PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-15 20:29:03 +00:00
Code Issues Projects Releases Wiki Activity

Fixed global assignments with nse_check_globals

Browse Source 
All fixes made by hand. A couple real bugs/errors fixed, due to
copy-paste of code from other scripts without changing variable names.
This commit is contained in:
dmiller
2014-01-22 17:45:00 +00:00
parent 8a07146936
commit db1d82ad1f
39 changed files with 112 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
scripts/dns-ip6-arpa-scan.nse
View File

@@ -3,6 +3,7 @@ local dns = require "dns"
local ipOps = require "ipOps"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local tab = require "tab"
local table = require "table"

2
scripts/domino-enum-users.nse
View File

@@ -103,7 +103,7 @@ action = function(host, port)
helper:disconnect()
if ( status and data and path ) then
local filename = path .. "/" .. stdnse.filename_escape(u_details.fullname .. ".id")
local filename = path .. "/" .. stdnse.filename_escape(username .. ".id")
local status, err = saveIDFile( filename, data )
if ( status ) then

1
scripts/hadoop-secondary-namenode-info.nse
View File

@@ -1,4 +1,5 @@
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

2
scripts/hostmap-ip2hosts.nse
View File

@@ -46,8 +46,10 @@ categories = {"external", "discovery"}
local dns = require "dns"
local ipOps = require "ipOps"
local io = require "io"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local target = require "target"
local HOSTMAP_BING_SERVER = "www.ip2hosts.com"

1
scripts/http-adobe-coldfusion-apsa1301.nse
View File

@@ -23,6 +23,7 @@ categories = {"exploit", "vuln"}
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local url = require "url"
portrule = shortport.http

2
scripts/http-coldfusion-subzero.nse
View File

@@ -35,7 +35,9 @@ categories = {"exploit"}
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local url = require "url"
local openssl = stdnse.silent_require "openssl"
portrule = shortport.http

4
scripts/http-comments-displayer.nse
View File

@@ -59,7 +59,7 @@ local getLineNumber = function(body, comment)
local partofresponse = body:find(comment, 1, true)
partofresponse = body:sub(0, partofresponse)
_, count = string.gsub(partofresponse, "\n", "\n")
local _, count = string.gsub(partofresponse, "\n", "\n")
return count + 1
@@ -103,7 +103,7 @@ action = function(host, port)
path = target
else
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

2
scripts/http-csrf.nse
View File

@@ -110,7 +110,7 @@ action = function(host, port)
path = target
else
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

4
scripts/http-devframework.nse
View File

@@ -42,11 +42,13 @@ author = "George Chatzisofroniou"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
local httpspider = require "httpspider"
local _G = require "_G"
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
@@ -113,7 +115,7 @@ action = function(host, port)
local response, path
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

2
scripts/http-dombased-xss.nse
View File

@@ -91,7 +91,7 @@ action = function(host, port)
path = target
else
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

2
scripts/http-errors.nse
View File

@@ -88,7 +88,7 @@ action = function(host, port)
local response, path
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

5
scripts/http-feed.nse
View File

@@ -59,11 +59,10 @@ local findFeeds = function(body, path)
local c = string.match(body, pf)
if c then
local v = ""
-- Try to find feed's version.
if string.match(c, f["version"]) then
v = " (version " .. string.match(c, f["version"]) .. ")"
else
v = ""
end
feedsfound[path] = _ .. v .. ": "
end
@@ -102,7 +101,7 @@ action = function(host, port)
local index, k, target, response, path
while (true) do
status, r = crawler:crawl()
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if (not(status)) then

8
scripts/http-fileupload-exploiter.nse
View File

@@ -55,6 +55,7 @@ author = "George Chatzisofroniou"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
local http = require "http"
local io = require "io"
local string = require "string"
local httpspider = require "httpspider"
local shortport = require "shortport"
@@ -106,7 +107,7 @@ local function UploadRequest(host, port, submission, partofrequest, name, filena
success = 0;
make = function(self)
options = { header={} }
local options = { header={} }
options['header']['Content-Type'] = "multipart/form-data; boundary=AaB03x"
options['content'] = self.partofrequest .. '--AaB03x\nContent-Disposition: form-data; name="' .. self.name .. '"; filename="' .. self.filename .. '"\nContent-Type: ' .. self.mime .. '\n\n' .. self.payload .. '\n--AaB03x--'
@@ -119,7 +120,7 @@ local function UploadRequest(host, port, submission, partofrequest, name, filena
checkPayload = function(self, uploadspaths)
for _, uploadpath in ipairs(uploadspaths) do
response = http.get(host, port, uploadpath .. '/' .. filename, { no_cache = true } )
local response = http.get(host, port, uploadpath .. '/' .. filename, { no_cache = true } )
if response.status ~= 404 then
if (response.body:match(self.check)) then
@@ -260,6 +261,7 @@ action = function(host, port)
local action_absolute = string.find(form["action"], "https*://")
-- Determine the path where the form needs to be submitted.
local submission
if action_absolute then
submission = form["action"]
else
@@ -270,7 +272,7 @@ action = function(host, port)
foundform = 1
partofrequest, filefield = prepareRequest(form["fields"], fieldvalues)
local partofrequest, filefield = prepareRequest(form["fields"], fieldvalues)
if filefield ~= 0 then

3
scripts/http-iis-short-name-brute.nse
View File

@@ -51,6 +51,7 @@ categories = {"intrusive", "brute"}
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local http = require "http"
local vulns = require "vulns"
@@ -169,7 +170,7 @@ cause a denial of service condition.
end
--Vulnerable!
if #files>0 or #folders>0 then
results = {}
local results = {}
table.insert(results, folders)
table.insert(results, files)
vuln.state = vulns.STATE.EXPLOIT

10
scripts/http-mobileversion-checker.nse
View File

@@ -48,7 +48,7 @@ getLastLoc = function(host, port, useragent)
options['header']['User-Agent'] = useragent
response = http.get(host, port, '/', options)
local response = http.get(host, port, '/', options)
if response.location then
return response.location[#response.location] or false
@@ -67,13 +67,13 @@ action = function(host, port)
-- We don't crawl any site. We initialize a crawler to use its iswithinhost method.
local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME } )
loc = getLastLoc(host, port, "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17")
mobloc = getLastLoc(host, port, "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
local loc = getLastLoc(host, port, "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17")
local mobloc = getLastLoc(host, port, "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
-- If the mobile browser request is redirected to a different page, that must be the mobile version's page.
if loc ~= mobloc then
msg = "Found mobile version: " .. mobloc
mobhost = http.parse_url(mobloc)
local msg = "Found mobile version: " .. mobloc
local mobhost = http.parse_url(mobloc)
if not crawler:iswithinhost(mobhost.host) then
msg = msg .. " (Redirected to a different host)"
if newtargets then

15
scripts/http-phpmyadmin-dir-traversal.nse
View File

@@ -1,6 +1,8 @@
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local http = require "http"
local io = require "io"
local vulns = require "vulns"
description = [[
@@ -92,12 +94,11 @@ local DEFAULT_DIR = "/phpMyAdmin-2.6.4-pl1/"
local EXPLOIT_PATH = "libraries/grab_globals.lib.php"
action = function(host, port)
local response, dir, file
dir = stdnse.get_script_args("http-phpmyadmin-dir-traversal.dir") or DEFAULT_DIR
evil_uri = dir..EXPLOIT_PATH
rfile = stdnse.get_script_args("http-phpmyadmin-dir-traversal.file") or DEFAULT_FILE
evil_postdata = EXPLOIT_QUERY:format(rfile)
filewrite = stdnse.get_script_args(SCRIPT_NAME..".outfile")
local dir = stdnse.get_script_args("http-phpmyadmin-dir-traversal.dir") or DEFAULT_DIR
local evil_uri = dir..EXPLOIT_PATH
local rfile = stdnse.get_script_args("http-phpmyadmin-dir-traversal.file") or DEFAULT_FILE
local evil_postdata = EXPLOIT_QUERY:format(rfile)
local filewrite = stdnse.get_script_args(SCRIPT_NAME..".outfile")
stdnse.print_debug(1, "%s: HTTP POST %s%s", SCRIPT_NAME, stdnse.get_hostname(host), evil_uri)
stdnse.print_debug(1, "%s: POST DATA %s", SCRIPT_NAME, evil_postdata)
@@ -117,7 +118,7 @@ action = function(host, port)
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
response = http.post(host, port, evil_uri,
local response = http.post(host, port, evil_uri,
{header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
if response.body and response.status==200 then
stdnse.print_debug(1, "%s: response : %s", SCRIPT_NAME, response.body)

11
scripts/http-stored-xss.nse
View File

@@ -57,6 +57,7 @@ author = "George Chatzisofroniou"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
local http = require "http"
local io = require "io"
local string = require "string"
local httpspider = require "httpspider"
local shortport = require "shortport"
@@ -90,9 +91,8 @@ local makeRequests = function(host, port, submission, fields, fieldvalues)
for __, field in ipairs(fields) do
if field["type"] == "text" or field["type"] == "textarea" or field["type"] == "radio" or field["type"] == "checkbox" then
if fieldvalues[field["name"]] ~= nil then
value = fieldvalues[field["name"]]
else
local value = fieldvalues[field["name"]]
if value == nil then
value = p.vector
end
@@ -121,10 +121,10 @@ end
-- Check if the payloads were succesfull by checking the content of pages in the uploadspaths array.
local checkRequests = function(body, target)
output = {}
local output = {}
for _, p in ipairs(payloads) do
if checkPayload(body, p.vector) then
report = " Payload: " .. p.vector .. "\n\t Uploaded on: " .. target
local report = " Payload: " .. p.vector .. "\n\t Uploaded on: " .. target
if p.description then
report = report .. "\n\t Description: " .. p.description
end
@@ -207,6 +207,7 @@ action = function(host, port)
local action_absolute = string.find(form["action"], "https*://")
-- Determine the path where the form needs to be submitted.
local submission
if action_absolute then
submission = form["action"]
else

14
scripts/http-useragent-tester.nse
View File

@@ -72,7 +72,7 @@ getLastLoc = function(host, port, useragent)
stdnse.print_debug(2, "Making a request with User-Agent: " .. useragent)
response = http.get(host, port, '/', options)
local response = http.get(host, port, '/', options)
if response.location then
return response.location[#response.location] or false
@@ -92,7 +92,7 @@ action = function(host, port)
-- We don't crawl any site. We initialize a crawler to use its iswithinhost method.
local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME } )
HTTPlibs = {"libwww",
local HTTPlibs = {"libwww",
"lwp-trivial",
"libcurl-agent/1.0",
"PHP/",
@@ -117,18 +117,18 @@ action = function(host, port)
end
-- We perform a normal browser request and get the returned location
loc = getLastLoc(host, port, "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17")
local loc = getLastLoc(host, port, "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17")
allowed, forb = {}, {}
local allowed, forb = {}, {}
for _, l in ipairs(HTTPlibs) do
libloc = getLastLoc(host, port, l)
local libloc = getLastLoc(host, port, l)
-- If the library's request returned a different location, that means the request was redirected somewhere else, hence is forbidden.
if loc ~= libloc then
msg = l .. " redirected to: " .. libloc
libhost = http.parse_url(libloc)
local msg = l .. " redirected to: " .. libloc
local libhost = http.parse_url(libloc)
if not crawler:iswithinhost(libhost.host) then
msg = msg .. " (different host)"
if newtargets then

1
scripts/http-vhosts.nse
View File

@@ -1,5 +1,6 @@
local coroutine = require "coroutine"
local http = require "http"
local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

7
scripts/http-xssed.nse
View File

@@ -28,6 +28,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "external", "discovery"}
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
@@ -46,19 +47,19 @@ action = function(host, port)
local fixed, unfixed
target = XSSED_SEARCH .. host.targetname
local target = XSSED_SEARCH .. host.targetname
-- Only one instantiation of the script should ping xssed at once.
local mutex = nmap.mutex("http-xssed")
mutex "lock"
response = http.get(XSSED_SITE, 80, target)
local response = http.get(XSSED_SITE, 80, target)
if string.find(response.body, XSSED_FOUND) then
fixed = {}
unfixed = {}
for m in string.gmatch(response.body, XSSED_MIRROR) do
mirror = http.get(XSSED_SITE, 80, m)
local mirror = http.get(XSSED_SITE, 80, m)
for v in string.gmatch(mirror.body, XSSED_URL) do
if string.find(mirror.body, XSSED_FIXED) then
table.insert(fixed, "\t" .. v .. "\n")

1
scripts/ip-geolocation-maxmind.nse
View File

@@ -2,6 +2,7 @@ local bit = require "bit"
local io = require "io"
local ipOps = require "ipOps"
local math = require "math"
local nmap = require "nmap"
local stdnse = require "stdnse"
local table = require "table"

1
scripts/murmur-version.nse
View File

@@ -71,6 +71,7 @@ action = function(host, port)
end
-- Detected; extract relevant data
local _
_, r.v_a, r.v_b, r.v_c, _, r.users, r.maxusers, r.bandwidth =
bin.unpack(">CCCLIII", result, 2)
end

1
scripts/qconn-exec.nse
View File

@@ -1,6 +1,7 @@
local comm = require("comm")
local vulns = require("vulns")
local stdnse = require("stdnse")
local string = require("string")
local shortport = require("shortport")
description = [[

2
scripts/rfc868-time.nse
View File

@@ -37,7 +37,7 @@ action = function(host, port)
_, stamp = bin.unpack(">I", result)
port.version.extrainfo = "64 bits"
else
stdnse.print_debug(1, "Odd response: %s", stdnse.filename_escape(response))
stdnse.print_debug(1, "Odd response: %s", stdnse.filename_escape(result))
return nil
end

2
scripts/smb-psexec.nse
View File

@@ -530,7 +530,7 @@ local function locate_file(filename, extension)
-- check for absolute path or relative to current directory
if(filename_full == nil) then
f, err = io.open(filename, "rb")
local f, err = io.open(filename, "rb")
if f == nil then
stdnse.print_debug(1, "%s: Error opening %s: %s", SCRIPT_NAME, filename, err)
f, err = io.open(filename .. "." .. extension, "rb")

4
scripts/socks-open-proxy.nse
View File

@@ -50,7 +50,7 @@ categories = {"default", "discovery", "external", "safe"}
-- @return status If any request succeeded
-- @return response Table with supported methods
local function custom_test(host, port, test_url, pattern)
local status4, status5, fstatus
local status4, status5, fstatus, cstatus4, cstatus5
local get_r4, get_r5
local methods
local response = {}
@@ -133,7 +133,7 @@ local function default_test(host, port)
if not (cstatus4 or cstatus5) then return false, nil end
stdnse.print_debug("Test 2 - Wikipedia.org: Received valid status codes, but pattern does not match")
redir_check_get = get_r4 or get_r5
local redir_check_get = get_r4 or get_r5
test_url = "/"
hostname = "www.computerhistory.org"

3
scripts/ssh-hostkey.nse
View File

@@ -5,6 +5,7 @@ local shortport = require "shortport"
local ssh1 = require "ssh1"
local ssh2 = require "ssh2"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local base64 = require "base64"
@@ -146,7 +147,7 @@ local function check_keys(host, keys, f)
local hostname = host.name == "" and nil or host.name
local possible_host_names = {hostname or nil, host.ip or nil, (hostname and host.ip) and ("%s,%s"):format(hostname, host.ip) or nil}
for _p, parts in ipairs(f) do
lnumber = parts.linenumber
local lnumber = parts.linenumber
parts = parts.entry
local foundhostname = false
if #parts >= 3 then

1
scripts/ssh2-enum-algos.nse
View File

@@ -1,6 +1,7 @@
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local openssl = stdnse.silent_require "openssl"

2
scripts/sslv2.nse
View File

@@ -228,7 +228,7 @@ action = function(host, port)
available_ciphers = ciphers(cipher_list, ciphers_len);
-- actually run some tests:
o = stdnse.output_table()
local o = stdnse.output_table()
if (ssl_version == string.char(0x00, 0x02)) then
table.insert(o, "SSLv2 supported")
o["ciphers"] = available_ciphers

3
scripts/teamspeak2-version.nse
View File

@@ -3,6 +3,7 @@ local shortport = require "shortport"
local nmap = require "nmap"
local bin = require "bin"
local stdnse = require "stdnse"
local string = require "string"
description = [[
Detects the TeamSpeak 2 voice communication server and attempts to determine version and configuration information.
@@ -44,7 +45,7 @@ action = function(host, port)
if name == "" then
port.version.version = "2"
else
_, v_a, v_b, v_c, v_d = bin.unpack("<SSSS", version)
local _, v_a, v_b, v_c, v_d = bin.unpack("<SSSS", version)
port.version.version = v_a .. "." .. v_b .. "." .. v_c .. "." .. v_d
port.version.extrainfo = "name: " .. name .. "; no password"
if platform == "Win32" then

2
scripts/telnet-brute.nse
View File

@@ -1,4 +1,6 @@
local comm = require "comm"
local coroutine = require "coroutine"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local strbuf = require "strbuf"

4
scripts/ventrilo-info.nse
View File

@@ -313,11 +313,11 @@ local dec_data = function(str, len, key)
-- skip the header (first 20 bytes)
local data = { string.byte(str, 21, 20 + len) }
a1 = bit.band(key, 0xFF)
local a1 = bit.band(key, 0xFF)
if a1 == 0 then
return table.concat(data)
end
a2 = bit.rshift(key, 8)
local a2 = bit.rshift(key, 8)
for i = 1,len do
data[i] = bit.band(data[i] - (crypt_data[a2 + 1] + ((i - 1) % 72)), 0xFF)

4
scripts/whois-domain.nse
View File

@@ -102,7 +102,7 @@ end
action = function( host )
mutexes = {}
local mutexes = {}
-- If the user has provided a domain name.
if host.targetname then
@@ -110,7 +110,7 @@ action = function( host )
local referral_patterns = {"refer:%s*(.-)\n", "Whois%sServer:%s*(.-)\n"}
-- Remove www prefix and add a newline.
query_data = string.gsub(host.targetname, "^www%.", "") .. "\n"
local query_data = string.gsub(host.targetname, "^www%.", "") .. "\n"
local result