Nmap Development mailing list archives

Re: [NSE] http-passwd: payloads update and new vector proposal


From: David Fifield <david () bamsoftware com>
Date: Fri, 5 Nov 2010 14:21:08 -0700

On Sat, Oct 02, 2010 at 10:20:51AM +0200, Gutek wrote:
> On 27/09/2010 21:01, David Fifield wrote:
> > On Mon, Aug 23, 2010 at 06:21:25PM +0200, Gutek wrote:
> > > I've worked on http-passwd today and added some payloads against some
> > > webservers (and also some comments to illustrate the specific
> > > payloads). That's for the maintenance.
> >
> > Thanks, I committed these.
> >
> > > I've also added a new vector to reach the file disclosure condition
> > > (etc/passwd or boot.ini), which highlights a directory traversal in this
> > > script (it is used as a PoC against false-positives).
> > > Until now, this script only uses the classical GET
> > > ../..<something>/etc/passwd query.
> > > This improvement proposal searches the root page for a variable which
> > > calls a page or a file, i.e. technically speaking
> > > "?|&VARIABLE=<something>DOT<something>", for example
> > > "/index.php?page=next.php"
> > >
> > > Then, it rolls again through the previously tested payloads, calling
> > > them with the file variable found, itself attacked with a trailing
> > > poison null byte (see http://hakipedia.com/index.php/Poison_Null_Byte
> > > for details)
> > >
> > > That is, after testing GET <payload>, it now also tests GET
> > > /?<variable>=<payload>%00
> >
> > I think this is pretty reasonable. I committed it too, with some style
> > changes. Would you add a script argument http-passwd.root that controls
> > where the query strings are searched for, instead of hardcoding "/"?
>
> Done and attached.
> o --script-args 'http-passwd.root=/path/' does the job and, if not
>   provided, defaults to /
> o User-provided argument is also sanitized: besides it should be /path/,
>   the script would add any missing (leading or trailing) slashes.
> o added @usage and @args blocks

Thanks. I disagree with automatically adding the slashes. A trailing
slash is wrong, for example, in
        --script-args http-passwd.root=/app/file.php
A leading slash makes more sense, but there might be cases when I want
to send a request without a beginning slash, for example starting with a
backslash.

David Fifield
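As an added example (not part of this thread, nor code from the http-passwd script itself), the following Python shows the defender's side of the vector discussed above: it applies the same "query variable whose value contains a dot" heuristic the proposal uses to identify file-like parameters, and flags access-log requests that carry the traversal, null-byte and etc/passwd or boot.ini indicators such probes leave behind. The log lines, IP addresses and the combined-log regex are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed "combined"-style access log line matcher; only ip, method,
# target and status are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same shape as the thread's "?|&VARIABLE=<something>DOT<something>" heuristic:
# a query parameter whose value looks like a file or page name.
FILE_PARAM_RE = re.compile(r'[?&]([A-Za-z_][\w-]*)=([^&#\s]*\.[^&#\s]*)')

# Files the script's payloads aim at, as named in the thread.
SENSITIVE_FILES = ("etc/passwd", "boot.ini")


def find_file_params(url):
    """Return [(name, value)] for query parameters whose value contains a dot."""
    return FILE_PARAM_RE.findall(url)


def classify_target(target):
    """Return a sorted list of indicator tags for one request target.

    The target is percent-decoded twice so that both plain and
    double-encoded traversal sequences are examined.
    """
    once = unquote(target)
    twice = unquote(once)
    tags = set()
    for view in (once, twice):
        if re.search(r'(\.\./|\.\.\\)', view):        # ../ or ..\ segment
            tags.add("traversal")
        if "\x00" in view:                             # %00 poison null byte
            tags.add("null-byte")
        if any(f in view.replace("\\", "/") for f in SENSITIVE_FILES):
            tags.add("sensitive-file")
    # A traversal/null-byte payload delivered through a file-like parameter is
    # exactly the /?<variable>=<payload>%00 case described in the thread.
    if find_file_params(target) and ("traversal" in tags or "null-byte" in tags):
        tags.add("file-param-injection")
    return sorted(tags)


def scan_log(lines):
    """Return [(ip, target, tags)] for every log line with at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_target(m.group("target"))
        if tags:
            hits.append((m.group("ip"), m.group("target"), tags))
    return hits


# Constructed sample log: one benign include, then three probe-like requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2010:14:21:08 -0700] "GET /index.php?page=next.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Nov/2010:14:21:09 -0700] "GET /../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Nov/2010:14:21:10 -0700] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2010:14:22:00 -0700] "GET /app/file.php?page=\\..\\..\\boot.ini HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(tags))
```

A 200 status on a request tagged `file-param-injection` and `sensitive-file` is the combination worth alerting on: it is the condition the script treats as a positive, whereas a 404 on a bare `../` probe only tells you someone is looking.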
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
