Make sure we are only grabbing hidden inputs

wchen-r7 · wchen-r7 · commit 3fc25a00d84b · 2015-04-09T01:09:00.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/http.rb b/lib/metasploit/framework/login_scanner/http.rb
@@ -257,6 +257,9 @@ def get_hidden_inputs(res)
           noko.search("form").each_entry do |form|
             found_inputs = {}
             form.search("input").each_entry do |input|
+              input_type = input.attributes['type'] ? input.attributes['type'].value : ''
+              next if input_type !~ /hidden/i
+
               input_name = input.attributes['name'] ? input.attributes['name'].value : ''
               input_value = input.attributes['value'] ? input.attributes['value'].value : ''
               found_inputs[input_name] = input_value unless input_name.empty?
diff --git a/spec/lib/metasploit/framework/login_scanner/http_spec.rb b/spec/lib/metasploit/framework/login_scanner/http_spec.rb
@@ -41,6 +41,7 @@
         <input name="input_1" type="hidden" value="some_value_1" />
       </form>
       <form>
+        <input name="input_0" type="text" value="Not a hidden input" />
         <input name="input_1" type="hidden" value="some_value_1" />
         <INPUT name="input_2" type="hidden" value="" />
       </form>
