Nmap Development mailing list archives

Re: [NSE] Webservers Directory Traversal Vulnerability (under windows)


From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Jun 2010 20:41:15 -0600

On Sun, Jun 20, 2010 at 08:52:12AM +0200, Gutek wrote:
> just a small change (proposal) to keep a clean output.
> Now the output depends on verbosity.
>
> When -v < 1:
> PORT   STATE SERVICE
> 80/tcp open  http
> | http-passwd: Directory Traversal Found.
> |_Payload: "../../../../../../../../../../etc/passwd"
>
> When -v > 1:
> PORT   STATE SERVICE
> 80/tcp open  http
> | http-passwd: Directory Traversal Found.
> | Payload: "../../../../../../../../../../etc/passwd"
> | Printing first 250 bytes:
> | root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
> | sshd:*:65532:65534::/:/bin/false
> | ftp:*:65533:65534::/:/bin/false
> |_nobody:*:65534:65534::/:/bin/false
>
> BTW and for the record, after -iR tons of webservers so as to test the
> script I've noticed a probability to find a vulnerable one of about 1
> per 50000 (0.002%).
> 2/3 are Windows boxes, revealed by the 'boot.ini' payloads, 1/3 are *nix
> ones. And among those last ones, many are Dreamboxes (see
> http://en.wikipedia.org/wiki/Dreambox )

I committed your changes in r18357. I left out the sensitivity to
verbosity. I also put all the payloads in one table, and just called
hexify on the ones that need it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
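The thread above is about an NSE script that probes for directory traversal with a table of `../` payloads, some of them percent-encoded ("hexified"), and reports a hit when the response looks like a passwd file. The flip side for anyone running a web server is spotting those probes in access logs. The following example is added here and is not code from the thread or from the http-passwd script; it assumes Apache-style common log lines (the sample lines are constructed) and shows the two checks a detector needs: decoding percent-encoding repeatedly so that `%2e%2e%2f` and double-encoded `%252e` variants normalise to `..`, and counting only the `..` segments that climb above the web root, so that a harmless `/images/../css` is not flagged. A second helper applies the same passwd-shaped heuristic the script uses to a response body, which is what turns "someone sent a traversal" into "the traversal worked".

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the thread). They contain a
# plain traversal, a percent-encoded one, a double-encoded one, and a benign
# ".." that stays inside the document tree.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2010:20:41:15 -0600] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [22/Jun/2010:20:41:16 -0600] "GET /../../../../../../../../../../etc/passwd HTTP/1.1" 200 1187
10.0.0.5 - - [22/Jun/2010:20:41:17 -0600] "GET /%2e%2e%2f%2e%2e%2fboot.ini HTTP/1.1" 200 210
10.0.0.5 - - [22/Jun/2010:20:41:18 -0600] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
10.0.0.5 - - [22/Jun/2010:20:41:19 -0600] "GET /images/../css/site.css HTTP/1.1" 200 90
"""

# Pulls method, request path and status code out of a common-log-format line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

# One /etc/passwd record: name:pw:uid:gid:gecos:home:shell (seven fields).
PASSWD_LINE_RE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:\n]*$", re.M)


def normalize_path(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded, so a
    pathological input cannot loop forever) and unify backslashes, which
    Windows servers treat as path separators."""
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur.replace("\\", "/")


def traversal_depth(path):
    """Return how many levels the path climbs ABOVE the web root.

    Walks the decoded segments keeping a running depth; '..' inside the
    tree (e.g. /images/../css) never goes negative and so is not reported.
    """
    depth = max_climb = 0
    for seg in normalize_path(path).split("/"):
        if seg == "..":
            depth -= 1
            max_climb = max(max_climb, -depth)
        elif seg not in ("", "."):
            depth += 1
    return max_climb


def detect_traversal(log_text):
    """Return (raw path, decoded path, climb depth, status) for every request
    that climbs above the web root. A 200 status on such a request is the
    case worth escalating; a 404 still records that a probe took place."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        climb = traversal_depth(raw)
        if climb > 0:
            hits.append((raw, normalize_path(raw), climb, int(m.group("status"))))
    return hits


def looks_like_passwd(body, min_lines=2):
    """Heuristic the script's output in the thread relies on: a body that
    contains at least min_lines colon-separated passwd records."""
    return len(PASSWD_LINE_RE.findall(body)) >= min_lines


if __name__ == "__main__":
    for raw, decoded, climb, status in detect_traversal(SAMPLE_LOG):
        print(f"{status} climb={climb:2d} {raw} -> {decoded}")
    # The two lines below are the ones quoted in the thread's sample output.
    sample_body = ("root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh\n"
                   "sshd:*:65532:65534::/:/bin/false\n")
    print("passwd-like body:", looks_like_passwd(sample_body))
```

The bounded decode loop is the important design choice: a single `unquote` misses the double-encoded request, while an unbounded loop would let a crafted path keep the detector busy. Pairing the climb count with the status code is what separates a scanner that merely tried (404) from a server that actually handed the file over (200).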