Lucene search
Pierre LaletNMAP:HTTP-LS.NSEHistorySep 04, 2015 - 12:52 p.m.
http-ls NSE Script
2015-09-0412:52:10
Pierre Lalet
nmap.org
351
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Shows the content of an “index” Web page.
TODO: - add support for more page formats
Script Arguments
http-ls.url
base URL path to use (default: /)
http-ls.checksum
compute a checksum for each listed file. Requires OpenSSL. (default: false)
slaxml.debug
See the documentation for the slaxml library.
ls.checksum, ls.empty, ls.errors, ls.human, ls.maxdepth, ls.maxfiles
See the documentation for the ls library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -n -p 80 --script http-ls test-debit.free.fr
Script Output
PORT STATE SERVICE
80/tcp open http
| http-ls:
| Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| 524288 02-Oct-2013 18:26 512.rnd
| 1048576 02-Oct-2013 18:26 1024.rnd
| 2097152 02-Oct-2013 18:26 2048.rnd
| 4194304 02-Oct-2013 18:26 4096.rnd
| 8388608 02-Oct-2013 18:26 8192.rnd
| 16777216 02-Oct-2013 18:26 16384.rnd
| 33554432 02-Oct-2013 18:26 32768.rnd
| 67108864 02-Oct-2013 18:26 65536.rnd
| 1073741824 03-Oct-2013 16:46 1048576.rnd
| 188 03-Oct-2013 17:15 README.html
|_
Requires
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local ls = require "ls"
local have_ssl, openssl = pcall(require,'openssl')
description = [[
Shows the content of an "index" Web page.
TODO:
- add support for more page formats
]]
author = "Pierre Lalet"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
---
-- @usage
-- nmap -n -p 80 --script http-ls test-debit.free.fr
--
-- @args http-ls.checksum compute a checksum for each listed file. Requires OpenSSL.
-- (default: false)
-- @args http-ls.url base URL path to use (default: /)
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-ls:
-- | Volume /
-- | maxfiles limit reached (10)
-- | SIZE TIME FILENAME
-- | 524288 02-Oct-2013 18:26 512.rnd
-- | 1048576 02-Oct-2013 18:26 1024.rnd
-- | 2097152 02-Oct-2013 18:26 2048.rnd
-- | 4194304 02-Oct-2013 18:26 4096.rnd
-- | 8388608 02-Oct-2013 18:26 8192.rnd
-- | 16777216 02-Oct-2013 18:26 16384.rnd
-- | 33554432 02-Oct-2013 18:26 32768.rnd
-- | 67108864 02-Oct-2013 18:26 65536.rnd
-- | 1073741824 03-Oct-2013 16:46 1048576.rnd
-- | 188 03-Oct-2013 17:15 README.html
-- |_
--
-- @xmloutput
-- <table key="volumes">
-- <table>
-- <elem key="volume">/</elem>
-- <table key="files">
-- <table>
-- <elem key="size">524288</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">512.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">1048576</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">1024.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">2097152</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">2048.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">4194304</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">4096.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">8388608</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">8192.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">16777216</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">16384.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">33554432</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">32768.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">67108864</elem>
-- <elem key="time">02-Oct-2013 18:26</elem>
-- <elem key="filename">65536.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">1073741824</elem>
-- <elem key="time">03-Oct-2013 16:46</elem>
-- <elem key="filename">1048576.rnd</elem>
-- </table>
-- <table>
-- <elem key="size">188</elem>
-- <elem key="time">03-Oct-2013 17:15</elem>
-- <elem key="filename">README.html</elem>
-- </table>
-- </table>
-- <table key="info">
-- <elem>maxfiles limit reached (10)</elem>
-- </table>
-- </table>
-- </table>
-- <table key="total">
-- <elem key="files">10</elem>
-- <elem key="bytes">1207435452</elem>
-- </table>
portrule = shortport.http
local function isdir(fname, size)
-- we consider a file is (probably) a directory if its name
-- terminates with a '/' or if the string representing its size is
-- either empty or a single dash ('-').
if string.sub(fname, -1, -1) == '/' then
return true
end
if size == '' or size == '-' then
return true
end
return false
end
local function list_files(host, port, url, output, maxdepth, basedir)
basedir = basedir or ""
local resp = http.get(host, port, url)
if resp.location or not resp.body then
return true
end
if not string.match(resp.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*> *[Ii][Nn][Dd][Ee][Xx] +[Oo][Ff]") then
return true
end
local patterns = {
'<[Aa] [Hh][Rr][Ee][Ff]="([^"]+)">[^<]+</[Aa]> *</[Tt][Dd]><[Tt][Dd][^>]*> *([0-9]+-[A-Za-z0-9]+-[0-9]+ [0-9]+:[0-9]+) *</[Tt][Dd]><[Tt][Dd][^>]*> *([^<]-) *</[Tt][Dd]>',
'<[Aa] [Hh][Rr][Ee][Ff]="([^"]+)">[^<]+</[Aa]> *([0-9]+-[A-Za-z0-9]+-[0-9]+ [0-9]+:[0-9]+) *([^ \r\n]+)',
}
for _, pattern in ipairs(patterns) do
for fname, date, size in string.gmatch(resp.body, pattern) do
local continue = true
local directory = isdir(fname, size)
if have_ssl and ls.config('checksum') and not directory then
local checksum = ""
local resp = http.get(host, port, url .. fname)
if not resp.location and resp.body then
checksum = stdnse.tohex(openssl.sha1(resp.body))
end
continue = ls.add_file(output, {size, date, basedir .. fname, checksum})
else
continue = ls.add_file(output, {size, date, basedir .. fname})
end
if not continue then
return false
end
if directory then
if string.sub(fname, -1, -1) ~= "/" then fname = fname .. '/' end
continue = true
if maxdepth > 0 then
continue = list_files(host, port, url .. fname, output, maxdepth - 1,
basedir .. fname)
elseif maxdepth < 0 then
continue = list_files(host, port, url .. fname, output, -1,
basedir .. fname)
end
if not continue then
return false
end
end
end
end
return true
end
action = function(host, port)
local url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or "/"
local output = ls.new_listing()
ls.new_vol(output, url, false)
local continue = list_files(host, port, url, output, ls.config('maxdepth'))
if not continue then
ls.report_info(
output,
string.format("maxfiles limit reached (%d)", ls.config('maxfiles')))
end
ls.end_vol(output)
return ls.end_listing(output)
end
Related
nmap
nmap
smb-webexec-exploit NSE Script
2018-10-24 16:14:43
http-chrono NSE Script
2012-03-23 19:29:44
mrinfo NSE Script
2012-08-03 22:58:29
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:HTTP-LS.NSE