Nmap Development mailing list archives
[NSE] http-passwd: payloads update and new vector proposal
From: Gutek <ange.gutek () gmail com>
Date: Mon, 23 Aug 2010 18:21:25 +0200
hi list,

I've worked on http-passwd today and added some payloads against some webservers (and also some comments to illustrate the specific payloads). That's for the maintenance.

I've also added a new vector to reach the file disclosure condition (etc/passwd or boot.ini), which highlights a directory traversal in this script (it is used as a PoC against false positives). Until now, this script only uses the classical GET ../..<something>/etc/passwd query. This improvement proposal searches the root page for a variable which calls a page or a file, i.e. technically speaking "?|&VARIABLE=<something>DOT<something>", for example "/index.php?page=next.php". Then, it rolls again through the previously tested payloads, calling them with the file variable found, itself attacked with a trailing poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte for details). That is, after testing GET <payload>, it now also tests GET /?<variable>=<payload>%00.

Can I dare ask if we shouldn't consider changing the name of this script? I'm not sure that "passwd" is still self-speaking about what this script actually does.

Anyway, please find attached my script proposal.

Regards,
A.G.
Attachment: http-passwd-nullbyte.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
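The probe shape described in the post, GET /?<variable>=<payload>%00 alongside the classical GET ../../etc/passwd, seen from the server side: an added example (not from the post or from Nmap's http-passwd script) that flags traversal and null-byte attempts in constructed access-log lines. The combined log format and the client addresses are assumptions.

```python
"""Detect directory-traversal and poison-null-byte probes in web access logs.

Added example, not part of the original post or of Nmap's http-passwd script.
Assumes Apache/nginx combined log format; the log lines below are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Request line inside a combined-format entry: "GET /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Traversal marker after URL-decoding: "../" or "..\"
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample log (TEST-NET addresses): one benign request, the classical
# path traversal, the file-variable vector with %00, and a double-encoded variant.
SAMPLE_LOG = [
    '198.51.100.20 - - [23/Aug/2010:18:21:25 +0200] "GET /index.php?page=next.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Aug/2010:18:21:26 +0200] "GET /../../../../etc/passwd HTTP/1.0" 404 210 "-" "Nmap Scripting Engine"',
    '203.0.113.7 - - [23/Aug/2010:18:21:27 +0200] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Nmap Scripting Engine"',
    '203.0.113.7 - - [23/Aug/2010:18:21:28 +0200] "GET /index.php?page=..%252f..%252fboot.ini%00 HTTP/1.1" 200 330 "-" "Nmap Scripting Engine"',
]


def decode(value: str) -> str:
    # Decode twice so double-encoded sequences (%252e -> %2e -> .) are caught too.
    return unquote(unquote(value))


def classify_request(target: str) -> list:
    """Return findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(decode(parts.path)):
        findings.append("traversal-in-path")
    for pair in filter(None, parts.query.split("&")):
        name, _, raw_value = pair.partition("=")
        value = decode(raw_value)
        traversal = bool(TRAVERSAL_RE.search(value))
        nullbyte = "\x00" in value  # %00 decodes to a real NUL character
        if traversal and nullbyte:
            findings.append(f"traversal+nullbyte in param {name}")
        elif traversal:
            findings.append(f"traversal in param {name}")
        elif nullbyte:
            findings.append(f"nullbyte in param {name}")
    return findings


def scan_log(lines) -> list:
    """Return (client, target, findings) for every entry that raised a finding."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], match.group("target"), findings))
    return hits
```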
Current thread:
- [NSE] http-passwd: payloads update and new vector proposal Gutek (Aug 23)
- Re: [NSE] http-passwd: payloads update and new vector proposal David Fifield (Sep 27)