Delicious Webapp Hacking

2010-12-25 477 words 3 minutes

Contents

[UPDATE] This module (enum_delicious) has been pulled from Metasploit since Delicious no longer allows searching by site.

In the last post I showed off how Archive.org’s Wayback machine can be used to pull urls for a domain, another place where URLs are stored and can be searched by domain is Delicious.com (a bookmarking service). I’ve seen people bookmark everything from internal web portals to urls with special no-auth passwords in them. It may even reveal subdomains and hosts you didn’t know about. This can be a very handy set of data.

Be forewarned though, Delicious has been putting ads in the results and I haven’t gotten a solid regex to work on picking them out yet. So comb your results before slamming them in the requestor script from the last post. The module works basically the same way, but here it is in action:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113


msf auxiliary(enum_delicious) > info
       Name: Pull Del.icio.us Links (URLs) for a domain
    Version: 11107
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Rob Fuller

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  DOMAIN                    yes       Domain to request URLS for
  OUTFILE                   no        Where to output the list for use

Description:
  This module pulls and parses the URLs stored by Del.icio.us users 
  for the purpose of replaying during a web assessment. Finding 
  unlinked and old pages.

msf auxiliary(enum_delicious) > set DOMAIN portswigger.net
DOMAIN => portswigger.net
msf auxiliary(enum_delicious) > run

[*] Pulling urls from Delicious.com
[*] Page number: 1
[*] Page number: 2
[*] Page number: 3
[*] Page number: 4
[*] Located 81 addresses for portswigger.net
http://blog.portswigger.net/
http://blog.portswigger.net/2007/04/preventing-username-enumeration.html
http://blog.portswigger.net/2007/04/using-recursive-grep-for-harvesting.html
http://blog.portswigger.net/2007/05/on-site-request-forgery.html
http://blog.portswigger.net/2007/06/viewstate-snooping.html
http://blog.portswigger.net/2007/07/dns-pinning-and-web-proxies.html
http://blog.portswigger.net/2007/07/hacking-without-credentials.html
http://blog.portswigger.net/2007/07/lame-bugs-for-rainy-day.html
http://blog.portswigger.net/2007/10/introducing-burp-sequencer.html
http://blog.portswigger.net/2007/11/new-burp-beta.html
http://blog.portswigger.net/2007/12/burp-suite-v11-released.html
http://blog.portswigger.net/2008/03/book-review-ajax-security.html
http://blog.portswigger.net/2008/03/xsrf-and-threat-ratings.html
http://blog.portswigger.net/2008/04/can-you-hit-moving-target.html
http://blog.portswigger.net/2008/05/burp-sequencer-101.html
http://blog.portswigger.net/2008/05/null-byte-attacks-are-alive-and-well.html
http://blog.portswigger.net/2008/08/attacking-parameter-names.html
http://blog.portswigger.net/2008/08/problem-accepting-self-signed-ssl.html
http://blog.portswigger.net/2008/11/mobp-burp-extender-extended.html
http://blog.portswigger.net/2008/11/mobp-filtering-and-deleting-content.html
http://blog.portswigger.net/2008/11/mobp-new-target-site-map.html
http://blog.portswigger.net/2008/11/month-of-burp-pr0n.html
http://blog.portswigger.net/2008/12/burp-suite-v12-released.html
http://blog.portswigger.net/2008/12/when-good-xsrf-defence-turns-bad.html
http://blog.portswigger.net/2009/04/intercepting-thick-client.html
http://blog.portswigger.net/2009/04/using-burp-extender.html
http://blog.portswigger.net/2009/11/if-politicians-were-http-status-codes.html
http://blog.portswigger.net/2009/11/v13p-ssl-pain-relief.html
http://blog.portswigger.net/2010/01/burp-suite-v13-released.html
http://blog.portswigger.net/2010/06/comparing-web-application-scanners-part.html
http://blog.portswigger.net/2010/06/comparing-web-application-scanners.html
http://blog.portswigger.net/search/label/MoBP
http://portswigger.net/
http://portswigger.net/books/
http://portswigger.net/burp/
http://portswigger.net/burp/downloadfree.html
http://portswigger.net/burp/help/intruder.html
http://portswigger.net/burp/help/proxy.html
http://portswigger.net/burp/proxy.html
http://portswigger.net/burp/scanner.html
http://portswigger.net/intruder/
http://portswigger.net/misc/
http://portswigger.net/misc/wahh-toc.pdf
http://portswigger.net/proxy/
http://portswigger.net/proxy/help.html
http://portswigger.net/proxy/help.html#matchreplace
http://portswigger.net/proxy/screenshots.html
http://portswigger.net/proxy/servercerts.html
http://portswigger.net/scanner/screenshots.html
http://portswigger.net/sequencer/
http://portswigger.net/spider/
http://portswigger.net/spider/help.html#using
http://portswigger.net/suite/
http://portswigger.net/suite/comparerhelp.html
http://portswigger.net/suite/download.html
http://portswigger.net/suite/download2.html
http://portswigger.net/suite/help.html#using
http://portswigger.net/suite/help.html#what
http://portswigger.net/suite/pro.html
http://portswigger.net/suite/screenshots.html
http://portswigger.net/suite/spider.html
http://portswigger.net/training/
http://portswigger.net/wahh/
http://portswigger.net/wahh/answers.html
http://portswigger.net/wahh/jattack-fuzz.java
http://portswigger.net/wahh/tasks.html
http://portswigger.net/wahh/toc.html
http://portswigger.net/wahh/tools.html
http://releases.portswigger.net/2009/08/v1214.html
http://releases.portswigger.net/2010/03/v1301.html
http://releases.portswigger.net/2010/05/v1305.html
http://releases.portswigger.net/2010/07/v1307.html
http://releases.portswigger.net/2010/08/v1308.html
http://www.portswigger.net/intruder/screenshots.html
http://www.portswigger.net/proxy/download.html
http://www.portswigger.net/scanner/
http://www.portswigger.net/sequencer/help.html
http://www.portswigger.net/spider/help.html
http://www.portswigger.net/spider/screenshots.html
http://www.portswigger.net/suite/help.html
http://www.portswigger.net/suite/successstories.html
[*] Auxiliary module execution completed
msf auxiliary(enum_delicious) > 

Both this and the Wayback module can be found in the Metasploit trunk