http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter <code>xsd</code> (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service <code>'/conf/axis2.xml'</code> using the path <code>'/axis2/services/'</code> to return the username and password of the admin account.
http-litespeed-sourcecode-download.nse exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:
* <code>/index.php\00.txt</code>
References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2333
* http://www.exploit-db.com/exploits/13850/
library. The cvs-brute-repository script allows for guessing possible
repository names needed in order to perform password guessing using the
cvs-brute.nse script. [Patrik]
It works similar to http-enum, we detect applications by matching known paths and launching a login routine using default credentials when found.
This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.
Attempts to retrieve the configuration settings from the MySQL database
dump on a Barracuda Networks Spam & Virus Firewall device using the
directory traversal vulnerability in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi".
The web administration interface runs on port 8000 by default.
Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <Shadow@SquatThis.net>
For more information, see:
http://seclists.org/fulldisclosure/2010/Oct/119http://www.exploit-db.com/exploits/15130/
- broadcast-netbios-master-browser attempts to discover master browsers in
the broadcast domain
- smb-mbenum lists servers registered with the master browser
[Patrik]
These scripts got removed from default:
dhcp-discover
dns-zone-transfer
These scripts got removed from intrusive:
dns-recursion
ftp-bounce
http-open-proxy
socks-open-proxy
Thanks to Toni for noticing these.
This was really lame compared to http-brute, only guessing two
username/password combinations. Also we shouldn't be guessing any
passwords in a default script.
