arachni 0.4.3.2 → 0.4.4

data/lib/arachni/options.rb

@@ -494,6 +494,12 @@ class Options
     # @return   [Integer]   HTTP request timeout in milliseconds
     attr_accessor :http_timeout
 
+    # @return   [Integer]   HTTP auth username.
+    attr_accessor :http_username
+
+    # @return   [Integer]   HTTP auth password.
+    attr_accessor :http_password
+
     # @return   [Bool]   Only follow HTTPS links.
     attr_accessor :https_only
 
@@ -576,6 +582,8 @@ class Options
         @lsrep  = []
 
         @http_req_limit = 20
+        @http_username = nil
+        @http_password = nil
 
         @mods = []
 
@@ -1005,6 +1013,8 @@ class Options
             [ '--spawns',                 GetoptLong::REQUIRED_ARGUMENT ],
             [ '--grid',                   GetoptLong::NO_ARGUMENT ],
             [ '--grid-mode',              GetoptLong::REQUIRED_ARGUMENT ],
+            [ '--http-username',          GetoptLong::REQUIRED_ARGUMENT ],
+            [ '--http-password',          GetoptLong::REQUIRED_ARGUMENT ],
             [ '--https-only',             GetoptLong::NO_ARGUMENT ],
             [ '--no-fingerprinting',      GetoptLong::NO_ARGUMENT ],
             [ '--platforms',              GetoptLong::REQUIRED_ARGUMENT ],
@@ -1274,6 +1284,12 @@ class Options
 
                     when '--https-only'
                         @https_only = true
+
+                    when '--http-username'
+                        @http_username = arg
+
+                    when '--http-password'
+                        @http_password = arg
                 end
             end
 

data/lib/arachni/rpc/server/active_options.rb

@@ -31,7 +31,7 @@ class ActiveOptions
 
         %w( url http_req_limit http_timeout user_agent redirect_limit proxy_username
             proxy_password proxy_type proxy_host proxy_port authed_by cookies
-            cookie_string ).each do |m|
+            cookie_string http_username http_password ).each do |m|
             m = "#{m}=".to_sym
             self.class.class_eval do
                 define_method m do |v|

data/lib/arachni/ui/cli/utilities.rb

@@ -306,6 +306,10 @@ module Utilities
 
     --only-positives            Echo positive results *only*.
 
+    --http-username=<string>    Username for HTTP authentication.
+
+    --http-password=<string>    Password for HTTP authentication.
+
     --http-req-limit=<integer>  Concurrent HTTP requests limit.
                                   (Default: #{@opts.http_req_limit})
                                   (Be careful not to kill your server.)

data/lib/arachni/uri.rb

@@ -532,13 +532,14 @@ class URI
     # @return   [String]
     #   The URL up to its path component (no resource name, query, fragment, etc).
     def up_to_path
+        return if !path
         uri_path = path.dup
 
         uri_path = File.dirname( uri_path ) if !File.extname( path ).empty?
 
         uri_path << '/' if uri_path[-1] != '/'
 
-        uri_str = scheme + "://" + host
+        uri_str = "#{scheme}://#{host}"
         uri_str << ':' + port.to_s if port && port != 80
         uri_str << uri_path
     end

data/lib/version

@@ -1 +1 @@
-0.4.3.2
+0.4.4

data/modules/audit/code_injection_php_input_wrapper.rb

@@ -0,0 +1,76 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# @see OWASP    https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+class Arachni::Modules::CodeExecutionPHPInputWrapper < Arachni::Module::Base
+
+    def self.options
+        @options ||= {
+            format:    [Format::STRAIGHT],
+            body:      "<?php echo 'vDBVBsbVdv'; ?> <?php echo chr(80).chr(76).chr(76).chr(33).chr(56).chr(111).chr(55) ?>",
+            substring: 'vDBVBsbVdv PLL!8o7',
+
+            # Add one more mutation (on the fly) which will include the extension
+            # of the original value (if that value was a filename) after a null byte.
+            each_mutation: proc do |mutation|
+                m = mutation.dup
+
+                # Figure out the extension of the default value, if it has one.
+                ext = m.original[m.altered].to_s.split( '.' )
+                ext = ext.size > 1 ? ext.last : nil
+
+                # Null-terminate the injected value and append the ext.
+                m.altered_value += "\x00.#{ext}"
+
+                # Pass our new element back to be audited.
+                m
+            end
+        }
+    end
+
+    def run
+        audit 'php://input', self.class.options
+    end
+
+    def self.info
+        {
+            name:        'Code injection (php://input wrapper)',
+            description: %q{It injects PHP code into the HTTP request body and
+                uses the php://input wrapper to try and load it.},
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.1',
+            references:  {
+                'OWASP'     => 'https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution'
+            },
+            targets:     %w(PHP),
+            issue:       {
+                name:            %q{Code injection (php://input wrapper)},
+                description:     %q{The web application can be forced to execute
+                    arbitrary code via the php://input wrapper.},
+                tags:            %w(remote injection php code execution),
+                cwe:             '94',
+                severity:        Severity::HIGH
+            }
+
+        }
+    end
+
+end

data/modules/audit/path_traversal.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.1
+# @version 0.3.3
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
@@ -27,11 +27,15 @@
 #
 class Arachni::Modules::PathTraversal < Arachni::Module::Base
 
+    MINIMUM_TRAVERSALS = 0
+    MAXIMUM_TRAVERSALS = 6
+
     def self.options
         @options ||= {
             format: [Format::STRAIGHT],
             regexp: [
-                /root:x:0:0:.+:[0-9a-zA-Z\/]+/im,
+                /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
+                /root:[x\*]:0:0:.+:[0-9a-zA-Z\/]+/im,
                 /mail:x:\d+:\d+:.+:[0-9a-zA-Z\/]+/im,
                 /\[boot loader\](.*)\[operating systems\]/im,
                 /\[fonts\](.*)\[extensions\]/im,
@@ -44,7 +48,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
                 m = mutation.dup
 
                 # Figure out the extension of the default value, if it has one.
-                ext = m.orig[m.altered].to_s.split( '.' )
+                ext = m.original[m.altered].to_s.split( '.' )
                 ext = ext.size > 1 ? ext.last : nil
 
                 # Null-terminate the injected value and append the ext.
@@ -60,21 +64,27 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
         return @payloads if @payloads
 
         @payloads = {
-            unix:    [ 'etc/passwd' ],
+            unix:    [
+                'proc/self/environ',
+                'etc/passwd'
+            ],
             windows: [
                 'boot.ini',
                 'windows/win.ini',
                 'winnt/win.ini'
             ]
         }.inject({}) do |h, (platform, payloads)|
-            h[platform] = [
-                '/',
-                '/../../../../../../../../../../../../../../../../'
-            ].map do |trv|
-                payloads.map do |payload|
-                    [ "#{trv}#{payload}", "file://#{trv}#{payload}" ]
-                end
+            h[platform] = payloads.map do |payload|
+                trv = '/'
+                prefix = (platform == :windows ? 'c:' : nil)
+
+                [ "#{prefix}/#{payload}", "file://#{prefix}/#{payload}" ] +
+                    (MINIMUM_TRAVERSALS..MAXIMUM_TRAVERSALS).map do
+                        trv << '../'
+                        [ "#{trv}#{payload}", "file://#{trv}#{payload}" ]
+                    end
             end.flatten
+
             h
         end
 
@@ -97,7 +107,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
                 based on the presence of relevant content in the HTML responses.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.3.1',
+            version:     '0.3.3',
             references:  {
                 'OWASP' => 'http://www.owasp.org/index.php/Path_Traversal',
                 'WASC'  => 'http://projects.webappsec.org/Path-Traversal'
@@ -110,7 +120,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
     of a pathname to a restricted directory.},
                 tags:            %w(path traversal injection regexp),
                 cwe:             '22',
-                severity:        Severity::MEDIUM,
+                severity:        Severity::HIGH,
                 cvssv2:          '4.3',
                 remedy_guidance: %q{User inputs must be validated and filtered
     before being used as a part of a filesystem path.},

data/modules/audit/rfi.rb

@@ -60,8 +60,9 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
     #
     def self.payloads
         @payloads ||= [
-            'hTtP://arachni.github.com/arachni/rfi.md5.txt',
-            'arachni.github.com/arachni/rfi.md5.txt'
+            'hTtP://tests.arachni-scanner.com/rfi.md5.txt',
+            'http://tests.arachni-scanner.com/rfi.md5.txt',
+            'tests.arachni-scanner.com/rfi.md5.txt'
         ]
     end
 
@@ -116,7 +117,7 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
             #
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2',
+            version:     '0.2.1',
             references:  {
                 'WASC'      => 'http://projects.webappsec.org/Remote-File-Inclusion',
                 'Wikipedia' => 'http://en.wikipedia.org/wiki/Remote_File_Inclusion'

data/modules/audit/source_code_disclosure.rb

@@ -0,0 +1,138 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# Identifies source code disclosures by injecting a known server-side file
+# into all input vectors and then inspects the responses for the existence of
+# source code.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/540.html
+class Arachni::Modules::SourceCodeDisclosure < Arachni::Module::Base
+
+    def self.options
+        @options ||= {
+            format:        [Format::STRAIGHT],
+            regexp:        [
+                # PHP
+                /<\?php/,
+
+                # JSP
+                /<%|<%=|<%@\s+page|<%@\s+include|<%--|import\s+javax.servlet|
+                    import\s+java.io|import=['"]java.io|request\.getParameterValues\(|
+                    response\.setHeader|response\.setIntHeader\(/m,
+
+                # ASP
+                /<%|Response\.Write|Request\.Form|Request\.QueryString|
+                    Response\.Flush|Session\.SessionID|Session\.Timeout|
+                    Server\.CreateObject|Server\.MapPath/im
+            ],
+
+            # Add one more mutation (on the fly) which will include the extension
+            # of the original value (if that value was a filename) after a null byte.
+            each_mutation: proc do |mutation|
+                next if mutation.is_a?( Arachni::Form ) &&
+                    (mutation.original? || mutation.sample?)
+
+                m = mutation.dup
+
+                # Figure out the extension of the default value, if it has one.
+                ext = m.original[m.altered].to_s.split( '.' )
+                ext = ext.size > 1 ? ext.last : nil
+
+                # If the extension of the default value is the same as of the
+                # payload there's no need to add an extra mutation.
+                next if ext == mutation.altered_value.split( '.' ).last
+
+                # Null-terminate the injected value and append the ext.
+                m.altered_value += "\x00.#{ext}"
+
+                # Pass our new element back to be audited.
+                m
+            end
+        }
+    end
+
+    def self.payload=( file )
+        @payload = file
+    end
+
+    def self.payload
+        @payload
+    end
+
+    def self.supported_extensions
+        @supported_extensions ||=
+            Set.new([ 'jsp', 'asp', 'aspx', 'php', 'htm', 'html' ])
+    end
+
+    def prepare
+        # Let's look for fresh a payload -- i.e. an identifiable server-side page.
+        page.paths.each do |path|
+            parsed_path = uri_parse( path )
+            next if !self.class.supported_extensions.include?( parsed_path.resource_extension )
+
+            self.class.payload = uri_parse( parsed_path.without_query ).path
+            break
+        end
+    end
+
+    def run
+        return if !self.class.payload
+
+        candidate_elements.each do |element|
+            payload = calculate_path_to_payload_from( element.action )
+            next if !payload
+
+            element.taint_analysis( payload, self.class.options )
+        end
+    end
+
+    def calculate_path_to_payload_from( url )
+        return if !(up_to_path = uri_parse( url ).up_to_path)
+
+        Pathname.new( self.class.payload ).
+            relative_path_from( Pathname.new( uri_parse( up_to_path ).path ) ).to_s
+    end
+
+    def self.info
+        {
+            name:        'Source code disclosure',
+            description: %q{It tries to identify whether or not the web application
+                can be forced to reveal source code.},
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1',
+            targets:     %w(PHP ASP JSP),
+            references:  {
+                'CWE' => 'http://cwe.mitre.org/data/definitions/540.html'
+            },
+            issue:       {
+                name:            %q{Source code disclosure},
+                description:     %q{The web application can be forced to reveal source code.},
+                tags:            %w(code source file inclusion disclosure),
+                cwe:             '540',
+                severity:        Severity::HIGH,
+                remedy_guidance: %q{User inputs must be validated and filtered
+                    before being included in a file-system path during file reading operations.},
+            }
+
+        }
+    end
+
+end

data/modules/audit/sqli_blind_rdiff.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # Blind SQL injection audit module
 #
 # It uses reverse-diff analysis of HTML code in order to determine successful
@@ -22,29 +21,33 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.2
+# @version 0.4
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
 # @see http://www.owasp.org/index.php/Blind_SQL_Injection
-#
 class Arachni::Modules::BlindrDiffSQLInjection < Arachni::Module::Base
 
     prefer :sqli
 
-    def self.booleans
-        @booleans ||= []
-        if @booleans.empty?
-            read_file( 'payloads.txt' ) do |str|
-                [ '\'', '"', '' ].each { |quote| @booleans << str.gsub( '%q%', quote ) }
-            end
-        end
-        @booleans
+    def self.queries_for_expression( expression )
+        (@templates ||= read_file( 'payloads.txt' )).map do |template|
+            [ '\'', '"', '' ].map{ |quote| template.gsub( '%q%', quote ) + " #{expression}" }
+        end.flatten
     end
 
     # Options holding fault and boolean injection seeds.
     def self.options
-        @opts ||= { faults: [ '\'"`' ], bools:  booleans }
+        return @options if @options
+
+        pairs  = []
+        falses = queries_for_expression( '1=2' )
+
+        queries_for_expression( '1=1' ).each.with_index do |true_expr, i|
+            pairs << { true_expr => falses[i] }
+        end
+
+        @options = { pairs: pairs }
     end
 
     def run
@@ -61,7 +64,7 @@ class Arachni::Modules::BlindrDiffSQLInjection < Arachni::Module::Base
                     If this module returns a positive result you should investigate nonetheless.)},
             elements:    [ Element::LINK, Element::FORM, Element::COOKIE ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.3.2',
+            version:     '0.4',
             references:  {
                 'OWASP'         => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
                 'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'