Nmap Development mailing list archives

Re: [NSE Script] HTTP probe for /etc/passwd


From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Sat, 21 Jul 2007 23:15:35 -0500

On 7/21/07, Brandon Enright <bmenrigh () ucsd edu> wrote:

> On Sat, 21 Jul 2007 19:05:29 -0500 plus or minus some time Kris Katterjohn
> <katterjohn () gmail com> wrote:
>
> > Okay, I made a couple more changes:
> >
> > 1) Use //etc/passwd instead of /etc/passwd
>
> On the webserver I have access to that actually returns /etc/passwd when
> requested, adding the extra '/' makes it not work.  Go figure.  I'm not
> sure which is better and both might be a few too many probes.

Well, crap! :)

Yeah, both would be too many I think.  I guess we'll just see how things
turn up.

> > 2) Added the one that uses \/
>
> This should work for poorly designed webservers that check against a
> blacklist like '../' before going through an 'unescape' function.  I'll
> run a scan later today to see if anything turns up with this.

> > 3) Made httpget() to avoid repeating "GET" and "HTTP/1.0\r\n\r\n"
>
> Looks good.

> > That makes five tests.  If people like it, I'll add it to SVN.  Unless
> > you have some more good ideas for me before I do :)
>
> If we're taking a vote, count mine early and often :-p


Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
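The decode-order bug Brandon describes (a '../' blacklist applied before the path is unescaped) and the probe variants the thread settles on, as an added example in Python. This is not code from the thread or from Nmap's NSE script: the document root, the sample passwd body, the offline fake server and the exact form of the '\/' variant are assumptions made for the example, and the model only reproduces the decode-order failure, not whatever makes some servers answer //etc/passwd and others not.

```python
"""Added example, not code from the nmap-dev thread or from Nmap itself.

Models the two things the thread turns on: the probe-path variants an
/etc/passwd check might send, and why a server that blacklists '../'
before unescaping the request path can still be walked out of its
document root.  DOCROOT, SAMPLE_PASSWD, fake_server and the exact shape of
the backslash variant are assumptions made for this example.
"""
import posixpath
import re
from typing import Callable, Optional
from urllib.parse import unquote

DOCROOT = "/var/www"  # assumed document root for the toy server model

# Probe variants in the spirit of the thread.  The first three are the
# literal paths discussed; the '\/' form is an assumption about what
# "the one that uses \/" looked like.
PROBE_PATHS = [
    "/etc/passwd",
    "//etc/passwd",
    "/../../../../etc/passwd",
    "/..%2f..%2f..%2f..%2fetc/passwd",    # percent-encoded slashes
    "/..\\/..\\/..\\/..\\/etc/passwd",    # backslash-escaped slashes (assumed)
]

# A root entry at the start of a line is a reliable /etc/passwd fingerprint.
PASSWD_RE = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)

# Constructed sample body standing in for a leaked passwd file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
)


def looks_like_passwd(body: str) -> bool:
    """True if an HTTP response body contains a passwd-style root line."""
    return PASSWD_RE.search(body) is not None


def unescape(raw_path: str) -> str:
    """Decoding a lenient server might apply to the request path:
    percent-decode, then treat a backslash-escaped slash as a plain slash."""
    return unquote(raw_path).replace("\\/", "/")


def resolve(decoded_path: str) -> str:
    """Map a decoded URL path onto the filesystem, collapsing '..' and '//'."""
    return posixpath.normpath(DOCROOT + "/" + decoded_path.lstrip("/"))


def blacklist_then_unescape(raw_path: str) -> Optional[str]:
    """Vulnerable order from the thread: look for '../' in the raw path and
    unescape afterwards.  Returns the file that would be served, or None."""
    if "../" in raw_path:
        return None
    return resolve(unescape(raw_path))


def unescape_then_check(raw_path: str) -> Optional[str]:
    """Hardened order: unescape first, resolve, then confirm the result is
    still under DOCROOT.  No pattern blacklist is needed at all."""
    target = resolve(unescape(raw_path))
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


def find_leak(fetch: Callable[[str], str]) -> Optional[str]:
    """Script-side logic: send each probe and report the first path whose
    body looks like /etc/passwd.  `fetch` maps a request path to a body."""
    for path in PROBE_PATHS:
        if looks_like_passwd(fetch(path)):
            return path
    return None


def fake_server(filter_fn: Callable[[str], Optional[str]]) -> Callable[[str], str]:
    """Offline stand-in for a web server: serves SAMPLE_PASSWD only when the
    filter lets the request resolve to the real /etc/passwd."""
    def fetch(path: str) -> str:
        target = filter_fn(path)
        return SAMPLE_PASSWD if target == "/etc/passwd" else "<html>404 Not Found</html>"
    return fetch


if __name__ == "__main__":
    print("vulnerable server leaks via:", find_leak(fake_server(blacklist_then_unescape)))
    print("hardened server leaks via:  ", find_leak(fake_server(unescape_then_check)))
```

Against the blacklist-first model the plain traversal is caught but both the percent-encoded and the backslash-escaped forms pass, because the literal string '../' is never present in the raw request; checking the resolved path against the document root after decoding closes all of them without any pattern list.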
