| 1 | #VERSION,2.02 |
|---|
| 2 | # $Id$ |
|---|
| 3 | ############################################################################### |
|---|
| 4 | # Copyright (C) 2004 CIRT, Inc. |
|---|
| 5 | # |
|---|
| 6 | # This program is free software; you can redistribute it and/or |
|---|
| 7 | # modify it under the terms of the GNU General Public License |
|---|
| 8 | # as published by the Free Software Foundation; version 2 |
|---|
| 9 | # of the License only. |
|---|
| 10 | # |
|---|
| 11 | # This program is distributed in the hope that it will be useful, |
|---|
| 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|---|
| 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|---|
| 14 | # GNU General Public License for more details. |
|---|
| 15 | # |
|---|
| 16 | # You should have received a copy of the GNU General Public License |
|---|
| 17 | # along with this program; if not, write to the Free Software |
|---|
| 18 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
|---|
| 19 | ############################################################################### |
|---|
| 20 | # PURPOSE: |
|---|
| 21 | # Check out the robots.txt file |
|---|
| 22 | ############################################################################### |
|---|
| 23 | sub nikto_robots_init { |
|---|
| 24 | my $id = { |
|---|
| 25 | name => "robots", |
|---|
| 26 | full_name => "Robots", |
|---|
| 27 | author => "Sullo", |
|---|
| 28 | description => |
|---|
| 29 | "Checks whether there's anything within the robots.txt file and analyses it for other paths to pass to other scripts.", |
|---|
| 30 | recon_method => \&nikto_robots, |
|---|
| 31 | recon_weight => 49, |
|---|
| 32 | copyright => "2008 CIRT Inc." |
|---|
| 33 | }; |
|---|
| 34 | return $id; |
|---|
| 35 | } |
|---|
| 36 | |
|---|
| 37 | sub nikto_robots { |
|---|
| 38 | my ($mark) = @_; |
|---|
| 39 | my %headers; |
|---|
| 40 | (my $RES, $CONTENT) = nfetch($mark, "/robots.txt", "GET", "", \%headers, "", "robots"); |
|---|
| 41 | |
|---|
| 42 | if (($RES eq 200) || ($RES eq $FoF{'okay'}{'response'})) { |
|---|
| 43 | if (is_404("robots.txt", $CONTENT, $RES, $headers{'location'})) { return; } |
|---|
| 44 | |
|---|
| 45 | my ($DIRS, $RFILES) = ""; |
|---|
| 46 | my $DISCTR = 0; |
|---|
| 47 | my @DOC = split(/\n/, $CONTENT); |
|---|
| 48 | foreach my $line (@DOC) { |
|---|
| 49 | $line = quotemeta($line); |
|---|
| 50 | if ($line =~ /allow/i) { |
|---|
| 51 | chomp($line); |
|---|
| 52 | $line =~ s/\#.*$//; |
|---|
| 53 | $line =~ s/(?:^\s+|\s+$)//g; |
|---|
| 54 | $line =~ s/\s+/ /g; |
|---|
| 55 | $line =~ s/\\t/ /g; |
|---|
| 56 | $line =~ s/(?:dis)?allow(?:\\:)?\s?//i; |
|---|
| 57 | $line =~ s/\*//g; |
|---|
| 58 | $line =~ s/\/+/\//g; |
|---|
| 59 | |
|---|
| 60 | if ($line eq "") { next; } |
|---|
| 61 | |
|---|
| 62 | # try to figure out file vs dir... just guess... |
|---|
| 63 | if (($line !~ /\./) && ($line !~ /\/$/)) { $line .= "/"; } |
|---|
| 64 | |
|---|
| 65 | $line = LW2::uri_normalize($line); |
|---|
| 66 | |
|---|
| 67 | # figure out dirs/files... |
|---|
| 68 | my $realdir = LW2::uri_get_dir($line); |
|---|
| 69 | my $realfile = $line; |
|---|
| 70 | $realfile =~ s/^$realdir//; |
|---|
| 71 | |
|---|
| 72 | nprint("- robots.txt entry dir:$realdir -- file:$realfile", "d"); |
|---|
| 73 | if (($realdir ne "") && ($realdir ne "/")) { $DIRS{$realdir}++; } |
|---|
| 74 | if (($realfile ne "") && ($realfile ne "/")) { $RFILES{$realfile}++; } |
|---|
| 75 | $DISCTR++; |
|---|
| 76 | } # end if $line =~ disallow |
|---|
| 77 | } # end foreach my $line (@DOC)_ |
|---|
| 78 | |
|---|
| 79 | # add them to mutate dir/file |
|---|
| 80 | my $raw; |
|---|
| 81 | foreach $raw (sort keys %DIRS) { |
|---|
| 82 | $raw =~ s/\\//g; |
|---|
| 83 | if ($VARIABLES{"\@MUTATEDIRS"} !~ /$raw/) { |
|---|
| 84 | $VARIABLES{"\@MUTATEDIRS"} .= " $raw"; |
|---|
| 85 | } |
|---|
| 86 | if ($raw =~ /cgi/ && $VARIABLES{"\@CGIDIRS"} !~ /$raw/) { |
|---|
| 87 | $VARIABLES{"\@CGIDIRS"} .= " $raw"; |
|---|
| 88 | } |
|---|
| 89 | if ($raw =~ /forum/ && $VARIABLES{"\@NUKE"} !~ /$raw/) { |
|---|
| 90 | $VARIABLES{"\@NUKE"} .= " $raw"; |
|---|
| 91 | } |
|---|
| 92 | if ($raw =~ /pass/ && $VARIABLES{"\@PASSWORDDIRS"} !~ /$raw/) { |
|---|
| 93 | $VARIABLES{"\@PASSWORDDIRS"} .= " $raw"; |
|---|
| 94 | } |
|---|
| 95 | } |
|---|
| 96 | |
|---|
| 97 | foreach $raw (sort keys %RFILES) { |
|---|
| 98 | $raw =~ s/\\//g; |
|---|
| 99 | if ($VARIABLES{"\@MUTATEFILES"} !~ /$raw/) { |
|---|
| 100 | $VARIABLES{"\@MUTATEFILES"} .= " $raw"; |
|---|
| 101 | } |
|---|
| 102 | if ($raw =~ /pass/ && $VARIABLES{"\@PASSWORDFILES"} !~ /$raw/) { |
|---|
| 103 | $VARIABLES{"\@PASSWORDFILES"} .= " $raw"; |
|---|
| 104 | } |
|---|
| 105 | } |
|---|
| 106 | |
|---|
| 107 | my $msg; |
|---|
| 108 | if ($DISCTR eq 1) { $msg = "contains $DISCTR entry which should be manually viewed."; } |
|---|
| 109 | elsif ($DISCTR > 1) { $msg = "contains $DISCTR entries which should be manually viewed."; } |
|---|
| 110 | else { $msg = "retrieved but it does not contain any 'disallow' entries (which is odd)."; } |
|---|
| 111 | |
|---|
| 112 | add_vulnerability($mark, "robots.txt $msg", 999996, 0, "GET", "/robots.txt", \%result); |
|---|
| 113 | } |
|---|
| 114 | } |
|---|
| 115 | |
|---|
| 116 | 1; |
|---|
