Script http-litespeed-sourcecode-download

Script types: portrule
Categories: vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-litespeed-sourcecode-download.nse

Script Summary

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:

• /index.php\00.txt

References:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2333
• http://www.exploit-db.com/exploits/13850/

Script Arguments

http-litespeed-sourcecode-download.uri

URI path to remote file

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-litespeed-sourcecode-download --script-args http-litespeed-sourcecode-download.uri=/phpinfo.php <host>
nmap -p8088 --script http-litespeed-sourcecode-download <host>

Script Output

PORT     STATE SERVICE    REASON
8088/tcp open  radan-http syn-ack
| http-litespeed-sourcecode-download.nse: /phpinfo.php source code:
| <HTML>
| <BODY>
|    <?php phpinfo() ?>
| </BODY>
|_</HTML>

Requires

• http
• nmap
• shortport
• stdnse
• string
• table

---

Author:

• Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html