Add http-ls.nse. See #106

2025-12-15 20:29:03 +00:00 · 2015-09-04 12:52:10 +00:00
parent 998da3d070
commit b5cc57fbcc
3 changed files with 199 additions and 2 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added script http-ls. Parses web server directory index pages with
+  optional recursion. [Pierre Lalet]
+
 o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
  outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
  scripts have been converted to use this module. [Pierre Lalet]
--- a/scripts/http-ls.nse
+++ b/scripts/http-ls.nse
@@ -0,0 +1,193 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local openssl = require "openssl"
+local ls = require "ls"
+
+description = [[
+Shows the content of an "index" Web page.
+
+TODO:
+  - add support for more page formats
+]]
+
+author = "Pierre Lalet"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+---
+-- @usage
+-- nmap -n -p 80 --script http-ls test-debit.free.fr
+--
+-- @args http-ls.checksum compute a checksum for each listed file
+--       (default: false)
+-- @args http-ls.url base URL path to use (default: /)
+--
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | http-ls:
+-- | Volume /
+-- | maxfiles limit reached (10)
+-- | SIZE        TIME               FILENAME
+-- | 524288      02-Oct-2013 18:26  512.rnd
+-- | 1048576     02-Oct-2013 18:26  1024.rnd
+-- | 2097152     02-Oct-2013 18:26  2048.rnd
+-- | 4194304     02-Oct-2013 18:26  4096.rnd
+-- | 8388608     02-Oct-2013 18:26  8192.rnd
+-- | 16777216    02-Oct-2013 18:26  16384.rnd
+-- | 33554432    02-Oct-2013 18:26  32768.rnd
+-- | 67108864    02-Oct-2013 18:26  65536.rnd
+-- | 1073741824  03-Oct-2013 16:46  1048576.rnd
+-- | 188         03-Oct-2013 17:15  README.html
+-- |_
+--
+-- @xmloutput
+-- <table key="volumes">
+--   <table>
+--     <elem key="volume">/</elem>
+--     <table key="files">
+--       <table>
+--         <elem key="size">524288</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">512.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">1048576</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">1024.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">2097152</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">2048.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">4194304</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">4096.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">8388608</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">8192.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">16777216</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">16384.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">33554432</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">32768.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">67108864</elem>
+--         <elem key="time">02-Oct-2013 18:26</elem>
+--         <elem key="filename">65536.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">1073741824</elem>
+--         <elem key="time">03-Oct-2013 16:46</elem>
+--         <elem key="filename">1048576.rnd</elem>
+--       </table>
+--       <table>
+--         <elem key="size">188</elem>
+--         <elem key="time">03-Oct-2013 17:15</elem>
+--         <elem key="filename">README.html</elem>
+--       </table>
+--     </table>
+--     <table key="info">
+--       <elem>maxfiles limit reached (10)</elem>
+--     </table>
+--   </table>
+-- </table>
+-- <table key="total">
+--   <elem key="files">10</elem>
+--   <elem key="bytes">1207435452</elem>
+-- </table>
+
+portrule = shortport.http
+
+local function isdir(fname, size)
+  -- we consider a file is (probably) a directory if its name
+  -- terminates with a '/' or if the string representing its size is
+  -- either empty or a single dash ('-').
+  if string.sub(fname, -1, -1) == '/' then
+    return true
+  end
+  if size == '' or size == '-' then
+    return true
+  end
+  return false
+end
+
+local function list_files(host, port, url, output, maxdepth, basedir)
+  basedir = basedir or ""
+
+  local resp = http.get(host, port, url)
+
+  if resp.location or not resp.body then
+    return true
+  end
+
+  if not string.match(resp.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*> *[Ii][Nn][Dd][Ee][Xx] +[Oo][Ff]") then
+    return true
+  end
+
+  local patterns = {
+    '<[Aa] [Hh][Rr][Ee][Ff]="([^"]+)">[^<]+</[Aa]></[Tt][Dd]><[Tt][Dd][^>]*> *([0-9]+-[A-Za-z0-9]+-[0-9]+ [0-9]+:[0-9]+) *</[Tt][Dd]><[Tt][Dd][^>]*> *([^<]+)</[Tt][Dd]>',
+    '<[Aa] [Hh][Rr][Ee][Ff]="([^"]+)">[^<]+</[Aa]> *([0-9]+-[A-Za-z0-9]+-[0-9]+ [0-9]+:[0-9]+) *([^ \n]+)',
+  }
+  for _, pattern in ipairs(patterns) do
+    for fname, date, size in string.gmatch(resp.body, pattern) do
+      local continue = true
+      local directory = isdir(fname, size)
+      if ls.config('checksum') and not directory then
+        local checksum = ""
+        local resp = http.get(host, port, url .. fname)
+        if not resp.location and resp.body then
+          checksum = stdnse.tohex(openssl.sha1(resp.body))
+        end
+        continue = ls.add_file(output, {size, date, basedir .. fname, checksum})
+      else
+        continue = ls.add_file(output, {size, date, basedir .. fname})
+      end
+      if not continue then
+        return false
+      end
+      if directory then
+        if string.sub(fname, -1, -1) ~= "/" then fname = fname .. '/' end
+        continue = true
+        if maxdepth > 0 then
+          continue = list_files(host, port, url .. fname, output, maxdepth - 1,
+            basedir .. fname)
+        elseif maxdepth < 0 then
+          continue = list_files(host, port, url .. fname, output, -1,
+            basedir .. fname)
+        end
+        if not continue then
+          return false
+        end
+      end
+    end
+  end
+  return true
+end
+
+action = function(host, port)
+  local url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or "/"
+
+  local output = ls.new_listing()
+  ls.new_vol(output, url, false)
+  local continue = list_files(host, port, url, output, ls.config('maxdepth'))
+  if not continue then
+    ls.report_info(
+      output,
+      string.format("maxfiles limit reached (%d)", ls.config('maxfiles')))
+  end
+  ls.end_vol(output)
+  return ls.end_listing(output)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -161,8 +161,8 @@ Entry { filename = "http-devframework.nse", categories = { "discovery", "intrusi
 Entry { filename = "http-dlink-backdoor.nse", categories = { "exploit", "vuln", } }
 Entry { filename = "http-dombased-xss.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-domino-enum-passwords.nse", categories = { "auth", "intrusive", } }
-Entry { filename = "http-drupal-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-drupal-enum-users.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "http-drupal-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
 Entry { filename = "http-errors.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-exif-spider.nse", categories = { "intrusive", } }
@@ -186,6 +186,7 @@ Entry { filename = "http-iis-short-name-brute.nse", categories = { "brute", "int
 Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
+Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } }
 Entry { filename = "http-method-tamper.nse", categories = { "auth", "vuln", } }
@@ -495,7 +496,7 @@ Entry { filename = "whois-domain.nse", categories = { "discovery", "external", "
 Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "wsdd-discover.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "x11-access.nse", categories = { "auth", "default", "safe", } }
-Entry { filename = "xmlrpc-methods.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "xdmcp-discover.nse", categories = { "discovery", "safe", } }
+Entry { filename = "xmlrpc-methods.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "xmpp-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "xmpp-info.nse", categories = { "default", "discovery", "safe", "version", } }