Reproduce and Study Proof of Concept (PoC) with Nessus nasl
Most of my friends ask me how Nessus can report a service as vulnerable when there is no public PoC or exploit for it (e.g. MS16-047). So I wrote this article to help you understand the vulnerabilities you are interested in.
As an example, I chose the ETag Header Information Disclosure check. As you can see, Nessus extracts the inode number and the file size from the ETag value; I assume you have no prior knowledge of what an ETag is.
You can find the NASL file with the locate and grep commands, as in the example below. The default plugin path is /opt/nessus/lib/nessus/plugins/, where most of the plugins live. You can also open any other plugin you are interested in.
Once you open the file, you see that the ETag header is identified with a regex. On line 87, the plugin counts max_index of the ETag after splitting it. If the count is equal to 3, the Nessus script proceeds.
On line 97 we see that the first part of the split (etag[0]) is the inode value, the second part is the file size, and the third part is the mtime; this tells us how the ETag is calculated. Inode and file size are in hexadecimal, so we just need to convert them to decimal based on the code that we…
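To make the plugin's logic concrete, here is an added Python example (not the Nessus NASL plugin itself and not the article's own code) that applies the same three steps to raw response header lines: extract the ETag value with a regex, split it on "-" and only continue when exactly three fields come out, then decode the inode and size fields from hexadecimal. The sample header lines are constructed, not captured from a real host. Interpreting the third field as microseconds since the Unix epoch (Apache's apr_time_t) is an assumption of this example; the article only says it is the mtime. Weak validators (W/"...") and ETags that do not have the three-part form are handled so the parser does not misreport them.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample response header lines (not from any real server).
SAMPLE_HEADERS = [
    'ETag: "2cc539-37d-5a8a4c6cbdd00"',    # Apache inode-size-mtime form
    'ETag: W/"2cc539-37d-5a8a4c6cbdd00"',  # weak validator, same fields
    'ETag: "5e3bc2a1"',                    # single token, not the 3-part form
    'ETag: "abc-def"',                     # only two fields, should be skipped
    'Server: Apache',                      # not an ETag header at all
]

# Matches an ETag header, optionally weak (W/), and captures the quoted value.
ETAG_RE = re.compile(r'^ETag:\s*(W/)?"([^"]*)"\s*$', re.IGNORECASE)


@dataclass
class EtagInfo:
    inode: int                  # decoded from field 0 (hex -> decimal)
    size: int                   # decoded from field 1 (hex -> decimal)
    mtime_hex: str              # field 2 as it appeared in the header
    mtime_utc: Optional[datetime]  # assumption: field 2 is microseconds since epoch


def parse_etag_header(line: str) -> Optional[EtagInfo]:
    """Return decoded fields when the line carries a three-part Apache-style ETag."""
    m = ETAG_RE.match(line)
    if not m:
        return None
    fields = m.group(2).split("-")
    # Same gate as the plugin: proceed only when the split yields exactly three parts.
    if len(fields) != 3:
        return None
    try:
        inode = int(fields[0], 16)
        size = int(fields[1], 16)
        mtime_raw = int(fields[2], 16)
    except ValueError:
        # One of the fields was not hexadecimal, so this is not the expected format.
        return None
    mtime_utc: Optional[datetime] = None
    try:
        # Assumption: apr_time_t microseconds; integer division keeps whole seconds.
        mtime_utc = datetime.fromtimestamp(mtime_raw // 1_000_000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        pass  # leave mtime_utc as None if the value is outside the platform's range
    return EtagInfo(inode=inode, size=size, mtime_hex=fields[2], mtime_utc=mtime_utc)


def scan_headers(lines: List[str]) -> List[Tuple[str, EtagInfo]]:
    """Run the check over many header lines and keep only the ones that disclose fields."""
    findings = []
    for line in lines:
        info = parse_etag_header(line)
        if info is not None:
            findings.append((line, info))
    return findings


if __name__ == "__main__":
    for line, info in scan_headers(SAMPLE_HEADERS):
        print(f"{line}\n  inode={info.inode} size={info.size} bytes mtime={info.mtime_utc}")
```

Running the script reports the two Apache-style lines (strong and weak form) with the decoded inode and size, and ignores the single-token and two-field ETags, which is exactly the distinction the plugin's count-equals-3 check makes. The same function can be pointed at headers saved from your own servers to confirm whether a scanner finding is real before changing the FileETag setting.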