[Nikto-discuss] User Defined DB

david lodge resident.deity at gmail.com
Thu Jul 2 11:36:23 UTC 2009


> I did all the steps mentioned in the chapter 7.
> I saved a copy of db_tests, made changes to the copy to include my tests in
> the following format:

Don't use copy of db_tests - this'll duplicate all tests in db_tests!

The way the user defined database loader works is to do the following:
* load db_tests
* load udb_tests

They both load into the same ID, and there isn't much intelligence to
prevent duplication!

> "429402","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","Wordpress
> Vulnerability","","","","","Exloitable file mygallerybrowser.php file in
> mygallery.","",""

It looks okay initially, but some points that may stop it working:
* The URI field (4th field) should start with a /; making this
/mygallery/myfunctions/mygallerybrowser.php?myPath=
* The match 1 field (6th field) is either a HTTP code, or something
that'll match in the resulting data; are you expecting the words
"Wordpress Vulnerability" in the output?
* Do you really want tuning "b" (software identification); if this is
exploitable I'd suggest something like 5 (Remote File retrievable)

I'd normally advise putting the HTTP code in the match 1 field (e.g.
200) and the contents in the match 1 and field (7th field), so I'd put
this as:
"429402","0","b","/mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","200","Wordpress
Vulnerability","","","","Exloitable file mygallerybrowser.php file in
mygallery.","",""

This would expect for a uri of
/mygallery/myfunctions/mygallerybrowser.php?myPath= a HTTP response of
200, with the data containing "Wordpress Vulnerability". The way I
normally test this is by using wget to get the url and then build it
round there.

Also, what version of Nikto are you using? I've just (looking at this)
discovered an error in db_tests on version 2.1.0, which shouldn't
cause a problem but may. I've also just noticed that -dbcheck barfs on
a lot of the standard databases, so we can't depend on that!

> I saved the file as udb_tests in plugins directory. But I cannot get any
> results from Nikto. How do I make sure that all the tests are loading
> properly? Is there anything that I might have forgotten?

Probably the best test is to use the verbose flag (-D v) and pipe the
output to a file, you should see something like:
V:Thu Jul  2 12:32:31 2009 - 403 for GET:       /cgi/download.cgi
(Apologies in advance for the American date format, I'll fix this into
something international one of these days)

For your entry in the database, here you can see the response from the
server and the URI it's going to. For further debugging you can use
the debug switch (-D d); this will dump the whole libwhisker request
and response hashes and tell exactly what's happening.

Give me a shout if you're still having problems.

Thanks

dave
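The checks Dave walks through above (the missing leading `/`, an HTTP code versus body text in the match fields, the loader putting db_tests and udb_tests into one ID table, and reading the `-D v` output to confirm your URI was actually requested) can be automated before and after a run. The following script is an added example written for this page; it is not code from the Nikto project or from the mailing-list post. Field positions follow the post (field 1 = test id, field 3 = tuning, field 4 = URI, field 5 = method, field 6 = match 1, field 7 = match 1 and); the fixed width of 13 fields, the exact shape of the verbose log lines, and all sample records and log lines below are constructed assumptions based on what the post shows.

```python
"""Lint a Nikto user-defined test entry and confirm it was requested.

Added example, not part of the Nikto project or of the mailing-list post.
Field positions come from the post; the 13-field width and the verbose
line format are assumptions based on the records and sample line shown.
"""
import csv
import io
import re

FIELD_COUNT = 13  # assumption: both records in the post have 13 fields
IDX_ID, IDX_TUNING, IDX_URI, IDX_METHOD, IDX_MATCH1, IDX_MATCH1_AND = 0, 2, 3, 4, 5, 6
HTTP_CODE = re.compile(r"^[1-5]\d\d$")
# Assumed shape of a "-D v" line: "V:<timestamp> - <code> for <METHOD>: <uri>"
VERBOSE_LINE = re.compile(
    r"^V:(?P<ts>.+?) - (?P<code>\d{3}) for (?P<method>[A-Z]+):\s+(?P<uri>\S+)")

# Constructed samples: the poster's entry as written, and the corrected form.
ORIGINAL_ENTRY = ('"429402","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=",'
                  '"GET","Wordpress Vulnerability","","","","",'
                  '"Exploitable file mygallerybrowser.php file in mygallery.","",""\n')
FIXED_ENTRY = ('"429402","0","b","/mygallery/myfunctions/mygallerybrowser.php?myPath=",'
               '"GET","200","Wordpress Vulnerability","","","",'
               '"Exploitable file mygallerybrowser.php file in mygallery.","",""\n')
# Constructed stand-in for a stock db_tests file (id 999001 is made up).
DB_TESTS_SAMPLE = ('"999001","0","b","/constructed/path.cgi","GET","200","","","","",'
                   '"Constructed stock test","",""\n')
# Constructed verbose output: first line copied from the post, second made up.
VERBOSE_SAMPLE = (
    "V:Thu Jul  2 12:32:31 2009 - 403 for GET:       /cgi/download.cgi\n"
    "V:Thu Jul  2 12:32:32 2009 - 200 for GET:       "
    "/mygallery/myfunctions/mygallerybrowser.php?myPath=\n")


def parse_entries(text):
    """Parse db_tests-style quoted CSV into a list of field lists, skipping comments."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        rows.append(row)
    return rows


def lint_entry(row):
    """Return the problems the post warns about for one udb_tests record."""
    problems = []
    if len(row) != FIELD_COUNT:
        problems.append(f"expected {FIELD_COUNT} fields, got {len(row)}")
        return problems  # positions are meaningless if the width is wrong
    if not row[IDX_URI].startswith("/"):
        problems.append("URI (field 4) must start with /")
    if not row[IDX_METHOD]:
        problems.append("method (field 5) is empty")
    if not row[IDX_MATCH1]:
        problems.append("match 1 (field 6) is empty: nothing can ever match")
    elif not HTTP_CODE.match(row[IDX_MATCH1]):
        problems.append(
            f"match 1 (field 6) {row[IDX_MATCH1]!r} is not an HTTP code, so the "
            "response body must literally contain it; put the code in field 6 "
            "and the text in match 1 and (field 7)")
    return problems


def duplicate_ids(db_rows, udb_rows):
    """IDs present in both files: both load into one ID table, so one test is lost."""
    seen = {r[IDX_ID] for r in db_rows if r}
    return sorted(r[IDX_ID] for r in udb_rows if r and r[IDX_ID] in seen)


def parse_verbose(log_text):
    """Extract (method, uri, status) from -D v output lines."""
    hits = []
    for line in log_text.splitlines():
        m = VERBOSE_LINE.match(line)
        if m:
            hits.append((m["method"], m["uri"], int(m["code"])))
    return hits


def requests_for(row, log_text):
    """Verbose-log requests that correspond to this entry's method and URI."""
    path = row[IDX_URI].split("?", 1)[0]  # assumption: log may omit the query string
    return [(m, u, c) for m, u, c in parse_verbose(log_text)
            if m == row[IDX_METHOD] and (u == row[IDX_URI] or u.split("?", 1)[0] == path)]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ENTRY), ("fixed", FIXED_ENTRY)):
        row = parse_entries(text)[0]
        print(label, "problems:", lint_entry(row) or "none")
        print(label, "seen in log:", requests_for(row, VERBOSE_SAMPLE) or "not requested")
    copied = parse_entries(DB_TESTS_SAMPLE + FIXED_ENTRY)  # a copy of db_tests plus one test
    print("duplicate ids when udb_tests is a copy of db_tests:",
          duplicate_ids(parse_entries(DB_TESTS_SAMPLE), copied))
```

Run it as-is to see the two lint findings on the original entry, a clean result on the corrected one, and the ID collision that appears when udb_tests starts life as a copy of db_tests; to use it on your own files, read db_tests, udb_tests and the `-D v` output from disk and pass their contents to the same functions.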

