arachni 0.4.3.2 → 0.4.4
- checksums.yaml +8 -8
- data/CHANGELOG.md +42 -0
- data/README.md +4 -1
- data/lib/arachni/element/capabilities/auditable.rb +5 -0
- data/lib/arachni/element/capabilities/auditable/rdiff.rb +105 -122
- data/lib/arachni/framework.rb +4 -1
- data/lib/arachni/http.rb +9 -10
- data/lib/arachni/mixins/progress_bar.rb +1 -1
- data/lib/arachni/options.rb +16 -0
- data/lib/arachni/rpc/server/active_options.rb +1 -1
- data/lib/arachni/ui/cli/utilities.rb +4 -0
- data/lib/arachni/uri.rb +2 -1
- data/lib/version +1 -1
- data/modules/audit/code_injection_php_input_wrapper.rb +76 -0
- data/modules/audit/path_traversal.rb +23 -13
- data/modules/audit/rfi.rb +4 -3
- data/modules/audit/source_code_disclosure.rb +138 -0
- data/modules/audit/sqli_blind_rdiff.rb +16 -13
- data/modules/audit/sqli_blind_rdiff/payloads.txt +5 -5
- data/modules/recon/grep/form_upload.rb +61 -0
- data/modules/recon/htaccess_limit.rb +6 -3
- data/modules/recon/x_forwarded_for_access_restriction_bypass.rb +55 -0
- data/plugins/http_dicattack.rb +5 -8
- data/plugins/redundant_vectors.rb +34 -0
- data/reports/html/default/issues.erb +7 -22
- data/reports/stdout.rb +3 -3
- data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +3 -2
- data/spec/arachni/http_spec.rb +27 -1
- data/spec/modules/audit/path_traversal_spec.rb +2 -2
- data/spec/modules/audit/rfi_spec.rb +1 -1
- data/spec/modules/audit/source_code_disclosure_spec.rb +24 -0
- data/spec/modules/recon/grep/form_upload_spec.rb +19 -0
- data/spec/modules/recon/x_forwarded_for_access_restriction_bypass_spec.rb +19 -0
- data/spec/plugins/http_dicattack_spec.rb +3 -3
- data/spec/support/servers/arachni/element/capabilities/auditable/rdiff.rb +3 -1
- data/spec/support/servers/modules/audit/path_traversal.rb +12 -6
- data/spec/support/servers/modules/audit/source_code_disclosure.rb +96 -0
- data/spec/support/servers/modules/audit/sqli_blind_rdiff.rb +2 -11
- data/spec/support/servers/modules/recon/grep/form_upload.rb +9 -0
- data/spec/support/servers/modules/recon/x_forwarded_for_access_restriction_bypass.rb +16 -0
- data/spec/support/shared/element/capabilities/auditable.rb +22 -1
- metadata +19 -452
- data/spec/support/logs/Dispatcher - 1000-42597.log +0 -9
- data/spec/support/logs/Dispatcher - 1009-18926.log +0 -9
- data/spec/support/logs/Dispatcher - 1018-26020.log +0 -9
- data/spec/support/logs/Dispatcher - 1027-51590.log +0 -9
- data/spec/support/logs/Dispatcher - 1036-31265.log +0 -11
- data/spec/support/logs/Dispatcher - 1049-64968.log +0 -9
- data/spec/support/logs/Dispatcher - 1059-36177.log +0 -9
- data/spec/support/logs/Dispatcher - 1119-32736.log +0 -63
- data/spec/support/logs/Dispatcher - 1128-64822.log +0 -43
- data/spec/support/logs/Dispatcher - 1137-33870.log +0 -39
- data/spec/support/logs/Dispatcher - 1146-57070.log +0 -34
- data/spec/support/logs/Dispatcher - 1155-1976.log +0 -28
- data/spec/support/logs/Dispatcher - 1166-7613.log +0 -21
- data/spec/support/logs/Dispatcher - 1176-38750.log +0 -13
- data/spec/support/logs/Dispatcher - 1186-13313.log +0 -9
- data/spec/support/logs/Dispatcher - 1328-54360.log +0 -19
- data/spec/support/logs/Dispatcher - 1338-50709.log +0 -21
- data/spec/support/logs/Dispatcher - 1347-36899.log +0 -15
- data/spec/support/logs/Dispatcher - 1362-31178.log +0 -19
- data/spec/support/logs/Dispatcher - 1374-11925.log +0 -21
- data/spec/support/logs/Dispatcher - 1384-20223.log +0 -15
- data/spec/support/logs/Dispatcher - 1575-41606.log +0 -17
- data/spec/support/logs/Dispatcher - 1585-60468.log +0 -21
- data/spec/support/logs/Dispatcher - 1594-55347.log +0 -13
- data/spec/support/logs/Dispatcher - 1607-32309.log +0 -19
- data/spec/support/logs/Dispatcher - 1616-38493.log +0 -21
- data/spec/support/logs/Dispatcher - 1625-44887.log +0 -15
- data/spec/support/logs/Dispatcher - 1677-56065.log +0 -17
- data/spec/support/logs/Dispatcher - 1686-61752.log +0 -21
- data/spec/support/logs/Dispatcher - 1698-55714.log +0 -13
- data/spec/support/logs/Dispatcher - 1711-14301.log +0 -17
- data/spec/support/logs/Dispatcher - 1720-52378.log +0 -21
- data/spec/support/logs/Dispatcher - 1729-22756.log +0 -13
- data/spec/support/logs/Dispatcher - 2016-10522.log +0 -19
- data/spec/support/logs/Dispatcher - 2025-12440.log +0 -21
- data/spec/support/logs/Dispatcher - 2034-6928.log +0 -15
- data/spec/support/logs/Dispatcher - 2058-54432.log +0 -21
- data/spec/support/logs/Dispatcher - 2067-19379.log +0 -25
- data/spec/support/logs/Dispatcher - 2076-43318.log +0 -15
- data/spec/support/logs/Dispatcher - 2112-16482.log +0 -17
- data/spec/support/logs/Dispatcher - 2121-7790.log +0 -21
- data/spec/support/logs/Dispatcher - 2130-18423.log +0 -13
- data/spec/support/logs/Dispatcher - 2145-13060.log +0 -21
- data/spec/support/logs/Dispatcher - 2154-42433.log +0 -25
- data/spec/support/logs/Dispatcher - 2163-55198.log +0 -15
- data/spec/support/logs/Dispatcher - 2199-19221.log +0 -17
- data/spec/support/logs/Dispatcher - 2208-27404.log +0 -21
- data/spec/support/logs/Dispatcher - 2217-34366.log +0 -13
- data/spec/support/logs/Dispatcher - 2230-52868.log +0 -17
- data/spec/support/logs/Dispatcher - 2239-1425.log +0 -21
- data/spec/support/logs/Dispatcher - 2248-34228.log +0 -13
- data/spec/support/logs/Dispatcher - 23550-62617.log +0 -9
- data/spec/support/logs/Dispatcher - 23577-56565.log +0 -21
- data/spec/support/logs/Dispatcher - 23734-28957.log +0 -9
- data/spec/support/logs/Dispatcher - 23744-12387.log +0 -19
- data/spec/support/logs/Dispatcher - 23753-8683.log +0 -17
- data/spec/support/logs/Dispatcher - 23762-7032.log +0 -13
- data/spec/support/logs/Dispatcher - 23771-13735.log +0 -9
- data/spec/support/logs/Dispatcher - 23780-6422.log +0 -9
- data/spec/support/logs/Dispatcher - 23789-37971.log +0 -11
- data/spec/support/logs/Dispatcher - 23802-4861.log +0 -11
- data/spec/support/logs/Dispatcher - 23815-27068.log +0 -35
- data/spec/support/logs/Dispatcher - 23900-13978.log +0 -21
- data/spec/support/logs/Dispatcher - 23928-16013.log +0 -21
- data/spec/support/logs/Dispatcher - 23952-10950.log +0 -23
- data/spec/support/logs/Dispatcher - 24002-6528.log +0 -19
- data/spec/support/logs/Dispatcher - 24011-65281.log +0 -17
- data/spec/support/logs/Dispatcher - 24020-51743.log +0 -15
- data/spec/support/logs/Dispatcher - 24033-26547.log +0 -11
- data/spec/support/logs/Dispatcher - 24046-57891.log +0 -9
- data/spec/support/logs/Dispatcher - 24055-65062.log +0 -9
- data/spec/support/logs/Dispatcher - 24064-19057.log +0 -9
- data/spec/support/logs/Dispatcher - 24073-54430.log +0 -9
- data/spec/support/logs/Dispatcher - 24082-25596.log +0 -11
- data/spec/support/logs/Dispatcher - 24095-43694.log +0 -9
- data/spec/support/logs/Dispatcher - 24104-17121.log +0 -9
- data/spec/support/logs/Dispatcher - 24158-40106.log +0 -63
- data/spec/support/logs/Dispatcher - 24167-21385.log +0 -43
- data/spec/support/logs/Dispatcher - 24176-6454.log +0 -39
- data/spec/support/logs/Dispatcher - 24185-5125.log +0 -34
- data/spec/support/logs/Dispatcher - 24194-57640.log +0 -28
- data/spec/support/logs/Dispatcher - 24203-3500.log +0 -21
- data/spec/support/logs/Dispatcher - 24212-26331.log +0 -13
- data/spec/support/logs/Dispatcher - 24222-65421.log +0 -9
- data/spec/support/logs/Dispatcher - 24764-27994.log +0 -19
- data/spec/support/logs/Dispatcher - 24774-32543.log +0 -21
- data/spec/support/logs/Dispatcher - 24783-19136.log +0 -15
- data/spec/support/logs/Dispatcher - 24796-60141.log +0 -19
- data/spec/support/logs/Dispatcher - 24805-24219.log +0 -21
- data/spec/support/logs/Dispatcher - 24814-22343.log +0 -15
- data/spec/support/logs/Dispatcher - 24933-3408.log +0 -17
- data/spec/support/logs/Dispatcher - 24942-62948.log +0 -21
- data/spec/support/logs/Dispatcher - 24951-32294.log +0 -13
- data/spec/support/logs/Dispatcher - 24964-62518.log +0 -19
- data/spec/support/logs/Dispatcher - 24973-13438.log +0 -21
- data/spec/support/logs/Dispatcher - 24982-14621.log +0 -15
- data/spec/support/logs/Dispatcher - 25033-2920.log +0 -17
- data/spec/support/logs/Dispatcher - 25043-58761.log +0 -21
- data/spec/support/logs/Dispatcher - 25052-29212.log +0 -13
- data/spec/support/logs/Dispatcher - 25066-41541.log +0 -17
- data/spec/support/logs/Dispatcher - 25075-37989.log +0 -21
- data/spec/support/logs/Dispatcher - 25084-11499.log +0 -13
- data/spec/support/logs/Dispatcher - 25311-26011.log +0 -19
- data/spec/support/logs/Dispatcher - 25320-24733.log +0 -21
- data/spec/support/logs/Dispatcher - 25329-29047.log +0 -15
- data/spec/support/logs/Dispatcher - 25353-46711.log +0 -21
- data/spec/support/logs/Dispatcher - 25362-36226.log +0 -25
- data/spec/support/logs/Dispatcher - 25371-56232.log +0 -15
- data/spec/support/logs/Dispatcher - 25407-3246.log +0 -17
- data/spec/support/logs/Dispatcher - 25416-34890.log +0 -21
- data/spec/support/logs/Dispatcher - 25425-15634.log +0 -13
- data/spec/support/logs/Dispatcher - 25438-34664.log +0 -21
- data/spec/support/logs/Dispatcher - 25447-3660.log +0 -25
- data/spec/support/logs/Dispatcher - 25456-8081.log +0 -15
- data/spec/support/logs/Dispatcher - 25492-10542.log +0 -17
- data/spec/support/logs/Dispatcher - 25501-45084.log +0 -21
- data/spec/support/logs/Dispatcher - 25510-35194.log +0 -13
- data/spec/support/logs/Dispatcher - 25519-53450.log +0 -17
- data/spec/support/logs/Dispatcher - 25532-55565.log +0 -21
- data/spec/support/logs/Dispatcher - 25541-6244.log +0 -13
- data/spec/support/logs/Dispatcher - 28179-60102.log +0 -9
- data/spec/support/logs/Dispatcher - 28206-59109.log +0 -21
- data/spec/support/logs/Dispatcher - 28347-64968.log +0 -9
- data/spec/support/logs/Dispatcher - 28357-36177.log +0 -19
- data/spec/support/logs/Dispatcher - 28366-50815.log +0 -17
- data/spec/support/logs/Dispatcher - 28375-20163.log +0 -13
- data/spec/support/logs/Dispatcher - 28384-40303.log +0 -9
- data/spec/support/logs/Dispatcher - 28393-26451.log +0 -9
- data/spec/support/logs/Dispatcher - 28402-18767.log +0 -11
- data/spec/support/logs/Dispatcher - 28415-56936.log +0 -11
- data/spec/support/logs/Dispatcher - 28428-4219.log +0 -35
- data/spec/support/logs/Dispatcher - 28489-21241.log +0 -21
- data/spec/support/logs/Dispatcher - 28498-4440.log +0 -21
- data/spec/support/logs/Dispatcher - 28507-56565.log +0 -23
- data/spec/support/logs/Dispatcher - 28548-64105.log +0 -19
- data/spec/support/logs/Dispatcher - 28557-9265.log +0 -17
- data/spec/support/logs/Dispatcher - 28566-60378.log +0 -15
- data/spec/support/logs/Dispatcher - 28580-47697.log +0 -11
- data/spec/support/logs/Dispatcher - 28593-45818.log +0 -9
- data/spec/support/logs/Dispatcher - 28603-24718.log +0 -9
- data/spec/support/logs/Dispatcher - 28612-10811.log +0 -9
- data/spec/support/logs/Dispatcher - 28621-30580.log +0 -9
- data/spec/support/logs/Dispatcher - 28642-14288.log +0 -11
- data/spec/support/logs/Dispatcher - 28657-46406.log +0 -9
- data/spec/support/logs/Dispatcher - 28666-48831.log +0 -9
- data/spec/support/logs/Dispatcher - 28723-34387.log +0 -63
- data/spec/support/logs/Dispatcher - 28732-54101.log +0 -43
- data/spec/support/logs/Dispatcher - 28741-5251.log +0 -39
- data/spec/support/logs/Dispatcher - 28750-8280.log +0 -34
- data/spec/support/logs/Dispatcher - 28759-38308.log +0 -28
- data/spec/support/logs/Dispatcher - 28768-65028.log +0 -21
- data/spec/support/logs/Dispatcher - 28777-56986.log +0 -13
- data/spec/support/logs/Dispatcher - 28787-15576.log +0 -9
- data/spec/support/logs/Dispatcher - 28994-50422.log +0 -19
- data/spec/support/logs/Dispatcher - 29004-46776.log +0 -21
- data/spec/support/logs/Dispatcher - 29013-21266.log +0 -15
- data/spec/support/logs/Dispatcher - 29026-3603.log +0 -19
- data/spec/support/logs/Dispatcher - 29035-17800.log +0 -21
- data/spec/support/logs/Dispatcher - 29044-7103.log +0 -15
- data/spec/support/logs/Dispatcher - 29165-63459.log +0 -17
- data/spec/support/logs/Dispatcher - 29174-14377.log +0 -21
- data/spec/support/logs/Dispatcher - 29183-49752.log +0 -13
- data/spec/support/logs/Dispatcher - 29196-55000.log +0 -19
- data/spec/support/logs/Dispatcher - 29205-33060.log +0 -21
- data/spec/support/logs/Dispatcher - 29214-62279.log +0 -15
- data/spec/support/logs/Dispatcher - 29269-40689.log +0 -17
- data/spec/support/logs/Dispatcher - 29278-10110.log +0 -21
- data/spec/support/logs/Dispatcher - 29288-55076.log +0 -13
- data/spec/support/logs/Dispatcher - 29301-13242.log +0 -17
- data/spec/support/logs/Dispatcher - 29310-21310.log +0 -21
- data/spec/support/logs/Dispatcher - 29319-62724.log +0 -13
- data/spec/support/logs/Dispatcher - 29568-37063.log +0 -19
- data/spec/support/logs/Dispatcher - 29577-56333.log +0 -21
- data/spec/support/logs/Dispatcher - 29586-49998.log +0 -15
- data/spec/support/logs/Dispatcher - 29611-63916.log +0 -21
- data/spec/support/logs/Dispatcher - 29620-29551.log +0 -25
- data/spec/support/logs/Dispatcher - 29629-49377.log +0 -15
- data/spec/support/logs/Dispatcher - 29665-40270.log +0 -17
- data/spec/support/logs/Dispatcher - 29674-61313.log +0 -21
- data/spec/support/logs/Dispatcher - 29683-33859.log +0 -13
- data/spec/support/logs/Dispatcher - 29696-38359.log +0 -21
- data/spec/support/logs/Dispatcher - 29705-30896.log +0 -25
- data/spec/support/logs/Dispatcher - 29714-17665.log +0 -15
- data/spec/support/logs/Dispatcher - 29752-63853.log +0 -17
- data/spec/support/logs/Dispatcher - 29761-3448.log +0 -21
- data/spec/support/logs/Dispatcher - 29770-31902.log +0 -13
- data/spec/support/logs/Dispatcher - 29783-47589.log +0 -17
- data/spec/support/logs/Dispatcher - 29792-8436.log +0 -21
- data/spec/support/logs/Dispatcher - 29801-9350.log +0 -13
- data/spec/support/logs/Dispatcher - 339-13552.log +0 -9
- data/spec/support/logs/Dispatcher - 384-22932.log +0 -21
- data/spec/support/logs/Dispatcher - 744-9325.log +0 -9
- data/spec/support/logs/Dispatcher - 754-41076.log +0 -19
- data/spec/support/logs/Dispatcher - 763-49534.log +0 -17
- data/spec/support/logs/Dispatcher - 772-59109.log +0 -13
- data/spec/support/logs/Dispatcher - 782-41178.log +0 -9
- data/spec/support/logs/Dispatcher - 791-11829.log +0 -9
- data/spec/support/logs/Dispatcher - 800-47866.log +0 -11
- data/spec/support/logs/Dispatcher - 814-16120.log +0 -11
- data/spec/support/logs/Dispatcher - 827-2111.log +0 -35
- data/spec/support/logs/Dispatcher - 889-13083.log +0 -21
- data/spec/support/logs/Dispatcher - 898-53883.log +0 -21
- data/spec/support/logs/Dispatcher - 911-41959.log +0 -23
- data/spec/support/logs/Dispatcher - 955-24486.log +0 -19
- data/spec/support/logs/Dispatcher - 965-25535.log +0 -17
- data/spec/support/logs/Dispatcher - 974-14231.log +0 -15
- data/spec/support/logs/Dispatcher - 987-5144.log +0 -11
- data/spec/support/logs/Instance - 1343-24327.error.log +0 -328
- data/spec/support/logs/Instance - 1694-39251.error.log +0 -328
- data/spec/support/logs/Instance - 1725-15789.error.log +0 -427
- data/spec/support/logs/Instance - 1766-53560.error.log +0 -326
- data/spec/support/logs/Instance - 1773-12955.error.log +0 -328
- data/spec/support/logs/Instance - 1948-11071.error.log +0 -326
- data/spec/support/logs/Instance - 24779-49625.error.log +0 -328
- data/spec/support/logs/Instance - 25048-11380.error.log +0 -328
- data/spec/support/logs/Instance - 25080-24917.error.log +0 -427
- data/spec/support/logs/Instance - 25106-33475.error.log +0 -326
- data/spec/support/logs/Instance - 25112-54559.error.log +0 -328
- data/spec/support/logs/Instance - 25242-65202.error.log +0 -326
- data/spec/support/logs/Instance - 29009-57043.error.log +0 -328
- data/spec/support/logs/Instance - 29283-31439.error.log +0 -328
- data/spec/support/logs/Instance - 29315-55609.error.log +0 -427
- data/spec/support/logs/Instance - 29341-7004.error.log +0 -326
- data/spec/support/logs/Instance - 29347-6024.error.log +0 -328
- data/spec/support/logs/Instance - 29492-27943.error.log +0 -326
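--- a/data/lib/arachni/options.rb
+++ b/data/lib/arachni/options.rb
@@ -494,6 +494,12 @@ class Options
 # @return [Integer] HTTP request timeout in milliseconds
 attr_accessor :http_timeout
 
+# @return [Integer] HTTP auth username.
+attr_accessor :http_username
+
+# @return [Integer] HTTP auth password.
+attr_accessor :http_password
+
 # @return [Bool] Only follow HTTPS links.
 attr_accessor :https_only
 
@@ -576,6 +582,8 @@ class Options
 @lsrep = []
 
 @http_req_limit = 20
+@http_username = nil
+@http_password = nil
 
 @mods = []
 
@@ -1005,6 +1013,8 @@ class Options
 [ '--spawns', GetoptLong::REQUIRED_ARGUMENT ],
 [ '--grid', GetoptLong::NO_ARGUMENT ],
 [ '--grid-mode', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--http-username', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--http-password', GetoptLong::REQUIRED_ARGUMENT ],
 [ '--https-only', GetoptLong::NO_ARGUMENT ],
 [ '--no-fingerprinting', GetoptLong::NO_ARGUMENT ],
 [ '--platforms', GetoptLong::REQUIRED_ARGUMENT ],
@@ -1274,6 +1284,12 @@ class Options
 
 when '--https-only'
 @https_only = true
+
+when '--http-username'
+@http_username = arg
+
+when '--http-password'
+@http_password = arg
 end
 end
 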
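Review bot: The new credential is accepted only as a command-line value (`[ '--http-password', GetoptLong::REQUIRED_ARGUMENT ]` feeding `@http_password = arg`), which exposes it to every local user through `ps`/`/proc` and leaves it in shell history; consider also reading it from an environment variable or prompting, and say so in the attribute's doc. Both new YARD tags are also mistyped: `# @return [Integer] HTTP auth username.` and `# @return [Integer] HTTP auth password.` should be `# @return [String, nil] Username for HTTP authentication (nil when unset).` and the matching line for the password. The same two values become remotely settable in `ActiveOptions` and will ride along with anything that serialises `Options`; I can't see the report or RPC serialisation from here, so it is worth confirming the password is redacted there.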
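--- a/data/lib/arachni/rpc/server/active_options.rb
+++ b/data/lib/arachni/rpc/server/active_options.rb
@@ -31,7 +31,7 @@ class ActiveOptions
 
 %w( url http_req_limit http_timeout user_agent redirect_limit proxy_username
 proxy_password proxy_type proxy_host proxy_port authed_by cookies
-cookie_string ).each do |m|
+cookie_string http_username http_password ).each do |m|
 m = "#{m}=".to_sym
 self.class.class_eval do
 define_method m do |v|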
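--- a/data/lib/arachni/ui/cli/utilities.rb
+++ b/data/lib/arachni/ui/cli/utilities.rb
@@ -306,6 +306,10 @@ module Utilities
 
 --only-positives Echo positive results *only*.
 
+--http-username=<string> Username for HTTP authentication.
+
+--http-password=<string> Password for HTTP authentication.
+
 --http-req-limit=<integer> Concurrent HTTP requests limit.
 (Default: #{@opts.http_req_limit})
 (Be careful not to kill your server.)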
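--- a/data/lib/arachni/uri.rb
+++ b/data/lib/arachni/uri.rb
@@ -532,13 +532,14 @@ class URI
 # @return [String]
 # The URL up to its path component (no resource name, query, fragment, etc).
 def up_to_path
+return if !path
 uri_path = path.dup
 
 uri_path = File.dirname( uri_path ) if !File.extname( path ).empty?
 
 uri_path << '/' if uri_path[-1] != '/'
 
-uri_str = scheme
+uri_str = "#{scheme}://#{host}"
 uri_str << ':' + port.to_s if port && port != 80
 uri_str << uri_path
 end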
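Review bot: Now that `up_to_path` emits the authority, the port suppression on `uri_str << ':' + port.to_s if port && port != 80` only knows HTTP's default, so an `https` URI whose `port` is 443 comes back as `https://host:443/…` while an `http` one on 80 loses its port; whether `port` is populated with a default for https I can't tell from here. A scheme-aware check keeps the two consistent: `uri_str << ":#{port}" if port && port != (scheme == 'https' ? 443 : 80)`. The new `return if !path` also makes the method return nil rather than a String, which the `# @return [String]` tag should reflect as `# @return [String, nil] nil when the URI has no path.`.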
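--- a/data/lib/version
+++ b/data/lib/version
@@ -1 +1 @@
-0.4.
+0.4.4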
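--- /dev/null
+++ b/data/modules/audit/code_injection_php_input_wrapper.rb
@@ -0,0 +1,76 @@
+=begin
+Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+=end
+
+# @see OWASP https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+class Arachni::Modules::CodeExecutionPHPInputWrapper < Arachni::Module::Base
+
+def self.options
+@options ||= {
+format: [Format::STRAIGHT],
+body: "<?php echo 'vDBVBsbVdv'; ?> <?php echo chr(80).chr(76).chr(76).chr(33).chr(56).chr(111).chr(55) ?>",
+substring: 'vDBVBsbVdv PLL!8o7',
+
+# Add one more mutation (on the fly) which will include the extension
+# of the original value (if that value was a filename) after a null byte.
+each_mutation: proc do |mutation|
+m = mutation.dup
+
+# Figure out the extension of the default value, if it has one.
+ext = m.original[m.altered].to_s.split( '.' )
+ext = ext.size > 1 ? ext.last : nil
+
+# Null-terminate the injected value and append the ext.
+m.altered_value += "\x00.#{ext}"
+
+# Pass our new element back to be audited.
+m
+end
+}
+end
+
+def run
+audit 'php://input', self.class.options
+end
+
+def self.info
+{
+name: 'Code injection (php://input wrapper)',
+description: %q{It injects PHP code into the HTTP request body and
+uses the php://input wrapper to try and load it.},
+elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+version: '0.1',
+references: {
+'OWASP' => 'https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution'
+},
+targets: %w(PHP),
+issue: {
+name: %q{Code injection (php://input wrapper)},
+description: %q{The web application can be forced to execute
+arbitrary code via the php://input wrapper.},
+tags: %w(remote injection php code execution),
+cwe: '94',
+severity: Severity::HIGH
+}
+
+}
+end
+
+end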
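Review bot: In `each_mutation` the extra mutation is produced even when the original value has no extension, so `ext` is nil and `m.altered_value += "\x00.#{ext}"` yields `php://input\x00.` — one more request per vector that tests nothing the straight payload does not. Add `next if !ext` right after `ext = ext.size > 1 ? ext.last : nil`, the same early exit the sibling `SourceCodeDisclosure` module's `each_mutation` already relies on (assuming, as it does, that the framework skips a nil return). Minor: the class is `CodeExecutionPHPInputWrapper` while the file name, `name:` and `issue[:name]` all say "code injection"; whether the module loader maps file name to class name I can't tell from here, but the two should agree.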
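--- a/data/modules/audit/path_traversal.rb
+++ b/data/modules/audit/path_traversal.rb
@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.
+# @version 0.3.3
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
@@ -27,11 +27,15 @@
 #
 class Arachni::Modules::PathTraversal < Arachni::Module::Base
 
+MINIMUM_TRAVERSALS = 0
+MAXIMUM_TRAVERSALS = 6
+
 def self.options
 @options ||= {
 format: [Format::STRAIGHT],
 regexp: [
-/
+/DOCUMENT_ROOT.*HTTP_USER_AGENT/,
+/root:[x\*]:0:0:.+:[0-9a-zA-Z\/]+/im,
 /mail:x:\d+:\d+:.+:[0-9a-zA-Z\/]+/im,
 /\[boot loader\](.*)\[operating systems\]/im,
 /\[fonts\](.*)\[extensions\]/im,
@@ -44,7 +48,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
 m = mutation.dup
 
 # Figure out the extension of the default value, if it has one.
-ext = m.
+ext = m.original[m.altered].to_s.split( '.' )
 ext = ext.size > 1 ? ext.last : nil
 
 # Null-terminate the injected value and append the ext.
@@ -60,21 +64,27 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
 return @payloads if @payloads
 
 @payloads = {
-unix: [
+unix: [
+'proc/self/environ',
+'etc/passwd'
+],
 windows: [
 'boot.ini',
 'windows/win.ini',
 'winnt/win.ini'
 ]
 }.inject({}) do |h, (platform, payloads)|
-h[platform] =
-'/'
-'
-
-
-
-
+h[platform] = payloads.map do |payload|
+trv = '/'
+prefix = (platform == :windows ? 'c:' : nil)
+
+[ "#{prefix}/#{payload}", "file://#{prefix}/#{payload}" ] +
+(MINIMUM_TRAVERSALS..MAXIMUM_TRAVERSALS).map do
+trv << '../'
+[ "#{trv}#{payload}", "file://#{trv}#{payload}" ]
+end
 end.flatten
+
 h
 end
 
@@ -97,7 +107,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
 based on the presence of relevant content in the HTML responses.},
 elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
 author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-version: '0.3.
+version: '0.3.3',
 references: {
 'OWASP' => 'http://www.owasp.org/index.php/Path_Traversal',
 'WASC' => 'http://projects.webappsec.org/Path-Traversal'
@@ -110,7 +120,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
 of a pathname to a restricted directory.},
 tags: %w(path traversal injection regexp),
 cwe: '22',
-severity: Severity::
+severity: Severity::HIGH,
 cvssv2: '4.3',
 remedy_guidance: %q{User inputs must be validated and filtered
 before being used as a part of a filesystem path.},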
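Review bot: `MINIMUM_TRAVERSALS = 0` and `MAXIMUM_TRAVERSALS = 6` do not describe what `self.payloads` generates: `trv` starts at `'/'` and `trv << '../'` runs before every yield, so the `(MINIMUM_TRAVERSALS..MAXIMUM_TRAVERSALS).map` block emits seven depths, from one to seven `../`, and the zero-depth case is actually the separate `"#{prefix}/#{payload}"` entry. Deriving the prefix from the index makes the constants honest — `(1..MAXIMUM_TRAVERSALS).map do |depth|` / `trv = '/' + '../' * depth` — and lets `MINIMUM_TRAVERSALS` go, or be set to 1 if it is to be kept. Separately, the new `/DOCUMENT_ROOT.*HTTP_USER_AGENT/` lacks the `m` flag its neighbours carry, so it only fires when both names land on one line of the response; that holds for a raw NUL-separated `/proc/self/environ`, but an application that re-wraps the output would slip through, which is worth a comment on that line.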
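--- a/data/modules/audit/rfi.rb
+++ b/data/modules/audit/rfi.rb
@@ -60,8 +60,9 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
 #
 def self.payloads
 @payloads ||= [
-'hTtP://arachni.
-'arachni.
+'hTtP://tests.arachni-scanner.com/rfi.md5.txt',
+'http://tests.arachni-scanner.com/rfi.md5.txt',
+'tests.arachni-scanner.com/rfi.md5.txt'
 ]
 end
 
@@ -116,7 +117,7 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
 #
 elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
 author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-version: '0.2',
+version: '0.2.1',
 references: {
 'WASC' => 'http://projects.webappsec.org/Remote-File-Inclusion',
 'Wikipedia' => 'http://en.wikipedia.org/wiki/Remote_File_Inclusion'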
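Review bot: `self.payloads` now makes the whole check depend on the target being able to fetch `tests.arachni-scanner.com/rfi.md5.txt`, a host the scan operator does not control: on an egress-filtered or air-gapped target the module silently finds nothing, and every vulnerable target announces itself (URL and source address) to that host when the include fires. That belongs in a comment above the method, e.g. `# Probe file is served by tests.arachni-scanner.com: the target needs outbound HTTP to it, and a hit discloses the target's address to that host.`, and ideally the base URL should be an option so a self-hosted copy can be used. The response check these payloads are verified against lies outside the hunk, so I can't confirm it still matches the new file.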
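--- /dev/null
+++ b/data/modules/audit/source_code_disclosure.rb
@@ -0,0 +1,138 @@
+=begin
+Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+=end
+
+# Identifies source code disclosures by injecting a known server-side file
+# into all input vectors and then inspects the responses for the existence of
+# source code.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/540.html
+class Arachni::Modules::SourceCodeDisclosure < Arachni::Module::Base
+
+def self.options
+@options ||= {
+format: [Format::STRAIGHT],
+regexp: [
+# PHP
+/<\?php/,
+
+# JSP
+/<%|<%=|<%@\s+page|<%@\s+include|<%--|import\s+javax.servlet|
+import\s+java.io|import=['"]java.io|request\.getParameterValues\(|
+response\.setHeader|response\.setIntHeader\(/m,
+
+# ASP
+/<%|Response\.Write|Request\.Form|Request\.QueryString|
+Response\.Flush|Session\.SessionID|Session\.Timeout|
+Server\.CreateObject|Server\.MapPath/im
+],
+
+# Add one more mutation (on the fly) which will include the extension
+# of the original value (if that value was a filename) after a null byte.
+each_mutation: proc do |mutation|
+next if mutation.is_a?( Arachni::Form ) &&
+(mutation.original? || mutation.sample?)
+
+m = mutation.dup
+
+# Figure out the extension of the default value, if it has one.
+ext = m.original[m.altered].to_s.split( '.' )
+ext = ext.size > 1 ? ext.last : nil
+
+# If the extension of the default value is the same as of the
+# payload there's no need to add an extra mutation.
+next if ext == mutation.altered_value.split( '.' ).last
+
+# Null-terminate the injected value and append the ext.
+m.altered_value += "\x00.#{ext}"
+
+# Pass our new element back to be audited.
+m
+end
+}
+end
+
+def self.payload=( file )
+@payload = file
+end
+
+def self.payload
+@payload
+end
+
+def self.supported_extensions
+@supported_extensions ||=
+Set.new([ 'jsp', 'asp', 'aspx', 'php', 'htm', 'html' ])
+end
+
+def prepare
+# Let's look for fresh a payload -- i.e. an identifiable server-side page.
+page.paths.each do |path|
+parsed_path = uri_parse( path )
+next if !self.class.supported_extensions.include?( parsed_path.resource_extension )
+
+self.class.payload = uri_parse( parsed_path.without_query ).path
+break
+end
+end
+
+def run
+return if !self.class.payload
+
+candidate_elements.each do |element|
+payload = calculate_path_to_payload_from( element.action )
+next if !payload
+
+element.taint_analysis( payload, self.class.options )
+end
+end
+
+def calculate_path_to_payload_from( url )
+return if !(up_to_path = uri_parse( url ).up_to_path)
+
+Pathname.new( self.class.payload ).
+relative_path_from( Pathname.new( uri_parse( up_to_path ).path ) ).to_s
+end
+
+def self.info
+{
+name: 'Source code disclosure',
+description: %q{It tries to identify whether or not the web application
+can be forced to reveal source code.},
+elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+version: '0.1',
+targets: %w(PHP ASP JSP),
+references: {
+'CWE' => 'http://cwe.mitre.org/data/definitions/540.html'
+},
+issue: {
+name: %q{Source code disclosure},
+description: %q{The web application can be forced to reveal source code.},
+tags: %w(code source file inclusion disclosure),
+cwe: '540',
+severity: Severity::HIGH,
+remedy_guidance: %q{User inputs must be validated and filtered
+before being included in a file-system path during file reading operations.},
+}
+
+}
+end
+
+end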
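Review bot: The JSP and ASP regexes in `self.options` are split across lines without the `x` flag, so each line break (plus whatever indentation the rendered page has stripped) is a literal part of the alternative that follows it — `import\s+java.io`, `response\.setHeader`, `Response\.Flush` and the rest only match when preceded by exactly that break, and in practice only the leading `<%` branch does any work. Closing them as `…response\.setIntHeader\(/mx,` and `…Server\.MapPath/imx` makes every alternative match as written. Since `<%` comes first, any response carrying a template tag is flagged, which may be intended for a disclosure check but deserves a comment on that line. In `each_mutation`, when the original value has no extension `ext` is nil and `next if ext == mutation.altered_value.split( '.' ).last` does not fire, so the extra mutation ends in `"\x00."`; `next if !ext || ext == mutation.altered_value.split( '.' ).last` avoids a request that tests nothing new.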
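--- a/data/modules/audit/sqli_blind_rdiff.rb
+++ b/data/modules/audit/sqli_blind_rdiff.rb
@@ -14,7 +14,6 @@
 limitations under the License.
 =end
 
-#
 # Blind SQL injection audit module
 #
 # It uses reverse-diff analysis of HTML code in order to determine successful
@@ -22,29 +21,33 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.
+# @version 0.4
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
 # @see http://www.owasp.org/index.php/Blind_SQL_Injection
-#
 class Arachni::Modules::BlindrDiffSQLInjection < Arachni::Module::Base
 
 prefer :sqli
 
-def self.
-@
-
-
-[ '\'', '"', '' ].each { |quote| @booleans << str.gsub( '%q%', quote ) }
-end
-end
-@booleans
+def self.queries_for_expression( expression )
+(@templates ||= read_file( 'payloads.txt' )).map do |template|
+[ '\'', '"', '' ].map{ |quote| template.gsub( '%q%', quote ) + " #{expression}" }
+end.flatten
 end
 
 # Options holding fault and boolean injection seeds.
 def self.options
-@
+return @options if @options
+
+pairs = []
+falses = queries_for_expression( '1=2' )
+
+queries_for_expression( '1=1' ).each.with_index do |true_expr, i|
+pairs << { true_expr => falses[i] }
+end
+
+@options = { pairs: pairs }
 end
 
 def run
@@ -61,7 +64,7 @@ class Arachni::Modules::BlindrDiffSQLInjection < Arachni::Module::Base
 If this module returns a positive result you should investigate nonetheless.)},
 elements: [ Element::LINK, Element::FORM, Element::COOKIE ],
 author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-version: '0.
+version: '0.4',
 references: {
 'OWASP' => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
 'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'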
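Review bot: `self.options` pairs the `1=1` and `1=2` variants by index across two separate `queries_for_expression` calls, which is only correct because both walk `@templates` and the three quote styles in the same order; that invariant deserves a comment on `pairs = []`, e.g. `# true/false queries line up positionally: same templates, same quote order.`. `zip` states the intent directly and drops the hand-rolled index: `pairs = queries_for_expression( '1=1' ).zip( falses ).map { |t, f| { t => f } }`. `read_file` is not visible from here; the `.map` on its result assumes it yields an Array of lines rather than a String, which is worth confirming.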