PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-11 18:29:03 +00:00
Code Issues Projects Releases Wiki Activity

Applied a patch to WebDAV checks created by Andrew Orr:

Browse Source 
1) Checks if the root folder is protected and aborts if it is (we can't scan folders if the root folder is protected)
2) Checks if WebDAV is enabled on the server and aborts if it isn't. The check works on IIS 5, 5.1, and 6.0 (hasn't been tested on others)
3) Added support for finding the vulnerability on IIS 5.1 (Windows XP) -- 5.0 doesn't appear to be vulnerable in our tests
This commit is contained in:
ron
2009-05-20 18:44:01 +00:00
parent 4df611ff9b
commit 9f21ec234c
1 changed files with 38 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
scripts/http-iis-webdav-vuln.nse
View File

@@ -1,9 +1,9 @@
description = [[ description = [[
Checks for a vulnerability in IIS6 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. As of May 2009, this vulnerability is unpatched. Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. As of May 2009, this vulnerability is unpatched.
A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.
The module is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module. This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.
]] ]]
--- ---
@@ -12,14 +12,14 @@ The module is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_we
-- --
-- @output -- @output
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- |_ http-iis-webdav-vuln: Vulnerable folders discovered: /secret, /webdav -- |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
-- --
-- @args webdavfolder Selects a single folder to use, instead of using a built-in list -- @args webdavfolder Selects a single folder to use, instead of using a built-in list
-- @args folderdb The filename of an alternate list of folders. -- @args folderdb The filename of an alternate list of folders.
-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx" -- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx"
----------------------------------------------------------------------- -----------------------------------------------------------------------
author = "Ron Bowes <ron@skullsecurity.net> and Andrew Orr" author = "Ron Bowes <ron@skullsecurity.net> and Andrew Orr <andrew@andreworr.ca>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"} categories = {"vuln", "intrusive"}
@@ -61,15 +61,20 @@ local function go_single(host, port, folder)
response = get_response(host, port, folder) response = get_response(host, port, folder)
if(response.status == 401) then if(response.status == 401) then
local vuln_response local vuln_response
local check_folder
stdnse.print_debug(1, "http-iis-webdav-vuln: Found protected folder (401): %s", folder) stdnse.print_debug(1, "http-iis-webdav-vuln: Found protected folder (401): %s", folder)
vuln_response = get_response(host, port, "/%c0%af" .. string.sub(folder, 2)) -- check for IIS 6.0 and 5.1
-- doesn't appear to work on 5.0
-- /secret/ becomes /s%c0%afecret/
check_folder = string.sub(folder, 1, 2) .. "%c0%af" .. string.sub(folder, 3)
vuln_response = get_response(host, port, check_folder)
if(vuln_response.status == 207) then if(vuln_response.status == 207) then
stdnse.print_debug(1, "http-iis-webdav-vuln: Folder seems vulnerable: %s", folder) stdnse.print_debug(1, "http-iis-webdav-vuln: Folder seems vulnerable: %s", folder)
return enum_results.VULNERABLE return enum_results.VULNERABLE
else else
stdnse.print_debug(2, "http-iis-webdav-vuln: Folder not vulnerable: %s", folder) stdnse.print_debug(1, "http-iis-webdav-vuln: Folder does not seem vulnerable: %s", folder)
return enum_results.NOT_VULNERABLE return enum_results.NOT_VULNERABLE
end end
else else
@@ -131,19 +136,39 @@ action = function(host, port)
-- Start by checking if '/' is protected -- if it is, we can't do the tests -- Start by checking if '/' is protected -- if it is, we can't do the tests
local result = go_single(host, port, "/") local result = go_single(host, port, "/")
if(result == enum_results.NOT_VULNERABLE) then if(result == enum_results.NOT_VULNERABLE) then
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is password protected, aborting.")
return "Could not determine vulnerability, since root folder is password protected" return "Could not determine vulnerability, since root folder is password protected"
end end
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is not password protected, continuing...")
response = get_response(host, port, "/")
if(response.status == 501) then
-- WebDAV is disabled
stdnse.pring_debug(1, "http-iis-webdav-vuln: WebDAV is DISABLED (PROPFIND failed).")
return "WebDAV is DISABLED. Server is not currently vulnerable."
else
if(response.status == 207) then
-- PROPFIND works, WebDAV is enabled
stdnse.print_debug(1, "http-iis-webdav-vuln: WebDAV is ENABLED (PROPFIND was successful).")
else
-- probably not running IIS 5.0/5.1/6.0
stdnse.print_debug(1, "http-iis-webdav-vuln: PROPFIND request failed with \"%s\".", response['status-line'])
return "ERROR: This web server is not supported."
end
end
if(nmap.registry.args.webdavfolder ~= nil) then if(nmap.registry.args.webdavfolder ~= nil) then
local folder = nmap.registry.args.webdavfolder local folder = nmap.registry.args.webdavfolder
local result = go_single(host, port, "/" .. folder) local result = go_single(host, port, "/" .. folder)
if(result == enum_results.VULNERABLE) then if(result == enum_results.VULNERABLE) then
return string.format("Folder is vulnerable: %s", folder) return string.format("WebDAV is ENABLED. Folder is vulnerable: %s", folder)
elseif(result == enum_results.NOT_VULNERABLE) then elseif(result == enum_results.NOT_VULNERABLE) then
return string.format("Folder is NOT vulnerable: %s", folder) return string.format("WebDAV is ENABLED. Folder is NOT vulnerable: %s", folder)
else else
return string.format("Could not determine vulnerability of folder: %s", folder) return string.format("WebDAV is ENABLED. Could not determine vulnerability of folder: %s", folder)
end end
else else
@@ -154,12 +179,12 @@ action = function(host, port)
else else
if(#results == 0) then if(#results == 0) then
if(is_vulnerable == false) then if(is_vulnerable == false) then
return "Server does not appear to be vulnerable." return "WebDAV is ENABLED. Protected folder found but could not be exploited. Server does not appear to be vulnerable."
else else
return "No vulnerable folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>" return "WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>"
end end
else else
return "Vulnerable folders discovered: " .. stdnse.strjoin(", ", results) return "WebDAV is ENABLED. Vulnerable folders discovered: " .. stdnse.strjoin(", ", results)
end end
end end
end end