http-fileupload-exploiter can not find pixel.gif #1608

Closed
rtaylor777 opened this issue May 23, 2019 · 4 comments

@rtaylor777

nmap -v -d -sV --script http-fileupload-exploiter 10.0.0.21

Against OWASP_BROKEN_WEB_APPS_VM_1.2.

---snip---
NSE: http-fileupload-exploiter against 10.0.0.21:443 threw an error!
.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:303: nselib/data/pixel.gif: No such file or directory
stack traceback:
[C]: in function 'assert'
.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:303: in function <.../bin/../share/nmap/scripts/http-fileupload-exploiter.nse:201>
(...tail calls...)

NSE Timing: About 99.73% done; ETC: 13:35 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:35 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:36 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:36 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:37 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:37 (0:00:00 remaining)
NSE Timing: About 99.73% done; ETC: 13:38 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:38 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:39 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:39 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:40 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:40 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:41 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:41 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:42 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:42 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:43 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:43 (0:00:01 remaining)
NSE Timing: About 99.73% done; ETC: 13:44 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:44 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:45 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:45 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:46 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:46 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:47 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:47 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:48 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:48 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:49 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:49 (0:00:02 remaining)
NSE Timing: About 99.73% done; ETC: 13:50 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:50 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:51 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:51 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:52 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:52 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:53 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:53 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:54 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:54 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:55 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:55 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:56 (0:00:03 remaining)
NSE Timing: About 99.73% done; ETC: 13:56 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:57 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:57 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:58 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:58 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:59 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 13:59 (0:00:04 remaining)
NSE Timing: About 99.73% done; ETC: 14:00 (0:00:04 remaining)
---snip---

I ran into this originally doing a 'vuln' scan on a pentest. I started out using the
parameter --script-timeout 100 so that the scan would eventually finish.

Then I decided to take a look at the http-fileupload-exploiter script to see if I could figure out how to fix it. I tried putting the full path (/usr/share/nmap/nselib/data/pixel.gif) into the line:
local inp = assert(io.open("nselib/data/pixel.gif", "rb"))

Then I started seeing output in my vuln scan that I don't recall ever seeing before:
http-fileupload-exploiter:
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
|_ Failed to upload and execute a payload.

Assuming that this fixes the issue.
Thanks,
Rob

@rtaylor777

It also seems to work to put a relative path that makes sense:
local inp = assert(io.open("../nselib/data/pixel.gif", "rb"))

@nnposter

There seems to be a bug in that the file location is not properly searched for. Could you please give this patch a spin and report results?

--- a/scripts/http-fileupload-exploiter.nse
+++ b/scripts/http-fileupload-exploiter.nse
@@ -56,6 +56,7 @@
 
 local http = require "http"
 local io = require "io"
+local nmap = require "nmap"
 local string = require "string"
 local httpspider = require "httpspider"
 local shortport = require "shortport"
@@ -211,6 +212,16 @@
   local foundfield = 0
   local fail = 0
 
+  local pixel
+  local pixelfn = nmap.fetchfile("nselib/data/pixel.gif")
+  if pixelfn then
+    local fh = io.open(pixelfn, "rb")
+    pixel = fh:read("a")
+    fh:close()
+  else
+    stdnse.debug1("Warning: Test file nselib/data/pixel.gif not found")
+    pixel = nil
+  end
 
   local crawler = httpspider.Crawler:new( host, port, '/', { scriptname = SCRIPT_NAME } )
 
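Review bot: the `io.open(pixelfn, "rb")` call on the `if pixelfn then` branch is not checked for failure. `nmap.fetchfile` only resolves a path; if the open itself fails (permissions, file removed between lookup and open) `fh` is nil and `fh:read("a")` raises the same kind of hard error this patch is meant to remove. Suggest `local fh = io.open(pixelfn, "rb")` followed by `if fh then ... else` falling through to the warning branch. The `pixel = nil` in the `else` branch is redundant since `local pixel` already initialises it to nil. Also, this hunk calls `stdnse.debug1` while the first hunk only adds `require "nmap"`; confirm `stdnse` is already required elsewhere in the script.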
@@ -300,16 +311,15 @@
             end
 
             -- Method (3).
-            local inp = assert(io.open("nselib/data/pixel.gif", "rb"))
-            local image = inp:read("a")
-
-            buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths, image)
+            if pixel then
+              buildRequests(host, port, submission, filefield["name"], "image/gif", partofrequest, uploadspaths, pixel)
 
-            result = makeAndCheckRequests(uploadspaths)
-            if result then
-              table.insert(returntable, result)
-            else
-              fail = 1
+              result = makeAndCheckRequests(uploadspaths)
+              if result then
+                table.insert(returntable, result)
+              else
+                fail = 1
+              end
             end
           end
         else
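Review bot: when `pixel` is nil, Method (3) is now skipped with nothing but a debug-level message and `fail` is left unchanged, so the script's final output cannot distinguish "the GIF upload was tested and failed" from "the GIF test never ran". Consider recording the skip in `returntable` (or at least emitting `stdnse.verbose1`) so operators running without `-d` see that one of the three methods was not exercised.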

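The hardened form of the data-file lookup discussed above, as an added example that is not part of the nmap patch or the nmap code base: it resolves the file through `nmap.fetchfile` like the patch does, but also checks the `io.open` result and never raises, so a missing or unreadable file degrades to a skipped test with a visible reason. The function names `load_data_file` and the variable `why` are hypothetical.

```lua
-- Added example (not from the nmap patch above): a defensive loader for an
-- NSE data file. The name load_data_file is hypothetical.
local nmap = require "nmap"
local io = require "io"
local stdnse = require "stdnse"

-- Resolve relpath through nmap's data-directory search (the same lookup the
-- patch uses) and read it. Never raises: returns data, path on success or
-- nil, reason on failure so the caller can degrade gracefully.
local function load_data_file(relpath)
  local path = nmap.fetchfile(relpath)
  if not path then
    return nil, ("%s not found in any nmap data directory"):format(relpath)
  end
  local fh, err = io.open(path, "rb")
  if not fh then
    -- fetchfile found the path, but opening it still failed (permissions etc.)
    return nil, ("%s: %s"):format(path, err)
  end
  local data = fh:read("a")
  fh:close()
  if not data or #data == 0 then
    return nil, path .. " is empty"
  end
  return data, path
end

-- Usage inside an action(): skip the GIF upload test but say so at verbose
-- level, so a scan run without -d does not silently lose a test method.
local pixel, why = load_data_file("nselib/data/pixel.gif")
if not pixel then
  stdnse.verbose1("Skipping GIF upload test: %s", why)
end
```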
@rtaylor777

root@kali:/usr/share/nmap# patch -Np1 -i /root/nmpatch.txt
patching file scripts/http-fileupload-exploiter.nse

Ran nmap:
nmap -v -d -sV --script http-fileupload-exploiter 10.0.0.21

Output looks good:
---snip---
| http-fileupload-exploiter:
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
|_ Failed to upload and execute a payload.
---snip---

Thanks for the fix.
Rob

@nnposter

Fix committed as r37632. Thank you for contributing to nmap.

@nnposter nnposter self-assigned this Jul 10, 2019