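#
# This script was written by Geoff Humes
#
# Purpose: detect an IIS server that, sitting behind a NAT device or a
# load balancer, reveals its internal address in the Content-Location
# header of a normal response (or in the Location header of a 302).
# A private address or an unqualified host name in that header tells a
# remote client what the server calls itself on the inside, which is a
# small but useful aid to mapping the internal network.
#

if(description)
{
  script_id(10759);
  script_name(english:"Content-Location HTTP Header");
  script_description(english:"Content-Location HTTP Header");
  summary["english"] = "Checks if the NAT exposes internal IP addresses";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003 Digital Defense Inc.");
  family["english"] = "General";
  script_family(english:family["english"]);
  # webmirror.nasl is what fills the www/<port>/content/directories/<n>
  # KB entries walked below; the www/iis key presumably comes from
  # http_version.nasl.
  script_dependencie("find_service.nes", "http_version.nasl", "webmirror.nasl");
  script_require_ports("Services/www", 80);
  # Only hosts already identified as IIS are probed.
  script_require_keys("www/iis");
  exit(0);
}

include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 80;
state = get_kb_item(string("Ports/tcp/", port));
if(!state) exit(0);

banner = "";

# Build the list of directories to request.  "/" is the fallback when
# webmirror recorded nothing; recorded directories are copied in starting
# at index 0, so the first recorded entry replaces "/".
#
# Fix: the original assigned each fetched KB value to 'dir' itself, the
# same name as the array.  The first assignment replaced the array with a
# string, and when the KB walk ended 'dir' held the final empty value, so
# the probe loop below had no directories to request.  The fetched value
# now lives in its own scalar, 'entry', and 'dir' stays an array.
dir[0] = "/";
x = 0;
y = 0;
entry = get_kb_item(string("www/", port, "/content/directories/", x));
while(entry)
{
  # Entries equal to "0" are skipped, as in the original; presumably a
  # placeholder value written by webmirror -- confirm against webmirror.nasl.
  if(entry != "0")
  {
    dir[y] = entry;
    y = y + 1;
  }
  x = x + 1;
  entry = get_kb_item(string("www/", port, "/content/directories/", x));
}

#content_location stores banner & return string as its being worked on
content_location = "";
new_content_location = " ";

#target_ip stores the IP address of the target to compare returned IP against
target_ip = "";

#found is fake boolean set to 1 if 'ocation:' is found (in 302 Moved error)
found = 0;

#note_display is fake boolean set to 1 to indicate security note should be sent
note_display = 0;

#period is var to hold the character '.'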
period = raw_string(46);
target_ip = string(get_host_ip());

#for each directory listed above open socket & request page
# Stops after the first response that carries a Location-style header
# ('found' is set below).
# NOTE(review): 'banner' is never cleared between iterations, so when the
# connect or receive for dir[n] fails, the previous directory's response
# is examined a second time.
for(n=0;(dir[n]) && (found == 0);n=n+1)
{
  if(get_port_state(port))
  {
    soc = open_sock_tcp(port);
    if(soc)
    {
      req = http_get(item:dir[n], port:port);
      send(socket:soc, data:req);
      banner = http_recv(socket:soc);
      close(soc);
    }
  }
  if(banner)
  {
    #used 'ocation:' for match because some servers respond only with 'Location:', not 'Content-Location:'
    if("ocation:" >< banner)
    {
      #grab line containing location reference & set length to be total length of 'Location:' line
      # NOTE(review): egrep returns every line of the response that
      # contains "http", not just the Location header, so with a body
      # attached 'content_location' may hold several lines and the host
      # extracted below may come from the wrong one.  The match is
      # presumably case-sensitive, so the "HTTP/1.x" status line is not
      # picked up -- confirm against egrep's default icase.
      content_location = egrep(pattern:".*http.*", string:banner);
      found = 1;
      length = strlen(content_location);
      #set start location after 'http://'
      # NOTE(review): the text between "for(a=0;a" and "target_ip))" is
      # missing from this copy of the file.  From the surrounding
      # comments it held the loop that copies the host part of the URL
      # into 'new_content_location' and the test for an IP-format host
      # differing from 'target_ip'; the fragment is left exactly as found.
      for(a=0;a target_ip))
      {
        #display("Verified IP difference.\n");
        # The header names an IP address other than the one we connected
        # to: the server is exposing an address from behind the NAT.
        note_display = 1;
      }
    }
    #if location not in IP format, check for dot in hostname & security note if none.
    else
    {
      #display("Into alpha match, looking for: ", period, " in ", new_content_location, "\n");
      if(period >< new_content_location)
      {
        #display("Found a period in alpha return, no note.\n");
        # A dotted name is treated as a public, fully qualified host name.
      }
      else
      {
        #display("No period, time to display host name.\n");
        #but not if resolved hostname was returned
        # An undotted name is taken to be the server's internal short
        # name, unless it is simply the name the target resolves to.
        target_ip = get_host_name();
        if(!(target_ip == new_content_location)) note_display = 1;
      }
    }
  }
  #if 'ocation:' is not in banner
  else
  {
    content_location = "";
  }
}

#set security note if vuln found
# The reported data is the host part lifted from the header, i.e. the
# internal address or short name the server disclosed.
if(note_display == 1)
{
  #display("new_content_location length is: ", strlen(new_content_location), "\n");
  security_note(port:port, data:new_content_location);
}