Nmap Development mailing list archives
Re: [PATCH] sql-injection.nse arguments
From: David Fifield <david () bamsoftware com>
Date: Sat, 18 Jul 2009 21:19:59 -0600
On Thu, Jul 16, 2009 at 08:07:40PM -0300, Joao Correa wrote:
On Sat, Jul 11, 2009 at 2:33 PM, Joao Correa<joao () livewire com br> wrote:I was making a few tests with sql-injection.nse and, due to some restrictions, I started getting annoyed about the big number of websites that the script was unable to scan. The way sql-injection.nse works makes it unable to scan virtually hosted websites for sql injections, due to the script being unable to retrieve the website hostname. This patch creates an argument (sql-injection.host) for the hostname, so if the user wants to scan a virtually hosted website, he can just specify which is the website's hostname. Also, I've introduced a second argument, called sql-injection.start, which specifies the starting point for the scan (sometimes, it is useful avoiding initial pages with only flash introductions, or only scanning part of a large website tree).I've been discussing about this changes with Fyodor and we both agreed that it would be better if, instead of arguments, that the script could resolve the hostname by itself. I'm sending a new patch that allows the code to resolve the hostname, exactly as it is done in http.lua, enabling the script to scan virtually hosted websites.
The change looks fine to me. The only change I would make is a better description and example of the sql-inject.start argument. -- @args sql-injection.start The starting page for the script -- nmap --script sql-injection.nse \ -- --script-args sql-injection.start=<start>
From that description it is not clear if it should be a URL or a path.
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [PATCH] sql-injection.nse arguments Joao Correa (Jul 11)
- Re: [PATCH] sql-injection.nse arguments Joao Correa (Jul 16)
- Re: [PATCH] sql-injection.nse arguments David Fifield (Jul 18)
- Re: [PATCH] sql-injection.nse arguments Joao Correa (Jul 16)