Nmap Development mailing list archives
Re: .htaccess + php sec bypass
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 10 Sep 2012 18:55:35 -0500
On 07/09/2012 09:15 a.m., David Fifield wrote:
> On Fri, Aug 17, 2012 at 05:19:42PM -0500, Paulino Calderon wrote:
>> On 04/08/2012 08:11 p.m., Paulino Calderon wrote:
>>> On 30/07/2012 07:49 p.m., Arturo 'Buanzo' Busleiman wrote:
>>>> Hey, thank you MK!
>>>>
>>>> On Mon, Jul 30, 2012 at 8:24 PM, Matias Katz <matias () matiaskatz com> wrote:
>>>>> If you need any feedback from me, please ask. I'd be happy to reply, and help in any part of the script writing process :)
>>>
>>> I've looked into this tool and realized that we sort of have a similar script that can accomplish this task. The tool released in BH basically attempts to access a resource using a non-existing HTTP method (AKA HTTP verb tampering). Not too long ago, Hani released http-method-tamper which performs a similar test but is focused on the JBoss vulnerability (CVE-2010-0738).
>>>
>>> I'm attaching a new version of the script http-method-tamper. It has the following advantages over the previous version:
>>>
>>> * Supports http spidering. The idea is that users can run the script with no arguments and it will crawl the webserver, identify protected resources and attempt to bypass the authentication.
>>> * Supports checks to specific paths. If a user knows what paths need to be checked, we can do so by setting an argument. No spidering is done when we specify paths.
>>> * The test to identify the vulnerability is more comprehensive in this script. First, we try with "HEAD", then "POST" and finally a random string (non-existing method) as the HTTP verbs.
>>>
>>> IMO the existing script works perfectly for checking CVE 2010-0738 but since this is a general check, the specific JBoss information should be moved to a separate script.
>>>
>>> Feel free to test it against my test installation at 106.187.53.215:
>>>
>>> nmap -p80 --script http-method-tamper --script-args paths=/method-tamper/protected/pass.txt 106.187.53.215
>>
>> Did anyone have a chance to test this update? What are your opinions regarding these two scripts and their names?
>>
>> Recap:
>> 1.- Current http-method-tamper does not detect misconfigured htaccess files and seems to be too specific for that jboss vuln.
>> 2.- New script has spidering support and improved detection. But I'm hesitant to name it as the old one "http-method-tamper" as users might unintentionally crawl webservers thinking it still works as before.
>>
>> Feel free to try against the test server mentioned above.
>
> I can see the value in spidering to find paths but it's also useful for a script to have a list of paths like /jmx-console that are good candidates to test.
>
> You can commit your new http-method-tamper with spidering, however it should not be in the safe category. Move the existing http-method-tamper to something named after the vulnerability advisory, and leave it in safe.
>
> David Fifield
Hi David,

An interesting aspect about these vulnerabilities is that the most common scenarios are PHP servers with misconfigured .htaccess files that incorrectly use the directive "LIMIT". These servers will return status 401 if the requested URI is a path but it will bypass the authentication if a URI to a file is used. That is the reason the tool "HTExploit" tries to guess common files in PHP servers via bruteforcing.

Would anyone like to see this functionality ported to Nmap? We can detect these vulnerable installations now by setting the argument "paths":

$nmap -p80 --script http-method-tamper --script-args paths="/index.php" <target>

But the script won't go as far as trying to brute force file names and by default it uses the root folder "/".
Cheers.

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
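The misconfiguration the thread describes is an .htaccess file whose `Require` (or `Order`/`Allow`/`Deny`) directives sit inside a `<Limit GET POST>` block, so they only apply to the listed verbs and any other method (the HEAD, POST and random-verb probes above) falls through to the unprotected default. The following is an added example, not code from the thread or from the Nmap project: a small static checker that flags access-control directives wrapped in `<Limit>` and unwraps them so they apply to every method. The two .htaccess snippets are constructed for the demonstration.

```python
import re

# Constructed sample: auth only enforced for GET and POST (the bypassable pattern).
VULNERABLE_HTACCESS = """
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Constructed sample: auth applies to every method.
SAFE_HTACCESS = """
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>\s*$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>\s*$", re.IGNORECASE)
# Directives that decide who may access the resource; harmless elsewhere,
# but inside <Limit> they only cover the named verbs.
ACCESS_DIRECTIVE = re.compile(r"^\s*(Require|Order|Allow|Deny)\b", re.IGNORECASE)


def find_limited_auth(htaccess_text):
    """Return (methods, directive) pairs for every access-control directive
    that is scoped to a <Limit> block, i.e. not enforced for other verbs."""
    findings = []
    current_methods = None
    for line in htaccess_text.splitlines():
        opened = LIMIT_OPEN.match(line)
        if opened:
            current_methods = tuple(v.upper() for v in opened.group(1).split())
        elif LIMIT_CLOSE.match(line):
            current_methods = None
        elif current_methods is not None and ACCESS_DIRECTIVE.match(line):
            findings.append((current_methods, line.strip()))
    return findings


def unwrap_limit(htaccess_text):
    """Mitigation: drop the <Limit>/</Limit> wrapper so the enclosed
    directives apply to all request methods."""
    kept = [ln for ln in htaccess_text.splitlines()
            if not LIMIT_OPEN.match(ln) and not LIMIT_CLOSE.match(ln)]
    return "\n".join(kept) + "\n"
```

Run `find_limited_auth` over each .htaccess under the document root; any non-empty result is a candidate for the verb-tampering bypass the script probes for, and `unwrap_limit` shows the corrected form.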