PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 06:01:28 +00:00
Code Issues Projects Releases Wiki Activity
Files
25a54f58cb7a5bd737ec1b3ed7c6b543f002df2a
nmap/scripts/http-method-tamper.nse
patrik 25a54f58cb o [NSE] Applied patch that corrects an issue where the http-method-tamper 
script would fail to properly detect JBoss servers vulnerable to the
  CVE-2010-0738 vulnerability. [Hani Benhabiles]
2011-12-08 19:04:42 +00:00

74 lines
2.5 KiB
Lua
Raw Blame History

description = [[
Checks if a JBoss target is vulnerable to jmx console authentication bypass.
It works by checking if the target paths require authentication or redirect to a login page that could be
bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but
with no returned response body. The script also detects if the URL does not require authentication at all.
For more information, see:
* CVE-2010-0738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
* http://www.imperva.com/resources/glossary/http_verb_tampering.html
* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
]]
---
-- @usage
-- nmap --script=http-method-tamper --script-args 'http-method-tamper.paths={/path1/,/path2/}' <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-method-tamper:
-- |_ /jmx-console/: Authentication bypass.
--
-- @args http-method-tamper.path Array of paths to check. Defaults
-- to <code>{"/jmx-console/"}</code>.
author = "Hani Benhabiles <kroosec@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "auth", "vuln"}
require 'shortport'
require 'http'
require 'stdnse'
portrule = shortport.http
action = function(host, port)
local paths = stdnse.get_script_args("http-method-tamper.paths")
local result = {}
-- convert single string entry to table
if ( "string" == type(paths) ) then
paths = { paths }
end
-- fallback to jmx-console
paths = paths or {"/jmx-console/"}
for _, path in ipairs(paths) do
local getstatus = http.get(host, port, path).status
-- Checks if HTTP authentication or a redirection to a login page is applied.
if getstatus == 401 or getstatus == 302 then
local headstatus = http.head(host, port, path).status
if headstatus == 500 and path == "/jmx-console/" then
-- JBoss authentication bypass.
table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
elseif headstatus == 200 then
-- Vulnerable to authentication bypass.
table.insert(result, ("%s: Authentication bypass possible"):format(path))
end
-- Checks if no authentication is required for Jmx console
-- which is default configuration and common.
elseif getstatus == 200 then
table.insert(result, ("%s: Authentication was not required"):format(path))
end
end
return stdnse.format_output(true, result)
end
Reference in New Issue View Git Blame Copy Permalink