/usr/share/w3af/plugins/discovery/findvhost.py is in w3af-console 1.1svn5547-1.1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 | '''
findvhost.py
Copyright 2006 Andres Riancho
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
import core.controllers.outputManager as om
# options
from core.data.options.option import option
from core.data.options.optionList import optionList
from core.controllers.basePlugin.baseDiscoveryPlugin import baseDiscoveryPlugin
import core.data.parsers.dpCache as dpCache
from core.controllers.misc.levenshtein import relative_distance_lt
from core.data.fuzzer.fuzzer import createRandAlNum
from core.controllers.w3afException import w3afException
import core.data.kb.knowledgeBase as kb
import core.data.kb.info as info
import core.data.kb.vuln as vuln
import core.data.constants.severity as severity
from core.data.bloomfilter.bloomfilter import scalable_bloomfilter
import socket
class findvhost(baseDiscoveryPlugin):
'''
Modify the HTTP Host header and try to find virtual hosts.
@author: Andres Riancho ( andres.riancho@gmail.com )
'''
def __init__(self):
baseDiscoveryPlugin.__init__(self)
# Internal variables
self._first_exec = True
self._already_queried = scalable_bloomfilter()
self._can_resolve_domain_names = False
self._non_existant_response = None
def discover(self, fuzzableRequest ):
'''
Find virtual hosts.
@parameter fuzzableRequest: A fuzzableRequest instance that contains
(among other things) the URL to test.
'''
vhost_list = []
if self._first_exec:
# Only run once
self._first_exec = False
vhost_list = self._generic_vhosts( fuzzableRequest )
# Set this for later
self._can_resolve_domain_names = self._can_resolve_domains()
# I also test for ""dead links"" that the web programmer left in the page
# For example, If w3af finds a link to "http://corporative.intranet.corp/" it will try to
# resolve the dns name, if it fails, it will try to request that page from the server
vhost_list.extend( self._get_dead_links( fuzzableRequest ) )
# Report our findings
for vhost, request_id in vhost_list:
v = vuln.vuln()
v.setPluginName(self.getName())
v.setURL( fuzzableRequest.getURL() )
v.setMethod( 'GET' )
v.setName( 'Shared hosting' )
v.setSeverity(severity.LOW)
domain = fuzzableRequest.getURL().getDomain()
msg = 'Found a new virtual host at the target web server, the virtual host name is: "'
msg += vhost + '". To access this site you might need to change your DNS resolution'
msg += ' settings in order to point "' + vhost + '" to the IP address of "'
msg += domain + '".'
v.setDesc( msg )
v.setId( request_id )
kb.kb.append( self, 'findvhost', v )
om.out.information( v.getDesc() )
return []
def _get_dead_links(self, fuzzableRequest):
'''
Find every link on a HTML document verify if the domain is reachable or not; after that,
verify if the web found a different name for the target site or if we found a new site that
is linked. If the link points to a dead site then report it (it could be pointing to some
private address or something...)
'''
res = []
# Get some responses to compare later
base_url = fuzzableRequest.getURL().baseUrl()
original_response = self._uri_opener.GET(fuzzableRequest.getURI(), cache=True)
base_response = self._uri_opener.GET(base_url, cache=True)
base_resp_body = base_response.getBody()
try:
dp = dpCache.dpc.getDocumentParserFor(original_response)
except w3afException:
# Failed to find a suitable parser for the document
return []
# Set the non existant response
non_existant = 'iDoNotExistPleaseGoAwayNowOrDie' + createRandAlNum(4)
self._non_existant_response = self._uri_opener.GET(base_url,
cache=False, headers={'Host': non_existant})
nonexist_resp_body = self._non_existant_response.getBody()
# Note:
# - With parsed_references I'm 100% that it's really something in the HTML
# that the developer intended to add.
#
# - The re_references are the result of regular expressions, which in some cases
# are just false positives.
#
# In this case, and because I'm only going to use the domain name of the URL
# I'm going to trust the re_references also.
parsed_references, re_references = dp.getReferences()
parsed_references.extend(re_references)
for link in parsed_references:
domain = link.getDomain()
#
# First section, find internal hosts using the HTTP Host header:
#
if domain not in self._already_queried:
# If the parsed page has an external link to www.google.com
# then I'll send a request to the target site, with Host: www.google.com
# This sucks, but it's cool if the document has a link to
# http://some.internal.site.target.com/
try:
vhost_response = self._uri_opener.GET(base_url, cache=False,
headers={'Host': domain })
except w3afException:
pass
else:
self._already_queried.add(domain)
vhost_resp_body = vhost_response.getBody()
# If they are *really* different (not just different by some chars)
if relative_distance_lt(vhost_resp_body, base_resp_body, 0.35) and \
relative_distance_lt(vhost_resp_body, nonexist_resp_body, 0.35):
# and the domain can't just be resolved using a DNS query to
# our regular DNS server
report = True
if self._can_resolve_domain_names:
try:
socket.gethostbyname(domain)
except:
# aha! The HTML is linking to a domain that's
# hosted in the same server, and the domain name
# can NOT be resolved!
report = True
else:
report = False
# have found something interesting!
if report:
res.append( (domain, vhost_response.id) )
#
# Second section, find hosts using failed DNS resolutions
#
if self._can_resolve_domain_names:
try:
# raises exception when it's not found
# socket.gaierror: (-5, 'No address associated with hostname')
socket.gethostbyname( domain )
except:
i = info.info()
i.setPluginName(self.getName())
i.setName('Internal hostname in HTML link')
i.setURL( fuzzableRequest.getURL() )
i.setMethod( 'GET' )
i.setId( original_response.id )
msg = 'The content of "'+ fuzzableRequest.getURL() +'" references a non '
msg += 'existant domain: "' + link + '". This may be a broken link, or an'
msg += ' internal domain name.'
i.setDesc( msg )
kb.kb.append( self, 'findvhost', i )
om.out.information( i.getDesc() )
res = [ r for r in res if r != '']
return res
def _can_resolve_domains(self):
'''
This method was added to verify if w3af can resolve domain names
using the OS configuration (/etc/resolv.conf in linux) or if we are in some
strange LAN where we can't.
@return: True if we can resolve domain names.
'''
try:
socket.gethostbyname( 'www.w3.org' )
except:
return False
else:
return True
def _generic_vhosts( self, fuzzableRequest ):
'''
Test some generic virtual hosts, only do this once.
'''
res = []
base_url = fuzzableRequest.getURL().baseUrl()
common_vhost_list = self._get_common_virtualhosts(base_url)
# Get some responses to compare later
original_response = self._uri_opener.GET(base_url, cache=True)
orig_resp_body = original_response.getBody()
non_existant = 'iDoNotExistPleaseGoAwayNowOrDie' + createRandAlNum(4)
self._non_existant_response = self._uri_opener.GET(base_url, cache=False, \
headers={'Host': non_existant })
nonexist_resp_body = self._non_existant_response.getBody()
for common_vhost in common_vhost_list:
try:
vhost_response = self._uri_opener.GET( base_url, cache=False, \
headers={'Host': common_vhost } )
except w3afException:
pass
else:
vhost_resp_body = vhost_response.getBody()
# If they are *really* different (not just different by some chars)
if relative_distance_lt(vhost_resp_body, orig_resp_body, 0.35) and \
relative_distance_lt(vhost_resp_body, nonexist_resp_body, 0.35):
res.append((common_vhost, vhost_response.id))
return res
def _get_common_virtualhosts( self, base_url ):
'''
@parameter base_url: The target URL object.
@return: A list of possible domain names that could be hosted in the same web
server that "domain".
'''
res = []
domain = base_url.getDomain()
root_domain = base_url.getRootDomain()
common_virtual_hosts = ['intranet', 'intra', 'extranet', 'extra' , 'test' , 'test1'
'old' , 'new' , 'admin', 'adm', 'webmail', 'services', 'console', 'apps', 'mail',
'corporate', 'ws', 'webservice', 'private', 'secure', 'safe', 'hidden', 'public' ]
for subdomain in common_virtual_hosts:
# intranet
res.append( subdomain )
# intranet.www.targetsite.com
res.append( subdomain + '.' + domain )
# intranet.targetsite.com
res.append( subdomain + '.' + root_domain )
# This is for:
# intranet.targetsite
res.append( subdomain + '.' + root_domain.split('.')[0] )
return res
def getOptions( self ):
'''
@return: A list of option objects for this plugin.
'''
ol = optionList()
return ol
def setOptions( self, OptionList ):
'''
This method sets all the options that are configured using the user interface
generated by the framework using the result of getOptions().
@parameter OptionList: A dictionary with the options for the plugin.
@return: No value is returned.
'''
pass
def getPluginDeps( self ):
'''
@return: A list with the names of the plugins that should be run before the
current one.
'''
return []
def getLongDesc( self ):
'''
@return: A DETAILED description of the plugin functions and features.
'''
return '''
This plugin uses the HTTP Host header to find new virtual hosts. For example, if the
intranet page is hosted in the same server that the public page, and the web server
is misconfigured, this plugin will discover that virtual host.
Please note that this plugin doesn't use any DNS technique to find this virtual hosts.
'''
|