Tomas,

On Sun, Oct 7, 2012 at 6:00 PM, Tomas Velazquez
<tomas.velazqu...@gmail.com> wrote:
> List, Andres,
>
> The idea is that for every directory found by web_spider, exploit the
> vulnerability and get the short name list of directories and files.
> Then with these files, like "ASPNET~1", try a directory brute force that is
> only done with directory names that match the first 6 characters.
>
> Yeah, this code is only a POC, it should be rewritten. I need some new ideas on
> how to do this.
>
> Andres, I use a very small dictionary to test the plugin:
> https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/discovery/iis_short_name_brute/common_dirs_iis.db

All right, so... if you agree, let's leave this plugin aside for a
while. I think that you already have enough with the RFI and LFI tests
you're running and the potential rewrite of the rcs.py plugin you
wrote a while ago.

Just finished writing this to my TODO list:

 * Verify if I can write a plugin or core component that exploits the
8.3 filename format as explained by Bogdan in a blog post. Tomas sent
iis_short_name_brute.py a while ago which could be useful; but I was
thinking about something that wouldn't depend on a separate wordlist.
My idea would work more like:
   * Intercept all HTTP requests and responses
   * Verify if the remote server supports 8.3
   * If the response was a 404, and the remote server supports 8.3 try
the short name instead.
   The good thing about this is that if the user enabled 8.3 and
nikto, and nikto requests /backup2012.tgz and it doesn't exist, the
8.3 would request /backup~1.tgz and that might exist. The bad thing is
that it is a mixture between a grep plugin (needs to read all http
traffic) and a crawl plugin (needs to perform requests and return new
URLs to the core); which might be difficult to implement respecting
the framework's rules.

Regards,

> Regards
>
>
>
> On Fri, Oct 5, 2012 at 9:25 PM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> List, Tomas,
>>
>> > -
>> > https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/discovery/iis_short_name_brute.py
>>
>> Wanted to do that for a while! It was in my TODO list [0] , search for
>> 8.3. My idea was different from the one you've implemented, could you
>> explain to us what this does? I see that it verifies that the remote
>> server has this feature and then it tries to bruteforce it, but I was
>> expecting tests like backup~.zip , are those in common_dirs_iis.db?
>> Could you share that file?
>>
>> Send us more info about the techniques used, how it was tested, etc.
>>
>> [0] https://sourceforge.net/apps/trac/w3af/wiki/andres%27-TODO
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

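Added example (not w3af code and not Tomas's iis_short_name_brute.py): the two ideas above both hinge on predicting the 8.3 name Windows would give a long name. The block below derives that name under the default NTFS rules (first 6 kept characters plus "~1", extension cut to 3), builds the "~1" retry URL for a 404 the way Andres describes, and prunes a wordlist to the entries that could have produced a disclosed short name such as "ASPNET~1", which is Tomas's filter. The function names, the sample URLs and the wordlist are constructed for the example. It assumes the "~1" candidate only (collision suffixes "~2", "~3", ... are not enumerated) and it does not implement the wildcard disclosure request itself.

```python
"""
Added example for the w3af-develop thread on 8.3 short names.
Assumptions: default NTFS short-name generation, '~1' only, plain (not
percent-encoded) path segments. Not w3af code.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Characters NTFS removes (spaces, extra dots) or replaces with '_' when it
# builds a short name. Assumption: the common ASCII subset of the rule set.
_REMOVED = re.compile(r"[ .]")
_INVALID = re.compile(r'[+,;=\[\]"*:<>?/\\|]')


def short_name(long_name: str, seq: int = 1) -> str:
    """Return the 8.3 name NTFS would generate, e.g. 'backup2012.tgz' -> 'BACKUP~1.TGZ'.
    A name that is already valid 8.3 is returned unchanged (uppercased): no tilde name exists for it."""
    name = long_name.lstrip(".")          # leading dots are discarded
    base, dot, ext = name.rpartition(".")
    if not dot:                           # no extension at all
        base, ext = name, ""

    def clean(part: str) -> str:
        part = _REMOVED.sub("", part)
        part = _INVALID.sub("_", part)
        return part.upper()

    cbase, cext = clean(base), clean(ext)[:3]
    already_83 = (name == long_name and cbase == base.upper()
                  and cext == ext.upper() and len(cbase) <= 8)
    stem = cbase if already_83 else f"{cbase[:6]}~{seq}"
    return stem + (f".{cext}" if cext else "")


def short_url_for_404(url: str, status: int):
    """Andres's idea: for a 404, return the URL with the last path segment
    replaced by its 8.3 name, or None if there is nothing worth retrying."""
    if status != 404:
        return None
    parts = urlsplit(url)
    trailing = parts.path.endswith("/")   # keep directory-style URLs as directories
    directory, _, leaf = parts.path.rstrip("/").rpartition("/")
    if not leaf:
        return None
    candidate = short_name(leaf)
    if candidate == leaf.upper():         # already 8.3: retrying would repeat the 404
        return None
    # IIS/NTFS are case-insensitive, so emit lowercase as in the thread's example.
    new_path = f"{directory}/{candidate.lower()}" + ("/" if trailing else "")
    return urlunsplit(parts._replace(path=new_path))


def _stem_ext(short: str):
    """Split 'ASPNET~2.CON' into ('ASPNET', 'CON'), ignoring the collision number."""
    base, _, ext = short.partition(".")
    return base.split("~")[0], ext


def matching_candidates(disclosed_short: str, wordlist):
    """Tomas's filter: keep only wordlist entries whose generated short name has
    the same 6-character stem and extension as the name the server disclosed."""
    want = _stem_ext(disclosed_short.upper())
    keep = []
    for word in wordlist:
        generated = short_name(word)
        # A word that is already valid 8.3 never gets a tilde name, so it cannot
        # be the origin of a disclosed '~N' entry.
        if "~" in generated and _stem_ext(generated) == want:
            keep.append(word)
    return keep


def retry_urls(observed):
    """Run the 404 hook over (url, status) pairs as a grep-style plugin would."""
    return [r for r in (short_url_for_404(u, s) for u, s in observed) if r]


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real host.
    traffic = [
        ("http://target/backup2012.tgz", 404),
        ("http://target/default.asp", 404),
        ("http://target/aspnet_client/", 404),
        ("http://target/index.html", 200),
    ]
    print(retry_urls(traffic))
    print(matching_candidates("ASPNET~1", ["aspnet_client", "aspnet", "images"]))
```

Two caveats for anyone turning this into a plugin: the "~1" guess fails whenever several long names share the first six characters in one directory (the disclosure technique reports the real "~N", so prefer that over the guess when both are available), and percent-encoded or Unicode segments should be decoded before short_name() sees them.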
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
