arachni 0.4.4 → 0.4.5
- checksums.yaml +8 -8
- data/CHANGELOG.md +37 -0
- data/README.md +18 -3
- data/lib/arachni/element/capabilities/auditable.rb +5 -1
- data/lib/arachni/element/capabilities/auditable/taint.rb +37 -2
- data/lib/arachni/platform/fingerprinter.rb +4 -4
- data/lib/arachni/platform/manager.rb +15 -1
- data/lib/arachni/platforms.rb +2 -1
- data/lib/arachni/rpc/server/framework/distributor.rb +2 -2
- data/lib/arachni/spider.rb +1 -1
- data/lib/arachni/ui/cli/utilities.rb +1 -1
- data/lib/version +1 -1
- data/modules/audit/file_inclusion.rb +126 -0
- data/modules/audit/os_cmd_injection.rb +11 -9
- data/modules/audit/path_traversal.rb +21 -21
- data/modules/audit/source_code_disclosure.rb +16 -15
- data/modules/audit/sqli.rb +13 -6
- data/modules/audit/sqli/patterns/access +3 -0
- data/modules/audit/sqli/patterns/coldfusion +1 -0
- data/modules/audit/sqli/patterns/db2 +5 -0
- data/modules/audit/sqli/patterns/emc +2 -0
- data/modules/audit/sqli/patterns/firebird +2 -0
- data/modules/audit/sqli/patterns/frontbase +1 -0
- data/modules/audit/sqli/patterns/hsqldb +1 -0
- data/modules/audit/sqli/patterns/informix +3 -0
- data/modules/audit/sqli/patterns/ingres +3 -0
- data/modules/audit/sqli/patterns/interbase +2 -0
- data/modules/audit/sqli/patterns/maxdb +2 -0
- data/modules/audit/sqli/patterns/mssql +24 -0
- data/modules/audit/sqli/patterns/mysql +15 -0
- data/modules/audit/sqli/patterns/oracle +6 -0
- data/modules/audit/sqli/patterns/pgsql +8 -0
- data/modules/audit/sqli/patterns/sqlite +5 -0
- data/modules/audit/sqli/patterns/sybase +3 -0
- data/modules/recon/common_files/filenames.txt +1 -0
- data/modules/recon/localstart_asp.rb +67 -0
- data/path_extractors/comments.rb +30 -0
- data/path_extractors/meta_refresh.rb +8 -4
- data/plugins/uncommon_headers.rb +91 -0
- data/reports/html/default/issue.erb +1 -1
- data/reports/html/default/plugins.erb +3 -3
- data/reports/plugin_formatters/html/uncommon_headers.rb +47 -0
- data/reports/plugin_formatters/stdout/uncommon_headers.rb +37 -0
- data/reports/plugin_formatters/xml/discovery.rb +2 -0
- data/reports/plugin_formatters/xml/timing_attacks.rb +2 -0
- data/reports/plugin_formatters/xml/uncommon_headers.rb +38 -0
- data/reports/plugin_formatters/xml/uniformity.rb +2 -1
- data/reports/xml/buffer.rb +9 -5
- data/spec/arachni/element/capabilities/auditable/taint_spec.rb +295 -82
- data/spec/arachni/framework_spec.rb +48 -35
- data/spec/arachni/platform/manager_spec.rb +3 -2
- data/spec/modules/audit/file_inclusion_spec.rb +25 -0
- data/spec/modules/audit/path_traversal_spec.rb +3 -3
- data/spec/modules/audit/sqli_spec.rb +2 -1
- data/spec/modules/recon/localstart_asp_spec.rb +19 -0
- data/spec/path_extractors/comments_spec.rb +22 -0
- data/spec/path_extractors/meta_refresh_spec.rb +3 -3
- data/spec/plugins/uncommon_headers_spec.rb +64 -0
- data/spec/support/logs/Dispatcher - 1755-58492.log +9 -0
- data/spec/support/logs/Dispatcher - 1783-39171.log +21 -0
- data/spec/support/logs/Dispatcher - 1920-39032.log +9 -0
- data/spec/support/logs/Dispatcher - 1931-5309.log +19 -0
- data/spec/support/logs/Dispatcher - 1943-59691.log +17 -0
- data/spec/support/logs/Dispatcher - 1953-29898.log +13 -0
- data/spec/support/logs/Dispatcher - 1962-41002.log +9 -0
- data/spec/support/logs/Dispatcher - 1973-27626.log +9 -0
- data/spec/support/logs/Dispatcher - 1983-18043.log +11 -0
- data/spec/support/logs/Dispatcher - 1996-23139.log +11 -0
- data/spec/support/logs/Dispatcher - 2010-10568.log +35 -0
- data/spec/support/logs/Dispatcher - 2072-29284.log +21 -0
- data/spec/support/logs/Dispatcher - 2081-3234.log +21 -0
- data/spec/support/logs/Dispatcher - 2090-18129.log +23 -0
- data/spec/support/logs/Dispatcher - 2132-43806.log +19 -0
- data/spec/support/logs/Dispatcher - 2141-1327.log +17 -0
- data/spec/support/logs/Dispatcher - 2150-52559.log +15 -0
- data/spec/support/logs/Dispatcher - 2163-60400.log +11 -0
- data/spec/support/logs/Dispatcher - 2176-6021.log +9 -0
- data/spec/support/logs/Dispatcher - 2185-22991.log +9 -0
- data/spec/support/logs/Dispatcher - 2194-15317.log +9 -0
- data/spec/support/logs/Dispatcher - 2203-51674.log +9 -0
- data/spec/support/logs/Dispatcher - 2212-25563.log +11 -0
- data/spec/support/logs/Dispatcher - 2225-7249.log +9 -0
- data/spec/support/logs/Dispatcher - 2234-36714.log +9 -0
- data/spec/support/logs/Dispatcher - 2291-34161.log +63 -0
- data/spec/support/logs/Dispatcher - 2300-29645.log +43 -0
- data/spec/support/logs/Dispatcher - 2309-26961.log +39 -0
- data/spec/support/logs/Dispatcher - 2320-25486.log +34 -0
- data/spec/support/logs/Dispatcher - 2394-20678.log +28 -0
- data/spec/support/logs/Dispatcher - 2409-35315.log +21 -0
- data/spec/support/logs/Dispatcher - 2428-13197.log +13 -0
- data/spec/support/logs/Dispatcher - 2444-26232.log +9 -0
- data/spec/support/logs/Dispatcher - 2573-19232.log +19 -0
- data/spec/support/logs/Dispatcher - 2583-26954.log +21 -0
- data/spec/support/logs/Dispatcher - 2592-57040.log +15 -0
- data/spec/support/logs/Dispatcher - 2606-55321.log +19 -0
- data/spec/support/logs/Dispatcher - 2615-56847.log +21 -0
- data/spec/support/logs/Dispatcher - 2624-51835.log +15 -0
- data/spec/support/logs/Dispatcher - 2745-54916.log +17 -0
- data/spec/support/logs/Dispatcher - 2754-32405.log +21 -0
- data/spec/support/logs/Dispatcher - 2763-13372.log +13 -0
- data/spec/support/logs/Dispatcher - 2776-6861.log +19 -0
- data/spec/support/logs/Dispatcher - 2785-19122.log +21 -0
- data/spec/support/logs/Dispatcher - 2794-54279.log +15 -0
- data/spec/support/logs/Dispatcher - 2847-13871.log +17 -0
- data/spec/support/logs/Dispatcher - 2856-56546.log +21 -0
- data/spec/support/logs/Dispatcher - 2865-22921.log +13 -0
- data/spec/support/logs/Dispatcher - 2878-27922.log +17 -0
- data/spec/support/logs/Dispatcher - 2888-5399.log +21 -0
- data/spec/support/logs/Dispatcher - 2897-6079.log +13 -0
- data/spec/support/logs/Dispatcher - 3129-24131.log +19 -0
- data/spec/support/logs/Dispatcher - 3139-17731.log +21 -0
- data/spec/support/logs/Dispatcher - 3148-33704.log +15 -0
- data/spec/support/logs/Dispatcher - 3172-16517.log +21 -0
- data/spec/support/logs/Dispatcher - 3181-26384.log +25 -0
- data/spec/support/logs/Dispatcher - 3190-37513.log +15 -0
- data/spec/support/logs/Dispatcher - 3232-40996.log +17 -0
- data/spec/support/logs/Dispatcher - 3241-14948.log +21 -0
- data/spec/support/logs/Dispatcher - 3250-40285.log +13 -0
- data/spec/support/logs/Dispatcher - 3263-26987.log +21 -0
- data/spec/support/logs/Dispatcher - 3272-2729.log +25 -0
- data/spec/support/logs/Dispatcher - 3297-52308.log +15 -0
- data/spec/support/logs/Dispatcher - 3335-17008.log +17 -0
- data/spec/support/logs/Dispatcher - 3344-33205.log +21 -0
- data/spec/support/logs/Dispatcher - 3353-22917.log +13 -0
- data/spec/support/logs/Dispatcher - 3367-34935.log +17 -0
- data/spec/support/logs/Dispatcher - 3376-35370.log +21 -0
- data/spec/support/logs/Dispatcher - 3385-26487.log +13 -0
- data/spec/support/logs/Instance - 2588-19460.error.log +314 -0
- data/spec/support/logs/Instance - 2861-5917.error.log +314 -0
- data/spec/support/logs/Instance - 2893-61274.error.log +413 -0
- data/spec/support/logs/Instance - 2913-11030.error.log +312 -0
- data/spec/support/logs/Instance - 2919-17549.error.log +314 -0
- data/spec/support/logs/Instance - 3054-17565.error.log +312 -0
- data/spec/support/servers/modules/audit/file_inclusion.rb +202 -0
- data/spec/support/servers/modules/audit/sqli/access +3 -0
- data/spec/support/servers/modules/audit/sqli/firebird +1 -0
- data/spec/support/servers/modules/audit/sqli/frontbase +1 -0
- data/spec/support/servers/modules/audit/sqli/hsqldb +1 -0
- data/spec/support/servers/modules/audit/sqli/ingres +3 -0
- data/spec/support/servers/modules/audit/sqli/maxdb +2 -0
- data/spec/support/servers/modules/audit/sqli/mssql +0 -5
- data/spec/support/servers/modules/audit/sqli/oracle +1 -1
- data/spec/support/servers/modules/audit/sqli/sybase +3 -0
- data/spec/support/servers/modules/recon/localstart_asp.rb +5 -0
- data/spec/support/servers/plugins/uncommon_headers.rb +16 -0
- metadata +202 -4
- data/modules/audit/sqli/regexp_ids.txt +0 -69
- data/plugins/redundant_vectors.rb +0 -34
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
MTJjMzVjNDlhODJlOTFlNGFiY2ZkNGVjOGE3MTEyOWQ4ZGE0NTI4Yg==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
NTQxM2I3OWU3YTc0ZDU5NTg2YzY5MjZiYzRkYjFjMGIwZTkxZjI4ZQ==
|
7
7
|
!binary "U0hBNTEy":
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
NmU0Y2ExMWQ3ZjhmN2UzZGMyYzEwMThlOTRiY2M4NDQ2MjQyMGVjZDhlMjli
|
10
|
+
ODAxNDEzMmE4ODIxYmVhMzBiOTNiNDljYmE0MmQ0ZmZiMTVmNzZkYjJiODFm
|
11
|
+
MWE1YzE3ODJiY2Y2OGJiMDhiNjZmYzAxZTMyZDgyMDU1NmQ3NDM=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
MWRkZDg5NjBhZTNhN2M1MjkzYTc2ZjM4YzhkZGMwN2Y0ZjIzNDA2MDY1YTE1
|
14
|
+
MjFlN2I1ZTkyNjc4YmZiZDRjNWE1ODY2MTZkNjk2MzY1MTU2MDY5NDA1ZGNi
|
15
|
+
YWM5MGVhMTUzZjVkYTNlNDJmMmEyZjFkZDBiZjNhNjNlZTdlY2M=
|
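--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,42 @@
 # ChangeLog
 
+## 0.4.5 _(September 12, 2013)_
+
+- `Element::Capabilities::Auditable::Taint`
+- Patterns can now be per-platform which results in improved fingerprinting
+during the audit phase and less CPU stress when analyzing responses.
+- Modules
+- Audit
+- Path traversal (`path_traversal`)
+- Updated `/etc/passwd` signatures to be more generic.
+- Updated MS Windows payloads to include dot truncation.
+- Detection patterns organized per platform.
+- Moved non-traversal payloads to the `file_inclusion` module.
+- SQL Injection (`sqli`)
+- Added support for:
+- Firebird
+- SAP Max DB
+- Sybase
+- Frontbase
+- IngresDB
+- HSQLDB
+- MS Access
+- OS command injection (`os_cmd_injection`)
+- Detection patterns organized per platform.
+- Added:
+- File inclusion (`file_inclusion`) -- Extracted from `path_traversal`.
+- Uses common server-side files and errors to identify issues.
+- Recon
+- Added:
+- localstart.asp (`localstart_asp`)
+- Checks if `localstart.asp` is accessible.
+- Plugins
+- Added:
+- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
+- Path extractors
+- Added:
+- Extract partial paths from HTML comments (`comments`).
+
 ## 0.4.4 _(August 10, 2013)_
 
 - Options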
data/README.md
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
<table>
|
4
4
|
<tr>
|
5
5
|
<th>Version</th>
|
6
|
-
<td>0.4.
|
6
|
+
<td>0.4.5</td>
|
7
7
|
</tr>
|
8
8
|
<tr>
|
9
9
|
<th>Homepage</th>
|
@@ -101,7 +101,7 @@ From a user’s or a component developer’s point of view everything appears si
|
|
101
101
|
and straight-forward all the while providing power, performance and flexibility.
|
102
102
|
|
103
103
|
From the simple command-line utility scanner to the intuitive and user-friendly
|
104
|
-
Web interface and collaboration platform, Arachni follows the principle of
|
104
|
+
Web interface and collaboration platform, Arachni follows the principle of least
|
105
105
|
surprise and provides you with plenty of feedback and guidance.
|
106
106
|
|
107
107
|
#### In simple terms
|
@@ -263,6 +263,13 @@ Audit modules actively engage the web application via its inputs.
|
|
263
263
|
- SQLite
|
264
264
|
- DB2
|
265
265
|
- Informix
|
266
|
+
- Firebird
|
267
|
+
- SaP Max DB
|
268
|
+
- Sybase
|
269
|
+
- Frontbase
|
270
|
+
- Ingres
|
271
|
+
- HSQLDB
|
272
|
+
- MS Access
|
266
273
|
- Blind SQL injection using rDiff analysis (`sqli_blind_rdiff`).
|
267
274
|
- Blind SQL injection using timing attacks (`sqli_blind_timing`).
|
268
275
|
- MySQL
|
@@ -286,6 +293,12 @@ Audit modules actively engage the web application via its inputs.
|
|
286
293
|
- *nix
|
287
294
|
- Windows
|
288
295
|
- Tomcat
|
296
|
+
- File inclusion (`file_inclusion`).
|
297
|
+
- *nix
|
298
|
+
- Windows
|
299
|
+
- Tomcat
|
300
|
+
- PHP
|
301
|
+
- Perl
|
289
302
|
- Response splitting (`response_splitting`).
|
290
303
|
- OS command injection (`os_cmd_injection`).
|
291
304
|
- *nix
|
@@ -338,6 +351,7 @@ Recon modules look for the existence of files, folders and signatures.
|
|
338
351
|
- Auto-complete for password form fields (`password_autocomplete`).
|
339
352
|
- X-Forwarded-For Access Restriction Bypass (`x_forwarded_for_access_restriction_bypass`)
|
340
353
|
- Form-based upload (`form_upload`)
|
354
|
+
- localstart.asp (`localstart_asp`)
|
341
355
|
|
342
356
|
### Report Management
|
343
357
|
|
@@ -365,7 +379,7 @@ Recon modules look for the existence of files, folders and signatures.
|
|
365
379
|
#### Available plugins
|
366
380
|
|
367
381
|
Plugins add extra functionality to the system in a modular fashion, this way the
|
368
|
-
core remains lean and makes it easy for anyone to arbitrary functionality.
|
382
|
+
core remains lean and makes it easy for anyone to add arbitrary functionality.
|
369
383
|
|
370
384
|
- ReScan (`rescan`)-- It uses the AFR report of a previous scan to extract the sitemap
|
371
385
|
in order to avoid a redundant crawl.
|
@@ -388,6 +402,7 @@ core remains lean and makes it easy for anyone to arbitrary functionality.
|
|
388
402
|
Useful for unit-testing or a gazillion other things.
|
389
403
|
- Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,
|
390
404
|
used for debugging and general hackery.
|
405
|
+
- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
|
391
406
|
|
392
407
|
#### Defaults
|
393
408
|
|
@@ -439,9 +439,13 @@ module Auditable
|
|
439
439
|
|
440
440
|
return if platform_payloads.empty?
|
441
441
|
|
442
|
+
payload_platforms = Set.new( payloads.keys )
|
442
443
|
platform_payloads.each do |platform, payloads_for_platform|
|
443
444
|
audit( [payloads_for_platform].flatten.compact,
|
444
|
-
opts.merge(
|
445
|
+
opts.merge(
|
446
|
+
platform: platform,
|
447
|
+
payload_platforms: payload_platforms
|
448
|
+
),
|
445
449
|
&block )
|
446
450
|
end
|
447
451
|
else
|
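Review bot: `payload_platforms = Set.new( payloads.keys )` at new line 442 is computed from the unfiltered `payloads` hash rather than from `platform_payloads`, so a platform that has payloads but (presumably) was dropped by the platform filter above is still reported downstream as "has its own payloads"; if that is intentional it deserves a comment such as `# Every platform we have payloads for, selected or not; Taint#match_patterns uses it to find patterns with no payloads of their own.` `Set` also has to be required somewhere on the load path (Ruby before 3.2 does not autoload it) — the framework probably does this already, worth confirming. The enclosing method starts and ends outside this hunk.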
@@ -105,8 +105,43 @@ module Auditable::Taint
|
|
105
105
|
def get_matches( res, opts )
|
106
106
|
opts[:substring] = opts[:injected_orig] if !opts[:regexp] && !opts[:substring]
|
107
107
|
|
108
|
-
|
109
|
-
|
108
|
+
match_patterns( opts[:regexp], method( :match_regexp_and_log ), res, opts.dup )
|
109
|
+
match_patterns( opts[:substring], method( :match_substring_and_log ), res, opts.dup )
|
110
|
+
end
|
111
|
+
|
112
|
+
def match_patterns( patterns, matcher, res, opts )
|
113
|
+
case patterns
|
114
|
+
when Regexp, String, Array
|
115
|
+
[patterns].flatten.compact.
|
116
|
+
each { |pattern| matcher.call( pattern, res, opts ) }
|
117
|
+
|
118
|
+
when Hash
|
119
|
+
if opts[:platform] && patterns[opts[:platform]]
|
120
|
+
[patterns[opts[:platform]]].flatten.compact.each do |p|
|
121
|
+
[p].flatten.compact.
|
122
|
+
each { |pattern| matcher.call( pattern, res, opts ) }
|
123
|
+
end
|
124
|
+
else
|
125
|
+
patterns.each do |platform, p|
|
126
|
+
dopts = opts.dup
|
127
|
+
dopts[:platform] = platform
|
128
|
+
|
129
|
+
[p].flatten.compact.
|
130
|
+
each { |pattern| matcher.call( pattern, res, dopts ) }
|
131
|
+
end
|
132
|
+
end
|
133
|
+
|
134
|
+
# Find out if there are any patterns without associated payloads
|
135
|
+
# and match them against every payload's response.
|
136
|
+
patterns.select { |p, _| !opts[:payload_platforms].include?( p ) }.
|
137
|
+
each do |platform, p|
|
138
|
+
dopts = opts.dup
|
139
|
+
dopts[:platform] = platform
|
140
|
+
|
141
|
+
[p].flatten.compact.
|
142
|
+
each { |pattern| matcher.call( pattern, res, dopts ) }
|
143
|
+
end
|
144
|
+
end
|
110
145
|
end
|
111
146
|
|
112
147
|
def match_substring_and_log( substring, res, opts )
|
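Review bot: In the `Hash` arm of `match_patterns` the "patterns without associated payloads" loop at new lines 136-143 runs after the `if`/`else`, so on the `else` path — where `patterns.each` at line 125 has already matched every platform's patterns — the platforms missing from `opts[:payload_platforms]` are matched a second time against the same response. The same line calls `.include?` on `opts[:payload_platforms]` unguarded, so a caller that passes platform-keyed patterns without that option (the non-Hash payload branch of `Auditable#audit` is not visible on this page, so whether it sets the option cannot be told here) would raise NoMethodError. Moving the orphan-pattern loop into the `if` branch and coercing with `Array( opts[:payload_platforms] )` fixes both, and the per-platform `dopts` dance that is written out twice can become one small helper; the redundant inner `[p].flatten.compact` at line 121 goes away with it. `match_patterns` lies entirely within this hunk; `get_matches` starts at its line 105.
```ruby
when Hash
  if opts[:platform] && patterns[opts[:platform]]
    [patterns[opts[:platform]]].flatten.compact.
      each { |pattern| matcher.call( pattern, res, opts ) }

    # Patterns for platforms that have no payloads of their own would never be
    # reached via a platform-specific response, so match them against every
    # response instead.
    payload_platforms = Array( opts[:payload_platforms] )
    patterns.each do |platform, p|
      next if payload_platforms.include?( platform )
      match_for_platform( platform, p, matcher, res, opts )
    end
  else
    patterns.each { |platform, p| match_for_platform( platform, p, matcher, res, opts ) }
  end
# … unchanged: `when Regexp, String, Array` arm above, `end` of the case and of the method …

# Runs +matcher+ over +patterns+ with opts[:platform] set to +platform+.
def match_for_platform( platform, patterns, matcher, res, opts )
  dopts = opts.dup
  dopts[:platform] = platform
  [patterns].flatten.compact.each { |pattern| matcher.call( pattern, res, dopts ) }
end
```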
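--- a/data/lib/arachni/platform/fingerprinter.rb
+++ b/data/lib/arachni/platform/fingerprinter.rb
@@ -72,14 +72,14 @@ class Fingerprinter
 @headers ||= page.response_headers.downcase
 end
 
-# @return [String. nil]
+# @return [String. nil] Downcased value of the `X-Powered-By` header.
 def powered_by
-headers['x-powered-by'].to_s
+headers['x-powered-by'].to_s.downcase
 end
 
-# @return [String. nil]
+# @return [String. nil] Downcased value of the `Server` header.
 def server
-headers['server'].to_s
+headers['server'].to_s.downcase
 end
 
 # @return [String] Downcased file extension of the page.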
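Review bot: The `@return [String. nil]` tags at new lines 75 and 80 are wrong on two counts: YARD separates alternative types with a comma, and since both bodies now end in `.to_s.downcase` the methods can only ever return a String, never nil. `# @return [String] Downcased value of the `X-Powered-By` header, empty when absent.` and the matching line for `Server` describe the actual contract. Whether `page.response_headers.downcase` at line 72 already lowercases header values or only their names cannot be told from this hunk; the added `.downcase` is harmless either way, but a short comment saying which it is would stop the next reader from asking.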
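--- a/data/lib/arachni/platform/manager.rb
+++ b/data/lib/arachni/platform/manager.rb
@@ -82,7 +82,14 @@ class Manager
 :db2,
 :coldfusion,
 :interbase,
-:informix
+:informix,
+:firebird,
+:maxdb,
+:sybase,
+:frontbase,
+:ingres,
+:hsqldb,
+:access
 ]
 
 SERVERS = [
@@ -127,6 +134,13 @@ class Manager
 coldfusion: 'ColdFusion',
 interbase: 'InterBase',
 informix: 'Informix',
+firebird: 'Firebird',
+maxdb: 'SaP Max DB',
+sybase: 'Sybase',
+frontbase: 'Frontbase',
+ingres: 'IngresDB',
+hsqldb: 'HSQLDB',
+access: 'MS Access',
 
 # Web servers
 apache: 'Apache',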
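Review bot: The display name `maxdb: 'SaP Max DB'` at new line 138 is capitalized inconsistently with the `SAP Max DB` entry in this release's CHANGELOG (the README hunk on this page carries the same `SaP` typo), and this string is what ends up in reports; `maxdb: 'SAP Max DB',` keeps the three in step. Likewise `ingres: 'IngresDB'` at line 141 is `Ingres` in the README and `IngresDB` in the CHANGELOG — one spelling should win. The symbol list at lines 85-92 and the name hash are extended in the same order, which is good; a `# Keep in sync with the display-name hash below.` comment on the list would protect that the next time a database is added.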
data/lib/arachni/platforms.rb
CHANGED
@@ -131,7 +131,7 @@ module Distributor
|
|
131
131
|
# distribution.
|
132
132
|
unique_elements_per_chunk = elements_per_chunk.map.with_index do |elements, i|
|
133
133
|
elements.reject do |element|
|
134
|
-
more_than_one_in_sets( elements_per_chunk[i..-1], element )
|
134
|
+
more_than_one_in_sets?( elements_per_chunk[i..-1], element )
|
135
135
|
end
|
136
136
|
end
|
137
137
|
|
@@ -443,7 +443,7 @@ module Distributor
|
|
443
443
|
connect_to_dispatcher( @opts.datastore[:dispatcher_url] )
|
444
444
|
end
|
445
445
|
|
446
|
-
def more_than_one_in_sets( sets, item )
|
446
|
+
def more_than_one_in_sets?( sets, item )
|
447
447
|
occurrences = 0
|
448
448
|
sets.each do |set|
|
449
449
|
occurrences += 1 if set.include?( item )
|
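--- a/data/lib/arachni/spider.rb
+++ b/data/lib/arachni/spider.rb
@@ -409,7 +409,7 @@ class Spider
 
 if res.redirection? && res.location
 @redirects << res.request.url
-location = to_absolute( res.location )
+location = to_absolute( res.location, res.request.url )
 if hit_redirect_limit? || skip?( location )
 print_info "Redirect limit reached, skipping: #{location}"
 decrease_pending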
@@ -395,7 +395,7 @@ module Utilities
|
|
395
395
|
--extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler.
|
396
396
|
(Can be used multiple times.)
|
397
397
|
|
398
|
-
--
|
398
|
+
--restrict-paths=<filepath> Use the paths in <file> instead of crawling.
|
399
399
|
(Can be used multiple times.)
|
400
400
|
|
401
401
|
--https-only Forces the system to only follow HTTPS URLs.
|
data/lib/version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.4.
|
1
|
+
0.4.5
|
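--- a/data/modules/audit/file_inclusion.rb
+++ b/data/modules/audit/file_inclusion.rb
@@ -0,0 +1,126 @@
+=begin
+Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+=end
+
+# File inclusion audit module.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/98.html
+# @see https://www.owasp.org/index.php/PHP_File_Inclusion
+class Arachni::Modules::FileInclusion < Arachni::Module::Base
+
+def self.options
+@options ||= {
+format: [Format::STRAIGHT],
+regexp: {
+unix: [
+/DOCUMENT_ROOT.*HTTP_USER_AGENT/,
+/(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+],
+windows: [
+/\[boot loader\](.*)\[operating systems\]/im,
+/\[fonts\](.*)\[extensions\]/im
+],
+tomcat: [
+/<web\-app/im
+],
+
+# Generic PHP errors.
+php: [
+/An error occurred in script/,
+/Failed opening '.*?' for inclusion/,
+/Failed opening required/,
+/failed to open stream:.*/,
+/<b>Warning<\/b>:\s+file/,
+/<b>Warning<\/b>:\s+read_file/,
+/<b>Warning<\/b>:\s+highlight_file/,
+/<b>Warning<\/b>:\s+show_source/
+],
+perl: [
+/in .* at .* line d+?\./
+]
+},
+
+# Add one more mutation (on the fly) which will include the extension
+# of the original value (if that value was a filename) after a null byte.
+each_mutation: proc do |mutation|
+m = mutation.dup
+
+# Figure out the extension of the default value, if it has one.
+ext = m.original[m.altered].to_s.split( '.' )
+ext = ext.size > 1 ? ext.last : nil
+
+# Null-terminate the injected value and append the ext.
+m.altered_value += "\x00.#{ext}"
+
+# Pass our new element back to be audited.
+m
+end
+}
+end
+
+def self.payloads
+@payloads ||= {
+unix: [
+'/proc/self/environ',
+'/etc/passwd'
+],
+windows: [
+'/boot.ini',
+'/windows/win.ini',
+'/winnt/win.ini'
+].map { |payload| [payload, "c:#{payload}", "#{payload}#{'.'* 700}"] }.flatten,
+tomcat: [ '/WEB-INF/web.xml' ]
+}.inject({}) do |h, (platform, payloads)|
+h.merge platform => payloads.map { |p| [p, "file://#{p}" ] }.flatten
+end
+end
+
+def run
+audit self.class.payloads, self.class.options
+end
+
+def self.info
+{
+name: 'File Inclusion',
+description: %q{It injects paths of common files (/etc/passwd and boot.ini)
+and evaluates the existence of a file inclusion vulnerability
+based on the presence of relevant content or errors in the HTTP responses.},
+elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+version: '0.1',
+references: {
+'OWASP' => 'https://www.owasp.org/index.php/PHP_File_Inclusion'
+},
+targets: %w(Unix Windows Tomcat PHP Perl),
+
+issue: {
+name: %q{File Inclusion},
+description: %q{The web application enforces improper limitation
+of a pathname.},
+tags: %w(file inclusion error injection regexp),
+cwe: '98',
+severity: Severity::HIGH,
+remedy_guidance: %q{User inputs must be validated and filtered
+before being used as a part of a filesystem path.}
+}
+
+}
+end
+
+end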
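Review bot: The Perl signature `/in .* at .* line d+?\./` at new line 55 is missing the backslash before `d`, so it only matches a literal run of `d` characters and a real Perl error line (`... at FILE line 42.`) never fires; `/in .* at .* line \d+\./` is what the surrounding patterns intend. In `each_mutation` (lines 65-69), when the original value has no extension `ext` is nil and the extra mutation becomes `value + "\x00."` with a dangling dot, so either `next if ext.nil?` (if the framework tolerates a nil return from this proc — not visible on this page) or `m.altered_value += ext ? "\x00.#{ext}" : "\x00"` keeps the mutation meaningful in both cases. The `'.' * 700` literal at line 87 is the only place the dot-truncation length lives; a named constant with a one-line comment, e.g. `DOT_TRUNCATION_LENGTH = 700 # trailing dots appended to the MS Windows payloads (see CHANGELOG 0.4.5)`, would say why that number.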
@@ -14,25 +14,27 @@
|
|
14
14
|
limitations under the License.
|
15
15
|
=end
|
16
16
|
|
17
|
-
#
|
18
17
|
# Simple OS command injection module.
|
19
18
|
#
|
20
19
|
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
21
20
|
#
|
22
|
-
# @version 0.2
|
21
|
+
# @version 0.2.1
|
23
22
|
#
|
24
23
|
# @see http://cwe.mitre.org/data/definitions/78.html
|
25
24
|
# @see http://www.owasp.org/index.php/OS_Command_Injection
|
26
|
-
#
|
27
25
|
class Arachni::Modules::OSCmdInjection < Arachni::Module::Base
|
28
26
|
|
29
27
|
def self.options
|
30
28
|
@opts ||= {
|
31
|
-
regexp:
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
29
|
+
regexp: {
|
30
|
+
unix: [
|
31
|
+
/(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
|
32
|
+
],
|
33
|
+
windows: [
|
34
|
+
/\[boot loader\](.*)\[operating systems\]/im,
|
35
|
+
/\[fonts\](.*)\[extensions\]/im
|
36
|
+
]
|
37
|
+
},
|
36
38
|
format: [ Format::STRAIGHT, Format::APPEND ]
|
37
39
|
}
|
38
40
|
end
|
@@ -62,7 +64,7 @@ class Arachni::Modules::OSCmdInjection < Arachni::Module::Base
|
|
62
64
|
description: %q{Tries to find operating system command injections.},
|
63
65
|
elements: [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
|
64
66
|
author: 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
|
65
|
-
version: '0.2',
|
67
|
+
version: '0.2.1',
|
66
68
|
references: {
|
67
69
|
'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection'
|
68
70
|
},
|
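Review bot: The `unix` and `windows` signature regexes at new lines 31-35 are byte-for-byte the same as the ones in the new `file_inclusion.rb` on this page (its `options` lines 33 and 36-37), so the two modules will drift apart the next time a signature is tuned; unless module files must stay self-contained, a shared constant (for example on `Arachni::Module::Base` or a small mixin) referenced from both would keep them aligned. `@opts ||=` here versus `@options ||=` in `file_inclusion.rb` is a further naming inconsistency between sibling modules. The `self.options` method is entirely within the first hunk (lines 27-40).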