Mailing List Archive

mod_php / mod_ssl plugin code
Anyone see any problems with the plugins below? They seem to test out pretty
well, should I go ahead and send in the final versions? Also, there's a couple
dozen recent bugs that still don't have plugins written for them, how do y'all
want to split these up? (yes I still owe a handful of ones, I will _really_
try to get these prettied up and sent to Renaud).

# mod_php plugin

port = get_kb_item("Services/www");
if(!port)port = 80;
if(get_port_state(port))
{
key = string("www/banner/", port);
banner = get_kb_item(key);
if(!banner)
{
soc = open_sock_tcp(port);
req = string("HEAD / HTTP/1.0\r\n\r\n");
send(socket:soc, data:req);
banner = recv(socket:soc, length:2000, timeout:20);
close(soc);
}

if( egrep(pattern:"(.*PHP/4\.0\.)",string:banner) ||
egrep(pattern:"(.*PHP/3\.0\.)",string:banner) ||
egrep(pattern:"(.*PHP/4\.1\.[0-1])",string:banner))
{
security_warning(port:port);
}
}

# mod_ssl plugin
port = get_kb_item("Services/www");
if(!port)port = 80;
if(get_port_state(port))
{
key = string("www/banner/", port);
banner = get_kb_item(key);
if(!banner)
{
soc = open_sock_tcp(port);
req = string("HEAD / HTTP/1.0\r\n\r\n");
send(socket:soc, data:req);
banner = recv(socket:soc, length:2000, timeout:20);
close(soc);
}

if( egrep(pattern:"(.*mod_ssl/[1-2].[0-8].[0-6])",string:banner))
{
security_warning(port:port, data:ddidata);
}
}
Re: mod_php / mod_ssl plugin code
Oh, ignore the data:ddidata part in the bottom of the second plugin, we do
reporting a bit differently, which is also why "porting" a plugin to the
regular nessus format takes me some time ;)

On Tuesday 05 March 2002 08:16 pm, H D Moore wrote:
> Anyone see any problems with the plugins below? They seem to test out
> pretty well, should I go ahead and send in the final versions? Also, there's
> a couple dozen recent bugs that still don't have plugins written for them,
> how do y'all want to split these up? (yes I still owe a handful of ones, I
> will _really_ try to get these prettied up and sent to Renaud).
>
> # mod_php plugin
>
> port = get_kb_item("Services/www");
> if(!port)port = 80;
> if(get_port_state(port))
> {
> key = string("www/banner/", port);
> banner = get_kb_item(key);
> if(!banner)
> {
> soc = open_sock_tcp(port);
> req = string("HEAD / HTTP/1.0\r\n\r\n");
> send(socket:soc, data:req);
> banner = recv(socket:soc, length:2000, timeout:20);
> close(soc);
> }
>
> if( egrep(pattern:"(.*PHP/4\.0\.)",string:banner) ||
> egrep(pattern:"(.*PHP/3\.0\.)",string:banner) ||
> egrep(pattern:"(.*PHP/4\.1\.[0-1])",string:banner))
> {
> security_warning(port:port);
> }
> }
>
> # mod_ssl plugin
> port = get_kb_item("Services/www");
> if(!port)port = 80;
> if(get_port_state(port))
> {
> key = string("www/banner/", port);
> banner = get_kb_item(key);
> if(!banner)
> {
> soc = open_sock_tcp(port);
> req = string("HEAD / HTTP/1.0\r\n\r\n");
> send(socket:soc, data:req);
> banner = recv(socket:soc, length:2000, timeout:20);
> close(soc);
> }
>
> if( egrep(pattern:"(.*mod_ssl/[1-2].[0-8].[0-6])",string:banner))
> {
> security_warning(port:port, data:ddidata);
> }
> }
Re: mod_php / mod_ssl plugin code
On Tue, Mar 05, 2002 at 08:16:17PM -0600, H D Moore wrote:
> Anyone see any problems with the plugins below? They seem to test out pretty
> well, should I go ahead and send in the final versions? Also, there's a couple
> dozen recent bugs that still don't have plugins written for them, how do y'all
> want to split these up? (yes I still owe a handful of ones, I will _really_
> try to get these prettied up and sent to Renaud).
>
> # mod_php plugin

That one was already written by Thomas Reinke (see the plugins page for
info). I'd be interested in actually testing for the flaw, that'd be
better and more reliable (my servers have ServerToken = ProductOnly, so
they would not be tested).


> # mod_ssl plugin
> port = get_kb_item("Services/www");
> if(!port)port = 80;
> if(get_port_state(port))
> {
> key = string("www/banner/", port);
> banner = get_kb_item(key);
> if(!banner)
> {
> soc = open_sock_tcp(port);
> req = string("HEAD / HTTP/1.0\r\n\r\n");
> send(socket:soc, data:req);
> banner = recv(socket:soc, length:2000, timeout:20);
> close(soc);
> }
>
> if( egrep(pattern:"(.*mod_ssl/[1-2].[0-8].[0-6])",string:banner))

Seems wrong to me. It will match on version 1.1.6 but not on 1.9.7.

I think the following would be better:

.*mod_ssl/((1..*)|(2\.([0-7]\.[0-9]*)|(8\.[0-6]))).*


-- Renaud
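Added example (not code from this thread, from Nessus, or from either poster): a small Python checker that works from the same input the posted plugins use, the Server banner, but compares the advertised version numerically instead of through a regular expression, so a range such as "everything below 2.8.7" stays exact. The two mod_ssl patterns from the thread are included verbatim so their behaviour on a few constructed banners (not captured from any real host) can be compared in the same run. The 2.8.7 cut-off (the first release past the range both patterns try to flag), the PHP ranges (taken from the mod_php plugin's own patterns), the sample banners and all function names are assumptions made for the example. A banner with no version in it, as with ServerTokens ProductOnly, is reported as "unknown" rather than "ok", which is Renaud's point about banner-only checks.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# The two mod_ssl patterns exactly as posted in the thread, kept so their
# behaviour can be compared against a numeric version check.
ORIGINAL_MOD_SSL_RE = r"(.*mod_ssl/[1-2].[0-8].[0-6])"
RENAUD_MOD_SSL_RE = r".*mod_ssl/((1..*)|(2\.([0-7]\.[0-9]*)|(8\.[0-6]))).*"

# Constructed Server banners for the example (not captured from real hosts).
SAMPLE_BANNERS = {
    "old_1x": "Apache/1.3.22 (Unix) mod_ssl/1.9.7 OpenSSL/0.9.6c",
    "last_bad": "Apache/1.3.22 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6c PHP/4.1.1",
    "fixed": "Apache/1.3.24 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2",
    "later": "Apache/1.3.24 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",
    "product_only": "Apache",   # what ServerTokens ProductOnly leaves behind
}


def regex_flags(pattern: str, banner: str) -> bool:
    """egrep-style test: does the pattern match anywhere in the banner?"""
    return re.search(pattern, banner) is not None


def parse_version(text: str) -> Version:
    """'2.8.10' -> (2, 8, 10); tuples compare field by field, numerically."""
    return tuple(int(part) for part in text.split("."))


def module_version(banner: str, token: str) -> Optional[Version]:
    """Extract 'token/X.Y.Z' from a Server banner; None if it is not advertised."""
    m = re.search(re.escape(token) + r"/(\d+(?:\.\d+)*)", banner)
    return parse_version(m.group(1)) if m else None


# Assumed cut-off: first mod_ssl release outside the range the thread's
# patterns try to flag (everything up to and including 2.8.6).
MOD_SSL_FIRST_GOOD: Version = (2, 8, 7)


def check_mod_ssl(banner: str) -> str:
    """'vulnerable', 'ok', or 'unknown' when the banner hides the version."""
    v = module_version(banner, "mod_ssl")
    if v is None:
        return "unknown"
    return "vulnerable" if v < MOD_SSL_FIRST_GOOD else "ok"


def check_php(banner: str) -> str:
    """Same ranges the mod_php plugin's patterns express: 3.0.x, 4.0.x, 4.1.0, 4.1.1."""
    v = module_version(banner, "PHP")
    if v is None:
        return "unknown"
    flagged = (3, 0) <= v < (3, 1) or (4, 0) <= v < (4, 1, 2)
    return "vulnerable" if flagged else "ok"


def assess(banner: str) -> Dict[str, str]:
    """Combined verdict for one banner, one entry per module checked."""
    return {"mod_ssl": check_mod_ssl(banner), "php": check_php(banner)}


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:13s} {assess(banner)}  "
              f"orig_re={regex_flags(ORIGINAL_MOD_SSL_RE, banner)} "
              f"renaud_re={regex_flags(RENAUD_MOD_SSL_RE, banner)}")
```

Running the file prints one line per constructed banner with the numeric verdict beside what each posted pattern would have said. The comparison makes the pitfalls of prefix-style regexes visible on its own: the original pattern misses 1.9.7 and flags 2.8.10 (its last character class matches the "1" of "10"), while the inner alternation of the second pattern, as written, does not match any 2.8.x banner at all, so neither reproduces the intended range exactly; a parsed version tuple does, and it also distinguishes "no version advertised" from "not affected".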
Re: mod_php / mod_ssl plugin code
On Wednesday 06 March 2002 02:24 am, Renaud Deraison wrote:
> That one was already written by Thomas Reinke (see the plugins page for
> info). I'd be interested in actually testing for the flaw, that'd be
> better and more reliable (my servers have ServerToken = ProductOnly, so
> they would not be tested).

Cool, didn't see it, I usually just check the CVS tree.



> > if( egrep(pattern:"(.*mod_ssl/[1-2].[0-8].[0-6])",string:banner))
>
> Seems wrong to me. It will match on version 1.1.6 but not on 1.9.7.
>
> I think the following would be better :
>
> .*mod_ssl/((1..*)|(2\.([0-7]\.[0-9]*)|(8\.[0-6]))).*

Much better, I knew I sucked at regular expressions. Here's some code to work
with, I will try to finish it up later. The two sticking points are finding a
php page and how long to wait for a response before determining the server is
dead.

php_page = "index.php";           # request line below already supplies the leading "/"
boundary1 = string("-NESSUS!");
boundary2 = string("--NESSUS!");
clen = "567";
dblq = raw_string(0x22);          # double-quote character
badb = raw_string(0x12);          # non-printable byte placed inside the quoted field name


postdata = string("POST /", php_page, " HTTP/1.0\n");
postdata = string(postdata, "Referer: http://", get_host_name(), "/",
php_page, "\n");
postdata = string(postdata, "Content-type: multipart/form-data; boundary=",
boundary1, "\n");
postdata = string(postdata, "Content-Length: ", clen, "\n\n", boundary2,
"\n");
postdata = string(postdata, "Content-Disposition: form-data; name=");
postdata = string(postdata, dblq, badb, dblq);

port = get_kb_item("Services/www");
if(!port)port = 80;
soc = open_sock_tcp(port);
if(soc)
{
send(socket:soc, data:postdata);
r = recv(socket:soc, length:512);
close(soc);
}