Nmap Development mailing list archives
[NSE] http-fileupload-exploiter.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Tue, 11 Jun 2013 23:14:11 +0300
The attached script attempts to exploit insecure file upload forms in web applications using various techniques like changing the Content-Type header or creating some proper GIF images that contain the payload in the comment. To use it, make sure to add the pixel.gif (also attached) in the nselib/data directory.

Here are some common use cases:

- Let's say we want to test the upload form we just created. The form is in the "/upload.php" page and the uploaded files are moved to the "/uploads" directory. We should run the script like this:

  ./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse --script-args 'http-comments-displayer.singlepages={"/upload.php"}', http-fileupload-exploiter.uploadspaths={"/uploads"}' example.com

- Now let's say we also have a registration form and we let the users upload an avatar when filling out this form. We need to test this form, but some of the fields there are necessary for our request to proceed (like username, password and email). The script will automatically try to fill all the fields in the form with the 'Sampledata0' string. Unfortunately, the 'email' field has some restrictions and accepts only valid email addresses, so 'Sampledata0' is not acceptable. If that's the case, we should run the script as follows:

  ./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse --script-args ''http-comments-displayer.singlepages={"/upload.php"}', http-fileupload-exploiter.uploadspaths={"/avatars"}, http-fileupload-exploiter.fieldvalues={email= "foo () bar com"}' test.com

  Now when the script is encountering the 'email' field, it will fill it with the "foo () bar com" string.

- Finally, we want to test the whole application (all the upload forms), but we are too lazy to pass any arguments. So, we run the script without any arguments:

  ./nmap -p80 -n -Pn --script http-fileupload-exploiter.nse test.com

  Now, the script will crawl the pages of the web application and test every upload form it encounters. It will later check the effectiveness of the payloads by checking some common directories like "/uploads" or "/files".

Feedback is welcome,

--
George Chatzisofroniou
sophron.latthi.com
Attachment: http-fileupload-exploiter.nse
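For readers on the receiving end of the two tricks the post mentions (a spoofed Content-Type header and a valid GIF carrying a script tag in its comment block), here is an added server-side validation example. It is not part of the NSE script or of any Nmap code; the file names, the whitelist and the sample images are constructed for the demonstration.

```python
import re

# Extension -> magic bytes the file must really start with. The Content-Type
# header is attacker-controlled, so it is deliberately never consulted.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",)}
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

def gif_comments(data):
    """Return the payload of every GIF comment extension (0x21 0xFE) in data."""
    comments, pos = [], 0
    while (pos := data.find(b"\x21\xfe", pos)) != -1:
        pos += 2
        chunks = []
        while pos < len(data) and data[pos] != 0:  # sub-blocks run until a 0x00 terminator
            size = data[pos]
            chunks.append(data[pos + 1:pos + 1 + size])
            pos += 1 + size
        comments.append(b"".join(chunks))
        pos += 1
    return comments

def check_upload(filename, declared_type, data):
    """Return (accepted, reason). declared_type is reported only, never trusted."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in MAGIC:   # also rejects shell.php.gif
        return False, "extension not whitelisted or multiple extensions: " + filename
    ext = parts[1]
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match .{ext} (declared {declared_type})"
    if ext == "gif":
        for comment in gif_comments(data):
            if SCRIPT_MARKERS.search(comment):
                return False, "script marker inside GIF comment block"
    if SCRIPT_MARKERS.search(data):   # belt and braces for other container tricks
        return False, "script marker inside image body"
    return True, "ok"

# Constructed samples: a 1x1 GIF with a harmless comment, the same image with a
# PHP tag in the comment (the polyglot the post describes), and a bare script.
def gif_with_comment(comment):
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"   # 1x1, no colour table
    return header + b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" + b"\x3b"

BENIGN_GIF = gif_with_comment(b"hello")
POLYGLOT_GIF = gif_with_comment(b"<?php echo 1; ?>")

if __name__ == "__main__":
    for name, ctype, blob in [("pixel.gif", "image/gif", BENIGN_GIF),
                              ("pixel.gif", "image/gif", POLYGLOT_GIF),
                              ("shell.php", "image/gif", b"<?php echo 1; ?>"),
                              ("x.gif", "image/gif", b"<?php echo 1; ?>")]:
        print(name, check_upload(name, ctype, blob))
```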