Medusa bug and how to fix
As I posted today (I can't see my post; I think it wasn't approved, but ok), I was facing a problem with medusa, as described here.
The bug occurs with the web-form mod. When you specify the username and password names as given in the form inputs with -m FORM-DATA, medusa ignores them and assumes the default values, so medusa fails when the right user/pass is used in the form.
Let's say there's an index.php at localhost, with a form like this:
<form action='access.php' method='post'>
<input type='text' name='user'/>
<input type='password' name='pass'/>
<input type='hidden' name='sec' value='login'/>
</form>
And access.php does the auth validation via POST, and returns login_fail in the response if auth goes wrong, and login_ok for the right credentials.
So, the medusa command is:
medusa -w 10 -h localhost -u test_user -P passwd.txt -f -M web-form -m FORM:"access.php" -m DENY-SIGNAL:"login_fail" -m FORM-DATA:"post?user=&pass=&sec=login"
The passwd.txt has the following passwords:
pass_ok (the right one)
Debugging the first try (pass = test1), we get something like this:
DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form User Field: user=
DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form Pass Field: pass=
DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form Rest Field: sec=login
And the POST request to the server goes OK, but the authentication fails.
So, for the next attempts, in debug mode we get the message:
DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form User Field: (null)
DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Pass Field: (null)
DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Rest Field: (null)
WARNING: Invalid FORM-DATA format. Using default format: "post?username=&password="
The authentication fails because the POST request with the right password goes wrong.
To fix it, I simply installed medusa 1.5 (BackTrack 4 comes with medusa 1.4), and now it is working fine for all requests.
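The symptom above (fields parsed on the first attempt, (null) plus the default-format warning on every later one) is what a per-attempt parser produces when it consumes a shared option string in place. As an added illustration that is not medusa's own code, this C function parses the FORM-DATA option used in the post through a private copy, so every attempt sees the same fields; the field layout (method?user&pass&rest) is taken from the debug lines above, while the struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Fields of a web-form FORM-DATA option such as "post?user=&pass=&sec=login". */
typedef struct {
    char method[8];   /* "post" or "get" */
    char user[64];    /* user field, e.g. "user=" */
    char pass[64];    /* password field, e.g. "pass=" */
    char rest[128];   /* remaining fields sent unchanged, e.g. "sec=login" */
} form_data_t;

/* Returns 1 on success, 0 when the option is missing or malformed (the case
 * in which medusa falls back to its default "post?username=&password=").
 * The option is tokenized through a private copy and never modified, so
 * parsing it once per login attempt yields the same fields every time. */
int parse_form_data(const char *opt, form_data_t *out)
{
    char buf[256], *q, *user, *pass, *amp;
    const char *rest = "";
    memset(out, 0, sizeof(*out));
    if (opt == NULL || strlen(opt) >= sizeof(buf)) return 0;
    strcpy(buf, opt);
    q = strchr(buf, '?');                  /* "<method>?<fields>" */
    if (q == NULL) return 0;
    *q++ = '\0';
    if (strcmp(buf, "post") != 0 && strcmp(buf, "get") != 0) return 0;
    user = q;                              /* first field: user name */
    if ((amp = strchr(user, '&')) == NULL) return 0;
    *amp++ = '\0';
    pass = amp;                            /* second field: password */
    if ((amp = strchr(pass, '&')) != NULL) {
        *amp++ = '\0';
        rest = amp;                        /* everything else, sent as-is */
    }
    if (user[0] == '\0' || pass[0] == '\0') return 0;
    snprintf(out->method, sizeof(out->method), "%s", buf);
    snprintf(out->user, sizeof(out->user), "%s", user);
    snprintf(out->pass, sizeof(out->pass), "%s", pass);
    snprintf(out->rest, sizeof(out->rest), "%s", rest);
    return 1;
}

/* Parse the same option twice, as one call per login attempt would. */
int main(void)
{
    const char *opt = "post?user=&pass=&sec=login";   /* option from the post above */
    form_data_t fd;
    for (int attempt = 1; attempt <= 2; attempt++) {
        if (!parse_form_data(opt, &fd)) return 1;
        printf("attempt %d: user=%s pass=%s rest=%s\n", attempt, fd.user, fd.pass, fd.rest);
    }
    return 0;
}
```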
New member's posts are moderated for the first 3 days.
Originally Posted by enonym
See also the rules.
I am updating to 1.5 in the repo. Just so everyone knows, it's reports and posts like these that get things updated faster, so keep them coming. It's hard for us to follow the progress of 400 security tools, so we need some community involvement. Thanks to the OP.