    def discover(self, fuzzableRequest):
        """
        Search zone_h and parse the output.
        
        @parameter fuzzableRequest: A fuzzableRequest instance that contains 
                                                    (among other things) the URL to test.
        """
        if not self._exec:
            # This will remove the plugin from the discovery plugins to be runned.
            raise w3afRunOnce()
        else:
            # Only run once
            self._exec = False

            target_domain = urlParser.getRootDomain(fuzzableRequest.getURL())

            # Example URL:
            # http://www.zone-h.org/archive/domain=cyprus-stones.com

            # TODO: Keep this URL updated!
            zone_h_url = "http://www.zone-h.org/archive/domain=" + target_domain

            try:
                response = self._urlOpener.GET(zone_h_url)
            except w3afException, e:
                msg = "An exception was raised while running zone-h plugin. Exception: " + str(e)
                om.out.debug(msg)
            else:
    def discover(self, fuzzableRequest ):
        '''
        Query the MIT PKS key server for the target's root domain and record
        every e-mail account it returns as an info object in the kb.

        @parameter fuzzableRequest: A fuzzableRequest instance that contains
                                    (among other things) the URL to test.
        @return: An empty list; this plugin reports mail accounts through the
                 kb and does not produce new fuzzable requests.
        '''
        # Second invocation: tell the core to drop this plugin from the run.
        if not self._run:
            raise w3afRunOnce()

        # First (and only) invocation.
        self._run = False

        pks_searcher = pks(self._urlOpener)
        domain_root = urlParser.getRootDomain(fuzzableRequest.getURL())

        for hit in pks_searcher.search(domain_root):
            mail = hit.username + '@' + domain_root

            mail_info = info.info()
            mail_info.setPluginName(self.getName())
            mail_info.setURL('http://pgp.mit.edu:11371/')
            mail_info.setId([])
            mail_info.setName(mail)
            mail_info.setDesc('The mail account: "' + mail + '" was found in the MIT PKS server. ')
            mail_info['mail'] = mail
            mail_info['user'] = hit.username
            mail_info['name'] = hit.name
            mail_info['url_list'] = ['http://pgp.mit.edu:11371/', ]

            # Stored only under the shared 'mails' key so other plugins find
            # it without the kb holding a second, per-plugin copy.
            kb.kb.append('mails', 'mails', mail_info)
            om.out.information(mail_info.getDesc())

        return []
 def _get_to_check( self, domain ):
     '''
     @return: From the domain, get a list of FQDN, rootDomain and IP address.
     '''
     res = []
     
     addrinfo = None
     try:
         addrinfo = socket.getaddrinfo( domain, 0)
     except:
         pass
     else:
         res.extend( [info[4][0] for info in addrinfo] )
     
     fqdn = ''
     try:
         fqdn = socket.getfqdn( domain )
     except:
         pass
     else:
         res.append( fqdn )
         
     rootDomain = ''
     try:
         rootDomain = urlParser.getRootDomain( domain )
     except Exception, e:
         om.out.debug( str(e) )
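 def _get_common_virtualhosts( self, domain ):
     '''
     @parameter domain: The original domain name.
     @return: A list of possible domain names that could be hosted in the same web
     server that "domain".
     '''
     # One literal per entry with an explicit trailing comma: a missing comma
     # between two adjacent literals silently concatenates them (the earlier
     # list had 'test1' 'old', which produced the single entry 'test1old').
     common_virtual_hosts = [
         'intranet', 'intra', 'extranet', 'extra', 'test', 'test1',
         'old', 'new', 'admin', 'adm', 'webmail', 'services', 'console',
         'apps', 'mail', 'corporate', 'ws', 'webservice', 'private',
         'secure', 'safe', 'hidden', 'public',
     ]

     # Hoisted out of the loop: the root domain is the same for every entry.
     root_domain = urlParser.getRootDomain( domain )
     # First label of the root domain, e.g. "targetsite" for "targetsite.com".
     root_label = root_domain.split('.')[0]

     res = []
     for subdomain in common_virtual_hosts:
         # intranet
         res.append( subdomain )
         # intranet.www.targetsite.com
         res.append( subdomain + '.' + domain )
         # intranet.targetsite.com
         res.append( subdomain + '.' + root_domain )
         # intranet.targetsite
         res.append( subdomain + '.' + root_label )

     return res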
 def grep(self, request, response):
     '''
     Plugin entry point: extract the e-mail addresses in the response and
     save them to the kb, inspecting each URI only once.

     @parameter request: The HTTP request
     @parameter response: The HTTP response
     @return: None
     '''
     uri = response.getURI()
     if uri in self._already_inspected:
         return
     self._already_inspected.add(uri)

     root_domain = urlParser.getRootDomain(response.getURL())
     self._grep_worker(request, response, 'mails', root_domain)

     # Addresses outside the target domain are collected only when the
     # "only target domain" restriction is switched off.
     if not self._only_target_domain:
         self._grep_worker(request, response, 'external_mails')
 def __init__( self, httpResponse ):
     '''
     Derive the base URL, domain and root domain from the response and
     prepare empty result containers.

     @parameter httpResponse: The response whose URL (or redirect target, when
                              there is one) becomes the base URL.
     '''
     # "setBaseUrl": a redirect target, when present, wins over the request URL
     requested_url = httpResponse.getURL()
     redirect_target = httpResponse.getRedirURL()
     self._baseUrl = redirect_target or requested_url
     self._baseDomain = urlParser.getDomain(self._baseUrl)
     self._rootDomain = urlParser.getRootDomain(self._baseUrl)

     # A nice default
     self._encoding = 'utf-8'

     # To store results
     self._emails = []
     self._re_URLs = []
def get_webroot_dirs( domain=None ):
    '''
    @parameter domain: The target's domain name, or None to return only the
                       generic guesses.
    @return: A list of strings with possible webroots. This function also
    analyzes the contents of the knowledgeBase and tries to use that
    information in order to guess.
    '''
    # Sub-directories commonly found below a per-site directory; the empty
    # suffix stands for the per-site directory itself.
    site_subdirs = ('', '/www/', '/html/', '/htdocs/')

    def expand(prefix, name):
        return [prefix + name + suffix for suffix in site_subdirs]

    candidates = []

    # A webroot the target already disclosed beats every generic guess, so
    # it goes first.
    disclosed_webroot = kb.kb.getData( 'pathDisclosure', 'webroot' )
    if disclosed_webroot:
        candidates.append(disclosed_webroot)

    if domain:
        root_domain = urlParser.getRootDomain( 'http://' + domain )

        candidates += expand('/var/www/', domain)
        candidates += expand('/home/', domain)

        # Root-domain variants only add information when they differ from
        # the full domain ones above.
        if domain != root_domain:
            candidates += expand('/home/', root_domain)
            candidates += expand('/var/www/', root_domain)

    candidates += ['/var/www/', '/var/www/html/', '/var/www/htdocs/']

    return candidates
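    def discover(self, fuzzableRequest):
        '''
        Search Bing for "@<root domain>" and hand every hit to
        self._findAccounts on the thread manager; the mail accounts found are
        collected under kb 'fingerBing' / 'mails' and printed once.

        @parameter fuzzableRequest: A fuzzableRequest instance that contains (among other things) the URL to test.
        @return: An empty list; this plugin reports mail accounts through the
                 kb and does not generate new fuzzable requests.
        '''
        # This will remove the plugin from the discovery plugins to be run.
        if not self._run:
            raise w3afRunOnce()

        # This plugin will only run one time.
        self._run = False
        bingSE = bing(self._urlOpener)
        self._domain = domain = urlParser.getDomain(fuzzableRequest.getURL())
        self._domainRoot = urlParser.getRootDomain(domain)

        results = bingSE.getNResults('@' + self._domainRoot, self._resultLimit)

        # The loop variable must not be called `result`: an earlier version
        # reused that name for the returned list, so callers got the last
        # search hit back instead of an empty list.
        for search_hit in results:
            self._tm.startFunction(target=self._findAccounts, args=(search_hit,), ownerObj=self)

        self._tm.join(self)
        self.printUniq(kb.kb.getData('fingerBing', 'mails'), None)
        return []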
 def discover(self, fuzzableRequest ):
     '''
     Run a Google search for mail accounts of the target's domain, using the
     fast or the complete strategy depending on configuration, and print the
     unique mails collected under kb 'fingerGoogle' / 'mails'.

     @parameter fuzzableRequest: A fuzzableRequest instance that contains
                                 (among other things) the URL to test.
     @return: An empty list; results are reported through the kb.
     '''
     if not self._run:
         # Second call: ask the core to remove this plugin from the run.
         raise w3afRunOnce()

     # This plugin will only run one time.
     self._run = False

     self._google = google(self._urlOpener)
     domain = urlParser.getDomain( fuzzableRequest.getURL() )
     self._domain = domain
     self._domain_root = urlParser.getRootDomain( domain )

     # Pick the configured search strategy; both are run on the thread
     # manager and joined below.
     search = self._do_fast_search if self._fast_search else self._do_complete_search
     search( domain )

     self._tm.join( self )
     self.printUniq( kb.kb.getData( 'fingerGoogle', 'mails' ), None )
     return []
    def discover(self, fuzzableRequest ):
        '''
        Search in xssed.com and parse the output.
        
        @parameter fuzzableRequest: A fuzzableRequest instance that contains 
                                                    (among other things) the URL to test.
        '''

        if not self._exec :
            # This will remove the plugin from the discovery plugins to be runned.
            raise w3afRunOnce()
        else:
            # Only run once
            self._exec = False
                        
            target_domain = urlParser.getRootDomain( fuzzableRequest.getURL() )

            try:
                response = self._urlOpener.GET( self._xssed_url + "/search?key=." + target_domain )
            except w3afException, e:
                msg = 'An exception was raised while running xssedDotCom plugin. Exception: '
                msg += '"' + str(e) + '".'
                om.out.debug( msg )
            else: