Nmap Development mailing list archives

Re: .htaccess + php sec bypass


From: Paulino Calderon <paulino () calderonpale com>
Date: Sat, 04 Aug 2012 20:11:50 -0500

On 30/07/2012 07:49 p.m., Arturo 'Buanzo' Busleiman wrote:
Hey, thank you MK!

On Mon, Jul 30, 2012 at 8:24 PM, Matias Katz <matias () matiaskatz com> wrote:
If you need any feedback from me, please ask. I'd be happy to reply, and
help in any part of the script writing process :)
Hi list,
I've looked into this tool and realized that we sort of have a similar script that can accomplish this task. The tool released in BH basically attempts to access a resource using a non-existing HTTP method (AKA HTTP verb tampering). Not too long ago, Hani released http-method-tamper which performs a similar test but is focused on the JBoss vulnerability (CVE-2010-0738).

I'm attaching a new version of the script http-method-tamper. It has the following advantages over the previous version:

* Supports http spidering. The idea is that users can run the script with no arguments and it will crawl the webserver, identify protected resources and attempt to bypass the authentication.
* Supports checks to specific paths. If a user knows what paths need to be checked, we can do so by setting an argument. No spidering is done when we specify paths.
* The test to identify the vulnerability is more comprehensive in this script. First, we try with "HEAD", then "POST" and finally a random string (non-existing method) as the HTTP verbs.

IMO the existing script works perfectly for checking CVE 2010-0738 but since this is a general check, the specific JBoss information should be moved to a separate script.

Feel free to test it against my test installation at 106.187.53.215:
nmap -p80 --script http-method-tamper --script-args paths=/method-tamper/protected/pass.txt 106.187.53.215


description = [[
Crawls a web server looking for password protected resources (HTTP 401 status) and attempts to bypass
the authentication by performing HTTP verb tampering.

The script determines if the protected URI is vulnerable by performing HTTP verb tampering and monitoring
the status codes. First, it uses a HEAD request, then a POST request and finally a randomly generated
string (this last one is useful when web servers treat unknown request methods as a GET request). If the
table <code>paths</code> is set, it will attempt to access the given URIs. Otherwise, a web crawler is
initiated to try to find protected resources. Keep in mind that it is more likely to find a resource
vulnerable to HTTP verb tampering when accessing a file.

References:
* http://www.imperva.com/resources/glossary/http_verb_tampering.html
* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
* http://www.mkit.com.ar/labs/htexploit/
* http://capec.mitre.org/data/definitions/274.html
]]
---
-- @usage nmap -sV --script http-method-tamper <target>
-- @usage nmap -p80 --script http-method-tamper --script-args 'http-method-tamper.paths={/protected/db.php,/protected/index.php}' <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-method-tamper:
-- |   VULNERABLE:
-- |   Authentication bypass by HTTP verb tampering
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       This web server contains password protected resources vulnerable to authentication bypass
-- |       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
-- |       common HTTP methods and in misconfigured .htaccess files.
-- |
-- |     Extra information:
-- |
-- |   URIs suspected to be vulnerable to HTTP verb tampering:
-- |     /method-tamper/protected/pass.txt [POST]
-- |
-- |     References:
-- |       http://www.imperva.com/resources/glossary/http_verb_tampering.html
-- |       http://www.mkit.com.ar/labs/htexploit/
-- |       http://capec.mitre.org/data/definitions/274.html
-- |_      https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
--
-- @args http-method-tamper.uri Base URI to crawl. Not applicable if <code>http-method-tamper.paths</code> is set.
-- @args http-method-tamper.paths Array of paths to check. If not set, the script will crawl the web server.
-- @args http-method-tamper.timeout Web crawler timeout. Default: 10000ms


--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

Attachment: http-method-tamper.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
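The decision logic the thread describes (GET as the baseline, then HEAD, POST and a random verb, judged by the status codes), as an added Python example; this is not the attached NSE script or any Nmap code, and the in-memory server with its two authentication rules is constructed here purely to show which configuration the check flags.

```python
import secrets
import string

# Statuses that do not indicate a bypass: auth still enforced (401/403),
# verb refused (405) or verb not implemented (501).
NON_BYPASS_STATUSES = {401, 403, 405, 501}


def random_method(length: int = 8) -> str:
    """Random upper-case token that no server should treat as a real verb."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))


def tamper_methods() -> list:
    """Verb sequence from the thread: HEAD, POST, then a nonsense verb."""
    return ["HEAD", "POST", random_method()]


def check_resource(send, path: str) -> dict:
    """Run the verb-tampering check against one path.

    send(method, path) returns an HTTP status code; it is an assumed transport
    hook (here backed by a simulated server). Returns the baseline GET status
    and the verbs that were answered as if no authentication applied.
    """
    baseline = send("GET", path)
    result = {"path": path, "baseline": baseline, "bypassed_with": []}
    if baseline != 401:
        return result  # not password protected, nothing to test
    for method in tamper_methods():
        status = send(method, path)
        if status in NON_BYPASS_STATUSES:
            continue  # rule covered this verb, or the verb was refused
        if 200 <= status < 400:  # content (or redirect) where GET got 401
            result["bypassed_with"].append(method)
    return result


def make_server(protected_paths: set, authenticated_methods):
    """Constructed in-memory server. authenticated_methods is the set of verbs
    the auth rule covers; None means every verb (the hardened rule). Unknown
    verbs are served like GET, which is what the random-verb probe catches."""
    def send(method: str, path: str) -> int:
        if path not in protected_paths:
            return 200
        covered = authenticated_methods is None or method in authenticated_methods
        return 401 if covered else 200
    return send


# Weak rule: only the common verbs GET and POST need credentials, the
# "only limits the common HTTP methods" case from the thread. Hardened: all verbs.
weak_server = make_server({"/protected/pass.txt"}, {"GET", "POST"})
hardened_server = make_server({"/protected/pass.txt"}, None)
```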
