source: trunk/plugins/nikto_tests.plugin @ 457

#VERSION,2.01
# $Id: nikto_tests.plugin 79 2008-09-21 15:34:39Z deity $
###############################################################################
#  Copyright (C) 2007 CIRT, Inc.
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; version 2
#  of the License only.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
###############################################################################
# PURPOSE:
# Perform the full database of nikto tests against a target
###############################################################################
sub nikto_tests_init {
    my $id = { name        => "tests",
               full_name   => "Nikto Tests",
               author      => "Sullo, Deity",
               description => "Test host with the standard Nikto tests",
               copyright   => "2008 CIRT Inc.",
               scan_method => \&nikto_tests,
               scan_weight => 99,
               options     => {
                         passfiles => "Flag to indicate whether to check for common password files",
                         all => "Flag to indicate whether to check all files with all directories",
                         report => "Report a status after the passed number of tests",
                         }
                 };
    return $id;
}

sub nikto_tests {
    my ($mark, $parameters) = @_;
    my $progress = 0;

    # this is the actual the looped code for all the checks
    foreach my $checkid (sort keys %TESTS) {
        if ($checkid >= 500000) { next; }    # skip TESTS added manually during run (for reports)
                                             # replace variables in the uri
        my @urilist = change_variables($TESTS{$checkid}{'uri'});

        # Now repeat for each uri
        foreach my $uri (@urilist) {
            my %headers;
            (my $res, $content, $error) =
              nfetch($mark, $uri,
                     $TESTS{$checkid}{'method'},
                     $TESTS{$checkid}{'data'},
                     \%headers, "", $checkid);

            # auth is now done in nfetch
            if ($res eq 200) {
                nprint("+ $uri - 200/OK Response could be $TESTS{$checkid}{'message'}")
                  if $OUTPUT{'show_ok'};
            }
            elsif ($res =~ /30(?:[0-3]|7)/) {
                nprint(  "+ $uri - Redirects ($res) to "
                       . $headers{'location'}
                       . " , $TESTS{$checkid}{'message'}")
                  if $OUTPUT{'show_redirects'};
            }

            my $m1_method = my $m1o_method = my $m1a_method = my $f2_method = my $f1_method =
              "content";
            my $positive = 0;

            # how to check each conditional
            if ($TESTS{$checkid}{'match_1'}     =~ /^[0-9]{3}$/) { $m1_method  = "code"; }
            if ($TESTS{$checkid}{'match_1_or'}  =~ /^[0-9]{3}$/) { $m1o_method = "code"; }
            if ($TESTS{$checkid}{'match_1_and'} =~ /^[0-9]{3}$/) { $m1a_method = "code"; }
            if ($TESTS{$checkid}{'fail_1'}      =~ /^[0-9]{3}$/) { $f1_method  = "code"; }
            if ($TESTS{$checkid}{'fail_2'}      =~ /^[0-9]{3}$/) { $f2_method  = "code"; }

            # basic match for positive result
            if ($m1_method eq "content") {
                if ($content =~ /$TESTS{$checkid}{'match_1'}/) {
                    $positive = 1;
                }
            }
            else {
                if (($res eq $TESTS{$checkid}{'match_1'}) || ($res eq $FoF{'okay'}{'response'})) {
                    $positive = 1;
                }
            }

            # no match, check optional match
            if ((!$positive) && ($TESTS{$checkid}{'match_1_or'} ne "")) {
                if ($m1o_method eq "content") {
                    if ($content =~ /$TESTS{$checkid}{'match_1_or'}/) {
                        $positive = 1;
                    }
                }
                else {
                    if (   ($res eq $TESTS{$checkid}{'match_1_or'})
                        || ($res eq $FoF{'okay'}{'response'})) {
                        $positive = 1;
                    }
                }
            }

            # matched on something, check fails/ands
            if ($positive) {
                if ($TESTS{$checkid}{'fail_1'} ne "") {
                    if ($f1_method eq "content") {
                        if ($content =~ /$TESTS{$checkid}{'fail_1'}/) { next; }
                    }
                    else {
                        if ($res eq $TESTS{$checkid}{'fail_1'}) { next; }
                    }
                }
                if ($TESTS{$checkid}{'fail_2'} ne "") {
                    if ($f2_method eq "content") {
                        if ($content =~ /$TESTS{$checkid}{'fail_2'}/) { next; }
                    }
                    else {
                        if ($res eq $TESTS{$checkid}{'fail_2'}) { next; }
                    }
                }
                if ($TESTS{$checkid}{'match_1_and'} ne "") {
                    if ($m1a_method eq "content") {
                        if ($content !~ /$TESTS{$checkid}{'match_1_and'}/) { next; }
                    }
                    else {
                        if ($res ne $TESTS{$checkid}{'match_1_and'}) { next; }
                    }
                }

                # if it's an index.php, check for normal /index.php to see if it's a FP
                if ($uri =~ /^\/index.php\?/) {
                    my $content = rm_active_content($content, $uri);
                    if (LW2::md4($content) eq $FoF{'index.php'}{'match'}) { next; }
                }

                # lastly check for a false positive based on file extension or type
                if (($m1_method eq "code") || ($m1o_method eq "code")) {
                    if (is_404($uri, $content, $res, $headers{'location'})) { next; }
                }

                $TESTS{$checkid}{'osvdb'} =~ s/\s+/ OSVDB\-/g;
                add_vulnerability($mark, "$uri: $TESTS{$checkid}{'message'}",
                                  $checkid,
                                  $TESTS{$checkid}{'osvdb'},
                                  $TESTS{$checkid}{'method'}, $uri);
            }
        }

        # Percentages
        if ($OUTPUT{'progress'}) {
            if ($parameters->{'report'}) {
                $progress++;
                if (($progress % $parameters->{'report'}) == 0) {
                    my $line = sprintf("- Tests completed: %d %.0f%%",
                                       $progress, ($progress / $NIKTO{total_checks}) * 100);
                    nprint($line);
                }
            }
        }
    }    # end check loop

    # Perform mutation tests
    if ($parameters->{'passfiles'}) {
        passchecks($mark);
    }
    if ($parameters->{'all'}) {
        allchecks($mark);
    }

    return;
}

sub passchecks {
    my ($mark) = @_;
    my @DIRS   = (split(/ /, $VARIABLES{"\@PASSWORDDIRS"}));
    my @PFILES = (split(/ /, $VARIABLES{"\@PASSWORDFILES"}));
    my @EXTS = qw(asp bak dat data dbc dbf exe htm html htx ini lst txt xml php php3 phtml);

    nprint("- Performing passfiles mutation", "v");

    foreach my $dir (@DIRS) {
        foreach my $file (@PFILES) {
            next if ($file eq "");

            # dir/file
            testfile($mark, "$dir$file", "passfiles", "299998");

            foreach my $ext (@EXTS) {

                # dir/file.ext
                testfile($mark, "$dir$file.$ext", "passfiles", "299998");

                foreach my $cgi (@CGIDIRS) {

                    # dir/file.ext
                    testfile($mark, "$cgi$dir$file.$ext", "passfiles", "299998");

                    # dir/file
                    testfile($mark, "$cgi$dir$file", "passfiles", "299998");
                }
            }
        }
    }
}

sub allchecks {
    my ($mark) = @_;

    # Hashes to temporarily store files/dirs in
    # We're using hashes to ensure that duplicates are removed
    my (%FILES, %DIRS);

    # build the arrays
    nprint("- Loading root level files", "v");
    foreach my $checkid (keys %TESTS) {

        # Expand out vars so we get full matches
        my @uris = change_variables($TESTS{$checkid}{'uri'});

        foreach my $uri (@uris) {
            my $dir  = LW2::uri_get_dir($uri);
            my $file = $uri;

            if ($dir ne "") {
                $DIRS{$dir} = "";
                $dir  =~ s/([^a-zA-Z0-9])/\\$1/g;
                $file =~ s/$dir//;
            }
            if (($file ne "") && ($file !~ /^\?/)) {
                $FILES{$file} = "";
            }
        }
    }

    # Now do a check for each item - just check the return status, nothing else
    foreach my $dir (keys %DIRS) {
        foreach my $file (keys %FILES) {
            testfile($mark, "$dir$file", "all checks", 299999);
        }
    }
}

sub testfile {
    my ($mark, $uri, $name, $tid) = @_;
    my ($res, $content, $error) = nfetch($mark, "$uri", "GET", "", "", "", "Tests: $name");
    nprint("- $res for $uri", "v");
    if ($error) {
        $mark->{'total_errors'}++;
        nprint("+ ERROR: $uri returned an error: $error", "e");
        return;
    }
    if ($res == 200) {
        add_vulnerability($mark, "$uri: file found during $name mutation", "$tid", "0", "GET");
    }
}

1;