
Fix some missing requires, globals, whitespace

This commit is contained in:
dmiller
2017-08-12 03:48:09 +00:00
parent 987680e7b6
commit dd97499f04
2 changed files with 31 additions and 30 deletions


@@ -1,3 +1,4 @@
local nmap = require "nmap"
local http = require "http" local http = require "http"
local shortport = require "shortport" local shortport = require "shortport"
local stdnse = require "stdnse" local stdnse = require "stdnse"
@@ -12,8 +13,8 @@ Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be
used to bypass Same-origin Policy restrictions in web browsers. used to bypass Same-origin Policy restrictions in web browsers.
The script searches for callback functions in the response to detect JSONP The script searches for callback functions in the response to detect JSONP
endpoints. It also tries to determine callback function through URL(callback endpoints. It also tries to determine callback function through URL(callback
function may be fully or partially controllable from URL) and also tries to function may be fully or partially controllable from URL) and also tries to
bruteforce the most common callback variables through the URL. bruteforce the most common callback variables through the URL.
References : https://securitycafe.ro/2017/01/18/practical-jsonp-injection/ References : https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
@@ -26,18 +27,18 @@ References : https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
-- --
-- @output -- @output
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- | http-jsonp-detection: -- | http-jsonp-detection:
-- | The following JSONP endpoints were detected: -- | The following JSONP endpoints were detected:
-- |_/rest/contactsjp.php Completely controllable from URL -- |_/rest/contactsjp.php Completely controllable from URL
-- --
-- --
-- @xmloutput -- @xmloutput
-- <table key='jsonp_endpoints'> -- <table key='jsonp_endpoints'>
-- <elem>/rest/contactsjp.php</elem> -- <elem>/rest/contactsjp.php</elem>
-- </table> -- </table>
-- --
-- @args http-jsonp-detection.path The URL path to request. The default path is "/". -- @args http-jsonp-detection.path The URL path to request. The default path is "/".
--- ---
author = {"Vinamra Bhatia"} author = {"Vinamra Bhatia"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html" license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
@@ -49,10 +50,9 @@ local callbacks = {"callback", "cb", "jsonp", "jsonpcallback", "jcb", "call"}
--Checks the body and returns if valid json data is present in callback function --Checks the body and returns if valid json data is present in callback function
local checkjson = function(body) local checkjson = function(body)
local func, json_data local _, _, _, func, json_data = string.find(body, "^(%S-)([%w_]+)%((.*)%);?$")
_, _, _, func, json_data = string.find(body, "^(%S-)([%w_]+)%((.*)%);?$")
--Check if the json_data is valid --Check if the json_data is valid
--If valid, we have a JSONP endpoint with func as the function name --If valid, we have a JSONP endpoint with func as the function name
@@ -80,7 +80,7 @@ local callback_url = function(host, port, target, callback_variable)
report = "Completely controllable from URL" report = "Completely controllable from URL"
else else
local p = string.find(func, value) local p = string.find(func, value)
if p then if p then
report = "Partially controllable from URL" report = "Partially controllable from URL"
end end
end end
@@ -92,18 +92,18 @@ end
--The function tries to bruteforce through the most common callback variable --The function tries to bruteforce through the most common callback variable
local callback_bruteforce = function(host, port, target) local callback_bruteforce = function(host, port, target)
local response, path, report local response, path, report
for _,p in ipairs(callbacks) do for _,p in ipairs(callbacks) do
path = target path = target
path = path .. "?" .. p .. "=test" path = path .. "?" .. p .. "=test"
response = http.get(host, port, path) response = http.get(host, port, path)
if response and response.body and response.status and response.status==200 then if response and response.body and response.status and response.status==200 then
local status, func local status, func
status, func = checkjson(response.body) status, func = checkjson(response.body)
if status == true then if status == true then
report = callback_url(host, port, target, p) report = callback_url(host, port, target, p)
if report ~= nil then if report ~= nil then
report = string.format("%s\t%s", target, report) report = string.format("%s\t%s", target, report)
else else
report = target report = target
@@ -111,16 +111,16 @@ local callback_bruteforce = function(host, port, target)
break break
end end
end end
end end
return report return report
end end
action = function(host, port) action = function(host, port)
local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
local output_xml = stdnse.output_table() local output_xml = stdnse.output_table()
output_xml = {} output_xml = {}
output_xml['jsonp-endpoints'] = {} output_xml['jsonp-endpoints'] = {}
local output_str = "\nThe following JSONP endpoints were detected: " local output_str = "\nThe following JSONP endpoints were detected: "
-- crawl to find jsonp endpoints urls -- crawl to find jsonp endpoints urls
local crawler = httpspider.Crawler:new(host, port, path, {scriptname = SCRIPT_NAME}) local crawler = httpspider.Crawler:new(host, port, path, {scriptname = SCRIPT_NAME})
@@ -136,7 +136,7 @@ action = function(host, port)
if (not(status)) then if (not(status)) then
if (r.err) then if (r.err) then
return stdnse.format_output(false, r.reason) return stdnse.format_output(false, r.reason)
else else
break break
end end
end end
@@ -145,7 +145,7 @@ action = function(host, port)
target = url.parse(target) target = url.parse(target)
target = target.path target = target.path
-- First we try to get the response and look for jsonp endpoint there -- First we try to get the response and look for jsonp endpoint there
if r.response and r.response.body and r.response.status and r.response.status==200 then if r.response and r.response.body and r.response.status and r.response.status==200 then
local status, func, report local status, func, report
@@ -154,16 +154,16 @@ action = function(host, port)
if status == true then if status == true then
--We have found JSONP endpoint --We have found JSONP endpoint
--Put it inside a returnable table. --Put it inside a returnable table.
output_str = string.format("%s\n%s", output_str, target) output_str = string.format("%s\n%s", output_str, target)
table.insert(output_xml['jsonp-endpoints'], target) table.insert(output_xml['jsonp-endpoints'], target)
--Try if the callback function is controllable from URL. --Try if the callback function is controllable from URL.
report = callback_url(host, port, target) report = callback_url(host, port, target)
if report ~= nil then if report ~= nil then
output_str = string.format("%s\t%s", output_str, report) output_str = string.format("%s\t%s", output_str, report)
end end
else else
--Try to bruteforce through most comman callback URLs --Try to bruteforce through most comman callback URLs
report = callback_bruteforce(host, port, target) report = callback_bruteforce(host, port, target)
@@ -171,14 +171,14 @@ action = function(host, port)
table.insert(output_xml['jsonp-endpoints'], target) table.insert(output_xml['jsonp-endpoints'], target)
output_str = string.format("%s\n%s", output_str, report) output_str = string.format("%s\n%s", output_str, report)
end end
end end
end end
end end
--A way to print returnable --A way to print returnable
if next(output_xml['jsonp-endpoints']) then if next(output_xml['jsonp-endpoints']) then
return output_xml, output_str return output_xml, output_str
else else
if nmap.verbosity() > 1 then if nmap.verbosity() > 1 then
@@ -186,4 +186,4 @@ action = function(host, port)
end end
end end
end end
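Review bot: In the `action` hunk, `output_xml = {}` on the line right after `local output_xml = stdnse.output_table()` throws away the ordered table just created, so the XML output is built on a plain table and the `stdnse.output_table()` call has no effect; the commit touches the declaration line but keeps the reassignment. Dropping that middle line so the pair reads `local output_xml = stdnse.output_table()` / `output_xml['jsonp-endpoints'] = {}` restores the intended behaviour. Related: the `@xmloutput` block in the header documents the key as `jsonp_endpoints` while the code writes `jsonp-endpoints`, so one of the two should be aligned with the other. The `action` function body is spread over several hunks and continues outside the visible ones.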


@@ -1,5 +1,6 @@
local shortport = require "shortport" local shortport = require "shortport"
local stdnse = require "stdnse" local stdnse = require "stdnse"
local string = require "string"
local http = require "http" local http = require "http"
local table = require "table" local table = require "table"
local io = require "io" local io = require "io"