Nmap Development mailing list archives

[NSE] http-passwd: payloads update and new vector proposal


From: Gutek <ange.gutek () gmail com>
Date: Mon, 23 Aug 2010 18:21:25 +0200



Hi list,

I've worked on http-passwd today and added some payloads against some
webservers (and also some comments to illustrate the specific
payloads). That's for the maintenance.

I've also added a new vector to reach the file disclosure condition
(/etc/passwd or boot.ini), which highlights a directory traversal in this
script (it is used as a PoC against false-positives).
Until now, this script only used the classical GET
../..<something>/etc/passwd query.
This improvement proposal searches the root page for a variable which
calls a page or a file, i.e. technically speaking
"?|&VARIABLE=<something>DOT<something>", for example
"/index.php?page=next.php".

Then, it rolls again through the previously tested payloads, calling
them with the file variable found, itself attacked with a trailing
poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte
for details).

That is, after testing GET <payload>, it now also tests GET
/?<variable>=<payload>%00

Can I dare ask if we shouldn't consider changing the name of this
script? I'm not sure that "passwd" is still self-speaking about what this
script actually does.

Anyway, please find attached my script proposal.

Regards,

A.G.


Attachment: http-passwd-nullbyte.nse

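The two request shapes the post describes (the bare `GET ../../etc/passwd` and the `/?variable=<payload>%00` form), seen from the web server's side. This is an added example, not the attached NSE script or any Nmap code: a Python check over constructed access-log lines that flags traversal sequences and null bytes, decoding percent-encoding repeatedly so a double-encoded variant is not missed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2010:18:21:25 +0200] "GET /index.php?page=next.php HTTP/1.1" 200 512
10.0.0.5 - - [23/Aug/2010:18:21:26 +0200] "GET /../../../../etc/passwd HTTP/1.1" 404 0
10.0.0.5 - - [23/Aug/2010:18:21:27 +0200] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024
10.0.0.5 - - [23/Aug/2010:18:21:28 +0200] "GET /index.php?page=..%252f..%252fboot.ini%2500 HTTP/1.1" 200 300
10.0.0.5 - - [23/Aug/2010:18:21:29 +0200] "GET /css/style.css HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')  # "../" or "..\" after decoding


def fully_decode(value, max_rounds=3):
    """URL-decode until stable so %252f -> %2f -> / is caught, bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (where, what) findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(fully_decode(parts.path)):
        findings.append(("path", "traversal"))
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, raw = pair.partition("=")  # split manually; decode the value ourselves
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append((name, "traversal"))
        if "\x00" in value:  # the trailing poison null byte from the post
            findings.append((name, "null-byte"))
    return findings


def scan_log(text):
    """Return [(request_target, findings)] for every log line that trips a check."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            alerts.append((match.group("target"), findings))
    return alerts


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(target, findings)
```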
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
