Nmap Development mailing list archives
Re: [NSE] PHP version disclosure (OSVDB 12184)
From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 16:18:04 -0600
On Sat, May 29, 2010 at 06:24:47PM +0200, Gutek wrote:
Ok, here comes a new version. It now checks both the "special PHP logo" and the "Credits page". David was right, we have a far better granularity when using the Credits as a fingerprint. However I'm still not quite sure if this Credits page is really phpinfo() dependent or not, while the logo does not seem to be. So, the script now checks both: results from the "logo" are now marked as "gives a range" (let's say, informational), and results from the Credits are marked "more accurate". In the end, to help collecting new hashes or to reveal at a glance if a banner seems really different from the "easteregg fingerprint", the script tries to grab the claimed PHP version from the Header. During this past week I've scanned hundreds of webservers and so the fingerprints database has grown and is now more mature. There should remain only a few unknown signatures but in this case the script will tell the user what to do.

Here is the new Output:

---
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | php-easteregg: This EasterEgg Matches PHP Versions:
-- |   ('logo' test, gives a range)
-- |   4.3.11,
-- |   4.4.0 to 4.4.4,
-- |   5.0.5-2ubuntu1.1,
-- |   5.0.5-pl3-gentoo,
-- |   5.1.0 to 5.1.2
-- |   ('credits' test, more accurate)
-- |   5.0.5
-- |_(According to the Header, server claims to be running PHP/5.0.5)
I added your script in r18247. I renamed it to http-php-version.nse. I also reworked it for maintenance purposes. The main thing was that you built your hash databases backwards:

hashes = {
  ["version1"] = "4b2c92409cf0bcf465d199e93a15ac3f",
  ["version2"] = "a57bd73e27be03a62dd6b3e1b537a72c",
}

When you write it that way, you have to have a loop to look up by hash. Also, you could never have two hashes for the exact same version. It should be like this so you can do the lookup with hashes[h]:

hashes = {
  ["4b2c92409cf0bcf465d199e93a15ac3f"] = "version1",
  ["a57bd73e27be03a62dd6b3e1b537a72c"] = "version2",
}

I changed the output too; now it's

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-php-version: Versions from logo query (less accurate): 4.3.11, 4.4.0 - 4.4.4, 4.4.9, 5.0.5-2ubuntu1.1, 5.0.5-pl3-gentoo, 5.1.0 - 5.1.2
| Versions from credits query (more accurate): 5.0.5
|_Version from header x-powered-by: PHP/5.0.5

Thanks for the script! Please tell me if I have messed anything up in integrating it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
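The hash-keyed table layout David describes, shown beside the backwards layout it replaces, as an added example in Python rather than the script's Lua (this is not code from the email or from http-php-version.nse; the response bodies, the resulting hashes and the report helper are all constructed for illustration):

```python
import hashlib

def md5_hex(body: bytes) -> str:
    """Fingerprint a response body the way the script does: MD5 hex digest."""
    return hashlib.md5(body).hexdigest()

# Constructed stand-ins for the easter-egg responses; the real logo images
# and credits pages are not reproduced here.
LOGO_A = b"constructed PHP logo image A"
LOGO_B = b"constructed PHP logo image B"
LOGO_B_REBUILT = b"constructed PHP logo image B as shipped by some distro"
CREDITS_A = b"constructed PHP credits page A"

# Layout David asks for: keyed by hash, so a lookup is one table index and
# several distinct hashes may point at the same version entry. A logo hash
# maps to a list of candidate versions (a range); a credits hash to one.
LOGO_DB = {
    md5_hex(LOGO_A): ["4.3.11", "4.4.0 - 4.4.4"],
    md5_hex(LOGO_B): ["5.0.5"],
    md5_hex(LOGO_B_REBUILT): ["5.0.5"],  # second hash, same version
}
CREDITS_DB = {md5_hex(CREDITS_A): ["5.0.5"]}

def lookup(db, body):
    """Single table index; None means the fingerprint is not in the database."""
    return db.get(md5_hex(body))

# The backwards layout from the original script, for contrast: the version is
# the key, so "5.0.5" can hold only one hash and a lookup needs a linear scan.
LOGO_DB_BACKWARDS = {"4.3.11": md5_hex(LOGO_A), "5.0.5": md5_hex(LOGO_B)}

def lookup_backwards(db, body):
    h = md5_hex(body)
    for version, known in db.items():
        if known == h:
            return [version]
    return None

def report(logo_body, credits_body, x_powered_by):
    """Assemble the three result lines in the spirit of the new output format."""
    logo = lookup(LOGO_DB, logo_body)
    credits = lookup(CREDITS_DB, credits_body)
    unknown = "unknown hash %s, please report it"
    return [
        "Versions from logo query (less accurate): "
        + (", ".join(logo) if logo else unknown % md5_hex(logo_body)),
        "Versions from credits query (more accurate): "
        + (", ".join(credits) if credits else unknown % md5_hex(credits_body)),
        "Version from header x-powered-by: " + x_powered_by,
    ]
```

The rebuilt logo shows the point: the hash-keyed table resolves both logo B variants to 5.0.5, while the version-keyed table can only remember one of them and misses the other.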