Room362.com

First of all, get Robert @RSnake Hansen’s RFI list here:

http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/

it’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:

cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt

This pulls his list down to 906 entries which you can load in to Burp and hammer away with Intruder. If it pops any of them, not only have you better identified what is running on the site, but you might have just found RFI.

But I wanted to take this a step further:

The OSVDB archive allows you to download their entire database of vulnerabilities (after signing up for an account). I downloaded the CSV version so that I could parse it similar to how I did RSnakes. However, it definitely wasn’t that easy.

I downloaded osvd-csv.latest.tar.gz, extracted it and ran the following:

cat * | grep -i "remote file inclusion" | grep -v "\,0$" | awk -F "," '{print $13}' | sed ‘s/^\”//’ | set ‘s/\”$//’ | sort –u > osvdb_rfi.txt

Which got me close. About 3 hours of manual editing after that and I had another list of ~1750 possible remote file inclusions. Is this a full proof way of getting every possibility from the database? Definitely not, but it’s close, and I’d love to see some one modify and tweak my bash line to get it even closer. (Or find a completely different way)

Idea came thanks to cktricky from: http://cktricky.blogspot.com/

A bunch of sites on the web give you different pages depending on the browser you use to view it. I know when I was a web developer compatibility was the bane of my existence, as I'm sure it still is for all the web devs out there. Well, sometimes this leads to bad coding practices, or even the old "Google Bot gets to see everything" feature. Well, I had an idea to take Burp's Intruder and "Brute Force" any compatibility coding that a site may have. Especially if there is a restricted section of the page that you know is there, but don't have access to.

To start off you need a list of user agents. I pulled mine from the User-Agent Switcher lists I found on the web since they are in easily parsed XML.

From: http://www1.qainsight.net:8080/2007/05/18/Four+Links+To+UserAgent+List+And+An+Update+To+The+Useragent+Import.aspx

I downloaded: http://qainsight.net/content/binary/AgentStrings20070517.xml

There are plenty of ways to parse XML in your scripting language of choice but here is some dirty bash script that worked for me:

cat AgentStrings20070517.xml | grep "useragent=" | grep -v "\*" | awk -F '"' '{print $4}' > useragents.txt

Next, we set up our Intruder instance:

 

And import useragents.txt into Intruder and kick it off.

If any of the 'payloads' come back with anything different, it's definitely something to look into.