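def _analyze_ips(self, ip_address_list, fuzzable_request):
    '''
    Search all IP addresses in Bing and determine if they have more than
    one domain hosted on it. Store findings in KB.

    :param ip_address_list: Iterable of IP address strings; each one is
                            appended to the 'ip:' search operator.
    :param fuzzable_request: The request attached to any reported finding
                             through Vuln.from_fr().
    :return: None. Findings are written to the KB ('domains' and
             'shared_hosting') and sent to the output manager.
    '''
    bing_wrapper = bing(self._uri_opener)

    # This is the best way to search, one by one!
    for ip_address in ip_address_list:
        results = bing_wrapper.get_n_results('ip:' + ip_address,
                                             self._result_limit)

        # Reduce every hit to its base URL and drop duplicates, so that many
        # pages of the same site count only once.
        results = [r.URL.base_url() for r in results]
        results = list(set(results))

        # More than one distinct base URL: we may have something...
        is_vulnerable = len(results) > 1

        if len(results) == 2:
            # Maybe we have this case:
            # [Mon 09 Jun 2008 01:08:26 PM ART] - http://216.244.147.14/
            # [Mon 09 Jun 2008 01:08:26 PM ART] - http://www.business.com/
            # Where www.business.com resolves to 216.244.147.14; so we don't
            # really have more than one domain in the same server.
            #
            # NOTE(review): this false-positive filter only runs for exactly
            # two results, and gethostbyname() returns a single IPv4 address
            # per name, so hosts with several addresses may compare unequal.
            try:
                res0 = socket.gethostbyname(results[0].get_domain())
                res1 = socket.gethostbyname(results[1].get_domain())
            except Exception:
                # Resolution failed: keep the finding instead of hiding it.
                # Exception (not a bare except) lets KeyboardInterrupt and
                # SystemExit propagate, so a scan can still be aborted here.
                pass
            else:
                if res0 == res1:
                    is_vulnerable = False

        if is_vulnerable:
            desc = 'The web application under test seems to be in a shared' \
                   ' hosting. This list of domains, and the domain of the ' \
                   ' web application under test, all point to the same IP' \
                   ' address (%s):\n' % ip_address

            # The list read from the KB is extended in place and then
            # written back under the same key.
            domain_list = kb.kb.raw_read(self, 'domains')

            for url in results:
                domain = url.get_domain()
                desc += '- %s\n' % domain
                domain_list.append(domain)

            kb.kb.raw_write(self, 'domains', domain_list)

            # NOTE(review): the evidence is third-party search-engine data,
            # presumably not verified against the target; confirm before
            # treating the reported neighbours as current.
            v = Vuln.from_fr('Shared hosting', desc, severity.MEDIUM, 1,
                             self.get_name(), fuzzable_request)

            v['also_in_hosting'] = results

            om.out.vulnerability(desc, severity=severity.MEDIUM)
            kb.kb.append(self, 'shared_hosting', v)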
def discover(self, fuzzable_request):
    """
    Search Bing for "@<root domain>" and hand every result to
    _find_accounts through the worker pool.

    Nothing is done when the target domain is a private site.

    :param fuzzable_request: A fuzzable_request instance that contains
                             (among other things) the URL to test.
    """
    # Guard clause: private sites are skipped before any search is sent.
    if is_private_site(fuzzable_request.get_url().get_domain()):
        return

    search_engine = bing(self._uri_opener)

    # Kept on the instance; presumably read by _find_accounts - verify.
    self._domain = fuzzable_request.get_url().get_domain()
    self._domain_root = fuzzable_request.get_url().get_root_domain()

    query = "@" + self._domain_root
    hits = search_engine.get_n_results(query, self._result_limit)

    # Send the requests using threads:
    self.worker_pool.map(self._find_accounts, hits)
def discover(self, fuzzable_request):
    '''
    Query Bing with "@<root domain>" and dispatch each result to
    _find_accounts on the worker pool; private sites are skipped.

    :param fuzzable_request: A fuzzable_request instance that contains
                             (among other things) the URL to test.
    '''
    target_is_private = is_private_site(
        fuzzable_request.get_url().get_domain())

    if not target_is_private:
        engine = bing(self._uri_opener)

        # Both values are stored on the instance before the workers start.
        self._domain = fuzzable_request.get_url().get_domain()
        self._domain_root = fuzzable_request.get_url().get_root_domain()

        search_term = '@' + self._domain_root
        found = engine.get_n_results(search_term, self._result_limit)

        # Send the requests using threads:
        self.worker_pool.map(self._find_accounts, found)
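def crawl(self, fuzzable_request):
    '''
    Search Bing for "site:<domain>" and pass the URL of every result to
    _get_fuzzable_requests through the worker pool.

    :param fuzzable_request: A fuzzable_request instance that contains
                             (among other things) the URL to test.
    :raise w3afException: When the domain of the URL is a private site.
    '''
    bing_se = bing(self._uri_opener)
    domain = fuzzable_request.get_url().get_domain()

    if is_private_site(domain):
        msg = 'There is no point in searching Bing for "site:%s".'
        msg += ' Bing does\'nt index private pages.'
        raise w3afException(msg % domain)

    try:
        results = bing_se.get_n_results('site:' + domain,
                                        self._result_limit)
    except Exception:
        # Best effort: a failed search yields no new requests. Exception
        # (not a bare except) lets KeyboardInterrupt and SystemExit
        # propagate, so the scan can still be interrupted here.
        pass
    else:
        # Only the search is inside the try; errors raised while mapping
        # the results are not swallowed.
        # NOTE(review): result URLs are third-party data; confirm that
        # _get_fuzzable_requests enforces the target scope before any of
        # them is requested.
        self.worker_pool.map(self._get_fuzzable_requests,
                             [r.URL for r in results])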
def setUp(self):
    """Pick one (query, limit) pair at random and build the Bing wrapper."""
    candidates = [
        ('big bang theory', 200),
        ('two and half man', 40),
        ('doctor house', 60),
    ]
    chosen = random.choice(candidates)
    self.query = chosen[0]
    self.limit = chosen[1]

    # The search engine under test gets a fresh ExtendedUrllib opener.
    opener = ExtendedUrllib()
    self.bing_se = bing(opener)