Re: [NSE] http-passwd: payloads update and new vector proposal

[David Fifield <david () bamsoftware com>]

On Mon, Aug 23, 2010 at 06:21:25PM +0200, Gutek wrote:
> I've worked on http-passwd today and added some payloads against some
> webservers (and also some comments to illustrate the specifics
> payloads). That's for the maintenance.

Thanks, I committed these.

> I've also added a new vector to reach the file disclosure condition
> (etc/passwd or boot.ini), which highlights a directory traversal in this
> script (it is used as a PoC against false-positives).
> Until now, this script only use the classical GET
> ../..<something>/ect/passwd query.
> This improvement proposal searches the root page for a variable which
> calls a page or a file, i.e. technicaly speaking
> "?|&VARIABLE=<something>DOT<something>", for example
> "/index.php?page=next.php"
>
> Then, it rolls again through the previously tested payloads, calling
> them with the file variable found, itself attacked with a trailing
> poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte
> for details)
>
> That is, after testing GET <payload>, it now also tests GET
> /?<variable>=<payload>%00

I think this is pretty reasonable. I committed it too, with some style
changes. Would you add a script argument http-passwd.root that controls
where the query strings are searched for, instead of hardcoding "/"?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/