Nmap Development mailing list archives
Re: [NSE] http-passwd: payloads update and new vector proposal
From: Gutek <ange.gutek () gmail com>
Date: Sat, 02 Oct 2010 10:20:51 +0200
On 27/09/2010 21:01, David Fifield wrote:
> On Mon, Aug 23, 2010 at 06:21:25PM +0200, Gutek wrote:
>> I've worked on http-passwd today and added some payloads against some
>> webservers (and also some comments to illustrate the specific payloads).
>> That's for the maintenance.
>
> Thanks, I committed these.
>
>> I've also added a new vector to reach the file disclosure condition
>> (etc/passwd or boot.ini), which highlights a directory traversal in this
>> script (it is used as a PoC against false-positives). Until now, this
>> script only uses the classical GET ../..<something>/etc/passwd query.
>> This improvement proposal searches the root page for a variable which
>> calls a page or a file, i.e. technically speaking
>> "?|&VARIABLE=<something>DOT<something>", for example
>> "/index.php?page=next.php". Then, it rolls again through the previously
>> tested payloads, calling them with the file variable found, itself
>> attacked with a trailing poison null byte (see
>> http://hakipedia.com/index.php/Poison_Null_Byte for details).
>
> That is, after testing GET <payload>, it now also tests GET /?<variable>=<payload>%00
>
> I think this is pretty reasonable. I committed it too, with some style
> changes. Would you add a script argument http-passwd.root that controls
> where the query strings are searched for, instead of hardcoding "/"?
>
> David Fifield
Done and attached.

o --script-args 'http-passwd.root=/path/' does the job and, if not provided,
  defaults to /
o User-provided argument is also sanitized: besides it should be /path/, the
  script would add any missing (leading or trailing) slashes.
o added @usage and @args blocks

Regards,
A.G.
Attachment: http-passwd.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
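As an added example (not the http-passwd.nse code itself, and not written by either participant in the thread), here are the two pieces of logic discussed above, the sanitisation of the http-passwd.root argument and the search of a page body for a query variable whose value looks like a file reference, written in plain Lua 5.x so it runs outside Nmap. The function names and the sample page body are constructed for illustration and are assumptions, not the script's own identifiers.

```lua
-- Added example, not the http-passwd.nse code: the two pieces of logic
-- the message describes, written as plain Lua 5.x so it runs outside Nmap.
-- Function names and the HTML sample below are constructed for illustration.

-- Normalise a user-supplied http-passwd.root value: default to "/" and make
-- sure it has both a leading and a trailing slash.
local function normalize_root(root)
  if root == nil or root == "" then
    return "/"
  end
  if root:sub(1, 1) ~= "/" then
    root = "/" .. root
  end
  if root:sub(-1) ~= "/" then
    root = root .. "/"
  end
  return root
end

-- Scan a page body for query-string variables whose value looks like a
-- file reference ("?|&VARIABLE=<something>DOT<something>"); for example
-- "/index.php?page=next.php" yields "page". Returns an ordered list of
-- unique variable names, so each candidate is reported only once.
local function find_file_params(body)
  local seen, found = {}, {}
  for var, value in body:gmatch("[?&]([%w_%-]+)=([%w_%-/]+%.[%w]+)") do
    if not seen[var] then
      seen[var] = true
      found[#found + 1] = var
    end
  end
  return found
end

-- Constructed sample page body (not real server output).
local sample = [[
<a href="/index.php?page=next.php">next</a>
<a href="/index.php?page=prev.php&lang=en">prev</a>
<img src="/show.php?img=logo.png">
]]

print(normalize_root(nil))        -- "/"
print(normalize_root("path"))     -- "/path/"
print(normalize_root("/path"))    -- "/path/"

for _, v in ipairs(find_file_params(sample)) do
  print("file-like parameter:", v)   -- page, img
end
```

Run it with a stock `lua` interpreter. The pattern only accepts values that contain a dot after a run of path-safe characters, which is why `lang=en` in the sample is ignored while `page` and `img` are reported; a real script would still want to confirm a candidate by comparing the response with and without the parameter before treating it as a file-inclusion point, which is the false-positive concern the thread raises.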
Current thread:
- Re: [NSE] http-passwd: payloads update and new vector proposal Gutek (Oct 02)
- Re: [NSE] http-passwd: payloads update and new vector proposal David Fifield (Nov 05)
- Re: [NSE] http-passwd: payloads update and new vector proposal Gutek (Nov 11)
- Re: [NSE] http-passwd: payloads update and new vector proposal David Fifield (Nov 11)
- Re: [NSE] http-passwd: payloads update and new vector proposal Gutek (Nov 11)
- Re: [NSE] http-passwd: payloads update and new vector proposal David Fifield (Nov 05)