Nmap Development mailing list archives
Re: [NSE] New script to detect Joomla! Header RCE [2015-8562]
From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Thu, 11 Feb 2016 01:34:36 +0530
Hi Johanna, Sorry I couldn't get back to earlier, academics and hackathons kept me busy :(. Sometime back I had written a script that tested for a vulnerability on elasticsearch, which wouldn't work if the server wasn't indexed. I was suggested to put 'Try with the invasive option' in a debug statement. I guess that should work with this too. If there isn't any result I can output 'Try with exploit turned on to be really sure', as exploiting by default is bad behavior. Hope to make changes in the code that reflect this behavior soon. Gyani ᐧ On Sat, Feb 6, 2016 at 10:21 PM, Johanna Curiel <johannapcuriel () gmail com> wrote:
What do you think about the following implementation? If exploit is setto true then the Joomla/PHP Checks aren't considered and the script tries to exploit and tell if the server is exploitable. In case headers are blocked and exploit isn't set true then a debug message saying 'headers missing, try with exploit set to true to confirm' or similar would appear . In this case, If server is exploitable but is hiding the information, the payload will work. In order to check the different possible PHP versions I was experimenting with a script like this to parse the PHP version found and compare it to a table local response = http.get(host, port, uri, options) if ( response.status == 200 ) then –Look for Ubuntu PHP version for h, v in pairs(response.header) do vl = v:lower() if h == “x-powered-by” and string.find(vl, “php/%d+.%d+.%d+”) then local versionphp = string.match(vl, “%d+.%d+.%d+”) stdnse.print_debug(1, versionphp) Then when I start testing I realised that if the server hided these headers but was exploitable, the script will be flawed. Again, this approach's disadvantage is that is the version is blocked by a reverse proxy or configuration settings/firewall , even when exploitable we wont know. Cheers Johanna On Wed, Jan 27, 2016 at 2:55 PM, Gyanendra Mishra <anomaly.the () gmail com> wrote:Hi Johanna, I had similar thoughts while developing the script. The headers can be blocked by the server and in such cases the script would return "safe", even though it may be vulnerable, but exploiting and checking by default isn't good behavior as well. What do you think about the following implementation? If exploit is set to true then the Joomla/PHP Checks aren't considered and the script tries to exploit and tell if the server is exploitable. In case headers are blocked and exploit isn't set true then a debug message saying 'headers missing, try with exploit set to true to confirm' or similar would appear . Regards, Gyani ᐧ On Wed, Jan 27, 2016 at 8:13 PM, Johanna Curiel <johannapcuriel () gmail comwrote:Hi Gyanendra Thank you for this awesome work. After taking look of the script, I see many of the recognition work relies on the identifying response headers info and identifying the administrator path console of Jommla. In case this information is hidden or not provided as in the request header, it will not be able to recognise PHP? and if the path has also been blocked (lets say by a firewall) then in that case recognition of wont be possible at all? Regards Johanna On Tue, Jan 26, 2016 at 6:36 PM, Gyanendra Mishra <anomaly.the () gmail comwrote:Hi list, #260 on Github called for the development of a script that detects CVE 2015-8562. This script performs checks for the same and can be used to optionally exploit the target. I tested this on ubuntu 10.04.1 running php 5.4.7 and Joomla! 3.4.3. Find the script in the link below. https://svn.nmap.org/nmap-exp/gyani/scripts/http-vuln-cve2015-8562.nse Cheers, Gyani ᐧ _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] New script to detect Joomla! Header RCE [2015-8562] Gyanendra Mishra (Jan 26)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Johanna Curiel (Jan 27)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Gyanendra Mishra (Jan 27)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Johanna Curiel (Feb 06)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Gyanendra Mishra (Feb 10)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Gyanendra Mishra (Jan 27)
- Re: [NSE] New script to detect Joomla! Header RCE [2015-8562] Johanna Curiel (Jan 27)