Fix bug causing all logins to appear valid

The headers we were looking for were a little too loose
and were incorrectly identifying all responses as successful
login attempts
James Barnett 1 year ago
commit e531dbc976
1 changed file with 1 addition and 1 deletion

modules/auxiliary/scanner/http/owa_login.rb (+1, -1)


@@ -232,7 +232,7 @@ class MetasploitModule < Msf::Auxiliary
232 232
       # No password change required moving on.
233 233
       # Check for valid login but no mailbox setup
234 234
       print_good("server type: #{res.headers["X-FEServer"]}")
235
-      if res.headers['location'] =~ /owa/
235
+      if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
236 236
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
237 237
         report_cred(
238 238
           ip: res.peerinfo['addr'],
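
Review bot: The new `!~ /reason/` test on line 235 is an unanchored, case-sensitive substring match over the whole Location value, so a redirect with "reason" anywhere in its host, path or another parameter's value is now reported as a failed login, while a differently cased parameter name would still pass as a success. Consider matching the query parameter itself, for example `res.headers['location'] !~ /[?&]reason=/i`, and using `&&` rather than `and` in the condition. A one-line comment stating what a `reason` in the redirect signifies would also help, since the comments above this check only cover the password-change and no-mailbox cases.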
