-
Notifications
You must be signed in to change notification settings - Fork 50
/
http-vuln-cve2023-49103.nse
65 lines (58 loc) · 2.02 KB
/
http-vuln-cve2023-49103.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local string = require "string"
local vulns = require "vulns"
description = [[
This NSE script checks for ownCloud - Phpinfo Configuration Vulnerability (CVE-2023-49103).
]]
---
-- @usage
-- nmap --script http-vuln-cve2023-49103 -p <port> <host>
-- nmap --script http-vuln-cve2023-49103 -p <port> <host> --script-args http.host=<host>
--
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | http-vuln-cve2023-49103:
-- | Host is vulnerable to CVE-2023-49103
--
author = "Dhiraj Mishra (@RandomDhiraj)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln"}
portrule = shortport.portnumber(443)
action = function(host, port)
local vuln = {
title = 'ownCloud - Phpinfo Configuration Vulnerability (CVE-2023-49103)',
state = vulns.STATE.NOT_VULN,
description = [[
An issue was discovered in ownCloud where the graphapi app exposes sensitive information through a Phpinfo configuration file.
]],
references = {
'https://nvd.nist.gov/vuln/detail/CVE-2023-49103',
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local paths = {
"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/input.css",
"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/zero.css"
}
local response
local vulnerable = false
for _, path in ipairs(paths) do
response = http.get(host, port, path)
if response.status == 200 and
string.find(response.body, "PHP Extension") and
string.find(response.body, "PHP Version") and
string.find(response.body, "owncloud") then
stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME, host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
vulnerable = true
break
end
end
if not vulnerable then
stdnse.print_debug("%s: The host does not appear to be vulnerable.", SCRIPT_NAME)
end
return vuln_report:make_output(vuln)
end