.*?| References<\\/td>.*? | #TEMPL_REFERENCES#<\\/td>.*?<\\/tr>/#TEMPL_REFERENCES_ROW_REPLACE#/s;\n }\n\n # Now process main template with all variables (including processed SSL row replacements)\n foreach my $var (keys %variables) {\n my $replacement = $variables{$var};\n\n # Escape $ in replacement to prevent backreference interpretation ($1, $&, etc.)\n $replacement =~ s/\\$/\\$\\$/g;\n $template =~ s/\\Q$var\\E/$replacement/g;\n }\n\n return $template;\n}\n###############################################################################\nsub linkify_refs {\n my $refs = $_[0] || return;\n my @rs = split(/ /, $refs);\n for (my $i = 0 ; $i <= $#rs ; $i++) {\n $r = $rs[$i];\n my $escaped_r = simple_enc($r);\n if ($r =~ /^OSVDB-(\\d+)$/) {\n my $id = $1;\n $r = \"$escaped_r\";\n }\n elsif ($r =~ /^CVE-\\d{4}-\\d{3,4}/) {\n my $escaped_url_r = simple_enc($r);\n $r =\n \"$escaped_r\";\n }\n elsif ($r =~ /^MS-\\d+-\\d+/i) {\n my $escaped_url_r = simple_enc($r);\n $r =\n \"$escaped_r\";\n }\n elsif ($r =~ /^(CA-\\d{4}-\\d{2})/) {\n my $escaped_ca = simple_enc($1);\n $r =\n \"$escaped_r\";\n }\n elsif ($r =~ /^CWE-\\d+/) {\n my $escaped_url_r = simple_enc($r);\n $r =\n \"$escaped_r\";\n }\n elsif ($r =~ /^http/) {\n my $escaped_url_r = simple_enc($r);\n $r = \"$escaped_r\";\n }\n $rs[$i] = $r;\n }\n my $out = join(\"\", @rs);\n $out =~ s/
$//;\n return $out;\n}\n\n###############################################################################\nsub simple_enc {\n my $var = $_[0] || return;\n $var =~ s/&/&/g;\n $var =~ s//>/g;\n $var =~ s/\"/"/g;\n $var =~ s/'/'/g;\n return $var;\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_report_json.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: JSON Reporting - Multi-host support\n###############################################################################\nour $JSONRPT_ALL = []; # Arrayref to hold all hosts' reports\nour $JSONRPT_CURR = undef; # Scalarref to current host's report\n\nuse JSON;\nuse Time::Piece;\nuse Time::Seconds;\n\n###############################################################################\nsub nikto_report_json_init {\n use JSON;\n\n my $id = { name => \"report_json\",\n full_name => \"JSON reports\",\n author => \"Sullo\",\n description => \"Produces a JSON report.\",\n report_head => \\&json_open,\n report_host_start => \\&json_host_start,\n report_host_end => \\&json_host_end,\n report_close => \\&json_close,\n report_item => \\&json_item,\n report_ssl_info => \\&json_ssl_info,\n report_format => 'json',\n copyright => \"2025 Chris Sullo\"\n };\n return $id;\n}\n\n###############################################################################\n# open output file\nsub json_open {\n my ($file) = @_;\n\n # Open file with lexical handle (read-write mode for JSON)\n my $fh;\n open($fh, \"+>\", $file) || die \"+ ERROR: Unable to open '$file' for write: $@\\n\";\n\n # Enable autoflush\n $fh->autoflush(1);\n\n return $fh;\n}\n\n###############################################################################\n# start output for a host\nsub json_host_start {\n my ($handle, $mark) = @_;\n\n # Get current time with timezone\n my $current_time = localtime;\n my $start_time = $mark->{'start_time'} ? localtime($mark->{'start_time'}) : $current_time;\n\n $JSONRPT_CURR = { host => $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'},\n ip => $mark->{'ip'},\n port => $mark->{'port'},\n server_banner => $mark->{'banner'},\n start_time => $start_time->strftime('%Y-%m-%d %H:%M:%S %z'),\n vulnerabilities => []\n };\n\n # Add current host report to the array of all hosts\n push @$JSONRPT_ALL, $JSONRPT_CURR;\n return;\n}\n\n###############################################################################\n# write SSL info\nsub json_ssl_info {\n my ($handle, $mark) = @_;\n\n # Update the current host report with SSL info\n return unless defined $JSONRPT_CURR;\n\n # Extract CN from subject\n my $cn = '';\n if ($mark->{'ssl_cert_subject'} =~ /CN=([^$ \\/]+)/) {\n $cn = $1;\n }\n\n $JSONRPT_CURR->{'ssl_info'} = { ciphers => $mark->{'ssl_cipher'} || '',\n issuer => $mark->{'ssl_cert_issuer'} || '',\n subject => $mark->{'ssl_cert_subject'} || '',\n cn => $cn,\n altnames => $mark->{'ssl_cert_altnames'} || ''\n };\n}\n\n###############################################################################\n# end output for a host\nsub json_host_end {\n my ($handle, $mark) = @_;\n my $end_time;\n\n if ($mark->{'end_time'} eq '') {\n $end_time = localtime;\n }\n else {\n $end_time = localtime($mark->{'end_time'});\n }\n\n $JSONRPT_CURR->{'end_time'} = $end_time->strftime('%Y-%m-%d %H:%M:%S %z');\n return;\n}\n\n###############################################################################\n# close output file\nsub json_close {\n my ($handle, $mark) = @_;\n my $json_encoder = JSON->new->utf8->canonical->pretty->convert_blessed;\n my $json_output = $json_encoder->encode($JSONRPT_ALL);\n print $handle $json_output;\n close($handle);\n return;\n}\n\n###############################################################################\n# print an item\nsub json_item {\n my ($handle, $mark, $item) = @_;\n\n my $uri = $item->{'uri'};\n if (($uri ne '') && ($mark->{'root'} ne '') && ($uri !~ /^$mark->{'root'}/)) {\n $uri = $mark->{'root'} . $uri;\n }\n\n my $msg = $item->{'message'};\n my $uri2 = quotemeta($uri);\n my $root = quotemeta($mark->{'root'});\n $msg =~ s/^$uri2:\\s//;\n $msg =~ s/^$root$uri2:\\s//;\n\n push @{ $JSONRPT_CURR->{'vulnerabilities'} },\n { id => $item->{'nikto_id'},\n references => $item->{'refs'},\n method => $item->{'method'},\n url => $uri,\n msg => $msg\n };\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_report_sqlg.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: SQL Reporting\n###############################################################################\n# Sample table create (mysql):\n#\tcreate table nikto_table (id int(11) not null auto_increment primary key,\n#\tscanid varchar(32), testid varchar(6) not null, ip varchar(15),\n#\thostname text, port int(5), tls tinyint(1), refs text, httpmethod text,\n#\turi text, message text, request blob, response mediumblob);\n# See documentation/nikto_schema_mysql.sql and nikto_schema_postgresql.sql for complete schemas\n###############################################################################\nsub nikto_report_sqlg_init {\n my $id = { name => \"report_sqlg\",\n full_name => \"Generic SQL reports\",\n author => \"Sullo\",\n description => \"Produces SQL inserts into a generic database.\",\n report_head => \\&sqlg_open,\n report_host_start => \\&sqlg_host_start,\n report_item => \\&sqlg_item,\n report_ssl_info => \\&sqlg_ssl_info,\n report_format => 'sql',\n copyright => \"2013 Chris Sullo\"\n };\n return $id;\n}\n\n###############################################################################\n# open output file\nsub sqlg_open {\n my ($file) = @_;\n print STDERR \"+ ERROR: Output file not specified.\\n\" if $file eq '';\n\n # Open file with lexical handle and produce header\n my $fh;\n open($fh, \">>\", $file) || die print STDERR \"+ ERROR: Unable to open '$file' for write: $@\\n\";\n\n # Enable autoflush\n $fh->autoflush(1);\n\n # Write header\n my $opt = $CLI{'all_options'};\n $opt =~ s/'/\\\\'/g;\n print $fh \"# $VARIABLES{'name'} - v$VARIABLES{'version'}/$VARIABLES{'core_version'}\\n\";\n print $fh \"# Options: $opt\\n\";\n print $fh \"# Start Time: \" . localtime($COUNTERS{'scan_start'}) . \"\\n\";\n print $fh \"# End Time: \" . localtime($COUNTERS{'scan_end'}) . \"\\n\";\n print $fh \"\\n\";\n\n return $fh;\n}\n\n###############################################################################\n# start output\nsub sqlg_host_start {\n my ($handle, $mark) = @_;\n my $banner = $mark->{'banner'} || '';\n my $ssl = 0;\n if (defined $mark->{'ssl_cipher'}) { $ssl = 1; }\n my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};\n\n my $scanid = $mark->{'scanid'} || '';\n my $msg = $banner ne '' ? \"Server banner: $banner\" : \"Host scan started\";\n my $ip = $mark->{'ip'};\n\n $ip =~ s/'/\\\\'/g;\n $hostname =~ s/'/\\\\'/g;\n $msg =~ s/'/\\\\'/g;\n $scanid =~ s/'/\\\\'/g;\n\n my $sql =\n \"insert into nikto_table (scanid, testid, ip, hostname, port, tls, refs, httpmethod, uri, message) values(\";\n $sql .=\n \"'$scanid','999958','$ip','$hostname','$mark->{'port'}','$ssl','0','GET','/','$msg');\\n\";\n print $handle $sql;\n\n return;\n}\n\n###############################################################################\n# write SSL info\nsub sqlg_ssl_info {\n my ($handle, $mark) = @_;\n\n my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};\n my $ssl_cipher = $mark->{'ssl_cipher'} || '';\n my $ssl_subject = $mark->{'ssl_cert_subject'} || '';\n my $ssl_issuer = $mark->{'ssl_cert_issuer'} || '';\n my $ssl_altnames = $mark->{'ssl_cert_altnames'} || '';\n my $ssl = defined $mark->{'ssl_cipher'} ? 1 : 0;\n \n # Extract CN from subject\n my $ssl_cn = '';\n if ($ssl_subject =~ /CN=([^$ \\/]+)/) {\n $ssl_cn = $1;\n }\n\n # Build combined SSL info message\n my $ssl_message = \"SSL/TLS Information - \";\n $ssl_message .= \"Subject: $ssl_subject\" if $ssl_subject ne '';\n $ssl_message .= \"; CN: $ssl_cn\" if $ssl_cn ne '';\n $ssl_message .= \"; SAN: $ssl_altnames\" if $ssl_altnames ne '';\n $ssl_message .= \"; Ciphers: $ssl_cipher\" if $ssl_cipher ne '';\n $ssl_message .= \"; Issuer: $ssl_issuer\" if $ssl_issuer ne '';\n $ssl_message =~ s/'/\\\\'/g;\n\n # Single INSERT statement with all SSL info\n my $sql =\n \"insert into nikto_table (scanid, testid, ip, hostname, port, tls, refs, httpmethod, uri, message) values(\";\n $sql .=\n \"'$mark->{'scanid'}','000137','$mark->{'ip'}','$hostname','$mark->{'port'}','$ssl','0','GET','/','$ssl_message');\\n\";\n print $handle $sql;\n}\n\n###############################################################################\n# print an item\nsub sqlg_item {\n my ($handle, $mark, $item) = @_;\n foreach my $uri (split(' ', $item->{'uri'})) {\n my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};\n $hostname = quotemeta($hostname);\n my $httpmethod = quotemeta($item->{'method'});\n my $msg = quotemeta($item->{'message'});\n my $root = quotemeta($mark->{'root'});\n my $rootq = quotemeta($mark->{'root'}); # temporary, just for regex\n $uri = quotemeta($uri);\n my $ssl = $mark->{'ssl_cipher'} ? 1 : 0;\n\n # Get scanid (generated by core in report_host_start)\n my $scanid = $item->{'mark'}->{'scanid'} || '';\n $scanid =~ s/'/\\\\'/g; # Escape single quotes\n\n my $sql =\n \"insert into nikto_table (scanid, testid, ip, hostname, port, tls, refs, httpmethod, uri, message, request, response) values(\";\n $sql .=\n \"'$scanid','$item->{'nikto_id'}','$item->{'mark'}->{'ip'}','$hostname','$item->{'mark'}->{'port'}','$ssl',\";\n $sql .= \"'$item->{'refs'}','$httpmethod',\";\n\n if (($uri ne '') && ($root ne '') && ($uri !~ /^$rootq/)) {\n $sql .= \"'\" . $root . $uri . \"',\";\n }\n else {\n $sql .= \"'$uri',\";\n }\n\n $msg =~ s/^$uri:\\s//;\n $msg =~ s/^$rootq$uri:\\s//;\n $sql .= \"'$msg',\";\n\n # Rebuild the request from the hash -- no need to escape as it's base64 encoded\n my $req = rebuild_request($item->{'request'}, 1, 48000);\n $sql .= \"'\" . LW2::encode_base64($req, '') . \"',\";\n\n # response content\n my $response = rebuild_response($$item{'response'}, 1, 12000000);\n $sql .= \"'\" . LW2::encode_base64($response, '') . \"');\";\n print $handle \"$sql\\n\";\n }\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_report_text.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Text Reporting\n###############################################################################\nsub nikto_report_text_init {\n my $id = { name => \"report_text\",\n full_name => \"Text reports\",\n author => \"Tautology\",\n description => \"Produces a text report.\",\n report_head => \\&text_open,\n report_host_start => \\&text_host,\n report_item => \\&text_item,\n report_ssl_info => \\&text_ssl_info,\n report_format => 'txt',\n copyright => \"2008 Chris Sullo\"\n };\n return $id;\n}\n\nsub text_open {\n my ($file) = @_;\n print STDERR \"+ ERROR: Output file not specified.\\n\" if $file eq '';\n\n # Open file with lexical handle and produce header\n my $fh;\n open($fh, \">>\", $file) || die print STDERR \"+ ERROR: Unable to open '$file' for write: $@\\n\";\n\n # Enable autoflush\n $fh->autoflush(1);\n\n # Write header\n print $fh \"- $VARIABLES{'name'} v$VARIABLES{'version'}/$VARIABLES{'core_version'}\\n\";\n\n return $fh;\n}\n\nsub text_host {\n my ($handle, $mark) = @_;\n my ($curr_host, $curr_port);\n my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};\n print $handle \"+ Target Host: $hostname\\n\";\n print $handle \"+ Target Port: $mark->{port}\\n\";\n}\n\nsub text_ssl_info {\n my ($handle, $mark) = @_;\n print $handle \"+ SSL Info: Subject: $mark->{'ssl_cert_subject'}\\n\";\n\n # Extract and display CN separately\n my $cn = '';\n if ($mark->{'ssl_cert_subject'} =~ /CN=([^$ \\/]+)/) {\n $cn = $1;\n print $handle \" CN: $cn\\n\";\n }\n\n # Display SAN if present\n if ($mark->{'ssl_cert_altnames'} ne '') {\n print $handle \" SAN: $mark->{'ssl_cert_altnames'}\\n\";\n }\n\n print $handle \" Ciphers: $mark->{'ssl_cipher'}\\n\";\n print $handle \" Issuer: $mark->{'ssl_cert_issuer'}\\n\";\n}\n\nsub text_item {\n my ($handle, $mark, $item) = @_;\n\n foreach my $uri (split(' ', $item->{uri})) {\n my $line = \"+ \";\n if ($item->{method}) { $line .= $item->{method} . \" \" }\n if (($uri ne '') && ($uri !~ /^$mark->{'root'}/)) {\n $line .= $mark->{'root'} . $uri . \": \";\n }\n $line .= $item->{message};\n if ($item->{refs} ne \"\") { $line .= \" See: \" . $item->{refs} . \": \" }\n print $handle \"$line\\n\";\n }\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_report_xml.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: XML Reporting - Multi-host support with proper XML handling\n###############################################################################\nour $XMLRPT_ALL = []; # Arrayref to hold all hosts' reports\nour $XMLRPT_CURR = undef; # Scalarref to current host's report\nour $XML_WRITER = undef; # XML::Writer instance\nour $XML_HANDLE = undef; # File handle\n\nuse XML::Writer;\nuse Time::Piece;\nuse Time::Seconds;\n\n###############################################################################\nsub nikto_report_xml_init {\n my $id = { name => \"report_xml\",\n full_name => \"XML reports (v2)\",\n author => \"Sullo\",\n description => \"Produces a proper XML report with validation.\",\n report_head => \\&xml_open,\n report_host_start => \\&xml_host_start,\n report_host_end => \\&xml_host_end,\n report_close => \\&xml_close,\n report_item => \\&xml_item,\n report_ssl_info => \\&xml_ssl_info,\n report_format => 'xml',\n copyright => \"2025 Chris Sullo\"\n };\n return $id;\n}\n\n###############################################################################\n# open output file\nsub xml_open {\n my ($file) = @_;\n print STDERR \"+ ERROR: Output file not specified.\\n\" if $file eq '';\n\n # Open file with lexical handle for writing\n my $fh;\n open($fh, \">>\", $file) || die print STDERR \"+ ERROR: Unable to open '$file' for write: $@\\n\";\n\n # Enable autoflush\n $fh->autoflush(1);\n\n # Store lexical handle reference in package variable\n $XML_HANDLE = $fh;\n\n # Initialize XML writer with proper settings\n $XML_WRITER = XML::Writer->new(OUTPUT => $fh,\n DATA_MODE => 1,\n DATA_INDENT => 2,\n ENCODING => 'UTF-8',\n UNSAFE => 0 # Ensure proper escaping\n );\n\n # Write XML declaration\n $XML_WRITER->xmlDecl('UTF-8');\n\n # Write DOCTYPE if DTD is defined\n if (defined $CONFIGFILE{'NIKTODTD'} && $CONFIGFILE{'NIKTODTD'} ne '') {\n\n # Resolve DTD path relative to Nikto execution directory\n my $dtd_path = $CONFIGFILE{'NIKTODTD'};\n if ($dtd_path !~ /^\\// && defined $CONFIGFILE{'EXECDIR'}) {\n $dtd_path = \"$CONFIGFILE{'EXECDIR'}/$dtd_path\";\n }\n $XML_WRITER->doctype('niktoscans', 'SYSTEM', $dtd_path);\n }\n\n # Start root element\n $XML_WRITER->startTag('niktoscans');\n\n nprint(\"- XML report initialized with proper encoding and structure\", \"v\", \"report_xml\");\n return $fh;\n}\n\n###############################################################################\n# start host entry\nsub xml_host_start {\n my ($handle, $mark) = @_;\n\n # Initialize current host report\n $XMLRPT_CURR = { targetip => $mark->{'ip'},\n targethostname => $mark->{'hostname'},\n targetport => $mark->{'port'},\n targetbanner => $mark->{'banner'} || '',\n starttime => date_disp($mark->{'start_time'}),\n sitename => '',\n siteip => '',\n hostheader => $mark->{'vhost'} || $mark->{'hostname'},\n errors => $mark->{'total_errors'} || 0,\n checks => $COUNTERS{'total_checks'} || 0,\n items => [],\n ssl_info => undef\n };\n\n # Build site URLs\n my $protocol = $mark->{'ssl'} ? 'https' : 'http';\n my $hostname = $mark->{'vhost'} || $mark->{'hostname'};\n\n $XMLRPT_CURR->{'siteip'} = \"$protocol://$mark->{'ip'}:$mark->{'port'}$mark->{'root'}\";\n $XMLRPT_CURR->{'siteip'} .= '/' unless $XMLRPT_CURR->{'siteip'} =~ /\\/$/;\n\n if ($hostname ne '') {\n $XMLRPT_CURR->{'sitename'} = \"$protocol://$hostname:$mark->{'port'}$mark->{'root'}\";\n $XMLRPT_CURR->{'sitename'} .= '/' unless $XMLRPT_CURR->{'sitename'} =~ /\\/$/;\n }\n else {\n $XMLRPT_CURR->{'sitename'} = 'N/A';\n }\n\n push(@$XMLRPT_ALL, $XMLRPT_CURR);\n\n # Write niktoscan start tag with all required attributes\n $XML_WRITER->startTag('niktoscan',\n hoststest => $COUNTERS{'hosts_completed'} || 0,\n options => $CLI{'all_options'} || '',\n version => $VARIABLES{'version'} || 'unknown',\n scanstart => localtime($COUNTERS{'scan_start'}) || '',\n scanend => localtime($COUNTERS{'scan_end'}) || '',\n scanelapsed => ($COUNTERS{'scan_elapsed'} || 0),\n nxmlversion => \"1.2\"\n );\n\n # Write scandetails start tag\n $XML_WRITER->startTag('scandetails',\n targetip => $mark->{'ip'},\n targethostname => $mark->{'hostname'},\n targetport => $mark->{'port'},\n targetbanner => $mark->{'banner'} || '',\n starttime => date_disp($mark->{'start_time'}),\n sitename => $XMLRPT_CURR->{'sitename'},\n siteip => $XMLRPT_CURR->{'siteip'},\n hostheader => $XMLRPT_CURR->{'hostheader'},\n errors => $XMLRPT_CURR->{'errors'},\n checks => $XMLRPT_CURR->{'checks'}\n );\n\n nprint(\"- XML host entry started for $mark->{'hostname'}\", \"v\", \"report_xml\");\n}\n\n###############################################################################\n# write SSL info\nsub xml_ssl_info {\n my ($handle, $mark) = @_;\n\n # Extract CN from subject for separate reporting\n my $cn = '';\n if ($mark->{'ssl_cert_subject'} =~ /CN=([^$ \\/]+)/) {\n $cn = $1;\n }\n\n # Store SSL info in current host report\n $XMLRPT_CURR->{'ssl_info'} = { ciphers => $mark->{'ssl_cipher'},\n issuers => $mark->{'ssl_cert_issuer'} || '',\n info => $mark->{'ssl_cert_subject'} || '',\n cn => $cn,\n altnames => $mark->{'ssl_cert_altnames'} || ''\n };\n\n # Write SSL info tag immediately\n $XML_WRITER->emptyTag('ssl',\n ciphers => $XMLRPT_CURR->{'ssl_info'}->{'ciphers'},\n issuers => $XMLRPT_CURR->{'ssl_info'}->{'issuers'},\n info => $XMLRPT_CURR->{'ssl_info'}->{'info'},\n cn => $XMLRPT_CURR->{'ssl_info'}->{'cn'},\n altnames => $XMLRPT_CURR->{'ssl_info'}->{'altnames'}\n );\n}\n\n###############################################################################\n# end host entry\nsub xml_host_end {\n my ($handle, $mark) = @_;\n\n # Update host data with end time and elapsed time\n $XMLRPT_CURR->{'endtime'} = date_disp($mark->{'end_time'});\n $XMLRPT_CURR->{'elapsed'} = $mark->{'end_time'} - $mark->{'start_time'};\n $XMLRPT_CURR->{'itemsfound'} = $mark->{'total_vulns'} || 0;\n\n # Write statistics\n $XML_WRITER->emptyTag('statistics',\n elapsed => $XMLRPT_CURR->{'elapsed'},\n itemsfound => $XMLRPT_CURR->{'itemsfound'},\n itemstested => $XMLRPT_CURR->{'checks'},\n endtime => $XMLRPT_CURR->{'endtime'}\n );\n\n # Close scandetails and niktoscan tags\n $XML_WRITER->endTag('scandetails');\n $XML_WRITER->endTag('niktoscan');\n\n nprint(\"- XML host entry completed for $mark->{'hostname'}\", \"v\", \"report_xml\");\n}\n\n###############################################################################\n# add item to current host\nsub xml_item {\n my ($handle, $mark, $item) = @_;\n\n # Add item to current host's items array\n push(@{ $XMLRPT_CURR->{'items'} },\n { id => $item->{'nikto_id'},\n method => $item->{'method'},\n description => $item->{'message'},\n uri => $item->{'uri'},\n namelink => $item->{'namelink'} || '',\n iplink => $item->{'iplink'} || '',\n references => $item->{'refs'} || ''\n }\n );\n\n # Write item tag with proper structure\n $XML_WRITER->startTag('item',\n id => $item->{'nikto_id'},\n method => $item->{'method'}\n );\n\n # Write item content with CDATA for potentially problematic content\n $XML_WRITER->startTag('description');\n $XML_WRITER->cdata($item->{'message'});\n $XML_WRITER->endTag('description');\n\n $XML_WRITER->startTag('uri');\n $XML_WRITER->cdata($item->{'uri'});\n $XML_WRITER->endTag('uri');\n\n $XML_WRITER->startTag('namelink');\n $XML_WRITER->cdata($item->{'namelink'} || '');\n $XML_WRITER->endTag('namelink');\n\n $XML_WRITER->startTag('iplink');\n $XML_WRITER->cdata($item->{'iplink'} || '');\n $XML_WRITER->endTag('iplink');\n\n $XML_WRITER->startTag('references');\n $XML_WRITER->cdata($item->{'refs'} || '');\n $XML_WRITER->endTag('references');\n\n $XML_WRITER->endTag('item');\n}\n\n###############################################################################\n# close output file\nsub xml_close {\n my ($handle) = @_;\n\n # Close root element\n $XML_WRITER->endTag('niktoscans');\n\n # End the XML writer\n $XML_WRITER->end();\n\n # Close file handle\n close($XML_HANDLE) if $XML_HANDLE;\n\n # Validate XML if possible\n xml_validate_output($handle);\n\n nprint(\"- XML report completed with proper structure\", \"v\", \"report_xml\");\n}\n\n###############################################################################\n# Validate XML output\nsub xml_validate_output {\n my ($filename) = @_;\n\n # Only validate if XML::LibXML is available\n eval {\n require XML::LibXML;\n\n my $parser = XML::LibXML->new();\n my $doc = $parser->parse_file($filename);\n\n # Validate against DTD if available\n if (defined $CONFIGFILE{'NIKTODTD'} && $CONFIGFILE{'NIKTODTD'} ne '') {\n $doc->validate();\n nprint(\"- XML output validated against DTD successfully\", \"v\", \"report_xml\");\n }\n else {\n nprint(\"- XML output is well-formed\", \"v\", \"report_xml\");\n }\n };\n if ($@) {\n nprint(\"+ WARNING: XML validation failed: $@\", \"e\");\n }\n}\n\nsub nikto_reports { } # so core doesn't freak\n\n1;\n"
},
{
"path": "program/plugins/nikto_robots.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Check out the robots.txt file\n###############################################################################\nsub nikto_robots_init {\n my $id = {\n name => \"robots\",\n full_name => \"Robots\",\n author => \"Sullo\",\n description =>\n \"Checks whether there's anything within the robots.txt file and analyses it for other paths to pass to other scripts.\",\n hooks => { recon => { method => \\&nikto_robots,\n weight => 49,\n },\n },\n copyright => \"2008 Chris Sullo\",\n options => { nocheck => \"Flag to disable checking entries in robots file.\", }\n };\n return $id;\n}\n\nsub nikto_robots {\n my ($mark, $parameters) = @_;\n return if $mark->{'terminate'};\n\n my ($code, $content, $errors, $request, $response) =\n nfetch($mark, \"/robots.txt\", \"GET\", \"\", \"\", \"\", \"robots\");\n my $has_non_root_entries = 1;\n\n # Validate content-type: should be text/* or not present\n if (defined($response->{'content-type'})) {\n if ( $response->{'content-type'} !~ /^text\\//i\n || $response->{'content-type'} =~ /^text\\/html/i) {\n return; # Not a text type, or is HTML - skip processing\n }\n }\n\n # Accept any 2xx success code (except 204 No Content) or custom \"okay\" response\n if ($code =~ /^2\\d\\d$/) {\n if (is_404($mark, \"/robots.txt\", $response)) {\n return;\n }\n\n my (%DIRS, %RFILES);\n my $DISCTR = 0;\n my @DOC = split(/\\n/, $content);\n my $tocheck;\n foreach my $line (@DOC) {\n $line =~ s/(?:^\\s+|\\s+$)//g;\n $line = quotemeta($line);\n if ($line =~ /allow/i) {\n chomp($line);\n\n # Report if Allow\n $has_non_root_entries = 0 if ($line =~ /^allow/i);\n $line =~ s/\\#.*$//;\n $line =~ s/\\s+/ /g;\n $line =~ s/\\t/ /g;\n $line =~ s/(?:dis)?allow(?:\\\\:)?(?:\\\\\\s+)?//i;\n $line =~ s/\\/+/\\//g;\n $line =~ s/\\\\//g;\n\n if ($line eq \"\") { next; }\n\n # try to figure out file vs dir... just guess...\n if (($line !~ /\\./) && ($line !~ /\\/$/)) { $line .= \"/\"; }\n\n $line = LW2::uri_normalize($line);\n\n # figure out dirs/files...\n my $realdir = validate_and_fix_regex(LW2::uri_get_dir($line));\n my $realfile = validate_and_fix_regex($line);\n $realfile =~ s/^$realdir//;\n\n nprint(\"- robots.txt entry dir:$realdir -- file:$realfile\",\n \"d\", ($mark->{'hostname'}, $mark->{'ip'}, $mark->{'displayname'}));\n if (($realdir ne \"\") && ($realdir ne \"/\")) {\n $realdir =~ s/\\\\//g;\n $DIRS{$realdir} = 1;\n }\n if (($realfile ne \"\") && ($realfile ne \"/\")) {\n $realfile =~ s/\\\\//g;\n $RFILES{$realfile} = 1;\n }\n $DISCTR++;\n\n if (($realdir ne \"\") && ($realdir ne \"/\")) { $has_non_root_entries = 0; }\n next\n if ( ($realdir eq \"/\" && $realfile eq \"\")\n || ($realfile eq \"/\" && $realdir eq \"\"));\n next if ($line =~ /\\*/); # Wildcards\n $tocheck{$line} = 1;\n } # end if $line =~ allow\n } # end foreach my $line (@DOC)\n\n # Check for allowed paths\n foreach my $line (keys %tocheck) {\n return if $mark->{'terminate'};\n if (!defined($parameters->{'nocheck'})) {\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, $line, \"GET\", \"\", \"\", \"\", \"Robots: Check for URI\");\n if (!is_404($mark, $line, $response)\n && ($res !~ /^40[346]$/)\n && ($res !~ /^30[21]$/)) {\n add_vulnerability(\n $mark,\n \"/robots.txt: Entry '$line' is returned a non-forbidden or redirect HTTP code ($res)\",\n 999997,\n \"https://portswigger.net/kb/issues/00600600_robots-txt-file\",\n \"GET\",\n \"/$line\",\n $request,\n $response\n );\n }\n }\n }\n\n # Use shared path matching logic\n path_matcher(\\%RFILES, \\%DIRS, undef);\n\n my $msg =\n ($DISCTR == 1) ? \"contains 1 entry which should be manually viewed.\"\n : ($DISCTR > 1) ? \"contains $DISCTR entries which should be manually viewed.\"\n : \"retrieved but it does not contain any 'disallow' entries (which is odd).\";\n\n if ($has_non_root_entries eq 0) {\n add_vulnerability($mark, \"/robots.txt: $msg\",\n 999996, \"https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt\",\n \"GET\", \"/robots.txt\", $request, $response);\n }\n }\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_shellshock.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Check for the bash 'shellshock' vulnerability\n###############################################################################\nsub nikto_shellshock_init {\n my $id = { name => \"shellshock\",\n full_name => \"shellshock\",\n author => \"sullo\",\n description => \"Look for the bash 'shellshock' vulnerability.\",\n hooks => { scan => { method => \\&nikto_shellshock, weight => 20 }, },\n copyright => \"2014 Chris Sullo\",\n options => { uri => \"uri to assess\", },\n };\n\n return $id;\n}\n\nsub nikto_shellshock {\n my ($mark, $parameters) = @_;\n my ($found, @names,);\n\n # This would be better coming from live scan results and not db_variables\n my @files = split(/ /, $VARIABLES{\"\\@SHELLSHOCK\"});\n\n push(@files, \"\");\n my %headers;\n $headers{'User-Agent'} = '() { :; }; echo 93e4r0-cve-2014-6271: true;echo;echo;';\n $headers{'Referer'} = '() { _; } >_[$($())] { echo 93e4r0-cve-2014-6278: true; echo;echo; }';\n my @dirs = split(/ /, $VARIABLES{'@CGIDIRS'});\n push(@dirs, \"/\");\n\n #check for FP... error in page\n my $checkcontent = 1;\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, \"/\", \"GET\", \"\", \\%headers, \"\", \"shellshock\");\n if ($content =~ /93e4r0-cve/) {\n $checkcontent = 0;\n nprint(\n \"Content seems to contain error headers, ignoring content match in shellshock plugin\",\n \"v\");\n }\n\n if (defined $parameters->{'uri'}) {\n\n # request by hostname\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, \"$parameters->{'uri'}\", \"GET\", \"\", \\%headers, \"\", \"shellshock\");\n if ( ($response->{'93e4r0-cve-2014-6271'} eq 'true')\n || ($checkcontent && ($content =~ /(?{'uri'}: Site appears vulnerable to the 'shellshock' vulnerability).\",\n 999949,\n \"CVE-2014-6271\",\n \"GET\",\n \"$parameters->{'uri'}\",\n $request,\n $response\n );\n }\n if ( ($response->{'93e4r0-cve-2014-6278'} eq 'true')\n || ($checkcontent && ($content =~ /(?{'uri'}: Site appears vulnerable to the 'shellshock' vulnerability.\",\n 999948,\n \"CVE-2014-6278\",\n \"GET\",\n \"$parameters->{'uri'}\",\n $request,\n $response\n );\n }\n }\n else {\n foreach my $cgidir (@dirs) {\n foreach my $file (@files) {\n return if $mark->{'terminate'};\n\n # request by hostname\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, \"$cgidir$file\", \"GET\", \"\", \\%headers, \"\", \"shellshock\");\n if ( ($response->{'93e4r0-cve-2014-6271'} eq 'true')\n || ($checkcontent && ($content =~ /(?{'93e4r0-cve-2014-6278'} eq 'true')\n || ($checkcontent && ($content =~ /(? \"siebel\",\n full_name => \"Siebel Checks\",\n author => \"Tautology\",\n description => \"Performs a set of checks against an installed Siebel application\",\n hooks => { scan => { method => \\&nikto_siebel, }, },\n copyright => \"2011 Chris Sullo\",\n options => {\n enumerate => \"Flag to indicate whether we shall attempt to enumerate known apps\",\n applications => \"List of applications\",\n languages => \"List of Languages\",\n application => \"Application to attack\",\n }\n };\n return $id;\n}\n\nsub nikto_siebel {\n my ($mark, $parameters) = @_;\n return if $mark->{'terminate'};\n my $application;\n\n # Check whether we have an application\n if (defined $parameters->{'enumerate'}) {\n my @apps = nikto_siebel_enumerate($mark, $parameters);\n $application = $apps[0];\n }\n\n if ($application eq \"\" && defined $parameters->{'application'}) {\n $application = $parameters->{'application'};\n }\n\n if ($application eq \"\") {\n nprint(\"No Siebel Application defined\", \"v\", \"siebel\");\n return;\n }\n\n # Now we have an application time to perform some tests\n my $path = $application . \"/base.txt\";\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, $path, \"GET\", \"\", \"\", \"\", \"siebel: find default pages\");\n if ($res eq \"200\") {\n my ($siebelver, $appver, $hotfix);\n $siebelver = $content;\n $siebelver =~ s/([ \\t]*)([0-9.]*)( .*\\n.*)/$2/;\n chomp($siebelver);\n $appver = $content;\n $appver =~ s/(.*\\[)(.*)(\\].*\\n.*)/$2/;\n chomp($appver);\n $hotfix = $content;\n $hotfix =~ s/(.*\\n)(.*HOTFIX )(.*)/$3/;\n add_vulnerability(\n $mark,\n \"$path: Siebel version $siebelver found application version $appver and applied hostfixes are $hotfix\",\n 999901,\n \"https://www.oracle.com/applications/siebel/\",\n \"GET\",\n $path,\n $request,\n $response\n );\n }\n\n $path = $application . \"/_stats.swe\";\n ($res, $content, $error, $request, $response) =\n nfetch($mark, $path, \"GET\", \"\", \"\", \"\", \"siebel: find default pages\");\n if ($res eq \"200\") {\n add_vulnerability(\n $mark, \"/_stats.swe: Siebel stats page found\",\n 999902,\n \"https://docs.oracle.com/cd/E14004_01/books/SysDiag/SysDiagSWSEstats7.html\",\n \"GET\", $path, $request, $response\n );\n }\n\n foreach\n my $page (split(/ /, \"About_Siebel.htm files/ images/ help/ siebstarthelp.htm siebindex.htm\"))\n {\n $path = $application . \"/$page\";\n ($res, $content, $error, $request, $response) =\n nfetch($mark, $path, \"GET\", \"\", \"\", \"\", \"siebel: find default pages\");\n if ($res eq \"200\") {\n add_vulnerability($mark, \"$path: Siebel default file found\",\n 999903, \"\", \"GET\", $path, $request, $response);\n }\n }\n\n return;\n}\n\nsub nikto_siebel_enumerate {\n my ($mark, $params) = @_;\n\n # Default apps and languages - allow parameters to over-ride them.\n my $apps =\n \"emarketing ecustomer pmmanager sales marketing wpeserv salesce econsumerpharma emedia epublicsector eaf echannelcme epharmace siaservicece finseenenrollment ecustomercme loyalty erm etraining esales callcenter wpsales eai smc eprofessionalpharma eenergy pseservice sismarketing econsumer medicalce epharma fins finesales finscustomer htim loyaltyscw ermadmin eevents eauctionswexml cra wpserv eai_anon edealer esitesclinical eautomotive econsumersector echannelaf eEnergyOilGasChemicals cgce eclinical finsconsole finsebanking finssalespam htimpim eloyalty ememb pimportal eservice service wppm servicece edealerscw ecommunications ehospitality eretail echannelcg eCommunicationsWireless siasalesce emedical finsechannel finsebrokerage esalescme\";\n my $langs =\n \"enu euq cht dan fin deu hun kor ptb sky sve pse cat shl nld fra ell ita nor ptg slv tha psl chs csy frc heb jpn plk rus esn trk\";\n\n my @foundapps;\n\n if ($params->{applications}) {\n $apps = $params->{applications};\n }\n\n if ($params->{languages}) {\n $langs = $params->{languages};\n }\n\n foreach my $language (split(/ /, $langs)) {\n foreach my $application (split(/ /, $apps)) {\n my $appname = $application . \"_\" . $language;\n my $startname = $appname . \"/start.swe\";\n ($res, $content, $error, $request, $response) =\n nfetch($mark, $startname, \"GET\", \"\", \"\", \"\", \"Siebel: enumerate application\");\n if ($res eq \"200\") {\n\n # We've found an app\n add_vulnerability($mark, \"$startname: Enumerated Siebel application: \" . $appname,\n 999900, \"\", \"GET\", $startname, $request, $response);\n push(@foundapps, $appname);\n }\n }\n }\n\n return @foundapps;\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_sitefiles.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Look for interesting files based on site name/ip\n###############################################################################\nsub nikto_sitefiles_init {\n my $id = { name => \"sitefiles\",\n full_name => \"Site Files\",\n author => \"sullo\",\n description => \"Look for interesting files based on the site's IP/name\",\n hooks => { scan => { method => \\&nikto_sitefiles, }, },\n copyright => \"2014 Chris Sullo\"\n };\n\n return $id;\n}\n\n###############################################################################\n# File type detection functions to reduce false positives\n###############################################################################\n\nsub detect_file_type {\n my ($content, $uri) = @_;\n my $first_bytes = substr($content, 0, 64); # Check first 64 bytes\n my $content_length = length($content);\n\n # Return early for empty content\n return 'empty' if $content_length == 0;\n\n # File signatures (Magic Numbers)\n my %signatures = (\n\n # Archive formats\n 'zip' => qr/^PK\\x03\\x04|PK\\x05\\x06|PK\\x07\\x08/,\n 'tar' => qr/^.{257}ustar|^.{257}ustar\\x00|^.{257}ustar |^.{257}ustar\\x00\\x00/,\n 'gz' => qr/^\\x1f\\x8b/,\n 'bz2' => qr/^BZh/,\n 'lzma' => qr/^\\x5d\\x00\\x00/,\n\n # Certificate/Key formats\n 'pem' =>\n qr/^-----BEGIN (CERTIFICATE|RSA PRIVATE KEY|DSA PRIVATE KEY|EC PRIVATE KEY|PRIVATE KEY|PUBLIC KEY)-----/,\n 'jks' => qr/^\\xfe\\xed\\xfe\\xed/, # Java KeyStore magic\n\n # Database formats\n 'sql' => qr/^(CREATE|INSERT|UPDATE|DELETE|SELECT|DROP|ALTER|--|\\/\\*|select)/i,\n );\n\n # Check signatures\n foreach my $type (keys %signatures) {\n if ($first_bytes =~ $signatures{$type}) {\n return $type;\n }\n }\n\n # Special handling for ZIP-based formats (egg, war) - check BEFORE generic ZIP\n if ($first_bytes =~ /^PK\\x03\\x04/) {\n if ($uri =~ /\\.egg$/i) {\n return 'egg';\n }\n if ($uri =~ /\\.war$/i) {\n return 'war';\n }\n }\n\n # tar detection - check for tar file structure\n if ($uri =~ /\\.tar$/i) {\n\n # Tar files have 512-byte blocks, check if content length is multiple of 512\n if ($content_length % 512 == 0) {\n\n # Check for null bytes at the end (tar files end with null blocks)\n my $last_block = substr($content, -512);\n if ($last_block =~ /^\\x00+$/) {\n return 'tar';\n }\n }\n\n # Check for tar header structure (first 512 bytes should have specific format)\n if ($content_length >= 512) {\n my $header = substr($content, 0, 512);\n\n# Tar header: filename (100 bytes) + mode (8) + uid (8) + gid (8) + size (12) + mtime (12) + checksum (8) + typeflag (1) + linkname (100) + magic (6) + version (2) + uname (32) + gname (32) + devmajor (8) + devminor (8) + prefix (155) + padding (12)\n# Check if it looks like a tar header (has printable filename, reasonable size)\n my $filename = substr($header, 0, 100);\n $filename =~ s/\\x00.*$//; # Remove null padding\n if ($filename =~ /^[[:print:]]+$/ && length($filename) > 0) {\n return 'tar';\n }\n }\n }\n\n # Special case: Check for compressed tar variants\n if ($uri =~ /\\.(tar\\.gz|tgz)$/i && $first_bytes =~ /^\\x1f\\x8b/) {\n return 'tar.gz';\n }\n if ($uri =~ /\\.(tar\\.bz2)$/i && $first_bytes =~ /^BZh/) {\n return 'tar.bz2';\n }\n if ($uri =~ /\\.(tar\\.lzma)$/i && $first_bytes =~ /^\\x5d\\x00\\x00/) {\n return 'tar.lzma';\n }\n\n # Check for HTML/Text content (negative cases)\n if ($first_bytes =~ /^ [ 'zip', 'binary' ],\n 'tar' => [ 'tar', 'binary' ],\n 'gz' => [ 'gz', 'binary' ],\n 'bz2' => [ 'bz2', 'binary' ],\n 'lzma' => [ 'lzma', 'binary' ],\n 'egg' => [ 'egg', 'zip', 'binary' ], # egg files can be detected as zip\n 'war' => [ 'war', 'zip', 'binary' ], # war files can be detected as zip\n 'pem' => [ 'pem', 'text' ],\n 'jks' => [ 'jks', 'binary' ],\n 'sql' => [ 'sql', 'text' ],\n 'tar.gz' => [ 'gz', 'binary' ], # gz signature for tar.gz\n 'tar.bz2' => [ 'bz2', 'binary' ], # bz2 signature for tar.bz2\n 'tar.lzma' => [ 'lzma', 'binary' ], # lzma signature for tar.lzma\n );\n\n # Check if detected type matches expected\n if (exists $expected_types{$expected_type}) {\n my @valid_types = @{ $expected_types{$expected_type} };\n foreach my $valid_type (@valid_types) {\n return 1 if $detected_type eq $valid_type;\n }\n return 0; # Mismatch\n }\n\n # For unknown expected types, just check it's not HTML\n return 0 if $detected_type eq 'html';\n return 1;\n}\n\nsub is_likely_real_file {\n my ($content, $uri) = @_;\n\n # Quick size check\n return 0 if length($content) < 20;\n\n # Get expected file type from URI\n my $expected_type = '';\n if ($uri =~ /\\.(tar\\.gz|tgz)$/i) {\n $expected_type = 'tar.gz';\n }\n elsif ($uri =~ /\\.(tar\\.bz2)$/i) {\n $expected_type = 'tar.bz2';\n }\n elsif ($uri =~ /\\.(tar\\.lzma)$/i) {\n $expected_type = 'tar.lzma';\n }\n elsif ($uri =~ /\\.(zip|tar|gz|bz2|lzma|egg|war|pem|jks|sql)$/i) {\n $expected_type = lc($1);\n }\n\n # If we can't determine expected type, do basic validation\n if (!$expected_type) {\n my $detected = detect_file_type($content, $uri);\n return 0 if $detected eq 'html'; # HTML = likely false positive\n return 1 if $detected =~ /^(binary|zip|tar|gz|bz2|lzma|egg|war|pem|jks|sql)$/;\n return 0;\n }\n\n # Validate against expected type\n return validate_file_content($content, $uri, $expected_type);\n}\n\nsub analyze_file_details {\n my ($content, $uri) = @_;\n\n my $detected_type = detect_file_type($content, $uri);\n my $content_length = length($content);\n my $entropy = calculate_entropy($content);\n\n # Calculate confidence\n my $confidence = 0;\n\n # Base confidence on file type\n $confidence += 90 if $detected_type =~ /^(zip|tar|gz|bz2|lzma|egg|war|jks)$/;\n $confidence += 85 if $detected_type eq 'pem';\n $confidence += 80 if $detected_type eq 'sql';\n $confidence += 70 if $detected_type eq 'binary';\n $confidence -= 50 if $detected_type eq 'html'; # Penalty for HTML\n\n # Size-based adjustments\n $confidence += 10 if $content_length > 1000; # Larger files more likely real\n if ($content_length < 100) {\n\n # Be more lenient with certain file types - small files are common\n if ($detected_type eq 'sql') {\n $confidence -= 10; # Less penalty for small SQL files\n }\n elsif ($detected_type eq 'lzma') {\n $confidence -= 5; # Very small penalty for small LZMA files\n }\n else {\n $confidence -= 20; # Very small files suspicious\n }\n }\n\n # Entropy-based adjustments\n $confidence += 15 if $entropy > 7.0; # High entropy = likely binary\n if ($entropy < 3.0) {\n\n # Be more lenient with LZMA files for low entropy\n if ($detected_type eq 'lzma') {\n $confidence -= 10; # Less penalty for LZMA with low entropy\n }\n else {\n $confidence -= 20; # Low entropy = likely text/HTML\n }\n }\n\n # Ensure confidence is between 0-100\n $confidence = 0 if $confidence < 0;\n $confidence = 100 if $confidence > 100;\n\n # Return a simple array instead of hash to avoid construction issues\n return [ $detected_type, $content_length, $entropy, $confidence ];\n}\n\nsub nikto_sitefiles {\n my ($mark) = @_;\n my (%flags, %files, %names);\n\n # Minimum confidence required to report a file\n my $confidence_threshold = 60;\n\n $names{ $mark->{'hostname'} } = 1;\n $names{ $mark->{'vhost'} } = 1;\n\n foreach my $n (keys %names) {\n my $nn = $n;\n $nn =~ s/^www(?:\\d+)?\\.//;\n $names{$nn} = 1;\n $nn = $n;\n $nn =~ s/\\./_/g;\n $names{$nn} = 1;\n my @bits = split(/\\./, $n);\n my ($temp1, $temp2) = '';\n\n for (my $i = 0 ; $i <= $#bits ; $i++) {\n $names{ $bits[$i] } = 1;\n $temp1 .= $bits[$i];\n $temp2 .= '.' . $bits[$i];\n $temp2 =~ s/^\\.//;\n $names{$temp1} = 1;\n $names{$temp2} = 1;\n }\n }\n $names{'backup'} = 1;\n $names{'site'} = 1;\n $names{'archive'} = 1;\n $names{'database'} = 1;\n $names{'dump'} = 1;\n $names{ $mark->{'ip'} } = 1;\n\n foreach my $item (keys %names) {\n next if $item eq '';\n foreach\n my $ext (qw/jks cer pem zip tar tar.gz gz tgz tar.bz2 tar.lzma bz2 lzma egg war sql/) {\n $files{\"$item\\.$ext\"} = 1;\n }\n }\n\n foreach my $f (keys %files) {\n\n # trickery to test with both host header and without\n foreach my $flag (0 .. 1) {\n return if $mark->{'terminate'};\n my $msg = \"\";\n $flags{'nohost'} = $flag;\n if ($flag) {\n $msg = \"(NOTE: requested by IP address).\";\n }\n\n # request. flags passed will determine if hostname is used or not\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, \"/$f\", \"GET\", \"\", \"\", \\%flags, \"sitefiles\");\n\n my $condition1 = defined($response->{'content-type'})\n && $response->{'content-type'} =~ /^application\\//i;\n my $condition2 =\n ($res == 200)\n && (length($content) > 0)\n && (!defined($response->{'content-type'})\n || $response->{'content-type'} !~ /^text\\//i)\n && (!is_404($mark, \"/$f\", $response));\n\n if ($condition1 || $condition2) {\n\n # Enhanced content analysis to reduce false positives\n if (is_likely_real_file($content, \"/$f\")) {\n my $analysis = analyze_file_details($content, \"/$f\");\n my $conf = $analysis->[3];\n\n # Only report if confidence is high enough\n if ($conf > $confidence_threshold) {\n my $type_info = \"Confidence: $conf%\";\n add_vulnerability(\n $mark,\n \"/$f: Potentially interesting backup/cert file found. $msg [$type_info]\",\n 740001,\n \"https://cwe.mitre.org/data/definitions/530.html\",\n \"HEAD\",\n \"/$f\",\n $request,\n $response\n );\n }\n }\n\n last;\n }\n }\n }\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_springboot.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Scan for exposed Spring Boot Actuator endpoints and basic info leaks\n###############################################################################\n\nuse JSON;\n\nsub nikto_springboot_init {\n my $id = { name => \"springboot\",\n full_name => \"Spring Boot Actuator endpoint check\",\n author => \"Sullo\",\n description => \"Detects exposed Spring Boot Actuator endpoints and basic info leaks\",\n hooks => { scan => { method => \\&nikto_springboot, } },\n copyright => \"2025 Chris Sullo\"\n };\n return $id;\n}\n\nsub nikto_springboot {\n my ($mark) = @_;\n my $root = $mark->{'root'} || '';\n $root =~ s/\\/$//; # Remove trailing slash if present\n\n my @endpoints = qw(\n /actuator\n /actuator/health\n /actuator/info\n /actuator/env\n /actuator/mappings\n /actuator/metrics\n /actuator/beans\n /actuator/configprops\n /actuator/loggers\n /actuator/threaddump\n /actuator/auditevents\n /actuator/httptrace\n /actuator/scheduledtasks\n /actuator/heapdump\n /actuator/jolokia\n /actuator/prometheus\n );\n\n my $host = $mark->{'hostname'};\n my $port = $mark->{'port'};\n my $proto = $mark->{'ssl'} ? 'https' : 'http';\n my $base_url = \"$proto://$host:$port\";\n\n foreach my $ep (@endpoints) {\n my $path = $root . $ep;\n nprint(\"Checking $path\", \"v\", \"springboot\");\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, $path, 'GET', '', '', undef, 'springboot');\n my $ct = $response->{'content-type'} || '';\n\n # Quick exits\n if ($res == 404) {\n next;\n }\n elsif ($res != 200 && $res != 404) {\n nprint(\"$path: Non-200 ($res) - possibly restricted endpoint\", \"v\", \"springboot\");\n next;\n }\n\n # resposnes should be JSON\n next unless ($ct =~ /application\\/json/i || $content =~ /^\\s*\\{/);\n\n my $json;\n eval { $json = decode_json($content); };\n if ($@ || !$json) {\n nprint(\"$path: 200 but invalid JSON\", \"v\", \"springboot\");\n next;\n }\n\n # /actuator special handling\n if ($ep eq '/actuator') {\n if (exists $json->{'_links'} && ref($json->{'_links'}) eq 'HASH') {\n my $links = $json->{'_links'};\n my @found;\n foreach my $k (keys %$links) {\n my $href = $links->{$k}{'href'};\n next unless $href;\n my $report_val;\n\n # If on same host, report only the path; otherwise, report full URL\n if ($href =~ m{^$proto://$host(?::$port)?(/.*)$}) {\n $report_val = $1;\n }\n else {\n $report_val = $href;\n }\n push @found, $report_val;\n add_vulnerability(\n $mark,\n \"$report_val: Spring Boot Actuator endpoint discovered via /actuator _links.\",\n 750001,\n \"https://docs.spring.io/spring-boot/docs/current/actuator-api/html/\",\n 'GET',\n $report_val\n );\n }\n }\n else {\n nprint(\"/actuator: 200 but no _links\", \"v\", \"springboot\");\n }\n next;\n }\n\n # /actuator/health\n if ($ep eq '/actuator/health') {\n if (exists $json->{'status'} && $json->{'status'} eq 'UP') {\n add_vulnerability(\n $mark,\n \"$path: Spring Boot Actuator health endpoint exposed\",\n 750002,\n \"https://docs.spring.io/spring-boot/docs/current/actuator-api/html/#health\",\n 'GET',\n $path\n );\n }\n next;\n }\n\n # /actuator/info\n if ($ep eq '/actuator/info') {\n if ( exists $json->{'build'}\n && ref($json->{'build'}) eq 'HASH'\n && exists $json->{'build'}{'version'}) {\n add_vulnerability(\n $mark,\n \"$path: Spring Boot Actuator info endpoint exposed (build version: $json->{'build'}{'version'})\",\n 750003,\n \"https://docs.spring.io/spring-boot/docs/current/actuator-api/html/#info\",\n 'GET',\n $path\n );\n }\n next;\n }\n\n # Other endpoints: report if valid, non-empty JSON\n if (ref($json) eq 'HASH' && scalar(keys %$json) > 0) {\n add_vulnerability(\n $mark, \"$path: Spring Boot Actuator endpoint exposed (valid JSON response)\",\n 750004, \"https://docs.spring.io/spring-boot/docs/current/actuator-api/html/\",\n 'GET', $path\n );\n }\n }\n}\n\n1;\n"
},
{
"path": "program/plugins/nikto_ssl.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Test certificate information\n###############################################################################\nsub nikto_ssl_init {\n my $id = { name => \"ssl\",\n full_name => \"SSL and cert checks\",\n author => \"Sullo\",\n description => \"Perform checks on SSL/Certificates\",\n hooks => { scan => { method => \\&nikto_ssl, } },\n copyright => \"2010 Chris Sullo\"\n };\n return $id;\n}\n\nsub nikto_ssl {\n my ($mark) = @_;\n\n if ($mark->{ssl}) {\n my @cn_names;\n my @san_names;\n my $match = 0;\n\n # Extract CN from subject\n if ($mark->{'ssl_cert_subject'} =~ /CN=([^$ \\/]+)/) {\n push(@cn_names, $1);\n }\n\n # Extract SAN names\n if ($mark->{'ssl_cert_altnames'} ne '') {\n foreach my $n (split(/, /, $mark->{'ssl_cert_altnames'})) {\n push(@san_names, $n);\n }\n }\n\n # Combine all names for validation\n my @all_names = (@cn_names, @san_names);\n @all_names = unique_vals(@all_names);\n\n # Create detailed name lists for error messages\n my $cn_list = @cn_names ? join(\", \", @cn_names) : \"none\";\n my $san_list = @san_names ? join(\", \", @san_names) : \"none\";\n my $allnames = join(\", \", @all_names);\n\n foreach my $cert_name (@all_names) {\n next unless $cert_name; # Skip empty names\n\n # straight up match\n if (lc($mark->{'hostname'}) eq lc($cert_name)) {\n $match = 1;\n }\n\n # wildcard cert\n elsif ($cert_name =~ /^\\*/) {\n add_vulnerability($mark, \"/: Server is using a wildcard certificate: $cert_name\",\n 999992, \"https://en.wikipedia.org/wiki/Wildcard_certificate\");\n $cert_name =~ s/^\\*\\.//;\n $cert_name = rquote($cert_name);\n\n # must match leading dot\n # only one level of subdomain allowed\n if ($mark->{'hostname'} =~ /^(.*)\\.?$cert_name/i) {\n my $matched = $1;\n my $tldcount = ($matched =~ tr/\\.//);\n if ($tldcount <= 1) { $match = 1; }\n }\n }\n last if $match;\n }\n\n if (!$match) {\n my $error_msg = \"/: Hostname '$mark->{'hostname'}' does not match certificate names\";\n $error_msg .= \" (CN: $cn_list, SAN: $san_list)\";\n add_vulnerability($mark, $error_msg, 999993,\n \"https://cwe.mitre.org/data/definitions/297.html\");\n }\n }\n}\n\nsub unique_vals {\n my %seen;\n grep !$seen{$_}++, @_;\n}\n\n1;\n\n"
},
{
"path": "program/plugins/nikto_tests.plugin",
"content": "###############################################################################\n# SPDX-License-Identifier: GPL-3.0-only\n# PURPOSE: Perform the full database of nikto tests against a target\n###############################################################################\nsub nikto_tests_init {\n my $id = { name => \"tests\",\n full_name => \"Nikto Tests\",\n author => \"Sullo, Tautology\",\n description => \"Test host with the standard Nikto tests\",\n copyright => \"2008 Chris Sullo\",\n hooks => {\n scan => { method => \\&nikto_tests,\n weight => 99,\n },\n },\n options => {\n passfiles => \"Flag to indicate whether to check for common password files\",\n all => \"Flag to indicate whether to check all files with all directories\",\n report => \"Report a status after the passed number of tests\",\n }\n };\n return $id;\n}\n\nsub nikto_tests {\n my ($mark, $parameters) = @_;\n return if $mark->{'terminate'};\n my $data;\n\n # this is the actual the looped code for all the checks\n foreach my $checkid (sort keys %TESTS) {\n return if $mark->{'terminate'};\n\n # replace variables in the uri\n my @urilist = change_variables($TESTS{$checkid}{'uri'}, $mark, $checkid);\n\n # Now repeat for each uri\n URI: foreach my $uri (@urilist) {\n return if $mark->{'terminate'};\n my (%headrs, %flags, $data);\n if ($TESTS{$checkid}{'headers'} ne '') {\n my $header = unslash($TESTS{$checkid}{'headers'});\n\n # Apply variable replacement to headers\n my @header_lines = split /\\r\\n/, $header;\n foreach my $h (@header_lines) {\n my ($key, $value) = split(/: /, $h);\n $key = lc($key);\n\n # Apply change_variables to the value part\n my @replaced_values = change_variables($value, $mark, $checkid);\n foreach my $replaced_value (@replaced_values) {\n $headrs{$key} = $replaced_value;\n }\n }\n $headrs{'host'} = $mark->{'hostname'}\n unless ($headrs{'host'}); # Kludge not to override host injection vectors\n $flags{'noclean'} = 1;\n }\n if ($TESTS{$checkid}{'data'} ne '') {\n $data = unslash($TESTS{$checkid}{'data'});\n $headrs{'content-length'} = length($data)\n unless grep(/^(transfer-encoding|content-length)$/i, keys %headrs);\n }\n\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, $uri, $TESTS{$checkid}{'method'}, $data, \\%headrs, \\%flags, $checkid);\n\n # DSL matcher expects response headers as a hashref\n my $response_string = rebuild_response($response, 0);\n my %response_headers;\n foreach my $line (split(/\\r?\\n/, $response_string)) {\n next if $line =~ /^HTTP\\//; # Skip status line\n last if $line =~ /^\\s*$/; # Stop at blank line (end of headers)\n if ($line =~ /^([^:]+):\\s*(.*)$/) {\n my ($name, $value) = (lc($1), $2);\n if (exists $response_headers{$name}) {\n $response_headers{$name} .= ', ' . $value;\n }\n else {\n $response_headers{$name} = $value;\n }\n }\n }\n my $response_headers = \\%response_headers;\n\n # Extract cookies as a hashref for matcher\n my %cookies = ();\n if (ref $response->{'whisker'}->{'cookies'} eq 'ARRAY') {\n foreach my $cookie (@{ $response->{'whisker'}->{'cookies'} }) {\n if ($cookie =~ /^([^=]+)=([^;]*)/) {\n $cookies{ lc($1) } = $2;\n }\n }\n }\n\n # Use the DSL matcher - now returns (match_status, captured_groups)\n my ($positive, $reason, $captures) = (0, '', []);\n my @matcher_result =\n $TESTS{$checkid}{'matcher'}->($res, $content, $response_headers, \\%cookies);\n\n my ($match_status, $captured_groups) = @matcher_result;\n if ($match_status) {\n $positive = 1;\n $reason = 'DSL Match';\n $captures = $captured_groups || [];\n }\n\n # matched on something, check fails/ands\n if ($positive) {\n\n # if it's an index.php, check for normal /index.php to see if it's a FP\n # if ($uri =~ /^\\/index.php\\?/i) {\n # my $clean_content = rm_active_content($content, $mark->{'root'} . $uri);\n # if (LW2::md5($clean_content) eq $mark->{'FoF'}{'index.php'}{'match'}) {\n # next;\n # }\n # }\n\n # Check user-specified error codes/strings first (highest priority, always wins)\n # This must be checked before any other 404 detection logic\n if (defined $VARIABLES{'ERRCODES'} && ref($VARIABLES{'ERRCODES'}) eq 'HASH') {\n my $code_str = \"$res\";\n if (exists $VARIABLES{'ERRCODES'}->{$code_str}) {\n next URI; # Skip this test, it's a 404\n }\n }\n if (defined $VARIABLES{'ERRSTRINGS'} && ref($VARIABLES{'ERRSTRINGS'}) eq 'HASH') {\n foreach my $pattern (keys %{ $VARIABLES{'ERRSTRINGS'} }) {\n if ($content =~ /$pattern/) {\n next URI; # Skip this test, it's a 404\n }\n }\n }\n\n # Lastly check for a false positive based on file extension or type.\n # We check is_404 when the actual response code is 200, because 404 error pages\n # can return 200 status codes. However, we skip the check if:\n # 1. There's a positive BODY match (specific body content indicates real content)\n # 2. The DSL has an explicit non-200 CODE match (like CODE:404, CODE:403)\n # without including 200, as those are intentional matches for specific status codes.\n my $has_code_match = ($TESTS{$checkid}{'dsl'} =~ /CODE:/i);\n\n # Check if DSL has an explicit non-200 CODE match that doesn't include 200\n # (e.g., CODE:404, CODE:403, but not CODE:200 or CODE:200|404)\n my $has_explicit_non200_code = 0;\n if ($has_code_match) {\n my $includes_code_200 = ($TESTS{$checkid}{'dsl'} =~ /\\bCODE:\\s*200(\\D|$)/i);\n\n # If there's a CODE match but it doesn't include 200, skip is_404 check\n $has_explicit_non200_code = !$includes_code_200;\n }\n\n # Check if DSL has positive BODY patterns (BODY: but not !BODY:)\n my $has_body_match = ($TESTS{$checkid}{'dsl'} =~ /(?:^|[^!])BODY:/i);\n\n if ( $res == 200\n && !$has_body_match\n && !$has_explicit_non200_code\n && is_404($mark, $mark->{'root'} . $uri, $response)) {\n next;\n }\n\n # Process message with captured groups (if any)\n my $message = $TESTS{$checkid}{'message'};\n if (@$captures && $message =~ /\\$\\d+/) {\n $message = process_captured_groups($message, $captures);\n }\n\n # All checks passed, add vulnerability\n add_vulnerability($mark, \"$mark->{'root'}$uri: $message\",\n $checkid, $TESTS{$checkid}{'references'},\n $TESTS{$checkid}{'method'}, $mark->{'root'} . $uri,\n $request, $response,\n $reason\n );\n }\n }\n\n # Percentages\n if ( $OUTPUT{'progress'}\n && $parameters->{'report'}\n && ($COUNTERS{'totalrequests'} % $parameters->{'report'}) == 0) {\n status_report();\n }\n } # end check loop\n\n # Perform mutation tests\n passchecks($mark) if $parameters->{'passfiles'};\n allchecks($mark) if $parameters->{'all'};\n\n return;\n}\n\nsub passchecks {\n my ($mark) = @_;\n my @DIRS = (split(/ /, $VARIABLES{\"\\@PASSWORDDIRS\"}));\n my @PFILES = (split(/ /, $VARIABLES{\"\\@PASSWORDFILES\"}));\n my @EXTS = qw(asp bak dat data dbc dbf exe htm html htx ini lst txt xml php php3);\n\n nprint(\"- Performing passfiles mutation.\", \"v\", \"tests\");\n\n # Update total requests for status reports\n my @CGIS = split(/ /, $VARIABLES{'@CGIDIRS'});\n $COUNTERS{'total_checks'} =\n $COUNTERS{'total_checks'} +\n (scalar(@DIRS) * scalar(@PFILES)) +\n (scalar(@DIRS) * scalar(@PFILES) * scalar(@EXTS)) +\n ((scalar(@DIRS) * scalar(@PFILES) * scalar(@EXTS) * scalar(@CGIS)) * 2);\n\n foreach my $dir (@DIRS) {\n return if $mark->{'terminate'};\n foreach my $file (@PFILES) {\n next if ($file eq \"\");\n\n # dir/file\n testfile($mark, \"$dir$file\", \"passfiles\", \"299998\");\n\n foreach my $ext (@EXTS) {\n return if $mark->{'terminate'};\n\n # dir/file.ext\n testfile($mark, \"$dir$file.$ext\", \"passfiles\", \"299998\");\n\n foreach my $cgi (@CGIS) {\n $cgi =~ s/\\/$//;\n\n # dir/file.ext\n testfile($mark, \"$cgi$dir$file.$ext\", \"passfiles\", \"299998\");\n\n # dir/file\n testfile($mark, \"$cgi$dir$file\", \"passfiles\", \"299998\");\n }\n }\n }\n }\n}\n\nsub allchecks {\n my ($mark) = @_;\n\n # Hashes to temporarily store files/dirs in\n # We're using hashes to ensure that duplicates are removed\n my (%FILES, %DIRS);\n\n # build the arrays\n nprint(\"- Loading root level files.\", \"v\", \"tests\");\n foreach my $checkid (keys %TESTS) {\n\n # Expand out vars so we get full matches\n my @uris = change_variables($TESTS{$checkid}{'uri'}, $mark, $checkid);\n\n foreach my $uri (@uris) {\n my $dir = LW2::uri_get_dir($uri);\n my $file = $uri;\n\n if ($dir ne \"\") {\n $DIRS{$dir} = \"\";\n $dir =~ s/([^a-zA-Z0-9])/\\\\$1/g;\n $file =~ s/$dir//;\n }\n if (($file ne \"\") && ($file !~ /^\\?/)) {\n $FILES{$file} = \"\";\n }\n }\n }\n\n # Update total requests for status reports\n $COUNTERS{'total_checks'} = $COUNTERS{'total_checks'} + (keys(%DIRS) * keys(%FILES));\n\n # Now do a check for each item - just check the return status, nothing else\n foreach my $dir (keys %DIRS) {\n foreach my $file (keys %FILES) {\n return if $mark->{'terminate'};\n testfile($mark, \"$dir$file\", \"all checks\", 299999);\n }\n }\n}\n\nsub testfile {\n my ($mark, $uri, $name, $tid) = @_;\n return if $mark->{'terminate'};\n my ($res, $content, $error, $request, $response) =\n nfetch($mark, $uri, \"GET\", \"\", \"\", \"\", \"Tests: $name\");\n nprint(\"- $res for $uri (error: $error)\",\n \"v\", ($mark->{'hostname'}, $mark->{'ip'}, $mark->{'displayname'}));\n if ($error) {\n $mark->{'total_errors'}++;\n nprint(\"+ ERROR: $uri returned an error: $error\",\n \"e\", ($mark->{'hostname'}, $mark->{'ip'}, $mark->{'displayname'}));\n return;\n }\n if ($res == 200) {\n add_vulnerability($mark, \"$uri: file found during $name mutation\",\n $tid, \"\", \"GET\", $uri, $request, $response);\n }\n}\n\n1;\n"
},
{
"path": "program/templates/htm_close.tmpl",
"content": "© 2008 Chris Sullo \n\n\n\n |