[Nikto-discuss] Bug: Nikto eating input from non-tty stdin
Serge van den Boom
svdb at madison-gurkha.com
Tue Apr 19 05:11:29 CDT 2011
On Tue, 19 Apr 2011, dave at cirt.net wrote:
> Quoting Serge van den Boom <svdb at madison-gurkha.com>:
>> There is no generateTargets script; I just used that as a placeholder
>> for any command which produces the targets. I can reproduce the issue
>> using the following oneliner:
>> printf '127.0.0.1\n127.0.0.1\n127.0.0.1\n' | while read -r TARGET; do
>>   echo TARGET: "$TARGET"
>>   nikto.pl -host "$TARGET" -output nikto-"$TARGET".txt
>> done
> I've raised this as a bug:
You write "or buffer up all of stdin at initiation" in that ticket.
Do you mean that Nikto would read everything that it can from stdin?
I don't see how that would solve anything in a batch run; you can't put
the data back in stdin after Nikto ends.
> As I'm a bit short of time at the moment I don't have time to fix it fully.
> Certainly the description of ReadKey implies that it may read from stdin -
> but what I don't get is why it's only reading some characters.
Now that you mention it, I have actually seen that the scans stop
unexpectedly after scanning a host, which would fit with Nikto eating
all further input. It may have something to do with whether the HTTP
service is accessible at all.
I don't know how Nikto works internally, but if it just checks for a key
before sending a request, and it can't connect at all, then it will only
read a single byte (as long as stdio isn't buffered).
So then the next scan would probably fail too, because the starting
digit of the IP address is eaten, and then a single byte more would be
But on a successful scan, Nikto would have had the opportunity to eat all
input, and no further scans are performed.
> The quickest way to resolve this may just be to add a -batch switch to
> disable interactive features, though then you could only quit via CTRL+C.
I suspect that most users would not find out about this switch until
things have gone wrong, and it may cost them a lot of time in the
meantime. There is no reason why Nikto would need to read from stdin
when it is not a tty, so a simple isatty() check would be enough.
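
Added example, not part of the original message and not Nikto's code: a shell sketch of the failure described above (the case where the tool gets the chance to eat all remaining input) and of the isatty() guard proposed as the fix. The functions poll_keys, greedy_tool, guarded_tool and run_batch are hypothetical stand-ins, the target list is constructed, and the "detach" mode shows the caller-side workaround of giving the tool /dev/null as stdin.

```shell
#!/bin/sh
# Simulated key polling: drains whatever is waiting on stdin (constructed).
poll_keys() { cat >/dev/null; }

# Hypothetical tool that polls for keys unconditionally.
greedy_tool() {
    poll_keys
    echo "scanned $1"
}

# Same tool, polling only when stdin is a terminal (the isatty() check).
guarded_tool() {
    if [ -t 0 ]; then
        poll_keys
    fi
    echo "scanned $1"
}

# Feed three constructed targets through a while-read loop and print how
# many of them the loop actually reached.
# $1 = tool function, $2 = "detach" to give the tool /dev/null as stdin.
run_batch() {
    printf '127.0.0.1\n127.0.0.1\n127.0.0.1\n' | {
        n=0
        while read -r TARGET; do
            if [ "$2" = detach ]; then
                "$1" "$TARGET" </dev/null >/dev/null
            else
                "$1" "$TARGET" >/dev/null
            fi
            n=$((n + 1))
        done
        echo "$n"
    }
}

echo "unguarded tool:        $(run_batch greedy_tool) of 3 targets scanned"
echo "isatty-guarded tool:   $(run_batch guarded_tool) of 3 targets scanned"
echo "unguarded, </dev/null: $(run_batch greedy_tool detach) of 3 targets scanned"
```

The unguarded run reaches only the first target because the tool inherits the loop's pipe as its stdin and consumes the remaining lines before the next read.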