Nmap Development mailing list archives
[NSE] http-passwd improvements
From: George Chatzisofroniou <sophron () latthi com>
Date: Fri, 2 May 2014 16:31:09 +0300
Hi,

While I was testing http-passwd I encountered some cases where the script won't work even if the target is vulnerable. These are the cases where the target's 'include' function won't accept paths with NULL in them, hence all of the script's payloads would fail. For example, the NULL byte string vulnerability was fixed as of PHP 5.3.4 [1], and the script would have no effect there.

I made a commit (r32855) that sends the same payloads to the target, this time without appending the NULL byte. This will work against targets that allow user input to determine the file path without any sanitization or checks.

There is more room for improvement on this script:

* It should make use of NSE's HTTP crawler.
* It should check for something that looks like a query referring to a file name not only in the HTTP body response but in the requested URL as well.
* It should contain more payloads forcing the script to download itself. Check this thread [2].
* If the script is able to retrieve /etc/passwd, it should cache the usernames (for example the UNIX accounts with ID >= 1000) so that the brute library can make use of them later.

[1]: http://svn.php.net/viewvc?view=revision&revision=305507
[2]: http://seclists.org/nmap-dev/2014/q1/177

Cheers,

--
George Chatzisofroniou
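As an added example (not part of the post or of the Nmap project's code), a small Python log check from the defender's side of the change discussed above: it flags path-traversal requests in web server access logs whether or not the payload carries the trailing %00 null byte, since, as the post notes, scanners drop the null byte against targets patched past PHP 5.3.4. The log lines, regex and function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2014:16:31:09 +0300] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [02/May/2014:16:31:10 +0300] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843
10.0.0.7 - - [02/May/2014:16:31:11 +0300] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [02/May/2014:16:31:12 +0300] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
"""

# Pulls method, request target and status code out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def classify_request(target: str) -> Optional[str]:
    """Return 'traversal+nullbyte', 'traversal' or None for one request target.

    The target is URL-decoded twice so that both plain '../' and encoded
    '..%2F' (or double-encoded) forms are seen. Detection keys on the
    traversal itself; the null byte is only reported as extra context,
    so payloads sent without it are still caught.
    """
    decoded = unquote(unquote(target))
    if "../" not in decoded and "..\\" not in decoded:
        return None
    if "\x00" in decoded:          # %00 decodes to a literal NUL character
        return "traversal+nullbyte"
    return "traversal"


def scan_log(text: str) -> List[Tuple[str, str, int]]:
    """Scan log text and return (kind, raw_target, status) for each traversal hit."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        kind = classify_request(m.group("target"))
        if kind:
            hits.append((kind, m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for kind, target, status in scan_log(SAMPLE_LOG):
        print(f"{kind:20} status={status} {target}")
```

A 200 on a traversal request is the line worth pulling the response size and the application's include handling for; the 404 still shows a probe worth correlating by source address.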