Closed saheredelgadom closed 1 year ago
This file (https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/web_vulndb.rb) and previously named (https://github.com/rapid7/metasploit-framework/commits/7964d0f38a44033da1b5e721c3b5d39a9124e944/modules/auxiliary/scanner/http/wmap_web_vulndb.rb?browsing_rename_history=true&new_path=modules/auxiliary/scanner/http/web_vulndb.rb&original_branch=master) hasn't had a meaningful update in 13 years. There are no module docs (that wasn't a thing back then), and I don't see an original PR that included this. Googling around, https://seclists.org/metasploit/2010/q1/103 is the best thing I can find that has any information at all. They say there is a default file; I don't see it in the framework anymore, so it was either lost to the sands of time or deleted for a reason at some point.
If you're able to find any information, please let us know!
I would be interested in this as well. I remember when I was trying to update the openvas plugin, then greenbone security broke everything. Might try that again, but yeah, not much docs for web_vulndb, nor updates (I'm surprised).
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
This module is a naive threaded spray and pray poor man's nikto/nuclei vulnerability scanner. You could also think of it as dirbuster/gobuster with response context text matching.
Does this file have a specific format? What should go inside it? Could you please give me a format as this file should be?
A quick test and read of the source reveals the format should be:
path to something that is known to be vulnerable,text expected to exist in the response,notes/comment about why this is interesting/vulnerable
For example:
/awesomePhpSoftware?page=https://google.com/,Google,Awesome PHP Software page parameter RFI vulnerability
CSV parsing:
puts textarr.inspect
reveals the CSV parsing format:
Like other content discovery tools (dirbuster/gobuster), the module features 404 detection. Presumably leaving the text matching field empty will simply match 200 status code.
This module was added when the wmap plugin and metasploit database integration were new. The module stores matched URLs in the database as notes. The intention was likely to integrate this with wmap (which has been neglected for over a decade).
How to build a csv file to fulfill this need?
The email thread h00die linked above implies that the database is supposed to be automatically generated. There's also a hint that the format may be similar to that of nikto. The format is similar but not identical.
I'm not convinced that there was ever a default CSV file. Maybe.
I'm not sure that any tool to automatically generate the database was ever developed.
However, you should be able to convert existing wordlists to CSV fairly easily; ie:
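The conversion described in the comment above, written out as an added Ruby example; it is not code from the thread or from the Metasploit module. It assumes fields are split on plain commas with no quoting and that paths begin with `/`; the function names and the sample wordlist are constructed for illustration.

```ruby
# Added example for the three-field layout given in the thread:
#   path,text expected in the response,note
# Assumption: plain comma split, no quoting, so values with commas are skipped.

# Constructed sample wordlist (not from the thread).
SAMPLE_WORDLIST = <<~LIST
  # backup files
  admin/
  /phpinfo.php

  /export?cols=a,b
LIST

# Convert wordlist text into [path, match_text, note] rows.
# Returns [rows, skipped]; skipped holds entries this layout cannot represent.
def wordlist_to_rows(text, match_text: '', note: 'converted from wordlist')
  rows, skipped = [], []
  text.each_line do |line|
    entry = line.strip
    next if entry.empty? || entry.start_with?('#')
    path = entry.start_with?('/') ? entry : "/#{entry}"
    if [path, match_text, note].any? { |f| f.include?(',') }
      skipped << entry
    else
      rows << [path, match_text, note]
    end
  end
  [rows, skipped]
end

# Serialise rows, one comma-joined record per line.
def rows_to_csv(rows)
  rows.map { |r| r.join(',') + "\n" }.join
end

# Report lines without exactly three fields or without a leading "/" path.
def lint_vulncsv(csv_text)
  problems = []
  csv_text.each_line.with_index(1) do |line, n|
    fields = line.chomp.split(',', -1)
    problems << "line #{n}: expected 3 fields, got #{fields.size}" unless fields.size == 3
    problems << "line #{n}: path must start with /" unless fields[0].to_s.start_with?('/')
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  rows, skipped = wordlist_to_rows(SAMPLE_WORDLIST)
  puts rows_to_csv(rows), "skipped: #{skipped.inspect}"
end
```

Rows produced with an empty match field rely on the behaviour the comment above only presumes (matching on the status code), so supply `match_text` where a distinguishing string is known.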
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
This module has an option that is:
VULNCSV yes Path of vulnerabilities csv file to use
How to build a csv file to fulfill this need?
Does this file have a specific format?
what should go inside it?
Could you please give me a format as this file should be?