Nmap Development mailing list archives

Re: [NSE] http-passwd: payloads update and new vector proposal


From: Gutek <ange.gutek () gmail com>
Date: Sat, 02 Oct 2010 10:20:51 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 27/09/2010 21:01, David Fifield wrote:
On Mon, Aug 23, 2010 at 06:21:25PM +0200, Gutek wrote:
I've worked on http-passwd today and added some payloads against some
webservers (and also some comments to illustrate the specific
payloads). That's for the maintenance.

Thanks, I committed these.

I've also added a new vector to reach the file disclosure condition
(etc/passwd or boot.ini), which highlights a directory traversal in this
script (it is used as a PoC against false-positives).
Until now, this script only uses the classical GET
../..<something>/etc/passwd query.
This improvement proposal searches the root page for a variable which
calls a page or a file, i.e. technically speaking
"?|&VARIABLE=<something>DOT<something>", for example
"/index.php?page=next.php"

Then, it rolls again through the previously tested payloads, calling
them with the file variable found, itself attacked with a trailing
poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte
for details)

That is, after testing GET <payload>, it now also tests GET
/?<variable>=<payload>%00

I think this is pretty reasonable. I committed it too, with some style
changes. Would you add a script argument http-passwd.root that controls
where the query strings are searched for, instead of hardcoding "/"?

David Fifield

Done and attached.
o --script-args 'http-passwd.root=/path/' does the job and, if not
provided, defaults to /
o User-provided argument is also sanitized: it should be /path/, but
the script would add any missing (leading or trailing) slashes.
o added @usage and @args blocks

Regards,

A.G.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkym62MACgkQ3aDTTO0ha7iXOQCbBz5x/Avq27K9RWdMGFIsHnZi
V6wAn2ihc0wdpVaVY7M885n96iymK4VM
=hHLr
-----END PGP SIGNATURE-----

Attachment: http-passwd.nse
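The message above describes two request shapes the script sends: the classical GET ../..<something>/etc/passwd path, and the same payload carried in a query-string variable with a trailing poison null byte (GET /?<variable>=<payload>%00). As an added example that is not part of this thread or of http-passwd.nse, the Python below looks at the same two shapes from the server side, parsing constructed access-log lines and flagging requests that match either form, so an operator can see what a run of this script (or a real attempt at the same thing) looks like in the logs. The log lines, IP addresses and function names are all constructed for the example.

```python
"""Flag the two request shapes the http-passwd script sends, as seen from the
web server's access log: a bare traversal path (GET /../../etc/passwd) and a
traversal payload carried in a query-string variable with a trailing poison
null byte (GET /index.php?page=../../etc/passwd%00).

Added example; not part of http-passwd.nse. Log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2010:10:20:51 +0200] "GET /index.php?page=next.php HTTP/1.1" 200 512
203.0.113.7 - - [02/Oct/2010:10:20:52 +0200] "GET /../../../../etc/passwd HTTP/1.1" 404 210
203.0.113.7 - - [02/Oct/2010:10:20:53 +0200] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024
203.0.113.7 - - [02/Oct/2010:10:20:54 +0200] "GET /index.php?page=..%2f..%2f..%2fboot.ini%00 HTTP/1.1" 200 980
198.51.100.3 - - [02/Oct/2010:10:21:00 +0200] "GET /style.css HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# The two files the thread names as the disclosure targets.
TARGET_FILES = ('etc/passwd', 'boot.ini')


def _names_target_file(path):
    """True when the (decoded) path ends in one of the target files."""
    p = path.lower().replace('\\', '/')
    return any(p.endswith(f) for f in TARGET_FILES)


def classify_target(target):
    """Return a list of (kind, variable) findings for one request-target.

    kind is 'path-traversal' for the classical GET ../../etc/passwd form and
    'param-traversal' for the query-variable form; '+nullbyte' is appended
    when the decoded variable value ends in a NUL byte.
    """
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    if TRAVERSAL_RE.search(path) and _names_target_file(path):
        findings.append(('path-traversal', None))
    # parse_qsl percent-decodes, so %2f becomes '/' and %00 becomes '\x00'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        has_nul = value.endswith('\x00')
        body = value.rstrip('\x00')
        if TRAVERSAL_RE.search(body) and _names_target_file(body):
            kind = 'param-traversal' + ('+nullbyte' if has_nul else '')
            findings.append((kind, name))
    return findings


def scan_log(text):
    """Parse CLF lines and return one dict per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        for kind, var in classify_target(m.group('target')):
            hits.append({'ip': m.group('ip'), 'kind': kind, 'variable': var,
                         'status': int(m.group('status')),
                         'target': m.group('target')})
    return hits


if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} {h['kind']:26} var={h['variable']} "
              f"status={h['status']} {h['target']}")
```

The status code is kept on each hit on purpose: the script reports a file disclosure only when the server answers the probe with the file, so a flagged request that returned 200 deserves a closer look than one that returned 404. Percent-decoding is done once, as the server would; a site that decodes twice would need the check repeated on the decoded value.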

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
