Changeset 152

Timestamp:

08/13/2009 07:37:44 PM (4 years ago)

Author:

deity

Message:

Various changes to move to nfetch

Location:

trunk

Files:

• docs/CHANGES.txt (modified) (1 diff)
• plugins/db_tests (modified) (1 diff)
• plugins/nikto_apache_expect_xss.plugin (modified) (1 diff)
• plugins/nikto_apacheusers.plugin (modified) (1 diff)
• plugins/nikto_cgi.plugin (modified) (1 diff)
• plugins/nikto_core.plugin (modified) (10 diffs)
• plugins/nikto_dictionary_attack.plugin (modified) (1 diff)
• plugins/nikto_favicon.plugin (modified) (1 diff)
• plugins/nikto_headers.plugin (modified) (3 diffs)
• plugins/nikto_httpoptions.plugin (modified) (3 diffs)
• plugins/nikto_msgs.plugin (modified) (2 diffs)
• plugins/nikto_multiple_index.plugin (modified) (1 diff)
• plugins/nikto_put_del_test.plugin (modified) (2 diffs)
• plugins/nikto_robots.plugin (modified) (1 diff)
• plugins/nikto_subdomain.plugin (modified) (1 diff)
• plugins/nikto_tests.plugin (modified) (1 diff)
• plugins/nikto_user_enum_apache.plugin (modified) (3 diffs)

trunk/docs/CHANGES.txt

@@ +1 @@
+2009-08-13 plugins/*
+        - Various fixes to use nfetch and fix proxy use
 2009-08-12 plugins/nikto_core
         - New fetch (nfetch) sub added which uses a local request/result hash.

trunk/plugins/db_tests

@@ -3591 +3591 @@
 "003589","0","b","/cgi-bin/webcgi/about","GET","/cgi/locale/about_en.xsl","","","","","Host seems to be a Dell Remote Access Controller (RAC).","",""
 "003590","0","b","/webservices/IlaWebServices","GET","200","","","","","Host has the Oracle iLearning environment installed.","",""
+"003591","0","a","/SoundBridgeStatus.html","GET","200","SoundBridge is running software version","","","","Host is running the SoundBridge web server which doesn't support identification.","",""

trunk/plugins/nikto_apache_expect_xss.plugin

@@ -42 +42 @@
    my ($mark) = @_;
    my %headers=('Expect', '<script>alert(xss)</script>');
-   (my $RES, $CONTENT) = nfetch("/", "GET", "", \%headers);
+   (my $RES, $CONTENT) = nfetch($mark,"/", "GET", "", \%headers);
 
    if ($CONTENT =~ /<script>alert\(xss\)<\/script>/)

trunk/plugins/nikto_apacheusers.plugin

@@ -41 +41 @@
 {
    my ($mark) = @_;
-   (my $RES, $CONTENT) = nfetch("/~root", "GET");
+   (my $RES, $CONTENT) = nfetch($mark,"/~root", "GET");
 
    $CONTENT = char_escape($CONTENT);
    if ($CONTENT =~ /forbidden/i)    # good on "root"
    {
-      (my $RES, $CONTENT) = nfetch("/~" . LW2::utils_randstr(8), "GET");
+      (my $RES, $CONTENT) = nfetch($mark,"/~" . LW2::utils_randstr(8), "GET");
 
       $CONTENT = char_escape($CONTENT);

trunk/plugins/nikto_cgi.plugin

@@ -65 +65 @@
       foreach $possiblecgidir (@CFGCGI)
       {
-         ($res, $CONTENT)=nfetch($possiblecgidir,"GET");
+         ($res, $CONTENT)=nfetch($mark,$possiblecgidir,"GET");
          nprint("Checked for CGI dir\t$possiblecgidir\tgot:$res","d");
          if (content_present($res) eq TRUE)

trunk/plugins/nikto_core.plugin

@@ -1107 +1107 @@
 {
    my ($mark) = @_;
+   my %headers;
    
-   (my $RES, $CONTENT) = fetch("/","HEAD");
-
-   return $result{'server'};
+   (my $res, $content) = nfetch($mark,"/","GET","",\%headers);
+
+   return $headers{server};
 }
 ###############################################################################
 sub port_check
 {
-   my ($ip, $port) = @_;
-   my %request;
-
-   LW2::http_init_request(\%request);
-   $request{'User-Agent'} = $NIKTO{useragent};
-   $request{'whisker'}->{'retry'} = 0;
-   $request{'whisker'}->{'uri'}="/";
+   my ($hostname, $ip, $port) = @_;
+   my %mark, %headers;
+   
+   $mark{hostname}=$hostname;
+   $mark{ip}=$ip;
+   $mark{port}=$port;
+   $mark{ssl}=0;
+   
+   if (defined $CLI{vhost}) { $mark{vhost} = $CLI{vhost} };
 
    # test for proxy
    proxy_check() unless $PROXYCHECKED;
+   setup_hash(\%request,\%mark);
 
    my @checktypes=('HTTP', 'HTTPS');
@@ -1136 +1140 @@
       {
          nprint("- Checking for $checkssl on port $ip:$port, using $method","v");
-         $request{'whisker'}->{'host'} = $ip;
-         $request{'whisker'}->{'ssl'}=($checkssl eq "HTTP")?0:1;
-         $request{'whisker'}->{'port'}= $port;
-         $request{'whisker'}->{'http_eol'}=$http_eol;
-         dump_var("Request Hash", \%request);
-         LW2::http_close(\%request);  # force-close any old connections
-         LW2::http_fixup_request(\%request);
-         if ($CLI{pause} > 0) { sleep $CLI{pause}; }
-
-         my $res=LW2::http_do_request_timeout(\%request,\%result);
-         if (!$res) 
+         
+         $mark{ssl}=($checkssl eq "HTTP")?0:1;
+         my ($res, $content)=nfetch(\%mark, "/", $method, "", \%headers);
+
+         if ($res) 
          { 
             # this will fix for some Apaches that are smart enough to answer non ssl reqs on an ssl server
-            if (defined $result{'whisker'}{'data'} && $result{'whisker'}->{'data'} =~ /speaking plain HTTP to an SSL/) 
+            if (defined $content &&
+                $content =~ /speaking plain HTTP to an SSL/) 
             {
                dump_var("Result Hash", \%result);
                next;
             }
-            nprint("- $checkssl Server found: $ip:$port \t$result{'server'}","d"); 
-            dump_var("Result Hash", \%result);
-            return $request{'whisker'}->{'ssl'}+1;
-         }
-         else
-         {
-            dump_var("Result Hash", \%result);
+            nprint("- $checkssl Server found: $ip:$port \t$headers{server}","d"); 
+            return $mark{ssl}+1;
          }
       }
@@ -1536 +1530 @@
          my $uridir=$request{whisker}->{uri};
          $uridir =~ s#/[^/]*$#/#g;
-         add_vulnerability($mark,"Blank credentials found at $uridir, $REALMS{$REALM}{realm}: $REALMS{$REALM}{msg}", $REALMS{$REALM}{tid},0,"GET",$uridir,\%result); 
+         add_vulnerability($mark,"Blank credentials found at $uridir ($request{whisker}->{uri}), $REALMS{$REALM}{realm}: $REALMS{$REALM}{msg}", $REALMS{$REALM}{tid},0,"GET",$uridir,\%result); 
       }
       else
@@ -1565 +1559 @@
                my $uridir=$request{whisker}->{uri};
                $uridir =~ s#/[^/]*$#/#g;
-               add_vulnerability($mark,"Default account found for '$realm' at $uridir (ID '$REALMS{$REALM}{id}', PW '$REALMS{$REALM}{pw}'). $REALMS{$REALM}{msg}",$REALMS{$REALM}{tid},0,"GET",$uridir,\%result);
+               add_vulnerability($mark,"Default account found for '$realm' at $uridir ($request{whisker}->{uri}) (ID '$REALMS{$REALM}{id}', PW '$REALMS{$REALM}{pw}'). $REALMS{$REALM}{msg}",$REALMS{$REALM}{tid},0,"GET",$uridir,\%result);
                $REALMS{$REALM}{checked}=1;
             }
@@ -1682 +1676 @@
 sub proxy_check
 {
- $request{'whisker'}->{'method'}="HEAD";
+ $request{'whisker'}->{'method'}="GET";
  $request{'whisker'}->{'uri'}="/";
+ $request{'whisker'}->{host}="www.cirt.net";
 
  if (defined $request{'whisker'}->{'proxy_host'})  # proxy is set up
@@ -1871 +1866 @@
 sub setup_hash
 {
-   my ($reqhash) = @_;
+   my ($reqhash,$mark) = @_;
 
    # Do the standard set up for the hash 
@@ -1884 +1879 @@
    $reqhash->{User-Agent}=$NIKTO{useragent};
    $reqhash->{whisker}->{retry}=0;
-
+   $reqhash->{whisker}->{host} = $mark->{hostname} || $mark->{ip};
+   if ($mark->{vhost})
+   {
+      $request{Host} = $mark->{vhost};
+   }
+   $request->{whisker}->{port}    = $mark->{port};
+   $request->{whisker}->{ssl}     = $mark->{ssl};
+   
+   # Proxy stuff
+   if ($PROXYCHECKED && defined $NIKTOCONFIG{PROXYHOST} &&
+       defined $CLI{useproxy})
+   {
+      $reqhash->{'whisker'}->{'proxy_host'}=$NIKTOCONFIG{PROXYHOST};
+      $reqhash->{'whisker'}->{'proxy_port'}=$NIKTOCONFIG{PROXYPORT};
+      LW2::auth_set("proxy-basic",$reqhash,$NIKTOCONFIG{PROXYUSER},
+                    $NIKTOCONFIG{PROXYPASS});   # set auth
+   }
+   
    return $reqhash;
 }
@@ -1890 +1902 @@
 sub nfetch
 {
-   my ($uri, $method, $data, $headers, $noclean) = @_;
+   my ($mark, $uri, $method, $data, $headers, $noclean) = @_;
    if ($CLI{pause} > 0) { sleep $CLI{pause}; }
 
    my %request, %result;
-   setup_hash(\%request);
+   setup_hash(\%request, $mark);
  
    $request{whisker}->{uri} = $uri;
@@ -1925 +1937 @@
    # Cache
    if (defined $CACHE{$uri} && !defined $CLI{nocache} &&
-     $CACHE{$uri}{method} eq $method)
+       $CACHE{$uri}{method} eq $method && $CACHE{$uri}{mark} eq $mark)
    {
       # Get from cache
-      nprint("- Retrieving $request{whisker}->{uri} from cache.","v");
-      $result{whisker}->{code}=$CACHE{$request{whisker}->{uri}}{res};
-      $result{whisker}->{data}=$CACHE{$request{whisker}->{uri}}{content};
+      nprint("- Retrieving $uri from cache.","v");
+      $result{whisker}->{code}=$CACHE{$uri}{res};
+      $result{whisker}->{data}=$CACHE{$uri}{content};
    }
    else
@@ -1938 +1950 @@
       unless (defined $CLI{nocache})
       {
-         $CACHE{$request{whisker}->{uri}}{method}=$result{whisker}->{method};
-         $CACHE{$request{whisker}->{uri}}{res}=$result{whisker}->{code};
-         $CACHE{$request{whisker}->{uri}}{content}=$result{whisker}->{data};
+         $CACHE{$uri}{method}=$result{whisker}->{method};
+         $CACHE{$uri}{res}=$result{whisker}->{code};
+         $CACHE{$uri}{content}=$result{whisker}->{data};
+         $CACHE{$uri}{mark}=$mark;
       }
       if ($OUTPUT{debug})

trunk/plugins/nikto_dictionary_attack.plugin

@@ -65 +65 @@
       my $dir=$_;
       if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); }
-      (my $result, $content) = nfetch("/$dir/", "HEAD");
+      (my $result, $content) = nfetch($mark,"/$dir/", "HEAD");
       foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"}))
       {

trunk/plugins/nikto_favicon.plugin

@@ -41 +41 @@
 {
    my ($mark)=@_;
-   my ($RES, $CONTENT) = nfetch("/favicon.ico","GET");
+   my ($RES, $CONTENT) = nfetch($mark,"/favicon.ico","GET");
    my $dbarray = initialise_db("db_favicon");
 

trunk/plugins/nikto_headers.plugin

@@ -52 +52 @@
    foreach my $f (qw/\/index.php \/junk999.php \/ \/index.php3 \/ \/junk999.php3 \/index.cfm \/junk999.cfm \/index.asp \/junk999.asp \/index.aspx \/junk988.aspx/ )
    {
-      (my $RES, $CONTENT) = nfetch($f, "GET", "", \%headers);
+      (my $RES, $CONTENT) = nfetch($mark,$f, "GET", "", \%headers);
       if (defined $headers{x-powered-by}) { $xpb{ $headers{x-powered-by} } = 1; }
    }
@@ -147 +147 @@
    
    # First let's hit something we know should return something
-   my ($res, $content)=nfetch("/","GET","",\%headers);
+   my ($res, $content)=nfetch($mark,"/","GET","",\%headers);
 
    foreach my $header (@interesting_headers)
@@ -189 +189 @@
    foreach my $f (qw/\/index.html \/index.htm \/robots.txt/)
    {
-      (my $RES, $CONTENT) = nfetch($f, "GET","", \%headers);
+      (my $RES, $CONTENT) = nfetch($mark,$f, "GET","", \%headers);
    }
    

trunk/plugins/nikto_httpoptions.plugin

@@ -79 +79 @@
    # IIS Debug
 
-   ($RES, $CONTENT) = nfetch("/","DEBUG",);
+   ($RES, $CONTENT) = nfetch($mark,"/","DEBUG",);
    if ($RES == 200) 
    {
@@ -89 +89 @@
       "Content-Length" => "0",
    );
-   ($RES, $CONTENT) = nfetch("/","PROPFIND","",\%headers,1);
+   ($RES, $CONTENT) = nfetch($mark,"/","PROPFIND","",\%headers,1);
    if ($RES == 207)
    {
@@ -111 +111 @@
       {
          $request{whisker}{version} = $version; 
-         ($RES, $CONTENT) = nfetch("/","$method","",\%headers);
+         ($RES, $CONTENT) = nfetch($mark,"/","$method","",\%headers);
          if ($RES == 200)
          {

trunk/plugins/nikto_msgs.plugin

@@ -63 +63 @@
    if ($mark->{banner} =~ /(Agent-ListenServer-HttpSvr\/1\.0)\b/i) 
    { 
-      my ($RES, $CONTENT) = nfetch("/","GET"); 
+      my ($RES, $CONTENT) = nfetch($mark,"/","GET"); 
       next unless ($RES == 200); 
       # Computer name 
@@ -75 +75 @@
    if ($mark->{banner} =~ /(CompaqHTTPServer)/i) 
    { 
-      my ($RES, $CONTENT) = nfetch("/cpqlogin.htm","GET"); 
+      my ($RES, $CONTENT) = nfetch($mark,"/cpqlogin.htm","GET"); 
       next unless ($RES == 200); 
       my $ipaddrs=""; 

trunk/plugins/nikto_multiple_index.plugin

@@ -46 +46 @@
       # Use fetch to minimise extra code
       # First we need to mangle the host.
-      my ($res, $content) = nfetch("/$item->{index}", "GET");
+      my ($res, $content) = nfetch($mark,"/$item->{index}", "GET");
 
       if (($res == 200) || ($res == 302))

trunk/plugins/nikto_put_del_test.plugin

@@ -45 +45 @@
     # PUT a page
     my $uri = "/nikto-test-" . LW2::utils_randstr(8) . ".html";
-    (my $RES, $CONTENT) = nfetch($uri, "PUT", "This was a Nikto test.");
+    (my $RES, $CONTENT) = nfetch($mark,$uri, "PUT", "This was a Nikto test.");
 
     # Request it back
     if ($RES eq 201)
     {
-        (my $RES, $CONTENT) = nfetch($uri, "GET");
+        (my $RES, $CONTENT) = nfetch($mark,$uri, "GET");
         if ($CONTENT =~ /This was a Nikto test/)
         {
@@ -56 +56 @@
 
             # we were able to put it there--can we delete it?
-            (my $RES, $CONTENT) = nfetch($uri, "DELETE");
+            (my $RES, $CONTENT) = nfetch($mark,$uri, "DELETE");
             if ($RES eq 200)
             {
-                (my $RES, $CONTENT) = nfetch($uri, "GET");
+                (my $RES, $CONTENT) = nfetch($mark,$uri, "GET");
                 if ($CONTENT !~ /This was a Nikto test/)    # gone now
                 {

trunk/plugins/nikto_robots.plugin

@@ -42 +42 @@
 {
    my ($mark) = @_;
-   (my $RES, $CONTENT) = nfetch("/robots.txt", "GET");
+   (my $RES, $CONTENT) = nfetch($mark,"/robots.txt", "GET");
 
    if (($RES eq 200) || ($RES eq $FoF{okay}{response}))    # got one!

trunk/plugins/nikto_subdomain.plugin

@@ -64 +64 @@
       my $newhost=$item->{subdomain} . "." . $host;
       $request{whisker}{host} = $newhost;
-      my ($res, $content) = nfetch("/", "HEAD");
+      my ($res, $content) = nfetch($mark,"/", "HEAD");
 
       if (($res == 200) || ($res == 302))

trunk/plugins/nikto_tests.plugin

@@ -55 +55 @@
          (my $RES, $CONTENT) = fetch($uri,$TESTS{$CHECKID}{method},$TESTS{$CHECKID}{data});
          nprint("- $RES for $TESTS{$CHECKID}{method}:\t$request{whisker}{uri}","v");
-         # Check for errors to reduce false positives
-         if (defined $result{whisker}{error})
-         {
-            # An error occured, show in verbose mode and skip
-            nprint("- ERROR: $uri returned an error: $result{whisker}{error}\n");
-            next;
-         }
          $NIKTO{resp_counts}{$RES}{total}++;
    

trunk/plugins/nikto_user_enum_apache.plugin

@@ -76 +76 @@
          {
             my $curl = "$cgidir" . "cgiwrap";
-            (my $result, $content) = nfetch("$curl", "GET");
+            (my $result, $content) = nfetch($mark,"$curl", "GET");
             if ($content =~ /check your URL/i)
             {
@@ -124 +124 @@
    {
       if (($ctr % 500) eq 0) { nprint("- User enumeration guess $ctr ($text)", "v"); }
-      (my $result, $content) = nfetch("/~" . $text, "HEAD");
+      (my $result, $content) = nfetch($mark,"/~" . $text, "HEAD");
       my $user = nikto_user_enum_apache_check($result, $text);
       if (defined $user)
@@ -163 +163 @@
       if ($_ eq "" ) { next };
       if (($ctr % 500) == 0) { nprint("- User enumeration guess $ctr ($_)", "v"); }
-      (my $result, $content) = nfetch("/~" . $_, "HEAD");
+      (my $result, $content) = nfetch($mark,"/~" . $_, "HEAD");
       my $user = nikto_user_enum_apache_check($result, $_);
       if ($user)