
Thread: Medusa bug and how to fix

  1. #1


    Hi all.
    As I posted today (I can't see my post, I think it wasn't approved, but OK), I was facing a problem with medusa, as described here.

    The bug occurs with the web-form module. When you specify the username and password field names as given in the form inputs with -m FORM-DATA, medusa ignores them and assumes the default value, so medusa fails when the right user/pass is tried against the form.

    Example:
    Let's say there's an index.php at localhost, with a form like this:
    <form action='access.php' method='post'>
    <input type='text' name='user'/>
    <input type='password' name='pass'/>
    <input type='hidden' name='sec' value='login'/>
    <input type='submit'/>
    </form>

    And access.php does the auth validation via POST, and returns login_fail in the response if auth goes wrong, and login_ok for the right credentials.

    So, the medusa command is:
    medusa -w 10 -h localhost -u test_user -P passwd.txt -f -M web-form -m FORM:"access.php" -m DENY-SIGNAL:"login_fail" -m FORM-DATA:"post?user=&pass=&sec=login"

    The passwd.txt has the following passwords:
    test1
    pass2
    pass_ok (the right one)

    Debugging the first try (pass = test1), we get something like this:
    DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form User Field: user=
    DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form Pass Field: pass=
    DEBUG MODULE [B74D3B90]: [web-form.mod] User-supplied Form Rest Field: sec=login

    And the POST request to the server goes OK, but the authentication fails.

    So, for the next attempts, in debug we get this message:
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form User Field: (null)
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Pass Field: (null)
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Rest Field: (null)
    WARNING: Invalid FORM-DATA format. Using default format: "post?username=&password="


    The authentication fails because the POST request with the right password goes wrong.

    To fix it, I simply installed medusa 1.5 (BackTrack 4 comes with medusa 1.4), and now it is working fine for all requests.

    Cheers
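The false negative the OP describes, reproduced offline as an added example (this is not code from the original post or from Medusa). The stand-in for access.php is constructed here from the post's description; the wordlist and the credential test_user / pass_ok come from the post. FORM-DATA is interpreted the way the debug output above shows it: the first field is the user field, the second the password field, and anything after that is sent unchanged with every attempt. Running it shows why a tool that silently falls back to post?username=&password= can never find pass_ok, whatever the wordlist contains.

```python
"""Offline reproduction of the Medusa 1.4 web-form false negative.

Added example, not code from the original post or from Medusa. The
stand-in for access.php, the credential (test_user / pass_ok, from the
post) and the wordlist are constructed here so it runs without a server.
"""
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the thread's access.php (assumption: it only
# accepts POST and requires the hidden sec=login field).
VALID_USER = "test_user"
VALID_PASS = "pass_ok"
DENY_SIGNAL = "login_fail"


def access_php(method: str, body: str) -> str:
    """Validate the submitted form the way the OP describes access.php.

    Returns 'login_ok' for the right credentials, 'login_fail' otherwise.
    """
    if method.lower() != "post":
        return "login_fail"
    fields = parse_qs(body, keep_blank_values=True)
    user = fields.get("user", [""])[0]
    password = fields.get("pass", [""])[0]
    sec = fields.get("sec", [""])[0]
    if sec == "login" and user == VALID_USER and password == VALID_PASS:
        return "login_ok"
    return "login_fail"


def parse_form_data(form_data: str):
    """Split a FORM-DATA value such as 'post?user=&pass=&sec=login'.

    Returns (method, user_field, pass_field, rest); rest is the list of
    (name, value) pairs sent unchanged with every attempt. Unlike the
    tool in the thread, an invalid value raises instead of silently
    falling back to a default that cannot match the target form.
    """
    method, sep, query = form_data.partition("?")
    pairs = [p.partition("=") for p in query.split("&") if p]
    if not sep or method.lower() not in ("get", "post") or len(pairs) < 2:
        raise ValueError("invalid FORM-DATA: %r" % form_data)
    user_field, pass_field = pairs[0][0], pairs[1][0]
    rest = [(name, value) for name, _, value in pairs[2:]]
    return method.lower(), user_field, pass_field, rest


def attempt(form_data: str, user: str, password: str) -> str:
    """Build the request body from FORM-DATA as the tool would, then submit."""
    method, user_field, pass_field, rest = parse_form_data(form_data)
    body = urlencode([(user_field, user), (pass_field, password)] + rest)
    return access_php(method, body)


def brute_force(form_data: str, user: str, wordlist, deny_signal=DENY_SIGNAL):
    """Return the first password whose response lacks deny_signal, else None."""
    for password in wordlist:
        if deny_signal not in attempt(form_data, user, password):
            return password
    return None


def canary_check(form_data: str, user: str, known_good: str) -> bool:
    """Confirm the tool, as configured, recognises a credential known to be
    valid. A negative result without this check proves nothing."""
    return brute_force(form_data, user, [known_good]) == known_good


def demo():
    """The configured FORM-DATA finds pass_ok; the default that Medusa 1.4
    fell back to ('post?username=&password=') never can."""
    wordlist = ["test1", "pass2", "pass_ok"]          # the OP's passwd.txt
    configured = "post?user=&pass=&sec=login"
    fallback = "post?username=&password="
    return (brute_force(configured, "test_user", wordlist),
            brute_force(fallback, "test_user", wordlist))


if __name__ == "__main__":
    found, found_with_fallback = demo()
    print("configured FORM-DATA ->", found)               # pass_ok
    print("default FORM-DATA    ->", found_with_fallback)  # None: false negative
    print("canary ok:", canary_check("post?user=&pass=&sec=login",
                                     "test_user", "pass_ok"))
```

The canary_check function is the practical takeaway from the thread: before reporting a form as resistant to a wordlist attack, push one credential you know is valid through the tool exactly as configured. If that run also comes back empty, the tool (or its parameters) is broken, not the target. Running with debug output, as the OP did with -w 10, is how you catch the silent fallback when the canary fails.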

  2. #2
    Super Moderator Archangel-Amael


    Quote Originally Posted by enonym
    Hi all.
    As I posted today (I can't see my post, I think it wasn't approved, but ok),
    New members' posts are moderated for the first 3 days.
    See also the rules.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Developer


    I am updating to 1.5 in the repo. Just so everyone knows, it's reports and posts like these that get things updated faster, so keep them coming. It's hard for us to follow the progress of 400 security tools, so we need some community involvement. Thanks to the OP.
