search

sullo / nikto

Nikto web server scanner
Other
8.3k stars 1.2k forks source link

Bug: STDOUT Now showing large numbers of Var: debug-like lines #706

Closed zombietango closed 3 years ago

zombietango commented 3 years ago

Expected behavior

Normally, Nikto would only display findings or additional information requested via the -Display flags.

Actual behavior

Very recently (probably as of the last commit release), I am now receiving a large number of STDOUT entries that appear to be debug messages, regardless of any -Display flags. Examples:

Var: @CGIDIRS val: /cgi-bin-sdb/ Var: @CGIDIRS val: /cgi-mod/ Var: @CGIDIRS val: /cgi.cgi/ Var: @CGIDIRS val: /webcgi/ Var: @CGIDIRS val: /cgi-914/ Var: @CGIDIRS val: /cgi-915/ Var: @CGIDIRS val: /bin/ Var: @CGIDIRS val: /cgi/ Var: @CGIDIRS val: /mpcgi/ Var: @CGIDIRS val: /cgi-bin/ Var: @CGIDIRS val: /ows-bin/ Var: @CGIDIRS val: /cgi-sys/ Var: @CGIDIRS val: /cgi-local/ Var: @CGIDIRS val: /htbin/ Var: @CGIDIRS val: /cgibin/ Var: @CGIDIRS val: /cgis/ Var: @CGIDIRS val: /scripts/ Var: @CGIDIRS val: /cgi-win/ Var: @CGIDIRS val: /fcgi-bin/ Var: @CGIDIRS val: /cgi-exe/ Var: @CGIDIRS val: /cgi-home/ Var: @CGIDIRS val: /cgi-perl/ Var: @CGIDIRS val: /scgi-bin/ Var: @CGIDIRS val: /cgi-bin-sdb/ Var: @CGIDIRS val: /cgi-mod/

Var: @RFIURL val: http://cirt.net/rfiinc.txt? Var: @RFIURL val: http://cirt.net/rfiinc.txt? Var: @RFIURL val: http://cirt.net/rfiinc.txt? Var: @RFIURL val: http://cirt.net/rfiinc.txt?

Var: @NUKE val: / Var: @NUKE val: /postnuke/ Var: @NUKE val: /postnuke/html/ Var: @NUKE val: /modules/ Var: @NUKE val: /phpBB/ Var: @NUKE val: /forum/

Var: @PHPMYADMIN val: /3rdparty/phpMyAdmin/ Var: @PHPMYADMIN val: /phpMyAdmin/ Var: @PHPMYADMIN val: /3rdparty/phpmyadmin/ Var: @PHPMYADMIN val: /phpmyadmin/ Var: @PHPMYADMIN val: /pma/ Var: @PHPMYADMIN val: /.tools/phpMyAdmin/current/

Steps to reproduce

  1. Run Nikto
  2. Watch STDOUT
  3. See additional display lines

There was no specific requirements for me to see this issue.

Nikto version

`--------------------------------------------------------------------------- Nikto Versions

File Version Last Mod

Nikto main 2.1.6 LibWhisker 2.5 db_404_strings 2.003 db_content_search 2.000 db_dictionary 1.0 db_dir_traversal 2.1.6 db_domino 2.1.6 db_drupal 1.00 db_embedded 2.004 db_favicon 2.010 db_headers 2.008 db_httpoptions 2.002 db_multiple_index 2.005 db_outdated 2.017 db_parked_strings 2.001 db_realms 2.002 db_server_msgs 2.006 db_tests 2.021 db_variables 2.004 nikto_apache_expect_xss.plugin 2.04 nikto_apacheusers.plugin 2.06 nikto_auth.plugin 2.04 nikto_cgi.plugin 2.06 nikto_clientaccesspolicy.plugin 1.00 nikto_content_search.plugin 2.05 nikto_cookies.plugin 2.05 nikto_core.plugin 2.1.5 nikto_dictionary_attack.plugin 2.04 nikto_dir_traversal.plugin 2.1.6 nikto_dishwasher.plugin 2.20 nikto_docker_registry.plugin 2.20 nikto_domino.plugin 2.1.6 nikto_drupal.plugin 1.00 nikto_embedded.plugin 2.07 nikto_favicon.plugin 2.09 nikto_fileops.plugin 1.00 nikto_headers.plugin 2.11 nikto_httpoptions.plugin 2.10 nikto_ms10_070.plugin 1.00 nikto_msgs.plugin 2.07 nikto_multiple_index.plugin 2.03 nikto_negotiate.plugin 2.00 nikto_origin_reflection.plugin 2.01 nikto_outdated.plugin 2.09 nikto_parked.plugin 2.00 nikto_paths.plugin 2.00 nikto_put_del_test.plugin 2.04 nikto_report_csv.plugin 2.07 nikto_report_html.plugin 2.06 nikto_report_json.plugin 2.00 nikto_report_nbe.plugin 2.02 nikto_report_sqlg.plugin 2.00 nikto_report_text.plugin 2.05 nikto_report_xml.plugin 2.06 nikto_robots.plugin 2.06 nikto_shellshock.plugin 2.01 nikto_siebel.plugin 1.00 nikto_sitefiles.plugin 2.00 nikto_ssl.plugin 2.01 nikto_strutshock.plugin 2.01 nikto_tests.plugin 2.04 ---------------------------------------------------------------------------`

Further technical info

macOS 10.15.3 perl:

Platform: osname=darwin, osvers=19.0, archname=darwin-thread-multi-2level uname='darwin osx374.sd.apple.com 19.0 darwin kernel version 18.0.0: tue jul 9 11:12:08 pdt 2019; root:xnu-4903.201.2.100.7~1release_x86_64 x86_64 ' config_args='-ds -e -Dprefix=/usr -Dccflags=-g -pipe -Dldflags= -Dman3ext=3pm -Duseithreads -Duseshrplib -Dinc_version_list=none -Dcc=cc' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef

tautology0 commented 3 years ago

Looks like this was added in version https://github.com/sullo/nikto/commit/2289670647c7b93aeb13e5cfa73c42f72b38501b#diff-0dfffae278774b7d83fb0f8df0815860e21f079cf9f16c2c565cf317612b47b6

sullo commented 3 years ago

I commented the lines. debugging another issue and i accidentally committed. thanks!

tautology0 commented 3 years ago

Damnit, you pushed at the same time I did :-P

digininja commented 3 years ago

I nearly reported this but it seemed like such an obvious thing that I assumed it was "new normal" and so didn't bother.

On Wed, 11 Nov 2020 at 15:45, D L notifications@github.com wrote:

Damnit, you pushed at the same time I did :-P

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sullo/nikto/issues/706#issuecomment-725497368, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA4SWIYPMRRXV2DAU3IIALSPKWRNANCNFSM4TSCYEAQ .

zombietango commented 3 years ago

Thanks guys! Working as expected now.