Nmap Development mailing list archives

[patch] Make sql-injection.nse use httpspider


From: Lauri Kokkonen <lauri.u.kokkonen () gmail com>
Date: Fri, 3 Feb 2012 09:19:58 +0200

The attached patch (against r28007) gets rid of the HTTP crawling code in
sql-injection.nse and replaces it by using the Crawler interface. Everything
else is kept as it was.

I am using LinkExtractor to extract all links from the page returned by
crawl(), so to avoid doing that twice it might be useful to add a method to
Crawler that returns all URLs encountered so far.

Also, while testing the script I found a bug in httpspider: checking that a
URL is within a host or domain should try to match the hostname only at the
beginning of the URL because it might also be embedded in a query.

Lauri

Attachment: sql-injection.nse.diff
Description:

Attachment: httpspider.lua.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
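
The scope-check problem described in the message, as an added example that is not part of the original post and is not httpspider's code: a substring match accepts an off-host URL that carries the target hostname in its query string, while a check on the parsed host does not. It goes slightly beyond the message by also showing a domain-suffix check; all function names and sample URLs are hypothetical and constructed, and only absolute http/https URLs are handled.

```lua
-- Added example: standalone Lua, no Nmap libraries. All names are hypothetical.

-- Loose check: true if the hostname appears anywhere in the URL (plain find).
local function within_host_loose(url, host)
  return url:find(host, 1, true) ~= nil
end

-- Return the lowercase host of an absolute http(s) URL, or nil.
local function url_host(url)
  local authority = url:match("^[Hh][Tt][Tt][Pp][Ss]?://([^/?#]*)")
  if not authority then return nil end
  authority = authority:gsub("^.*@", "")            -- drop "user:pass@"
  local host = authority:match("^%[.-%]")           -- bracketed IPv6 literal
            or authority:match("^[^:]*")            -- otherwise strip ":port"
  if host == "" then return nil end
  return host:lower()
end

-- Strict check: the URL's own host must equal the target host.
local function within_host(url, host)
  local h = url_host(url)
  return h ~= nil and h == host:lower()
end

-- Strict domain check: host equals the domain or ends in "." .. domain.
local function within_domain(url, domain)
  local h = url_host(url)
  if not h then return false end
  domain = domain:lower()
  return h == domain or h:sub(-(#domain + 1)) == "." .. domain
end

-- Constructed sample URLs; "scanme.example" stands in for the scan target.
local target = "scanme.example"
local samples = {
  "http://scanme.example/index.php?id=1",
  "http://www.scanme.example:8080/a?b=c",
  "http://other.example/redirect?to=http://scanme.example/",
  "http://scanme.example.other.example/",
}

for _, u in ipairs(samples) do
  print(string.format("%-58s loose=%-5s host=%-5s domain=%s", u,
    tostring(within_host_loose(u, target)),
    tostring(within_host(u, target)),
    tostring(within_domain(u, target))))
end
```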
