This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a copy of the NSE I sent to nmap-dev on Friday night.
It attempts to detect web applications using a vulnerable version of the Telerik UI for ASP.NET AJAX library, which may lead to leaking the machine key (and subsequent view state compromise) and/or arbitrary file uploads (and subsequent RCE).
This is a nice script. It is simple enough, though, that it could be converted into a fingerprint in nselib/data/http-fingerprints.lua. In this format, we would only do the '?dp=////' request for each possible endpoint, since the fingerprints format doesn't currently allow sending followup requests. Would this be a problem? It seems as though just checking for the "Base-64" string might be a solid-enough check. Please let us know if you intend to convert it, if you have any concerns about it, or if you want us to convert it and credit you.
It's probably reasonable to assume that 404 pages and the like aren't going to generally discuss Base-64, and that hyphen would stop matches against data URIs that might be used, so I don't think it'll be a problem to just use the second check.
I've added a second commit that removes the NSE and adds the few appropriate lines to http-fingerprints.lua.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.
This is a copy of the NSE I sent to nmap-dev on Friday night.
It attempts to detect web applications using a vulnerable version of the Telerik UI for ASP.NET AJAX library, which may lead to leaking the machine key (and subsequent view state compromise) and/or arbitrary file uploads (and subsequent RCE).
Comments/feedback/... welcome.