Tomas,

On Sun, Oct 7, 2012 at 2:43 PM, Tomas Velazquez <tomas.velazqu...@gmail.com> wrote:
> Andres,
>
> I applied your fixes, thanks. I also added a threadpool function to download
> files!
> https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py

Nice! I'll work on this tomorrow,

> If someone wants to see the results from Google, they can use this Google dork:
> inurl:listing ext:listing rwx OR rw- OR r-x OR r--

Looking at some results I found that the file also exposes the
username that owns the file. I'll parse that too, show it as a
vulnerability and put it somewhere in the KB where bruteforce plugins
can use it as a username.

> And Google can crawl these files because directory listing exists. How many
> hidden .listing files exist on the Internet? :>
>
> Regards
>
>
> On Fri, Oct 5, 2012 at 9:38 PM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> List, Tomas,
>>
>> > -
>> > https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py
>>
>> * Was totally unaware of the .listing files, nice find :)
>>
>> * Plugin was written for threading2 branch, wiiii ! I don't have to
>> migrate it :)
>>
>> * Code review:
>>
>>     - self._regex_str =
>> '[a-z-]{10}\s*\d+\s*\d+\s*\d+\s*\d+\s*\w+\s*\d+\s*[0-9:]{4,5}\s*(\S+)'
>>       self._mo = re.compile(self._regex_str)
>>
>>       No need to make the regex_str a class attribute if you're not
>> going to use it again. Rename self._mo to self._listing_parser_re ,
>> "mo" usually is short for match object (which is actually the result
>> of applying a regex to a string, not the compiled regex).
>>
>>     - Well documented code, thanks for that
>>
>>     - Not sure if this is needed for "production code" om.out.debug(
>> '[dot_listing] Testing "' + url + '".' )
>>
>>     - msg = ('A .listing file was found at: "%s". The contents'
>>               ' of this file can disclose filenames')
>>
>>       Actually you just proved a couple of lines above that the
>> .listing actually discloses filenames, so I would rephrase that to
>> remove the potential.
>>
>> To sum up, this looks good and should be easy to add to the threading2
>> branch after these changes have been applied and the unittests are
>> written (I'll do that last part). Thanks!
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
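
An added example, not part of the original thread and not the w3af plugin's code: a parser for `.listing` lines that captures the owner as well as the filename, which is the extension discussed in the reply above. The regex, the names `LISTING_LINE_RE` and `parse_listing`, and the sample lines are assumptions constructed for illustration; it also goes beyond the reviewed regex by accepting named owners and filenames containing spaces.

```python
import re

# One "ls -l" style line as stored in a .listing file.
# Assumption: owner/group may be names or numeric ids, and the date is
# "Mon DD HH:MM" or "Mon DD  YYYY".
LISTING_LINE_RE = re.compile(
    r'^(?P<perms>[a-zA-Z-]{10})\s+'   # type + mode bits, e.g. drwxr-xr-x
    r'\d+\s+'                         # link count
    r'(?P<owner>\S+)\s+'
    r'(?P<group>\S+)\s+'
    r'(?P<size>\d+)\s+'
    r'[A-Za-z]{3}\s+\d{1,2}\s+'       # month and day
    r'(?:\d{1,2}:\d{2}|\d{4})\s+'     # time of day, or year for old files
    r'(?P<name>.+?)\s*$'              # rest of line, so spaces survive
)

def parse_listing(text):
    """Return (entries, owner_names) parsed from the body of a .listing file."""
    entries, owners = [], set()
    for line in text.splitlines():
        match = LISTING_LINE_RE.match(line.strip())
        if match is None:
            continue  # "total N" header, blank lines, anything unexpected
        name = match.group('name')
        if match.group('perms').startswith('l'):
            name = name.split(' -> ', 1)[0]  # drop the symlink target
        if name in ('.', '..'):
            continue
        owner = match.group('owner')
        entries.append({'name': name, 'owner': owner,
                        'is_dir': match.group('perms').startswith('d')})
        if not owner.isdigit():
            owners.add(owner)  # a numeric id is not an account name
    return entries, owners

# Constructed sample, not taken from a real server.
SAMPLE = (
    "total 16\r\n"
    "drwxr-xr-x   2 webadmin www      4096 Oct  5 21:38 .\r\n"
    "drwxr-xr-x   5 1001     1001     4096 Oct  5  2011 ..\r\n"
    "-rw-r--r--   1 webadmin www       512 Oct  7 14:43 backup 2012.sql\r\n"
    "-rw-r-----   1 1001     1001      120 Jan 12  2011 config.inc\r\n"
    "lrwxrwxrwx   1 deploy   www         9 Oct  7 09:01 current -> releases\r\n"
)

if __name__ == '__main__':
    found, names = parse_listing(SAMPLE)
    print([e['name'] for e in found], sorted(names))
```

Run against a copy of your own web root, the owner set shows which account names a crawlable `.listing` file would hand to anyone who fetches it.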