Nmap Development mailing list archives

Re: [NSE] PHP version disclosure (OSVDB 12184)


From: Gutek <ange.gutek () gmail com>
Date: Sat, 29 May 2010 18:24:47 +0200

Ok, here comes a new version.
It now checks both the "special PHP logo" and the "Credits page".
David was right, we have a far better granularity when using the Credits
as a fingerprint.
However I'm still not quite sure if this Credits page is really
phpinfo() dependent or not, while the logo does not seem to be.

So, the script now checks both: results from the "logo" are now marked
as "gives a range" (let's say, informational), and results from the
Credits are marked "more accurate".

In the end, to help collecting new hashes or to reveal at a glance if a
banner seems really different from the "easteregg fingerprint", the
script tries to grab the claimed PHP version from the Header.

During this past week I've scanned hundreds of webservers and so the
fingerprints database has grown and is now more mature. There should
remain only a few unknown signatures, but in this case the script will
tell the user what to do.

Here is the new Output:

---
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | php-easteregg: This EasterEgg Matches PHP Versions:
-- | ('logo' test, gives a range)
-- | 4.3.11,
-- | 4.4.0 to 4.4.4,
-- | 5.0.5-2ubuntu1.1,
-- | 5.0.5-pl3-gentoo,
-- | 5.1.0 to 5.1.2
-- | ('credits' test, more accurate)
-- | 5.0.5
-- |_(According to the Header, server claims to be running PHP/5.0.5)

Again, thanks for the advice :)

A.G

Attachment: php-easteregg.nse
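To illustrate the matching logic the message describes (hash the two easter-egg responses, look each hash up in a fingerprint table, report the logo hit as a range and the credits hit as more accurate, and compare with the version the header claims), here is an added Python sketch. It is not the attached script or any part of the original post; the fingerprint table, the sample bodies and the header names it inspects are constructed assumptions.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample easter-egg bodies; real entries come from scanning
# servers of known version, as the post describes.
LOGO_BODY_A = b"constructed-php-logo-image-bytes-A"
CREDITS_BODY_A = b"<html>constructed PHP credits page A</html>"

def md5hex(body: bytes) -> str:
    """Fingerprint a response body by its MD5 hex digest."""
    return hashlib.md5(body).hexdigest()

# md5(body) -> PHP versions serving that body.  The logo is shared across
# many builds (a range); the credits page varies more (more accurate).
LOGO_DB: Dict[str, List[str]] = {
    md5hex(LOGO_BODY_A): ["4.3.11", "4.4.0 to 4.4.4", "5.0.5", "5.1.0 to 5.1.2"],
}
CREDITS_DB: Dict[str, List[str]] = {
    md5hex(CREDITS_BODY_A): ["5.0.5"],
}

def claimed_version(headers: Dict[str, str]) -> Optional[str]:
    """Version the server itself advertises (X-Powered-By or Server)."""
    for name in ("X-Powered-By", "Server"):
        m = re.search(r"PHP/(\d+\.\d+(?:\.\d+)?[\w.-]*)", headers.get(name, ""))
        if m:
            return m.group(1)
    return None

def fingerprint(logo_body: bytes, credits_body: bytes,
                headers: Dict[str, str]) -> Dict[str, object]:
    """Classify one host from its two easter-egg responses and headers."""
    logo_hash, credits_hash = md5hex(logo_body), md5hex(credits_body)
    return {
        "logo_range": LOGO_DB.get(logo_hash),
        "credits_exact": CREDITS_DB.get(credits_hash),
        "claimed": claimed_version(headers),
        # Unknown hashes are reported so the table can be extended.
        "unknown": [h for h, db in ((logo_hash, LOGO_DB), (credits_hash, CREDITS_DB))
                    if h not in db],
    }

def banner_disagrees(result: Dict[str, object]) -> bool:
    """True when the header claim contradicts an exact credits match."""
    exact = result["credits_exact"] or []
    return bool(result["claimed"]) and bool(exact) and result["claimed"] not in exact
```

A hit in `unknown` is the case where the post says the script tells the user what to do: the body is worth submitting so the table grows.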

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
