Andres,
Your ideas seem great! Maybe this plugin should be two plugins.
A grep plugin doing detection and a crawl plugin doing brute force.
I would like to remind people on the list that requests with a short name
are invalid; we need the full filename! And the obvious solution to
find filenames is brute force. Maybe we need a new function that
searches all dictionaries of w3af and returns the words that could
match short names.
What do you think, List?
Sounds good, I'll leave this plugin at the end of my TODO.
Regards,
On Mon, Oct 15, 2012 at 10:49 PM, Andres Riancho
<andres.rian...@gmail.com> wrote:
> Tomas,
>
> On Sun, Oct 7, 2012 at 6:00 PM, Tomas Velazquez
> <tomas.velazqu...@gmail.com> wrote:
> > List, Andres,
> >
> > The idea is that for every directory found by web_spider, exploit the
> > vulnerability and get the short name list of directories and files.
> > Then with these files, like "ASPNET~1", try a directory brute force that
> > is only done with directory names that match the first 6 characters.
> >
> > Yeah, this code is only a POC, it should be rewritten. I need some new
> > ideas on how to do this.
> >
> > Andres, I use a very small dictionary to test the plugin:
> >
> https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/discovery/iis_short_name_brute/common_dirs_iis.db
>
> All right, so... if you agree, let's leave this plugin aside for a
> while. I think that you already have enough with the RFI and LFI tests
> you're running and the potential rewrite of the rcs.py plugin you
> wrote a while ago.
>
> Just finished writing this to my TODO list:
>
> * Verify if I can write a plugin or core component that exploits the
> 8.3 filename format as explained by Bogdan in a blog post. Tomas sent
> iis_short_name_brute.py a while ago which could be useful; but I was
> thinking about something that wouldn't depend on a separate wordlist.
> My idea would work more like:
> * Intercept all HTTP requests and responses
> * Verify if the remote server supports 8.3
> * If the response was a 404 and the remote server supports 8.3, try
> the short name instead.
> The good thing about this is that if the user enabled 8.3 and
> nikto, and nikto requests /backup2012.tgz and it doesn't exist, the
> 8.3 would request /backup~1.tgz and that might exist. The bad thing is
> that it is a mixture between a grep plugin (needs to read all http
> traffic) and a crawl plugin (needs to perform requests and return new
> URLs to the core); which might be difficult to implement respecting
> the framework's rules.
>
> Regards,
>
> > Regards
> >
> >
> >
> > On Fri, Oct 5, 2012 at 9:25 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> >>
> >> List, Tomas,
> >>
> >> > - https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/discovery/iis_short_name_brute.py
> >>
> >> Wanted to do that for a while! It was in my TODO list [0], search for
> >> 8.3. My idea was different from the one you've implemented, could you
> >> explain to us what this does? I see that it verifies that the remote
> >> server has this feature and then it tries to bruteforce it, but I was
> >> expecting tests like backup~.zip , are those in common_dirs_iis.db?
> >> Could you share that file?
> >>
> >> Send us more info about the techniques used, how it was tested, etc.
> >>
> >> [0] https://sourceforge.net/apps/trac/w3af/wiki/andres%27-TODO
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
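The three pieces this thread circles around (turning a long name into its 8.3 form, filtering a wordlist down to the entries that could be behind a leaked short name like ASPNET~1, and retrying a 404 with the short name as Andres sketches) as an added example in Python. This is not code from w3af or from Tomas's iis_short_name_brute.py plugin; the function names and SAMPLE_WORDLIST are constructed for the example, and the conversion rules are an approximation of what NTFS does (spaces and extra periods dropped, other disallowed characters replaced with an underscore, base truncated to six characters plus ~N, extension truncated to three; names that already fit 8.3 get no tilde name, and the hashed form Windows uses after the fourth collision is not modelled).

```python
import re
from typing import Iterable, List, Optional

# Characters NTFS allows in an 8.3 name besides ASCII letters and digits.
_SHORT_EXTRA = set("!#$%&'()-@^_`{}~")

# A tilde short name as leaked by IIS: up to six base characters, a tilde,
# the collision digit, and an optional extension of up to three characters.
_SHORT_RE = re.compile(r"([^~.]{1,6})~(\d)(?:\.([^.]{0,3}))?")

# Constructed sample wordlist standing in for common_dirs_iis.db; a real
# plugin would read w3af's own dictionaries instead.
SAMPLE_WORDLIST = [
    "aspnet_client", "aspnetcore", "aspnet", "asp", "images", "scripts",
    "backup2012.tgz", "backup.tgz", "web.config", "readme.txt",
]


def _sanitize(part: str) -> str:
    """Apply the 8.3 character rules to one name component: upper-case it,
    drop spaces and periods, replace anything else NTFS disallows with '_'."""
    out = []
    for ch in part.upper():
        if (ch.isascii() and ch.isalnum()) or ch in _SHORT_EXTRA:
            out.append(ch)
        elif ch in " .":
            continue
        else:
            out.append("_")
    return "".join(out)


def short_name(long_name: str, index: int = 1) -> str:
    """Approximate the 8.3 short name NTFS generates for `long_name`.

    `index` is the collision counter after the tilde (ASPNET~1, ASPNET~2...).
    A name that already fits 8.3 is returned unchanged (upper-cased) because
    NTFS generates no tilde name for it.  Assumption: the hashed form used
    after the fourth collision is not modelled here.
    """
    name = long_name.strip().lstrip(".")
    if not name:
        raise ValueError("empty file name")
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    sbase, sext = _sanitize(base), _sanitize(ext)
    fits_83 = (
        sbase == base.upper() and sext == ext.upper()
        and 1 <= len(sbase) <= 8 and len(sext) <= 3
    )
    if fits_83:
        return sbase + ("." + sext if sext else "")
    short = "%s~%d" % (sbase[:6], index)
    if sext:
        short += "." + sext[:3]
    return short


def candidates_for(short: str, words: Iterable[str]) -> List[str]:
    """Filter a wordlist down to the entries whose 8.3 form equals the short
    name the server leaked, so brute force only spends requests on those."""
    short = short.upper()
    m = _SHORT_RE.fullmatch(short)
    if not m:
        raise ValueError("not a tilde short name: %r" % short)
    index = int(m.group(2))
    return [w for w in words if short_name(w, index) == short]


def short_url_for_404(path: str) -> Optional[str]:
    """For a path that returned 404, build the retry using the 8.3 form of its
    last segment (/backup2012.tgz -> /backup~1.tgz).  Returns None when the
    segment already fits 8.3, since the retry would be the same request."""
    head, sep, last = path.rpartition("/")
    if not last:
        return None
    short = short_name(last)
    if "~" not in short:
        return None
    return head + sep + short.lower()   # IIS paths are case-insensitive


if __name__ == "__main__":
    print(short_name("backup2012.tgz"))                 # BACKUP~1.TGZ
    print(candidates_for("ASPNET~1", SAMPLE_WORDLIST))  # ['aspnet_client', 'aspnetcore']
    print(short_url_for_404("/backup2012.tgz"))         # /backup~1.tgz
```

The filtering step is what makes the brute force cheap: instead of requesting every dictionary entry under each directory, only the words whose computed short name equals the leaked one are tried, and the collision digit after the tilde is honoured so ASPNET~2 does not match the same words as ASPNET~1 unless the caller already knows the first collision. short_url_for_404 only returns a retry when the requested name is longer than 8.3 allows; that avoids wasting a second request on names like readme.txt whose short form is identical.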