type=[\'"]password[\'"]')) then if ( response.status == 200 and response.body:match('type=[\'"]password[\'"]')) then
stdnse.debug1("Initial check passed. Launching brute force attack") stdnse.debug1("Initial check passed. Launching brute force attack")