Nmap Development mailing list archives
Re: [NSE] PHP version disclosure (OSVDB 12184)
From: David Fifield <david () bamsoftware com>
Date: Thu, 27 May 2010 10:46:45 -0600
On Sat, May 22, 2010 at 11:01:10AM +0200, Gutek wrote:
Ref: http://osvdb.org/12184

Many webadmins, when dealing with PHP and security, use several tricks such as banner falsification etc. But many don't know about a hidden joke inside PHP: an Easter egg left behind by developers. It can be revealed by sending a specially crafted GET query. What's interesting is the fact that
- this Easter egg changes over time,
- on a multihosting scenario, thousands of web admins are dependent on a PHP configuration they cannot access.
So, if we know the different existing eggs and the PHP versions they were hidden in, we can reveal a kind of information that the webadmin is not even aware of. Web vuln scanners like Nikto sometimes warn about this: "PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings."

The queries
-----------
?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 -- shows a modified PHP logo (gif). That's what the script (attached) tries to fetch.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 -- part of the phpinfo(), shows dev credits
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 -- shows the Zend logo

The script
----------
It tries to fetch the modified PHP logo by GETting the special query from the index page. There are 5 known modified logos as of today, all GIF pictures which have their respective first 9 hex digits (right after the GIF89a header) different from each other. The script captures it, md5()s it and finally compares it with already known signatures.

Nmap scan report for 66.A5.236.132
Host is up (0.12s latency).
PORT   STATE SERVICE
80/tcp open  http
| php-easteregg: This EasterEgg Matches PHP Versions:
| 5.1.4,
|_5.2.0
This is an interesting script. Here are some ideas I have.

First, you should use the http module instead of crafting your own HTTP request.

You can express the lookup as a table instead of a big if/else and remove some duplication.

    local lookup = {
      ["22b3e09ce849d37ec897dc3f9491e3f8"] = {"4.3.11", "4.4.0", "4.4.4", "5.0.5-2ubuntu1.1", "5.0.5-pl3-gentoo", "5.1.0", "5.1.2"},
      ["4e3838a1c92196cdfd9b20a3ffd09dad"] = {"4.3.1", "5.0.0", "5.0.3"},
      ...
    }

Where did you find out the version numbers? Just by sampling different web sites?

I recommend hashing the entire file, not just 9 bytes of it. Then a future file that happens to match in those 9 bytes can also be detected.

But it seems to me that the PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 (phpinfo) information is more likely to change with versions than the logo. What happens if you use that query instead? I think it would be more discriminating. For example, http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 reveals "PHP 5" and has a long list of people that might get updated with different versions.

David Fifield
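The two design points David raises above (a table-driven lookup, and hashing the whole logo rather than the first 9 hex digits after the GIF89a header) are easy to see side by side in a few lines of Python. The following is an added example, not code from the thread, from Gutek's attached script or from the Nmap project: it parses a raw HTTP response, refuses to fingerprint anything that is not actually a 200 image/gif body starting with GIF89a (so a 404 page or an index that ignored the query string cannot produce a false match), and then shows why the partial key collides where a full-file digest does not. The two digests in LOGO_SIGNATURES are the ones quoted in the thread; the sample "logo" bodies, the DEMO_SIGNATURES table and the version strings in it are constructed for the demonstration and are not real PHP logo hashes.

```python
"""Table-driven PHP Easter-egg logo fingerprinting (added example, not from the thread)."""
import hashlib

# Digest -> PHP versions, copied from the lookup table quoted in the thread.
LOGO_SIGNATURES = {
    "22b3e09ce849d37ec897dc3f9491e3f8": ["4.3.11", "4.4.0", "4.4.4", "5.0.5-2ubuntu1.1",
                                         "5.0.5-pl3-gentoo", "5.1.0", "5.1.2"],
    "4e3838a1c92196cdfd9b20a3ffd09dad": ["4.3.1", "5.0.0", "5.0.3"],
}

GIF_HEADER = b"GIF89a"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers, body


def is_logo_response(status: int, headers: dict, body: bytes) -> bool:
    """Only hash what is really a GIF: HTTP 200, image/gif content type, GIF89a magic."""
    content_type = headers.get("content-type", "").split(";")[0].strip()
    return status == 200 and content_type == "image/gif" and body.startswith(GIF_HEADER)


def partial_key(body: bytes) -> str:
    """The original script's key: the first 9 hex digits after the GIF89a header."""
    return body[len(GIF_HEADER):].hex()[:9]


def full_hash(body: bytes) -> str:
    """David's suggestion: digest the entire file, so later logos cannot alias an old key."""
    return hashlib.md5(body).hexdigest()


def fingerprint(raw: bytes, signatures=LOGO_SIGNATURES):
    """Return the PHP versions whose logo digest matches the response body, or None."""
    status, headers, body = parse_response(raw)
    if not is_logo_response(status, headers, body):
        return None
    return signatures.get(full_hash(body))


def build_response(body: bytes, ctype: bytes = b"image/gif", status: bytes = b"200 OK") -> bytes:
    """Assemble a constructed HTTP response around a body (test fixture, not captured traffic)."""
    return (b"HTTP/1.1 " + status + b"\r\nContent-Type: " + ctype
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample "logos": identical in the 9 hex digits after the header, different later.
SAMPLE_LOGO_A = GIF_HEADER + bytes.fromhex("0102030405") + b"\x00" * 20
SAMPLE_LOGO_B = GIF_HEADER + bytes.fromhex("0102030405") + b"\xff" * 20

# Constructed table for the demo: digests of the sample bodies, with placeholder version labels.
DEMO_SIGNATURES = {
    full_hash(SAMPLE_LOGO_A): ["X.Y.1 (demo)"],
    full_hash(SAMPLE_LOGO_B): ["X.Y.2 (demo)"],
}


if __name__ == "__main__":
    # The partial key cannot tell the two sample logos apart; the full digest can.
    print("partial keys equal:", partial_key(SAMPLE_LOGO_A) == partial_key(SAMPLE_LOGO_B))
    print("full hashes equal: ", full_hash(SAMPLE_LOGO_A) == full_hash(SAMPLE_LOGO_B))
    print("logo A ->", fingerprint(build_response(SAMPLE_LOGO_A), DEMO_SIGNATURES))
    print("404 page ->", fingerprint(build_response(b"<html>nope</html>", b"text/html",
                                                   b"404 Not Found"), DEMO_SIGNATURES))
```

Running the file shows the partial keys comparing equal while the full digests differ, which is exactly the aliasing David warns about. On the defending side, the eggs exist only because the interpreter answers these query strings at all; the php.ini directive expose_php = Off switches them off along with the X-Powered-By header, and the fingerprinter above then correctly returns None because the index page, not a GIF, comes back.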