
Allow partial HTTP response (default nil) due to timeout#12510

Merged
acammack-r7 merged 5 commits intorapid7:masterfrom
wvu:feature/http
Nov 5, 2019

Conversation

@wvu
Contributor

@wvu wvu commented Oct 30, 2019

I also added a disconnect option to send_request_raw to match send_request_cgi.

  • See if pipelining is even functional, specifically through this API; remove from method definition and hardcode to false if it isn't? Refactored to avoid changing the user API!

Before

####################
# Request:
####################
GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


execution expired

After

####################
# Request:
####################
GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: max-age=86400, must-revalidate
Last-Modified: Wed, 18 Sep 2019 20:27:02 GMT
Content-Length: 41943040
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000

���������������������

#12007, #12220

@wvu wvu changed the title Allow partial HTTP response (previously nil) due to timeout Allow partial HTTP response (default nil) due to timeout Oct 30, 2019
@wvu wvu added the blocked Blocked by one or more additional tasks label Oct 31, 2019
@wvu wvu removed the blocked Blocked by one or more additional tasks label Oct 31, 2019
@wvu
Contributor Author

wvu commented Oct 31, 2019

@acammack-r7: Happy with this now. Let me know if there are any other changes to be made. Thanks!

@acammack-r7 acammack-r7 self-assigned this Oct 31, 2019
@acammack-r7
Contributor

Looks good! I'll take for a spin later.

@busterb
Contributor

busterb commented Nov 4, 2019

ping @acammack-r7 anything else you wanted changed? If not I can move this forward too.

@acammack-r7 acammack-r7 merged commit f302df3 into rapid7:master Nov 5, 2019
@acammack-r7
Contributor

Sorry, was looking for a good candidate to test this between other stuff. Confirmed working against a server advertising a ridiculously long Content-Length it never filled.

@acammack-r7
Contributor

Release Notes

Modules that use the Msf::Exploit::HttpClient mixin can now elect to receive a partial response to an HTTP request when the server times out before sending the total length advertised in the response headers.
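The behaviour the release note describes, shown as an added example rather than Metasploit's own code (Rex::Proto::Http::Client and the HttpClient mixin are not reproduced here): a reader that parses the status line and headers, then tries to collect the body up to the advertised Content-Length. When the server stops sending before that length is reached and the read times out, the pre-change behaviour is modelled as returning nil, while a `partial:` option hands back whatever arrived. The method name `read_response`, the `partial:` keyword, and the `demo_partial_read` helper are assumed names for illustration; the server side is a constructed loopback socket that advertises the 41943040-byte Content-Length seen in the PR description and then goes silent.

```ruby
require 'socket'
require 'timeout'

# Assumed structure for the example; not Metasploit's Rex::Proto::Http::Response.
Response = Struct.new(:status_line, :headers, :body, :partial)

# Parse "Key: value" header lines into a lowercase-keyed hash.
def parse_headers(lines)
  lines.each_with_object({}) do |line, h|
    key, value = line.split(':', 2)
    next if value.nil?
    h[key.strip.downcase] = value.strip
  end
end

# Read one HTTP response from sock. Assumed API for illustration:
#   timeout: seconds to wait for the whole response
#   partial: when true, return what was received if the body times out;
#            when false (the old behaviour this PR changes), return nil
def read_response(sock, timeout: 2, partial: false)
  raw = String.new          # binary buffer for the raw bytes
  status_line = nil
  headers = {}
  body = String.new
  begin
    Timeout.timeout(timeout) do
      # Accumulate until the end of the header block.
      raw << sock.readpartial(4096) until raw.include?("\r\n\r\n")
      head, body = raw.split("\r\n\r\n", 2)
      status_line, *header_lines = head.split("\r\n")
      headers = parse_headers(header_lines)

      # Keep reading until the advertised Content-Length is satisfied.
      want = headers['content-length']&.to_i
      if want
        while body.bytesize < want
          body << sock.readpartial([want - body.bytesize, 4096].min)
        end
      end
    end
    Response.new(status_line, headers, body, false)
  rescue Timeout::Error
    # The server never delivered the advertised length. Without the partial
    # option nothing usable comes back; with it, the caller gets the headers
    # and however many body bytes arrived before the timeout.
    return nil unless partial && status_line
    Response.new(status_line, headers, body, true)
  end
end

# Constructed scenario: a server that advertises a huge Content-Length
# (41943040, as in the PR's "After" output), sends 16 body bytes, then stalls.
def demo_partial_read(partial:, timeout: 1)
  client, server = Socket.pair(:UNIX, :STREAM)
  server.write("HTTP/1.1 200 OK\r\nContent-Length: 41943040\r\n\r\n")
  server.write("\xde\xad\xbe\xef".b * 4)   # constructed binary body fragment
  read_response(client, timeout: timeout, partial: partial)
ensure
  client&.close
  server&.close
end

if $PROGRAM_NAME == __FILE__
  res = demo_partial_read(partial: true)
  puts "partial: true  -> #{res.status_line}, #{res.body.bytesize} body bytes, partial=#{res.partial}"
  puts "partial: false -> #{demo_partial_read(partial: false).inspect}"
end
```

The timeout is deliberately short here so the example finishes quickly; a module would pass its usual request timeout. Note that a timeout before the header block is complete still yields nil even with `partial:` set, since there is no status line or header hash to return.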

@wvu
Contributor Author

wvu commented Jun 11, 2021

This appears to be a sufficient workaround for #3865. This introduced an edge case:

msf6 auxiliary(scanner/http/http_header) > run

[*] 127.0.0.1:80         : requesting / via HEAD
####################
# Request:
####################
HEAD / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0


####################
# Response:
####################
HTTP/1.1 200 OK


[!] 127.0.0.1:80         : all detected headers are defined in IGN_HEADER and were ignored
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/http_header) >
wvu@kharak:~$ ncat -lkv 80
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:63160.
HEAD / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0

@wvu wvu mentioned this pull request Jun 12, 2021