source: trunk/plugins/nikto_subdomain.plugin @ 486

Revision 486, 2.8 KB checked in by deity, 3 years ago (diff)

Add LF to EXECDIR error and correct name of apache_expect_xss plugin

1#VERSION,2.00
2# $Id$
3###############################################################################
4#  Copyright (C) 2004 CIRT, Inc.
5#
6#  This program is free software; you can redistribute it and/or
7#  modify it under the terms of the GNU General Public License
8#  as published by the Free Software Foundation; version 2
9#  of the License only.
10#
11#  This program is distributed in the hope that it will be useful,
12#  but WITHOUT ANY WARRANTY; without even the implied warranty of
13#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#  GNU General Public License for more details.
15#
16#  You should have received a copy of the GNU General Public License
17#  along with this program; if not, write to the Free Software
18#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
19###############################################################################
20# PURPOSE:
21# Look for subdomains
22###############################################################################
sub nikto_subdomain_init {
    # Plugin registration record handed back to nikto's core: identity,
    # authorship, and the single "scan" hook that runs nikto_subdomain.
    # NOTE(review): weight is passed through as given (20); its ordering
    # semantics are defined by the core, not here — confirm there.
    my %hooks = (
        scan => {
            method => \&nikto_subdomain,
            weight => 20,
        },
    );

    my %plugin = (
        name        => "subdomain",
        full_name   => "Sub-domain forcer",
        author      => "Ryan Dewhurst",
        description => "Attempts to bruteforce commonly known sub-domains",
        hooks       => \%hooks,
        copyright   => "2009 Ryan Dewhurst",
    );

    return \%plugin;
}
39
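# nikto_subdomain: scan hook. Probes "<entry>.<host>" for every entry in the
# db_subdomains database and records a finding for each one that answers.
#
# Arguments:
#   $mark - the target record; reads and temporarily overwrites
#           $mark->{'hostname'}, restoring it before returning.
# Returns: nothing meaningful.
# Side effects: forces $CLI{'nocache'} on for the duration of the probes
#   (restored afterwards), calls nprint/nfetch/add_vulnerability.
sub nikto_subdomain {
    my ($mark) = @_;
    my $dbarray = init_db("db_subdomains");

    # Record the host for future use
    my $host = $mark->{'hostname'};

    # Check whether the host is an IP address
    if (index($host, '.') < 0 || $host =~ /^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$/) {

        # Host is an IP address, don't bother!
        nprint("Host supply to subdomain is an IP address or an unqualified hostname; skipping",
               "v");
        return;
    }

    # Drop a leading "www." so the probes are built on the bare domain
    $host =~ s/^www\.//;

    # Caching must be off so every probe really hits the wire; remember the
    # caller's setting so it can be put back afterwards.
    my $nocache_enabled = 0;
    if ($CLI{'nocache'}) { $nocache_enabled = 1; }
    $CLI{'nocache'} = 1;

    # $mark is shared with every other plugin in the run, so the hostname
    # overwritten in the loop below must be restored before we return;
    # otherwise later plugins would target the last subdomain tried.
    my $original_hostname = $mark->{'hostname'};

    foreach my $item (@$dbarray) {

        # Use nfetch to minimize extra code
        # First we need to mangle the host.
        my $newhost = $item->{'subdomain'} . "." . $host;
        $mark->{'hostname'} = $newhost;
        my ($result, $content, $error) = nfetch($mark, "/", "GET", "", "subdomain");

        # An empty error string is treated as "the name resolved and answered"
        if ($error eq "") {
            add_vulnerability($mark, "Subdomain $item->{'subdomain'} found", $item->{'nikto_id'},
                              0);
        }    # End if

    }    # End foreach

    $mark->{'hostname'} = $original_hostname;
    if (!$nocache_enabled) { undef $CLI{'nocache'}; }
}    # End sub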
83
1;    # a required/do'd file must return a true value