Gyanendra MishraNMAP:XMLRPC-METHODS.NSExmlrpc-methods NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Performs XMLRPC Introspection via the system.listMethods method.
If the verbosity is > 1 then the script fetches the response of system.methodHelp for each method returned by listMethods.
Script Arguments
xmlrpc-methods.url
The URI path to request.
slaxml.debug
See the documentation for the slaxml library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap -sV -sC <target>
Script Output
| xmlrpc-methods:
| Supported Methods:
| list
| system.listMethods
| system.methodHelp
|_ system.methodSignature
Requires
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local slaxml = require "slaxml"
local stdnse = require "stdnse"
local strbuf = require "strbuf"
local string = require "string"
local table = require "table"
local tableaux = require "tableaux"
description = [[
Performs XMLRPC Introspection via the system.listMethods method.
If the verbosity is > 1 then the script fetches the response
of system.methodHelp for each method returned by listMethods.
]]
---
-- @args xmlrpc-methods.url The URI path to request.
--
-- @output
-- | xmlrpc-methods:
-- | Supported Methods:
-- | list
-- | system.listMethods
-- | system.methodHelp
-- |_ system.methodSignature
--
-- @xmloutput
-- <table key="Supported Methods">
-- <elem>list</elem>
-- <elem>system.listMethods</elem>
-- <elem>system.methodHelp</elem>
-- <elem>system.methodSignature</elem>
-- </table>
author = "Gyanendra Mishra"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe", "discovery"}
portrule = shortport.http
local function set_80_columns(t)
local buffer = strbuf.new()
for method, description in pairs(t) do
buffer = (buffer .. string.format(" %s:\n\n", method))
local line, ll = {}, 0
local add_word = function(word)
if #word + ll + 1 < 78 then
table.insert(line, word)
ll = ll + #word + 1
else
buffer = buffer .. table.concat(line, " ") .. "\n"
ll = #word + 1
line = {word}
end
end
string.gsub(description, "(%S+)", add_word)
buffer = buffer .. table.concat(line, " ") .. "\n\n"
end
return "\n" .. strbuf.dump(buffer)
end
action = function(host, port)
local url = stdnse.get_script_args(SCRIPT_NAME .. ".url") or "/"
local data = '<methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>'
local response = http.post(host, port, url, {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, data )
if not (response and response.status and response.body) then
stdnse.debug1("HTTP POST failed")
return nil
end
local output = stdnse.output_table()
local parser = slaxml.parser:new()
local under_80 = {
__tostring = set_80_columns
}
if response.status == 200 and response.body:find("<value><string>system.listMethods</string></value>", nil, true) then
parser._call = {startElement = function(name)
parser._call.text = name == "string" and function(content) output["Supported Methods"] = output["Supported Methods"] or {} table.insert(output["Supported Methods"], content) end end,
closeElement = function(name) parser._call.text = function() return nil end end
}
parser:parseSAX(response.body, {stripWhitespace=true})
if nmap.verbosity() > 1 and tableaux.contains(output["Supported Methods"], "system.methodHelp") then
for i, method in ipairs(output["Supported Methods"]) do
data = '<methodCall> <methodName>system.methodHelp</methodName> <params> <param><value> <string>' .. method .. '</string> </value></param> </params> </methodCall>'
response = http.post(host, port, url, {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, data)
if response and response.status == 200 then
parser._call.startElement = function(name)
parser._call.text = name == "string" and function(content)
content = parser.unescape(content)
output["Supported Methods"][i] = nil
output["Supported Methods"][method] = content
end
end
parser:parseSAX(response.body, {stripWhitespace=true})
end
-- useful in cases when the output returned by the above request is empty
-- or the <value><string></string></value> has no text in the string
-- element.
if output["Supported Methods"][i] then
output["Supported Methods"][i] = nil
output["Supported Methods"][method] = "Empty system.methodHelp output."
end
end
setmetatable(output["Supported Methods"], under_80)
end
return output
elseif response.body:find("<name>faultCode</name>", nil, true) then
output.error = "XMLRPC instance doesn't support introspection."
return output, output.error
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%