arachni 0.2.2.1

data/modules/audit/sqli_blind_timing.rb

@@ -0,0 +1,103 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Blind SQL Injection module using timing attacks.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+# @see http://cwe.mitre.org/data/definitions/89.html
+# @see http://capec.mitre.org/data/definitions/7.html
+# @see http://www.owasp.org/index.php/Blind_SQL_Injection
+#
+class BlindTimingSQLInjection < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        @@__injection_str ||= []
+
+        if @@__injection_str.empty?
+            read_file( 'payloads.txt' ) {
+                |str|
+                @@__injection_str << str
+            }
+        end
+
+        @__opts = {
+            :format  => [ Format::STRAIGHT ],
+            :timeout => 4000,
+            :timeout_divider => 1000
+        }
+
+    end
+
+    def run
+        audit_timeout( @@__injection_str, @__opts )
+    end
+
+    def self.info
+        {
+            :name           => 'Blind (timing) SQL injection',
+            :description    => %q{Blind SQL Injection module using timing attacks
+                (if the remote server suddenly becomes unresponsive or your network
+                connection suddenly chokes up this module will probably produce false positives).},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.1',
+            :references     => {
+                'OWASP'      => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
+                'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Blind SQL Injection (timing attack)},
+                :description => %q{SQL code can be injected into the web application
+                    even though it may not be obvious due to suppression of error messages.
+                    (This issue was discovered using a timing attack; timing attacks
+                    can result in false positives in cases where the server takes
+                    an abnormally long time to respond.
+                    Either case, these issues will require further investigation
+                    even if they are false positives.)},
+                :tags        => [ 'sql', 'blind', 'timing', 'injection', 'database' ],
+                :cwe         => '89',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => %q{Suppression of error messages leads to
+                    security through obscurity which is not a good practise.
+                    The web application needs to enforce stronger validation
+                    on user inputs.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_sqlmap'
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/sqli_blind_timing/payloads.txt

@@ -0,0 +1,51 @@
+sleep(__TIME__)#
+1 or sleep(__TIME__)#
+" or sleep(__TIME__)#
+' or sleep(__TIME__)#
+" or sleep(__TIME__)="
+' or sleep(__TIME__)='
+1) or sleep(__TIME__)#
+") or sleep(__TIME__)="
+') or sleep(__TIME__)='
+1)) or sleep(__TIME__)#
+")) or sleep(__TIME__)="
+')) or sleep(__TIME__)='
+1 and sleep(__TIME__)#
+" and sleep(__TIME__)#
+' and sleep(__TIME__)#
+" and sleep(__TIME__)="
+' and sleep(__TIME__)='
+1) and sleep(__TIME__)#
+") and sleep(__TIME__)="
+') and sleep(__TIME__)='
+1)) and sleep(__TIME__)#
+")) and sleep(__TIME__)="
+')) and sleep(__TIME__)='
+;waitfor delay '0:0:__TIME__'--
+);waitfor delay '0:0:__TIME__'--
+';waitfor delay '0:0:__TIME__'--
+";waitfor delay '0:0:__TIME__'--
+');waitfor delay '0:0:__TIME__'--
+");waitfor delay '0:0:__TIME__'--
+));waitfor delay '0:0:__TIME__'--
+'));waitfor delay '0:0:__TIME__'--
+"));waitfor delay '0:0:__TIME__'--
+pg_sleep(__TIME__)--
+1 or pg_sleep(__TIME__)--
+" or pg_sleep(__TIME__)--
+' or pg_sleep(__TIME__)--
+1) or pg_sleep(__TIME__)--
+") or pg_sleep(__TIME__)--
+') or pg_sleep(__TIME__)--
+1)) or pg_sleep(__TIME__)--
+")) or pg_sleep(__TIME__)--
+')) or pg_sleep(__TIME__)--
+1 and pg_sleep(__TIME__)--
+" and pg_sleep(__TIME__)--
+' and pg_sleep(__TIME__)--
+1) and pg_sleep(__TIME__)--
+") and pg_sleep(__TIME__)--
+') and pg_sleep(__TIME__)--
+1)) and pg_sleep(__TIME__)--
+")) and pg_sleep(__TIME__)--
+')) and pg_sleep(__TIME__)--

data/modules/audit/trainer.rb

@@ -0,0 +1,89 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+#
+# Pokes and probes all inputs of a given page in order to uncover
+# new input vectors.
+#
+# It also forces Arachni to train itself by analyzing the server responses.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+#
+class Trainer < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        # this will be the used as the injection string
+        @str = '_arachni_trainer_' + seed
+
+        @opts = {
+            #
+            # tell the frameworm to learn from the
+            # server responses that this module will cause.
+            #
+            :train  => true,
+            :param_flip => true
+        }
+    end
+
+    def run( )
+
+        #
+        # this will inject the string in @str into all available inputs
+        #
+        audit( @str, @opts ) {
+            #
+            # empty block, we don't need to check for anything
+            #
+            # however since we haven't passed at least a regexp to audit()
+            # we need to provide a block otherwise the Auditor will complain...
+            #
+            # that bastard!
+            #
+        }
+    end
+
+    def self.info
+        {
+            :name           => 'Trainer',
+            :description    => %q{Pokes and probes all inputs of a given page in order to uncover new input vectors.
+                It also forces Arachni to train itself by analyzing the server responses.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1',
+            :references     => {
+            },
+            :targets        => { 'Generic' => 'all' },
+        }
+    end
+
+end
+end
+end

data/modules/audit/unvalidated_redirect.rb

@@ -0,0 +1,90 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Unvalidated redirect audit module.
+#
+# It audits links, forms and cookies, injects URLs and checks
+# the Location header field to determnine whether the attack was successful.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
+#
+class UnvalidatedRedirect < Arachni::Module::Base
+
+    def initialize( page )
+        super( page )
+
+        # initialize the array that will hold the results
+        @results = []
+    end
+
+    def prepare( )
+        @__urls = [
+          'www.arachni-boogie-woogie.com',
+          'http://www.arachni-boogie-woogie.com',
+        ]
+    end
+
+    def run( )
+        @__urls.each {
+            |url|
+            audit( url ) {
+                |res, opts|
+                log( opts, res ) if( res.headers_hash['Location'] == url )
+            }
+        }
+    end
+
+
+    def self.info
+        {
+            :name           => 'UnvalidatedRedirect',
+            :description    => %q{Injects URLs and checks the Location header field
+                to determnine whether the attack was successful.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.1',
+            :references     => {
+                 'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards'
+            },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Unvalidated redirect},
+                :description => %q{The web application redirects users to unvalidated URLs.},
+                :tags        => [ 'unvalidated', 'redirect', 'injection', 'header', 'location' ],
+                :cwe         => '819',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/xpath.rb

@@ -0,0 +1,104 @@
+=begin
+  $Id$
+
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XPath Injection audit module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/91.html
+# @see http://www.owasp.org/index.php/XPATH_Injection
+# @see http://www.owasp.org/index.php/Testing_for_XPath_Injection_%28OWASP-DV-010%29
+#
+class XPathInjection < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        #
+        # we make this a class variable and populate it only once
+        # to reduce file IO
+        #
+        @@__errors ||= []
+
+        if @@__errors.empty?
+            read_file( 'errors.txt' ) { |error| @@__errors << error }
+        end
+
+        # prepare the strings that will hopefully cause the webapp
+        # to output XPath error messages
+        @__injection_strs = [
+            "'\"",
+            "<!--"
+        ]
+
+        @__opts = {
+            :format => [ Format::APPEND ],
+            :substring => @@__errors
+        }
+
+    end
+
+    def run( )
+        @__injection_strs.each {
+            |str|
+            audit( str, @__opts )
+        }
+    end
+
+
+    def self.info
+        {
+            :name           => 'XPathInjection',
+            :description    => %q{XPath injection module},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :references     => {
+                'OWASP'      => 'http://www.owasp.org/index.php/XPATH_Injection'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{XPath Injection},
+                :description => %q{XPath queries can be injected into the web application.},
+                :tags        => [ 'xpath', 'database', 'error', 'injection', 'regexp' ],
+                :cwe         => '91',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '',
+                :remedy_guidance    => 'User inputs must be validated and filtered
+                    before being included in database queries.',
+                :remedy_code => ''
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/xpath/errors.txt

@@ -0,0 +1,26 @@
+xmlXPathEval: evaluation failed
+SimpleXMLElement::xpath()
+XPathException
+MS.Internal.Xml.
+Unknown error in XPath
+org.apache.xpath.XPath
+A closing bracket expected in
+An operand in Union Expression does not produce a node-set
+Cannot convert expression to a number
+Document Axis does not allow any context Location Steps
+Empty Path Expression
+Empty Relative Location Path
+Empty Union Expression
+Expected '\)' in
+Expected node test or name specification after axis operator
+Incompatible XPath key
+Incorrect Variable Binding
+libxml2 library function failed
+xmlsec library function
+error '80004005'
+A document must contain exactly one root element.
+Expression must evaluate to a node-set.
+Expected token '\]'
+<p>msxml4.dll</font>
+<p>msxml3.dll</font>
+4005 Notes error: Query is not understandable