http-fileupload-exploiter can not find pixel.gif #1608

Closed
rtaylor777 opened this issue May 23, 2019 · 4 comments

@rtaylor777

commented May 23, 2019

nmap -v -d -sV --script http-fileupload-exploiter 10.0.0.21

Against OWASP_BROKEN_WEB_APPS_VM_1.2.

---snip---
NSE: http-fileupload-exploiter against 10.0.0.21:443 threw an error!
.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:303: nselib/data/pixel.gif: No such file or directory
stack traceback:
[C]: in function 'assert'
.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:303: in function <.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:201>
(...tail calls...)

NSE Timing: About 99.73% done; ETC: 13:35 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:35 (0:00:00 remaining)
---snip---

I ran into this originally doing a 'vuln' scan on a pentest. I started out using the parameter --script-timeout 100 so that the scan would eventually finish.

Then I decided to take a look at the http-fileupload-exploiter script to see if I could figure out how to fix it. I tried putting the full path (/usr/share/nmap/nselib/data/pixel.gif) into the line:
local inp = assert(io.open("nselib/data/pixel.gif", "rb"))

Then I started seeing output in my vuln scan that I don't recall ever seeing before:
http-fileupload-exploiter:
|
| Failed to upload and execute a payload.
|_ Failed to upload and execute a payload.

Assuming that this fixes the issue.
Thanks,
Rob

@rtaylor777

Author

commented May 23, 2019

It also seems to work to put a relative path that makes sense:
local inp = assert(io.open("../nselib/data/pixel.gif", "rb"))

@nnposter


commented May 23, 2019

There seems to be a bug in that the file location is not properly searched for. Could you please give this patch a spin and report results?

--- a/scripts/http-fileupload-exploiter.nse
+++ b/scripts/http-fileupload-exploiter.nse
@@ -56,6 +56,7 @@
 
 local http = require "http"
 local io = require "io"
+local nmap = require "nmap"
 local string = require "string"
 local httpspider = require "httpspider"
 local shortport = require "shortport"
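Review bot: `stdnse` is called in the second hunk (`stdnse.debug1`) but is not required in this context block, so unless the script already has `local stdnse = require "stdnse"` further down, the fallback branch will fail on a nil global instead of logging the warning. Suggest adding that require next to `local nmap = require "nmap"`.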
@@ -211,6 +212,16 @@
   local foundfield = 0
   local fail = 0
 
+  local pixel
+  local pixelfn = nmap.fetchfile("nselib/data/pixel.gif")
+  if pixelfn then
+    local fh = io.open(pixelfn, "rb")
+    pixel = fh:read("a")
+    fh:close()
+  else
+    stdnse.debug1("Warning: Test file nselib/data/pixel.gif not found")
+    pixel = nil
+  end
 
   local crawler = httpspider.Crawler:new( host, port, '/', { scriptname = SCRIPT_NAME } )
 
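Review bot: the `io.open(pixelfn, "rb")` result is never checked, so if `nmap.fetchfile` returns a path that exists but cannot be opened (permissions, or the file disappearing between the lookup and the open), `fh` is nil and `fh:read("a")` raises the same class of script-aborting error this patch is meant to remove. Suggest `local fh, err = io.open(pixelfn, "rb")` and falling into the warning branch when `fh` is nil. Two smaller points: `pixel = nil` in the else branch is redundant given `local pixel` above, and a `debug1` message is only visible with `-d`, so a user running without debugging will see Method (3) silently skipped with no hint that a data file is missing.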
@@ -300,16 +311,15 @@
             end
 
             -- Method (3).
-            local inp = assert(io.open("nselib/data/pixel.gif", "rb"))
-            local image = inp:read("a")
-
-            buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths, image)
+            if pixel then
+              buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths, pixel)
 
-            result = makeAndCheckRequests(uploadspaths)
-            if result then
-              table.insert(returntable, result)
-            else
-              fail = 1
+              result = makeAndCheckRequests(uploadspaths)
+              if result then
+                table.insert(returntable, result)
+              else
+                fail = 1
+              end
             end
           end
         else
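Review bot: when `pixel` is nil this block skips Method (3) entirely without touching `fail` or `returntable`, so the script's final output gives no indication that the image-upload test was never run; a missing data file then reads the same as "nothing found". Consider recording the skip, for example by inserting a short note into `returntable` or setting `fail`, so the operator can tell an untested case from a negative result.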

@nnposter nnposter added bug NSE labels May 23, 2019

@rtaylor777

Author

commented May 23, 2019

root@kali:/usr/share/nmap# patch -Np1 -i /root/nmpatch.txt
patching file scripts/http-fileupload-exploiter.nse

Ran nmap:
nmap -v -d -sV --script http-fileupload-exploiter 10.0.0.21

Output looks good:
--snip---
| http-fileupload-exploiter:
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
|_ Failed to upload and execute a payload.
---snip---

Thanks for the fix.
Rob

@nnposter


commented May 24, 2019

Fix committed as r37632. Thank you for contributing to nmap.

@nmap-bot nmap-bot closed this in 168cbfd May 24, 2019
