openvas: trunk/openvas-plugins/scripts/DDI_Directory_Scanner.nasl

File: [openvas] / trunk / openvas-plugins / scripts / DDI_Directory_Scanner.nasl (download)
Revision: 7711, Fri May 14 14:04:28 2010 UTC (3 months, 2 weeks ago) by chandra
File size: 31870 byte(s)
Added risk_factor
##
#   This plugin was written by H D Moore <hdm@digitaloffense.net>
##


if(description)
{
  # Plugin registration: identifiers, metadata and scheduling hints only.
  # Nothing in this branch touches the network; exit(0) ends it.
  script_id(11032);
  script_version ("$Revision$");
  script_xref(name:"OWASP", value:"OWASP-CM-006");

  script_name("Directory Scanner");
  script_tag(name:"risk_factor", value:"None");

  script_description("
This plugin attempts to determine the presence of various
common dirs on the remote web server");
  script_summary("Directory Scanner");

  # Information gathering only. The scan walks a long word list, hence
  # the generous timeout; it is skipped entirely when CGI scanning is off.
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is Copyright (C) 2002 Digital Defense Inc.");
  script_family("Service detection");
  script_dependencie("find_service.nes", "httpver.nasl", "embedded_web_server_detect.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_timeout(360);
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");



function check_cgi_dir(dir)
{
 # Probe <dir>/<random non-existent name>. A directory that answers 404
 # for an unknown file is accepted as a real (exec/CGI-style) directory;
 # returns 1 in that case, 0 otherwise.
 # Reads the script-level 'port'. Like the other probes in this script it
 # aborts the whole plugin when the server stops answering.
 local_var probe, answer;

 probe  = http_get(item:dir + "/non-existant"  + string(rand()), port:port);
 answer = http_keepalive_send_recv(data:probe, port:port);
 if (answer == NULL) exit(0);

 if (egrep(pattern:"^HTTP.* 404 .*", string:answer)) return 1;
 return 0;
}

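function check_req_send(port, url)
{
 # Open a fresh (non-keepalive) socket to <port>, send a GET for <url> and
 # hand the open socket back so the caller can read the reply with
 # check_req_recv(). Returns 0 when the socket cannot be opened.
 # 'soc' and 'req' are declared local: the original left them global, so
 # every call overwrote the script-level 'req'.
 local_var soc, req;

 soc = http_open_socket(port);
 if (!soc) return(0);

 req = http_get(item:url, port:port);
 send(socket:soc, data:req);
 return(soc);
}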


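function check_req_recv(soc)
{
 # Read the reply on a socket opened by check_req_send() and close it.
 # Returns 0 for a socket value of 0 (open failed), otherwise whatever was
 # read (may be NULL if the peer sent nothing).
 # When fake404 holds the sentinel used for servers that really return
 # 404, the caller only inspects the status line, so one recv_line() is
 # enough; otherwise the full response is read so the body can be grepped.
 # 'http_resp' is local so the script-level variable of the same name is
 # no longer clobbered as a side effect.
 local_var http_resp;

 if (soc == 0) return(0);

 if (fake404 == "BadString0987654321*DDI*")
   http_resp = recv_line(socket:soc, length:255);
 else
   http_resp = http_recv(socket:soc);

 http_close_socket(soc);
 return(http_resp);
}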


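function check_dir_list (dir)
{
    # Return 1 if <dir> is already present in the script-level 'dirs' test
    # list, else 0. Scans until the first empty/NULL slot, the same
    # convention the scan loops use. The loop index is declared local so
    # it no longer leaks into global scope.
    local_var idx;

    for (idx = 0; dirs[idx]; idx = idx + 1)
    {
        if (dirs[idx] == dir) return(1);
    }
    return(0);
}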

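function check_discovered_list (dir)
{
    # Return 1 if <dir> is already in the script-level 'discovered' result
    # array, else 0. 'discovered[0]' starts out as 0, so the loop ends at
    # once while nothing has been found yet. The loop index is declared
    # local so it no longer leaks into global scope.
    local_var idx;

    for (idx = 0; discovered[idx]; idx = idx + 1)
    {
        if (discovered[idx] == dir) return(1);
    }
    return(0);
}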

function add_discovered_list (dir)
{
    # Append <dir> to the script-level 'discovered' array and advance
    # 'discovered_last' (read later by the reporting code), unless the
    # directory was recorded already.
    if (check_discovered_list(dir:dir) != 0) return;

    discovered[discovered_last] = dir;
    discovered_last = discovered_last + 1;
}

CGI_Dirs = make_list();   # exec[]-flagged directories that were found; written to the "/tmp/cgibin" KB key at the end of the script



dirs[0] = ".cobalt";  score[0] = 1;
dirs[1] = "1";	      
dirs[2] = "10";
dirs[3] = "2";
dirs[4] = "3";
dirs[5] = "4";
dirs[6] = "5";
dirs[7] = "6";
dirs[8] = "7";
dirs[9] = "8";
dirs[10] = "9";
dirs[11] = "AdminWeb"; 		score[11] = 1;
dirs[12] = "Admin_files"; 	score[12] = 1;
dirs[13] = "Administration"; 	score[13] = 1;
dirs[14] = "AdvWebAdmin"; 	score[14] = 1;
dirs[15] = "Agent";
dirs[16] = "Agents";
dirs[17] = "Album";
dirs[18] = "CS";
dirs[19] = "CVS";
dirs[20] = "DMR";
dirs[21] = "DocuColor";
dirs[22] = "GXApp";
dirs[23] = "HB";
dirs[24] = "HBTemplates";
dirs[25] = "IBMWebAS";
dirs[26] = "Install";		score[26] = 1;
dirs[27] = "JBookIt";
dirs[28] = "Log";
dirs[29] = "Mail";		score[29] = 1;
dirs[30] = "Msword";
dirs[31] = "NSearch";
dirs[32] = "NetDynamic";
dirs[33] = "NetDynamics";
dirs[34] = "News";		score[34] = 1;
dirs[35] = "PDG_Cart";		score[35] = 1;
dirs[36] = "README";		score[36] = 1;
dirs[37] = "ROADS";
dirs[38] = "Readme";		score[38] = 1;
dirs[39] = "SilverStream";
dirs[40] = "Stats";		score[40] = 1;
dirs[41] = "StoreDB";		score[41] = 1;
dirs[42] = "Templates";	
dirs[43] = "ToDo";		score[43] = 1;
dirs[44] = "WebBank";
dirs[45] = "WebCalendar";	score[45] = 1;
dirs[46] = "WebDB";
dirs[47] = "WebShop";
dirs[48] = "WebTrend";		score[48] = 1;
dirs[49] = "Web_store";
dirs[50] = "XSL";
dirs[51] = "_ScriptLibrary";
dirs[52] = "_backup";		score[52] = 1;
dirs[53] = "_derived";
dirs[54] = "_errors";		score[54] = 1;
dirs[55] = "_fpclass";
dirs[56] = "_mem_bin";
dirs[57] = "_notes";
dirs[58] = "_objects";
dirs[59] = "_old";
dirs[60] = "_pages";
dirs[61] = "_passwords";	score[61] = 1;
dirs[62] = "_private";		score[62] = 1;
dirs[63] = "_scripts";		score[63] = 1; exec[63] = 1;
dirs[64] = "_sharedtemplates";
dirs[65] = "_tests";		score[65] = 1;
dirs[66] = "_themes";
dirs[67] = "_vti_bin";		score[67] = 1;
dirs[68] = "_vti_bot";		score[68] = 1;
dirs[69] = "_vti_log";		score[69] = 1;
dirs[70] = "_vti_pvt";		score[70] = 1;
dirs[71] = "_vti_shm";		score[71] = 1;
dirs[72] = "_vti_txt";		score[72] = 1;
dirs[73] = "a";
dirs[74] = "acceso";
dirs[75] = "access";		score[75] = 1;
dirs[76] = "accesswatch";
dirs[77] = "acciones";
dirs[78] = "account";		score[78] = 1;
dirs[79] = "accounting";	score[79] = 1;
dirs[80] = "activex";
dirs[81] = "adm";		score[81] = 1;
dirs[82] = "admcgi";
dirs[83] = "admentor";
dirs[84] = "admin";		score[84] = 1;
dirs[85] = "admin-bak";		score[85] = 1;
dirs[86] = "admin-old";		score[86] = 1;
dirs[87] = "admin.back";	score[87] = 1;
dirs[88] = "admin_";		score[88] = 1;
dirs[89] = "administration";	score[89] = 1;
dirs[90] = "administrator";	score[90] = 1;
dirs[91] = "adminuser";		score[91] = 1;
dirs[92] = "adminweb";		score[92] = 1;
dirs[93] = "admisapi";		
dirs[94] = "agentes";
dirs[95] = "analog";		score[95] = 1;
dirs[96] = "anthill";
dirs[97] = "apache";
dirs[98] = "app";
dirs[99] = "applets";
dirs[100] = "application";
dirs[101] = "applications";
dirs[102] = "apps";
dirs[103] = "ar";
dirs[104] = "archive";		score[104] = 1;
dirs[105] = "archives";		score[105] = 1;
dirs[106] = "asp";		score[106] = 1; exec[106] = 1;
dirs[107] = "atc";
dirs[108] = "auth";		score[108] = 1;
dirs[109] = "authadmin";	score[109] = 1;
dirs[110] = "aw";
dirs[111] = "ayuda";
dirs[112] = "b";
dirs[113] = "b2-include";
dirs[114] = "back";
dirs[115] = "backend";
dirs[116] = "backup";		score[116] = 1;
dirs[117] = "backups";		score[117] = 1;
dirs[118] = "bak";		score[118] = 1;
dirs[119] = "banca";
dirs[120] = "banco";
dirs[121] = "bank";
dirs[122] = "banner";
dirs[123] = "banner01";
dirs[124] = "banners";
dirs[125] = "batch";
dirs[126] = "bb-dnbd";
dirs[127] = "bbv";
dirs[128] = "bdata";
dirs[129] = "bdatos";
dirs[130] = "beta";
dirs[131] = "billpay";
dirs[132] = "bin";
dirs[133] = "boadmin";
dirs[134] = "boot";
dirs[135] = "btauxdir";
dirs[136] = "bug";
dirs[137] = "bugs";
dirs[138] = "bugzilla";
dirs[139] = "buy";
dirs[140] = "buynow";
dirs[141] = "c";
dirs[142] = "cache-stats";
dirs[143] = "caja";
dirs[144] = "card";
dirs[145] = "cards";
dirs[146] = "cart";
dirs[147] = "cash";
dirs[148] = "caspsamp";
dirs[149] = "catalog";
dirs[150] = "cbi-bin";		score[150] = 1 ; exec[150] = 1;
dirs[151] = "ccard";		score[151] = 1;
dirs[152] = "ccards";		score[152] = 1;
dirs[153] = "cd";
dirs[154] = "cd-cgi";		score[154] = 1; exec[154]		= 1;
dirs[155] = "cdrom";
dirs[156] = "ce_html";
dirs[157] = "cert";
dirs[158] = "certificado";
dirs[159] = "certificate";
dirs[160] = "cfappman";
dirs[161] = "cfdocs";
dirs[162] = "cfide";		score[162] = 1;	exec[162]	  = 1;
dirs[163] = "cgi";		score[163] = 1; exec[163]	  = 1;
dirs[164] = "cgi-auth";		score[164] = 1; exec[164]	  = 1;
dirs[165] = "cgi-bin";		score[165] = 1; exec[165]	  = 1;
dirs[166] = "cgi-bin2";		score[166] = 1; exec[166]	  = 1;
dirs[167] = "cgi-csc";		score[167] = 1; exec[167]	  = 1;
dirs[168] = "cgi-lib";		score[168] = 1; exec[168]	  = 1;
dirs[169] = "cgi-local";	score[169] = 1; exec[169]	  = 1;
dirs[170] = "cgi-scripts";	score[170] = 1; exec[170]	  = 1;
dirs[171] = "cgi-shl";		score[171] = 1; exec[171]	  = 1;
dirs[172] = "cgi-shop";		score[172] = 1; exec[172]	  = 1;
dirs[173] = "cgi-sys";		score[173] = 1; exec[173]	  = 1;
dirs[174] = "cgi-weddico"; 	score[174] = 1; exec[174]	  = 1;  	  
dirs[175] = "cgi-win";		score[175] = 1; exec[175]	  = 1;
dirs[176] = "cgibin";		score[176] = 1; exec[176]	  = 1;
dirs[177] = "cgilib";		score[177] = 1; exec[177]	  = 1;
dirs[178] = "cgis";		score[178] = 1; exec[178]	  = 1;
dirs[179] = "cgiscripts";	score[179] = 1; exec[179]	  = 1;
dirs[180] = "cgiwin";		score[180] = 1; exec[180]	  = 1;
dirs[181] = "class";		score[181] = 1; exec[181]	  = 1;
dirs[182] = "classes";		score[182] = 1; exec[182]	  = 1;
dirs[183] = "cliente";
dirs[184] = "clientes";
dirs[185] = "cm";
dirs[186] = "cmsample";
dirs[187] = "cobalt-images";
dirs[188] = "code";
dirs[189] = "comments";
dirs[190] = "common";
dirs[191] = "communicator";
dirs[192] = "compra";
dirs[193] = "compras";
dirs[194] = "compressed";
dirs[195] = "conecta";
dirs[196] = "conf";
dirs[197] = "config";		score[197] = 1;
dirs[198] = "connect";
dirs[199] = "console";
dirs[200] = "controlpanel";
dirs[201] = "core";
dirs[202] = "corp";
dirs[203] = "correo";
dirs[204] = "counter";
dirs[205] = "credit";		score[205] = 1;
dirs[206] = "cron";
dirs[207] = "crons";
dirs[208] = "crypto";
dirs[209] = "csr";
dirs[210] = "css";
dirs[211] = "cuenta";
dirs[212] = "cuentas";
dirs[213] = "currency";
dirs[214] = "customers";	score[214] = 1;
dirs[215] = "cvsweb";
dirs[216] = "cybercash";
dirs[217] = "d";
dirs[218] = "darkportal";
dirs[219] = "dat";
dirs[220] = "data";
dirs[221] = "database";		score[221] = 1;
dirs[222] = "databases";	score[222] = 1;
dirs[223] = "datafiles";	score[223] = 1;
dirs[224] = "dato";
dirs[225] = "datos";
dirs[226] = "db";		score[226] = 1;
dirs[227] = "dbase";		score[227] = 1;
dirs[228] = "dcforum";
dirs[229] = "ddreport";
dirs[230] = "ddrint";
dirs[231] = "demo";		score[231] = 1;
dirs[232] = "demoauct";
dirs[233] = "demomall";
dirs[234] = "demos";		score[234] = 1;
dirs[235] = "design";
dirs[236] = "dev";		score[236] = 1;
dirs[237] = "devel";		score[237] = 1;
dirs[238] = "development";
dirs[239] = "dir";
dirs[240] = "directory";	score[240] = 1;
dirs[241] = "directorymanager";
dirs[242] = "dl";
dirs[243] = "dm";
dirs[244] = "dms";
dirs[245] = "dms0";
dirs[246] = "dmsdump";
dirs[247] = "doc";		score[247] = 1;
dirs[248] = "doc-html";
dirs[249] = "doc1";
dirs[250] = "docs";
dirs[251] = "docs1";
dirs[252] = "document";		score[252] = 1;
dirs[253] = "documents";	score[253] = 1;
dirs[254] = "down";
dirs[255] = "download";		score[255] = 1;
dirs[256] = "downloads";	score[256] = 1;
dirs[257] = "dump";
dirs[258] = "durep";
dirs[259] = "e";
dirs[260] = "easylog";
dirs[261] = "eforum";
dirs[262] = "ejemplo";
dirs[263] = "ejemplos";
dirs[264] = "email";	      score[264] = 1;
dirs[265] = "emailclass";
dirs[266] = "employees";
dirs[267] = "empoyees";
dirs[268] = "empris";
dirs[269] = "envia";
dirs[270] = "enviamail";
dirs[271] = "error";
dirs[272] = "errors";
dirs[273] = "es";
dirs[274] = "estmt";
dirs[275] = "etc";
dirs[276] = "example";
dirs[277] = "examples";
dirs[278] = "exc";
dirs[279] = "excel";
dirs[280] = "exchange";
dirs[281] = "exe";
dirs[282] = "exec";
dirs[283] = "export";
dirs[284] = "external";
dirs[285] = "f";
dirs[286] = "fbsd";
dirs[287] = "fcgi-bin";
dirs[288] = "file";
dirs[289] = "filemanager";
dirs[290] = "files";
dirs[291] = "foldoc";
dirs[292] = "form";
dirs[293] = "form-totaller";
dirs[294] = "forms";
dirs[295] = "formsmgr";
dirs[296] = "forum";
dirs[297] = "forums";
dirs[298] = "foto";
dirs[299] = "fotos";
dirs[300] = "fpadmin";
dirs[301] = "fpdb";
dirs[302] = "fpsample";
dirs[303] = "framesets";
dirs[304] = "ftp";
dirs[305] = "ftproot";
dirs[306] = "g";
dirs[307] = "gfx";
dirs[308] = "global";
dirs[309] = "grocery";
dirs[310] = "guest";
dirs[311] = "guestbook";
dirs[312] = "guests";
dirs[313] = "help";
dirs[314] = "helpdesk";
dirs[315] = "hidden";	score[315] = 1;
dirs[316] = "hide";
dirs[317] = "hit_tracker";
dirs[318] = "hitmatic";
dirs[319] = "hlstats";   score[319] = 1;
dirs[320] = "home";
dirs[321] = "hostingcontroller";
dirs[322] = "ht";
dirs[323] = "htbin";  score[323] = 1; exec[323] = 1;
dirs[324] = "htdocs"; score[324] = 1;
dirs[325] = "html";
dirs[326] = "hyperstat";
dirs[327] = "ibank";
dirs[328] = "ibill";
dirs[329] = "icons";
dirs[330] = "idea";
dirs[331] = "ideas";
dirs[332] = "iisadmin"; 	score[332] = 1;
dirs[333] = "iissamples";	score[333] = 1;
dirs[334] = "image";
dirs[335] = "imagenes";
dirs[336] = "imagery";
dirs[337] = "images";
dirs[338] = "img";
dirs[339] = "imp";
dirs[340] = "import";
dirs[341] = "impreso";
dirs[342] = "inc";
dirs[343] = "include";		score[343] = 1;
dirs[344] = "includes";		score[344] = 1;
dirs[345] = "incoming";		score[345] = 1;
dirs[346] = "info";
dirs[347] = "information";
dirs[348] = "ingresa";
dirs[349] = "ingreso";
dirs[350] = "install";
dirs[351] = "internal";
dirs[352] = "intranet";		score[352] = 1;
dirs[353] = "inventory";
dirs[354] = "invitado";
dirs[355] = "isapi";
dirs[356] = "japidoc";
dirs[357] = "java";
dirs[358] = "javascript";
dirs[359] = "javasdk";
dirs[360] = "javatest";
dirs[361] = "jave";
dirs[362] = "jdbc";
dirs[363] = "job";
dirs[364] = "jrun";
dirs[365] = "js";
dirs[366] = "jserv";
dirs[367] = "jslib";
dirs[368] = "jsp";
dirs[369] = "junk";
dirs[370] = "kiva";
dirs[371] = "labs";
dirs[372] = "lcgi";
dirs[373] = "lib";
dirs[374] = "libraries";
dirs[375] = "library";
dirs[376] = "libro";
dirs[377] = "links";
dirs[378] = "linux";
dirs[379] = "loader";
dirs[380] = "log";		score[380] = 1;
dirs[381] = "logfile";
dirs[382] = "logfiles";
dirs[383] = "logg";
dirs[384] = "logger";
dirs[385] = "logging";
dirs[386] = "login";		score[386] = 1;
dirs[387] = "logon";		score[387] = 1;
dirs[388] = "logs";		score[388] = 1;
dirs[389] = "lost+found";	score[389] = 1;
dirs[390] = "mail";
dirs[391] = "mail_log_files";
dirs[392] = "mailman";
dirs[393] = "mailroot";
dirs[394] = "makefile";
dirs[395] = "mall_log_files";
dirs[396] = "manage";
dirs[397] = "manual";
dirs[398] = "marketing";
dirs[399] = "members";
dirs[400] = "message";
dirs[401] = "messaging";
dirs[402] = "metacart";
dirs[403] = "misc";
dirs[404] = "mkstats";
dirs[405] = "movimientos";
dirs[406] = "mqseries";
dirs[407] = "msql";
dirs[408] = "mysql";
dirs[409] = "mysql_admin";	score[409] = 1;
dirs[410] = "ncadmin";
dirs[411] = "nchelp";
dirs[412] = "ncsample";
dirs[413] = "netbasic";
dirs[414] = "netcat";
dirs[415] = "netmagstats";
dirs[416] = "netscape";
dirs[417] = "netshare";
dirs[418] = "nettracker";
dirs[419] = "new";
dirs[420] = "nextgeneration";
dirs[421] = "nl";
dirs[422] = "noticias";
dirs[423] = "objects";
dirs[424] = "odbc";
dirs[425] = "old";		score[425] = 1;
dirs[426] = "old_files";	score[426] = 1;
dirs[427] = "oldfiles";		score[427] = 1;
dirs[428] = "oprocmgr-service";
dirs[429] = "oprocmgr-status";
dirs[430] = "oracle";		score[430] = 1;
dirs[431] = "oradata";
dirs[432] = "order";
dirs[433] = "orders";
dirs[434] = "outgoing";
dirs[435] = "owners";
dirs[436] = "pages";
dirs[437] = "passport";
dirs[438] = "password";		score[438] = 1;
dirs[439] = "passwords";	score[439] = 1;
dirs[440] = "payment";		score[440] = 1;
dirs[441] = "payments";		score[441] = 1;
dirs[442] = "pccsmysqladm";
dirs[443] = "perl";
dirs[444] = "perl5";
dirs[445] = "personal";
dirs[446] = "pforum";
dirs[447] = "phorum";
dirs[448] = "php";
dirs[449] = "phpBB";		exec[449] = 1;
dirs[450] = "phpMyAdmin";	exec[450] = 1;
dirs[451] = "phpPhotoAlbum";	exec[451] = 1;
dirs[452] = "phpSecurePages";	exec[452] = 1;
dirs[453] = "php_classes";	exec[453] = 1;
dirs[454] = "phpclassifieds";	exec[454] = 1;
dirs[455] = "phpimageview";	exec[455] = 1;
dirs[456] = "phpnuke";		exec[456] = 1;
dirs[457] = "phpprojekt";	exec[457] = 1;
dirs[458] = "piranha";	
dirs[459] = "pls";
dirs[460] = "poll";
dirs[461] = "polls";
dirs[462] = "postgres";
dirs[463] = "ppwb";
dirs[464] = "printers";
dirs[465] = "priv";
dirs[466] = "privado";
dirs[467] = "private";		score[467] = 1;
dirs[468] = "prod";
dirs[469] = "protected";	score[469] = 1;
dirs[470] = "prueba";
dirs[471] = "pruebas";
dirs[472] = "prv";
dirs[473] = "pub";
dirs[474] = "public";
dirs[475] = "publica";
dirs[476] = "publicar";
dirs[477] = "publico";
dirs[478] = "publish";
dirs[479] = "purchase";
dirs[480] = "purchases";
dirs[481] = "pw";
dirs[482] = "random_banner";
dirs[483] = "rdp";
dirs[484] = "register";
dirs[485] = "registered";
dirs[486] = "report";
dirs[487] = "reports";
dirs[488] = "reseller";
dirs[489] = "restricted";
dirs[490] = "retail";
dirs[491] = "reviews";
dirs[492] = "root";
dirs[493] = "rsrc";
dirs[494] = "sales";
dirs[495] = "sample";
dirs[496] = "samples";
dirs[497] = "save";
dirs[498] = "script";
dirs[499] = "scripts";			exec[499] = 1;
dirs[500] = "search";
dirs[501] = "search-ui";
dirs[502] = "secret";		score[502] = 1;
dirs[503] = "secure";		score[503] = 1;
dirs[504] = "secured";		score[504] = 1;
dirs[505] = "sell";
dirs[506] = "server-info";
dirs[507] = "server-status";
dirs[508] = "server_stats";
dirs[509] = "servers";
dirs[510] = "serverstats";
dirs[511] = "service";
dirs[512] = "services";
dirs[513] = "servicio";
dirs[514] = "servicios";
dirs[515] = "servlet";
dirs[516] = "servlets";
dirs[517] = "session";
dirs[518] = "setup";
dirs[519] = "share";
dirs[520] = "shared";
dirs[521] = "shell-cgi";
dirs[522] = "shipping";
dirs[523] = "shop";
dirs[524] = "shopper";
dirs[525] = "site";
dirs[526] = "siteadmin";	score[526] = 1;
dirs[527] = "sitemgr";
dirs[528] = "siteminder";
dirs[529] = "siteminderagent";
dirs[530] = "sites";		score[530] = 1;
dirs[531] = "siteserver";
dirs[532] = "sitestats";
dirs[533] = "siteupdate";
dirs[534] = "smreports";
dirs[535] = "smreportsviewer";
dirs[536] = "soap";
dirs[537] = "soapdocs";
dirs[538] = "software";
dirs[539] = "solaris";
dirs[540] = "source";
dirs[541] = "sql";
dirs[542] = "squid";
dirs[543] = "src";
dirs[544] = "srchadm";
dirs[545] = "ssi";		score[545] = 1;
dirs[546] = "ssl";		score[546] = 1;
dirs[547] = "sslkeys";		score[547] = 1;
dirs[548] = "staff";
dirs[549] = "stat";		score[549] = 1;
dirs[550] = "statistic";	score[550] = 1;
dirs[551] = "statistics";	score[551] = 1;
dirs[552] = "stats";		score[552] = 1;
dirs[553] = "stats-bin-p";
dirs[554] = "stats_old";	score[554] = 1;
dirs[555] = "status";
dirs[556] = "storage";
dirs[557] = "store";
dirs[558] = "storemgr";
dirs[559] = "stronghold-info";
dirs[560] = "stronghold-status";
dirs[561] = "stuff";
dirs[562] = "style";
dirs[563] = "styles";
dirs[564] = "stylesheet";
dirs[565] = "stylesheets";
dirs[566] = "subir";
dirs[567] = "sun";
dirs[568] = "super_stats";
dirs[569] = "support";
dirs[570] = "supporter";
dirs[571] = "sys";		score[571] = 1;
dirs[572] = "sysadmin";		score[572] = 1;
dirs[573] = "sysbackup";	score[573] = 1;
dirs[574] = "system";
dirs[575] = "tar";
dirs[576] = "tarjetas";
dirs[577] = "te_html";
dirs[578] = "tech";
dirs[579] = "technote";
dirs[580] = "temp";
dirs[581] = "template";
dirs[582] = "templates";
dirs[583] = "temporal";
dirs[584] = "test";		score[584] = 1;
dirs[585] = "test-cgi";		
dirs[586] = "testing";	 	score[586] = 1;
dirs[587] = "tests";		score[587] = 1;
dirs[588] = "testweb";
dirs[589] = "ticket";
dirs[590] = "tickets";
dirs[591] = "tmp";		score[591] = 1;
dirs[592] = "tools";
dirs[593] = "tpv";
dirs[594] = "trabajo";
dirs[595] = "transito";
dirs[596] = "transpolar";
dirs[597] = "tree";
dirs[598] = "trees";
dirs[599] = "updates";
dirs[600] = "upload";
dirs[601] = "uploads";
dirs[602] = "us";
dirs[603] = "usage";
dirs[604] = "user";
dirs[605] = "userdb";		score[605] = 1;
dirs[606] = "users";		score[606] = 1;
dirs[607] = "usr";
dirs[608] = "ustats";		score[608] = 1;
dirs[609] = "usuario";
dirs[610] = "usuarios";
dirs[611] = "util";
dirs[612] = "utils";
dirs[613] = "vfs";
dirs[614] = "w-agora";
dirs[615] = "w3perl";
dirs[616] = "way-board";
dirs[617] = "web";
dirs[618] = "web800fo";
dirs[619] = "webMathematica";
dirs[620] = "web_usage";	score[620] = 1;
dirs[621] = "webaccess";	score[621] = 1;
dirs[622] = "webadmin";		score[622] = 1;
dirs[623] = "webalizer";	score[623] = 1;
dirs[624] = "webapps";
dirs[625] = "webboard";
dirs[626] = "webcart";
dirs[627] = "webcart-lite";
dirs[628] = "webdata";
dirs[629] = "webdb";
dirs[630] = "webimages";
dirs[631] = "webimages2";
dirs[632] = "weblog";
dirs[633] = "weblogs";
dirs[634] = "webmaster";
dirs[635] = "webmaster_logs";
dirs[636] = "webpub";
dirs[637] = "webpub-ui";
dirs[638] = "webreports";
dirs[639] = "webreps";
dirs[640] = "webshare";
dirs[641] = "website";
dirs[642] = "webstat";		score[642] = 1;
dirs[643] = "webstats";		score[643] = 1;
dirs[644] = "webtrace";
dirs[645] = "webtrends";	score[645] = 1;
dirs[646] = "windows";
dirs[647] = "word";
dirs[648] = "work";
dirs[649] = "wsdocs";
dirs[650] = "wstats";		score[650] = 1;
dirs[651] = "wusage";		score[651] = 1;
dirs[652] = "www";
dirs[653] = "www-sql";
dirs[654] = "wwwjoin";
dirs[655] = "wwwlog";		score[655] = 1;
dirs[656] = "wwwstat";		score[656] = 1;
dirs[657] = "wwwstats";		score[657] = 1;
dirs[658] = "xGB";
dirs[659] = "xml";
dirs[660] = "xtemp";
dirs[661] = "zb41";
dirs[662] = "zipfiles";
dirs[663] = "~1";
dirs[664] = "~admin";		score[664] = 1;
dirs[665] = "~log";
dirs[666] = "~root";
dirs[667] = "~stats";		score[667] = 1;
dirs[668] = "~webstats";	score[668] = 1;
dirs[669] = "~wsdocs";
dirs[670] = "track";
dirs[671] = "tracking";
dirs[672] = "BizTalkTracking";
dirs[673] = "BizTalkServerDocs";
dirs[674] = "BizTalkServerRepository";
dirs[675] = "MessagingManager";
dirs[676] = "iisprotect";
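dirs[677] = "mp3";		score[677] = 1;   # was score[667]: an index typo left mp3/mp3s unscored (667/668 were already 1)
dirs[678] = "mp3s";		score[678] = 1;   # was score[668]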
dirs[679] = "acid";
dirs[680] = "chat";
dirs[681] = "eManager";
dirs[682] = "keyserver";
dirs[683] = "search97";
dirs[684] = "tarantella";
dirs[685] = "webmail";
dirs[686] = "flexcube@";
dirs[687] = "flexcubeat";
dirs[688] = "ganglia";
dirs[689] = "sitebuildercontent";
dirs[690] = "sitebuilderfiles";
dirs[691] = "sitebuilderpictures";
dirs[692] = "WSsamples";
dirs[693] = "mercuryboard";
dirs[694] = "tdbin";
dirs[695] = "AlbumArt_";


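# Append further entries after the static table. 'i' is the next free slot;
# it is derived from the table itself instead of being hard-coded (the old
# constant 696 had to be kept in sync by hand whenever a row was added).
i = max_index(dirs);
# The three following directories exist on Resin default installation
dirs[i++] = "faq";
dirs[i++] = "ref";
dirs[i++] = "cmp";
# Phishing
dirs[i] = "cgi-bim";          exec[i++] = 1;
# Lite-serve
dirs[i] = "cgi-isapi";		exec[i++] = 1;
# HyperWave
dirs[i++] = "wavemaster.internal";
# Urchin
dirs[i++] = "urchin";
dirs[i++] = "urchin3";
dirs[i++] = "urchin5";
# CVE-2000-0237
dirs[i++] = "publisher";
# Common Locale
dirs[i++] = "en";
dirs[i++] = "en-US";
dirs[i++] = "fr";
dirs[i++] = "intl";
# Seen on Internet
dirs[i++] = "about";
dirs[i++] = "aspx";
dirs[i++] = "Boutiques";
dirs[i++] = "business";
dirs[i++] = "content";
dirs[i++] = "Corporate";
dirs[i++] = "company";
dirs[i++] = "client";
dirs[i++] = "DB4Web";
dirs[i] = "dll";	exec[i++] = 1;
dirs[i++] = "frameset";
dirs[i++] = "howto";
dirs[i++] = "legal";
dirs[i++] = "member";
dirs[i++] = "myaccount";
dirs[i++] = "obj";
dirs[i++] = "offers";
dirs[i++] = "personal_pages";
dirs[i++] = "rem";
dirs[i++] = "Remote";
dirs[i++] = "serve";
dirs[i++] = "shopping";
dirs[i++] = "slide";
dirs[i++] = "solutions";
dirs[i++] = "v4";
dirs[i++] = "wws";		# Sympa
dirs[i++] = "squirrelmail";
dirs[i++] = "dspam";
dirs[i++] = "cacti";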

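# Add domain name parts (DNS labels) as candidate directories. Skipped when
# the target is a bare IPv4 address, which has no useful labels.
hn = get_host_name();
if (! ereg(string: hn, pattern: "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"))
{
 # keep:FALSE drops the separator; by default split() leaves the "." on each
 # piece, so "www." never matched an entry and was never meant to be probed.
 hnp = split(hn, sep: ".", keep: FALSE);
 foreach p (hnp)
 {
   # An empty label (e.g. from a trailing dot) stored as "" would end the
   # truthiness-driven copy/scan loops at that slot, so it is skipped.
   if (strlen(p) == 0) continue;

   n = max_index(dirs);
   for (j = 0; j < n && dirs[j] != p; j ++)
     ;
   # j == n means the label is not in the list yet: append it. The original
   # test was inverted (it appended only labels that were already present).
   if (j >= n) dirs[n] = p;
 }
}

# Index of the last entry in the test list; the robots.txt and CVS/Entries
# probes below append after it. Derived from the table itself so that labels
# added from the host name are counted too.
dirs_last = max_index(dirs) - 1;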

# Strings used by the fake-404 detection below: when the server answers 200
# for a directory that cannot exist, each entry is tried in order as a
# case-insensitive egrep pattern against that response, and the first one
# that matches becomes 'fake404', the marker for "this 200 is really a 404".
# Entries are regex patterns, not plain substrings.
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "FireWall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";
errmsg[6] = "HP Web JetAdmin";
errmsg[7] = "Error processing SSI file";
errmsg[8] = "ExtendNet DX Configuration";
errmsg[9] = "Unable to complete your request due to added security features";
errmsg[10] = "Client Authentication Remote Service</font>";
errmsg[11] = "Error - Bad Request";
errmsg[12] = "Webmin server";
errmsg[13] = "unknown";
errmsg[14] = "Management Console";
errmsg[15] = "Insufficient Access";
errmsg[16] = "TYPE=password";
errmsg[17] = "The userid or password that was specified is not valid";
errmsg[18] = "Content-Length: 0";

# ---- script-level state ----------------------------------------------------

# Set to 1 for a trace of every decision on stdout.
debug = 0;

# Per-status-code switches; cleared below when the server answers
# 200 / 401 / 403 for a directory that cannot exist.
Check200 = 1;
Check401 = 1;
Check403 = 1;

# Marker identifying a "soft 404" body on servers that answer 200 for
# everything; filled in by the fake-404 probe below.
fake404 = string("");

# Report text and counters for the two kinds of findings.
report     = string("The following directories were discovered:\n");
found      = 0;
authreport = string("The following directories require authentication:\n");
authfound  = 0;

# Result list read by the reporting code. Slot 0 starts as 0 so that
# check_discovered_list()'s loop stops immediately while the list is empty.
discovered[0] = 0;
discovered_last = 0;

if(debug) display("\n::[ DDI Directory Scanner running in debug mode\n::\n");

# Resolve the web port and stop early when it is closed, or when the server
# was identified as an embedded device and thorough tests are not enabled.
port = get_http_port(default:80);

if (!port || !get_port_state(port))
{
    if (debug) display(":: Error: port ", port, " was not open on target.\n");
    exit(0);
}

if (get_kb_item("Services/www/" + port + "/embedded") && ! thorough_tests)
{
    exit(0);
}

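##
# pull the robots.txt file: every "Disallow: /<path>" entry that does not
# look like a file (no '.' in it) becomes an extra directory to test
##

if (debug) display(":: Checking for robots.txt...\n");
req = http_get(item:"/robots.txt", port:port);
http_data = http_keepalive_send_recv(port:port, data:req);

if (http_data != NULL && ereg(pattern:"^HTTP/1.[01] 200 ", string:http_data))
{
    strings = split(http_data);
    foreach string (strings)
    {
        if (   egrep(pattern:"disallow:.*/", string:string, icase:TRUE) &&
             ! egrep(pattern:"disallow:.*\.", string:string, icase:TRUE)
           )
        {
            # yes, i suck at regex's in nasl. I want my \s+!
            robot_dir = ereg_replace(pattern:"disallow:\W*/(.*)$", string:string, replace:"\1", icase:TRUE);
            robot_dir = ereg_replace(pattern:"\W*$", string:robot_dir, replace:"", icase:TRUE);
            robot_dir = ereg_replace(pattern:"/$|\?$", string:robot_dir, replace:"", icase:TRUE);

            # "Disallow: /" reduces to an empty name. Storing "" in dirs[]
            # would stop the truthiness-driven copy/scan loops at that slot,
            # so such entries are dropped instead of added.
            if (strlen(robot_dir) == 0)
            {
                if (debug) display(":: Ignoring empty robots.txt entry\n");
            }
            else if (!check_dir_list(dir:robot_dir))
            {
                # add directory to the list
                dirs_last = dirs_last + 1;
                dirs[dirs_last] = robot_dir;
                if (debug) display(":: Directory '", robot_dir, "' added to test list\n");
            } else {
                if (debug) display(":: Directory '", robot_dir, "' already exists in test list\n");
            }
        }
    }
}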


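##
# pull the CVS/Entries file: each "D/<name>////" line names a sub-directory
# that becomes an extra directory to test
##

if (debug) display(":: Checking for /CVS/Entries...\n");
req = http_get(item:"/CVS/Entries", port:port);
http_data = http_keepalive_send_recv(port:port, data:req);
if (http_data == NULL) exit(0);

if (ereg(pattern:"^HTTP/1.[01] 200 ", string:http_data))
{
    strings = split(http_data, string("\n"));

    foreach string (strings)
    {
        if (ereg(pattern:"^D/(.*)////", string:string, icase:TRUE))
        {
            cvs_dir = ereg_replace(pattern:"D/(.*)////.*", string:string, replace:"\1", icase:TRUE);

            # A "D////" line yields an empty name; "" in dirs[] would stop
            # the truthiness-driven copy/scan loops at that slot, so skip it.
            if (strlen(cvs_dir) == 0)
            {
                if (debug) display(":: Ignoring empty CVS/Entries directory line\n");
            }
            else if (! check_dir_list(dir:cvs_dir))
            {
                # add directory to the list
                dirs_last = dirs_last + 1;
                dirs[dirs_last] = cvs_dir;
                if (debug) display(":: Directory '", cvs_dir, "' added to test list\n");
            } else {
                if (debug) display(":: Directory '", cvs_dir, "' already exists in test list\n");
            }
        }
    }
}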


##
# test for servers which return 200/403/401 for everything
##

req = http_get(item:"/NonExistant" + rand() + "/", port:port);
http_resp = http_keepalive_send_recv(port:port, data:req);
if (http_resp == NULL) exit(0);

if (ereg(pattern:"^HTTP/1.[01] 200 ", string: http_resp))
{
    # Soft-404 server: look for a known error phrase in the body and keep
    # the first one that matches as the marker for "does not exist".
    fake404 = 0;
    if (debug) display(":: This server returns 200 for non-existent directories.\n");

    for (em = 0; errmsg[em] && !fake404; em = em + 1)
    {
        if (egrep(pattern:errmsg[em], string:http_resp, icase:TRUE))
        {
            fake404 = errmsg[em];
            if (debug) display(":: Using '", fake404, "' as an indication of a 404 error\n");
        }
    }

    if (!fake404)
    {
        # No usable marker: a 200 can no longer be trusted, so the 200 path
        # of the scan is switched off.
        if (debug) display(":: Could not find an error string to match against for the fake 404 response.\n");
        if (debug) display(":: Checks which rely on 200 responses are being disabled\n");
        Check200 = 0;
    }
}
else
{
    # Genuine 404: a marker string that is not expected to occur in any
    # response body, so the fake404 grep in the scan loop never matches.
    fake404 = string("BadString0987654321*DDI*");
}

if (ereg(pattern:"^HTTP/1.[01] 401 ", string: http_resp))
{
    if (debug) display(":: This server requires authentication for non-existent directories, disabling 401 checks.\n");
    Check401 = 0;
}

if (ereg(pattern:"^HTTP/1.[01] 403 ", string: http_resp))
{
    if (debug) display(":: This server returns a 403 for non-existent directories, disabling 403 checks.\n");
    Check403 = 0;
}



##
# start the actual directory scan
##

keep_scanning = 1;   # not read anywhere else in this file
ScanRootDir   = "/"; # prefix for every probed path
max_recurse   = 5;   # not read anywhere else in this file

# copy the directory test list into cdirs[]; stops at the first empty slot
cdirs[0] = 0;
dcp = 0;
while (dirs[dcp])
{
    cdirs[dcp] = dirs[dcp];
    cdirs_last = dcp;
    dcp = dcp + 1;
}


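# Two passes over the candidate list: pass 0 probes the entries marked
# score[] == 1 (the interesting ones), pass 1 the rest. Pass 1 is skipped
# when pass 0 took more than 80 seconds and thorough tests are off.
for ( pass = 0 ; pass < 2 ; pass ++ )
{
    start_pass = unixtime();
    if (debug) display(":: Starting the directory scan...\n");

    for (i = 0; cdirs[i]; i = i + 1)
    {
        if ( pass == 0 && score[i] == 0 ) continue;
        if ( pass == 1 && score[i] != 0 ) continue;

        res = http_keepalive_send_recv(port:port, data:http_get(item:string(ScanRootDir, cdirs[i], "/"), port:port));
        if ( res == NULL ) exit(0);

        # An empty reply has no status line. The dummy body is substituted
        # *before* the status code is parsed (the original parsed first, so
        # the guard never protected the substr() it was meant for); the
        # resulting http_code is 0 and the fake404 grep has harmless input.
        if (!res) res = "BogusBogusBogus";
        http_code = int(substr(res, 9, 11));

        if ( Check200 &&
             http_code == 200 &&
             ! (egrep(pattern:fake404, string:res, icase:TRUE))
           )
        {
            if (debug) display(":: Discovered: " , ScanRootDir, cdirs[i], "\n");

            add_discovered_list(dir:string(ScanRootDir, cdirs[i]));
            # exec[] entries only count as CGI directories once they answer
            # 404 for a random file name (see check_cgi_dir).
            if (exec[i] != 0)
            {
                if (check_cgi_dir(dir:cdirs[i])) CGI_Dirs = make_list(CGI_Dirs, cdirs[i]);
            }

            if (found != 0)
            {
                report = report + ", " + ScanRootDir + cdirs[i];
            } else {
                report = report + ScanRootDir + cdirs[i];
            }
            found = found + 1;
        }

        if ( Check403 && http_code == 403 )
        {
            if (debug) display(":: Got a 403 for ", ScanRootDir, cdirs[i], ", checking for file in the directory...\n");

            # Tell "index listing forbidden" apart from "whole tree
            # forbidden" by asking for a file that cannot exist inside it.
            soc = check_req_send(port:port, url:string(ScanRootDir, cdirs[i], "/NonExistent.html"));
            res2 = check_req_recv(soc:soc);

            if (ereg(pattern:"^HTTP/1.[01] 403 ", string:res2))
            {
                # the whole directory appears to be protected
                if (debug) display("::   403 applies to the entire directory \n");
            } else {
                if (debug) display("::   403 applies to just directory indexes \n");

                # the directory just has indexes turned off
                if (debug) display(":: Discovered: " , ScanRootDir, cdirs[i], "\n");
                add_discovered_list(dir:string(ScanRootDir, cdirs[i]));
                if (exec[i] != 0) CGI_Dirs = make_list(CGI_Dirs, cdirs[i]);

                if (found != 0)
                {
                    report = report + ", " + ScanRootDir + cdirs[i];
                } else {
                    report = report + ScanRootDir + cdirs[i];
                }
                found = found + 1;
            }
        }

        if ( Check401 && http_code == 401 )
        {
            if (debug) display(":: Got a 401 for ", ScanRootDir + cdirs[i], "\n");
            if (authfound != 0)
            {
                authreport = authreport + ", " + ScanRootDir + cdirs[i];
            } else {
                authreport = authreport + ScanRootDir + cdirs[i];
            }
            authfound = authfound + 1;
        }
    }

    # Low-priority entries (pass 1) are skipped on slow servers unless
    # thorough tests were requested.
    if ( pass == 0 && unixtime() - start_pass > 80 && ! thorough_tests ) break;
}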






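##
# reporting happens here
##

result = string("");

if (found)
{
    result = report;
    result += string("

While this is not, in and of itself, a bug, you should manually inspect 
these directories to ensure that they are in compliance with company
security standards\n");
}

if (authfound)
{
    result = result + string("\n", authreport);
}

if (strlen(result))
{
    security_note(port:port, data:result);

    # Record every discovered directory in the KB for other plugins. The
    # key is the same for all entries, so it is built once, not per entry.
    dir_key = string("www/", port, "/content/directories");
    for (idx = 0; idx < discovered_last; idx = idx + 1)
    {
        if (debug) display("Setting KB key: ", dir_key, " to '", discovered[idx], "'\n");
        set_kb_item(name:dir_key, value:discovered[idx]);
    }
}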



# Publish the exec directories found above that are not already known as
# CGI directories. cgi_dirs() (from http_func.inc) is re-read on every
# iteration on purpose: it may well read the same "/tmp/cgibin" key this
# loop writes — confirm in http_func.inc before hoisting it.
foreach d (CGI_Dirs)
{
  known = 0;
  foreach c (cgi_dirs())
  {
    if (c == "/" + d)
    {
      known = 1;
      break;
    }
  }

  if (!known) set_kb_item(name:"/tmp/cgibin", value:"/" + d);
}
