Script http-passwd
Script types:
portrule
Categories:
intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse
Script Summary
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
The script uses several techniques:
- Generic directory traversal by requesting paths like ../../../../etc/passwd.
- Known specific traversals of several web servers.
- Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for at the path controlled by the script argument http-passwd.root.
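The payload shapes described above (dot-dot segments, query-string traversal with a trailing encoded null byte, /etc/passwd and boot.ini as target files) are also what a defender can look for in web server access logs. The following Python is an added example, not part of the Nmap script or its documentation; the log lines are constructed and the field layout assumes combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; targets mirror the payload shapes the script sends.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "GET /../../../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test/index.html?..%2F..%2F..%2Fboot.ini%00 HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2023:13:55:39 +0000] "GET /images/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 200
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /docs/manual.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DOTDOT_RE = re.compile(r"\.\.(?:/|$)")
TARGET_FILE_RE = re.compile(r"/etc/passwd|boot\.ini", re.IGNORECASE)

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding such as %252e)
    and fold backslashes into slashes so Windows-style traversals match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def traversal_indicators(target: str) -> list[str]:
    """Name every traversal indicator present in one request target."""
    norm = normalize(target)
    _, sep, query = norm.partition("?")
    found = []
    if DOTDOT_RE.search(norm):
        found.append("dot-dot segment")
    if sep and DOTDOT_RE.search(query):
        found.append("query-string traversal")
    if "\x00" in norm:  # the trailing %00 the script appends to query tests
        found.append("encoded null byte")
    if TARGET_FILE_RE.search(norm):
        found.append("sensitive file name")
    return found

def scan_log(text: str) -> list[dict]:
    """One record per request carrying any indicator; a 200 on such a request is the case to escalate."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (found := traversal_indicators(m["target"])):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"]),
                         "indicators": found, "likely_success": m["status"] == "200"})
    return hits
```

A 404 or 403 on a flagged request shows the probe was attempted but refused; a 200 means the server may actually have served the file and the host should be checked by hand.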
Script Arguments
- http-passwd.root
Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-passwd --script-args http-passwd.root=/test/ <target>
Script Output
80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false
Requires
Authors:
License: Same as Nmap--See https://nmap.org/book/man-legal.html