arachni 0.2.4 → 0.3

data/modules/audit/os_cmd_injection_timing/payloads.txt

@@ -1,3 +1,3 @@
 ping -n __TIME__ localhost
 ping -c __TIME__ localhost
-/usr/sbin/ping -s localhost 1000 10
+/usr/sbin/ping -s localhost 1000 __TIME__

data/modules/audit/sqli_blind_rdiff.rb

@@ -35,209 +35,32 @@ class BlindrDiffSQLInjection < Arachni::Module::Base
         super( page )
     end
 
-    def prepare( )
+    def prepare
+        @@__bools ||= []
 
-        # possible quote characters used in SQL statements
-        @__quotes = [
-            '\'',
-            '"',
-            ''
-        ]
+        if @@__bools.empty?
+            read_file( 'payloads.txt' ) {
+                |str|
 
-        # this will cause a silent error if there's a blind SQL injection
-        @__bad_chars =[
-           '\'"`',
-           # we need 2 requests thus we change the second one a little bit to
-           # fool the Auditor's redundancy filter
-           '\'"``'
-         ]
-
-        # %q% will be replaced by a character in @__quotes
-        @__injection = '%q% and %q%1'
-
-        @__opts = {
-            :format      => [ Format::APPEND ],
-            # we need to do our own redundancy checks
-            :redundant   => true
-        }
-
-        # used for redundancy checks
-        @@__audited ||= Set.new
-
-        # this is the structure of the responses
-        @responses = {
-            :orig => '',
-
-            :good => {
-
-            },
-            :bad  => {
-            }
-        }
-
-    end
-
-    def run( )
-
-        return if( __audited? )
-
-        if( !@page.query_vars || @page.query_vars.empty? )
-            print_status( 'Nothing to audit on current page, skipping...' )
-            return
-        end
-
-        # get the link object that fits the URL of the page
-        # this will be the one to audit
-        @page.links.each {
-            |link|
-            @__candidate = link if link.action == @page.url
-        }
-
-        return if !@__candidate
-
-        # let's get a fresh rendering of the page to assist us with
-        # irrelevant dynamic content elimination (banners, ads, etc...)
-        @http.get( @page.url, :params => @page.query_vars ).on_complete {
-            |res|
-
-            # eliminate dynamic content that's context-irrelevant
-            # ie. changing with every refresh
-            @responses[:orig] = @page.html.rdiff( res.body )
-        }
-
-        # force the webapp to return an error page
-        prep_bad_responses( )
-
-        # start injecting 'good' SQL queries
-        prep_good_responses( )
-
-        @http.after_run {
-            # analyze the HTML code of the responses in order to determine
-            # which injections were succesfull
-            analyze( )
-        }
-    end
-
-    # Audits page with 'bad' SQL characters and gathers error pages
-    def prep_bad_responses( )
-
-        @__bad_chars.each {
-            |str|
-
-            # get injection variations that will hopefully cause an internal/silent
-            # SQL error
-            variations = @__candidate.injection_sets( str, @__opts )
-
-            @responses[:bad_total] =  variations.size
-
-            variations.each {
-                |link|
-
-                # the altered link variable
-                altered = link.altered
-
-                print_status( @__candidate.get_status_str( altered ) )
-
-                # register us as the auditor
-                link.auditor( self )
-                # submit the link and get the response
-                link.submit( @__opts ).on_complete {
-                    |res|
-
-                    @responses[:bad][altered] ||= res.body.clone
-
-                    # remove context-irrelevant dynamic content like banners and such
-                    # from the error page
-                    @responses[:bad][altered] = @responses[:bad][altered].rdiff( res.body.clone )
+                [ '\'', '"', '' ].each {
+                    |quote|
+                    @@__bools << str.gsub( '%q%', quote )
                 }
             }
-        }
-    end
-
-    # Injects SQL code that doesn't affect the flow of execution nor presentation
-    def prep_good_responses( )
-
-        @__quotes.each {
-            |quote|
-
-            # prepare the statement with combinations of quote characters
-            str = @__injection.gsub( '%q%', quote )
-
-            variations = @__candidate.injection_sets( str, @__opts )
-
-            @responses[:good_total] =  variations.size
-
-            variations.each {
-                |link|
-
-                # the altered link variable
-                altered = link.altered
-
-                # register us as the auditor
-                link.auditor( self )
-
-                # submit the link and get the response
-                link.submit( @__opts ).on_complete {
-                    |res|
-
-                    @responses[:good][altered] ||= []
-
-                    # save the response for later analysis
-                    @responses[:good][altered] << {
-                        'str'  => str,
-                        'res'  => res
-                    }
-                }
-
-            }
-        }
-
-    end
-
-    # Goes through the responses induced by {#prep_good_responses} and {#__check} their code
-    def analyze( )
-        @responses[:good].keys.each {
-            |key|
-            @responses[:good][key].each {
-                |res|
-                __check( res['str'], res['res'], key )
-            }
-        }
-    end
-
-    #
-    # Compares HTML responses in order to identify successful blind sql injections
-    #
-    # @param  [String]  str  the string that unveiled the vulnerability
-    # @param  [Typhoeus::Response]
-    # @param  [String]  var   the vulnerable variable
-    #
-    def __check( str, res, var )
-
-        # if one of the injections gives the same results as the
-        # original page then a blind SQL injection exists
-        check = res.body.rdiff( @page.html )
-
-        if( check == @responses[:orig] && @responses[:bad][var] != check &&
-            !@http.custom_404?( res ) && res.code == 200 )
-            __log_results( var, res, str )
         end
-
     end
 
-    def clean_up
-        @@__audited << __audit_id( )
-    end
+    def run( )
 
-    def __audit_id
-        "#{URI( normalize_url( @page.url ) ).path}::#{@page.query_vars.keys}"
-    end
+        opts = {}
+        # fault injection seeds
+        opts[:faults] = [ '\'"`' ]
+        # boolean injection seeds
+        opts[:bools] = @@__bools
 
-    def __audited?
-        @@__audited.include?( __audit_id( ) )
+        audit_rdiff( opts )
     end
 
-
     def self.info
         {
             :name           => 'Blind (rDiff) SQL Injection',
@@ -247,7 +70,9 @@ class BlindrDiffSQLInjection < Arachni::Module::Base
                 (Note: This module may get confused by certain types of XSS vulnerabilities.
                     If this module returns a positive result you should investigate nonetheless.)},
             :elements       => [
-                Issue::Element::LINK
+                Issue::Element::LINK,
+                Issue::Element::FORM,
+                Issue::Element::COOKIE
             ],
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
             :version         => '0.3',
@@ -276,46 +101,6 @@ class BlindrDiffSQLInjection < Arachni::Module::Base
         }
     end
 
-    private
-
-    def __log_results( var, res, str )
-
-        url = res.effective_url
-
-        # since we bypassed the auditor completely we need to create
-        # our own opts hash and pass it to the Vulnerability class.
-        #
-        # this is only required for Metasploitable vulnerabilities
-        opts = {
-            :injected_orig => URI( @page.url ).query,
-            :combo         => @__candidate.auditable
-        }
-
-        issue = Issue.new( {
-                :var          => var,
-                :url          => url,
-                :method       => res.request.method.to_s,
-                :opts         => opts,
-                :injected     => str,
-                :id           => str,
-                :regexp       => 'n/a',
-                :regexp_match => 'n/a',
-                :elem         => Issue::Element::LINK,
-                :response     => res.body,
-                :verification => true,
-                :headers      => {
-                    :request    => res.request.headers,
-                    :response   => res.headers,
-                }
-            }.merge( self.class.info )
-        )
-
-        print_ok( "In #{Issue::Element::LINK} var '#{var}' ( #{url} )" )
-
-        # register our results with the system
-        register_results( [ issue ] )
-    end
-
 end
 end
 end

data/modules/audit/sqli_blind_rdiff/payloads.txt

@@ -0,0 +1,5 @@
+%q% and %q%1
+%q%) and %q%1
+%q%)) and %q%1
+%q%))) and %q%1
+%q%)))) and %q%1

data/modules/audit/sqli_blind_timing.rb

@@ -18,7 +18,7 @@ module Modules
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2
+# @version: 0.2.1
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
@@ -55,6 +55,13 @@ class BlindTimingSQLInjection < Arachni::Module::Base
         audit_timeout( @@__injection_str, @__opts )
     end
 
+    def redundant
+        # We add ourselves to the list too.
+        # We don't want more than one timing-attack variation per issue,
+        # it's too expensive.
+        [ 'sqli', 'sqli_blind_rdiff', 'sqli_blind_timing' ]
+    end
+
     def self.info
         {
             :name           => 'Blind (timing) SQL injection',
@@ -68,7 +75,7 @@ class BlindTimingSQLInjection < Arachni::Module::Base
                 Issue::Element::HEADER
             ],
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.1.1',
+            :version        => '0.2.1',
             :references     => {
                 'OWASP'      => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
                 'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'

data/path_extractors/anchors.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts paths from anchor elements.

data/path_extractors/forms.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts paths from "form" HTML elements.

data/path_extractors/frames.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts paths from frames.

data/path_extractors/generic.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extract URLs from arbitrary text.

data/path_extractors/links.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts paths from "link" HTML elements.

data/path_extractors/meta_refresh.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts meta refresh URLs.

data/path_extractors/scripts.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # Extracts paths from "script" HTML elements.<br/>

data/path_extractors/sitemap.rb

@@ -8,7 +8,7 @@
 
 =end
 
-module Anemone::Extractors
+module Arachni::Parser::Extractors
 
 #
 # @author: Tasos "Zapotek" Laskos

data/plugins/proxy/server.rb

@@ -25,7 +25,7 @@ class Proxy
     # @author: Tasos "Zapotek" Laskos
     #                                      <tasos.laskos@gmail.com>
     #                                      <zapotek@segfault.gr>
-    # @version: 0.1
+    # @version: 0.1.1
     #
     class Server < WEBrick::HTTPProxyServer
 
@@ -57,7 +57,8 @@ class Proxy
             res.header['content-type'] = 'text/plain'
             res.header.delete( 'content-encoding' )
 
-            res.body << reasons.map{ |msg| " *  #{msg}" }.join( "\n" )
+            res.body << reasons.pop + "\n"
+            res.body << reasons.map{ |msg| "  *  #{msg}" }.join( "\n" )
         end
     end
 end

data/plugins/waf_detector.rb

@@ -126,7 +126,6 @@ class WAFDetector < Arachni::Plugin::Base
 
     def queue_original
         @precision.times {
-            # grab the page containing the login form
             @framework.http.get( @url.to_s ).on_complete {
                 |res|
                 @responses[:original] ||= res.body
@@ -137,7 +136,6 @@ class WAFDetector < Arachni::Plugin::Base
 
     def queue_vanilla( )
         @precision.times {
-            # grab the page containing the login form
             @framework.http.get( @url.to_s, :params => @safe ).on_complete {
                 |res|
                 @responses[:vanilla] ||= res.body
@@ -148,7 +146,6 @@ class WAFDetector < Arachni::Plugin::Base
 
     def queue_spicy( )
         @precision.times {
-            # grab the page containing the login form
             @framework.http.get( @url.to_s, :params => @unsafe ).on_complete {
                 |res|
                 @responses[:spicy] ||= res.body