On Sunday 05 May 2002 03:40 pm, Noam Rathaus wrote: > Hi, > > (This is long, but please bare with me) > > I am sorry to bring this up, but it seems that there are too many "trickle > though" cases where Nessus will cause false positives when trying to access > pages that are not answering a "404 File not found" response. Had a similar issue, here is a modified version (not complete) which seems to work around most of these problems:

#
# The script code starts here
#

# Fetch `url` from the web server on `port` with one HTTP GET and return
# the raw response as received (status line, headers and body, in a single
# recv of at most 8192 bytes). Returns 0 when the TCP connection cannot be
# opened.
# NOTE(review): a response longer than the 8192-byte read is truncated, so
# the error-message search below only sees the first part of long pages.
function check(url, port)
{
  req = http_get(item:url, port:port);
  soc = open_sock_tcp(port:port);
  if (!soc)
  {
    return (0);
  }
  send(socket:soc, data:req);
  # Single read with a 20 s timeout; whatever has arrived by then is the result.
  result = recv(socket:soc, length:8192, timeout:20);
  close(soc);
  return(result);
}

# Scan `buffer` (a complete raw HTTP response, headers included) for the
# first of the global errmsg[] patterns that matches, case-insensitively.
# Returns the matching pattern, or 0 when none of them is present. The
# returned pattern is what gets stored as the server's "not found" marker.
function find_err_msg(buffer)
{
  cmsg = 0;
  for (cmsg = 0; errmsg[cmsg]; cmsg = cmsg + 1)
  {
    cpat = errmsg[cmsg];
    # icase:TRUE — the pattern is tested against headers and body alike.
    if (ereg(pattern:cpat, string:buffer, icase:TRUE))
    {
      return(cpat);
    }
  }
  return (0);
}

# build list of test urls
# Paths that should not exist on any real server, probed both at the root
# and under /cgi-bin/ so that handler-specific error pages are exercised too.
badurl[0] = string("/NESS_no404.html");
badurl[1] = string("/NESS_no404.cgi");
badurl[2] = string("/NESS_no404.sh");
badurl[3] = string("/NESS_no404.pl");
badurl[4] = string("/cgi-bin/NESS_no404.html");
badurl[5] = string("/cgi-bin/NESS_no404.cgi");
badurl[6] = string("/cgi-bin/NESS_no404.sh");
badurl[7] = string("/cgi-bin/NESS_no404.pl");

# Strings commonly found in custom "not found" pages served with a 200 status.
# NOTE(review): "404" and "not found" are short and unanchored; a genuine page
# that happens to contain them would be recorded as the no404 marker, and
# whatever later consults www/no404/<port> would presumably then mistake real
# content for a missing page — confirm against the consumers of that KB key.
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "firewall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";

# Non-zero traces every probe with display(); left on in this draft.
debug = 1;

# Web port found earlier in the scan (Services/www); fall back to 80.
port = get_kb_item("Services/www");
if(!port)port = 80;

# Probe each bad URL and stop at the first one that reveals a non-404 reply
# for a non-existent page, recording the marker under www/no404/<port>.
for (c = 0; badurl[c]; c = c + 1)
{
  url = badurl[c];
  if(debug) display("Checking URL ", url, "\n");
  ret = check(url,port);
  # NOTE(review): only a failed connect returns 0; an empty reply (server
  # closed without sending data) presumably passes this test too, and egrep
  # then yields no status line — confirm how the interpreter compares an
  # empty string with 0.
  if (ret != 0)
  {
    # Status line of the response: the line(s) beginning with HTTP/.
    raw_http_line = egrep(pattern:"^HTTP/", string:ret);
    # check for a 200 OK
    if(ereg(pattern:"^HTTP.*200", string:raw_http_line))
    {
      # look for common "not found": indications
      # This is the false-positive case: the server answers a missing page
      # with 200 plus an error page. Remember the string that identified it.
      not_found = find_err_msg(buffer:ret);
      if (not_found != 0)
      {
        found = string("www/no404/", port);
        set_kb_item(name:found, value:not_found);
        security_note(port:port, data:not_found);
        if(debug) display("200: Using string: ", not_found, "\n");
        exit(0);
      }
      # NOTE(review): a 200 whose content matches none of errmsg[] is not
      # recorded at all, so that server's no-404 behaviour stays undetected.
    }
    # check for a 302 Moved
    if(ereg(pattern:"^HTTP.*302", string:raw_http_line))
    {
      # put the first line of the response as no404 msg ;)
      # A redirect for a missing page: the status line itself is stored as
      # the marker, exactly as egrep returned it.
      found = string("www/no404/", port);
      set_kb_item(name:found, value:raw_http_line);
      security_note(port:port, data:raw_http_line);
      if(debug) display("302: Using ", raw_http_line, "\n");
      exit(0);
    }
  }
  else
  {
    if(debug) display("An error occurred when trying to request: ", url, "\n");
  }
}