arachni 0.2.2.1 → 0.2.2.2

data/lib/ui/web/server/views/layout.erb

@@ -12,7 +12,7 @@
 
     <script type="text/javascript">
         function checkAll( type ) {
-            $( "." + type ).attr( "checked", true )
+            $( "." + type + ':not(:disabled)' ).attr( "checked", true )
         }
 
         function uncheckAll( type ) {

data/lib/ui/web/server/views/options.erb

@@ -10,9 +10,17 @@
                 <% if opt['type'] == 'path' %>
                 disabled="disabled" type="file" value="<%=opt['default']%>"
                 <% elsif opt['type'] == 'bool' %>
-                type="checkbox" <% if opt['default']%> checked="checked" <%end%>
+                type="checkbox"
+                    <% if session_options[component['plug_name']] && !(val = session_options[component['plug_name']][opt['name']]).nil? %>
+
+                    <%=val ? 'checked="checked"' : '' %>
+
+                    <% elsif opt['default'] %>
+                    checked="checked"
+                    <%end%>
+
                 <% else %>
-                 value="<%=opt['default']%>"
+                 value="<%=( session_options[component['plug_name']] && (val = session_options[component['plug_name']][opt['name']]) ) ? val : opt['default']%>"
                 <%end%>
 
                 />

data/lib/ui/web/server/views/plugins.erb

@@ -30,7 +30,7 @@
                 <h5>Description</h5>
                 <pre class="notice"> <%=prep_description( escape( plugin['description'] ) )%></pre>
 
-                <%= erb :options, { :layout => false }, :component => plugin%>
+                <%= erb :options, { :layout => false }, :component => plugin, :session_options => session_options%>
 
                 <p>
                     <strong>Version:</strong> <%=plugin['version']%><br/>

data/lib/ui/web/server/views/reports.erb

@@ -22,7 +22,9 @@
         <% if !reports.empty? %>
         <table>
             <tr>
+                <th>ID</th>
                 <th>Host</th>
+                <th>Issue count</th>
                 <th>Audit date</th>
                 <th>Report formats</th>
             </tr>
@@ -30,19 +32,21 @@
             <tr>
 
 
-                <td><%=report['host']%></td>
-                <td><%=report['date']%></td>
+                <td><%=report.id%></td>
+                <td><%=report.host%></td>
+                <td><%=report.issue_count%></td>
+                <td><%=report.datestamp%></td>
 
                 <td>
                     <ul class="reports">
                     <% available.each do |avail| %>
-                    <li><a href="/report/<%=CGI.escape(report['name'])%>.<%=avail['rep_name']%>"><%=escape(avail['name'])%></a></li>
+                    <li><a href="/report/<%=report.id%>.<%=avail['rep_name']%>"><%=escape(avail['name'])%></a></li>
                     <%end%>
                     </ul>
                 </td>
 
                 <td>
-                    <form action="/report/<%=CGI.escape(report['name'])%>/delete" method="post">
+                    <form action="/report/<%=report.id%>/delete" method="post">
                         <%= csrf_tag %>
                         <input type="submit" value="Delete" />
                     </form>

data/lib/ui/xmlrpc/xmlrpc.rb

@@ -642,7 +642,7 @@ class XMLRPC
                                       <zapotek@segfault.gr>
                (With the support of the community and the Arachni Team.)
 
-       Website:       http://github.com/Zapotek/arachni
+       Website:       http://arachni.segfault.gr - http://github.com/Zapotek/arachni
        Documentation: http://github.com/Zapotek/arachni/wiki'
         print_line
         print_line

data/metamodules/autothrottle.rb

@@ -17,7 +17,7 @@ module MetaModules
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class AutoThrottle < Base
 
@@ -40,7 +40,7 @@ class AutoThrottle < Base
     def prepare
 
         # run for each response as it arrives
-        @http.on_complete {
+        @http.add_on_complete {
 
             # adjust only after finished bursts
             next if @http.curr_res_cnt == 0 || @http.curr_res_cnt % @http.max_concurrency != 0

data/metamodules/timeout_notice.rb

@@ -41,7 +41,7 @@ class TimeoutNotice < Base
 
     def prepare
         # run for each response as it arrives
-        @http.on_complete {
+        @http.add_on_complete {
             |res|
 
             # we don't care about non OK responses

data/modules/audit/sqli_blind_rdiff.rb

@@ -250,7 +250,7 @@ class BlindrDiffSQLInjection < Arachni::Module::Base
                 Issue::Element::LINK
             ],
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version         => '0.2.2',
+            :version         => '0.3',
             :references      => {
                 'OWASP'      => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
                 'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'

data/modules/recon/common_files/filenames.txt

@@ -15,3 +15,5 @@ install.php
 wp-admin/install.php
 wp-admin/setup-config.php
 config.php
+php.ini
+error_log

data/modules/recon/directory_listing.rb

@@ -46,6 +46,7 @@ class DirectoryListing < Arachni::Module::Base
 
     def run( )
 
+        return if @page.code != 200
         path = get_path( @page.url )
 
         return if !URI( path ).path || URI( path ).path.gsub( '/', '' ).empty?

data/modules/recon/interesting_responses.rb

@@ -20,7 +20,7 @@ module Modules
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 #
 class InterestingResponses < Arachni::Module::Base
@@ -45,7 +45,7 @@ class InterestingResponses < Arachni::Module::Base
         print_status( "Listening..." )
 
         # tell the HTTP interface to cal this block every-time a request completes
-        @http.on_complete {
+        @http.add_on_complete {
             |res|
             __log_results( res ) if !IGNORE_CODES.include?( res.code ) && !res.body.empty?
         }
@@ -62,7 +62,7 @@ class InterestingResponses < Arachni::Module::Base
             :description    => %q{Logs all non 200 (OK) server responses.},
             :elements       => [ ],
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.1',
+            :version        => '0.1.1',
             :targets        => { 'Generic' => 'all' },
             :issue   => {
                 :name        => %q{Interesting server response.},

data/path_extractors/generic.rb

@@ -32,7 +32,11 @@ class Generic < Paths
     # @return   [Array<String>]  paths
     #
     def run( doc )
-        URI.extract( doc.to_s )
+        begin
+            URI.extract( doc.to_s )
+        rescue
+            return []
+        end
     end
 
 end

data/plugins/autologin.rb

@@ -27,6 +27,10 @@ class AutoLogin < Arachni::Plugin::Base
 
     attr_accessor :http
 
+    MSG_SUCCESS     = 'Form submitted successfully.'
+    MSG_FAILURE     = 'Could not find a form suiting the provided params at: '
+    MSG_NO_RESPONSE = 'Form submitted but no response was returned.'
+
     #
     # @param    [Arachni::Framework]    framework
     # @param    [Hash]        options    options passed to the plugin
@@ -64,8 +68,8 @@ class AutoLogin < Arachni::Plugin::Base
         }
 
         if !login_form
-            print_error( 'Could not find a form suiting the provided params at: ' +
-            @options['url'] )
+            register_results( { :code => 0, :msg => MSG_FAILURE + @options['url'] } )
+            print_error( MSG_FAILURE + @options['url'] )
             return
         end
 
@@ -80,10 +84,17 @@ class AutoLogin < Arachni::Plugin::Base
         res = login_form.submit( :async => false ).response
 
         if !res
-            print_error( 'Form submitted but no response was returned.' )
+            register_results( { :code => -1, :msg => MSG_NO_RESPONSE } )
+            print_error( MSG_NO_RESPONSE )
             return
         else
-            print_ok( 'Form submitted successfully.' )
+            register_results( { :code => 1, :msg => MSG_SUCCESS, :cookies => @http.current_cookies.dup } )
+            print_ok( MSG_SUCCESS )
+            print_info( 'Cookies set to:' )
+            @http.current_cookies.each_pair {
+                |name, val|
+                print_info( '    * ' + name + ' = ' + val )
+            }
         end
 
     end

data/plugins/content_types.rb

@@ -17,7 +17,7 @@ module Plugins
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class ContentTypes < Arachni::Plugin::Base
 
@@ -38,7 +38,7 @@ class ContentTypes < Arachni::Plugin::Base
     end
 
     def run( )
-        @framework.http.on_complete {
+        @framework.http.add_on_complete {
             |res|
 
             next if @logged.include?( res.request.method.to_s.upcase + res.effective_url )

data/plugins/cookie_collector.rb

@@ -12,11 +12,12 @@ module Arachni
 module Plugins
 
 #
+# Simple cookie collector
 #
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.2
 #
 class CookieCollector < Arachni::Plugin::Base
 
@@ -33,18 +34,21 @@ class CookieCollector < Arachni::Plugin::Base
     end
 
     def run( )
-        @framework.http.on_complete {
-            |res|
-            update( extract_cookies( res ), res )
+        @framework.http.add_on_new_cookies {
+            |cookies, res|
+            update( cookies, res )
         }
     end
 
     def update( cookies, res )
         return if cookies.empty? || !update?( cookies )
 
+        res_hash = res.to_hash
+        res_hash.delete( 'body' )
+
         @cookies << {
             :time       => Time.now,
-            :res        => res.to_hash,
+            :res        => res_hash,
             :cookies    => cookies
         }
     end
@@ -60,17 +64,6 @@ class CookieCollector < Arachni::Plugin::Base
         return false
     end
 
-    def extract_cookies( res )
-        cookies = {}
-
-        Arachni::Parser.new( @framework.opts, res ).run.cookies.each {
-            |cookie|
-            cookies.merge!( cookie.simple )
-        }
-
-        return cookies
-    end
-
     def clean_up
         while( @framework.running? )
             ::IO.select( nil, nil, nil, 1 )

data/plugins/profiler.rb

@@ -0,0 +1,237 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# Profiler plugin.
+#
+# Examines the behavior of the web application gathering general statistics
+# and performs taint analysis to determine which inputs affect the output.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Profiler < Arachni::Plugin::Base
+
+    #
+    # Assumes the identity of an Auditor.
+    #
+    # It will audit all inputs and log when inserted values appear in a page's body.<br/>
+    # It's does not perform any vulnerability assesment nor does it send attack payloads,
+    # just simple benign strings.
+    #
+    # Since an Auditor has formal specifications a plug-in can't directly become one
+    # due to it's abstract nature.
+    #
+    # Thus, we use this helper class to perform auditing duties.
+    #
+    # @author: Tasos "Zapotek" Laskos
+    #                                      <tasos.laskos@gmail.com>
+    #                                      <zapotek@segfault.gr>
+    # @version: 0.1
+    #
+    class Auditor < Arachni::Module::Base
+
+        attr_reader :http
+        attr_reader :page
+
+        def initialize( page )
+            super( page )
+
+            @id = Digest::SHA2.hexdigest( rand( 1000 ).to_s )
+            @opts = {
+                :format    => [ Format::STRAIGHT ],
+                :elements  => [
+                    Issue::Element::FORM,
+                    Issue::Element::LINK,
+                    Issue::Element::COOKIE,
+                    Issue::Element::HEADER
+                ],
+                :remove_id => true
+            }
+
+            @@logged ||= Set.new
+        end
+
+        def run( &logger )
+            audit( @id, @opts ) {
+                |res, opts, elem|
+
+                landed_elems = []
+                if res.body.substring?( @id )
+                    landed_elems |= find_landing_elements( res )
+                end
+
+                if res.headers.to_s.substring?( @id )
+                    landed_elems |= find_landing_header_fields( res )
+                end
+
+                if !landed_elems.empty?
+
+                    @@logged << "#{elem.action}::#{elem.altered}::#{elem.type}"
+
+                    logger.call( @id, res, elem, landed_elems )
+                end
+
+            }
+        end
+
+        def find_landing_header_fields( res )
+            elems = []
+
+            parser = Arachni::Parser.new( Arachni::Options.instance, res )
+            parser.cookies.each {
+                |cookie|
+                elems << cookie if cookie.auditable.to_s.substring?( @id )
+            }
+
+            res.headers_hash.each_pair {
+                |k, v|
+                elems << Arachni::Parser::Element::Header.new( res.effective_url, { k => v } ) if v.substring?( @id )
+            }
+
+            return elems
+        end
+
+        def find_landing_elements( res )
+            elems = []
+
+            elems << Struct::Body.new( 'body', nil, { 'attrs' => {} } )
+
+            parser = Arachni::Parser.new( Arachni::Options.instance, res )
+            parser.forms.each {
+                |form|
+                elems << form if form.auditable.to_s.substring?( @id )
+            }
+
+            parser.links.each {
+                |link|
+                elems << link if link.auditable.to_s.substring?( @id )
+            }
+
+            return elems
+        end
+
+        def skip?( elem )
+            @@logged.include?( "#{elem.action}::#{elem.altered}::#{elem.type}" )
+        end
+
+        def self.info
+            { :name => 'Profiler' }
+        end
+
+    end
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @http      = framework.http
+        @options   = options
+    end
+
+    def prepare
+
+        Struct.new( 'Body', :type, :method, :raw, :auditable )
+
+        @inputs = []
+        @times  = []
+    end
+
+    def run
+
+        @http.add_on_complete {
+            |res|
+            @times << {
+                'url'    => res.effective_url,
+                'method' => res.request.method.to_s.upcase,
+                'params' => res.request.params,
+                'time'   => res.start_transfer_time
+            }
+        }
+
+        @framework.add_on_run_mods {
+            |page|
+
+            Auditor.new( page ).run {
+                |taint, res, elem, found_in|
+                log( taint, res, elem, found_in )
+            }
+
+        }
+    end
+
+    def clean_up
+        ::IO.select( nil, nil, nil, 1 ) while( @framework.running? )
+
+        register_results( { 'inputs' => @inputs, 'times' => @times } )
+    end
+
+    def log( taint, res, elem, landed_elems )
+
+        res_hash = res.to_hash
+        res_hash['headers'] = res_hash['headers_hash']
+
+         result = {
+            'taint'       => taint,
+            'element'     =>  {
+                'type'      => elem.type,
+                'auditable' => elem.auditable,
+                'name'      => elem.raw['attrs'] ? elem.raw['attrs']['name'] : nil,
+                'altered'   => elem.altered,
+                'owner'     => elem.url,
+                'action'    => elem.action,
+                'method'    => elem.method ? elem.method.upcase : nil,
+            },
+            'response'      => res_hash,
+            'request' => {
+                'url'      => res.request.url,
+                'method'   => res.request.method.to_s.upcase,
+                'params'   => res.request.params,
+                'headers'  => res.request.headers,
+            }
+        }
+
+        result['landed'] = landed_elems.map {
+            |elem|
+            {
+                'type'   => elem.type,
+                'method' => elem.method ? elem.method.upcase : nil,
+                'name'   => elem.raw['attrs'] ? elem.raw['attrs']['name'] : nil,
+                'auditable' => elem.auditable
+            }
+        }
+
+        @inputs << result
+    end
+
+    def self.info
+        {
+            :name           => 'Profiler',
+            :description    => %q{Examines the behavior of the web application gathering general statistics
+                and performs taint analysis to determine which inputs affect the output.
+
+                It's does not perform any vulnerability assesment nor does it send attack payloads.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1'
+        }
+    end
+
+end
+
+end
+end