#VERSION,2.06
# $Id: nikto_msgs.plugin 632 2011-02-19 02:49:31Z sullo $
###############################################################################
# Copyright (C) 2006 CIRT, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License only.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###############################################################################
# PURPOSE:
# Various messages relating to the server banner
###############################################################################
# NOTES:
# Versions are loaded from the "db_server_msgs" file, which should be in the
# plugins directory. This plugin checks the server version to see if there are
# any version-specific items in db_server_msgs. This differs from
# nikto_outdated, which ONLY checks whether the version is old, whereas this
# plugin checks whether the versions match.
###############################################################################
sub nikto_msgs_init {
    my $id = { name        => "msgs",
               full_name   => "Server Messages",
               author      => "Sullo",
               description => "Checks the server version against known issues.",
               hooks       => {
                         scan => { method => \&nikto_msgs,
                                   weight => 20,
                                   },
                         },
               copyright => "2008 CIRT Inc."
               };
    return $id;
}

sub nikto_msgs {
    # Unpack $mark before testing it; the terminate check needs the argument
    my ($mark) = @_;
    return if $mark->{'terminate'};

    my $dbarray;
    $dbarray = init_db("db_server_msgs");

    # Report every db_server_msgs entry whose server pattern matches the banner
    foreach my $item (@$dbarray) {
        $item->{'server'} = validate_and_fix_regex($item->{'server'});
        if ($mark->{'banner'} =~ /($item->{'server'})\b/i) {
            add_vulnerability($mark, "$1 - $item->{'message'}",
                              $item->{'nikto_id'}, $item->{'osvdb'});
        }
    }

    # Special stuff to pull information from results
    # McAfee ePO
    if ($mark->{'banner'} =~ /Agent-ListenServer-HttpSvr\/1\.0\b/i) {
        my ($RES, $CONTENT) =
          nfetch($mark, "/", "GET", "", "", "", "msgs: Agent-ListenServer-HttpSvr");

        # This block is not inside a loop, so leave the sub with return, not next
        return unless ($RES == 200);
        return if $mark->{'terminate'};

        # Computer name
        my $name = $CONTENT;
        $name =~ s#(^.*<ComputerName>)([a-zA-Z0-9]*)(</ComputerName>.*$)#$2#;

        # ePO server name
        my $eposerver = $CONTENT;
        $eposerver =~ s#(^.*<ePOServerName>)([a-zA-Z0-9]*)(</ePOServerName>.*$)#$2#;

        add_vulnerability(
            $mark,
            "Web server is a McAfee ePO agent, showing the hostname is $name and the ePO server is $eposerver.",
            80100,
            0
            );
    }

    # HP WBEM
    if ($mark->{'banner'} =~ /CompaqHTTPServer/i) {
        my ($RES, $CONTENT) =
          nfetch($mark, "/cpqlogin.htm", "GET", "", "", "", "msgs: CompaqHTTPServer");

        # As above: return instead of next, since there is no enclosing loop
        return unless ($RES == 200);
        return if $mark->{'terminate'};

        my $ipaddrs = "";
        my $name;

        # The login page is scanned line by line for the hostname and IP addresses
        foreach my $line (split(/\n/, $CONTENT)) {
            if ($line =~ "System Management Homepage for ") {
                $name = $line;
                $name =~ s#(^.*System Management Homepage for )([a-zA-Z0-9]*)(</font>.*$)#$2#;
            }
            if ($line =~ "new ObjectIpAddresses") {
                my $ipaddr = $line;
                $ipaddr =~ s#(^.*new ObjectIpAddresses\(")([\d\.]+)("\);.*$)#$2#;
                nprint("$ipaddr");
                $ipaddrs .= " $ipaddr";
            }
        }

        add_vulnerability(
            $mark,
            "Web server is an HP WBEM agent, showing the hostname is $name and the IP addresses are$ipaddrs.",
            80101,
            0
            );
    }
}

1;