Andres,
I applied your fixes, thanks. I also added threadpool function to download
files!
https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py
If someone wants to see the results of google can use this google dork:
inurl:listing ext:listing rwx OR rw- OR r-x OR r--
And google can crawl this files because exist directory listing. How many
hidden .listing exist at Internet? :>
Regards
On Fri, Oct 5, 2012 at 9:38 PM, Andres Riancho <andres.rian...@gmail.com>wrote:
> List, Tomas,
>
> > -
> https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py
>
> * Was totally unaware of the .listing files, nice find :)
>
> * Plugin was written for threading2 branch, wiiii ! I don't have to
> migrate it :)
>
> * Code review:
>
> - self._regex_str =
> '[a-z-]{10}\s*\d+\s*\d+\s*\d+\s*\d+\s*\w+\s*\d+\s*[0-9:]{4,5}\s*(\S+)'
> self._mo = re.compile(self._regex_str)
>
> No need to make the regex_str a class attribute if you're not
> going to use it again. Rename self._mo to self._listing_parser_re ,
> "mo" usually is short for match object (which is actually the result
> of applying a regex to a string, not the compiled regex).
>
> - Well documented code, thanks for that
>
> - Not sure if this is needed for "production code" om.out.debug(
> '[dot_listing] Testing "' + url + '".' )
>
> - msg = ('A .listing file was found at: "%s". The contents'
> ' of this file can disclose filenames')
>
> Actually you just proved a couple of lines above that the
> .listing actually discloses filenames, so I would rephrase that to
> remove the potential.
>
> To sum up, this looks good and should be easy to add to the threading2
> branch after these changes have been applied and the unittests are
> written (I'll do that last part). Thanks!
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
