Applied a patch to WebDAV checks created by Andrew Orr:
1) Checks whether the root folder is protected and aborts if it is (we cannot scan folders when the root folder is protected). 2) Checks whether WebDAV is enabled on the server and aborts if it is not. This check works on IIS 5.0, 5.1, and 6.0 (it has not been tested on other versions). 3) Added support for detecting the vulnerability on IIS 5.1 (Windows XP); 5.0 does not appear to be vulnerable in our tests.
@@ -1,9 +1,9 @@
|
||||
description = [[
|
||||
Checks for a vulnerability in IIS6 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. As of May 2009, this vulnerability is unpatched.
|
||||
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. As of May 2009, this vulnerability is unpatched.
|
||||
|
||||
A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207),
|
||||
A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.
|
||||
|
||||
The module is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.
|
||||
This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.
|
||||
]]
|
||||
|
||||
---
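Review bot: The description still covers only the folder enumeration, while the returned strings elsewhere in this commit show two new pre-checks (abort when `/` is password-protected, abort when the PROPFIND on `/` does not succeed), so a reader of the script help would not know why the script can stop before testing any folder. A sentence after the folder-list paragraph would close that gap, e.g. `Before enumerating, the script verifies that the root folder is not password-protected and that WebDAV (PROPFIND) is enabled; if either check fails it aborts without testing any folders.` The sentence "As of May 2009, this vulnerability is unpatched." is an absolute claim that will silently go stale; consider phrasing it as the date the script was last verified against an unpatched server instead.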
|
||||
@@ -12,14 +12,14 @@ The module is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_we
|
||||
--
|
||||
-- @output
|
||||
-- 80/tcp open http syn-ack
|
||||
-- |_ http-iis-webdav-vuln: Vulnerable folders discovered: /secret, /webdav
|
||||
-- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
|
||||
--
|
||||
-- @args webdavfolder Selects a single folder to use, instead of using a built-in list
|
||||
-- @args folderdb The filename of an alternate list of folders.
|
||||
-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx"
|
||||
-----------------------------------------------------------------------
|
||||
|
||||
author = "Ron Bowes <ron@skullsecurity.net> and Andrew Orr"
|
||||
author = "Ron Bowes <ron@skullsecurity.net> and Andrew Orr <andrew@andreworr.ca>"
|
||||
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
||||
categories = {"vuln", "intrusive"}
|
||||
|
||||
@@ -61,15 +61,20 @@ local function go_single(host, port, folder)
|
||||
response = get_response(host, port, folder)
|
||||
if(response.status == 401) then
|
||||
local vuln_response
|
||||
local check_folder
|
||||
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Found protected folder (401): %s", folder)
|
||||
|
||||
vuln_response = get_response(host, port, "/%c0%af" .. string.sub(folder, 2))
|
||||
-- check for IIS 6.0 and 5.1
|
||||
-- doesn't appear to work on 5.0
|
||||
-- /secret/ becomes /s%c0%afecret/
|
||||
check_folder = string.sub(folder, 1, 2) .. "%c0%af" .. string.sub(folder, 3)
|
||||
vuln_response = get_response(host, port, check_folder)
|
||||
if(vuln_response.status == 207) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Folder seems vulnerable: %s", folder)
|
||||
return enum_results.VULNERABLE
|
||||
else
|
||||
stdnse.print_debug(2, "http-iis-webdav-vuln: Folder not vulnerable: %s", folder)
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Folder does not seem vulnerable: %s", folder)
|
||||
return enum_results.NOT_VULNERABLE
|
||||
end
|
||||
else
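Review bot: The encoded probe `check_folder = string.sub(folder, 1, 2) .. "%c0%af" .. string.sub(folder, 3)` assumes folder begins with "/" and has at least one character after it; for the root pre-check `go_single(host, port, "/")` this yields `/%c0%af`, and when a `basefolder` such as "/web" is prepended the overlong sequence lands inside the base segment rather than the protected folder's name, which may or may not matter for the bypass. That shape assumption deserves a comment next to the assignment, e.g. `-- folder must start with "/"; the overlong sequence is inserted after the first character of its first path segment`, and a guard like `if(#folder < 2) then return enum_results.NOT_VULNERABLE end` would make the short-path case explicit. go_single begins before and ends after this hunk.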
|
||||
@@ -131,19 +136,39 @@ action = function(host, port)
|
||||
-- Start by checking if '/' is protected -- if it is, we can't do the tests
|
||||
local result = go_single(host, port, "/")
|
||||
if(result == enum_results.NOT_VULNERABLE) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is password protected, aborting.")
|
||||
return "Could not determine vulnerability, since root folder is password protected"
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is not password protected, continuing...")
|
||||
|
||||
response = get_response(host, port, "/")
|
||||
if(response.status == 501) then
|
||||
-- WebDAV is disabled
|
||||
stdnse.pring_debug(1, "http-iis-webdav-vuln: WebDAV is DISABLED (PROPFIND failed).")
|
||||
return "WebDAV is DISABLED. Server is not currently vulnerable."
|
||||
else
|
||||
if(response.status == 207) then
|
||||
-- PROPFIND works, WebDAV is enabled
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: WebDAV is ENABLED (PROPFIND was successful).")
|
||||
else
|
||||
-- probably not running IIS 5.0/5.1/6.0
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: PROPFIND request failed with \"%s\".", response['status-line'])
|
||||
return "ERROR: This web server is not supported."
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if(nmap.registry.args.webdavfolder ~= nil) then
|
||||
local folder = nmap.registry.args.webdavfolder
|
||||
local result = go_single(host, port, "/" .. folder)
|
||||
|
||||
if(result == enum_results.VULNERABLE) then
|
||||
return string.format("Folder is vulnerable: %s", folder)
|
||||
return string.format("WebDAV is ENABLED. Folder is vulnerable: %s", folder)
|
||||
elseif(result == enum_results.NOT_VULNERABLE) then
|
||||
return string.format("Folder is NOT vulnerable: %s", folder)
|
||||
return string.format("WebDAV is ENABLED. Folder is NOT vulnerable: %s", folder)
|
||||
else
|
||||
return string.format("Could not determine vulnerability of folder: %s", folder)
|
||||
return string.format("WebDAV is ENABLED. Could not determine vulnerability of folder: %s", folder)
|
||||
end
|
||||
|
||||
else
|
||||
@@ -154,12 +179,12 @@ action = function(host, port)
|
||||
else
|
||||
if(#results == 0) then
|
||||
if(is_vulnerable == false) then
|
||||
return "Server does not appear to be vulnerable."
|
||||
return "WebDAV is ENABLED. Protected folder found but could not be exploited. Server does not appear to be vulnerable."
|
||||
else
|
||||
return "No vulnerable folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>"
|
||||
return "WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>"
|
||||
end
|
||||
else
|
||||
return "Vulnerable folders discovered: " .. stdnse.strjoin(", ", results)
|
||||
return "WebDAV is ENABLED. Vulnerable folders discovered: " .. stdnse.strjoin(", ", results)
|
||||
end
|
||||
end
|
||||
end
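Review bot: Every return in this branch now hard-codes the `"WebDAV is ENABLED. "` prefix, as do the returns in the webdavfolder branch earlier in action, so a wording change has to be repeated in six places. Setting it once after the PROPFIND check, `local enabled = "WebDAV is ENABLED. "`, and concatenating it at each return keeps the messages consistent. The action function starts before this hunk.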
|
||||
|
||||