Nmap Development mailing list archives
Re: [NSE] http-passwd: payloads update and new vector proposal
From: David Fifield <david () bamsoftware com>
Date: Mon, 27 Sep 2010 13:01:17 -0600
On Mon, Aug 23, 2010 at 06:21:25PM +0200, Gutek wrote:
> I've worked on http-passwd today and added some payloads against some webservers (and also some comments to illustrate the specific payloads). That's for the maintenance.

Thanks, I committed these.

> I've also added a new vector to reach the file disclosure condition (etc/passwd or boot.ini), which highlights a directory traversal in this script (it is used as a PoC against false-positives). Until now, this script only uses the classical GET ../..<something>/etc/passwd query. This improvement proposal searches the root page for a variable which calls a page or a file, i.e. technically speaking "?|&VARIABLE=<something>DOT<something>", for example "/index.php?page=next.php". Then, it rolls again through the previously tested payloads, calling them with the file variable found, itself attacked with a trailing poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte for details). That is, after testing GET <payload>, it now also tests GET /?<variable>=<payload>%00

I think this is pretty reasonable. I committed it too, with some style changes. Would you add a script argument http-passwd.root that controls where the query strings are searched for, instead of hardcoding "/"?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
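A defender-side detection example, added here and not part of the thread or of the http-passwd script (which is Lua): it scans constructed access-log lines for both request forms the message describes, the plain GET traversal and the query-string variant with a trailing %00, and reports traversal sequences and null bytes per parameter. The log lines and the parameter name "page" are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from the thread); lines 3 and 4 carry
# the query-string variant: traversal payload in "page" plus a trailing %00.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2010:13:01:17 -0600] "GET /index.php?page=next.php HTTP/1.1" 200 512
203.0.113.5 - - [27/Sep/2010:13:01:18 -0600] "GET /../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [27/Sep/2010:13:01:19 -0600] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024
203.0.113.5 - - [27/Sep/2010:13:01:20 -0600] "GET /index.php?page=..%2F..%2F..%2Fboot.ini%00 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded sequences (%252e) are seen too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_target(target):
    """Return (location, parameter, kind) findings for one request target."""
    findings = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(decode_fully(parts.path)):
        findings.append(("path", None, "traversal"))
    # parse_qsl already decodes one layer; decode_fully handles nested encoding.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(("query", name, "traversal"))
        if value.endswith("\x00"):
            findings.append(("query", name, "null-byte"))
    return findings

def scan_log(text):
    """Map 1-based line numbers to findings for every request line that has any."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        findings = analyse_target(match.group("target")) if match else []
        if findings:
            hits[lineno] = findings
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4 and leaves the legitimate `page=next.php` request alone; the null-byte finding is what separates the new vector from a plain path traversal in the log.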