Fixes nexpose_connect login failure when user or password contains an @ symbol #14962
Verification steps in lieu of having a real nexpose running
Create a fake listener for nexpose:
Trigger a login request
Verify that the nexpose got the auth details.
Before
Request is sent the wrong credentials:
Listener's log:
After
It doesn't connect as expected:
And a break point shows the information isn't right either:
@cgranleese-r7 Looks like this needs a few more tweaks 👍
@adfoster-r7, Ah I see, it's taking host as the
d04d111 to 4b8cdba
@adfoster-r7, got those changes added and tested using the method you outlined above, everything now seems to be working as expected 👍
Retested the above scenarios and it seems to be sending valid login credentials now. Also verified that the login credentials are correctly escaped too.
Release Notes
Updated the
This PR resolves #14865.
Previously, if a user had an @ symbol present in their username or password, it would fail to log in. This was down to the previous code calling .split on the string and this resulted in the string being split at the @ within the username/password.
Using .split method:
This fix now uses rpartition instead of split. This results in the rightmost @ symbol being where the string is split. The rightmost @ symbol should always be the last occurrence in our string, just before the target IP address.
rpartition docs.
Using .rpartition method:
Added a small code change. Added an additional variable called _split, that will be used to just take the @ symbol out of the equation.
Code change:
Output:
Note
This has yet to be tested on a Nexpose server, hence why it is in draft. This fix has been tested by replicating @adfoster-r7's comment below.
Verification
List the steps needed to make sure this thing works
msfconsole
ncat -lvnp 8000 --ssl
load nexpose
e.g. output:
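The split versus rpartition behaviour from the PR description, as an added example that is not part of the original PR or Metasploit's own code. The function names, the `user:pass@host[:port]` argument format, the plain `split('@')` call and the sample values are assumptions made for illustration; the example also goes one step further and keeps passwords that contain a colon intact.

```ruby
# Added example (not Metasploit's code). parse_target_* are hypothetical
# names; the "user:pass@host[:port]" format and the plain split('@') call
# are assumptions based on the PR description. Sample values are constructed.

# Pre-fix behaviour as described: splitting on every "@" cuts the
# credentials apart when the username or password contains one.
def parse_target_split(arg)
  creds, target = arg.split('@')
  user, pass = creds.split(':', 2)
  host, port = target.to_s.split(':', 2)
  { user: user, pass: pass, host: host, port: port }
end

# Post-fix behaviour: rpartition cuts at the rightmost "@", which is the
# separator just before the target address.
def parse_target_rpartition(arg)
  creds, sep, target = arg.rpartition('@')
  raise ArgumentError, 'expected user:pass@host[:port]' if sep.empty? || target.empty?

  # partition cuts at the first ":" so a password may itself contain ":".
  user, colon, pass = creds.partition(':')
  raise ArgumentError, 'missing password' if colon.empty?

  # Hostname or IPv4 targets only; a bare IPv6 literal would need brackets.
  host, _, port = target.partition(':')
  { user: user, pass: pass, host: host, port: port.empty? ? nil : port }
end

if __FILE__ == $PROGRAM_NAME
  sample = 'admin@corp:p@ss:word@192.0.2.10:3780' # constructed input
  puts "split:      #{parse_target_split(sample)}"
  puts "rpartition: #{parse_target_rpartition(sample)}"
end
```

With the constructed input, the split version sends the wrong username, no password, and treats part of the credentials as the host, which matches the symptom seen in the listener test above.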