infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't save creds of anyuser:anypass 

If http accepts any user and any pass, it's not a real auth
there is no reason to create cred objects for this.
These creds have been confusing our users
unstable
David Maloney 2013-05-16 10:25:32 -05:00
parent c82bb73347
commit 4503a7af50
1 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
modules/auxiliary/scanner/http/http_login.rb
View File

@ -149,18 +149,20 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{target_url} - Random passwords are not allowed.") print_status("#{target_url} - Random passwords are not allowed.")
end end
report_auth_info( unless user == "anyuser" and pass == "anypass"
:host => rhost, report_auth_info(
:port => rport, :host => rhost,
:sname => (ssl ? 'https' : 'http'), :port => rport,
:user => user, :sname => (ssl ? 'https' : 'http'),
:pass => pass, :user => user,
:proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}", :pass => pass,
:source_type => "user_supplied", :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
:active => true :source_type => "user_supplied",
) :active => true
)
end
return :abort if ([any_user,any_pass].include? :success) return :abort if ([any_user,any_pass].include? :success)
return :next_user return :next_user
else else
vprint_error("#{target_url} - Failed to login as '#{user}'") vprint_error("#{target_url} - Failed to login as '#{user}'")