Nmap Development mailing list archives

Re: .htaccess + php sec bypass


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 10 Sep 2012 18:55:35 -0500

On 07/09/2012 09:15 a.m., David Fifield wrote:
On Fri, Aug 17, 2012 at 05:19:42PM -0500, Paulino Calderon wrote:
On 04/08/2012 08:11 p.m., Paulino Calderon wrote:
On 30/07/2012 07:49 p.m., Arturo 'Buanzo' Busleiman wrote:
Hey, thank you MK!

On Mon, Jul 30, 2012 at 8:24 PM, Matias Katz <matias () matiaskatz com> wrote:
If you need any feedback from me, please ask. I'd be happy to reply, and
help in any part of the script writing process :)
I've looked into this tool and realized that we sort of have a
similar script that can accomplish this task. The tool released in
BH basically attempts to access a resource using a non-existing
HTTP method (AKA HTTP verb tampering). Not too long ago, Hani
released http-method-tamper which performs a similar test but is
focused on the JBoss vulnerability (CVE-2010-0738).

I'm attaching a new version of the script http-method-tamper. It
has the following advantages over the previous version:
* Supports http spidering. The idea is that users can run the
script with no arguments and it will crawl the webserver, identify
protected resources and attempt to bypass the authentication.
* Supports checks to specific paths. If a user knows what paths
need to be checked, we can do so by setting an argument. No
spidering is done when we specify paths.
* The test to identify the vulnerability is more comprehensive in
this script. First, we try with "HEAD", then "POST" and finally a
random string (Non-existing method) as the HTTP verbs.

IMO the existing script works perfectly for checking CVE 2010-0738
but since this is a general check, the specific JBoss information
should be moved to a separate script.

Feel free to test it against my test installation at 106.187.53.215:
nmap -p80 --script http-method-tamper --script-args
paths=/method-tamper/protected/pass.txt 106.187.53.215
Did anyone have a chance to test this update? What are your opinions
regarding these two scripts and their names?

Recap:
1.- Current http-method-tamper does not detect misconfigured
htaccess files and seems to be too specific for that jboss vuln.
2.- New script has spidering support and improved detection. But I'm
hesitant to name it as the old one "http-method-tamper" as users
might unintentionally crawl webservers thinking it still works as
before.

Feel free to try against the test server mentioned above.
I can see the value in spidering to find paths but it's also useful for
a script to have a list of paths like /jmx-console that are good
candidates to test.

You can commit your new http-method-tamper with spidering, however it
should not be in the safe category.

Move the existing http-method-tamper to something named after the
vulnerability advisory, and leave it in safe.

David Fifield
Hi David,

An interesting aspect about these vulnerabilities is that the most common scenarios are PHP servers with misconfigured .htaccess files that use the directive "LIMIT" incorrectly. These servers will return status 401 if the requested URI is a path, but it will bypass the authentication if a URI to a file is used. That is the reason the tool "HTExploit" tries to guess common files in PHP servers via bruteforcing.

Would anyone like to see this functionality ported to Nmap?

We can detect these vulnerable installations now by setting the argument "paths":

$ nmap -p80 --script http-method-tamper --script-args paths="/index.php" <target>

But the script won't go as far as trying to brute force file names and by default it uses the root folder "/".

Cheers.

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
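The .htaccess misconfiguration Paulino describes, as an added illustration that is not from the thread or from the Nmap script: the weak pattern, in which authentication is only enforced for the methods listed in <Limit>, beside a corrected form. The AuthUserFile path is a placeholder, and the "Require all denied" form assumes Apache 2.4 syntax.

```apache
# Added illustration, not taken from the thread. Two separate .htaccess
# fragments are shown; each would live in its own protected directory.

# --- Fragment 1 (weak): "Require valid-user" applies only to GET and POST ---
AuthType Basic
AuthName "Protected area"
AuthUserFile /var/www/.htpasswd        # placeholder path
<Limit GET POST>
    Require valid-user
</Limit>
# Any request whose method is not in the <Limit> list is never checked
# against "Require valid-user", which is the condition http-method-tamper
# looks for by trying other verbs and comparing the status codes.

# --- Fragment 2 (corrected): enforce authentication for every method ---
AuthType Basic
AuthName "Protected area"
AuthUserFile /var/www/.htpasswd        # placeholder path
Require valid-user
# No <Limit> block: the Require directive now covers all methods.

# If some methods really must be restricted, deny everything that is NOT
# listed instead of protecting only what is listed (Apache 2.4 syntax):
<LimitExcept GET POST>
    Require all denied
</LimitExcept>
```

A quick self-check of either fragment is to request the protected file with a method other than GET or POST and confirm the server still answers 401 rather than 200.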
