arachni 0.2.2.1

data/reports/metareport.rb

@@ -0,0 +1,139 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+require Options.instance.dir['reports'] + 'metareport/arachni_metareport.rb'
+
+module Reports
+
+#
+# Metareport
+#
+# Creates a file to be used with the Arachni MSF plug-in.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Metareport < Arachni::Report::Base
+
+    #
+    # @param [AuditStore]  audit_store
+    # @param [Hash]        options    options passed to the report
+    #
+    def initialize( audit_store, options )
+        @audit_store = audit_store
+        @options     = options
+    end
+
+    def run( )
+
+        print_line( )
+        print_status( 'Creating file for the Metasploit framework...' )
+
+        msf = []
+
+        @audit_store.issues.each {
+            |issue|
+            next if !issue.metasploitable
+
+            issue.variations.each {
+                |variation|
+
+                if( ( method = issue.method.dup ) != 'post' )
+                    url = variation['url'].gsub( /\?.*/, '' )
+                else
+                    url = variation['url']
+                end
+
+                if( issue.elem == 'cookie' || issue.elem == 'header' )
+                    method = issue.elem
+                end
+
+                # pp issue
+                # pp variation['opts']
+
+                params = variation['opts'][:combo]
+                params[issue.var] = params[issue.var].gsub( variation['opts'][:injected_orig], 'XXinjectionXX' )
+
+                if method == 'cookie'
+                    params[issue.var] = URI.encode( params[issue.var], ';' )
+                    cookies = sub_cookie( variation['headers']['request']['cookie'], params )
+                    variation['headers']['request']['cookie'] = cookies.dup
+                end
+
+                # ap sub_cookie( variation['headers']['request']['cookie'], params )
+
+                msf << ArachniMetareport.new( {
+                    :host   => URI( url ).host,
+                    :port   => URI( url ).port,
+                    :vhost  => '',
+                    :ssl    => URI( url ).scheme == 'https',
+                    :path   => URI( url ).path,
+                    :query  => URI( url ).query,
+                    :method => method.upcase,
+                    :params => params,
+                    :headers=> variation['headers']['request'].dup,
+                    :pname  => issue.var,
+                    :proof  => variation['regexp_match'],
+                    :risk   => '',
+                    :name   => issue.name,
+                    :description    =>  issue.description,
+                    :category   =>  'n/a',
+                    :exploit    => issue.metasploitable
+                } )
+            }
+
+        }
+
+        # pp msf
+
+        outfile = File.new( @options['outfile'], 'w')
+        YAML.dump( msf, outfile )
+
+        print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
+    end
+
+    def sub_cookie( str, params )
+        hash = {}
+        str.split( ';' ).each {
+            |cookie|
+            k,v = cookie.split( '=', 2 )
+            hash[k] = v
+        }
+
+        return hash.merge( params ).map{ |k,v| "#{k}=#{v}" }.join( ';' )
+    end
+
+    #
+    # REQUIRED
+    #
+    # Do not ommit any of the info.
+    #
+    def self.info
+        {
+            :name           => 'Metareport',
+            :description    => %q{Creates a file to be used with the Arachni MSF plug-in.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptString.new( 'outfile', [ false, 'Where to save the report.',
+                    Time.now.to_s + '.msf' ] ),
+            ]
+
+        }
+    end
+
+end
+
+end
+end

data/reports/metareport/arachni_metareport.rb

@@ -0,0 +1,174 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+#
+# ArachniMetareport
+#
+# This class is used by Arachni to save a report detailing all exploitable
+# vulnerabilities.
+#
+# A serialized array holding instances of this class will be loaded by
+# the Metasploit Framework.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class ArachniMetareport
+
+    #
+    # The IP address of the datastore_bak
+    #
+    # @return [String]
+    #
+    attr_accessor :host
+    
+    #
+    # The port number of the associated web site
+    #
+    # @return   [Integer]
+    #
+    attr_accessor :port
+    
+    #
+    # The virtual host for this particular web site
+    #
+    # @return   [Integer]
+    #
+    attr_accessor :vhost
+    
+    #
+    # Whether or not SSL is in use on this port
+    #
+    # @return   [Bool]
+    #
+    attr_accessor :ssl
+    
+    #
+    # Path of the vulnerable script
+    #
+    # @return   [String]
+    #
+    attr_accessor :path
+    
+    #
+    # Query part of the vulnerable URI
+    #
+    # @return   [Bool]
+    #
+    attr_accessor :query
+    
+    #
+    # HTTP method used for the vulnerability
+    #
+    # The MSF currently supports GET/POST/PATH only, although Arachni will also
+    # provide COOKIE and HEADER if that's the case.
+    #
+    # @return   [String]
+    #
+    attr_accessor :method
+    
+    #
+    # Parameters used for the vulnerability
+    #
+    # @return   [Hash]
+    #
+    attr_accessor :params
+    
+    #
+    # Headers used for the vulnerability
+    #
+    # Contains cookies.
+    #
+    # @return   [Hash]
+    #
+    attr_accessor :headers
+    
+    #
+    # The name of the vulnerable field
+    #
+    # @return   [String]
+    #
+    attr_accessor :pname
+    
+    #
+    # A string showing proof of the vulnerability
+    #
+    # @return   [String]
+    #
+    attr_accessor :proof
+    
+    #
+    # An integer value from 0 to 5 indicating the risk (5 is highest)
+    #
+    # @return   [Integer]
+    #
+    attr_accessor :risk
+    
+    #
+    # A string indicating the type of vulnerability
+    #
+    # @return   [String]
+    #
+    attr_accessor :name
+    
+    #
+    # Description of the vulnerability
+    #
+    # @return   [String]
+    #
+    attr_accessor :description
+    
+    #
+    # No idea what this is...
+    #
+    # @return   [String]
+    #
+    attr_accessor :category
+    
+    #
+    # An arachni_* exploit of the MSF framework that is able to exploit this
+    # type of vulnerability.
+    #
+    # Ex: unix/webapp/arachni_php_eval
+    #
+    # @return   [String]
+    #
+    attr_accessor :exploit
+    
+    #
+    # From Metasploit's report_web_vuln() in: lib/msf/core/db.rb
+    #
+    # opts MUST contain
+    #  :host     -- the ip address of the server hosting the web site
+    #  :port     -- the port number of the associated web site
+    #  :vhost    -- the virtual host for this particular web site
+    #  :ssl      -- whether or not SSL is in use on this port
+    #  :path      -- the virtual host name for this particular web site
+    #  :query     -- the query string appended to the path (not valid for GET method flaws)
+    #  :method    -- the form method, one of GET, POST, or PATH
+    #  :params    -- an ARRAY of all parameters and values specified in the form
+    #  :pname     -- the specific field where the vulnerability occurs
+    #  :proof     -- the string showing proof of the vulnerability
+    #  :risk      -- an INTEGER value from 0 to 5 indicating the risk (5 is highest)
+    #  :name      -- the string indicating the type of vulnerability
+    #
+    def initialize( opts = {} )
+        opts.each {
+            |k, v|
+            begin
+                send( "#{k.to_s.downcase}=", v )
+            rescue Exception => e
+            end
+        }
+    end
+    
+end

data/reports/plugin_formatters/html/content_types.rb

@@ -0,0 +1,82 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+    module PluginFormatters
+
+        #
+        # HTML formatter for the results of the ContentTypes plugin
+        #
+        # @author: Tasos "Zapotek" Laskos
+        #                                      <tasos.laskos@gmail.com>
+        #                                      <zapotek@segfault.gr>
+        # @version: 0.1
+        #
+        class ContentTypes < Arachni::Plugin::Formatter
+
+            def initialize( plugin_data )
+                @results     = plugin_data[:results]
+                @description = plugin_data[:description]
+            end
+
+            def run
+                return ERB.new( tpl ).result( binding )
+            end
+
+            def tpl
+                %q{
+                    <h3>Content types</h3>
+                    <blockquote><%=@description%></blockquote>
+
+                    <h4>Results</h4>
+                    <% @results.each_pair do |type, responses| %>
+                        <ul>
+
+                            <li>
+                                <%=type%>
+                                <ul>
+                                    <% responses.each do |res| %>
+                                    <li>
+                                        URL: <a href="<%=CGI.escapeHTML(res[:url])%>"><%=CGI.escapeHTML(res[:url])%></a><br/>
+                                        Method: <%=res[:method]%>
+
+                                        <% if res[:params] && res[:method].downcase == 'post' %>
+                                            <ul>
+                                                <li>Parameters:</li>
+                                                <%res[:params].each_pair do |name, val|%>
+                                                <li>
+                                                    <%=name%> = <%=val%>
+                                                </li>
+                                                <%end%>
+                                            <ul>
+                                        <%end%>
+                                    </li>
+                                    <%end%>
+                                </ul>
+                            </li>
+
+                        </ul>
+
+                    <%end%>
+                }
+
+            end
+
+        end
+
+    end
+end
+
+end
+end

data/reports/plugin_formatters/html/cookie_collector.rb

@@ -0,0 +1,66 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+    module PluginFormatters
+
+        #
+        # HTML formatter for the results of the CookieCollector plugin
+        #
+        # @author: Tasos "Zapotek" Laskos
+        #                                      <tasos.laskos@gmail.com>
+        #                                      <zapotek@segfault.gr>
+        # @version: 0.1
+        #
+        class CookieCollector < Arachni::Plugin::Formatter
+
+            def initialize( plugin_data )
+                @results     = plugin_data[:results]
+                @description = plugin_data[:description]
+            end
+
+            def run
+                return ERB.new( tpl ).result( binding )
+            end
+
+            def tpl
+                %q{
+                    <h3>Cookie Collector</h3>
+                    <blockquote><%=@description%></blockquote>
+
+                    <h4>Cookies</h4>
+                    <ul>
+                    <% @results.each do |entry| %>
+                        <li>
+                            On <%=entry[:time].to_s%> @ <a href="<%=CGI.escapeHTML(entry[:res]['effective_url'])%>"><%=CGI.escapeHTML(entry[:res]['effective_url'])%></a>
+                            <br/>
+                            Cookies were forced to:
+                            <ul>
+                                <% entry[:cookies].each_pair do |name, val| %>
+                                    <li><%=CGI.escapeHTML(name)%> = <%=CGI.escapeHTML(val)%></li>
+                                <%end%>
+                            </ul>
+                        </li>
+                    <%end%>
+                    </ul>
+                }
+            end
+
+        end
+
+    end
+end
+
+end
+end