arachni 0.2.2.1

data/lib/rpc/xml/server/framework.rb

@@ -0,0 +1,206 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+require Options.instance.dir['lib'] + 'framework'
+require Options.instance.dir['lib'] + 'rpc/xml/server/module/manager'
+require Options.instance.dir['lib'] + 'rpc/xml/server/plugin/manager'
+
+module RPC
+module XML
+module Server
+
+#
+# Extends the Framework adding XML-RPC specific functionality
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+class Framework < Arachni::Framework
+
+    #
+    # Our run() method needs to run the parent's run() method in
+    # a separate thread.
+    #
+    alias :old_run :run
+
+    # make this inherited methods visible again
+    private :old_run, :stats, :pause!, :paused?, :resume!, :lsmod, :modules, :lsplug, :clean_up!
+    public  :stats, :pause!, :paused?, :resume!, :lsmod, :modules, :lsplug, :clean_up!
+
+    #
+    # Aborts the running audit.
+    #
+    def abort!
+        @job.kill
+        return true
+    end
+
+    #
+    # Checks to see if an audit is running.
+    #
+    # @return   [Bool]
+    #
+    def busy?
+        return false if !@job
+        return @job.alive?
+    end
+
+    #
+    # Checks whether the framework is in debug mode
+    #
+    def debug?
+        @@debug
+    end
+
+    #
+    # Checks whether the framework is in debug mode
+    #
+    def verbose?
+        @@verbose
+    end
+
+
+    #
+    # some XMLRPC libraries of other languages map remote objects to local objects
+    # creating an invalid syntax situation since the aforementioned languages
+    # may not allow "?" or "!" in method names.
+    #
+    # so we alias these methods to make it easier on 3rd party developers.
+    #
+    alias :pause :pause!
+    alias :is_paused :paused?
+    alias :resume :resume!
+    alias :clean_up :clean_up!
+    alias :is_busy :busy?
+    alias :is_debug :debug?
+    alias :is_verbose :verbose?
+
+    def initialize( opts )
+        super( opts )
+        @modules = Arachni::RPC::XML::Server::Module::Manager.new( opts )
+        @plugins = Arachni::RPC::XML::Server::Plugin::Manager.new( self )
+    end
+
+    #
+    # Returns an array of hashes with information
+    # about all available reports
+    #
+    # @return    [Array<Hash>]
+    #
+    def lsplug
+
+        plug_info = []
+
+        @plugins.available( ).each {
+            |plugin|
+
+            info = @plugins[plugin].info
+
+            info[:plug_name]   = plugin
+            info[:path]        = @plugins.name_to_path( plugin )
+
+            info[:options] = [info[:options]].flatten.compact.map {
+                |opt|
+                opt_h = opt.to_h
+                opt_h['default'] = '' if opt_h['default'].nil?
+                opt_h['type']    = opt.type
+                opt_h
+            }
+
+            plug_info << info
+        }
+
+        @plugins.clear( )
+
+        return plug_info
+    end
+
+
+    #
+    # Starts the audit.
+    #
+    # The audit is started in a new thread to avoid service blocking.
+    #
+    def run
+        @job = Thread.new {
+            exception_jail { old_run }
+        }
+        return true
+    end
+
+    #
+    # Returns the results of the audit.
+    #
+    # @return   [YAML]  YAML dump of the results hash
+    #
+    def report
+        exception_jail {
+            return false if !@job
+
+            store =  audit_store( true )
+            store.framework = ''
+            return YAML.dump( store.to_h.dup )
+        }
+    end
+
+    #
+    # Returns the results of the audit as a serialized AuditStore object.
+    #
+    # @return   [YAML]  YAML dump of the AuditStore
+    #
+    def auditstore
+        exception_jail {
+            return false if !@job
+
+            store =  audit_store( true )
+            store.framework = nil
+
+            return YAML.dump( store )
+        }
+    end
+
+    #
+    # Enables debugging output
+    #
+    def debug_on
+        @@debug = true
+    end
+
+    #
+    # Disables debugging output
+    #
+    def debug_off
+        @@debug = false
+    end
+
+    #
+    # Enables debugging output
+    #
+    def verbose_on
+        @@verbose = true
+    end
+
+    #
+    # Disables debugging output
+    #
+    def verbose_off
+        @@verbose = false
+    end
+
+end
+
+end
+end
+end
+end

data/lib/rpc/xml/server/instance.rb

@@ -0,0 +1,191 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+require 'webrick'
+require 'webrick/https'
+require 'xmlrpc/server'
+require 'openssl'
+
+module Arachni
+
+require Options.instance.dir['lib'] + 'rpc/xml/server/base'
+require Options.instance.dir['lib'] + 'rpc/xml/server/output'
+require Options.instance.dir['lib'] + 'rpc/xml/server/framework'
+require Options.instance.dir['lib'] + 'rpc/xml/server/options'
+
+module RPC
+module XML
+module Server
+
+#
+# XMLRPC Server class
+#
+# Provides an XML-RPC server to assist with general integration and UI development.
+#
+# Only instantiated by the Dispatcher to provide support for multiple
+# and concurent XMLRPC clients/scans.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.3
+#
+class Instance < Base
+
+    # the output interface for XML-RPC
+    include Arachni::UI::Output
+    include Arachni::Module::Utilities
+
+    private :shutdown, :alive?
+    public  :shutdown, :alive?
+
+
+    #
+    # Initializes the XML-RPC interface, the HTTP(S) server and the framework.
+    #
+    # @param    [Options]    opts
+    #
+    def initialize( opts )
+
+        prep_framework
+        banner
+
+        @opts = opts
+        super( @opts )
+
+        if @opts.debug
+            debug!
+        end
+
+
+        if @opts.reroute_to_logfile
+            reroute_to_file( @opts.dir['root'] +
+                "logs/XMLRPC-Server - #{Process.pid}:#{@opts.rpc_port} - #{Time.now.asctime}.log" )
+        else
+            reroute_to_file( false )
+        end
+
+        set_handlers
+
+        # trap interupts and exit cleanly when required
+        trap( 'HUP' ) { shutdown }
+        trap( 'INT' ) { shutdown }
+
+    end
+
+    #
+    # Resets the framework leaving it lemon fresh for the next scan.
+    #
+    # If you reuse without reseting, Arachni will eat your kitten!<br/>
+    # (And I don't mean sexually...)
+    #
+    def reset
+
+        print_status( 'Resetting...' )
+
+        exception_jail {
+            @framework.modules.clear
+            Arachni.reset
+            Arachni::Options.instance.reset
+            prep_framework
+            set_handlers
+            output
+        }
+
+        print_status( 'Done.' )
+
+        return true
+    end
+
+    #
+    # Flushes the output buffer and returns all pending system messages.
+    #
+    # All messages are classified based on their type.
+    #
+    # @return   [Array<Hash>]
+    #
+    def output
+        flush_buffer( )
+    end
+
+    #
+    # Makes the HTTP(S) server go bye-bye...Lights out!
+    #
+    def shutdown
+        print_status( 'Shutting down...' )
+        super
+        print_status( 'Done.' )
+        return true
+    end
+    alias :shutdown! :shutdown
+
+    #
+    # Starts the HTTP(S) server and the XML-RPC service.
+    #
+    def run
+
+        begin
+            print_status( 'Starting the server...' )
+            # start the show!
+            super
+        rescue Exception => e
+            exception_jail{ raise e }
+            exit 0
+        end
+    end
+
+    private
+
+    #
+    # Initialises the RPC framework.
+    #
+    def prep_framework
+        @framework = nil
+        @framework = Arachni::RPC::XML::Server::Framework.new( Options.instance )
+    end
+
+    #
+    # Outputs the Arachni banner.<br/>
+    # Displays version number, revision number, author details etc.
+    #
+    def banner
+
+        puts 'Arachni - Web Application Security Scanner Framework v' +
+            @framework.version + ' [' + @framework.revision + ']
+       Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+                                      <zapotek@segfault.gr>
+               (With the support of the community and the Arachni Team.)
+
+       Website:       http://github.com/Zapotek/arachni
+       Documentation: http://github.com/Zapotek/arachni/wiki'
+        puts
+        puts
+
+    end
+
+    #
+    # Starts the XML-RPC service and attaches it to the HTTP(S) server.<br/>
+    # It also prepares all the RPC handlers.
+    #
+    def set_handlers
+        @service.clear_handlers
+        add_handler( "service",   self )
+        add_handler( "framework", @framework )
+        add_handler( "opts",      @framework.opts )
+        add_handler( "modules",   @framework.modules )
+        add_handler( "plugins",   @framework.plugins )
+    end
+
+end
+
+end
+end
+end
+end

data/lib/rpc/xml/server/module/manager.rb

@@ -0,0 +1,46 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+require Options.instance.dir['lib'] + 'module/manager'
+
+module RPC
+module XML
+module Server
+
+module Module
+
+#
+# We need to extend the original Manager and redeclare its inherited methods
+# which are required over XMLRPC.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+class Manager < ::Arachni::Module::Manager
+
+    # make these inherited methods visible again
+    private :load, :available
+    public :load, :available
+
+    def initialize( opts )
+        super( opts )
+    end
+
+end
+
+end
+end
+end
+end
+end

data/lib/rpc/xml/server/options.rb

@@ -0,0 +1,124 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+#
+# Overrides the Options class adding support for direct options parsing.
+#
+# Not much to look at but it streamlines XML-RPC server option handling.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Options
+
+    def set( hash )
+        hash.each_pair {
+            |k, v|
+            begin
+                send( "#{k.to_s}=", v )
+            rescue Exception => e
+                ap e
+                ap e.backtrace
+            end
+        }
+        true
+    end
+
+    #
+    # Resets all important options that can affect the scan
+    # during framework reuse.
+    #
+    def reset
+        # nil everything out
+        self.instance_variables.each {
+            |var|
+
+            # do *NOT* nil out @dir, we'll loose our paths!
+            next if var.to_s == '@dir'
+
+            begin
+                instance_variable_set( var.to_s, nil )
+            rescue Exception
+            end
+        }
+
+
+        @exclude    = []
+        @include    = []
+        @redundant  = []
+        @lsmod      = []
+        @exclude_cookies    = []
+
+        # set some defaults
+        @redirect_limit = 20
+
+        # relatively low but will give good performance without bottleneck
+        # on low bandwidth conections
+        @http_req_limit = 20
+    end
+
+    #
+    # Sets the URL include filter.
+    #
+    # Only URLs matching any of these rules will be crawled.
+    #
+    # @param    [Array<Regexp>]     arr
+    #
+    def include=( arr )
+        @include = arr.map{ |rule| Regexp.new( rule ) }
+        return true
+    end
+
+    #
+    # Sets the URL exclude filter.
+    #
+    # URLs matching any of these rules will not be crawled.
+    #
+    # @param    [Array<Regexp>]     arr
+    #
+    def exclude=( arr )
+        @exclude = arr.map{ |rule| Regexp.new( rule ) }
+        return true
+    end
+
+    #
+    # Sets the redundancy filters.
+    #
+    # Filter example:
+    #     [
+    #        {
+    #            'regexp'    => 'calendar.php', # URL to apply the filter to
+    #            'count'     => 5   # how many times to crawl the url
+    #        },
+    #        {
+    #            'regexp'    => 'gallery.php',
+    #            'count'     => 3
+    #        }
+    #    ]
+    #
+    # @param     [Array<Hash>]  arr
+    #
+    def redundant=( arr )
+        ruleset = []
+        arr.each {
+            |rule|
+            rule['regexp'] = Regexp.new( rule['regexp'] )
+            ruleset << rule
+        }
+        @redundant = ruleset.dup
+        return true
+    end
+
+end
+end