Nmap Development mailing list archives

Re: [NSE Script] HTTP probe for /etc/passwd


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 22 Jul 2007 00:18:33 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 21 Jul 2007 19:05:29 -0500 plus or minus some time Kris Katterjohn
<katterjohn () gmail com> wrote:

> Kris Katterjohn wrote:
>> I added a few of your ideas, and separated it into functions.  It's
>> really easy to add any other ideas now.


> Okay, I made a couple more changes:
> 
> 1) Use //etc/passwd instead of /etc/passwd

On the webserver I have access to that was actually returning /etc/passwd when
requested, adding the extra '/' makes it not work.  Go figure.  I'm not
sure which is better, and both might be a few too many probes.


> 2) Added the one that uses \/

This should work for poorly designed webservers that check against a
blacklist like '../' before going through an 'unescape' function.  I'll run
a scan later today to see if anything turns up with this.


> 3) Made httpget() to avoid repeating "GET" and "HTTP/1.0\r\n\r\n"

Looks good.



> That makes five tests.  If people like it, I'll add it to SVN.  Unless
> you have some more good ideas for me before I do :)

If we're taking a vote, count mine early and often :-p


> Thanks,
> Kris Katterjohn

Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGoqJZqaGPzAsl94IRAszwAJ4jBbXNhvL1jSienB+w6myZ0pCz3gCeO/J1
gNiV11QIWC0UEcPGQ7+dHNA=
=07gp
-----END PGP SIGNATURE-----
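As an added example (not Kris's NSE script, which the thread does not include, and not code from the Nmap project), the following Python models the three points discussed above: the httpget() helper that builds one raw HTTP/1.0 request, a candidate probe list including the //etc/passwd and \/ variants, and the server-side bug Brandon describes, a '../' blacklist applied before unescaping, beside a check that unescapes and resolves the path first. The five probes, the document root, the unescape semantics (percent-decoding plus backslash as an escape character) and the sample responses are all assumptions constructed for the example.

```python
# Added example, not the NSE script from the thread. Models the probe list,
# the httpget() helper and the blacklist-before-unescape bug discussed above.
import posixpath
import re
from urllib.parse import unquote

# Constructed probe list. The thread mentions "five tests" but names only
# three variants, so this set is an assumption, not the script's own.
PROBES = [
    "/etc/passwd",
    "//etc/passwd",
    "/../../../../etc/passwd",
    "/..\\/..\\/..\\/..\\/etc/passwd",            # the '\/' variant from item 2
    "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # percent-encoded dots
]

DOCROOT = "/var/www"  # assumed document root for the hardened check


def httpget(path: str) -> bytes:
    """Build the raw request once, like the httpget() helper in item 3."""
    return ("GET %s HTTP/1.0\r\n\r\n" % path).encode("latin-1")


def unescape(path: str) -> str:
    """Assumed server-side unescape: percent-decode, then treat a backslash
    as an escape for the following character, so '\\/' collapses to '/'."""
    return re.sub(r"\\(.)", r"\1", unquote(path))


def vulnerable_filter(path: str) -> bool:
    """The order Brandon describes: blacklist checked on the raw path, then
    unescaped. Returns True when the request is allowed through."""
    if "../" in path:
        return False
    unescape(path)  # decoded only after the check, so '\/' and '%2e%2e/' slip past
    return True


def hardened_filter(path: str) -> bool:
    """Unescape first, resolve against the docroot, and require the result
    to stay inside it. No blacklist is needed at all."""
    resolved = posixpath.normpath(
        posixpath.join(DOCROOT, unescape(path).lstrip("/")))
    return resolved == DOCROOT or resolved.startswith(DOCROOT + "/")


def passing_probes(check) -> list:
    """Probes a given filter would let through."""
    return [p for p in PROBES if check(p)]


# A passwd line: name, password field, numeric uid and gid, at line start.
PASSWD_RE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_-]*:[^:\r\n]*:\d+:\d+:", re.M)


def looks_like_passwd(response: bytes) -> bool:
    """Client-side check on a raw HTTP response: a 200 status and at least
    one passwd-shaped line in the body."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return False
    status = head.split(b" ", 2)
    if len(status) < 2 or status[1] != b"200":
        return False
    return PASSWD_RE.search(body) is not None


# Constructed responses, not captured from a real server.
SAMPLE_HIT = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
              b"root:x:0:0:root:/root:/bin/bash\n"
              b"daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n")
SAMPLE_MISS = b"HTTP/1.0 404 Not Found\r\n\r\n<html>Not Found</html>"

if __name__ == "__main__":
    for p in PROBES:
        print(httpget(p))
    print("vulnerable filter lets through:", passing_probes(vulnerable_filter))
    print("hardened filter lets through:  ", passing_probes(hardened_filter))
    print(looks_like_passwd(SAMPLE_HIT), looks_like_passwd(SAMPLE_MISS))
```

Run stand-alone, the vulnerable filter lets the \/ and percent-encoded probes through while blocking the plain '../' one, which is exactly the gap Brandon expects the \/ probe to find; the hardened filter admits only the two probes that resolve inside the document root, where /etc/passwd is just a harmless relative path.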

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
