File http-passwd
Script types:
portrule
Categories:
intrusive, vuln
Download: http://nmap.org/svn/scripts/http-passwd.nse
User Summary
Checks if a web server is vulnerable to directory traversal by attempting to
retrieve /etc/passwd or \boot.ini.
The script uses several technique:
- Generic directory traversal by requesting paths like
../../../../etc/passwd. - Known specific traversals of several web servers.
- Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument
http-passwd.root.
Script Arguments
http-passwd.root
Query string tests will be done relative to this path.
The default value is /. Normally the value should contain a
leading slash. The queries will be sent with a trailing encoded null byte to
evade certain checks; see http://insecure.org/news/P55-01.txt.
http-max-cache-size, http.pipeline, http.useragent
See the documentation for the http library.Example Usage
nmap --script http-passwd --script-args http-passwd.root=/test/ <target>
Script Output
80/tcp open http | http-passwd: Directory traversal found. | Payload: "index.html?../../../../../boot.ini" | Printing first 250 bytes: | [boot loader] | timeout=30 | default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS | [operating systems] |_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 80/tcp open http | http-passwd: Directory traversal found. | Payload: "../../../../../../../../../../etc/passwd" | Printing first 250 bytes: | root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh | sshd:*:65532:65534::/:/bin/false | ftp:*:65533:65534::/:/bin/false |_nobody:*:65534:65534::/:/bin/false
Requires
Author: Kris Katterjohn, Ange Gutek
License: Same as Nmap--See http://nmap.org/book/man-legal.html
