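# --- tail of resolve(); its start lies above this chunk and is left untouched ---
if ($name ne "") { $dn=$name; } else { $dn=$ip; }
# set this 'host'
$request{'whisker'}{'host'} = $name;
return $name,$ip,$dn;
}

#################################################################################
# Build %TARGETS from -h. The value is either a file of "host[:port[,port...]]"
# lines or a single host. Every target gets:
#   ident    - name or IP as given; resolve() later decides which it is
#   ports_in - the raw port spec that port_scan() will expand
# Calls usage() when no host was given at all.
#################################################################################
sub set_targets
{
    if ($CLI{host} eq "") { usage(); }
    my $host_ctr = 1;

    # if -p is not set, see if each line has its own ports. if not push 80 to ports_in
    if (-e $CLI{host})
    {
        nprint("Reading from file '$CLI{host}'", "v");
        # Three-arg open: a -h value such as ">foo" or "cmd|" is a file name,
        # never an open mode.  $! (not $@) carries the OS error.
        open(my $in, '<', $CLI{host}) or die "Cannot open '$CLI{host}':$!\n";
        while (my $entry = <$in>)
        {
            chomp($entry);
            $entry =~ s/\#.*$//;    # strip comments
            $entry =~ s/\s+//g;     # and every run of whitespace
            next if $entry eq "";   # blank / comment-only / whitespace-only lines make no target
            $COUNTERS{hosts_total}++;

            if ($entry =~ /(\:|\,)/)    # at least one port is set for host
            {
                my ($ident, @host_ports) = split(/\:|\,/, $entry);
                $TARGETS{$host_ctr}{ident} = $ident;

                # prepend anything from CLI -- careful not to duplicate port 80 (default).
                # An empty -p contributes nothing (it used to leave a leading "," in
                # ports_in, which port_scan() then rejected as an invalid port).
                my $has_eighty = grep { $_ eq 80 } @host_ports;
                my @ports      = @host_ports;
                if ($CLI{ports} ne "" && !($has_eighty && $CLI{ports} eq 80))
                {
                    unshift(@ports, $CLI{ports});
                }
                $TARGETS{$host_ctr}{ports_in} = join(",", @ports);
            }
            else
            {
                $TARGETS{$host_ctr}{ports_in} = $CLI{ports};
                if ($TARGETS{$host_ctr}{ports_in} eq "") { $TARGETS{$host_ctr}{ports_in} = 80; }
                $TARGETS{$host_ctr}{ident} = $entry;
            }
            nprint("- Target id:$host_ctr:ident:$TARGETS{$host_ctr}{ident}:ports_in:$TARGETS{$host_ctr}{ports_in}:", "d");
            $host_ctr++;
        }
        close($in);
    }
    # if it's not a file, set it as the ident & set the ports. resolve() will figure out if its name or IP
    # if -p is not set, push 80 to ports_in
    else
    {
        $COUNTERS{hosts_total}++;
        $TARGETS{$host_ctr}{ident}    = $CLI{host};
        $TARGETS{$host_ctr}{ports_in} = ($CLI{ports} eq "") ? 80 : $CLI{ports};
        nprint("- Target id:$host_ctr:ident:$TARGETS{$host_ctr}{ident}:ports_in:$TARGETS{$host_ctr}{ports_in}:", "d");
    }
    return;
}

#################################################################################
# Resolve the current target (hostname / ip / display_name) and run the port
# scan for it.  Reports when no HTTP(s) port answered.  Works entirely on
# $TARGETS{$CURRENT_HOST_ID}.
#################################################################################
sub host_config
{
    my $target = $TARGETS{$CURRENT_HOST_ID} ||= {};    # hashref into %TARGETS, not a copy
    ($target->{hostname}, $target->{ip}, $target->{display_name}) = resolve($target->{ident});
    if ($target->{ident} eq "") { return; }

    port_scan($target->{ports_in});

    # make sure we have open ports on this target
    if (!keys %{ $target->{ports} })
    {
        nprint("+ No HTTP(s) ports found on $target->{ident} / $target->{ports_in}");
    }
    return;
}

#################################################################################
# perform a port scan
#
# $_[0] is the port spec ("80", "80,443", "1-1024,8080", ...).  Without nmap
# (or when proxied) the spec is expanded and validated here and every port is
# handed to port_check().  With nmap available and no proxy, nmap does the
# probing and its greppable output supplies the port list.  Exits on an
# invalid spec.
#################################################################################
sub port_scan
{
    my $portopts = $_[0] || return;
    my %portlist;
    my $use_nmap = (-X $CONFIG{NMAP}) && !$CLI{useproxy};

    # if we're using nmap, skip this & let nmap handle port ranges... unless proxied
    if (!$use_nmap)
    {
        my $invalid = 0;
        # break out , items, then expand a-b ranges
        foreach my $item (split(/\,/, $portopts))
        {
            $item =~ s/^\s+//;
            $item =~ s/\s+$//;
            if ($item !~ /-/)
            {
                $portlist{$item} = 0;
            }
            else
            {
                my ($lo, $hi) = split(/\-/, $item);
                # Refuse non-numeric endpoints up front: a spec such as "a-1" would
                # otherwise string-increment the loop counter and never terminate.
                # An empty range such as 4-1 simply adds nothing.
                if (!defined $hi || $lo !~ /^[0-9]+$/ || $hi !~ /^[0-9]+$/) { $invalid = 1; next; }
                $portlist{$_} = 0 for ($lo .. $hi);
            }
        }

        # last check for only null lists (i.e., user put in 4-1 as a range)
        my $have_valid = 0;
        foreach my $p (keys %portlist)
        {
            if ($p =~ /[^0-9]/ || $p eq "") { $invalid = 1; last; }
            $have_valid++;
        }
        if ($invalid || !$have_valid)
        {
            # report the spec actually scanned: it may come from the hosts file, not -p
            nprint("+ ERROR: Invalid port option '$portopts'");
            exit;
        }
    }    # end if not NMAP

    # if NMAP is defined & no proxy, use that... if not, we do it the hard way
    if ($use_nmap)
    {
        my $ip = $TARGETS{$CURRENT_HOST_ID}{ip};
        nprint("- Calling nmap:$CONFIG{NMAP} -oG - -p $portopts $ip", "v");
        # List-form pipe open execs nmap directly; the port spec and target (both
        # user/hosts-file controlled and unvalidated on this path) never reach a shell.
        if (open(my $nmap, '-|', $CONFIG{NMAP}, '-oG', '-', '-p', $portopts, $ip))
        {
            while (my $line = <$nmap>)
            {
                chomp($line);
                next if $line !~ /^Host/;
                $line =~ s/^.*Ports: //;
                $line =~ s/Ignored.*$//;
                $line =~ s/^\s+//;
                $line =~ s/\s+$//;
                foreach my $PORTSTRING (parse_csv($line))
                {
                    $portlist{ (split(/\//, $PORTSTRING))[0] } = 0;
                }
            }
            close($nmap);
        }
        else
        {
            nprint("+ ERROR: Unable to run '$CONFIG{NMAP}': $!");
        }
    }

    # test each port...
    nprint("- Testing open ports for web servers", "v");
    my %skip = map { $_ => 1 } split(/ /, $CONFIG{SKIPPORTS});
    foreach my $p (sort keys %portlist)
    {
        $p =~ s/\s+$//;
        $p =~ s/^\s+//;
        next if $p !~ /[0-9]/;
        next if $skip{$p};
        port_check($p);
    }
    return;
}

#################################################################################
# Record the Server header of a HEAD / on the current port as the port banner.
# $CONTENT is a file-level global and is assigned on purpose.
#################################################################################
sub get_banner
{
    (my $RES, $CONTENT) = fetch("/", "HEAD");
    $TARGETS{$CURRENT_HOST_ID}{ports}{$CURRENT_PORT}{banner} = $result{'server'};
    return;
}

#################################################################################
# Probe one port for a web server: plain HTTP first (unless -ssl), then HTTPS.
# On an answer, records ports{$port}{ssl} (0/1) under the current target.
# Returns 0 for an empty port, otherwise nothing.
#################################################################################
sub port_check
{
    my $port = $_[0] || return 0;
    $port =~ s/(^\s+|\s+$)//g;
    my $oldhost  = $request{'whisker'}->{'host'};
    my $hostport = "$TARGETS{$CURRENT_HOST_ID}{ip}:$port";
    $request{'whisker'}->{'uri'}    = "/";
    $request{'whisker'}->{'method'} = "HEAD";

    # test for proxy
    proxy_check() unless $PROXYCHECKED;

    # try http
    nprint("- Checking for HTTP on port $hostport", "v");
    if (!$CLI{ssl})
    {
        $request{'whisker'}->{'ssl'}  = 0;
        $request{'whisker'}->{'port'} = $port;
        LW::http_fixup_request(\%request);
        dump_request_hash();
        if (!LW::http_do_request(\%request, \%result))
        {
            # this will fix for some Apaches that are smart enough to answer non ssl reqs on an ssl server
            if ($result{'whisker'}->{'data'} !~ /speaking plain HTTP to an SSL/)
            {
                $TARGETS{$CURRENT_HOST_ID}{ports}{$port}{ssl} = 0;
                nprint("- Server found: $hostport \t$result{'server'}", "d");
                $request{'whisker'}->{'host'} = $oldhost;
                dump_result_hash();
                return;
            }
            # otherwise fall through and retry this port as HTTPS
        }
        else
        {
            dump_result_hash();
        }
    }

    # try https
    nprint("- Checking for HTTPS on port $hostport", "v");
    $request{'whisker'}->{'ssl'}     = 1;
    $request{whisker}->{save_ssl_info} = 1;
    $request{'whisker'}->{'port'}    = $port;
    LW::http_fixup_request(\%request);
    dump_request_hash();
    if (!LW::http_do_request(\%request, \%result))
    {
        $TARGETS{$CURRENT_HOST_ID}{ports}{$port}{ssl} = 1;
        $request{'whisker'}->{'host'} = $oldhost;
        nprint("- Server found: $hostport \t$result{'server'}", "d");
    }
    # NOTE(review): the saved host is only restored on the success paths; a port
    # that answers neither way leaves whatever http_fixup_request() set -- confirm
    # that is intended before changing it.
    dump_result_hash();
    return;
}

#################################################################################
# Open the -o report file (append) as the OUT handle, unbuffer OUT/STDERR/STDOUT
# and write the format-specific header (htm / txt / csv).  No-op without -o.
#################################################################################
sub open_output
{
    if ($CLI{file} eq "") { return; }
    # Three-arg open: the -o value is a path, never a mode or a pipe.  OUT stays a
    # bareword handle because nprint() and close_output() write to it by name.
    open(OUT, '>>', $CLI{file}) or die "+ ERROR: Unable to open '$CLI{file}' for write: $!\n";
    select(OUT);    $|++;
    select(STDERR); $|++;
    select(STDOUT); $|++;

    if ($CLI{format} =~ /^htm/)
    {
        print OUT "<html>\n<body bgcolor=white>\n";
        print OUT "<title>$NIKTO{name} Results</title>\n";
        print OUT "<!-- generated by $NIKTO{name} v$NIKTO{version} c$NIKTO{core_version}\n http://www.cirt.net/ -->\n";
        print OUT "<center><a href=\"http://www.cirt.net/code/nikto.shtml\"><font size=+1>$NIKTO{name} v$NIKTO{version}/$NIKTO{core_version}</font></a><br>\n";
        print OUT "<a href=\"http://www.cirt.net/\"><font size=-1>CIRT.net</font></a></center>\n";
    }
    elsif ($CLI{format} =~ /^txt/)
    {
        print OUT "- $NIKTO{name} v$NIKTO{version}/$NIKTO{core_version}\n";
    }
    elsif ($CLI{format} =~ /^csv/)
    {
        print OUT "\"$NIKTO{name} v$NIKTO{version}\",\"Core v$NIKTO{core_version}\"\n";
    }
    return;
}

#################################################################################
# Write the format-specific trailer (the test options from @OPTS) and close OUT.
# A failed close is reported on STDOUT, since buffered write errors only
# surface here.
#################################################################################
sub close_output
{
    my $t = join(" ", @OPTS);
    if ($CLI{format} =~ /^htm/)
    {
        print OUT "Test Options: $t<br>\n";
        print OUT "<hr>\n</html>\n";
    }
    elsif ($CLI{format} =~ /^txt/)
    {
        print OUT "\nTest Options: $t\n";
        print OUT "$DIV\n";
    }
    elsif ($CLI{format} =~ /^csv/)
    {
        print OUT "\n\"Test Options\",\"$t\"\n";
    }
    close(OUT) or print "+ ERROR: Unable to close '$CLI{file}': $!\n";
    return;
}

#################################################################################
# Replace bare CVE/CAN/CA/IN/BID/MS advisory identifiers in $text with the URL
# of the advisory.  Shared by the txt and csv report formats.
#################################################################################
sub _advisory_urls
{
    my ($text) = @_;
    $text =~ s{((CVE|CAN)-[0-9]{4}-[0-9]{4})}{http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1}g;
    $text =~ s{(CA-[0-9]{4}-[0-9]{2})}{http://www.cert.org/advisories/$1.html}g;
    $text =~ s{(BID-[0-9]{4})}{http://www.securityfocus.com/bid/$1}g;
    $text =~ s{(IN-[0-9]{4}-[0-9]{2})}{http://www.cert.org/incident_notes/$1.html}gi;
    $text =~ s{(MS[0-9]{2}-[0-9]{3})}{http://www.microsoft.com/technet/security/bulletin/$1.asp}gi;
    return $text;
}

#################################################################################
# Same identifiers as _advisory_urls(), but each becomes an HTML anchor whose
# text is the identifier itself (htm report format).
#################################################################################
sub _advisory_links
{
    my ($text) = @_;
    $text =~ s{((CVE|CAN)-[0-9]{4}-[0-9]{4})}{<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>}g;
    $text =~ s{(CA-[0-9]{4}-[0-9]{2})}{<a href="http://www.cert.org/advisories/$1.html">$1</a>}g;
    $text =~ s{(BID-[0-9]{4})}{<a href="http://www.securityfocus.com/bid/$1">$1</a>}g;
    $text =~ s{(IN-[0-9]{4}-[0-9]{2})}{<a href="http://www.cert.org/incident_notes/$1.html">$1</a>}gi;
    $text =~ s{(MS[0-9]{2}-[0-9]{3})}{<a href="http://www.microsoft.com/technet/security/bulletin/$1.asp">$1</a>}gi;
    return $text;
}

#################################################################################
# print the output & write to the save file
#
# nprint($line [, $level]):
#   level "d" - printed to STDOUT only when $OUTPUT{debug}, never to the file
#   level "v" - printed to STDOUT only when $OUTPUT{verbose}, never to the file
#   no level  - printed to STDOUT and, with -o, appended to OUT in the -format
#               layout (txt / csv / htm)
#################################################################################
sub nprint
{
    my ($line, $level) = @_;
    $level = "" unless defined $level;    # plain nprint("...") carries no level
    chomp($line);

    # don't print debug & verbose to output file...
    if ($level eq "d" && $OUTPUT{debug})   { print "D: $line\n"; return; }    # debug
    if ($level eq "v" && $OUTPUT{verbose}) { print "V: $line\n"; return; }    # verbose
    if ($level eq "v" || $level eq "d") { return; }

    # print to STDOUT
    print "$line\n";

    # if no file saving, return
    if ($CLI{file} eq "") { return; }

    if ($CLI{format} eq "txt")    # plaintext output
    {
        $line = _advisory_urls($line);
        print OUT "$line\n";
    }
    elsif ($CLI{format} =~ /csv/)    # if csv output
    {
        chomp($line);
        if ($line =~ /-------------/) { $line = "\"$DIV\",\"$DIV\""; }
        $line = _advisory_urls($line);
        if ($line =~ /^\+/) { $line =~ s/^\+ (.*) - (.*)/"$1","$2"/; }
        $line =~ s/Target IP: (.*)/"Target IP","$1"/;
        $line =~ s/Target Hostname: (.*)/"Target Hostname","$1"/;
        $line =~ s/Target Port: (.*)/"Target Port","$1"/;
        $line =~ s/Start Time: (.*)/"Start Time","$1"/;
        $line =~ s/End Time: (.*)/"End Time","$1"/;
        $line =~ s/ERROR: (.*)/"ERROR","$1"/;
        chomp($line);
        $line =~ s/\t/ /g;
        $line =~ s/Server: ([^ ]*)(.*$)/"Server","$1","$2"/;
        $line =~ s/Test Options: (.*)/"Test Options","$1\n"/;
        $line =~ s/Allowed HTTP Methods: (.*)/"Allowed HTTP Methods","$1"/;
        $line =~ s/^\+//;
        $line =~ s/^\- //;
        $line =~ s/^\s+//;
        if ($line !~ /^\"/) { $line = "\"\",\"$line\""; }
        $line =~ s/\n\r//g;
        $line =~ s/\"\"/\"/g;
        print OUT "-- $line--\n";
    }
    elsif ($CLI{format} =~ /^htm/)    # if htm(l) output
    {
        my $protocol = "http";
        if ($TARGETS{$CURRENT_HOST_ID}{ports}{$CURRENT_PORT}{ssl}) { $protocol .= "s"; }
        if ($line =~ /------------/) { print OUT "<hr>\n"; return; }

        # Escape markup coming from the scanned server (banners, headers, paths)
        # before any anchors are built, so the report cannot carry active content.
        $line =~ s/&/&amp;/g;
        $line =~ s/</&lt;/g;
        $line =~ s/>/&gt;/g;

        my $ip   = $TARGETS{$CURRENT_HOST_ID}{ip};
        my $host = $TARGETS{$CURRENT_HOST_ID}{hostname};
        if ($line =~ /^\+ Target IP/)
        {
            $line =~ s{\Q$ip\E}{<a href="$protocol://$ip:$CURRENT_PORT/">$ip</a>};
        }
        elsif ($line =~ /^\+ Target Host/)
        {
            # \Q..\E: the hostname is user input, not a pattern
            $line =~ s{\Q$host\E}{<a href="$protocol://$host:$CURRENT_PORT/">$host</a>};
        }
        elsif ($line =~ /^\+ Target Port/)
        {
            $line =~ s{\Q$CURRENT_PORT\E}{<a href="http://www.cirt.net/cgi-bin/ports.pl?port=$CURRENT_PORT">$CURRENT_PORT</a>};
        }
        elsif ($line =~ /^\+ \//)    # item
        {
            if ($line =~ /\((GET|TRACE|TRACK|Needs Auth)\)/)
            {
                # second space-separated word is the tested path; it is already
                # entity-escaped above, which the browser undoes inside href=""
                my $r = (split(/ /, $line))[1];
                $line =~ s{\Q$r\E}{<a href="$protocol://$TARGETS{$CURRENT_HOST_ID}{display_name}:$CURRENT_PORT$r">$r</a>};
            }
            $line =~ s/[^\"]http(s)?\:\/\/[\w\.\!\@\~\#\$\%\^\&\*\(\)\_\-\=\+\'\.\,\/\?\\\{\}\;\:]+/<a href\=\"$&\">$&<\/a>/ig;
            $line =~ s/to<a href=\" /to <a href=\"/g;    # ugly kluge
            # make a link for CVE/CAN/CA/IN/BID/MS identifiers
            $line = _advisory_links($line);
        }
        $line =~ s/^\- /<li>/;
        $line =~ s/^\+ /<li>/;
        print OUT "$line<br>\n";
    }
    return;
}
#################################################################################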