For a description of this category, see the exploit NSE category in the Nmap documentation.

Scripts

afp-path-vuln

Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

clamav-exec

Exploits ClamAV servers vulnerable to unauthenticated ClamAV command execution.

distcc-cve2004-2687

Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementations due to poor configuration of the service.

ftp-proftpd-backdoor

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

ftp-vsftpd-backdoor

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

http-adobe-coldfusion-apsa1301

Attempts to exploit an authentication bypass vulnerability in Adobe ColdFusion servers to retrieve a valid administrator's session cookie.

http-avaya-ipoffice-users

Attempts to enumerate users in Avaya IP Office systems 7.x.

http-awstatstotals-exec

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).

http-axis2-dir-traversal

Exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter xsd (BID 40343). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account.

http-barracuda-dir-traversal

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.

http-coldfusion-subzero

Attempts to retrieve the version, the absolute path of the administration panel, and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10.

http-csrf

This script detects Cross-Site Request Forgery (CSRF) vulnerabilities.

http-dlink-backdoor

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.

http-dombased-xss

Looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways (DOM-based XSS). The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml

http-fileupload-exploiter

Exploits insecure file upload forms in web applications using various techniques, such as changing the Content-Type header or creating valid image files that carry the payload in the comment field.

http-huawei-hg5xx-vuln

Detects Huawei modem models HG530x, HG520x, HG510x (and possibly others) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values.

http-litespeed-sourcecode-download

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

http-majordomo2-dir-traversal

Exploits a directory traversal vulnerability in Majordomo2 to retrieve remote files (CVE-2011-0049).

http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.

http-shellshock

Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

http-stored-xss

Checks for an unfiltered '>' (greater-than sign), an indication of a potential stored XSS vulnerability.

http-tplink-dir-traversal

Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.

http-vuln-cve2006-3392

Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392).

http-vuln-cve2009-3960

Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

http-vuln-cve2012-1823

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.

http-vuln-cve2013-0156

Detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks (CVE-2013-0156).

http-vuln-cve2013-6786

Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager Web server. The vulnerability has been assigned CVE-2013-6786.

http-vuln-cve2013-7091

A 0-day (CVE-2013-7091) was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.

http-vuln-cve2014-3704

Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32 of Drupal core are known to be affected.

http-vuln-cve2014-8877

Exploits a remote code injection vulnerability (CVE-2014-8877) in the WordPress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.

http-vuln-cve2017-5689

Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

http-vuln-wnr1000-creds

A vulnerability has been discovered in the WNR 1000 series that allows an attacker to retrieve administrator credentials through the router interface. Tested on firmware version(s): V1.0.2.60_60.0.86 (latest) and V1.0.2.54_60.0.82NA.

irc-unrealircd-backdoor

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

jdwp-exec

Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output.

jdwp-inject

Attempts to exploit Java's remote debugging port. When the remote debugging port is left open, it is possible to inject Java bytecode and achieve remote code execution. This script allows injection of arbitrary class files.

qconn-exec

Attempts to identify whether a listening QNX QCONN daemon allows unauthenticated users to execute arbitrary operating system commands.

smb-vuln-conficker

Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems.

smb-vuln-cve2009-3103

Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.

smb-vuln-ms06-025

Detects Microsoft Windows systems with the RAS RPC service vulnerable to MS06-025.

smb-vuln-ms07-029

Detects Microsoft Windows systems with the DNS Server RPC service vulnerable to MS07-029.

smb-vuln-ms08-067

Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems.

smb-vuln-regsvc-dos

Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work.

smb-webexec-exploit

Attempts to run a command via WebExService, using the WebExec vulnerability. Given a Windows account (local or domain), this will start an arbitrary executable with SYSTEM privileges over the SMB protocol.

smtp-vuln-cve2010-4344

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).

supermicro-ipmi-conf

Attempts to download an unprotected configuration file containing plain-text user credentials in vulnerable Supermicro Onboard IPMI controllers.