arachni 0.2.2.1

data/modules/recon/common_files.rb

@@ -0,0 +1,138 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Looks for sensitive common files on the server.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.3
+#
+#
+class CommonFiles < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+        # to keep track of the requests and not repeat them
+        @@__audited ||= Set.new
+
+        # our results array
+        @results = []
+
+        @@__filenames ||=[]
+        return if !@@__filenames.empty?
+
+        read_file( 'filenames.txt' ) {
+            |file|
+            @@__filenames << file
+        }
+    end
+
+    def run( )
+
+        path = get_path( @page.url )
+        return if @@__audited.include?( path )
+
+        print_status( "Scanning..." )
+        @@__filenames.each {
+            |file|
+
+            #
+            # Test for the existance of the file
+            #
+            # We're not worrying about its contents, the Trainer will
+            # analyze it and if it's HTML it'll extract any new attack vectors.
+            #
+
+            url  = path + file
+
+            print_status( "Checking for #{url}" )
+
+            req  = @http.get( url, :train => true )
+
+            req.on_complete {
+                |res|
+                print_status( "Analyzing #{res.effective_url}" )
+                __log_results( res, file )
+            }
+        }
+
+        @@__audited << path
+    end
+
+
+    def self.info
+        {
+            :name           => 'CommonFiles',
+            :description    => %q{Tries to find common sensitive files on the server.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.3',
+            :references     => {},
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{A common sensitive file exists on the server.},
+                :description => %q{},
+                :tags        => [ 'common', 'path', 'file' ],
+                :cwe         => '',
+                :severity    => Issue::Severity::LOW,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    #
+    # Adds an issue to the @results array<br/>
+    # and outputs an "OK" message with the filename and its url.
+    #
+    # @param  [Net::HTTPResponse]  res   the HTTP response
+    # @param  [String]  filename   the discovered filename
+    #
+    def __log_results( res, filename )
+
+        return if( res.code != 200 || @http.custom_404?( res ) )
+
+        url = res.effective_url
+        # append the result to the results array
+        @results << Issue.new( {
+            :url          => url,
+            :injected     => filename,
+            :id           => filename,
+            :elem         => Issue::Element::PATH,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( @results )
+
+        # inform the user that we have a match
+        print_ok( "Found #{filename} at " + url )
+    end
+
+end
+end
+end

data/modules/recon/common_files/filenames.txt

@@ -0,0 +1,17 @@
+robots.txt
+sitemap.xml
+sitemap.xml.gz
+phpinfo.php
+CVS/Repository
+CVS/Root
+CVS/Entries
+.git/HEAD
+_mmServerScripts/MMHTTPDB.php
+_mmServerScripts/MMHTTPDB.asp
+_mmDBScripts/MMHTTPDB.php
+_mmDBScripts/MMHTTPDB.asp
+config/database.yml
+install.php
+wp-admin/install.php
+wp-admin/setup-config.php
+config.php

data/modules/recon/directory_listing.rb

@@ -0,0 +1,171 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Tries to force directory listings.
+#
+# Can't take credit for this one, it's Michal's (lcamtuf's) method from Skipfish.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class DirectoryListing < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    DIFF_THRESHOLD = 1000
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+        foo = File.basename( __FILE__, '.rb' )
+        @dirs = [
+            "\\.#{foo}\\",
+            "\\.\\",
+            ".#{foo}/",
+            "./"
+       ]
+
+       @@__checked ||= Set.new
+    end
+
+    def run( )
+
+        path = get_path( @page.url )
+
+        return if !URI( path ).path || URI( path ).path.gsub( '/', '' ).empty?
+
+        # no redundant checks pl0x! kthxb.
+        return if @@__checked.include?( path )
+
+        @harvested = []
+
+        @dirs = [ @page.url ] | @dirs.map { |dir| path + dir } | [ path ]
+        @dirs.each_with_index {
+            |url, i|
+
+            @http.get( url ).on_complete {
+                |res|
+
+                if res
+                    @harvested[i] = res
+                    __check( path ) if __done_harvesting?
+                end
+            }
+
+        }
+    end
+
+    def __done_harvesting?
+
+        return false if @harvested.size != 6
+        @harvested.each {
+            |res|
+            return false if !res
+        }
+
+        return true
+    end
+
+    def __check( path )
+
+        @@__checked << path
+
+        # if we have a 403 Forbidden it means that we succesfully
+        # built a pah which would force a directory listing *but*
+        # the web server kicked our asses...so let's run away like
+        # little girls...
+        @harvested.each {
+            |res|
+            return if res.code == 403
+        }
+
+        if !File.basename( @harvested[0].effective_url, '?*' ).empty? &&
+            __same_page?( @harvested[0], @harvested[5] )
+            return
+        end
+
+
+        if !__same_page?( @harvested[1], @harvested[0] ) &&
+           !__same_page?( @harvested[1], @harvested[2] )
+            __log_results( @harvested[5] )
+        end
+
+        if !__same_page?( @harvested[3], @harvested[0] ) &&
+           !__same_page?( @harvested[3], @harvested[4] )
+            __log_results( @harvested[5] )
+        end
+
+    end
+
+    def __same_page?( res1, res2 )
+
+        # back out...
+        return false if res1.code != res2.code
+        return false if (res1.body.size - res2.body.size).abs > DIFF_THRESHOLD
+
+        return true
+    end
+
+    def self.info
+        {
+            :name           => 'Directory listing',
+            :description    => %q{Tries to force directory listings.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :references     => {},
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Directory listing is enabled.},
+                :description => %q{In most circumstances enabling directory listings is a bad practise
+                    as it allows an attacker to better grasp the web application's structure.},
+                :tags        => [ 'path', 'directory', 'listing', 'index' ],
+                :cwe         => '548',
+                :severity    => Issue::Severity::LOW,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+        }
+    end
+
+    def __log_results( res )
+
+        return if res.code != 200 || res.body.empty?
+
+        issue = Issue.new( {
+            :url          => res.effective_url,
+            :method       => res.request.method.to_s.upcase,
+            :elem         => Issue::Element::SERVER,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( [issue] )
+
+        print_ok( 'Found: ' + res.effective_url )
+    end
+
+end
+end
+end

data/modules/recon/grep/captcha.rb

@@ -0,0 +1,62 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Modules
+
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class CAPTCHA < Arachni::Module::Base
+
+    def initialize( page )
+        @page = page
+    end
+
+    def run( )
+
+        begin
+            # since we only care about forms parse the HTML and match forms only
+            Nokogiri::HTML( @page.body ).xpath( "//form" ).each {
+                |form|
+                # pretty dumb way to do this but it's a pretty dumb issue anyways...
+                match_and_log( /captcha/i, form.to_s )
+            }
+        rescue
+        end
+
+    end
+
+    def self.info
+        {
+            :name           => 'CAPTCHA',
+            :description    => %q{Greps pages for forms with CAPTCHAs.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Found a CAPTCHA protected form.},
+                :description => %q{Arachni can't audit CAPTCHA protected forms, consider auditing manually.},
+                :cwe         => '',
+                :severity    => Issue::Severity::INFORMATIONAL,
+                :cvssv2      => '',
+                :remedy_guidance    => %q{},
+                :remedy_code => '',
+            }
+        }
+    end
+
+end
+end
+end

data/modules/recon/grep/credit_card.rb

@@ -0,0 +1,85 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Modules
+
+#
+# Credit Card Number recon module.
+#
+# Scans every page for credit card numbers.
+#
+# @author: morpheuslaw <msidagni@nopsec.com>
+# @version: 0.1
+#
+class CreditCards < Arachni::Module::Base
+
+    def initialize( page )
+        @page = page
+    end
+
+    def run( )
+        ccNumber = /\b(((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7][\d\s-]{15})\b/
+
+        # match CC number candidates and verify matches before logging
+        match_and_log( ccNumber ){
+            |match|
+            __luhn_check( match )
+        }
+    end
+
+    #
+    # Checks for a valid credit card number
+    #
+    def __luhn_check( cc_number )
+      cc_number   = cc_number.gsub( /D/, '' )
+      cc_length   = cc_number.length
+      parity      = cc_length % 2
+
+      sum = 0
+      for i in 0..cc_length
+         digit = cc_number[i].to_i - 48
+
+         if i % 2 == parity
+           digit = digit * 2
+         end
+
+         if digit > 9
+           digit = digit - 9
+         end
+
+         sum = sum + digit
+      end
+
+      return (sum % 10) == 0
+    end
+
+    def self.info
+        {
+            :name           => 'Credit card number disclosure',
+            :description    => %q{Scans pages for credit card numbers.},
+            :author         => 'morpheuslaw <msidagni@nopsec.com>',
+            :version        => '0.1',
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Credit card number disclosure.},
+                :description => %q{A credit card number is disclosed in the body of the page.},
+                :cwe         => '200',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2      => '0',
+                :remedy_guidance    => %q{Remove credit card numbers from the body of the HTML pages.},
+                :remedy_code => '',
+            }
+        }
+    end
+
+end
+end
+end