Script http-rfi-spider
Script types:
portrule
Categories:
intrusive
Download: https://svn.nmap.org/nmap/scripts/http-rfi-spider.nse
Script Summary
Crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query.
Script Arguments
- http-rfi-spider.withinhost
only spider URLs within the same host. (default: true)
- http-rfi-spider.url
the URL to start spidering. This is a URL relative to the scanned host, e.g. /default.html (default: /)
- http-rfi-spider.withindomain
only spider URLs within the same domain. This widens the scope from withinhost and cannot be used in combination with it. (default: false)
- http-rfi-spider.inclusionurl
the URL we will try to include, defaults to http://tools.ietf.org/html/rfc13?
- http-rfi-spider.maxdepth
the maximum amount of directories beneath the initial url to spider. A negative value disables the limit. (default: 3)
- http-rfi-spider.maxpagecount
the maximum amount of pages to visit. A negative value disables the limit (default: 20)
- http-rfi-spider.pattern
the pattern to search for in response.body to determine if the inclusion was successful, defaults to '20 August 1969'
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-rfi-spider -p80 <host>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http
| http-rfi-spider:
|   Possible RFI in form fields
|     Form "(form 1)" at /experiments/rfihome.html (action rfi.pl) with fields:
|       inc
|     Form "someform" at /experiments/rfihome.html (action rfi.pl) with fields:
|       inc2
|   Possible RFI in query parameters
|     Path /experiments/rfi.pl with queries:
|_      inc=http%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc13%3f
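The query-parameter check described in the summary, modelled in Python as an added example (this is not the NSE script's own Lua code): each parameter of a URL is replaced in turn by the inclusionurl default, the probe is fetched, and the response body is searched for the pattern default. The fetch function here is a constructed stand-in for an HTTP client, simulating a hypothetical page that includes whatever its inc parameter points at; the output above shows the same probe, URL-encoded by Nmap.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Script defaults from the argument list above. The trailing "?" makes any
# suffix the target appends to the parameter part of the included URL's
# query string, so the include still resolves to RFC 13.
INCLUSION_URL = "http://tools.ietf.org/html/rfc13?"
PATTERN = "20 August 1969"  # the date in RFC 13's header


def build_probes(url, inclusion_url=INCLUSION_URL):
    """Return {param_name: probe_url}. Each query parameter is replaced by the
    inclusion URL while every other parameter keeps its original value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = {}
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, inclusion_url)
        probes[name] = urlunsplit(parts._replace(query=urlencode(mutated)))
    return probes


def check_rfi(url, fetch, pattern=PATTERN):
    """Names of parameters whose probe response contains the pattern, i.e.
    where the remote document appears to have been included and rendered."""
    return sorted(name for name, probe in build_probes(url).items()
                  if pattern in fetch(probe))


def fake_fetch(probe_url):
    """Constructed stand-in for an HTTP client. It simulates a hypothetical
    handler that includes the resource named by 'inc' (vulnerable) and only
    echoes 'page' (safe); a real run would issue the request instead."""
    qs = dict(parse_qsl(urlsplit(probe_url).query, keep_blank_values=True))
    body = "<html><body>Welcome, page %s</body></html>" % qs.get("page", "")
    if qs.get("inc", "").startswith("http://"):
        # Remote inclusion succeeded: RFC 13's header text lands in the body.
        body += "\nNetwork Working Group ... 20 August 1969 ..."
    return body


if __name__ == "__main__":
    url = "/experiments/rfi.pl?inc=home&page=1"
    print(check_rfi(url, fake_fetch))  # ['inc']
```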
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html