Andres,

I tested yesterday and it worked perfectly. Good work with the improvements!

Regards,


On Fri, Oct 12, 2012 at 4:36 PM, Andres Riancho <andres.rian...@gmail.com> wrote:

> Tomas,
>
> On Thu, Oct 11, 2012 at 10:37 PM, Andres Riancho
> <andres.rian...@gmail.com> wrote:
> > Tomas,
> >
> > On Sun, Oct 7, 2012 at 2:43 PM, Tomas Velazquez
> > <tomas.velazqu...@gmail.com> wrote:
> >> Andres,
> >>
> >> I applied your fixes, thanks. I also added a threadpool function to download
> >> files!
> >>
> >> https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py
> >
> > Nice! I'll work on this tomorrow,
>
> Done! Your code made it into the threading2 branch! I applied some
> minor changes that you can see here [0][1]. The most important ones
> are:
>
>     * Updated regular expression to pass all the tests
>     * Reporting vulnerability when username and group are disclosed
>     * Reporting that .listing exists even though the files referenced
>       in it are not present (the sysadmin should remove the .listing
>       anyways)
>     * Returning .listing URL to the core
>
> This leaves my TODO [2] with only two items related to you:
>     * iis_short_name_brute.py
>     * rcs.py
>
> I think I'll be able to close them later today.
>
> [0] https://sourceforge.net/apps/trac/w3af/changeset/5885
> [1] https://sourceforge.net/apps/trac/w3af/changeset/5884
> [2] https://sourceforge.net/apps/trac/w3af/wiki/andres%27-TODO
>
> >> If someone wants to see the results from Google, they can use this Google dork:
> >> inurl:listing ext:listing rwx OR rw- OR r-x OR r--
> >
> > Looking at some results I found that the file also exposes the
> > username that owns the file. I'll parse that too, show it as a
> > vulnerability and put it somewhere in the KB where bruteforce plugins
> > can use it as a username.
> >
> >> And Google can crawl these files because directory listing exists. How many
> >> hidden .listing files exist on the Internet? :>
> >>
> >> Regards
> >>
> >>
> >> On Fri, Oct 5, 2012 at 9:38 PM, Andres Riancho <andres.rian...@gmail.com>
> >> wrote:
> >>>
> >>> List, Tomas,
> >>>
> >>> > - https://code.google.com/p/tvelazquez/source/browse/pentest/w3af-plugins/crawl/dot_listing.py
> >>>
> >>> * Was totally unaware of the .listing files, nice find :)
> >>>
> >>> * Plugin was written for threading2 branch, wiiii ! I don't have to
> >>> migrate it :)
> >>>
> >>> * Code review:
> >>>
> >>>     -   self._regex_str = '[a-z-]{10}\s*\d+\s*\d+\s*\d+\s*\d+\s*\w+\s*\d+\s*[0-9:]{4,5}\s*(\S+)'
> >>>         self._mo = re.compile(self._regex_str)
> >>>
> >>>     No need to make the regex_str a class attribute if you're not
> >>> going to use it again. Rename self._mo to self._listing_parser_re ,
> >>> "mo" usually is short for match object (which is actually the result
> >>> of applying a regex to a string, not the compiled regex).
> >>>
> >>>     - Well documented code, thanks for that
> >>>
> >>>     - Not sure if this is needed for "production code":
> >>>       om.out.debug( '[dot_listing] Testing "' + url + '".' )
> >>>
> >>>     - msg = ('A .listing file was found at: "%s". The contents'
> >>>                  ' of this file can disclose filenames')
> >>>
> >>>       Actually you just proved a couple of lines above that the
> >>> .listing actually discloses filenames, so I would rephrase that to
> >>> remove the potential.
> >>>
> >>> To sum up, this looks good and should be easy to add to the threading2
> >>> branch after these changes have been applied and the unittests are
> >>> written (I'll do that last part). Thanks!
> >>>
> >>> Regards,
> >>> --
> >>> Andrés Riancho
> >>> Project Leader at w3af - http://w3af.org/
> >>> Web Application Attack and Audit Framework
> >>> Twitter: @w3af
> >>> GPG: 0x93C344F3
> >>
> >>
> >
> >
> >
> > --
> > Andrés Riancho
> > Project Leader at w3af - http://w3af.org/
> > Web Application Attack and Audit Framework
> > Twitter: @w3af
> > GPG: 0x93C344F3
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
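
Added example (not part of the thread and not w3af's dot_listing.py): a parser for the ls -l style lines the thread's regex targets, generalised to owner and group names and to filenames containing spaces. It reports the three things the thread lists: the .listing file itself, the filenames it discloses, and the user and group names. The function names, the sample listing and the example.test host are constructed for illustration.

```python
import re

# Added example, not w3af's dot_listing.py. Assumes ls -l style lines:
# perms, links, owner, group, size, month, day, time-or-year, name.
LISTING_LINE_RE = re.compile(
    r'^(?P<perms>[a-zA-Z-]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+\d+\s+\w{3}\s+\d{1,2}\s+[0-9:]{4,5}\s+(?P<name>.+?)\s*$'
)

def parse_listing(text):
    """Return (names, owners, groups) disclosed by a .listing body."""
    names, owners, groups = [], set(), set()
    for line in text.splitlines():
        match = LISTING_LINE_RE.match(line.strip())
        if match is None:
            continue  # "total N" header, blank lines, anything not ls -l
        name = match.group('name')
        if match.group('perms').startswith('l'):
            name = name.split(' -> ')[0]  # link name, not its target
        if name in ('.', '..'):
            continue
        names.append(name)
        # A numeric uid/gid is not an account name, so only names count.
        for value, seen in ((match.group('owner'), owners),
                            (match.group('group'), groups)):
            if not value.isdigit():
                seen.add(value)
    return names, sorted(owners), sorted(groups)

def review_listing(url, text):
    """List what a reviewer should report for one exposed .listing file."""
    names, owners, groups = parse_listing(text)
    # The file is worth removing even when nothing in it parses.
    notes = ['.listing exposed at %s' % url]
    if names:
        notes.append('discloses %d filenames' % len(names))
    if owners or groups:
        notes.append('discloses accounts: users=%s groups=%s'
                     % (','.join(owners), ','.join(groups)))
    return notes

# Constructed sample input; example.test is a placeholder host.
SAMPLE = """total 12
drwxr-xr-x   2 webadmin www      4096 Oct  5 21:38 .
drwxr-xr-x   5 0        0        4096 Oct  5 21:30 ..
-rw-r--r--   1 webadmin www       512 Oct  5 21:38 backup old.sql
-rw-r-----   1 1001     1001      220 Jan 12  2011 config.inc
lrwxrwxrwx   1 webadmin www         9 Oct  5 21:38 current -> releases
"""

if __name__ == '__main__':
    for note in review_listing('http://example.test/.listing', SAMPLE):
        print(note)
```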