On Monday 26 August 2002 17:09, Renaud Deraison wrote:
> Now, honestly, I don't really know what to do with that - should we
> follow the redirections and be prone to false positives very often, or
> not follow them and be prone to false negatives less often?
What CGI scripts does Nessus currently check for that have to be executed
as a directory, or return a redirect when requested? I wasn't sure why it
was following the redirects in the first place. Is there a small enough
number of them that the checks could be rewritten to look for a specific
signature of that application?
Maybe have a no302.nasl which requests a non-existent file and looks for
the redirect message; if one is found, it disables redirect-following in
nessus-libs?
-HD
(attached is the latest no404, not sure if you already have this one)
#
# This script was written by Renaud Deraison <[EMAIL PROTECTED]>
# - rewritten in parts by H D Moore <[EMAIL PROTECTED]>
#
# See the Nessus Scripts License for details
#
if (description)
{
  # Registration branch: when Nessus loads the plugin with `description`
  # set, only the metadata below is published and the script exits before
  # any network activity takes place.
  script_id(10386);
  script_version ("$Revision: 1.20 $");

  # Display name (same text in both languages).
  script_name(english:"No 404 check", francais:"No 404 check");

  # Long description shown in the report.
  script_description(
    english:"
Some web servers are [mis]configured in that they
do not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map or search page instead.
This script will retrieve the default page which
is issued when a non-existent file is requested, and
will use this information to minimize the risks
of false positives for the other tests.",
    francais:"
Certains serveurs web n'affichent pas d'erreur 404
lorsqu'un client leur demande une page qui n'existe
pas.
Ce script r�cup�re donc la page d'erreur qui est
affich�e et la garde en m�moire afin de pouvoir
minimiser par la suite les risques d'erreur
dus a ce comportement");

  # One-line summary.
  script_summary(
    english:"Checks if the remote webserver issues 404 errors",
    francais:"V�rifie que le serveur web distant sort des erreurs 404");

  # Pure information gathering: the result feeds the other CGI checks.
  script_category(ACT_GATHER_INFO);

  script_copyright(
    english:"This script is Copyright (C) 2000 Renaud Deraison",
    francais:"Ce script est Copyright (C) 2000 Renaud Deraison");

  script_family(english:"CGI abuses", francais:"Abus de CGI");

  # Needs the web service to have been located and its version probed first.
  script_dependencie("find_service.nes", "httpver.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}
#
# The script code starts here
#
function check(url, port)
{
  # Fetch one URL from the web server and hand back the raw reply.
  #
  # url:  path to request, e.g. "/TEST_no404.html".
  # port: TCP port of the web server.
  #
  # Returns the response as a single string (status line, headers and the
  # start of the body), or 0 when no TCP connection could be established.
  # A single recv() of at most 8192 bytes with a 20 second timeout is
  # performed, so a longer response is truncated: any signature that the
  # caller wants to match against must lie within that prefix.
  sock = open_sock_tcp(port:port);
  if (!sock) return (0);

  send(socket:sock, data:http_get(item:url, port:port));
  reply = recv(socket:sock, length:8192, timeout:20);
  close(sock);

  return (reply);
}
function find_err_msg(buffer)
{
  # Look for a known "page not found" signature in an HTTP response.
  #
  # buffer: raw HTTP response (headers and body) as returned by check().
  #
  # Walks the global errmsg[] table in order and returns the first entry
  # that matches; returns 0 when none does. Each entry is used as a regular
  # expression and matched case-insensitively against the whole buffer,
  # headers included, so a short entry such as "404" matches wherever that
  # text appears in the response, not only in the status line.
  idx = 0;
  while (errmsg[idx])
  {
    candidate = errmsg[idx];
    if (ereg(pattern:candidate, string:buffer, icase:TRUE)) return (candidate);
    idx = idx + 1;
  }
  return (0);
}
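# build list of test urls
#
# Every path below is deliberately non-existent. The same file name is tried
# with several extensions and both at the document root and under /cgi-bin/,
# presumably because error handling can differ per extension or directory.
badurl[0] = string("/TEST_no404.html");
badurl[1] = string("/TEST_no404.cgi");
badurl[2] = string("/TEST_no404.sh");
badurl[3] = string("/TEST_no404.pl");
badurl[4] = string("/TEST_no404.inc");
badurl[5] = string("/TEST_no404.shtml");
badurl[6] = string("/cgi-bin/TEST_no404.html");
badurl[7] = string("/cgi-bin/TEST_no404.cgi");
badurl[8] = string("/cgi-bin/TEST_no404.sh");
badurl[9] = string("/cgi-bin/TEST_no404.pl");
badurl[10] = string("/cgi-bin/TEST_no404.inc");
badurl[11] = string("/cgi-bin/TEST_no404.shtml");

# Known "not found" signatures, used as case-insensitive regular expressions
# by find_err_msg(). Order matters: the first match wins.
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "firewall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";
errmsg[6] = "HP Web JetAdmin";
errmsg[7] = "Error processing SSI file";
errmsg[8] = "ExtendNet DX Configuration";
errmsg[9] = "Unable to complete your request due to added security features";
errmsg[10] = "Client Authentication Remote Service</font>";
errmsg[11] = "Error - Bad Request";
errmsg[12] = "Webmin server";

# Set to 1 to get a trace of every probe on the console.
debug = 0;

port = get_kb_item("Services/www");
if (!port) port = 80;

# KB key under which the "no 404" signature for this port is stored; the
# other CGI checks read it to recognise a fake "200 OK". It used to be
# assigned only inside the errmsg branch below, so the <title> and <body>
# branches called set_kb_item() with an unset name and their signature never
# reached the KB. Computing it once up front fixes that.
found = string("www/no404/", port);

for (c = 0; badurl[c]; c = c + 1)
{
  url = badurl[c];
  if (debug) display("Checking URL ", url, "\n");

  ret = check(url:url, port:port);
  if (ret != 0)
  {
    # Status line of the reply (only the first 8192 bytes were read).
    raw_http_line = egrep(pattern:"^HTTP/", string:ret);

    # check for a 200 OK
    if (ereg(pattern:"^HTTP.*200", string:raw_http_line))
    {
      # A non-existent file answered with 200: the server does not issue
      # 404s. Pick something in the reply that later checks can match on.

      # look for common "not found": indications
      not_found = find_err_msg(buffer:ret);
      if (not_found != 0)
      {
        set_kb_item(name:found, value:string(not_found));
        security_note(port:port, data:string(not_found));
        if (debug) display("200: Using string: ", not_found, "\n");
        exit(0);
      }
      else
      {
        # try to match the title
        title = egrep(pattern:"<title", string:ret, icase:TRUE);
        if (title)
        {
          # ereg_replace() returns the line unchanged when the pattern does
          # not match, so `title` stays non-empty even without a </title>.
          title = ereg_replace(string:title, pattern:"<title>(.*)</title>",
                               replace:"\1", icase:TRUE);
          if (title)
          {
            if (debug) display("using string from title: ", title, "\n");
            set_kb_item(name:found, value:title);
            security_note(port:port, data:title);
            exit(0);
          }
        }

        # try to match the body tag
        body = egrep(pattern:"<body", string:ret, icase:TRUE);
        if (body)
        {
          body = ereg_replace(string:body, pattern:"<body(.*)>",
                              replace:"\1", icase:TRUE);
          if (body)
          {
            if (debug) display("using string from body: ", body, "\n");
            set_kb_item(name:found, value:body);
            security_note(port:port, data:body);
            exit(0);
          }
        }

        # get mad and give up
        # Nothing usable in the reply: stop without recording a signature,
        # so the other checks fall back to their own 200 OK handling.
        if (debug) display("argh! could not find something to match against.\n");
        if (debug) display("[response]", ret, "\n");
        exit(0);
      }
    }

    # check for a 302 Moved
    # Only 302 is recognised; other 3xx replies (301, 303, 307, ...) fall
    # through and the next URL is tried.
    if (ereg(pattern:"^HTTP.*302", string:raw_http_line))
    {
      # put the first line of the response as no404 msg ;)
      set_kb_item(name:found, value:raw_http_line);
      security_note(port:port, data:raw_http_line);
      if (debug) display("302: Using ", raw_http_line, "\n");
      exit(0);
    }
  }
  else
  {
    # No TCP connection for this URL; move on to the next one.
    if (debug) display("An error occurred when trying to request: ", url, "\n");
  }
}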