Changeset 282

Timestamp:

01/27/2010 04:58:21 AM (3 years ago)

Author:

sullo

Message:

This wasn't actually working ($mark wasn't passed around), and the prefix wasn't properly assigned if it was using cgiwrap to scan

File:

• trunk/plugins/nikto_user_enum_apache.plugin (modified) (9 diffs)

trunk/plugins/nikto_user_enum_apache.plugin

@@ -47 +47 @@
    my ($mark) = @_;
    my $url;
-   my @cgiwraps, @cfgcgi=split(/ /, $VARIABLES{"\@CGIDIRS"});
-   
+   my @cgiwraps;
+   my @cfgcgi=split(/ /, $VARIABLES{"\@CGIDIRS"});
+
    # Set the URL according to the mutate version
    my @mutates=split(//,$CLI{'mutate'});
@@ -60 +61 @@
          {
             # We have options - assume it is a dictionary attack
-            nikto_user_enum_apache_dictionary($url);
+            nikto_user_enum_apache_dictionary($url, $mark);
          }
          else
          {
-            nikto_user_enum_apache_brute($url);
+            nikto_user_enum_apache_brute($url, $mark);
          }
       }
@@ -88 +89 @@
             {
                # We have options - assume it is a dictionary attack
-               nikto_user_enum_apache_dictionary($url);
+               nikto_user_enum_apache_dictionary($url, $mark);
             }
             else
             {
-               nikto_user_enum_apache_brute($url);
+               nikto_user_enum_apache_brute($url, $mark);
             }
          }
@@ -113 +114 @@
    # be 'brute force' would it? (jfs)
 
+   my $url=shift;
+   my ($mark)=@_;
    my $text = "a";
    my $ctr  = 0;
@@ -121 +124 @@
    {
       if (($ctr % 500) eq 0) { nprint("- User enumeration guess $ctr ($text)", "v"); }
-      (my $result, $content) = nfetch($mark,"/~" . $text, "HEAD");
+      (my $result, $content) = nfetch($mark, $url . $text, "HEAD");
       my $user = nikto_user_enum_apache_check($result, $text);
       if (defined $user)
@@ -132 +135 @@
    if ($found)
    {
-      add_vulnerability($mark, $message . join(' ',@foundusers), 999997, "637", "HEAD", "/");
+      add_vulnerability($mark, $message . join(', ',@foundusers), 999997, "637", "HEAD", "/");
    }
    
@@ -140 +143 @@
 {
    my $filename=$CLI{'mutate-options'};
+   my $url=shift;
+   my ($mark)=@_;
    my $message="Valid users found via Apache enumeration: ";
    my @foundusers=();
@@ -160 +165 @@
       if ($_ eq "" ) { next };
       if (($ctr % 500) == 0) { nprint("- User enumeration guess $ctr ($_)", "v"); }
-      (my $result, $content) = nfetch($mark,"/~" . $_, "HEAD");
+      (my $result, $content) = nfetch($mark, $url . $_, "HEAD");
       my $user = nikto_user_enum_apache_check($result, $_);
       if ($user)
@@ -171 +176 @@
    if (scalar(@foundusers))
    {
-      add_vulnerability($mark, $message . join(' ',@foundusers), 999997, "637", "HEAD", "/");
+      add_vulnerability($mark, $message . join(', ',@foundusers), 999997, "637", "HEAD", "/");
    }
 }