lib/whatweb/plugins/microsoft-office-xml.rb
# frozen_string_literal: true
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.2 #
# Updated regex
##
WhatWeb::Plugin.define "Microsoft-Office-XML" do
@author = "Brendan Coles <bcoles@gmail.com>" # 2010-10-14
@version = "0.2"
@description = "This module detects instances of Microsoft Office documents saved as HTML and attempts to extract the user name, company name and office version."
@website = "http://en.wikipedia.org/wiki/Microsoft_Office_XML_formats"
# About 123,000 results for <o:DocumentProperties> <o:Template> @ 2010-10-14
# Extract version, usernames and company
def passive(target)
m = []
# Excel
if target.body =~ /<DocumentProperties xmlns="urn:schemas-microsoft-com:office:[excel|office]?">/ || target.body =~ /<?mso-application progid="Excel.Sheet"?>/
# Get version
if /<Version>([^<]+)<\/Version>/.match?(target.body)
version = target.body.scan(/<Version>([^<]+)<\/Version>/)
m << { version: "Excel " + version }
end
# Get company
if /<Company>([^<]+)<\/Company>/.match?(target.body)
accounts = target.body.scan(/<Company>([^<]+)<\/Company>/)[0][0]
m << { account: "Company:" + accounts }
end
# Get usernames
if /<Author>([^<]+)<\/Author>/.match?(target.body)
accounts = target.body.scan(/<Author>([^<]+)<\/Author>/)[0][0]
m << { account: accounts }
end
if /<LastAuthor>([^<]+)<\/LastAuthor>/.match?(target.body)
accounts = target.body.scan(/<LastAuthor>([^<]+)<\/LastAuthor>/)[0][0]
m << { account: accounts }
end
end
# Word
if target.body =~ /<o:DocumentProperties>/ || target.body =~ /<?mso-application progid="Word.Document"?>/
# Get version
if /<o:Version>([^<]+)<\/o:Version>/.match?(target.body)
version = target.body.scan(/<o:Version>([^<]+)<\/o:Version>/)[0][0]
m << { version: "Word " + version }
end
# Get company
if /<o:Company>([^<]+)<\/o:Company>/.match?(target.body)
accounts = target.body.scan(/<o:Company>([^<]+)<\/o:Company>/)[0][0]
m << { account: "Company:" + accounts }
end
# Get usernames
if /<o:Author>([^<]+)<\/o:Author>/.match?(target.body)
accounts = target.body.scan(/<o:Author>([^<]+)<\/o:Author>/)[0][0]
m << { account: accounts }
end
if /<o:LastAuthor>([^<]+)<\/o:LastAuthor>/.match?(target.body)
accounts = target.body.scan(/<o:LastAuthor>([^<]+)<\/o:LastAuthor>/)[0][0]
m << { account: accounts }
end
end
# Core document properties
if /<cp:coreProperties/.match?(target.body)
# Get usernames
if /<dc:creator>([^<]+)<\/creator>/.match?(target.body)
accounts = target.body.scan(/<dc:creator>([^<]+)<\/creator>/)[0][0]
m << { account: accounts }
end
if /<dc:lastModifiedBy>([^<]+)<\/creator>/.match?(target.body)
accounts = target.body.scan(/<dc:lastModifiedBy>([^<]+)<\/creator>/)[0][0]
m << { account: accounts }
end
# Get company
if /<Company>([^<]+)<\/Company>/.match?(target.body)
accounts = target.body.scan(/<Company>([^<]+)<\/Company>/)[0][0]
m << { account: "Company:" + accounts }
end
# Get version
if /<AppVersion>([^<]+)<\/AppVersion>/.match?(target.body)
version = target.body.scan(/<AppVersion>([^<]+)<\/AppVersion>/)[0][0]
m << { version: version }
end
end
m
end
end