description=[[ Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"]. This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify PHP_SELF cross site scripting vulnerabilities. PHP_SELF XSS refers to reflected cross site scripting vulnerabilities caused by the lack of sanitation of the variable $_SERVER["PHP_SELF"] in PHP scripts. This variable is commonly used in php scripts that display forms and when the script file name is needed. Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER[PHP_SELF]: *http://www.securityfocus.com/bid/37351 *http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage *http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x The attack vector/probe used is: /'"/> ]] --- -- @usage -- nmap --script=http-phpself-xss -p80 -- nmap -sV --script http-self-xss -- @output -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack -- | http-phpself-xss: -- | VULNERABLE: -- | Unsafe use of $_SERVER["PHP_SELF"] in PHP files -- | State: VULNERABLE (Exploitable) -- | Description: -- | PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities. -- | -- | Extra information: -- | -- | Vulnerable files with proof of concept: -- | http://calder0n.com/sillyapp/three.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E -- | http://calder0n.com/sillyapp/secret/2.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E -- | http://calder0n.com/sillyapp/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E -- | http://calder0n.com/sillyapp/secret/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E -- | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=calder0n.com -- | References: -- | https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) -- |_ http://php.net/manual/en/reserved.variables.server.php -- @args http-phpself-xss.uri URI. Default: / -- @args http-phpself-xss.timeout Spidering timeout. (default 10s) author = "Paulino Calderon " license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"fuzzer", "intrusive", "vuln"} local http = require 'http' local httpspider = require 'httpspider' local shortport = require 'shortport' local url = require 'url' local stdnse = require 'stdnse' local vulns = require 'vulns' local string = require 'string' local table = require 'table' portrule = shortport.http -- PHP_SELF Attack vector local PHP_SELF_PROBE = '/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E' local probes = {} --Checks if attack vector is in the response's body --@param response Response table --@return True if attack vector is found in response's body local function check_probe_response(response) stdnse.debug3("Probe response:\n%s", response.body) if string.find(response.body, "'\"/>", 1, true) ~= nil then return true end return false end --Launches probe request --@param host Hostname --@param port Port number --@param uri URL String --@return True if page is vulnerable/attack vector was found in body local function launch_probe(host, port, uri) local probe_response --We avoid repeating probes. --This is a temp fix since httpspider do not keep track of previously parsed links at the moment. if probes[uri] then return false end stdnse.debug1("HTTP GET %s%s", uri, PHP_SELF_PROBE) probe_response = http.get(host, port, uri .. PHP_SELF_PROBE) --save probe in list to avoid repeating it probes[uri] = true if check_probe_response(probe_response) then return true end return false end --- --main --- action = function(host, port) local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/" local timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME..'.timeout')) timeout = (timeout or 10) * 1000 local crawler = httpspider.Crawler:new(host, port, uri, { scriptname = SCRIPT_NAME } ) crawler:set_timeout(timeout) local vuln = { title = 'Unsafe use of $_SERVER["PHP_SELF"] in PHP files', state = vulns.STATE.NOT_VULN, description = [[ PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities. ]], references = { 'http://php.net/manual/en/reserved.variables.server.php', 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' } } local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) local vulnpages = {} local probed_pages= {} while(true) do local status, r = crawler:crawl() if ( not(status) ) then if ( r.err ) then return stdnse.format_output(true, "ERROR: %s", r.reason) else break end end local parsed = url.parse(tostring(r.url)) --Only work with .php files if ( parsed.path and parsed.path:match(".*.php") ) then --The following port/scheme code was seen in http-backup-finder and its neat =) local host, port = parsed.host, parsed.port if ( not(port) ) then port = (parsed.scheme == 'https') and 443 port = port or ((parsed.scheme == 'http') and 80) end local escaped_link = parsed.path:gsub(" ", "%%20") if launch_probe(host,port,escaped_link) then table.insert(vulnpages, parsed.scheme..'://'..host..escaped_link..PHP_SELF_PROBE) end end end if ( #vulnpages > 0 ) then vuln.state = vulns.STATE.EXPLOIT vulnpages.name = "Vulnerable files with proof of concept:" vuln.extra_info = stdnse.format_output(true, vulnpages)..crawler:getLimitations() end return vuln_report:make_output(vuln) end