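if ($result{'whisker'}->{'data'} =~ /$ERRSTRINGS{$string}/i) {
    $FoF{$ext}{type}="CONTENT";
    $FoF{$ext}{match}=$ERRSTRINGS{$string};
    $done=1;
    last;
}
}
if (!$done) # we have to get desperate...
{
    # 'eq' compares the length as a string; it works for 0 but '== 0' is the
    # intended numeric test.
    if (length($result{'whisker'}->{'data'}) eq 0) # blank content
    {
        $FoF{$ext}{type}="BLANK";
        $FoF{$ext}{match}="";
        $done=1;
    }
    if (!$done) # md4!
    {
        my $content=rm_active_content($result{'whisker'}->{'data'});
        $FoF{$ext}{match}=LW2::md4($content);
        $FoF{$ext}{type}="HASH";
    }
}
}
# lastly, get a hash of index.php so we can cut down on some false positives...
$NIKTO{totalrequests}++;
$request{'whisker'}->{'uri'} = "/index.php?";
$request{'whisker'}->{'method'} = GET;
$request{'whisker'}->{'http_eol'}=$http_eol;
LW2::http_close(\%request); # force-close any old connections
delete $request{'whisker'}->{'data'};
delete $request{'Content-Encoding'};
delete $request{'Content-Length'};
LW2::http_fixup_request(\%request);
dump_var("Request Hash", \%request);
if ($CLI{pause} > 0) { sleep $CLI{pause}; }
LW2::http_do_request_timeout(\%request,\%result);
dump_var("Result Hash", \%result);
my $content=rm_active_content($result{'whisker'}->{'data'});
$FoF{"index.php"}{match}=LW2::md4($content);
$FoF{"index.php"}{type}="HASH";
# foreach $ext (keys %FoF) { print "$ext: mode $FoF{$ext}{mode}, response $FoF{$ext}{response}, type $FoF{$ext}{type}\n"; }
return;
}
###############################################################################
# Strip content that changes between requests (dates, timers, and any echo of
# the request URI) so that what is left can be hashed into a stable signature.
# Used by the 404 / false-positive detection above.
#
# $_[0]  response body
# $_[1]  optional request URI; when non-empty the URI itself, the URI with a
#        leading "/index.php?" stripped, and its base64 / hex / unicode /
#        URL-encoded forms (via LW2) are removed as well
#
# Returns the stripped copy; the caller's strings are not modified.
sub rm_active_content {
    my $cont = $_[0];
    my $uri  = $_[1];

    # Dates: numeric d-m-y / y-m-d, clock times and long digit runs, RFC-style
    # "Mon, 01 Jan 2005 12:00:00", and loose "2005 Jan" / "Jan05" forms.
    $cont =~ s/([0-9]{4}|[0-9]{1,2})(\-|\.|\/)[0-9]{1,2}(\-|\.|\/)([0-9]{4}|[0-9]{1,2})//g;
    $cont =~ s/(([0-9]{2}:[0-9]{2}(:)?([0-9]{2})?)|([0-9]{8,14}|[0-9]{6}))//g;
    $cont =~ s/(mon|tue|wed|thu|fri|sat|sun)(,)? [0-9]{1,2} (jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) [0-9]{4} ([0-9]{2}:[0-9]{2}(:)?([0-9]{2})?)?//ig;
    $cont =~ s/([0-9]{2,4})? ?(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)([0-9]{2,4})?(\/)?([0-9]{2})?([0-9]{2})?//gi;

    # Page load times
    $cont =~ s/[0-9\.]+ second//gi;
    $cont =~ s/[0-9]+ queries//gi;    # wordpress

    # Advertising
    # URI, if provided, plus encoded versions of it.
    # The two hand-escaped forms are safe to interpolate as-is.  Every encoder
    # output goes through \Q...\E so that characters the encoder produces or
    # leaves untouched ('+', '/', '.', '?') are matched literally instead of
    # being parsed as pattern syntax -- an unescaped "++" in base64 output is a
    # fatal "nested quantifiers" regex error, and '.' would match any byte.
    if (defined $uri && $uri ne '') {
        # match pages which link to themselves w/diff args
        my $e = $uri;
        $e =~ s/^\/index.php\??//;
        $e =~ s/([^a-zA-Z0-9\s])/\\$1/g;
        # An empty pattern would silently reuse the last successful regex, so
        # skip it rather than strip something unrelated.
        $cont =~ s/$e//gs if length $e;

        # again but with the index.php in place
        $e = $uri;
        $e =~ s/([^a-zA-Z0-9\s])/\\$1/g;
        $cont =~ s/$e//gs if length $e;

        # base 64
        $e = LW2::encode_base64($uri);
        $cont =~ s/\Q$e\E//gs if length $e;

        # hex encoded
        $e = LW2::encode_uri_hex($uri);
        $cont =~ s/\Q$e\E//gs if length $e;

        # unicode encoded
        $e = LW2::encode_unicode($uri);
        $cont =~ s/\Q$e\E//gs if length $e;

        # url encoding, full url
        $e = $uri;
        $e =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
        $cont =~ s/\Q$e\E//gs if length $e;

        # url encoding, query portion only (path kept as-is, as a page would link it)
        if ($uri =~ /\?/) {
            my ($path, $qs) = split /\?/, $uri, 2;
            $qs =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
            $e = "$path?$qs";
            $cont =~ s/\Q$e\E//gs;
        }
    }
    return $cont;
}
###############################################################################
# Print the per-target/port header block (IP, hostname, port, vhost, proxy,
# host auth, SSL details, evasion/mutation options in use, start time, server
# banner) and record the scan start time for the current host/port.
#
# Reads the globals %TARGETS, %CLI, %NIKTO, %request, %result, $CURRENT_HOST_ID,
# $CURRENT_PORT and $DIV; all output goes through nprint().
sub dump_target_info {
    my $target = $TARGETS{$CURRENT_HOST_ID};
    my $port   = $TARGETS{$CURRENT_HOST_ID}{ports}{$CURRENT_PORT} ||= {};

    $port->{start_time_epoch} = time();
    $port->{start_time_disp}  = date_disp($port->{start_time_epoch});

    my $ssl_block = "";
    if ($port->{ssl}) {
        my $ciphers = $result{whisker}->{ssl_cipher}       || "Unknown";
        my $issuer  = $result{whisker}->{ssl_cert_issuer}  || "Unknown";
        my $subject = $result{whisker}->{ssl_cert_subject} || "Unknown";
        $ssl_block = "$DIV\n+ SSL Info: Ciphers: $ciphers\n Info: $issuer\n Subject: $subject";
    }

    # Letters in the "ip" field are taken to mean the address was never
    # resolved because requests go through a proxy (heuristic).
    if ($target->{ip} =~ /[a-z]/i) {
        nprint("+ Target IP: (proxied)");
    }
    else {
        nprint("+ Target IP: $target->{ip}");
    }
    nprint("+ Target Hostname: $target->{hostname}");
    nprint("+ Target Port: $CURRENT_PORT");

    if ($CLI{vhost} ne "" && $CLI{vhost} ne $target->{hostname}) {
        nprint("+ Virtual Host: $CLI{vhost}");
    }
    my $proxy_host = $request{'whisker'}->{'proxy_host'};
    if ($proxy_host ne "") {
        nprint("- Proxy: $proxy_host:$request{'whisker'}->{'proxy_port'}");
    }
    if ($NIKTO{hostid} ne "") {
        # NOTE(review): the host-auth password is written out here (second arg
        # "v" -- presumably verbose-only), so it ends up in any -output report;
        # masking it would be the safer default.
        nprint("- Host Auth: ID: $NIKTO{hostid}, PW: $NIKTO{hostpw}, Realm: $NIKTO{hostdomain}","v");
    }
    nprint($ssl_block) if $port->{ssl};

    # Option tables are keyed 1..N; -evasion / -mutate are matched by
    # substring, so e.g. "13" enables options 1 and 3.
    for my $i (1 .. scalar keys %{$NIKTO{anti_ids}}) {
        nprint("+ Using IDS Evasion:\t$NIKTO{anti_ids}{$i}") if $CLI{evasion} =~ /$i/;
    }
    for my $i (1 .. scalar keys %{$NIKTO{mutate_opts}}) {
        nprint("+ Using Mutation:\t$NIKTO{mutate_opts}{$i}") if $CLI{mutate} =~ /$i/;
    }

    nprint("+ Start Time: $port->{start_time_disp}");
    nprint($DIV);

    if ($port->{banner} ne "") {
        # HTML output uses the copy that already has < > escaped, JIC.
        my $banner = ($CLI{format} =~ /^htm/) ? $port->{banner_disp} : $port->{banner};
        nprint("+ Server: $banner");
    }
    else {
        nprint("+ Server: No banner retrieved");
    }
    return;
}
###############################################################################
sub general_config {
    ## gotta set these first
    $|=1;
    $NIKTO{anti_ids}{1}="Random URI encoding (non-UTF8)";
    $NIKTO{anti_ids}{2}="Directory self-reference (/./)";
    $NIKTO{anti_ids}{3}="Premature URL ending";
    $NIKTO{anti_ids}{4}="Prepend long random string";
    $NIKTO{anti_ids}{5}="Fake parameter";
    $NIKTO{anti_ids}{6}="TAB as request spacer";
    $NIKTO{anti_ids}{7}="Change the case of the URL";
    $NIKTO{anti_ids}{8}="Use Windows directory separator (\\)";
    $NIKTO{mutate_opts}{1}="Test all files with all root directories";
    $NIKTO{mutate_opts}{2}="Guess for password file names";
    $NIKTO{mutate_opts}{3}="Enumerate user names via Apache (/~user type requests)";
    $NIKTO{mutate_opts}{4}="Enumerate user 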
names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)"; $NIKTO{display}{1}="Show redirects"; $NIKTO{display}{2}="Show cookies received"; $NIKTO{display}{3}="Show all 200/OK responses"; $NIKTO{display}{4}="Show URLs which require authentication"; $NIKTO{display}{V}="Verbose Output"; $NIKTO{display}{D}="Debug Output"; $NIKTO{tuning}{1}="Interesting File / Seen in logs"; $NIKTO{tuning}{2}="Misconfiguration / Default File"; $NIKTO{tuning}{3}="Information Disclosure"; $NIKTO{tuning}{4}="Injection (XSS/Script/HTML)"; $NIKTO{tuning}{5}="Remote File Retrieval - Inside Web Root"; $NIKTO{tuning}{6}="Denial of Service"; $NIKTO{tuning}{7}="Remote File Retrieval - Server Wide"; $NIKTO{tuning}{8}="Command Execution / Remote Shell"; $NIKTO{tuning}{9}="SQL Injection"; $NIKTO{tuning}{0}="File Upload"; $NIKTO{tuning}{a}="Authentication Bypass"; $NIKTO{tuning}{b}="Software Identification"; $NIKTO{tuning}{c}="Remote Source Inclusion"; $NIKTO{tuning}{x}="Reverse Tuning Options (i.e., include all except specified)"; $NIKTO{options_short}= " -Cgidirs+ scan these CGI dirs: 'none', 'all', or values like \"/cgi/ /cgi-a/\" -dbcheck check database and other key files for syntax errors (cannot be abbreviated) -evasion+ ids evasion technique -Format+ save file (-o) format -host+ target host -Help Extended help information -id+ host authentication to use, format is userid:password -mutate+ Guess additional file names -output+ write output to this file -port+ port to use (default 80) -Display+ turn on/off display outputs -ssl force ssl mode on port -Single Single request mode -timeout+ timeout (default 2 seconds) -Tuning+ scan tuning -update update databases and plugins from cirt.net (cannot be abbreviated) -Version print plugin and database versions -vhost+ virtual host (for Host header) + requires a value "; $NIKTO{options}=" Options: -config+ use this config file -Cgidirs+ scan these CGI dirs: 'none', 'all', or values like \"/cgi/ /cgi-a/\" -Display+ turn on/off display outputs:\n"; foreach 
my $k (sort keys %{$NIKTO{display}}) { $NIKTO{options} .= " $k $NIKTO{display}{$k}\n"; } $NIKTO{options}.=" -dbcheck check database and other key files for syntax errors (cannot be abbreviated) -evasion+ ids evasion technique:\n"; foreach my $k (sort keys %{$NIKTO{anti_ids}}) { $NIKTO{options} .= " $k $NIKTO{anti_ids}{$k}\n"; } $NIKTO{options}.=" -findonly find http(s) ports only, don't perform a full scan -Format+ save file (-o) format: htm HTML Format csv Comma-separated-value txt Plain text (default if not specified) xml XML Format -host+ target host -Help Extended help information -id+ host authentication to use, format is userid:password -mutate+ Guess additional file names:\n"; foreach my $k (sort keys %{$NIKTO{mutate_opts}}) { $NIKTO{options} .= " $k $NIKTO{mutate_opts}{$k}\n"; } $NIKTO{options}.=" -nolookup skip name lookup -output+ write output to this file -port+ port to use (default 80) -Pause+ pause between tests (seconds)\n"; $NIKTO{options}.=" -root+ prepend root value to all requests, format is /directory -ssl force ssl mode on port -Single Single request mode -timeout+ timeout (default 2 seconds) -Tuning+ scan tuning:\n"; foreach my $k (sort keys %{$NIKTO{tuning}}) { $NIKTO{options} .= " $k $NIKTO{tuning}{$k}\n"; } $NIKTO{options}.=" -useproxy use the proxy defined in config.txt -update update databases and plugins from cirt.net (cannot be abbreviated) -Version print plugin and database versions -vhost+ virtual host (for Host header) + requires a value "; ### CLI STUFF $CLI{pause}=$CLI{html}=$OUTPUT{verbose}=$CLI{skiplookup}=$NIKTO{totalrequests}=0; $CLI{all_options}=join(" ",@ARGV); # preprocess CLI options which cannot be abbreviated for (my $i=0;$i<=$#ARGV;$i++) { if ($ARGV[$i] eq '-dbcheck') { dbcheck(); } elsif ($ARGV[$i] eq '-update') { check_updates(); } elsif ($ARGV[$i] eq '-verbose') { print STDERR "-verbose is deprecated, please use '-D V' instead (verbose enabled)\n"; $OUTPUT{verbose}=1; $ARGV[$i]=""; } elsif ($ARGV[$i] eq '-debug') { 
print STDERR "-debug is deprecated, please use '-D D' instead (debug enabled)\n"; $OUTPUT{debug}=1; $ARGV[$i]=""; } } GetOptions( "nolookup" => \$CLI{skiplookup}, "config=s" => \$CLI{config}, "Cgidirs=s" => \$CLI{forcecgi}, "mutate=s" => \$CLI{mutate}, "id=s" => \$CLI{hostauth}, "evasion=s" => \$CLI{evasion}, "port=s" => \$CLI{ports}, "findonly" => \$CLI{findonly}, "root=s" => \$CLI{root}, "timeout=s" => \$CLI{timeout}, "Pause=s" => \$CLI{pause}, "ssl" => \$CLI{ssl}, "useproxy" => \$CLI{useproxy}, "Help" => \$CLI{help}, "vhost=s" => \$CLI{vhost}, "host=s" => \$CLI{host}, "output=s" => \$CLI{file}, "Format=s" => \$CLI{format}, "Display=s" => \$CLI{display}, "Single" => \$CLI{Single}, "Tuning=s" => \$CLI{tuning}, "Version" => \$CLI{version}, ); if ($CLI{help}) { usage(2); } elsif ($CLI{version}) { version(); } elsif ($CLI{Single}) { single(); } # output file if (($CLI{format} ne "") && ($CLI{file} eq "")) { nprint("+ ERROR: Output format specified without output file."); exit; } if ($CLI{format} eq "") { $CLI{format}="txt"; } # default to txt elsif ($CLI{format} =~ /te?xt/i) { $CLI{format}="txt"; } elsif ($CLI{format} =~ /html?/i) { $CLI{format}="htm"; } elsif ($CLI{format} =~ /csv/i) { $CLI{format}="csv"; } elsif ($CLI{format} =~ /xml/i) { $CLI{format}="xml"; } else { nprint("+ ERROR: Invalid output format '$CLI{format}'"); exit; } # verify readable dtd if ($CLI{format} =~ /xml/i and !-r $NIKTOCONFIG{NIKTODTD}) { nprint("+ ERROR: reading DTD"); exit; } # screen output if ($CLI{display} =~ /d/i) { $OUTPUT{debug}=1; } if ($CLI{display} =~ /v/i) { $OUTPUT{verbose}=1; } # port(s) $CLI{ports}=~s/^\s+//; $CLI{ports}=~s/\s+$//; #if ($CLI{ports} eq "") { $CLI{ports}=80; } if ($CLI{ports} =~ /[^0-9\-\, ]/) { nprint("+ ERROR: Invalid port option '$CLI{ports}'"); exit; } # Fixup $CLI{root} =~ s/\/$//; if (($CLI{root} !~ /^\//) && ($CLI{root} ne "")) { $CLI{root} = "/$CLI{root}"; } if ($CLI{hostauth} ne "") { my @x=split(/:/,$CLI{hostauth}); if (($#x ne 1) || ($x[0] eq "")) { 
nprint("+ ERROR: '$CLI{hostauth}' (-i option) syntax is 'user:password' or 'user:password:domain' for host authentication.") } $NIKTO{hostid} = $x[0]; $NIKTO{hostpw} = $x[1]; $NIKTO{hostdomain} = $x[2]; } $CLI{evasion}=~s/[^0-9]//g; $NIKTO{useragent}="Mozilla/4.75 ($NIKTO{name}/$NIKTO{version} $request{'User-Agent'})"; # SSL Test if (!LW2::ssl_is_available()) { nprint("- ***** SSL support not available (see docs for SSL install instructions) *****"); } # Notices my $notice; if ($CLI{root} ne '') { $notice .= "Prepending '$CLI{root}' to requests"; } if ($CLI{pause} > 0) { $notice .= ", Pausing $CLI{pause} seconds per request"; } $notice =~ s/^, //; if ($notice ne '') { nprint("-***** $notice *****"); } # get core version open(FI,"<$NIKTO{plugindir}/nikto_core.plugin"); my @F=<FI>; close(FI); my @VERS=grep(/^#VERSION/,@F); $NIKTO{core_version}=$VERS[0]; $NIKTO{core_version}=~s/\#VERSION,//;