PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-10 09:49:05 +00:00
Code Issues Projects Releases Wiki Activity

The script has the http-methods update as discussed in the Script

Browse Source 
Ideas page. Basically this tests all the options not listed under
the public or allow headers of the OPTIONS response.
This commit is contained in:
gyani
2015-06-20 08:13:09 +00:00
parent eba83f60af
commit 39f75dddeb
1 changed files with 141 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

227
scripts/http-methods.nse
View File

@@ -3,12 +3,15 @@ local nmap = require "nmap"
local shortport = require "shortport" local shortport = require "shortport"
local stdnse = require "stdnse" local stdnse = require "stdnse"
local string = require "string" local string = require "string"
local table = require "table"
description = [[ description = [[
Finds out what options are supported by an HTTP server by sending an Finds out what options are supported by an HTTP server by sending an
OPTIONS request. Lists potentially risky methods. Optionally tests each OPTIONS request. Lists potentially risky methods. It tests those methods
method individually to see if they are subject to e.g. IP address not mentioned in the OPTIONS headers individually and sees if they are
restrictions. implemented. Any output other than 501/405 suggests that the method is
if not in the range 400 to 600. If the response falls under that range then
it is compared to the response from a randomly generated method.
In this script, "potentially risky" methods are anything except GET, In this script, "potentially risky" methods are anything except GET,
HEAD, POST, and OPTIONS. If the script reports potentially risky HEAD, POST, and OPTIONS. If the script reports potentially risky
@@ -24,105 +27,46 @@ only the potentially risky methods are shown.
]] ]]
--- ---
-- @args http-methods.url-path The path to request. Defaults to -- @args http.url-path The path to request. Defaults to
-- <code>/</code>. -- <code>/</code>.
-- @args http-methods.retest If defined, do a request using each method -- @args http.retest If defined, do a request using each method
-- individually and show the response code. Use of this argument can -- individually and show the response code. Use of this argument can
-- make this script unsafe; for example <code>DELETE /</code> is -- make this script unsafe; for example <code>DELETE /</code> is
-- possible. -- possible. All methods received through options are tested with generic
-- requests. Saved status lines are shown for rest.
-- @args http.test-all If set true tries all the unsafe methods as well.
-- --
-- @output -- @output
-- 80/tcp open http -- PORT STATE SERVICE REASON
-- | http-methods: GET HEAD POST OPTIONS TRACE -- 80/tcp open http syn-ack
-- | Potentially risky methods: TRACE -- | http-methods:
-- | See http://nmap.org/nsedoc/scripts/http-methods.html -- |_ Supported Methods: GET HEAD POST OPTIONS
-- | GET / -> HTTP/1.1 200 OK
-- | HEAD / -> HTTP/1.1 200 OK
-- | POST / -> HTTP/1.1 200 OK
-- | OPTIONS / -> HTTP/1.1 200 OK
-- |_TRACE / -> HTTP/1.1 200 OK
-- --
-- @usage -- @usage
-- nmap --script=http-methods.nse --script-args http-methods.retest=1 <target> -- nmap --script http-methods --script-args <target>
-- nmap --script=http-methods.nse --script-args http-methods.url-path=/website <target> -- nmap --script http-methods --script-args http.url-path='/website' <target>
--
-- @xmloutput
-- <elem key="Supported Methods">GET HEAD POST OPTIONS</elem>
author = "Bernd Stroessenreuther <berny1@users.sourceforge.net>"
author = {"Bernd Stroessenreuther <berny1@users.sourceforge.net>", "Gyanendra Mishra"}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"} categories = {"default", "safe"}
local function check_allowed(random_resp, response)
-- We don't report these methods except with verbosity. if response.status == 405 or response.status == 501 then
local UNINTERESTING_METHODS = { return false
"GET", "HEAD", "POST", "OPTIONS"
}
local filter_out, merge_headers
portrule = shortport.http
action = function(host, port)
local url_path, retest_http_methods
local response, methods, options_status_line, output
-- default values for script-args
url_path = stdnse.get_script_args("http-methods.url-path") or "/"
retest_http_methods = stdnse.get_script_args("http-methods.retest") ~= nil
response = http.generic_request(host, port, "OPTIONS", url_path)
if not response.status then
stdnse.debug1("OPTIONS %s failed.", url_path)
return
end end
-- Cache in case retest is requested. if response.status < 600 and response.status >= 400 and response.status == random_resp.status then
options_status_line = response["status-line"] return false
stdnse.debug1("HTTP Status for OPTIONS is " .. response.status)
if not (response.header["allow"] or response.header["public"]) then
return string.format("No Allow or Public header in OPTIONS response (status code %d)", response.status)
end end
return true
-- The Public header is defined in RFC 2068, but was removed in its
-- successor RFC 2616. It is implemented by at least IIS 6.0.
methods = merge_headers(response.header, {"Allow", "Public"})
output = {}
if nmap.verbosity() > 0 then
output[#output + 1] = stdnse.strjoin(" ", methods)
end
local interesting = filter_out(methods, UNINTERESTING_METHODS)
if #interesting > 0 then
output[#output + 1] = "Potentially risky methods: " .. stdnse.strjoin(" ", interesting)
output[#output + 1] = "See http://nmap.org/nsedoc/scripts/http-methods.html"
end
-- retest http methods if requested
if retest_http_methods then
local _
for _, method in ipairs(methods) do
local str
if method == "OPTIONS" then
-- Use the saved value.
str = options_status_line
else
response = http.generic_request(host, port, method, url_path)
if not response.status then
str = "Error getting response"
else
str = response["status-line"]
end
end
output[#output + 1] = string.format("%s %s -> %s", method, url_path, str)
end
end
return #output > 0 and stdnse.strjoin("\n", output) or nil
end end
function filter_out(t, filter) local function filter_out(t, filter)
local result = {} local result = {}
local _, e, f local _, e, f
for _, e in ipairs(t) do for _, e in ipairs(t) do
@@ -133,8 +77,9 @@ function filter_out(t, filter)
return result return result
end end
-- Split header field contents on commas and return a table without duplicates. -- Split header field contents on commas and return a table without duplicates.
function merge_headers(headers, names) local function merge_headers(headers, names)
local seen = {} local seen = {}
local result = {} local result = {}
@@ -152,3 +97,113 @@ function merge_headers(headers, names)
return result return result
end end
-- We don't report these methods except with verbosity.
local SAFE_METHODS = {
"GET", "HEAD", "POST", "OPTIONS"
}
local UNSAFE_METHODS = {
"DELETE", "PUT", "CONNECT", "TRACE"
}
portrule = shortport.http
action = function(host, port)
local path, retest_http_methods, test_all_unsafe
local response, methods, options_status_line
local output = stdnse.output_table()
local options_status = true
-- default values for script-args
path = stdnse.get_script_args(SCRIPT_NAME .. ".url-path") or '/'
retest_http_methods = stdnse.get_script_args(SCRIPT_NAME .. ".retest") or false
test_all_unsafe = stdnse.get_script_args(SCRIPT_NAME .. ".test-all") or false
response = http.generic_request(host, port, "OPTIONS", path)
if not response.status then
options_status = false
stdnse.debug1("OPTIONS %s failed.", path)
end
-- Cache in case retest is requested.
if options_status then
options_status_line = response["status-line"]
stdnse.debug1("HTTP Status for OPTIONS is " .. response.status)
if not(response.header["allow"] or response.header["public"]) then
stdnse.debug1("No Allow or Public header in OPTIONS response (status code %d)", response.status)
end
end
-- The Public header is defined in RFC 2068, but was removed in its
-- successor RFC 2616. It is implemented by at least IIS 6.0.
methods = merge_headers(response.header, {"Allow", "Public"})
local to_test = {}
local status_lines = {}
for _, method in pairs(SAFE_METHODS) do
if not stdnse.contains(methods, method) then
table.insert(to_test, method)
end
end
if test_all_unsafe then
for _, method in pairs(UNSAFE_METHODS) do
if not stdnse.contains(methods, method) then
table.insert(to_test, method)
end
end
end
local random_resp = http.generic_request(host, port, stdnse.generate_random_string(4), path)
stdnse.debug1("Response Code to Random Method is %d", random_resp.status or nil)
for _, method in pairs(to_test) do
response = http.generic_request(host, port, method, path)
if response.status and check_allowed(random_resp, response) then
stdnse.debug2("Method %s not in OPTIONS found to exist. STATUS %d", method, response.status)
table.insert(methods, method)
status_lines[method] = response['status-line']
end
end
if nmap.verbosity() > 0 and #methods > 0 then
output["Supported Methods"] = stdnse.strjoin(" ", methods)
end
local interesting = filter_out(methods, SAFE_METHODS)
if #interesting > 0 then
output["Potentially risky methods"] = stdnse.strjoin(" ", interesting)
end
if path ~= '/' then
output["Path tested"] = path
end
-- retest http methods if requested
if retest_http_methods then
output["Status Lines"] = {}
for _, method in ipairs(methods) do
local str
if method == "OPTIONS" then
-- Use the saved value.
str = options_status_line
elseif stdnse.contains(to_test, method) then
-- use the value saved earlier.
str = status_lines[method]
-- this case arises when methods in the Public or Allow headers are retested.
else
response = http.generic_request(host, port, method, path)
if not response.status then
str = "Error getting response"
else
str = response["status-line"]
end
end
str = str:gsub('\r?\n?', "")
output["Status Lines"][method] = str
end
end
if #output > 0 then return output else return nil end
end