def crawl(self, fuzzable_request): ''' Plugin entry point, perform all the work. ''' to_check = self._get_to_check(fuzzable_request.get_url()) # I found some URLs, create fuzzable requests phishtank_matches = self._is_in_phishtank(to_check) for ptm in phishtank_matches: response = self._uri_opener.GET(ptm.url) for fr in self._create_fuzzable_requests(response): self.output_queue.put(fr) # Only create the vuln object once if phishtank_matches: desc = 'The URL: "%s" seems to be involved in a phishing scam.' \ ' Please see %s for more info.' desc = desc % (ptm.url, ptm.more_info_URL) v = Vuln('Phishing scam', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(ptm.url) kb.kb.append(self, 'phishtank', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity())
def _send_and_check(self, repo_url, repo_get_files, repo, domain_path): ''' Check if a repository index exists in the domain_path. :return: None, everything is saved to the self.out_queue. ''' http_response = self.http_get_and_parse(repo_url) if not is_404(http_response): filenames = repo_get_files(http_response.get_body()) parsed_url_set = set() for filename in self._clean_filenames(filenames): test_url = domain_path.url_join(filename) if test_url not in self._analyzed_filenames: parsed_url_set.add(test_url) self._analyzed_filenames.add(filename) self.worker_pool.map(self.http_get_and_parse, parsed_url_set) if parsed_url_set: desc = 'A %s was found at: "%s"; this could indicate that'\ ' a %s is accessible. You might be able to download'\ ' the Web application source code.' desc = desc % (repo, http_response.get_url(), repo) v = Vuln('Source code repository', desc, severity.MEDIUM, http_response.id, self.get_name()) v.set_url(http_response.get_url()) kb.kb.append(self, repo, v) om.out.vulnerability(v.get_desc(), severity=v.get_severity())
def _find_auth_uri(self, response): ''' Analyze a 200 response and report any findings of http://user:[email protected]/ :return: None ''' # # Analyze the HTTP URL # if ('@' in response.get_uri() and self._auth_uri_regex.match(response.get_uri().url_string)): # An authentication URI was found! desc = 'The resource: "%s" has a user and password in' \ ' the URI.' desc = desc % response.get_uri() v = Vuln('Basic HTTP credentials', desc, severity.HIGH, response.id, self.get_name()) v.set_url(response.get_url()) v.add_to_highlight(response.get_uri().url_string) kb.kb.append(self, 'userPassUri', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) # # Analyze the HTTP response body # url_list = [] try: DocumentParser = parser_cache.dpc.get_document_parser_for(response) except w3afException, w3: msg = 'Failed to find a suitable document parser. ' \ 'Exception: ' + str(w3) om.out.debug(msg)
def _check_if_exists(self, web_shell_url): ''' Check if the file exists. :param web_shell_url: The URL to check ''' try: response = self._uri_opener.GET(web_shell_url, cache=True) except w3afException: om.out.debug('Failed to GET webshell:' + web_shell_url) else: if self._is_possible_backdoor(response): desc = 'A web backdoor was found at: "%s"; this could ' \ 'indicate that the server has been compromised.' desc = desc % response.get_url() v = Vuln('Potential web backdoor', desc, severity.HIGH, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'backdoors', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) for fr in self._create_fuzzable_requests(response): self.output_queue.put(fr)
def _classic_worker(self, gh, search_term): ''' Perform the searches and store the results in the kb. ''' google_list = self._google_se.get_n_results(search_term, 9) for result in google_list: # I found a vuln in the site! response = self._uri_opener.GET(result.URL, cache=True) if not is_404(response): desc = 'ghdb plugin found a vulnerability at URL: "%s".' \ ' According to GHDB the vulnerability description'\ ' is "%s".' desc = desc % (response.get_url(), gh.desc) v = Vuln('Google hack database match', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) v.set_method('GET') kb.kb.append(self, 'vuln', v) om.out.vulnerability(v.get_desc(), severity=severity.LOW) # Create the fuzzable requests for fr in self._create_fuzzable_requests(response): self.output_queue.put(fr)
def _parse_xssed_result(self, response): ''' Parse the result from the xssed site and create the corresponding info objects. :return: Fuzzable requests pointing to the XSS (if any) ''' html_body = response.get_body() if "<b>XSS:</b>" in html_body: # # Work! # regex_many_vulns = re.findall( "<a href='(/mirror/\d*/)' target='_blank'>", html_body) for mirror_relative_link in regex_many_vulns: mirror_url = self._xssed_url.url_join(mirror_relative_link) xss_report_response = self._uri_opener.GET(mirror_url) matches = re.findall("URL:.+", xss_report_response.get_body()) dxss = self._decode_xssed_url if self._fixed in xss_report_response.get_body(): vuln_severity = severity.LOW desc = 'This script contained a XSS vulnerability: "%s".' desc = desc % dxss(dxss(matches[0])) else: vuln_severity = severity.HIGH desc = 'According to xssed.com, this script contains a'\ ' XSS vulnerability: "%s".' desc = desc % dxss(dxss(matches[0])) v = Vuln('Potential XSS vulnerability', desc, vuln_severity, response.id, self.get_name()) v.set_url(mirror_url) kb.kb.append(self, 'xss', v) om.out.information(v.get_desc()) # # Add the fuzzable request, this is useful if I have the # XSS plugin enabled because it will re-test this and # possibly confirm the vulnerability # fuzzable_request_list = self._create_fuzzable_requests( xss_report_response) return fuzzable_request_list else: # Nothing to see here... om.out.debug('xssed_dot_com did not find any previously reported' ' XSS vulnerabilities.') return []
def _parse_xssed_result(self, response): ''' Parse the result from the xssed site and create the corresponding info objects. :return: Fuzzable requests pointing to the XSS (if any) ''' html_body = response.get_body() if "<b>XSS:</b>" in html_body: # # Work! # regex_many_vulns = re.findall( "<a href='(/mirror/\d*/)' target='_blank'>", html_body) for mirror_relative_link in regex_many_vulns: mirror_url = self._xssed_url.url_join(mirror_relative_link) xss_report_response = self._uri_opener.GET(mirror_url) matches = re.findall("URL:.+", xss_report_response.get_body()) dxss = self._decode_xssed_url if self._fixed in xss_report_response.get_body(): vuln_severity = severity.LOW desc = 'This script contained a XSS vulnerability: "%s".' desc = desc % dxss(dxss(matches[0])) else: vuln_severity = severity.HIGH desc = 'According to xssed.com, this script contains a'\ ' XSS vulnerability: "%s".' desc = desc % dxss(dxss(matches[0])) v = Vuln('Potential XSS vulnerability', desc, vuln_severity, response.id, self.get_name()) v.set_url(mirror_url) kb.kb.append(self, 'xss', v) om.out.information(v.get_desc()) # # Add the fuzzable request, this is useful if I have the # XSS plugin enabled because it will re-test this and # possibly confirm the vulnerability # fuzzable_request_list = self._create_fuzzable_requests( xss_report_response) return fuzzable_request_list else: # Nothing to see here... om.out.debug('xssed_dot_com did not find any previously reported' ' XSS vulnerabilities.')
def _analyze_crossdomain_clientaccesspolicy(self, url, response, file_name): try: dom = xml.dom.minidom.parseString(response.get_body()) except Exception: # Report this, it may be interesting for the final user # not a vulnerability per-se... but... it's information after all if 'allow-access-from' in response.get_body() or \ 'cross-domain-policy' in response.get_body() or \ 'cross-domain-access' in response.get_body(): desc = 'The "%s" file at: "%s" is not a valid XML.' desc = desc % (file_name, response.get_url()) i = Info('Invalid RIA settings file', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'info', i) om.out.information(i.get_desc()) else: if (file_name == 'crossdomain.xml'): url_list = dom.getElementsByTagName("allow-access-from") attribute = 'domain' if (file_name == 'clientaccesspolicy.xml'): url_list = dom.getElementsByTagName("domain") attribute = 'uri' for url in url_list: url = url.getAttribute(attribute) desc = 'The "%s" file at "%s" allows flash/silverlight'\ ' access from any site.' desc = desc % (file_name, response.get_url()) if url == '*': v = Vuln('Insecure RIA settings', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) v.set_method('GET') kb.kb.append(self, 'vuln', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: i = Info('Cross-domain allow ACL', desc, response.id, self.get_name()) i.set_url(response.get_url()) i.set_method('GET') kb.kb.append(self, 'info', i) om.out.information(i.get_desc())
def _analyze_crossdomain_clientaccesspolicy(self, url, response, file_name): try: dom = xml.dom.minidom.parseString(response.get_body()) except Exception: # Report this, it may be interesting for the final user # not a vulnerability per-se... but... it's information after all if 'allow-access-from' in response.get_body() or \ 'cross-domain-policy' in response.get_body() or \ 'cross-domain-access' in response.get_body(): desc = 'The "%s" file at: "%s" is not a valid XML.' desc = desc % (file_name, response.get_url()) i = Info('Invalid RIA settings file', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'info', i) om.out.information(i.get_desc()) else: if(file_name == 'crossdomain.xml'): url_list = dom.getElementsByTagName("allow-access-from") attribute = 'domain' if(file_name == 'clientaccesspolicy.xml'): url_list = dom.getElementsByTagName("domain") attribute = 'uri' for url in url_list: url = url.getAttribute(attribute) desc = 'The "%s" file at "%s" allows flash/silverlight'\ ' access from any site.' desc = desc % (file_name, response.get_url()) if url == '*': v = Vuln('Insecure RIA settings', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) v.set_method('GET') kb.kb.append(self, 'vuln', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: i = Info('Cross-domain allow ACL', desc, response.id, self.get_name()) i.set_url(response.get_url()) i.set_method('GET') kb.kb.append(self, 'info', i) om.out.information(i.get_desc())
def _brute_worker(self, url, combination): ''' Try a user/password combination with HTTP basic authentication against a specific URL. :param url: A string representation of an URL :param combination: A tuple that contains (user,pass) ''' # Remember that this worker is called from a thread which lives in a # threadpool. If the worker finds something, it has to let the rest know # and the way we do that is by setting self._found. # # If one thread sees that we already bruteforced the access, the rest will # simply no-op if not self._found or not self._stop_on_first: user, passwd = combination raw_values = "%s:%s" % (user, passwd) auth = 'Basic %s' % base64.b64encode(raw_values).strip() headers = Headers([('Authorization', auth)]) try: response = self._uri_opener.GET(url, cache=False, grep=False, headers=headers) except w3afException, w3: msg = 'Exception while bruteforcing basic authentication,'\ ' error message: "%s".' om.out.debug(msg % w3) else: # GET was OK if response.get_code() != 401: self._found = True desc = 'Found authentication credentials to: "%s".'\ ' A valid user and password combination is: %s/%s .' desc = desc % (url, user, passwd) v = Vuln('Guessable credentials', desc, severity.HIGH, response.id, self.get_name()) v.set_url(url) v['user'] = user v['pass'] = passwd v['response'] = response kb.kb.append(self, 'auth', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity())
def _parse_zone_h_result(self, response): ''' Parse the result from the zone_h site and create the corresponding info objects. :return: None ''' # # I'm going to do only one big "if": # # - The target site was hacked more than one time # - The target site was hacked only one time # # This is the string I have to parse: # in the zone_h response, they are two like this, the first has to be ignored! regex = 'Total notifications: <b>(\d*)</b> of which <b>(\d*)</b> single ip and <b>(\d*)</b> mass' regex_result = re.findall(regex, response.get_body()) try: total_attacks = int(regex_result[0][0]) except IndexError: om.out.debug( 'An error was generated during the parsing of the zone_h website.' ) else: # Do the if... if total_attacks > 1: desc = 'The target site was defaced more than one time in the'\ ' past. For more information please visit the following'\ ' URL: "%s".' % response.get_url() v = Vuln('Previous defacements', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'defacements', v) om.out.information(v.get_desc()) elif total_attacks == 1: desc = 'The target site was defaced in the past. For more'\ ' information please visit the following URL: "%s".' desc = desc % response.get_url() i = Info('Previous defacements', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'defacements', i) om.out.information(i.get_desc())
def _parse_zone_h_result(self, response): ''' Parse the result from the zone_h site and create the corresponding info objects. :return: None ''' # # I'm going to do only one big "if": # # - The target site was hacked more than one time # - The target site was hacked only one time # # This is the string I have to parse: # in the zone_h response, they are two like this, the first has to be ignored! regex = 'Total notifications: <b>(\d*)</b> of which <b>(\d*)</b> single ip and <b>(\d*)</b> mass' regex_result = re.findall(regex, response.get_body()) try: total_attacks = int(regex_result[0][0]) except IndexError: om.out.debug('An error was generated during the parsing of the zone_h website.') else: # Do the if... if total_attacks > 1: desc = 'The target site was defaced more than one time in the'\ ' past. For more information please visit the following'\ ' URL: "%s".' % response.get_url() v = Vuln('Previous defacements', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'defacements', v) om.out.information(v.get_desc()) elif total_attacks == 1: desc = 'The target site was defaced in the past. For more'\ ' information please visit the following URL: "%s".' desc = desc % response.get_url() i = Info('Previous defacements', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'defacements', i) om.out.information(i.get_desc())
def _analyze_401(self, response): ''' Analyze a 401 response and report it. :return: None ''' realm = self._get_realm(response) if realm is None: self._report_no_realm(response) return insecure = response.get_url().get_protocol() == 'http' vuln_severity = severity.HIGH if insecure else severity.LOW desc = 'The resource: "%s" requires HTTP authentication' if insecure: desc += ' over a non-encrypted channel, which allows'\ ' potential intruders to sniff traffic and capture'\ ' valid credentials.' else: desc += '.' desc += ' The received authentication realm is: "%s".' desc = desc % (response.get_url(), realm) # Report the common case, were a realm is set. if 'ntlm' in realm.lower(): v = Vuln('NTLM authentication', desc, vuln_severity, response.id, self.get_name()) else: v = Vuln('HTTP Basic authentication', desc, vuln_severity, response.id, self.get_name()) v.set_url(response.get_url()) v['message'] = realm v.add_to_highlight(realm) kb.kb.append(self, 'auth', v) om.out.information(v.get_desc())
def audit_phpinfo(self, response): ''' Scan for insecure php settings :author: Aung Khant (aungkhant[at]yehg.net) :return none two divisions: vulnerable settings and useful informative settings ''' ##### [Vulnerable Settings] ##### ### [register_globals] ### regex_str = 'register_globals</td><td class="v">(On|Off)</td>' register_globals = re.search(regex_str, response.get_body(), re.I) rg_flag = '' if register_globals: rg = register_globals.group(1) if(rg == 'On'): desc = 'The phpinfo()::register_globals is on.' v = Vuln('PHP register_globals: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: rg_flag = 'info' rg_name = 'PHP register_globals: Off' rg_desc = 'The phpinfo()::register_globals is off.' ### [/register_globals] ### ### [allow_url_fopen] ### regex_str = 'allow_url_fopen</td><td class="v">(On|<i>no value</i>)</td>' allow_url_fopen = re.search(regex_str, response.get_body(), re.I) if allow_url_fopen: desc = 'The phpinfo()::allow_url_fopen is enabled.' v = Vuln('PHP allow_url_fopen: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/allow_url_fopen] ### ### [allow_url_include] ### regex_str = 'allow_url_include</td><td class="v">(On|<i>no value</i>)</td>' allow_url_include = re.search(regex_str, response.get_body(), re.I) if allow_url_include: desc = 'The phpinfo()::allow_url_include is enabled.' v = Vuln('PHP allow_url_include: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/allow_url_include] ### ### [display_errors] ### regex_str = 'display_errors</td><td class="v">(On|<i>no value</i>)</td>' display_errors = re.search(regex_str, response.get_body(), re.I) if display_errors: desc = 'The phpinfo()::display_errors is enabled.' v = Vuln('PHP display_errors: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/display_errors] ### ### [expose_php] ### regex_str = 'expose_php</td><td class="v">(On|<i>no value</i>)</td>' expose_php = re.search(regex_str, response.get_body(), re.I) if expose_php: desc = 'The phpinfo()::expose_php is enabled.' v = Vuln('PHP expose_php: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/expose_php] ### ### [lowest_privilege_test] ### regex_str = 'User/Group </td><td class="v">(.*?)\((\d.*?)\)/(\d.*?)</td>' lowest_privilege_test = re.search(regex_str, response.get_body(), re.I) lpt_flag = '' if lowest_privilege_test: lpt_uname = lowest_privilege_test.group(1) lpt_uid = lowest_privilege_test.group(2) lpt_uid = int(lpt_uid) lpt_gid = lowest_privilege_test.group(3) if lpt_uid < 99 or lpt_gid < 99 or \ re.match('root|apache|daemon|bin|operator|adm', lpt_uname, re.I): desc = 'phpinfo()::PHP may be executing as a higher privileged'\ ' group. Username: %s, UserID: %s, GroupID: %s.' desc = desc % (lpt_uname, lpt_uid, lpt_gid) v = Vuln('PHP lowest_privilege_test:fail', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: lpt_flag = 'info' lpt_name = 'privilege:' + lpt_uname lpt_desc = 'phpinfo()::PHP is executing under ' lpt_desc += 'username: '******', ' lpt_desc += 'userID: ' + str(lpt_uid) + ', ' lpt_desc += 'groupID: ' + lpt_gid ### [/lowest_privilege_test] ### ### [disable_functions] ### regex_str = 'disable_functions</td><td class="v">(.*?)</td>' disable_functions = re.search(regex_str, response.get_body(), re.I) if disable_functions: secure_df = 8 df = disable_functions.group(1) dfe = df.split(',') if(len(dfe) < secure_df): desc = 'The phpinfo()::disable_functions are set to few.' v = Vuln('PHP disable_functions:few', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/disable_functions] ### ### [curl_file_support] ### regex_str = '<h1 class="p">PHP Version (\d).(\d).(\d)</h1>' curl_file_support = re.search(regex_str, response.get_body(), re.I) if curl_file_support: php_major_ver = curl_file_support.group(1) php_minor_ver = curl_file_support.group(2) php_rev_ver = curl_file_support.group(3) current_ver = php_major_ver + '.' + php_minor_ver + \ '' + php_rev_ver current_ver = float(current_ver) php_major_ver = int(php_major_ver) php_minor_ver = int(php_minor_ver) php_rev_ver = int(php_rev_ver) cv4check = float(4.44) cv5check = float(5.16) curl_vuln = 1 if(php_major_ver == 4): if (current_ver >= cv4check): curl_vuln = 0 elif (php_major_ver == 5): if (current_ver >= cv5check): curl_vuln = 0 elif (php_major_ver >= 6): curl_vuln = 0 else: curl_vuln = 0 if(curl_vuln == 1): desc = 'The phpinfo()::cURL::file_support has a security hole'\ ' present in this version of PHP allows the cURL'\ ' functions to bypass safe_mode and open_basedir'\ ' restrictions.' v = Vuln('PHP curl_file_support:not_fixed', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/curl_file_support] ### ### [cgi_force_redirect] ### regex_str = 'cgi_force_redirect</td><td class="v">(.*?)</td>' cgi_force_redirect = re.search(regex_str, response.get_body(), re.I) if cgi_force_redirect: utd = cgi_force_redirect.group(1) + '' if(utd != 'On'): desc = 'The phpinfo()::CGI::force_redirect is disabled.' v = Vuln('PHP cgi_force_redirect: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/cgi_force_redirect] ### ### [session_cookie_httponly] ### regex_str = 'session\.cookie_httponly</td><td class="v">(Off|no|0)</td>' session_cookie_httponly = re.search(regex_str, response.get_body(), re.I) if session_cookie_httponly: desc = 'The phpinfo()::session.cookie_httponly is off.' v = Vuln('PHP session.cookie_httponly: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_cookie_httponly] ### ### [session_save_path] ### regex_str = 'session\.save_path</td><td class="v">(<i>no value</i>)</td>' session_save_path = re.search(regex_str, response.get_body(), re.I) if session_save_path: desc = 'The phpinfo()::session.save_path may be set to world-'\ 'accessible directory.' v = Vuln('PHP session_save_path:Everyone', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_save_path] ### ### [session_use_trans] ### regex_str = 'session\.use_trans</td><td class="v">(On)</td>' session_use_trans = re.search(regex_str, response.get_body(), re.I) if session_use_trans: desc = 'The phpinfo()::session.use_trans is enabled. This makes'\ ' session hijacking easier.' v = Vuln('PHP session_use_trans: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_use_trans] ### ### [default_charset] ### regex_str = 'default_charset</td><td class="v">(Off|no|0)</td>' default_charset = re.search(regex_str, response.get_body(), re.I) if default_charset: desc = 'The phpinfo()::default_charset is set to none. This'\ ' makes PHP scripts vulnerable to variable charset'\ ' encoding XSS.' v = Vuln('PHP default_charset: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/default_charset] ### ### [enable_dl] ### regex_str = 'enable_dl</td><td class="v">(On|Off)</td>' enable_dl = re.search(regex_str, response.get_body(), re.I) ed_flag = '' if enable_dl: rg = enable_dl.group(1) if(rg == 'On'): desc = 'The phpinfo()::enable_dl is on.' v = Vuln('PHP enable_dl: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: ed_flag = 'info' ed_name = 'PHP enable_dl: Off' ed_desc = 'The phpinfo()::enable_dl is off.' ### [/enable_dl] ### ### [memory_limit] ### regex_str = 'memory_limit</td><td class="v">(\d.*?)</td>' memory_limit = re.search(regex_str, response.get_body(), re.I) if memory_limit: secure_ml = 10 ml = memory_limit.group(1) + '' ml = ml.replace('M', '') if(ml > secure_ml): desc = 'The phpinfo()::memory_limit is set to higher value'\ ' (%s).' % memory_limit.group(1) v = Vuln('PHP memory_limit:high', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/memory_limit] ### ### [post_max_size] ### regex_str = 'post_max_size</td><td class="v">(\d.*?)</td>' post_max_size = re.search( regex_str, response.get_body(), re.IGNORECASE) if post_max_size: secure_pms = 20 pms = post_max_size.group(1) + '' pms = pms.replace('M', '') pms = int(pms) if(pms > secure_pms): desc = 'The phpinfo()::post_max_size is set to higher value'\ ' (%s).' % post_max_size.group(1) v = Vuln('PHP post_max_size:high', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/post_max_size] ### ### [upload_max_filesize] ### regex_str = 'upload_max_filesize</td><td class="v">(\d.*?)</td>' upload_max_filesize = re.search( regex_str, response.get_body(), re.IGNORECASE) if upload_max_filesize: secure_umf = 20 umf = upload_max_filesize.group(1) + '' umf = umf.replace('M', '') umf = int(umf) if(umf > secure_umf): desc = 'The phpinfo()::upload_max_filesize is set to higher'\ ' value (%s).' % upload_max_filesize.group(1) v = Vuln('PHP upload_max_filesize:high', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/upload_max_filesize] ### ### [upload_tmp_dir] ### regex_str = 'upload_tmp_dir</td><td class="v">(<i>no value</i>)</td>' upload_tmp_dir = re.search(regex_str, response.get_body(), re.I) if upload_tmp_dir: desc = 'The phpinfo()::upload_tmp_dir may be set to world-'\ 'accessible directory.' v = Vuln('PHP upload_tmp_dir:Everyone', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/upload_tmp_dir] ### ##### [/Vulnerable Settings] ##### ##### [Useful Informative Settings] ##### ### [privilege] ### if lpt_flag == 'info': i = Info(lpt_name, lpt_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/privilege] ### ### [register_globals]### if rg_flag == 'info': i = Info(rg_name, rg_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/register_globals]### ### [enable_dl]### if ed_flag == 'info': i = Info(ed_name, ed_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/enable_dl]### ### [file_uploads] ### regex_str = 'file_uploads</td><td class="v">(On|<i>no value</i>)</td>' file_uploads = re.search(regex_str, response.get_body(), re.IGNORECASE) if file_uploads: desc = 'The phpinfo()::file_uploads is enabled.' i = Info('PHP file_uploads: On', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/file_uploads] ### ### [magic_quotes_gpc] ### regex_str = 'magic_quotes_gpc</td><td class="v">(On|Off)</td>' magic_quotes_gpc = re.search(regex_str, response.get_body(), re.I) if magic_quotes_gpc: mqg = magic_quotes_gpc.group(1) if (mqg == 'On'): desc = 'The phpinfo()::magic_quotes_gpc is on.' i = Info('PHP magic_quotes_gpc: On', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::magic_quotes_gpc is off.' i = Info('PHP magic_quotes_gpc: Off', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/magic_quotes_gpc] ### ### [open_basedir] ### regex_str = 'open_basedir</td><td class="v">(.*?)</td>' open_basedir = re.search(regex_str, response.get_body(), re.I) if open_basedir: obd = open_basedir.group(1) if(obd == '<i>no value</i>'): desc = 'The phpinfo()::open_basedir is not set.' i = Info('PHP open_basedir:disabled', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::open_basedir is set to %s.' desc = desc % open_basedir.group(1) i = Info('PHP open_basedir:enabled', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/open_basedir] ### ### [session_hash_function] ### regex_str = 'session\.hash_function</td><td class="v">(.*?)</td>' session_hash_function = re.search(regex_str, response.get_body(), re.I) if session_hash_function: if session_hash_function.group(1) == 0\ or session_hash_function.group(1) != 'no': desc = 'The phpinfo()::session.hash_function use md5 algorithm.' i = Info('PHP session.hash_function:md5', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::session.hash_function use sha algorithm.' i = Info('PHP session.hash_function:sha', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc())
sysinfo = re.search(regex_str, response.get_body(), re.I) if (php_version and sysinfo): desc = 'The phpinfo() file was found at: %s. The version'\ ' of PHP is: "%s" and the system information is:'\ ' "%s".' desc = desc % (response.get_url(), php_version.group(2), sysinfo.group(1)) v = Vuln('phpinfo() file found', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) if (self._has_audited == 0): self.audit_phpinfo(response) self._has_audited = 1 def audit_phpinfo(self, response): ''' Scan for insecure php settings :author: Aung Khant (aungkhant[at]yehg.net) :return none two divisions: vulnerable settings and useful informative settings '''
'using author.dll was there: %s' % e om.out.debug(msg) else: # The file we uploaded has the reversed filename as body if res.get_body() == rand_file[::-1] and not is_404(res): desc = 'An insecure configuration in the frontpage extensions'\ ' allows unauthenticated users to upload files to the'\ ' remote web server.' v = Vuln('Insecure Frontpage extensions configuration', desc, severity.HIGH, [upload_id, res.id], self.get_name()) v.set_url(target_url) v.set_method('POST') om.out.vulnerability(v.get_desc(), severity=v.get_severity()) self.kb_append(self, 'frontpage', v) else: msg = 'The file that was uploaded using the POST method is'\ ' not present on the remote web server at "%s".' om.out.debug(msg % target_url) def get_plugin_deps(self): ''' :return: A list with the names of the plugins that should be run before the current one. ''' return ['infrastructure.frontpage_version'] def get_long_desc(self): '''
if ('@' in url.url_string and self._auth_uri_regex.match(url.url_string)): desc = 'The resource: "%s" has a user and password in the'\ ' body. The offending URL is: "%s".' desc = desc % (response.get_url(), url) v = Vuln('Basic HTTP credentials', desc, severity.HIGH, response.id, self.get_name()) v.set_url(response.get_url()) v.add_to_highlight(url.url_string) kb.kb.append(self, 'userPassUri', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) def _get_realm(self, response): for key in response.get_headers(): if key.lower() == 'www-authenticate': realm = response.get_headers()[key] return realm return None def _report_no_realm(self, response): # Report this strange case desc = 'The resource: "%s" requires authentication (HTTP Code'\ ' 401) but the www-authenticate header is not present.'\ ' This requires human verification.' desc = desc % response.get_url()
regex_str = 'System </td><td class="v">(.*?)</td></tr>' sysinfo = re.search(regex_str, response.get_body(), re.I) if (php_version and sysinfo): desc = 'The phpinfo() file was found at: %s. The version'\ ' of PHP is: "%s" and the system information is:'\ ' "%s".' desc = desc % (response.get_url(), php_version.group(2), sysinfo.group(1)) v = Vuln('phpinfo() file found', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) if (self._has_audited == 0): self.audit_phpinfo(response) self._has_audited = 1 def audit_phpinfo(self, response): ''' Scan for insecure php settings :author: Aung Khant (aungkhant[at]yehg.net) :return none two divisions: vulnerable settings and useful informative settings '''
def audit_phpinfo(self, response): ''' Scan for insecure php settings :author: Aung Khant (aungkhant[at]yehg.net) :return none two divisions: vulnerable settings and useful informative settings ''' ##### [Vulnerable Settings] ##### ### [register_globals] ### regex_str = 'register_globals</td><td class="v">(On|Off)</td>' register_globals = re.search(regex_str, response.get_body(), re.I) rg_flag = '' if register_globals: rg = register_globals.group(1) if (rg == 'On'): desc = 'The phpinfo()::register_globals is on.' v = Vuln('PHP register_globals: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: rg_flag = 'info' rg_name = 'PHP register_globals: Off' rg_desc = 'The phpinfo()::register_globals is off.' ### [/register_globals] ### ### [allow_url_fopen] ### regex_str = 'allow_url_fopen</td><td class="v">(On|<i>no value</i>)</td>' allow_url_fopen = re.search(regex_str, response.get_body(), re.I) if allow_url_fopen: desc = 'The phpinfo()::allow_url_fopen is enabled.' v = Vuln('PHP allow_url_fopen: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/allow_url_fopen] ### ### [allow_url_include] ### regex_str = 'allow_url_include</td><td class="v">(On|<i>no value</i>)</td>' allow_url_include = re.search(regex_str, response.get_body(), re.I) if allow_url_include: desc = 'The phpinfo()::allow_url_include is enabled.' v = Vuln('PHP allow_url_include: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/allow_url_include] ### ### [display_errors] ### regex_str = 'display_errors</td><td class="v">(On|<i>no value</i>)</td>' display_errors = re.search(regex_str, response.get_body(), re.I) if display_errors: desc = 'The phpinfo()::display_errors is enabled.' v = Vuln('PHP display_errors: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/display_errors] ### ### [expose_php] ### regex_str = 'expose_php</td><td class="v">(On|<i>no value</i>)</td>' expose_php = re.search(regex_str, response.get_body(), re.I) if expose_php: desc = 'The phpinfo()::expose_php is enabled.' v = Vuln('PHP expose_php: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/expose_php] ### ### [lowest_privilege_test] ### regex_str = 'User/Group </td><td class="v">(.*?)\((\d.*?)\)/(\d.*?)</td>' lowest_privilege_test = re.search(regex_str, response.get_body(), re.I) lpt_flag = '' if lowest_privilege_test: lpt_uname = lowest_privilege_test.group(1) lpt_uid = lowest_privilege_test.group(2) lpt_uid = int(lpt_uid) lpt_gid = lowest_privilege_test.group(3) if lpt_uid < 99 or lpt_gid < 99 or \ re.match('root|apache|daemon|bin|operator|adm', lpt_uname, re.I): desc = 'phpinfo()::PHP may be executing as a higher privileged'\ ' group. Username: %s, UserID: %s, GroupID: %s.' desc = desc % (lpt_uname, lpt_uid, lpt_gid) v = Vuln('PHP lowest_privilege_test:fail', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: lpt_flag = 'info' lpt_name = 'privilege:' + lpt_uname lpt_desc = 'phpinfo()::PHP is executing under ' lpt_desc += 'username: '******', ' lpt_desc += 'userID: ' + str(lpt_uid) + ', ' lpt_desc += 'groupID: ' + lpt_gid ### [/lowest_privilege_test] ### ### [disable_functions] ### regex_str = 'disable_functions</td><td class="v">(.*?)</td>' disable_functions = re.search(regex_str, response.get_body(), re.I) if disable_functions: secure_df = 8 df = disable_functions.group(1) dfe = df.split(',') if (len(dfe) < secure_df): desc = 'The phpinfo()::disable_functions are set to few.' v = Vuln('PHP disable_functions:few', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/disable_functions] ### ### [curl_file_support] ### regex_str = '<h1 class="p">PHP Version (\d).(\d).(\d)</h1>' curl_file_support = re.search(regex_str, response.get_body(), re.I) if curl_file_support: php_major_ver = curl_file_support.group(1) php_minor_ver = curl_file_support.group(2) php_rev_ver = curl_file_support.group(3) current_ver = php_major_ver + '.' + php_minor_ver + \ '' + php_rev_ver current_ver = float(current_ver) php_major_ver = int(php_major_ver) php_minor_ver = int(php_minor_ver) php_rev_ver = int(php_rev_ver) cv4check = float(4.44) cv5check = float(5.16) curl_vuln = 1 if (php_major_ver == 4): if (current_ver >= cv4check): curl_vuln = 0 elif (php_major_ver == 5): if (current_ver >= cv5check): curl_vuln = 0 elif (php_major_ver >= 6): curl_vuln = 0 else: curl_vuln = 0 if (curl_vuln == 1): desc = 'The phpinfo()::cURL::file_support has a security hole'\ ' present in this version of PHP allows the cURL'\ ' functions to bypass safe_mode and open_basedir'\ ' restrictions.' v = Vuln('PHP curl_file_support:not_fixed', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/curl_file_support] ### ### [cgi_force_redirect] ### regex_str = 'cgi_force_redirect</td><td class="v">(.*?)</td>' cgi_force_redirect = re.search(regex_str, response.get_body(), re.I) if cgi_force_redirect: utd = cgi_force_redirect.group(1) + '' if (utd != 'On'): desc = 'The phpinfo()::CGI::force_redirect is disabled.' v = Vuln('PHP cgi_force_redirect: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/cgi_force_redirect] ### ### [session_cookie_httponly] ### regex_str = 'session\.cookie_httponly</td><td class="v">(Off|no|0)</td>' session_cookie_httponly = re.search(regex_str, response.get_body(), re.I) if session_cookie_httponly: desc = 'The phpinfo()::session.cookie_httponly is off.' v = Vuln('PHP session.cookie_httponly: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_cookie_httponly] ### ### [session_save_path] ### regex_str = 'session\.save_path</td><td class="v">(<i>no value</i>)</td>' session_save_path = re.search(regex_str, response.get_body(), re.I) if session_save_path: desc = 'The phpinfo()::session.save_path may be set to world-'\ 'accessible directory.' v = Vuln('PHP session_save_path:Everyone', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_save_path] ### ### [session_use_trans] ### regex_str = 'session\.use_trans</td><td class="v">(On)</td>' session_use_trans = re.search(regex_str, response.get_body(), re.I) if session_use_trans: desc = 'The phpinfo()::session.use_trans is enabled. This makes'\ ' session hijacking easier.' v = Vuln('PHP session_use_trans: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/session_use_trans] ### ### [default_charset] ### regex_str = 'default_charset</td><td class="v">(Off|no|0)</td>' default_charset = re.search(regex_str, response.get_body(), re.I) if default_charset: desc = 'The phpinfo()::default_charset is set to none. This'\ ' makes PHP scripts vulnerable to variable charset'\ ' encoding XSS.' v = Vuln('PHP default_charset: Off', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/default_charset] ### ### [enable_dl] ### regex_str = 'enable_dl</td><td class="v">(On|Off)</td>' enable_dl = re.search(regex_str, response.get_body(), re.I) ed_flag = '' if enable_dl: rg = enable_dl.group(1) if (rg == 'On'): desc = 'The phpinfo()::enable_dl is on.' v = Vuln('PHP enable_dl: On', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) else: ed_flag = 'info' ed_name = 'PHP enable_dl: Off' ed_desc = 'The phpinfo()::enable_dl is off.' ### [/enable_dl] ### ### [memory_limit] ### regex_str = 'memory_limit</td><td class="v">(\d.*?)</td>' memory_limit = re.search(regex_str, response.get_body(), re.I) if memory_limit: secure_ml = 10 ml = memory_limit.group(1) + '' ml = ml.replace('M', '') if (ml > secure_ml): desc = 'The phpinfo()::memory_limit is set to higher value'\ ' (%s).' % memory_limit.group(1) v = Vuln('PHP memory_limit:high', desc, severity.MEDIUM, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/memory_limit] ### ### [post_max_size] ### regex_str = 'post_max_size</td><td class="v">(\d.*?)</td>' post_max_size = re.search(regex_str, response.get_body(), re.IGNORECASE) if post_max_size: secure_pms = 20 pms = post_max_size.group(1) + '' pms = pms.replace('M', '') pms = int(pms) if (pms > secure_pms): desc = 'The phpinfo()::post_max_size is set to higher value'\ ' (%s).' % post_max_size.group(1) v = Vuln('PHP post_max_size:high', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/post_max_size] ### ### [upload_max_filesize] ### regex_str = 'upload_max_filesize</td><td class="v">(\d.*?)</td>' upload_max_filesize = re.search(regex_str, response.get_body(), re.IGNORECASE) if upload_max_filesize: secure_umf = 20 umf = upload_max_filesize.group(1) + '' umf = umf.replace('M', '') umf = int(umf) if (umf > secure_umf): desc = 'The phpinfo()::upload_max_filesize is set to higher'\ ' value (%s).' % upload_max_filesize.group(1) v = Vuln('PHP upload_max_filesize:high', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/upload_max_filesize] ### ### [upload_tmp_dir] ### regex_str = 'upload_tmp_dir</td><td class="v">(<i>no value</i>)</td>' upload_tmp_dir = re.search(regex_str, response.get_body(), re.I) if upload_tmp_dir: desc = 'The phpinfo()::upload_tmp_dir may be set to world-'\ 'accessible directory.' v = Vuln('PHP upload_tmp_dir:Everyone', desc, severity.LOW, response.id, self.get_name()) v.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', v) om.out.vulnerability(v.get_desc(), severity=v.get_severity()) ### [/upload_tmp_dir] ### ##### [/Vulnerable Settings] ##### ##### [Useful Informative Settings] ##### ### [privilege] ### if lpt_flag == 'info': i = Info(lpt_name, lpt_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/privilege] ### ### [register_globals]### if rg_flag == 'info': i = Info(rg_name, rg_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/register_globals]### ### [enable_dl]### if ed_flag == 'info': i = Info(ed_name, ed_desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/enable_dl]### ### [file_uploads] ### regex_str = 'file_uploads</td><td class="v">(On|<i>no value</i>)</td>' file_uploads = re.search(regex_str, response.get_body(), re.IGNORECASE) if file_uploads: desc = 'The phpinfo()::file_uploads is enabled.' i = Info('PHP file_uploads: On', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/file_uploads] ### ### [magic_quotes_gpc] ### regex_str = 'magic_quotes_gpc</td><td class="v">(On|Off)</td>' magic_quotes_gpc = re.search(regex_str, response.get_body(), re.I) if magic_quotes_gpc: mqg = magic_quotes_gpc.group(1) if (mqg == 'On'): desc = 'The phpinfo()::magic_quotes_gpc is on.' i = Info('PHP magic_quotes_gpc: On', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::magic_quotes_gpc is off.' i = Info('PHP magic_quotes_gpc: Off', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/magic_quotes_gpc] ### ### [open_basedir] ### regex_str = 'open_basedir</td><td class="v">(.*?)</td>' open_basedir = re.search(regex_str, response.get_body(), re.I) if open_basedir: obd = open_basedir.group(1) if (obd == '<i>no value</i>'): desc = 'The phpinfo()::open_basedir is not set.' i = Info('PHP open_basedir:disabled', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::open_basedir is set to %s.' desc = desc % open_basedir.group(1) i = Info('PHP open_basedir:enabled', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc()) ### [/open_basedir] ### ### [session_hash_function] ### regex_str = 'session\.hash_function</td><td class="v">(.*?)</td>' session_hash_function = re.search(regex_str, response.get_body(), re.I) if session_hash_function: if session_hash_function.group(1) == 0\ or session_hash_function.group(1) != 'no': desc = 'The phpinfo()::session.hash_function use md5 algorithm.' i = Info('PHP session.hash_function:md5', desc, response.id, self.get_name()) else: desc = 'The phpinfo()::session.hash_function use sha algorithm.' i = Info('PHP session.hash_function:sha', desc, response.id, self.get_name()) i.set_url(response.get_url()) kb.kb.append(self, 'phpinfo', i) om.out.information(i.get_desc())