PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
82df82b5fd2af1565bef8203d8e33e5ed115d112
nmap/scripts/hostmap-bfk.nse
fyodor f79a11aeeb o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. 
If you ran the (fortunately non-default) http-domino-enum-passwords
  script with the (fortunately also non-default)
  domino-enum-passwords.idpath parameter against a malicious server,
  it could cause an arbitrarily named file to to be written to the
  client system.  Thanks to Trustwave researcher Piotr Duszynski for
  discovering and reporting the problem.  We've fixed that script, and
  also updated several other scripts to use a new
  stdnse.filename_escape function for extra safety.  This breaks our
  record of never having a vulnerability in the 16 years that Nmap has
  existed, but that's still a fairly good run. [David, Fyodor]
2013-07-29 06:19:24 +00:00

130 lines
3.7 KiB
Lua
Raw Blame History

local dns = require "dns"
local http = require "http"
local io = require "io"
local ipOps = require "ipOps"
local stdnse = require "stdnse"
local string = require "string"
local target = require "target"
description = [[
Discovers hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html.
The script is in the "external" category because it sends target IPs to a third party in order to query their database.
This script was formerly (until April 2012) known as hostmap.nse.
]]
---
-- @args hostmap-bfk.prefix If set, saves the output for each host in a file
-- called "<prefix><target>". The file contains one entry per line.
-- @args newtargets If set, add the new hostnames to the scanning queue.
-- This the names presumably resolve to the same IP address as the
-- original target, this is only useful for services such as HTTP that
-- can change their behavior based on hostname.
--
-- @usage
-- nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- <targets>
--
-- @output
-- Host script results:
-- | hostmap-bfk:
-- | hosts:
-- | insecure.org
-- | 173.255.243.189
-- | images.insecure.org
-- | www.insecure.org
-- | nmap.org
-- | 189.243.255.173.in-addr.arpa
-- | mail.nmap.org
-- | svn.nmap.org
-- | www.nmap.org
-- | sectools.org
-- | seclists.org
-- |_ li253-189.members.linode.com
--
-- @xmloutput
-- <table key="hosts">
-- <elem>insecure.org</elem>
-- <elem>173.255.243.189</elem>
-- <elem>images.insecure.org</elem>
-- <elem>www.insecure.org</elem>
-- <elem>nmap.org</elem>
-- <elem>189.243.255.173.in-addr.arpa</elem>
-- <elem>mail.nmap.org</elem>
-- <elem>svn.nmap.org</elem>
-- <elem>www.nmap.org</elem>
-- <elem>sectools.org</elem>
-- <elem>seclists.org</elem>
-- <elem>li253-189.members.linode.com</elem>
-- </table>
---
author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"external", "discovery", "intrusive"}
local HOSTMAP_SERVER = "www.bfk.de"
local write_file
hostrule = function(host)
return not ipOps.isPrivate(host.ip)
end
action = function(host)
local query = "/bfk_dnslogger.html?query=" .. host.ip
local response
local output_tab = stdnse.output_table()
response = http.get(HOSTMAP_SERVER, 80, query)
if not response.status then
stdnse.print_debug(1, "Error: could not GET http://%s%s", HOSTMAP_SERVER, query)
return nil
end
local hostnames = {}
local hosts_log = {}
for entry in string.gmatch(response.body, "#result\" rel=\"nofollow\">(.-)</a></tt>") do
if not hostnames[entry] then
if target.ALLOW_NEW_TARGETS then
local status, err = target.add(entry)
end
hostnames[entry] = true
hosts_log[#hosts_log + 1] = entry
end
end
if #hosts_log == 0 then
if not string.find(response.body, "<p>The server returned no hits.</p>") then
stdnse.print_debug(1,"Error: found no hostnames but not the marker for \"no hostnames found\" (pattern error?)")
end
return nil
end
output_tab.hosts = hosts_log
local hostnames_str = stdnse.strjoin("\n", hostnames)
local filename_prefix = stdnse.get_script_args("hostmap-bfk.prefix")
if filename_prefix then
local filename = filename_prefix .. stdnse.filename_escape(host.targetname or host.ip)
local status, err = write_file(filename, hostnames_str .. "\n")
if status then
output_tab.filename = filename
else
stdnse.print_debug(1,"Error saving to %s: %s\n", filename, err)
end
end
return output_tab
end
function write_file(filename, contents)
local f, err = io.open(filename, "w")
if not f then
return f, err
end
f:write(contents)
f:close()
return true
end
Reference in New Issue View Git Blame Copy Permalink