
Add an http-passwd.root script argument. Patch by Ange Gutek.

david
2010-11-05 21:18:23 +00:00
parent 79ab71577a
commit ccce86a1a7


@@ -1,10 +1,22 @@
description = [[ description = [[
Checks if a web server is vulnerable to directory traversal by attempting to Checks if a web server is vulnerable to directory traversal by attempting to
retrieve <code>/etc/passwd</code> or <code>\boot.ini</code> using various traversal methods such as retrieve <code>/etc/passwd</code> or <code>\boot.ini</code>.
requesting <code>../../../../etc/passwd</code>.
The script uses several technique:
* Generic directory traversal by requesting paths like <code>../../../../etc/passwd</code>.
* Known specific traversals of several web servers.
* Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument <code>http-passwd.root</code>.
]] ]]
--- ---
-- @usage
-- nmap --script http-passwd --script-args http-passwd.root=/test/ <target>
--
-- @args http-passwd.root Query string tests will be done relative to this path.
-- The default value is <code>/</code>. Normally the value should contain a
-- leading slash. The queries will be sent with a trailing encoded null byte to
-- evade certain checks; see http://insecure.org/news/P55-01.txt.
--
-- @output -- @output
-- 80/tcp open http -- 80/tcp open http
-- | http-passwd: Directory traversal found. -- | http-passwd: Directory traversal found.
@@ -39,6 +51,9 @@ requesting <code>../../../../etc/passwd</code>.
-- \boot.ini -- \boot.ini
-- * Added specific payloads according to vulnerabilities published against -- * Added specific payloads according to vulnerabilities published against
-- various specific products. -- various specific products.
--
-- 08/2010:
-- * Added Poison NULL Byte tests
author = "Kris Katterjohn, Ange Gutek" author = "Kris Katterjohn, Ange Gutek"
@@ -146,16 +161,17 @@ action = function(host, port)
end end
end end
local root = stdnse.get_script_args("http-passwd.root") or "/"
-- Check for something that looks like a query referring to a file name, like -- Check for something that looks like a query referring to a file name, like
-- "index.php?page=next.php". Replace the query value with each of the test -- "index.php?page=next.php". Replace the query value with each of the test
-- vectors. Add an encoded null byte at the end to bypass some checks; see -- vectors. Add an encoded null byte at the end to bypass some checks; see
-- http://insecure.ogr/news/P55-01.txt. -- http://insecure.org/news/P55-01.txt.
local ROOT = "/" local response = http.get(host, port, root)
local response = http.get(host, port, ROOT)
if response.body then if response.body then
local page_var = response.body:match ("[%?%&](%a-)=%a-%.%a") local page_var = response.body:match ("[%?%&](%a-)=%a-%.%a")
if page_var then if page_var then
local query_base = ROOT .. "?" .. page_var .. "=" local query_base = root .. "?" .. page_var .. "="
stdnse.print_debug(1, "%s: testing with query %s.", SCRIPT_NAME, query_base .. "...") stdnse.print_debug(1, "%s: testing with query %s.", SCRIPT_NAME, query_base .. "...")
for _, dir in ipairs(dirs) do for _, dir in ipairs(dirs) do