Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problems with 302 Redirects #3

Open
at-ACOnet-CERT opened this issue Mar 5, 2021 · 1 comment
Open

Problems with 302 Redirects #3

at-ACOnet-CERT opened this issue Mar 5, 2021 · 1 comment

Comments

@at-ACOnet-CERT
Copy link

at-ACOnet-CERT commented Mar 5, 2021
edited
Loading

Hi,
thank you for the fine .nse, we're getting tons of results already.
As we are scanning based on ip addresses, an issue comes up everytime a web server redirects the request to it's domain name.
Here's what happens (IP address redacted, obvioulsy):

/usr/local/bin/nmap -Pn --host-timeout 30s -n --script support/http-vuln-exchange.nse -p 443 -d 256.257.258.259
gives

[...]
NSE: http-vuln-exchange against 256.257.258.259:443 threw an error!
support/http-vuln-exchange.nse:131: attempt to concatenate field 'location' (a table value)
stack traceback:
        support/http-vuln-exchange.nse:121: in function <support/http-vuln-exchange.nse:115>
        (...tail calls...)
[...]

I'm completely new to .nse and lua, but as far as I understand it, there are actually two problems here:

  1. The default redirect_ok-script isn't fine with a redirect from ip address to fqdn (that's how I read the docs), thus http.get() returns an answer with status 302 instead of chasing the redirect
  2. The concatenation fails because answer.location is a table, not a string

I'd like to propose a patch that seems to fix the problem for me.

/!\ Be aware that this version, after chasing the redirects, might end up on another machine than the one originally called.

*** /home/acocert/lib/http-vuln-exchange.nse    2021-03-05 14:48:51.000000000 +0100
--- support/http-vuln-exchange.nse      2021-03-05 17:03:58.000000000 +0100
***************
*** 112,124 ****
    end
  end
  
  action = function(host, port)
    local dis_count, noun
!   options = {header={}}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end
--- 112,133 ----
    end
  end
  
+ redirect_ok = function(host,port)
+      local c = 3
+      return function(url)
+        if ( c==0 ) then return false end
+        c = c - 1
+        return true
+      end
+    end
+ 
  action = function(host, port)
    local dis_count, noun
!   options = {header={}, redirect_ok=redirect_ok}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location[1]
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end

Credits: redirect_ok is blatantly stolen from https://github.com/nmap/nmap/blob/master/nselib/http.lua
@GossiTheDog GossiTheDog mentioned this issue Mar 8, 2021
Closed
@nider nider mentioned this issue Mar 17, 2021
Open
@nider
Copy link

nider commented Mar 18, 2021
edited
Loading

@at-ACOnet-CERT I'm curious what the other values of the array/table are for those cases where you've been redirected from IP to FQDN? cf. my further comments regarding redirects in #8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nider @at-ACOnet-CERT