http-method-tamper
Script type:
portrule
Script categories:
auth, vuln
Script download URL: http://nmap.org/svn/scripts/http-method-tamper.nse
Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.
The script determines if the protected URI is vulnerable by performing HTTP verb tampering and monitoring the status codes. First it sends a HEAD request, then a POST request, and finally a request whose method is a randomly generated string (this last one is useful when web servers treat unknown request methods as a GET request, as is the case for PHP servers).
If the table paths is set, it will attempt to access the given URIs. Otherwise, a web crawler is initiated to try to find protected resources. Note that in a PHP environment with .htaccess files you need to specify a path to a file rather than a directory to find misconfigured .htaccess files.
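The check sequence described above, as an added example that is not the NSE script's own code: it runs the HEAD, POST and random-method probes against a constructed in-process server model (no network traffic) to show why a rule that names only some methods fails and a rule covering every method does not. The names make_server, probe, limited and unknown_as_get are hypothetical, and treating a 200 response as a bypass is an assumption.

```python
import secrets

KNOWN = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def make_server(limited, unknown_as_get=False):
    """Constructed model of a server-side auth rule (assumption, not Nmap code).

    limited: set of methods the auth rule names, or None for every method.
    unknown_as_get: serve unknown verbs like GET (the PHP case in the text).
    """
    def handle(method, path, authed=False):
        if not path.startswith("/protected/"):
            return 200                      # public resource
        if method not in KNOWN and not unknown_as_get:
            return 501                      # unknown verb rejected outright
        # The flaw being modelled: the rule compares the literal method name,
        # so any verb it does not list is served without credentials.
        needs_auth = limited is None or method in limited
        return 401 if (needs_auth and not authed) else 200
    return handle

def probe(handle, path):
    """Return labels of methods that reach a 401-protected path unauthenticated."""
    if handle("GET", path) != 401:
        return []                           # not password protected, nothing to test
    random_verb = secrets.token_hex(4).upper()   # 8 hex chars, never a real verb
    bypass = []
    for label, method in (("HEAD", "HEAD"), ("POST", "POST"), ("RANDOM", random_verb)):
        if handle(method, path) == 200:     # assumption: 200 means bypass
            bypass.append(label)
    return bypass

# Constructed configurations: two weak rules and the corrected one.
WEAK = make_server({"GET"})                                  # only GET is limited
PHP_LIKE = make_server({"GET", "HEAD", "POST"}, unknown_as_get=True)
HARDENED = make_server(None, unknown_as_get=True)            # rule covers all methods

if __name__ == "__main__":
    for name, srv in (("weak", WEAK), ("php-like", PHP_LIKE), ("hardened", HARDENED)):
        print(name, probe(srv, "/protected/db.php"))
```

Only the hardened model returns an empty list, because its auth requirement is not scoped to a list of method names.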
References:
Web crawler timeout. Default: 10s
Base URI to crawl. Not applicable if http-method-tamper.paths is set.
Array of paths to check. If not set, the script will crawl the web server.
Usage
nmap -sV --script http-method-tamper <target>
nmap -p80 --script http-method-tamper --script-args 'http-method-tamper.paths={/protected/db.php,/protected/index.php}' <target>
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|     Description:
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|       common HTTP methods and in misconfigured .htaccess files.
|
|     Extra information:
|
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /method-tamper/protected/pass.txt [POST]
|
|     References:
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|       http://www.mkit.com.ar/labs/htexploit/
|       http://capec.mitre.org/data/definitions/274.html
|_      https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
Author: Paulino Calderon <calderon()websec.mx>
License: Compiled by VER007 http://www.ver007.com