arachni 0.2.2.1
- data/ACKNOWLEDGMENTS.md +14 -0
- data/AUTHORS.md +6 -0
- data/CHANGELOG.md +162 -0
- data/CONTRIBUTORS.md +10 -0
- data/EXPLOITATION.md +429 -0
- data/HACKING.md +101 -0
- data/LICENSE.md +341 -0
- data/README.md +350 -0
- data/Rakefile +86 -0
- data/bin/arachni +22 -0
- data/bin/arachni_web +77 -0
- data/bin/arachni_xmlrpc +21 -0
- data/bin/arachni_xmlrpcd +82 -0
- data/bin/arachni_xmlrpcd_monitor +74 -0
- data/conf/README.webui.yaml.txt +44 -0
- data/conf/webui.yaml +11 -0
- data/external/metasploit/LICENSE +24 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb +142 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb +113 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb +150 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb +141 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb +92 -0
- data/external/metasploit/plugins/arachni.rb +536 -0
- data/getoptslong.rb +241 -0
- data/lib/anemone.rb +2 -0
- data/lib/anemone/cookie_store.rb +35 -0
- data/lib/anemone/core.rb +371 -0
- data/lib/anemone/exceptions.rb +5 -0
- data/lib/anemone/http.rb +144 -0
- data/lib/anemone/page.rb +337 -0
- data/lib/anemone/page_store.rb +160 -0
- data/lib/anemone/storage.rb +34 -0
- data/lib/anemone/storage/base.rb +75 -0
- data/lib/anemone/storage/exceptions.rb +15 -0
- data/lib/anemone/storage/mongodb.rb +89 -0
- data/lib/anemone/storage/pstore.rb +50 -0
- data/lib/anemone/storage/redis.rb +90 -0
- data/lib/anemone/storage/tokyo_cabinet.rb +57 -0
- data/lib/anemone/tentacle.rb +40 -0
- data/lib/arachni.rb +16 -0
- data/lib/audit_store.rb +346 -0
- data/lib/component_manager.rb +293 -0
- data/lib/component_options.rb +395 -0
- data/lib/exceptions.rb +76 -0
- data/lib/framework.rb +637 -0
- data/lib/http.rb +809 -0
- data/lib/issue.rb +302 -0
- data/lib/module.rb +4 -0
- data/lib/module/auditor.rb +455 -0
- data/lib/module/base.rb +188 -0
- data/lib/module/element_db.rb +158 -0
- data/lib/module/key_filler.rb +87 -0
- data/lib/module/manager.rb +87 -0
- data/lib/module/output.rb +68 -0
- data/lib/module/trainer.rb +240 -0
- data/lib/module/utilities.rb +110 -0
- data/lib/options.rb +547 -0
- data/lib/parser.rb +2 -0
- data/lib/parser/auditable.rb +522 -0
- data/lib/parser/elements.rb +296 -0
- data/lib/parser/page.rb +149 -0
- data/lib/parser/parser.rb +717 -0
- data/lib/plugin.rb +4 -0
- data/lib/plugin/base.rb +110 -0
- data/lib/plugin/manager.rb +162 -0
- data/lib/report.rb +4 -0
- data/lib/report/base.rb +119 -0
- data/lib/report/manager.rb +92 -0
- data/lib/rpc/xml/client/base.rb +71 -0
- data/lib/rpc/xml/client/dispatcher.rb +49 -0
- data/lib/rpc/xml/client/instance.rb +88 -0
- data/lib/rpc/xml/server/base.rb +90 -0
- data/lib/rpc/xml/server/dispatcher.rb +357 -0
- data/lib/rpc/xml/server/framework.rb +206 -0
- data/lib/rpc/xml/server/instance.rb +191 -0
- data/lib/rpc/xml/server/module/manager.rb +46 -0
- data/lib/rpc/xml/server/options.rb +124 -0
- data/lib/rpc/xml/server/output.rb +299 -0
- data/lib/rpc/xml/server/plugin/manager.rb +58 -0
- data/lib/ruby.rb +5 -0
- data/lib/ruby/object.rb +32 -0
- data/lib/ruby/string.rb +74 -0
- data/lib/ruby/xmlrpc/server.rb +27 -0
- data/lib/spider.rb +200 -0
- data/lib/typhoeus/request.rb +91 -0
- data/lib/typhoeus/response.rb +34 -0
- data/lib/ui/cli/cli.rb +744 -0
- data/lib/ui/cli/output.rb +279 -0
- data/lib/ui/web/log.rb +82 -0
- data/lib/ui/web/output_stream.rb +94 -0
- data/lib/ui/web/report_manager.rb +222 -0
- data/lib/ui/web/server.rb +903 -0
- data/lib/ui/web/server/db/placeholder +0 -0
- data/lib/ui/web/server/public/banner.png +0 -0
- data/lib/ui/web/server/public/bodybg-small.png +0 -0
- data/lib/ui/web/server/public/bodybg.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +573 -0
- data/lib/ui/web/server/public/favicon.ico +0 -0
- data/lib/ui/web/server/public/footer.jpg +0 -0
- data/lib/ui/web/server/public/icons/error.png +0 -0
- data/lib/ui/web/server/public/icons/info.png +0 -0
- data/lib/ui/web/server/public/icons/ok.png +0 -0
- data/lib/ui/web/server/public/icons/status.png +0 -0
- data/lib/ui/web/server/public/js/jquery-1.4.4.min.js +167 -0
- data/lib/ui/web/server/public/js/jquery-ui-1.8.9.custom.min.js +781 -0
- data/lib/ui/web/server/public/logo.png +0 -0
- data/lib/ui/web/server/public/nav-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-right.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-right.jpg +0 -0
- data/lib/ui/web/server/public/reports/placeholder +1 -0
- data/lib/ui/web/server/public/sidebar-bottom.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-h4.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-top.jpg +0 -0
- data/lib/ui/web/server/public/spider.png +0 -0
- data/lib/ui/web/server/public/style.css +604 -0
- data/lib/ui/web/server/tmp/placeholder +0 -0
- data/lib/ui/web/server/views/dispatcher.erb +85 -0
- data/lib/ui/web/server/views/dispatcher_error.erb +14 -0
- data/lib/ui/web/server/views/error.erb +1 -0
- data/lib/ui/web/server/views/flash.erb +18 -0
- data/lib/ui/web/server/views/home.erb +14 -0
- data/lib/ui/web/server/views/instance.erb +213 -0
- data/lib/ui/web/server/views/layout.erb +95 -0
- data/lib/ui/web/server/views/log.erb +40 -0
- data/lib/ui/web/server/views/modules.erb +71 -0
- data/lib/ui/web/server/views/options.erb +23 -0
- data/lib/ui/web/server/views/output_results.erb +51 -0
- data/lib/ui/web/server/views/plugins.erb +42 -0
- data/lib/ui/web/server/views/report_formats.erb +30 -0
- data/lib/ui/web/server/views/reports.erb +55 -0
- data/lib/ui/web/server/views/settings.erb +120 -0
- data/lib/ui/web/server/views/welcome.erb +38 -0
- data/lib/ui/xmlrpc/dispatcher_monitor.rb +204 -0
- data/lib/ui/xmlrpc/xmlrpc.rb +843 -0
- data/logs/placeholder +0 -0
- data/metamodules/autothrottle.rb +74 -0
- data/metamodules/timeout_notice.rb +118 -0
- data/metamodules/uniformity.rb +98 -0
- data/modules/audit/code_injection.rb +136 -0
- data/modules/audit/code_injection_timing.rb +115 -0
- data/modules/audit/code_injection_timing/payloads.txt +4 -0
- data/modules/audit/csrf.rb +301 -0
- data/modules/audit/ldapi.rb +103 -0
- data/modules/audit/ldapi/errors.txt +26 -0
- data/modules/audit/os_cmd_injection.rb +103 -0
- data/modules/audit/os_cmd_injection/payloads.txt +2 -0
- data/modules/audit/os_cmd_injection_timing.rb +104 -0
- data/modules/audit/os_cmd_injection_timing/payloads.txt +3 -0
- data/modules/audit/path_traversal.rb +141 -0
- data/modules/audit/response_splitting.rb +105 -0
- data/modules/audit/rfi.rb +193 -0
- data/modules/audit/sqli.rb +120 -0
- data/modules/audit/sqli/regexp_ids.txt +90 -0
- data/modules/audit/sqli_blind_rdiff.rb +321 -0
- data/modules/audit/sqli_blind_timing.rb +103 -0
- data/modules/audit/sqli_blind_timing/payloads.txt +51 -0
- data/modules/audit/trainer.rb +89 -0
- data/modules/audit/unvalidated_redirect.rb +90 -0
- data/modules/audit/xpath.rb +104 -0
- data/modules/audit/xpath/errors.txt +26 -0
- data/modules/audit/xss.rb +99 -0
- data/modules/audit/xss_event.rb +134 -0
- data/modules/audit/xss_path.rb +125 -0
- data/modules/audit/xss_script_tag.rb +112 -0
- data/modules/audit/xss_tag.rb +112 -0
- data/modules/audit/xss_uri.rb +125 -0
- data/modules/recon/allowed_methods.rb +104 -0
- data/modules/recon/backdoors.rb +131 -0
- data/modules/recon/backdoors/filenames.txt +16 -0
- data/modules/recon/backup_files.rb +177 -0
- data/modules/recon/backup_files/extensions.txt +28 -0
- data/modules/recon/common_directories.rb +138 -0
- data/modules/recon/common_directories/directories.txt +265 -0
- data/modules/recon/common_files.rb +138 -0
- data/modules/recon/common_files/filenames.txt +17 -0
- data/modules/recon/directory_listing.rb +171 -0
- data/modules/recon/grep/captcha.rb +62 -0
- data/modules/recon/grep/credit_card.rb +85 -0
- data/modules/recon/grep/cvs_svn_users.rb +73 -0
- data/modules/recon/grep/emails.rb +59 -0
- data/modules/recon/grep/html_objects.rb +53 -0
- data/modules/recon/grep/private_ip.rb +54 -0
- data/modules/recon/grep/ssn.rb +53 -0
- data/modules/recon/htaccess_limit.rb +82 -0
- data/modules/recon/http_put.rb +95 -0
- data/modules/recon/interesting_responses.rb +118 -0
- data/modules/recon/unencrypted_password_forms.rb +119 -0
- data/modules/recon/webdav.rb +126 -0
- data/modules/recon/xst.rb +107 -0
- data/path_extractors/anchors.rb +35 -0
- data/path_extractors/forms.rb +35 -0
- data/path_extractors/frames.rb +38 -0
- data/path_extractors/generic.rb +39 -0
- data/path_extractors/links.rb +35 -0
- data/path_extractors/meta_refresh.rb +39 -0
- data/path_extractors/scripts.rb +37 -0
- data/path_extractors/sitemap.rb +31 -0
- data/plugins/autologin.rb +137 -0
- data/plugins/content_types.rb +90 -0
- data/plugins/cookie_collector.rb +99 -0
- data/plugins/form_dicattack.rb +185 -0
- data/plugins/healthmap.rb +94 -0
- data/plugins/http_dicattack.rb +133 -0
- data/plugins/metamodules.rb +118 -0
- data/plugins/proxy.rb +248 -0
- data/plugins/proxy/server.rb +66 -0
- data/plugins/waf_detector.rb +184 -0
- data/profiles/comprehensive.afp +74 -0
- data/profiles/full.afp +75 -0
- data/reports/afr.rb +59 -0
- data/reports/ap.rb +55 -0
- data/reports/html.rb +179 -0
- data/reports/html/default.erb +967 -0
- data/reports/metareport.rb +139 -0
- data/reports/metareport/arachni_metareport.rb +174 -0
- data/reports/plugin_formatters/html/content_types.rb +82 -0
- data/reports/plugin_formatters/html/cookie_collector.rb +66 -0
- data/reports/plugin_formatters/html/form_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/healthmap.rb +76 -0
- data/reports/plugin_formatters/html/http_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb +65 -0
- data/reports/plugin_formatters/html/metaformatters/uniformity.rb +71 -0
- data/reports/plugin_formatters/html/metamodules.rb +93 -0
- data/reports/plugin_formatters/html/waf_detector.rb +54 -0
- data/reports/plugin_formatters/stdout/content_types.rb +73 -0
- data/reports/plugin_formatters/stdout/cookie_collector.rb +61 -0
- data/reports/plugin_formatters/stdout/form_dicattack.rb +52 -0
- data/reports/plugin_formatters/stdout/healthmap.rb +72 -0
- data/reports/plugin_formatters/stdout/http_dicattack.rb +53 -0
- data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +55 -0
- data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb +68 -0
- data/reports/plugin_formatters/stdout/metamodules.rb +89 -0
- data/reports/plugin_formatters/stdout/waf_detector.rb +48 -0
- data/reports/plugin_formatters/xml/content_types.rb +91 -0
- data/reports/plugin_formatters/xml/cookie_collector.rb +70 -0
- data/reports/plugin_formatters/xml/form_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/healthmap.rb +82 -0
- data/reports/plugin_formatters/xml/http_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/metaformatters/timeout_notice.rb +67 -0
- data/reports/plugin_formatters/xml/metaformatters/uniformity.rb +82 -0
- data/reports/plugin_formatters/xml/metamodules.rb +91 -0
- data/reports/plugin_formatters/xml/waf_detector.rb +58 -0
- data/reports/stdout.rb +182 -0
- data/reports/txt.rb +77 -0
- data/reports/xml.rb +231 -0
- data/reports/xml/buffer.rb +98 -0
- metadata +516 -0
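--- a/data/reports/plugin_formatters/stdout/content_types.rb
+++ b/data/reports/plugin_formatters/stdout/content_types.rb
@@ -0,0 +1,73 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the ContentTypes plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class ContentTypes < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+print_status( 'Content-types' )
+print_info( '~~~~~~~~~~~~~~~~~~~~~~~~~~' )
+
+print_info( 'Description: ' + @description )
+print_line
+
+@results.each_pair {
+|type, responses|
+
+print_ok( type )
+
+responses.each {
+|res|
+print_status( " URL: " + res[:url] )
+print_info( " Method: " + res[:method] )
+
+if res[:params] && res[:method].downcase == 'post'
+print_info( " Parameters:" )
+res[:params].each_pair {
+|k, v|
+print_info( " #{k} => #{v}" )
+}
+end
+
+print_line
+}
+
+print_line
+}
+
+print_line
+
+end
+
+end
+
+end
+end
+
+end
+end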
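Review bot: The strings printed in `run` (the content type, `res[:url]`, and each `#{k} => #{v}` parameter pair) appear to originate from the scanned site and reach the terminal unfiltered, so control characters or ANSI escape sequences embedded in a response could change what the operator sees in the report. Unless `print_info` / `print_status` (defined outside this diff) already sanitise their argument, non-printable characters should be neutralised before printing, e.g. `print_info( " #{k} => #{v}".gsub( /[^[:print:]]/, '?' ) )`. The same applies to the cookie names and values in cookie_collector.rb and to the URL and variable fields in the timeout_notice.rb and uniformity.rb formatters of this release.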
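--- a/data/reports/plugin_formatters/stdout/cookie_collector.rb
+++ b/data/reports/plugin_formatters/stdout/cookie_collector.rb
@@ -0,0 +1,61 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the CookieCollector plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class CookieCollector < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+print_status( 'Cookie collector' )
+print_info( '~~~~~~~~~~~~~~~~~~' )
+
+print_info( 'Description: ' + @description )
+print_line
+
+@results.each_with_index {
+|result, i|
+
+print_info( "[#{(i + 1).to_s}] On #{result[:time]}" )
+print_info( "URL: " + result[:res]['effective_url'] )
+print_info( 'Cookies forced to: ' )
+result[:cookies].each_pair{
+|name, value|
+print_info( " #{name} => #{value}" )
+}
+print_line
+}
+
+print_line
+end
+
+end
+
+end
+end
+
+end
+end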
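Review bot: `print_info( " #{name} => #{value}" )` writes every collected cookie value in full, which presumably includes session identifiers, so anyone who can read the terminal scrollback or a redirected report file ends up holding usable session tokens. I would add a comment above the `result[:cookies].each_pair` loop such as `# NOTE: output contains live cookie values; treat the report as sensitive`, or truncate the value when the full token is not needed for the finding. Separately, `"URL: " + result[:res]['effective_url']` raises TypeError when that key is absent; `"URL: #{result[:res]['effective_url']}"` would degrade to an empty field instead of aborting the report.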
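--- a/data/reports/plugin_formatters/stdout/form_dicattack.rb
+++ b/data/reports/plugin_formatters/stdout/form_dicattack.rb
@@ -0,0 +1,52 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the FormDicattack plugin
+#
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class FormDicattack < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+print_status( 'Form dictionary attacker' )
+print_info( '~~~~~~~~~~~~~~~~~~~~~~~~~~' )
+
+print_info( 'Description: ' + @description )
+print_line
+print_info( "Cracked credentials:" )
+print_ok( ' Username: ' + @results[:username] ) if @results[:username]
+print_ok( ' Password: ' + @results[:password] ) if @results[:password]
+
+print_line
+end
+
+end
+
+end
+end
+
+end
+end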
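Review bot: The recovered password is written to stdout in clear text by `print_ok( ' Password: ' + @results[:password] )`, and nothing in the file tells the operator that this section of the report holds working credentials; the HTTPDicattack formatter in this release does the same. A comment on `run` would make the handling requirement explicit, e.g. `# NOTE: prints recovered credentials verbatim; protect any file or log this output is redirected to`. The `"Cracked credentials:"` heading is also printed unconditionally, so when both guarded lines are skipped the report shows an empty heading; `return print_line unless @results[:username] || @results[:password]` before it would avoid that.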
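--- a/data/reports/plugin_formatters/stdout/healthmap.rb
+++ b/data/reports/plugin_formatters/stdout/healthmap.rb
@@ -0,0 +1,72 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the HealthMap plugin
+#
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HealthMap < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+end
+
+def run
+print_status( 'URL health-map' )
+print_info( '~~~~~~~~~~~~~~~~' )
+
+print_line
+print_info( 'Legend:' )
+print_ok( 'No issues' )
+print_error( 'Has issues' )
+print_line
+
+@results[:map].each {
+|i|
+
+state = i.keys[0]
+url = i.values[0]
+
+if state == :unsafe
+print_error( url )
+else
+print_ok( url )
+end
+}
+
+print_line
+
+print_info( 'Total: ' + @results[:total].to_s )
+print_ok( 'Without issues: ' + @results[:safe].to_s )
+print_error( 'With issues: ' + @results[:unsafe].to_s +
+" ( #{@results[:issue_percentage].to_s}% )" )
+
+print_line
+
+end
+
+end
+
+end
+end
+
+end
+end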
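Review bot: The `else` branch inside the `@results[:map].each` block reports every entry whose state is not exactly `:unsafe` as "No issues", so a nil key from an empty hash, a String key such as `'unsafe'`, or any state added later is displayed as healthy. In a security report the fallback should not be the clean verdict; test the safe state explicitly with `elsif state == :safe` and let a final `else` call `print_info( url )`, assuming `:safe` is the other key the plugin emits, which this diff does not show. `state, url = i.first` would also express the one-pair-per-entry assumption more directly than `i.keys[0]` and `i.values[0]`.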
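--- a/data/reports/plugin_formatters/stdout/http_dicattack.rb
+++ b/data/reports/plugin_formatters/stdout/http_dicattack.rb
@@ -0,0 +1,53 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the HTTPDicattack plugin
+#
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HTTPDicattack < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+print_status( 'HTTP dictionary attacker' )
+print_info( '~~~~~~~~~~~~~~~~~~~~~~~~~~' )
+
+print_info( 'Description: ' + @description )
+print_line
+print_info( "Cracked credentials:" )
+print_ok( ' Username: ' + @results[:username] )
+print_ok( ' Password: ' + @results[:password] )
+
+print_line
+end
+
+end
+
+end
+end
+
+end
+end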
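Review bot: `print_ok( ' Username: ' + @results[:username] )` and the matching password line concatenate without a nil check, so a result hash missing either key raises TypeError partway through the report, whereas the FormDicattack formatter in this same release guards both lines. Make the two formatters consistent: `print_ok( ' Username: ' + @results[:username] ) if @results[:username]` and `print_ok( ' Password: ' + @results[:password] ) if @results[:password]`. Whether the plugin can actually hand over a partial result is not visible from this diff, but the guard costs nothing and keeps the rest of the report printing.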
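--- a/data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb
+++ b/data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb
@@ -0,0 +1,55 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+class MetaModules
+module MetaFormatters
+
+#
+# Stdout formatter for the results of the TimeoutNotice metamodule
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class TimeoutNotice < Arachni::Plugin::Formatter
+
+def initialize( metadata )
+@results = metadata[:results]
+@description = metadata[:description]
+end
+
+def run
+print_status( ' --- Timeout notice:' )
+print_info( 'Description: ' + @description )
+
+print_line
+print_info( 'Relevant issues:' )
+print_info( '--------------------' )
+@results.each {
+|issue|
+print_ok( "[\##{issue['index']}] #{issue['name']} at #{issue['url']} in #{issue['elem']} variable '#{issue['var']}' using #{issue['method']}." )
+}
+end
+
+end
+
+end
+end
+end
+end
+end
+end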
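Review bot: `run` reads each issue through String keys (`issue['index']`, `issue['url']`, `issue['var']`, and so on) while `initialize` reads `metadata` through Symbol keys, and nothing in the file documents that mix; a key supplied with the wrong type interpolates as an empty string and the line still prints as if it were complete. A short comment above `@results.each` would record the contract, e.g. `# each issue is a Hash with String keys: 'index', 'name', 'url', 'elem', 'var', 'method'`. `'Description: ' + @description` also raises TypeError when the description is nil, here and in the other formatters of this release that use the same line; `"Description: #{@description}"` avoids that.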
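--- a/data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb
+++ b/data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb
@@ -0,0 +1,68 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+class MetaModules
+module MetaFormatters
+
+#
+# Stdout formatter for the results of the Uniformity metamodule
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Uniformity < Arachni::Plugin::Formatter
+
+def initialize( metadata )
+@results = metadata[:results]
+@description = metadata[:description]
+end
+
+def run
+print_status( ' --- Uniformity (Lack of centralised sanitization):' )
+print_info( 'Description: ' + @description )
+
+print_line
+print_info( 'Relevant issues:' )
+print_info( '--------------------' )
+
+uniformals = @results['uniformals']
+pages = @results['pages']
+
+uniformals.each_pair {
+|id, uniformal|
+
+issue = uniformal['issue']
+print_ok( "#{issue['name']} in #{issue['elem']} variable '#{issue['var']}' using #{issue['method']} at the following pages:" )
+
+pages[id].each_with_index {
+|url, i|
+print_info( url + " (Issue \##{uniformal['indices'][i]} - Hash ID: #{uniformal['hashes'][i]} )" )
+}
+
+print_line
+}
+end
+
+end
+
+end
+end
+end
+end
+end
+end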
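Review bot: `pages[id].each_with_index` assumes every key of `uniformals` also exists in `pages`; when one does not, `pages[id]` is nil and the formatter aborts with NoMethodError in the middle of the report, dropping the remaining findings. `uniformal['indices'][i]` and `uniformal['hashes'][i]` likewise assume arrays parallel to `pages[id]` and print blank issue numbers or hash IDs when they are shorter. Iterating with `( pages[id] || [] ).each_with_index {` keeps the report going, and a one-line comment stating that the three arrays are index-aligned would document the contract the loop depends on.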
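--- a/data/reports/plugin_formatters/stdout/metamodules.rb
+++ b/data/reports/plugin_formatters/stdout/metamodules.rb
@@ -0,0 +1,89 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class Stdout
+module PluginFormatters
+
+#
+# Stdout formatter for the results of the MetaModules plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class MetaModules
+
+include Arachni::UI::Output
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+print_status( 'Meta-Modules' )
+print_info( '~~~~~~~~~~~~~~' )
+
+print_info( 'Description: ' + @description )
+print_line
+
+format_meta_results( @results )
+
+print_line
+end
+
+#
+# Runs plugin formatters for the running report and returns a hash
+# with the prepared/formatted results.
+#
+# @param [AuditStore#plugins] plugins plugin data/results
+#
+def format_meta_results( plugins )
+
+ancestor = self.class.ancestors[0]
+
+# add the PluginFormatters module to the report
+eval( "module MetaFormatters end" )
+
+# prepare the directory of the formatters for the running report
+lib = File.dirname( __FILE__ ) + '/metaformatters/'
+
+@@formatters ||= {}
+# initialize a new component manager to handle the plugin formatters
+@@formatters[ancestor] ||= ::Arachni::Report::FormatterManager.new( lib, ancestor.const_get( 'MetaFormatters' ) )
+
+# load all the formatters
+@@formatters[ancestor].load( ['*'] ) if @@formatters[ancestor].empty?
+
+# run the formatters and gather the formatted data they return
+formatted = {}
+@@formatters[ancestor].each_pair {
+|name, formatter|
+plugin_results = plugins[name]
+next if !plugin_results || plugin_results[:results].empty?
+
+formatted[name] = formatter.new( plugin_results.deep_clone ).run
+}
+
+return formatted
+end
+
+
+end
+
+end
+end
+
+end
+end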
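Review bot: `eval( "module MetaFormatters end" )` in `format_meta_results` uses string eval only to make sure a constant exists; the string is a literal, so nothing untrusted reaches it, but string `eval` is what code audits flag and the intent reads more clearly as `ancestor.const_set( :MetaFormatters, Module.new ) unless ancestor.const_defined?( :MetaFormatters )`, which should be equivalent here since `ancestor` is normally the class itself. The comment above the line says "PluginFormatters" although the module being created is `MetaFormatters`. `@@formatters[ancestor].load( ['*'] )` then pulls in every file under `metaformatters/`; assuming `FormatterManager#load` requires them (it is defined outside this diff), anything written into that directory runs with the scanner's privileges, which deserves a comment next to `lib = ...`. `plugin_results[:results].empty?` also raises NoMethodError when `:results` is nil, so `plugin_results[:results].nil?` should be checked first.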