Bug in Plugin 11438? (Apache Tomcat Directory Listing)
Hello All,

While watching packets zip by for false positive analysis, I don't
think the tomcat_directory_listing_and_file_disclosure.nasl plugin
works as advertised.

This segment:
req = http_get(item:string("/", raw_string(0), ".jsp"), port:port);

Didn't show anything after the "/" for the "item" parameter via
tcpdump [1] on my system. Changing raw_string to have anything but
"0" seems to work (albeit defeating the purpose of the plugin).
I'm assuming http_get() sees the raw 0 as a NULL and stops w/ the
string.

Also, I noticed another interesting phenomenon. The F5 BigIP
caching servers would show two different responses, depending on
whether "Pragma: no-cache" was set. W/ it set, the page was returned.
W/ it absent, an HTTP 500 error was sent.

Jon


[1]

15:36:31.228105 IP (tos 0x0, ttl 64, id 42402, offset 0, flags
[DF], length: 306) 127.0.0.1.50396 > 127.0.0.1.2345: P [tcp sum ok]
1:255(254) ack 1 win 8192 <nop,nop,timestamp 104429479 104429479>
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0132 a5a2 4000 4006 9621 7f00 0001 7f00 .2..@.@..!......
0x0020: 0001 c4dc 0929 baf5 d23a bb30 22c7 8018 .....)...:.0"...
0x0030: 2000 a512 0000 0101 080a 0639 77a7 0639 ...........9w..9
0x0040: 77a7 4745 5420 2f20 4854 5450 2f31 2e31 w.GET./.HTTP/1.1
0x0050: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 436c ..Connection:.Cl
0x0060: 6f73 650d 0a48 6f73 743a 2031 3237 2e30 ose..Host:.127.0
0x0070: 2e30 2e31 0d0a 5072 6167 6d61 3a20 6e6f .0.1..Pragma:.no
0x0080: 2d63 6163 6865 0d0a 5573 6572 2d41 6765 -cache..User-Age
0x0090: 6e74 3a20 4d6f 7a69 6c6c 612f 342e 3735 nt:.Mozilla/4.75
0x00a0: 205b 656e 5d20 2858 3131 2c20 553b 204e .[en].(X11,.U;.N
0x00b0: 6573 7375 7329 0d0a 4163 6365 7074 3a20 essus)..Accept:.
0x00c0: 696d 6167 652f 6769 662c 2069 6d61 6765 image/gif,.image
0x00d0: 2f78 2d78 6269 746d 6170 2c20 696d 6167 /x-xbitmap,.imag
0x00e0: 652f 6a70 6567 2c20 696d 6167 652f 706a e/jpeg,.image/pj
0x00f0: 7065 672c 2069 6d61 6765 2f70 6e67 2c20 peg,.image/png,.
0x0100: 2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67 */*..Accept-Lang
0x0110: 7561 6765 3a20 656e 0d0a 4163 6365 7074 uage:.en..Accept
0x0120: 2d43 6861 7273 6574 3a20 6973 6f2d 3838 -Charset:.iso-88
0x0130: 3539 2d31 2c2a 2c75 7466 2d38 0d0a 0d0a 59-1,*,utf-8....
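An added example (mine, not part of the original post or of the Nessus plugin) of the check Jon did by eye with tcpdump: parse the `tcpdump -X` hex dump from the footnote, walk the Ethernet/IP/TCP headers to the HTTP payload, and compare the request-target that actually went on the wire with the path the plugin intended to send. It assumes Ethernet II framing (the dump shows zeroed MACs followed by ethertype 0800); all function names are my own. `c_string_truncate` models what a NUL-terminated string API does to `"/" + raw_string(0) + ".jsp"`, so the report says whether the observed request matches that truncation.

```python
import re

# Hex dump copied from footnote [1] of the post (tcpdump -X output), used as sample input.
DUMP = """\
0x0000: 0000 0000 0000 0000 0000 0000 0800 4500 ..............E.
0x0010: 0132 a5a2 4000 4006 9621 7f00 0001 7f00 .2..@.@..!......
0x0020: 0001 c4dc 0929 baf5 d23a bb30 22c7 8018 .....)...:.0"...
0x0030: 2000 a512 0000 0101 080a 0639 77a7 0639 ...........9w..9
0x0040: 77a7 4745 5420 2f20 4854 5450 2f31 2e31 w.GET./.HTTP/1.1
0x0050: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 436c ..Connection:.Cl
0x0060: 6f73 650d 0a48 6f73 743a 2031 3237 2e30 ose..Host:.127.0
0x0070: 2e30 2e31 0d0a 5072 6167 6d61 3a20 6e6f .0.1..Pragma:.no
0x0080: 2d63 6163 6865 0d0a 5573 6572 2d41 6765 -cache..User-Age
0x0090: 6e74 3a20 4d6f 7a69 6c6c 612f 342e 3735 nt:.Mozilla/4.75
0x00a0: 205b 656e 5d20 2858 3131 2c20 553b 204e .[en].(X11,.U;.N
0x00b0: 6573 7375 7329 0d0a 4163 6365 7074 3a20 essus)..Accept:.
0x00c0: 696d 6167 652f 6769 662c 2069 6d61 6765 image/gif,.image
0x00d0: 2f78 2d78 6269 746d 6170 2c20 696d 6167 /x-xbitmap,.imag
0x00e0: 652f 6a70 6567 2c20 696d 6167 652f 706a e/jpeg,.image/pj
0x00f0: 7065 672c 2069 6d61 6765 2f70 6e67 2c20 peg,.image/png,.
0x0100: 2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67 */*..Accept-Lang
0x0110: 7561 6765 3a20 656e 0d0a 4163 6365 7074 uage:.en..Accept
0x0120: 2d43 6861 7273 6574 3a20 6973 6f2d 3838 -Charset:.iso-88
0x0130: 3539 2d31 2c2a 2c75 7466 2d38 0d0a 0d0a 59-1,*,utf-8....
"""

HEX_GROUP = re.compile(r"[0-9a-fA-F]{2,4}")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Turn tcpdump -X lines into the raw frame; only the 8 hex groups per line are read,
    never the ASCII column on the right."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_GROUP.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II (14 bytes), IPv4 (IHL) and TCP (data offset) headers. Assumption:
    the capture is Ethernet II, as the zeroed MACs plus ethertype 0x0800 in the dump suggest."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4 over Ethernet II")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def request_line(payload: bytes) -> bytes:
    return payload.split(b"\r\n", 1)[0]


def request_target(payload: bytes) -> bytes:
    # request-line is "<method> SP <target> SP <version>"
    return request_line(payload).split(b" ")[1]


def header_value(payload: bytes, name: bytes):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def c_string_truncate(s: bytes) -> bytes:
    """What a NUL-terminated string API keeps of `s`: everything before the first 0x00."""
    return s.split(b"\x00", 1)[0]


def check_probe_on_wire(dump: str, intended_target: bytes) -> dict:
    """Compare the target the plugin meant to send with the one that left the host."""
    sent = request_target(tcp_payload(parse_tcpdump_hex(dump)))
    return {
        "intended": intended_target,
        "on_wire": sent,
        "matches": sent == intended_target,
        # True when the wire copy is exactly the NUL-truncated form of the intended path
        "nul_truncated": sent != intended_target and sent == c_string_truncate(intended_target),
    }


if __name__ == "__main__":
    report = check_probe_on_wire(DUMP, b"/" + b"\x00" + b".jsp")
    print(report)
    print(b"Pragma:", header_value(tcp_payload(parse_tcpdump_hex(DUMP)), b"Pragma"))
```

Run against the footnote capture the report shows `on_wire` as `b"/"` and `nul_truncated` as `True`, which is the false-positive condition Jon describes: the probe degenerates into a plain `GET /`, so any 200 response says nothing about the `.jsp` null-byte check. The same parser also confirms which caching headers (here `Pragma: no-cache`) were actually present, which is the variable in the BigIP observation.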