##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.2 #
# Updated regex
##
Plugin.define "Microsoft-Office-XML" do
  author "Brendan Coles <bcoles@gmail.com>" # 2010-10-14
  version "0.2"
  description "This module detects instances of Microsoft Office documents saved as HTML and attempts to extract the user name, company name and office version."
  website "http://en.wikipedia.org/wiki/Microsoft_Office_XML_formats"

  # About 123,000 results for <o:DocumentProperties> <o:Template> @ 2010-10-14

  # Extract version, usernames and company
  def passive
    m = []

    # Excel: un-prefixed DocumentProperties element in the excel/office
    # namespace, or the mso-application processing instruction
    if @body =~ /<DocumentProperties xmlns="urn:schemas-microsoft-com:office:(?:excel|office)">/ or @body =~ /<\?mso-application progid="Excel\.Sheet"\?>/
      # Get version
      if @body =~ /<Version>([^<]+)<\/Version>/
        version = @body.scan(/<Version>([^<]+)<\/Version>/)[0][0]
        m << {:version=>"Excel "+version}
      end
      # Get company
      if @body =~ /<Company>([^<]+)<\/Company>/
        accounts = @body.scan(/<Company>([^<]+)<\/Company>/)[0][0]
        m << {:account=>"Company:"+accounts}
      end
      # Get usernames
      if @body =~ /<Author>([^<]+)<\/Author>/
        accounts = @body.scan(/<Author>([^<]+)<\/Author>/)[0][0]
        m << {:account=>accounts}
      end
      if @body =~ /<LastAuthor>([^<]+)<\/LastAuthor>/
        accounts = @body.scan(/<LastAuthor>([^<]+)<\/LastAuthor>/)[0][0]
        m << {:account=>accounts}
      end
    end

    # Word: o:-prefixed DocumentProperties element, or the mso-application
    # processing instruction
    if @body =~ /<o:DocumentProperties>/ or @body =~ /<\?mso-application progid="Word\.Document"\?>/
      # Get version
      if @body =~ /<o:Version>([^<]+)<\/o:Version>/
        version = @body.scan(/<o:Version>([^<]+)<\/o:Version>/)[0][0]
        m << {:version=>"Word "+version}
      end
      # Get company
      if @body =~ /<o:Company>([^<]+)<\/o:Company>/
        accounts = @body.scan(/<o:Company>([^<]+)<\/o:Company>/)[0][0]
        m << {:account=>"Company:"+accounts}
      end
      # Get usernames
      if @body =~ /<o:Author>([^<]+)<\/o:Author>/
        accounts = @body.scan(/<o:Author>([^<]+)<\/o:Author>/)[0][0]
        m << {:account=>accounts}
      end
      if @body =~ /<o:LastAuthor>([^<]+)<\/o:LastAuthor>/
        accounts = @body.scan(/<o:LastAuthor>([^<]+)<\/o:LastAuthor>/)[0][0]
        m << {:account=>accounts}
      end
    end

    # Core document properties (Office Open XML)
    if @body =~ /<cp:coreProperties/
      # Get usernames
      if @body =~ /<dc:creator>([^<]+)<\/dc:creator>/
        accounts = @body.scan(/<dc:creator>([^<]+)<\/dc:creator>/)[0][0]
        m << {:account=>accounts}
      end
      if @body =~ /<cp:lastModifiedBy>([^<]+)<\/cp:lastModifiedBy>/
        accounts = @body.scan(/<cp:lastModifiedBy>([^<]+)<\/cp:lastModifiedBy>/)[0][0]
        m << {:account=>accounts}
      end
      # Get company
      if @body =~ /<Company>([^<]+)<\/Company>/
        accounts = @body.scan(/<Company>([^<]+)<\/Company>/)[0][0]
        m << {:account=>"Company:"+accounts}
      end
      # Get version
      if @body =~ /<AppVersion>([^<]+)<\/AppVersion>/
        version = @body.scan(/<AppVersion>([^<]+)<\/AppVersion>/)[0][0]
        m << {:version=>version}
      end
    end

    # Return all collected matches
    m
  end
end