Nmap Development mailing list archives

[NSE] Webservers Directory Traversal Vulnerability (under windows)


From: Gutek <ange.gutek () gmail com>
Date: Mon, 24 May 2010 18:22:16 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the Windows world there seems to be a lot of tiny webservers.
Many of them are so tiny that they do not filter anything in the
requests, making them some kind of *stars* of the Full Disclosure...

Here is a script that launches a bunch of published payloads against an
open webserver, trying to parse the BootLoader (boot.ini) in order to
reveal a Directory Traversal vulnerability.

There is an anti-false positive mechanism embedded: the script only
returns results if it was able to parse the boot.ini.
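The two halves of that design, the response check that keeps the scanner from reporting a false positive and the request-path handling that a web server needs in order not to be vulnerable in the first place, are shown below as an added Python example; it is not the NSE script from the post and not part of any named server. The document root `/srv/www`, the sample boot.ini text and the request paths are constructed for illustration; the traversal payload quoted from the post's output is included among them.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root used for the examples below.
DOCROOT = "/srv/www"

# Markers the post relies on: a real boot.ini carries these two INI sections.
_BOOT_INI_MARKERS = (
    re.compile(r"^\s*\[boot loader\]", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^\s*\[operating systems\]", re.IGNORECASE | re.MULTILINE),
)

# Constructed sample of what a leaked boot.ini looks like (not captured from a host).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def looks_like_boot_ini(body: str) -> bool:
    """Scanner-side false-positive filter: only accept a body that parses as boot.ini.

    A 200 OK with an HTML error page or a default index must not count as a hit,
    so both section headers have to be present, each at the start of a line.
    """
    return all(marker.search(body) for marker in _BOOT_INI_MARKERS)


def resolve_request_path(request_path: str, docroot: str = DOCROOT):
    """Server-side mitigation: map an HTTP path to a file under docroot.

    Returns the resolved absolute path, or None if the request escapes the root.
    Handles the tricks small servers tend to miss: backslash separators,
    percent-encoding (including double encoding) and embedded NUL bytes.
    """
    decoded = request_path
    # Decode repeatedly so %252e%252e (-> %2e%2e -> ..) cannot slip past a single pass.
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        return None
    # Windows accepts backslash as a separator, so normalise it before collapsing "..".
    decoded = decoded.replace("\\", "/")
    root = docroot.rstrip("/")
    candidate = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed request paths; the second one is the payload quoted in the post.
    requests = [
        "/index.html",
        r"/..\\..\\..\..\\..\..\\..\..\\\boot.ini",
        "/%2e%2e/%2e%2e/boot.ini",
        "/%252e%252e%255cboot.ini",
        "/img/../about.html",
    ]
    for path in requests:
        print(f"{path!r:50} -> {resolve_request_path(path)}")
    print("sample body parses as boot.ini:", looks_like_boot_ini(SAMPLE_BOOT_INI))
```

`resolve_request_path` deliberately canonicalises the joined path rather than the request path alone: `posixpath.normpath("/../../x")` silently drops the leading `..`, so normalising first and then joining would hide the escape instead of detecting it.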

Output:
linux-pb94:/home/Gutek # nmap -PS -n -p80 --script=http-win-dir-traversal.nse 192.168.1.13

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-05-24 18:09 CEST
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.13
Host is up (0.0014s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-win-dir-traversal: Dir Traversal Found !
| Payload: ..\\..\\..\..\\..\..\\..\..\\\boot.ini
|_PoC: Microsoft Windows XP \x90dition familiale

The script was tested against all vulnerable webservers found at
http://hack0wn.com/exploits/remote.php?paginacion=1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkv6p7gACgkQ3aDTTO0ha7g0mgCfW1v9MY3vpZyZRzRTvdlDb+37
sfEAn3JHYnHVF+muIN/mCIGWRT//e3no
=AiY9
-----END PGP SIGNATURE-----

Attachment: http-win-dir-traversal.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
