forked from urbanadventurer/WhatWeb
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTODO
783 lines (497 loc) · 39.5 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
TO-DO
Good luck understanding these notes for myself :) Some of this stuff has already been done.
[x] put whatweb on github
[x] JSON output plugin
[x] bug in verbose output. closing file
add IP plugin <-- can't get IP out of http object
add geoIP country plugin
precompile regular expressions for matching speed
[x] escape output in logs. <>"& for xml logs.
[x] add XML log initialisation and termination:
--log-full=FILE Log verbose output (might be removed in future)
Add CVE array and version matching:
Here's some CVE arrays.
Also, scrap this line from the TODO file:s
["6.0+", "CVE-1115, "XSS in asdf.php"], # All know versions from 6 to date
---
AWStats
CVEs [
# AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0116
["6.1", "CVE-2005-0116", "Remote Code Execution in aswtats.pl"],
# awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0435
["6.3-6.4", "CVE-2005-0435", "Information Disclosure vulnerability in the loadplugin and pluginmode parameters of awstats.pl."],
# Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0436
["6.3-6.4", "CVE-2005-0436", "Remote Code Execution vulnerability in the PluginMode parameter of awstats.pl" ],
# awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0438
["6.3-6.4", "CVE-2005-0438", "Information disclosure vulnerability in the debug parameter of awstats.pl."],
# The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527
["6.4-", "CVE-2005-1527", "Remote Code Execution vulnerability in awstats.pl" ],
# Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2237
["6.4-6.5", "CVE-2006-2237", "Remote Code Execution vulnerability in the migrate parameter of awstats.pl."],
# awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3682
["6.5-", "CVE-2006-3682", "Information Disclosure vulnerability in the year, pluginmode and month parameters of awstats.pl."],
# Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3681
["6.5-", "CVE-2006-3681", "Cross Site Scripting vulnerability in the refererpagesfilter, refererpagesfilterex, urlfilterex, urlfilter, hostfilter, or hostfilterex parameters of awstats.pl." ],
# Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3714
["6.8", "CVE-2008-3714", "Cross Site Scripting vulnerability in awstats.pl" ],
# awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080
["6.8-", "CVE-2008-5080", "Cross Site Scripting vulnerability in the query_string parameter of awstats.pl." ],
],
cmsimple
CVEs [
# Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0551
["2.7", "CVE-2007-0551", "Remote File Include vulnerability in cms.php"],
# Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0610
["2.7 fix1", "CVE-2007-0610", "Cross Site Scripting vulnerability in cms.php"],
# Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2650
["3.1", "CVE-2008-2650", "Directory traversal vulnerability in cmsimple/cms.php"],
]
DUforum
CVEs [
# Multiple SQL injection vulnerabilities in DUware DUforum 3.1, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) iMsg parameter to messages.asp, iFor parameter to (2) post.asp or (3) forums.asp, or (4) id parameter to userEdit.asp. NOTE: vectors 1 and 3 were later reported to affect version 3.0.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2048
["3.1", "CVE-2005-2048", "SQL Injection vulnerability in iMsg parameter of messages.asp, iFor parameter of post.asp, iFor parameter of forums.asp and id parameter of userEdit.asp"],
# SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to execute arbitrary SQL commands via the FOR_ID parameter in messages.asp, (2) MSG_ID parameter in messageDetail.asp, or (3) password parameter in the login form.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2201
["3.0-3.1", "CVE-2004-2201", "SQL Injection vulnerability in the FOR_ID parameter of messages.asp, MSG_ID parameter of messageDetail.asp and password parameter in the login form"],
# Cross-site scripting (XSS) vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to inject arbitrary web script or HTML via via the message text.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2200
["3.0-3.1", "CVE-2004-2200", "Cross Site Scripting vulnerability via the message text."],
],
DUGallery
CVEs [
# SQL injection vulnerability in admin_default.asp in DUGallery 2.x allows remote attackers to execute arbitrary SQL commands via the (1) Login or (2) password field.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2302
["2.x", "CVE-2006-2302", "SQL Injection vulnerability in the login or password fields." ],
],
Ezboo webstats
CVEs [
# Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1043
["3.0.3", "CVE-2007-1043", "Authentication bypass vulnerability in update.php and config.php." ],
],
LimeSurvey
CVEs [
# PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5573
["1.5.2-", "CVE-2007-5573", "Remote File Inclusion vulnerability in classes/core/language.php." ],
#Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action.
#http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2571
["1.7-", "CVE-2008-2571", "Cross Site Request Forgery vulnerability in classes/core/language.php." ],
# Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php in admin/classes/pear/; or (5) Worksheet.php, (6) Parser.php, (7) Workbook.php, (8) Format.php, or (9) BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3632
["1.49RC2", "CVE-2007-3632", "Remote File Inclusion vulnerability in homedir parameter to OLE/PPS/File.php, OLE/PPS/Root.php, Spreadsheet/Excel/Writer.php, or OLE/PPS.php in admin/classes/pear/; or Worksheet.php, Parser.php, Workbook.php, Format.php, or BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/" ],
# Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2571
["1.7-", "CVE-2008-2571", "Cross Site Request Forgery vulnerability via a modify quota action." ],
# Unspecified vulnerability in LimeSurvey before 1.82 allows remote attackers to execute commands and obtain sensitive data via unknown attack vectors related to /admin/remotecontrol/.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1604
["1.81-", "CVE-2008-2571", "Remote Command Execution vulnerability in /admin/remotecontrol/." ],
],
SharePoint
CVEs [
# Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoint Services 2.0 allows remote attackers to inject arbitrary web script or HTML via the Picture Source (aka picture object source) field in the Rich Text Editor.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1888
["2.0", "CVE-2008-1888", "Cross Site Scripting vulnerability via the Picture Source (aka picture object source) field in the Rich Text Editor." ],
# Multiple cross-site scripting (XSS) vulnerabilities in Microsoft Windows SharePoint Services 3.0 for Windows Server 2003 and Office SharePoint Server 2007 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO (query string) in "every main page," as demonstrated by default.aspx.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2581
["3.0", "CVE-2007-2581", "Cross Site Scripting vulnerability in the PATH_INFO (query string) in 'every main page,' as demonstrated by default.aspx." ],
# The download functionality in Team Services in Microsoft Office SharePoint Server 2007 12.0.0.4518 and 12.0.0.6219 allows remote attackers to read ASP.NET source code via pathnames in the SourceUrl and Source parameters to _layouts/download.aspx.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3830
["12.0.0.4518-12.0.0.6219", "CVE-2009-3830", "Information Disclosure vulnerability in /admin/remotecontrol/." ],
],
OTRS
CVEs [
# Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3893
["1.0.0-1.3.2, 2.0.0", "CVE-2005-3893", "Remote Command execution vulnerability in the user parameter in the Login action, and remote authenticated users via the TicketID and ArticleID parameters of the AgentTicketPlain action." ],
# Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3894
["1.0.0-1.3.2, 2.0.0-2.0.3", "CVE-2005-3894", "Cross Site Scripting vulnerability via hex-encoded values in the QueueID parameter and Action parameters of index.pl." ],
# Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3895
["1.0.0-1.3.2, 2.0.0-2.0.3", "CVE-2005-3895", "Cross Site Scripting vulnerability when AttachmentDownloadType is set to inline, OTRS renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML." ],
# Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2524
["2.0.x", "CVE-2007-2524", "Cross Site Scripting vulnerability via the Subaction parameter in an AgentTicketMailbox Action of index.pl." ],
# The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to 'read and modify objects' via SOAP requests, related to 'Missing security checks.'"
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1515
["2.1.0-2.1.7, 2.2.0-2.2.5", "CVE-2008-1515", "Missing security checks in the SOAP interface." ],
# Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0438
["2.1.0-2.1.8, 2.2.0-2.2.8, 2.3.0-2.3.4, 2.4.0-2.4.6", "CVE-2010-0438", "SQL Injection vulnerability in Kernel/System/Ticket.pm in OTRS-Core." ],
],
PHP-Fusion
CVEs [
# SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5335
["6.01.15, 7.00.1", "CVE-2008-5335", "SQL Injection vulnerability in messages.php." ],
# Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) comments field in comments_include.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0593
["6.00.303-", "CVE-2006-0593", "SQL Injection vulnerability in the shout_name field in shoutbox_panel.php and the comments field in comments_include.php." ],
# PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3.27 and PHP 4.3.3, allows remote authenticated users to upload files of arbitrary types using a filename that contains two or more extensions that ends in an assumed-valid extension such as .gif, which bypasses the validation, as demonstrated by uploading then executing an avatar file that ends in ".php.gif" and contains PHP code in EXIF metadata.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2330
["6.00.306-", "CVE-2006-2330", "Remote File Upload vulnerability resulting in Remote Code Execution." ],
# Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 allow remote attackers to include and execute arbitrary local files via (1) a .. (dot dot) in the settings[locale] parameter in infusions/last_seen_users_panel/last_seen_users_panel.php, and (2) a .. (dot dot) in the localeset parameter in setup.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2331
["6.00.306", "CVE-2006-2331", "Local file inclusion in the localeset parameter in setup.php." ],
# SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1918
["6.01.14, 6.00.307, 7.00.2", "CVE-2008-1918", "SQL Injection vulnerability in the shout_name field in the submit_info[] parameter in a link submission action." ],
# Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0692
["5.x", "CVE-2005-0692", "Cross Site Scripting vulnerability via a message with IMG bbcode containing character-encoded Javascript in fusion_core.php." ],
# SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 allows remote attackers to execute arbitrary SQL commands via the msg_send parameter, a different vulnerability than CVE-2005-3158 and CVE-2005-3159.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3157
["6.00.109", "CVE-2005-3157", "SQL Injection vulnerability in the msg_send parameter." ],
# Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3161
["6.00.110", "CVE-2005-3161", "SQL Injection vulnerability in the activate parameter in register.php and the cat_id parameter in faq.php." ],
# Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4673
["6.01.4", "CVE-2006-4673", "SQL Injection vulnerability in the activate parameter in thr _SERVER[REMOTE_ADDR] parameter of news.php." ],
# Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6850
["6.01.17,7.00.3", "CVE-2008-6850", "Cross Site Scripting vulnerability." ],
# Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3555
["6.01.2-", "CVE-2008-6850", "Cross Site Scripting vulnerability in submit.php by using edit_profile.php to upload a avatar or forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer." ],
# Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.00.107 and earlier allows remote attackers to inject arbitrary web script or HTML via nested, malformed URL BBCode tags.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2783
["6.00.107-", "CVE-2005-2783", "Cross Site Scripting vulnerability via nested, malformed URL BBCode tags." ],
# The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1724
["4.0", "CVE-2004-1724", "Information Disclosure vulnerability in fusion_admin/db_backups/." ],
# The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1723
["4.0", "CVE-2004-1723", "Information Disclosure vulnerability in updateuser.php and forums_prune.php." ],
# SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5946
["4.01", "CVE-2008-5946", "SQL Injection vulnerability via the news_id parameter." ],
# Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/shoutbox_panel.php in PHP-Fusion 6.01.10 and 6.01.9, when guest posts are enabled, allows remote authenticated users to inject arbitrary web script or HTML via the URI, related to the FUSION_QUERY constant.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3559
["6.01.9-6.01.10", "CVE-2007-3559, "Cross Site Scripting vulnerability in infusions/shoutbox_panel/shoutbox_panel.php via the URI, related to the FUSION_QUERY constant." ],
# SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2437
["4.01", "CVE-2004-2437", "SQL Injection vulnerability via the rowstart parameter of index.php or members.php, or comment_id parameter of comments.php." ],
# SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and earlier allows remote authenticated users to execute arbitrary SQL commands via the srch_where parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2459
["6.00.307-", "CVE-2006-2459", "SQL Injection vulnerability via the srch_where parameter of messages.php." ],
# Cross-site scripting (XSS) vulnerability in PHP-Fusion 4.01 allows remote attackers to inject arbitrary web script or HTML via the (1) Submit News, (2) Submit Link or (3) Submit Article field.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2438
["4.01", "CVE-2004-2438", "Cross Site Scripting vulnerability via the Submit News, Submit Link or Submit Article field." ],
# viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter.
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0345
["4.x", "CVE-2005-0345", "Information Disclosure vulnerability in forum_id or forum_cat parameters of viewthread.php." ],
],
*********************************************************************************
# 6.00.307 and below
["6.00.307-", "CVE-2006-2459", "SQL Injection vulnerability via the srch_where parameter of messages.php." ],
# Version 4 point anything
["4.x", "CVE-2005-0345", "Information Disclosure vulnerability in forum_id or forum_cat parameters of viewthread.php." ],
# Only versions 6.01.14, 6.00.307, 7.00.2
["6.01.14, 6.00.307, 7.00.2", "CVE-2008-1918", "SQL Injection vulnerability in the shout_name field in the submit_info[] parameter in a link submission action." ],
# Versions 1.0.0-1.3.2 inclusive and versions 2.0.0-2.0.3 inclusive
["1.0.0-1.3.2, 2.0.0-2.0.3", "CVE-2005-3895", "Cross Site Scripting vulnerability when AttachmentDownloadType is set to inline, OTRS renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML." ],
Test Erik's patch:
# set up ANEMONE skip regex
# turn an array of extensions into a regexp
-$ANEMONE_SKIP_REGEX=Regexp.union($ANEMONE_SKIP_EXTENSIONS.map {|x| /\.#{x}$/ })
+$ANEMONE_SKIP_REGEX=Regexp.union(*$ANEMONE_SKIP_EXTENSIONS.map {|x| /\.#{x}$/ })
maybe make :url=>/foo be relative to the target, eg. scan fuck.com/bar/ and it checks fuck.com/bar/foo
context aware webroot:
# this is enough to identify that it's WordPress by guessing URLs but it's hardly subtle
# this can also be used to work out the wordpress webroot, eg. 1 dir up from wp-content/ or wp-includes/
files %w| license.txt wp-blog-header.php wp-content/ wp-load.php wp-register.php xmlrpc.php readme.html wp-comments-post.php wp-cron.php wp-login.php wp-rss2.php wp-admin/ wp-commentsrss2.php wp-feed.php wp-mail.php wp-rss.php wp-app.php wp-config.php wp-includes/ wp-pass.php wp-settings.php index.php wp-atom.php wp-config-sample.php wp-links-opml.php wp-rdf.php wp-trackback.php|
# drop Div-Span-Structure
# add a hash for tagpattern
# add :url=> to matches
CVE array
# :model=>
# :firmware=>
# :modules=>
# :credentials=>
# --wait time
# follow meta-refresh
# {:version=>/<meta name=\"generator\" content=\"(WordPress)[ ]?([0-9\.]+)\"/, :version_regexp_offset=>1, :name=>"meta generator tag" } #"
CVEs [
["1.0-1.4", "CVE-1111, "XSS in asdf.php"],
["2.0-", "CVE-1112, "CSRF in asdf.php"], # All versions prior to 2.0
["4.0", "CVE-1113, "SQL injection in asdf.php"], # version 4.0
["5.3-5.6", "CVE-1114, "RCE in asdf.php"], # versions 5.3 to 5.6
["6.0+", "CVE-1115, "XSS in asdf.php"], # All know versions from 6 to date
]
search for slow regexps. use examples in plugins
plugins for cisco-ios version, linksys version
#add variables for : :fwversion, :model, :modules (joomla, WP, etc)
only do aggressive checks that provide more infoz.. eg, if it's already matched and all it does is identify the system then skip it
make a webpage model and a website model
show which plugin is requesting a URL
add option to not thread - need to rewrite main loop 1st
should :text be case insensitive? maybe
# make plugin errors red. check out Zoph error on
option to not display hashes? Hashes are most useful with a large dataset to find similar systems or when manually pentesting. maybe leave it in
why does it crash with low connect timeouts? eg. 1 second
/usr/lib/ruby/1.8/timeout.rb:60:in `timeout': execution expired from /usr/lib/ruby/1.8/net/http.rb:560:in `connect'
from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
from ./whatweb:521:in `open_target'
from ./whatweb:899
from ./whatweb:830:in `initialize'
from ./whatweb:830:in `new'
from ./whatweb:830
#start using a new convention so this issue can be avoided when people learn by example:
pattern=/<meta name=\"generator\" content=\"WordPress[ ]?[0-9\.]+\"/
if @body =~ pattern
[email protected](pattern)[0][1]
m << ....
#custom plugins on the cmdline
# ./whatweb --custom-plugin ":text=>'powered by fuck'" -i ./targets
# ./whatweb --custom-plugin "{:text=>'powered by fuck'},{:regexp=>/meta generator/}" -i ./targets
#move tag pattern into main section so any plugin can use it
#move md5 into main section so any plugin can use it
Write a quick guide to writing plugins
change -example scanning. -e <plugin>,<plugin> <-- just where 2 take the targets from
--- nah
# add prefix, suffix, etc... for manual usage.
#make help wrap around a standard terminal size
option to not output hash plugins, footer, header, tag pattern, div span, md5. plugin groups? categories?
try to reconnect when a timeout is received
#add probability to XML output
#strip :probability requirement -- assume 100 if not specified.
#strip :name requirement -- same as regexp, etc if not specified.
#rename probability to certainty
make local plugin take precedence over installed location
Treat targets like a stack :: the stack is a global var
[a,r,r,a,y] pull next target from the array when the stack is empty
[s,t,a,c] pop from the stack until it's empty
[s,t,a,c,k] <-- plugins can push to the top of the stack. like links, css, js, whatever
option to supress 404s -- maybe they just just grep for 200 or -v 404
make plugins for http://trends.builtwith.com/cms
> one of the plugins attached, shoutcast administrator, doesn't work
> because it returns different HTTP 200 OK messages. is there some way to
> fix this or even use it for fingerprinting, rather than aborting the
> request?
>
> ~/proj/whatweb-0.4.4dev$ ./whatweb --log-brief=asdf.log -a 1
> 100.m2radio.fr:8000 <http://100.m2radio.fr:8000>
> http://100.m2radio.fr:8000 ERROR: wrong status line: "ICY 200 OK"
>
> ~/proj/whatweb-0.4.4dev$ ./whatweb --log-brief=asdf.log -a 1
> 128relay1.gothmetal.net:6666 <http://128relay1.gothmetal.net:6666>
> http://128relay1.gothmetal.net:6666 ERROR: wrong status line: "ICY 200 OK"
>
> ~/proj/whatweb-0.4.4dev$ ./whatweb --log-brief=asdf.log -a 1
> 160.79.128.30:7702 <http://160.79.128.30:7702>
> http://160.79.128.30:7702 ERROR: wrong status line: "ICY 400 Server Full"
>
> ~/proj/whatweb-0.4.4dev$ ./whatweb --log-brief=asdf.log -a 1
> aol-relay2.chuckeh.com:8026 <http://aol-relay2.chuckeh.com:8026>
> http://aol-relay2.chuckeh.com:8026 [302] Title[Redirect],
> RedirectLocation[http://scfire-ntc-aa03.stream.aol.com:80/stream/1051],
> MD5[2548da190bd45c8ab7b42f781b6d8b2c],
> Header-Hash[2548da190bd45c8ab7b42f781b6d8b2c]
> http://scfire-ntc-aa03.stream.aol.com:80/stream/1051 ERROR: wrong status
> line: "ICY 200 OK"
GUI
read XML and list urls by plugin
custom plugin defined on cmdline
each plugin should say what it identifies:
* presence of system
* version
* modules/components/plugins
* usernames/accountids/email addresses
* other
* find all pages
what methods it uses for each above task:
* identify patterns in headers and HTML of any page
* identify by pattern in guessed files
* identify by existance of guessed files
* identify by hash of guessed files
and whether the above are passive or aggressive functions.
possibly separate aggressive functions into:
def aggressive_identify
def aggressive_version
def aggressive_modules
def aggressive_users
def aggressive_other
i.e. someone should be able to turn on the aggression version test for joomla and not do the aggressive module test.
plugin identify file extensions in relative or same-site urls. eg. pl, asp, aspx, cfm, php, nsf, jsp, do.
we don't need 1 plugin per extension!
#change what verbose modes are.
# verbose 1. + names of plugin rules that match
verbose 2. show HTTP headers, connections, all results from plugins
list of filetypes to download and scan. useful ones are: css, js, favicon.ico. not links, but stuff that a browser would include on a page.
#target prefix and target suffix
joomla plugin aggressive tests should be relative to the site root.
now they're just relative to the site.
need finer control of which plugins are agressive, etc.
easily identify local vs remote links. eg. for passive joomla components
better error logging
when loading plugins, check they have unique names
-A, --accept=LIST comma-separated list of accepted extensions.
-R, --reject=LIST comma-separated list of rejected extensions.
improve the md5 hash identified of versions - download tgz versions into a folder
find smallest number of files that can be used to identify a specific version:
md5hash for each file suitable
whitelist of filetypes suitable - jpg, ini, cfg, css, js
blacklist of filetypes unsuitable - inc, php, .htaccess
show files with the most differences
should escape brackets in output eg. <title>SMC[231] Console</title> currently becomes title[SMC[231] Console]
add nikto, url guessing, except for certain types of servers, dont guess urls that don't exist. i.e. apache, iis, etc -
bundle anemone with whatweb so u dont need gems, etc and remove anemone's need to nokogiri
modules should return a static list of types of objects:
text, version, modules, usernames, userid,
- cms modules r just returned as a :string at the moment. could be improved on?
extract more info from https certificates, like hostnames
include IP in logs
more output types, like JSON,XML,YAML
make a distinction in colour between standard webpage things we find all the time like
title, meta generator, md5, server-header, Mailto and other matches, i.e. Joomla.
maybe plugins should return TEXT. i.e. type of default apache,etc
let ppl specific custom functions for plugins - like enumerating all drupal nodes.
BUG https://120.136.48.33/ ERROR: EOF error end of file reached
This redirects but doesn't have a proper certificate
whatweb doesn't understand websites, only URLs
lots of good info in /robots.txt - recognise major versions of drupal
get favicon
get /robots.txt
remove aggression level 2?
include some caching of downloaded links
say whether it has aggressive tests in the plugin list
* doesn't follow redirects (sometimes)
the plugin locking is ugly, might be better to make a new instance of the plugin for each test
should modify whatweb to run as a proxy and invoke wget
fast way:
use tiny proxy, or similar writtin in C.
capture the data and pass to ruby through a socket.
ruby just starts teh proxy, starts wget and collects the data.
the url guessing sux
eg. oscommerce
http://www.pokengirl.com/cart/catalog/index.php should guess http://www.pokengirl.com/cart/catalog/admin/login.php instead of http://www.pokengirl.com/admin/login.php
should list the file +dir strcuture so we can work out the base dir
need to log errors. in all registered logs, brief & verbose? separate log file?
add an error_out function to class OutputBrief, etc.
modify error function to call
output_list.each do |o|
o.error_out(target, err )
end
[x] dont sort targets. sorting each host in the input file is unsuitable for long files.
should just read 1 at a time, potentially from stdin
fix GHDB expressions
-- ghdb "abc def" doesn't match "abc <b>def</b>"
detect mobile versions
logs currently only log successful attempts. should be optional
maybe Make account, username, id, etc all username in output?
md5sums of files -identify favicon for mambo, joomla, apple, etc. have @md5_hash for plugins
Use NAMED GROUPS in regular expressions for stuff like version numbers
export plugin regexp matches to XML, separate program.
move plugin stuff into library
PHP plugin. take version from server meta string or x-powered-by, look for local links ending in .php
plugins for apache leaking win32 / unix, debian, redhat
alternative matches -- support/convert google dork/search stuff like intitle: ,
Colour Brief output according to plugin category & hilight versions
Plugin categories, i.e. javascript libraries for ( mootools, jquery, prototype)
server (IIS/ Apache)
cgi language (PHP, ASP, CFM)
CMS (Joomla, Mambo, ) / Blogging Platform (wordpress, typepad)
statistics (google analytics, quantcast)
Layers : Server, Language, Program, Javascript
Content: Contact
CMS is a type of Program,
Stats is a type of Javascript or Program
acclipse.rb CMS
blogger.rb CMS
blogsmithmedia.rb company?
drupal.rb CMS
echo.rb CMS
generic-server.rb ?
generic-x-powered-by.rb ?
google-analytics2.rb Stats
google-analytics.rb Stats
joomla.rb CMS
jquery.rb javascript
lightbox.rb javascript
mailto.rb contact
mambo.rb CMS
minify.rb Program
movable_type.rb CMS
plone.rb CMS
prototype.rb javascript
quantcast.rb stats
scriptaculous.rb javascript
typepad.rb CMS
wordpress.rb CMS
wordpress-spamfree.rb ?
update plugins, download from website
add plugin maturity, alpha, beta, stable, etc ?
- be useful when users submit plugins / make plugins on website
use curl lib, curb for:
add proxy support
add authentication basic/digest/form/cookie/ntlm
change agent behaviour
timeouts
let people pipe html + meta data straight from stdin, eg. curl -v securityfocus.com | ./whatweb --stdin
cache pages with sqlite or in files so they only have to be fetched once
make whatweb act as a proxy. so u can spider a site with wget, use firefox, etc.
add output plugins -
yml,
brief view. eg. JQuery v2.1.7, Joomla v1.5, probably Drupal.
'probably' refers to the top % match being >50% and <100%. shows version + other info in shorthand, space delimited
test this out on CMS showcase lists to expose errors. some movable type showcase sites are drupal
make simple regexp matches more portable so they can be exported and used in other programs. maybe have an array of regexp matches in the plugins.
firefox plugin that display the identity in the footer and sends data to my server, like wapplyzer but better
website
let ppl make plugins in website.
form fields = example urls, name, etc.
write regular expressions & test which of the
examples it matches
What are your thoughts on returning info for hardware? Often there's different information to return, such as hardware model, firmware version, software versions, enabled modules, etc.
The output starts to get messy.
ABC-Hardware[xx.xx.xx][Model: XYZ][Firmware: xx.xx.xx][Modules:asdf,ghkj,zxcv]
Fingerprinting using HTTP headers would be much cleaner if shodan style searches could be performed in a similair way to ghdb.
For example, instead of using:
server=@meta["server"] if @meta.keys.include?("server")
server=@meta["Server"] if @meta.keys.include?("Server")
if server =~ /GoAhead-Webs/i
m << {:name=>"server string",:string=>server}
end
You could use:
# regex style
{:name=>"server string", :shodan=>/[server|Server]+:[\s]*GoAhead-Webs/ },
# or perhaps plaintext style, case insensitive
{:name=>"server string", :shodan=>"Server: GoAhead-Webs/ },
The same applies to cookies:
m=[]
m << {:name=>"PastVisitor Cookie" } if @meta["set-cookie"] =~ /PastVisitor=[0-9]+.*/
becomes:
{:name=>"PastVisitor Cookie", :shodan=>/set-cookie:[\s]*PastVisitor=[0-9]+.*/ },
I've noted a few plugins where this could be useful:
~/proj/whatweb-0.4.4$ cat plugins/*.rb | grep -i Shodan
# About 13,446 Shodan results for Server:"AV787 Video Web Server" @ 2010-07-20
# About 1,002 Shodan results for Server:BarracudaHTTP @ 2010-07-24
# About 1,661 shodan results for printer Server:debut @ 2010-07-22
# About 21,276 Shodan results for Server:HP-ChaiSOE ONNECTION @ 2010-07-22
# About 189 Shodan results for Server:i-Catcher Console @ 2010-07-20
# About 94 Shodan results for Server:webcamXP @ 2010-07-24
# About 268 shodan results for Server: Snap Appliance, Inc. @ 2010-07-24
# About 543 Shodan results for Server:NetEVI @ 2010-07-22
# About 50 SHODAN results for Server:"Observer XT (c) Veo" @ 2010-07-18
I think ShodanHQ has gained enough publicity that using "shodan=>" would make sense.
Just a suggestion. Also I haven't been able to fingerprint using copyright symbols and different languages have been a challenge. UTF-8 support would be awesome :D
BUGS
nicer error handling when fed bad input, cmdline options, etc