Changeset 143

Timestamp:

08/04/09 21:52:29 (4 years ago)

Author:

deity

Message:

Added test for DEBUG HTTP verb

Location:

trunk

Files:

• docs/CHANGES.txt (modified) (1 diff)
• plugins/nikto_core.plugin (modified) (2 diffs)
• plugins/nikto_httpoptions.plugin (modified) (3 diffs)

trunk/docs/CHANGES.txt

@@ -1 +1 @@
 2009-08-04 plugin/nikto_core
         - Patch to actually report the URI when it works out a password
+        - Added test for DEBUG HTTP verb
 2009-08-03 plugin/nikto.pl
         - Put in a quick catch for port ranges (e.g. 80-90) if people use the

trunk/plugins/nikto_core.plugin

@@ -461 +461 @@
        -dbcheck            check database and other key files for syntax errors (cannot be abbreviated)
        -evasion+           ids evasion technique
-       -Format+         save file (-o) format
-       -host+           target host
-       -Help            Extended help information
+       -Format+            save file (-o) format
+       -host+              target host
+       -Help               Extended help information
        -id+                host authentication to use, format is userid:password
        -mutate+            Guess additional file names
-       -mutate-options+         Provide extra information for mutations
-       -output+            write output to this file
-       -nossl                   disables using SSL
-       -no404        disables 404 checks
-       -port+           port to use (default 80)
-       -Display+           turn on/off display outputs
-       -ssl             force ssl mode on port
+       -mutate-options+    Provide extra information for mutations
+       -output+            Write output to this file
+       -nossl              Disables using SSL
+       -no404              Disables 404 checks
+       -port+              Port to use (default 80)
+       -Display+           Turn on/off display outputs
+       -ssl                Force ssl mode on port
        -Single             Single request mode
-       -timeout+           timeout (default 2 seconds)
-       -Tuning+            scan tuning
-       -update          update databases and plugins from cirt.net (cannot be abbreviated)
-       -Version            print plugin and database versions
-       -vhost+             virtual host (for Host header)
+       -timeout+           Timeout (default 2 seconds)
+       -Tuning+            Scan tuning
+       -update             Update databases and plugins from cirt.net (cannot be abbreviated)
+       -Version            Print plugin and database versions
+       -vhost+             Virtual host (for Host header)
    + requires a value
    ";
@@ -484 +484 @@
  $NIKTO{options}="
    Options:
-       -config+            use this config file
-       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like \"/cgi/ /cgi-a/\"
-       -Display+           turn on/off display outputs:\n";
+       -config+            Use this config file
+       -Cgidirs+           Scan these CGI dirs: 'none', 'all', or values like \"/cgi/ /cgi-a/\"
+       -Display+           Turn on/off display outputs:\n";
    foreach my $k (sort keys %{$NIKTO{display}}) 
       { $NIKTO{options} .= "                               $k     $NIKTO{display}{$k}\n"; }
 
- $NIKTO{options}.="       -dbcheck           check database and other key files for syntax errors (cannot be abbreviated)
-       -evasion+           ids evasion technique:\n";
+ $NIKTO{options}.="       -dbcheck           Check database and other key files for syntax errors (cannot be abbreviated)
+       -evasion+          IDS evasion technique:\n";
    foreach my $k (sort keys %{$NIKTO{anti_ids}}) 
       { $NIKTO{options} .= "                               $k     $NIKTO{anti_ids}{$k}\n"; }
 
- $NIKTO{options}.="       -findonly          find http(s) ports only, don't perform a full scan
-       -Format+         save file (-o) format:
+ $NIKTO{options}.="       -findonly          Find http(s) ports only, don't perform a full scan
+       -Format+           Save file (-o) format:
                                 htm   HTML Format
                                 csv   Comma-separated-value
                                 txt   Plain text (default if not specified)
-                                   xml   XML Format
-       -host+           target host
-       -Help            Extended help information
-       -id+                host authentication to use, format is userid:password
-       -mutate+            Guess additional file names:\n";
+                                xml   XML Format
+       -host+             Target host
+       -Help              Extended help information
+       -id+               Host authentication to use, format is userid:password
+       -mutate+           Guess additional file names:\n";
    foreach my $k (sort keys %{$NIKTO{mutate_opts}}) 
       { $NIKTO{options} .= "                               $k     $NIKTO{mutate_opts}{$k}\n"; }
 
  $NIKTO{options}.="       -mutate-options    Provide information for mutates
-       -nolookup           skip name lookup
-       -nossl                   disables using SSL
-       -no404        disables nikto attempting to guess a 404 page
-       -output+            write output to this file
-       -port+           port to use (default 80)
-       -Pause+             pause between tests (seconds)\n";
-
- $NIKTO{options}.="       -root+             prepend root value to all requests, format is /directory
-       -ssl             force ssl mode on port
-       -Single             Single request mode
-       -timeout+           timeout (default 2 seconds)
-       -Tuning+            scan tuning:\n";
+       -nolookup          Skip name lookup
+       -nossl             Disables using SSL
+       -no404             Disables nikto attempting to guess a 404 page
+       -output+           Write output to this file
+       -port+             Port to use (default 80)
+       -Pause+            Pause between tests (seconds)\n";
+
+ $NIKTO{options}.="       -root+             Prepend root value to all requests, format is /directory
+       -ssl               Force ssl mode on port
+       -Single            Single request mode
+       -timeout+          Timeout (default 2 seconds)
+       -Tuning+           Scan tuning:\n";
    foreach my $k (sort keys %{$NIKTO{tuning}}) 
       { $NIKTO{options} .= "                               $k     $NIKTO{tuning}{$k}\n"; }
 
- $NIKTO{options}.="       -useproxy          use the proxy defined in config.txt
-       -update          update databases and plugins from cirt.net (cannot be abbreviated)
-       -Version            print plugin and database versions
-       -vhost+             virtual host (for Host header)
+ $NIKTO{options}.="       -useproxy          Use the proxy defined in config.txt
+       -update            Update databases and plugins from cirt.net (cannot be abbreviated)
+       -Version           Print plugin and database versions
+       -vhost+            Virtual host (for Host header)
    + requires a value
    ";

trunk/plugins/nikto_httpoptions.plugin

@@ -77 +77 @@
 
    # Check for other weirdness
+   # IIS Debug
+
+   ($RES, $CONTENT) = fetch("/","DEBUG",);
+   if ($RES == 200) 
+   {
+      add_vulnerability($mark,"DEBUG HTTP verb may show server debugging information",999972,0,"DEBUG");
+   }
    # IIS PROPFIND HEADER
    my %headers=(
@@ -90 +97 @@
          $ipfound =~ s/^.*<a:href>//g;
          $ipfound =~ s/<\/a:href>.*$//g;
-         add_vulnerability($mark,"PROPFIND may show the server's internal IP address: $ipfound",999973,13431);
+         add_vulnerability($mark,"PROPFIND HTTP verb may show the server's internal IP address: $ipfound",999973,13431);
       }
    } 
@@ -109 +116 @@
             if ($CONTENT =~ "Nikto")
             {
-               add_vulnerability($mark,"HTTP $method method is active, suggesting the host is vulnerable to XST",999974,877);
+               add_vulnerability($mark,"HTTP $method method is active, suggesting the host is vulnerable to XST",999971,877);
                # now we know its vulnerable stop testing
                last;