Nmap Development mailing list archives

[NSE] http-fileupload-exploiter.nse


From: George Chatzisofroniou <sophron () latthi com>
Date: Tue, 11 Jun 2013 23:14:11 +0300

The attached script attempts to exploit insecure file upload forms in
web applications using various techniques like changing the
Content-type header or creating some proper GIF images that contain
the payload in the comment.

To use it, make sure to add the pixel.gif (also attached) to the
nselib/data directory.

Here are some common use cases:

- Let's say we want to test the upload form we just created. The form
is in the "/upload.php" page and the uploaded files are moved to the
"/uploads" directory. We should run the script like this:

./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse \
  --script-args 'http-comments-displayer.singlepages={"/upload.php"},http-fileupload-exploiter.uploadspaths={"/uploads"}' example.com

- Now let's say we also have a registration form and we let the users
upload an avatar when filling out this form. We need to test this form
but some of the fields there are necessary for our request to proceed
(like username, password and email). The script will automatically try
to fill all the fields in the form with the 'Sampledata0' string.
Unfortunately, the 'email' field has some restrictions and accepts
only valid email addresses, so 'Sampledata0' is not acceptable. If
that's the case, we should run the script as follows:

./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse \
  --script-args 'http-comments-displayer.singlepages={"/upload.php"},http-fileupload-exploiter.uploadspaths={"/avatars"},http-fileupload-exploiter.fieldvalues={email="foo () bar com"}' test.com

Now, when the script encounters the 'email' field, it will fill it
with the "foo () bar com" string.

- Finally, we want to test the whole application (all the upload
forms) but we are too lazy to pass any arguments. So, we run the
script without any arguments:

./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse test.com

Now, the script will crawl the pages of the web application and test
every upload form it encounters. It will later check the effectiveness
of the payloads by checking some common directories like "/uploads" or
"/files".

Feedback is welcome,

--
George Chatzisofroniou
sophron.latthi.com
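The post describes two upload-form tricks the script relies on: a spoofed Content-Type header and a well-formed GIF whose Comment Extension block carries the payload. The following is an added example written from the defending side; it is not part of the script or of the original message. It shows what an upload handler has to do to be unaffected by either trick: decide on the bytes received rather than on the client-supplied filename or Content-Type, and walk the GIF block structure so that comment and plain-text extension blocks (and data appended after the trailer) are rejected rather than stored. The two sample images, the extension allow-list and the policy of refusing GIFs with comment blocks are assumptions made for the example.

```python
import os
import struct

# Constructed sample: a minimal 1x1 GIF89a with a 2-entry global colour table
# and no extension blocks (similar in spirit to a one-pixel placeholder image).
MINIMAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)         # logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                      # global colour table
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)   # image descriptor
    + b"\x02"                                          # LZW minimum code size
    + b"\x02\x44\x01\x00"                              # one data sub-block + terminator
    + b"\x3b"                                          # trailer
)

def gif_with_comment(gif, text):
    """Return a copy of a GIF with a Comment Extension (0x21 0xFE) inserted
    after the global colour table. Used here only to build the test sample."""
    packed = gif[10]
    insert_at = 13 + (3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0)
    body = b"".join(bytes([len(text[i:i + 255])]) + text[i:i + 255]
                    for i in range(0, len(text), 255))
    return gif[:insert_at] + b"\x21\xfe" + body + b"\x00" + gif[insert_at:]

# Constructed sample: the same image carrying a comment block with placeholder text.
COMMENT_GIF = gif_with_comment(MINIMAL_GIF, b"CONSTRUCTED-COMMENT-PLACEHOLDER")

def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_extension_labels(data):
    """Walk the GIF block structure and return the label byte of every
    extension block (0xFE = comment, 0x01 = plain text, 0xF9 = graphic control,
    0xFF = application). Raises ValueError for anything not a well-formed GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF header")
    packed = data[10]
    pos = 13 + (3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0)
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:                      # trailer: end of stream
            if pos != len(data):
                raise ValueError("data appended after the trailer")
            return labels
        if introducer == 0x21:                      # extension block
            if pos >= len(data):
                raise ValueError("truncated extension")
            labels.append(data[pos])
            pos = _skip_subblocks(data, pos + 1)
        elif introducer == 0x2C:                    # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                      # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)    # +1 skips the LZW min code size
        else:
            raise ValueError(f"unexpected block introducer 0x{introducer:02x}")

# Assumed allow-list: only these extensions are stored, each tied to its magic bytes.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg"}

def validate_upload(filename, declared_type, data):
    """Return (accepted, reason). Every decision is made on the bytes received;
    the client-supplied filename and Content-Type are only cross-checked."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in SIGNATURES:
        return False, f"extension .{ext} is not on the allow-list"
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match the extension"
    if declared_type.split(";")[0].strip().lower() != CONTENT_TYPES[ext]:
        return False, "declared Content-Type does not match the content"
    if ext == "gif":
        try:
            labels = gif_extension_labels(data)
        except ValueError as exc:
            return False, f"malformed GIF: {exc}"
        if any(label in (0xFE, 0x01) for label in labels):
            return False, "GIF carries comment or plain-text extension blocks"
    return True, "accepted"

if __name__ == "__main__":
    for name, sample in (("plain pixel", MINIMAL_GIF), ("pixel with comment", COMMENT_GIF)):
        print(name, validate_upload("pixel.gif", "image/gif", sample))
```

The header check alone would pass the commented image, which is exactly why a "proper GIF" is a useful carrier; walking the block structure is what makes the difference. Re-encoding every accepted image with an image library and storing it under a server-generated name, outside any directory the web server executes scripts from, removes the remaining ways a stored file could be interpreted as anything but an image.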

Attachment: http-fileupload-exploiter.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
