Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign uphttp-sql-injection broken in Nmap 7.70 #1191
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rtaylor777
Apr 21, 2018
I'm seeing issues with detection of XSS as well. The course shows that I should be getting results:
https://www.javacrypt.com/images/results.jpg
But instead I am seeing(note that without using debug I don't even see that phpself did anything):
root@kali:/usr/share/nmap/scripts# nmap -debug -p80 --script http-stored-xss.nse,http-dombased-
xss,http-phpself-xss --script-args httpspider.maxpagecount=200 10.0.0.20 10.0.0.21 10.0.0.23
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-21 13:07 PDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: httpspider.maxpagecount=200
NSE: Arguments parsed: httpspider.maxpagecount=200
NSE: Loaded 3 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
Completed NSE at 13:07, 0.00s elapsed
Initiating ARP Ping Scan at 13:07
Scanning 3 hosts [1 port/host]
Packet capture filter (device eth1): arp and arp[18:4] = 0x08002793 and arp[22:2] = 0x0BC1
Completed ARP Ping Scan at 13:07, 0.04s elapsed (3 total hosts)
Overall sending rates: 81.45 packets / s, 3421.03 bytes / s.
mass_rdns: Using DNS server 10.10.77.254
Initiating Parallel DNS resolution of 3 hosts. at 13:07
mass_rdns: 0.01s 0/3 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 3 hosts. at 13:07, 0.01s elapsed
DNS resolution of 3 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 3, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 13:07
Scanning 3 hosts [1 port/host]
Packet capture filter (device eth1): dst host 10.0.0.22 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.0.0.20 or src host 10.0.0.21 or src host 10.0.0.23)))
Discovered open port 80/tcp on 10.0.0.21
Discovered open port 80/tcp on 10.0.0.23
Discovered open port 80/tcp on 10.0.0.20
Completed SYN Stealth Scan at 13:07, 0.04s elapsed (3 total ports)
Overall sending rates: 69.45 packets / s, 3055.91 bytes / s.
NSE: Script scanning 3 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
NSE: Starting http-phpself-xss against 10.0.0.23:80.
NSE: Starting http-phpself-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.23:80.
NSE: Starting http-phpself-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.23:80.
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /cat.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /all.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /cat.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /all.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /admin/index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /admin/index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /show.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /show.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: Finished http-phpself-xss against 10.0.0.21:80.
NSE: Finished http-phpself-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-phpself-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-phpself-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.20:80.
NSE: Finished http-dombased-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-phpself-xss against 10.0.0.23:80.
NSE: Finished http-dombased-xss against 10.0.0.23:80.
NSE: Finished http-phpself-xss against 10.0.0.23:80.
NSE: Finished http-dombased-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
Completed NSE at 13:07, 3.63s elapsed
Nmap scan report for 10.0.0.20
Host is up, received arp-response (0.00043s latency).
Scanned at 2018-04-21 13:07:12 PDT for 1s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:68:6D:A0 (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 430 rttvar: 3784 to: 100000
Nmap scan report for 10.0.0.21
Host is up, received arp-response (0.00055s latency).
Scanned at 2018-04-21 13:07:12 PDT for 1s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:58:EA:54 (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 553 rttvar: 3846 to: 100000
Nmap scan report for 10.0.0.23
Host is up, received arp-response (0.00042s latency).
Scanned at 2018-04-21 13:07:12 PDT for 4s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:D0:BD:5F (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 425 rttvar: 3786 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
Completed NSE at 13:07, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 3 IP addresses (3 hosts up) scanned in 4.08 seconds
Raw packets sent: 6 (216B) | Rcvd: 6 (216B)
If you want me to report this as a separate bug let me know. I think the problem is related.
rtaylor777
commented
Apr 21, 2018
|
I'm seeing issues with detection of XSS as well. The course shows that I should be getting results: If you want me to report this as a separate bug let me know. I think the problem is related. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
dmiller-nmap
May 16, 2018
Thanks for the report! I have a few questions to help diagnose the problem:
- What version of Nmap are they using in the video, and what is the intended output?
- Does Nmap 6.47 or earlier work for you? That is the last time that this script was functionally changed.
- Can you (using Nmap 7.70) run the http-sql-injection scan with --script-trace and verify if the error message is returned from the server like in the curl command? You could also use Wireshark for this, comparing what Nmap does to what Curl does and see if it looks like they send different requests or if they receive different responses.
Thanks.
dmiller-nmap
commented
May 16, 2018
|
Thanks for the report! I have a few questions to help diagnose the problem:
Thanks. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
dmiller-nmap
May 16, 2018
Regarding the XSS detection, it doesn't look like the vulnerable path is being requested. The http-phpself-xss script uses the httpspider library to crawl through the target finding links. If the /xss/example8.php path is not linked, then the script won't see it. Can you verify that you can find that page linked from the web pages you are targeting? The same goes for http-dombased-xss and the /xss/example9.php path.
dmiller-nmap
commented
May 16, 2018
|
Regarding the XSS detection, it doesn't look like the vulnerable path is being requested. The |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rtaylor777
May 19, 2018
Hi Daniel,
Thanks for the replies. Referring to the original post... The version of nmap that the video is using is 6.49BETA4. I tried version 6.47 and I am still not seeing what I hoped for. This is one of the last streams in wireshark when trying again using Nmap 7.70:
GET /cat.php HTTP/1.1
Connection: close
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Host: 10.0.0.21
HTTP/1.1 200 OK
Date: Sat, 19 May 2018 04:40:02 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 1858
Connection: close
Content-Type: text/html
<html>
<head>
<link rel="stylesheet" id="base" href="css/default.css" type="text/css" media="screen" />
<title>My awesome Photoblog</title>
</head>
<body>
<div id="header">
<div id="logo">
<h1><a href="index.php">My Awesome Photoblog</a></h1>
</div>
<div id="menu">
<ul>
<li class="active">
<a href="/"> Home |</a>
</li>
<li><a href="cat.php?id=1">test | </a></li>
<li><a href="cat.php?id=2">ruxcon | </a></li>
<li><a href="cat.php?id=3">2010 | </a></li>
<li>
<a href="/all.php">All pictures |</a>
</li>
I can see that the vulnerable URL cat.php?id=1 is in the returned packet stream but there is no further effort by nmap to access these URLs. I suspect the issue is that spidering is not really happening, since I am not seeing any effort to inject anything.
rtaylor777
commented
May 19, 2018
|
Hi Daniel, I can see that the vulnerable URL cat.php?id=1 is in the returned packet stream but there is no further effort by nmap to access these URLs. I suspect the issue is that spidering is not really happening, since I am not seeing any effort to inject anything. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rtaylor777
May 19, 2018
Hi Daniel,
Please disregard the 2nd post concerning XSS detection. I am able to get results now thanks.
rtaylor777
commented
May 19, 2018
|
Hi Daniel, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rtaylor777
May 19, 2018
Hi Daniel,
I forgot to run the test with sqltrace. I am seeing evidence that it got the error results that should have indicated an injection, here is a small bit of it:
000002e0: 70 68 70 3f 69 64 3d 33 22 3e 32 30 31 30 20 7c php?id=3">2010 |
000002f0: 20 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 </a></li>
00000300: 20 20 20 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 <li>
00000310: 20 20 3c 61 20 68 72 65 66 3d 22 2f 61 6c 6c 2e <a href="/all.
00000320: 70 68 70 22 3e 41 6c 6c 20 70 69 63 74 75 72 65 php">All picture
00000330: 73 20 7c 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 s |</a>
00000340: 3c 2f 6c 69 3e 0a 20 0a 20 20 20 20 20 20 20 20 </li>
00000350: 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 3c <li> <
00000360: 61 20 68 72 65 66 3d 22 2f 61 64 6d 69 6e 2f 22 a href="/admin/"
00000370: 3e 41 64 6d 69 6e 3c 2f 61 3e 0a 20 20 20 20 20 >Admin</a>
00000380: 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 </li>
00000390: 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 3c 2f 64 </ul> </d
000003a0: 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 20 0a iv> </div>
000003b0: 0a 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c </div> <
000003c0: 64 69 76 20 69 64 3d 22 70 61 67 65 22 3e 0a 20 div id="page">
000003d0: 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f <div id="co
000003e0: 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 ntent">
000003f0: 0a 0a 20 20 0a 59 6f 75 20 68 61 76 65 20 61 6e You have an
00000400: 20 65 72 72 6f 72 20 69 6e 20 79 6f 75 72 20 53 error in your S
00000410: 51 4c 20 73 79 6e 74 61 78 3b 20 63 68 65 63 6b QL syntax; check
00000420: 20 74 68 65 20 6d 61 6e 75 61 6c 20 74 68 61 74 the manual that
00000430: 20 63 6f 72 72 65 73 70 6f 6e 64 73 20 74 6f 20 corresponds to
00000440: 79 6f 75 72 20 4d 79 53 51 4c 20 73 65 72 76 65 your MySQL serve
00000450: 72 20 76 65 72 73 69 6f 6e 20 66 6f 72 20 74 68 r version for th
00000460: 65 20 72 69 67 68 74 20 73 79 6e 74 61 78 20 74 e right syntax t
00000470: 6f 20 75 73 65 20 6e 65 61 72 20 27 27 20 4f 52 o use near '' OR
00000480: 20 73 71 6c 73 70 69 64 65 72 27 20 61 74 20 6c sqlspider' at l
00000490: 69 6e 65 20 31 20 20 20 20 3c 64 69 76 20 63 6c ine 1 <div cl
000004a0: 61 73 73 3d 22 62 6c 6f 63 6b 22 20 69 64 3d 22 ass="block" id="
000004b0: 62 6c 6f 63 6b 2d 74 65 78 74 22 3e 0a 20 20 20 block-text">
000004c0: 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 65 63 <div class="sec
000004d0: 6f 6e 64 61 72 79 2d 6e 61 76 69 67 61 74 69 6f ondary-navigatio
000004e0: 6e 22 3e 0a 0a 20 20 20 20 3c 2f 64 69 76 3e 0a n"> </div>
000004f0: 20 20 3c 2f 64 69 76 3e 0a 0a 0a 0a 0a 20 20 20 </div>
00000500: 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 66 6f <div id="fo
00000510: 6f 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 oter">
00000520: 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6c 6f <div class="blo
00000530: 63 6b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 ck">
00000540: 20 3c 70 3e 4e 6f 20 43 6f 70 79 72 69 67 68 74 <p>No Copyright
00000550: 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 </p>
00000560: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c </div> <
00000570: 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 0a 20 /div>
00000580: 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 </div>
00000590: 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a </div> </div>
000005a0: 0a 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 </body> </ht
000005b0: 6d 6c 3e 0a 20 0a ml>
rtaylor777
commented
May 19, 2018
|
Hi Daniel, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rtaylor777
May 19, 2018
Ignore the bit about not seeing it in wireshark. I am now... just a bit of a brain shortage. So I guess the only issue is it is not reported as being found despite performing the injection and receiving the error indicating an injection occured.
rtaylor777
commented
May 19, 2018
|
Ignore the bit about not seeing it in wireshark. I am now... just a bit of a brain shortage. So I guess the only issue is it is not reported as being found despite performing the injection and receiving the error indicating an injection occured. |
cldrn
self-assigned this
May 25, 2018
cldrn
added
enhancement
NSE
labels
May 25, 2018
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
cldrn
May 28, 2018
Member
The problem here was the error detection string generated by this instance of MySQL was missing in our DB. Remember that Nmap as a project can't ship larger databases so it is always a good idea to keep a larger list that you can use for these cases.
In this case I will add two additional error strings taken from this VM to improve detection with the default DB and close this ticket.
|
The problem here was the error detection string generated by this instance of MySQL was missing in our DB. Remember that Nmap as a project can't ship larger databases so it is always a good idea to keep a larger list that you can use for these cases. In this case I will add two additional error strings taken from this VM to improve detection with the default DB and close this ticket. |
nmap-bot
closed this
in
711d210
May 28, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
rtaylor777 commentedApr 20, 2018
I was trying to follow an SQL injection tutorial (Web Application Penetration Testing course on Cybrary.it) which showed downloading a VM ISO from https://pentesterlab.com/exercises/from_sqli_to_shell. The tutorial showed using nmap to check for SQLI and in the video it returned lots of results. I have not been able to get it to work and I show using curl below to prove there is an SQLI on the target.
root@kali:~# nmap -debug -p80 --script http-sql-injection --script-args
'httpspider.maxpagecount=200,http-sql-injection.url=/cat.php' 10.0.0.21
root@kali:~# curl "10.0.0.21/cat.php?id=1'"