arachni 0.4.0.4 → 0.4.1

data/modules/audit/sqli_blind_timing.rb

@@ -1,105 +1,85 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
-
-module Arachni
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # Blind SQL Injection module using timing attacks.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.2.2
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.2.3
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
 # @see http://www.owasp.org/index.php/Blind_SQL_Injection
 #
-class BlindTimingSQLInjection < Arachni::Module::Base
+class Arachni::Modules::BlindTimingSQLInjection < Arachni::Module::Base
 
-    include Arachni::Module::Utilities
-
-    def prepare
-        @@__injection_str ||= []
-
-        if @@__injection_str.empty?
-            read_file( 'payloads.txt' ) {
-                |str|
-                @@__injection_str << str
-            }
-        end
-
-        @__opts = {
-            :format  => [ Format::STRAIGHT ],
-            :timeout => 4000,
-            :timeout_divider => 1000
-        }
+    # We add ourselves to the list too.
+    # We don't want more than one timing-attack variation per issue,
+    # it's too expensive.
+    prefer :sqli, :sqli_blind_rdiff
 
+    def self.sleep_codes
+        @sleep_codes ||= read_file( 'payloads.txt' )
     end
 
     def run
-        audit_timeout( @@__injection_str, @__opts )
-    end
-
-    def redundant
-        # We add ourselves to the list too.
-        # We don't want more than one timing-attack variation per issue,
-        # it's too expensive.
-        [ 'sqli', 'sqli_blind_rdiff', 'sqli_blind_timing' ]
+        audit_timeout( self.class.sleep_codes,
+            format:          [Format::STRAIGHT, Format::APPEND],
+            timeout:         4000,
+            timeout_divider: 1000
+        )
     end
 
     def self.info
         {
-            :name           => 'Blind (timing) SQL injection',
-            :description    => %q{Blind SQL Injection module using timing attacks
+            name:        'Blind (timing) SQL injection',
+            description: %q{Blind SQL Injection module using timing attacks
                 (if the remote server suddenly becomes unresponsive or your network
                 connection suddenly chokes up this module will probably produce false positives).},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.2.2',
-            :references     => {
-                'OWASP'      => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.2.3',
+            references:  {
+                'OWASP'         => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
                 'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'
             },
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Blind SQL Injection (timing attack)},
-                :description => %q{SQL code can be injected into the web application
-                    even though it may not be obvious due to suppression of error messages.
-                    (This issue was discovered using a timing attack; timing attacks
-                    can result in false positives in cases where the server takes
-                    an abnormally long time to respond.
-                    Either case, these issues will require further investigation
-                    even if they are false positives.)},
-                :tags        => [ 'sql', 'blind', 'timing', 'injection', 'database' ],
-                :cwe         => '89',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '9.0',
-                :remedy_guidance    => %q{Suppression of error messages leads to
-                    security through obscurity which is not a good practise.
-                    The web application needs to enforce stronger validation
-                    on user inputs.},
-                :remedy_code => '',
-                :metasploitable => 'unix/webapp/arachni_sqlmap'
+            targets:     %w(MySQL PostgreSQL MSSQL),
+            issue:       {
+                name:            %q{Blind SQL Injection (timing attack)},
+                description:     %q{SQL code can be injected into the web application
+    even though it may not be obvious due to suppression of error messages.
+    (This issue was discovered using a timing attack; timing attacks
+    can result in false positives in cases where the server takes
+    an abnormally long time to respond.
+    Either case, these issues will require further investigation
+    even if they are false positives.)},
+                tags:            %w(sql blind timing injection database),
+                cwe:             '89',
+                severity:        Severity::HIGH,
+                cvssv2:          '9.0',
+                remedy_guidance: %q{Suppression of error messages leads to
+    security through obscurity which is not a good practise.
+    The web application needs to enforce stronger validation
+    on user inputs.},
+                remedy_code:     '',
+                metasploitable:  'unix/webapp/arachni_sqlmap'
             }
 
         }
     end
 
 end
-end
-end

data/modules/audit/trainer.rb

@@ -1,15 +1,18 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 #
@@ -18,66 +21,26 @@ module Modules
 #
 # It also forces Arachni to train itself by analyzing the server responses.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.1
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
+# @version 0.1.2
 #
-class Trainer < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
-
-    def prepare
-
-        # this will be the used as the injection string
-        @str = '_arachni_trainer_' + seed
-
-        @opts = {
-            #
-            # tell the framework to learn from the
-            # server responses that this module will cause.
-            #
-            :train  => true,
-            :param_flip => true
-        }
-    end
+class Arachni::Modules::Trainer < Arachni::Module::Base
 
     def run
-        #
-        # this will inject the string in @str into all available inputs
-        #
-        audit( @str, @opts ) {
-            #
-            # empty block, we don't need to check for anything
-            #
-            # however since we haven't passed at least a regexp to audit()
-            # we need to provide a block otherwise the Auditor will complain...
-            #
-            # that bastard!
-            #
-        }
+        audit( '_arachni_trainer_' + seed, train: true, param_flip: true ){}
     end
 
     def self.info
         {
-            :name           => 'Trainer',
-            :description    => %q{Pokes and probes all inputs of a given page in order to uncover new input vectors.
+            name:        'Trainer',
+            description: %q{Pokes and probes all inputs of a given page in order to uncover new input vectors.
                 It also forces Arachni to train itself by analyzing the server responses.},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.1.1',
-            :references     => {
-            },
-            :targets        => { 'Generic' => 'all' },
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            version:     '0.1.2',
+            targets:     %w(Generic)
         }
     end
 
 end
-end
-end

data/modules/audit/unvalidated_redirect.rb

@@ -1,79 +1,69 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
-
-module Arachni
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # Unvalidated redirect audit module.
 #
 # It audits links, forms and cookies, injects URLs and checks
-# the Location header field to determnine whether the attack was successful.
+# the Location header field to determine whether the attack was successful.
 #
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.3
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1.4
 #
 # @see http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 #
-class UnvalidatedRedirect < Arachni::Module::Base
+class Arachni::Modules::UnvalidatedRedirect < Arachni::Module::Base
 
-    def run
-        [
-          'www.arachni-boogie-woogie.com',
-          'http://www.arachni-boogie-woogie.com',
-        ].each {
-            |url|
-            audit( url ) {
-                |res, opts|
-                log( opts, res ) if( res.headers_hash['Location'] == url )
-            }
-        }
+    def self.urls
+        @urls ||= ['www.arachni-boogie-woogie.com',
+                   'https://www.arachni-boogie-woogie.com',
+                   'http://www.arachni-boogie-woogie.com']
     end
 
+    def run
+        self.class.urls.each do |url|
+            audit( url ) { |res, opts| log( opts, res ) if self.class.urls.include?( res.location ) }
+        end
+    end
 
     def self.info
         {
-            :name           => 'UnvalidatedRedirect',
-            :description    => %q{Injects URLs and checks the Location header field
+            name:        'UnvalidatedRedirect',
+            description: %q{Injects URLs and checks the Location header field
                 to determnine whether the attack was successful.},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.1.3',
-            :references     => {
-                 'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards'
+            elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1.4',
+            references:  {
+                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards'
             },
-            :targets        => { 'Generic' => 'all' },
+            targets:     %w(Generic),
 
-            :issue   => {
-                :name        => %q{Unvalidated redirect},
-                :description => %q{The web application redirects users to unvalidated URLs.},
-                :tags        => [ 'unvalidated', 'redirect', 'injection', 'header', 'location' ],
-                :cwe         => '819',
-                :severity    => Issue::Severity::MEDIUM,
-                :cvssv2       => '',
-                :remedy_guidance    => '',
-                :remedy_code => '',
+            issue:       {
+                name:            %q{Unvalidated redirect},
+                description:     %q{The web application redirects users to unvalidated URLs.},
+                tags: %w(unvalidated redirect injection header location),
+                cwe:             '819',
+                severity:        Severity::MEDIUM,
+                remedy_guidance: %q{Server side verification should be employed
+                    to ensure that the redirect destination is the one intended.}
             }
-
         }
     end
 
 end
-end
-end

data/modules/audit/xpath.rb

@@ -1,97 +1,66 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # XPath Injection audit module.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.1
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1.2
 #
 # @see http://cwe.mitre.org/data/definitions/91.html
 # @see http://www.owasp.org/index.php/XPATH_Injection
 # @see http://www.owasp.org/index.php/Testing_for_XPath_Injection_%28OWASP-DV-010%29
 #
-class XPathInjection < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
-
-    def prepare
-
-        #
-        # we make this a class variable and populate it only once
-        # to reduce file IO
-        #
-        @@__errors ||= []
-
-        if @@__errors.empty?
-            read_file( 'errors.txt' ) { |error| @@__errors << error }
-        end
-
-        # prepare the strings that will hopefully cause the webapp
-        # to output XPath error messages
-        @__injection_strs = [
-            "'\"",
-            "<!--"
-        ]
+class Arachni::Modules::XPathInjection < Arachni::Module::Base
 
-        @__opts = {
-            :format => [ Format::APPEND ],
-            :substring => @@__errors
-        }
+    def self.error_strings
+        @error_strings ||= read_file( 'errors.txt' )
+    end
 
+    def self.opts
+        @opts ||= { format: [Format::APPEND], substring: error_strings }
     end
 
     def run
-        @__injection_strs.each {
-            |str|
-            audit( str, @__opts )
-        }
+        # these will hopefully cause the webapp to output XPath error messages
+        %w('" ]]]]]]]]] <!--).each { |str| audit( str, self.class.opts ) }
     end
 
-
     def self.info
         {
-            :name           => 'XPathInjection',
-            :description    => %q{XPath injection module},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.1.1',
-            :references     => {
-                'OWASP'      => 'http://www.owasp.org/index.php/XPATH_Injection'
+            name:        'XPathInjection',
+            description: %q{XPath injection module},
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1.2',
+            references:  {
+                'OWASP' => 'http://www.owasp.org/index.php/XPATH_Injection'
             },
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{XPath Injection},
-                :description => %q{XPath queries can be injected into the web application.},
-                :tags        => [ 'xpath', 'database', 'error', 'injection', 'regexp' ],
-                :cwe         => '91',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '',
-                :remedy_guidance    => 'User inputs must be validated and filtered
-                    before being included in database queries.',
-                :remedy_code => ''
+            targets:     %w(General PHP Java dotNET libXML2),
+            issue:       {
+                name:            %q{XPath Injection},
+                description:     %q{XPath queries can be injected into the web application.},
+                tags:            %w(xpath database error injection regexp),
+                cwe:             '91',
+                severity:        Severity::HIGH,
+                remedy_guidance: 'User inputs must be validated and filtered
+    before being included in database queries.',
             }
-
         }
     end
 
 end
-end
-end