arachni 0.4.4 → 0.4.5

data/modules/audit/path_traversal.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # Path Traversal audit module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.3
+# @version 0.4
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
 # @see http://projects.webappsec.org/Path-Traversal
-#
 class Arachni::Modules::PathTraversal < Arachni::Module::Base
 
     MINIMUM_TRAVERSALS = 0
@@ -33,14 +31,19 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
     def self.options
         @options ||= {
             format: [Format::STRAIGHT],
-            regexp: [
-                /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
-                /root:[x\*]:0:0:.+:[0-9a-zA-Z\/]+/im,
-                /mail:x:\d+:\d+:.+:[0-9a-zA-Z\/]+/im,
-                /\[boot loader\](.*)\[operating systems\]/im,
-                /\[fonts\](.*)\[extensions\]/im,
-                /<web\-app/im
-            ],
+            regexp: {
+                unix: [
+                    /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
+                    /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+                ],
+                windows: [
+                    /\[boot loader\](.*)\[operating systems\]/im,
+                    /\[fonts\](.*)\[extensions\]/im
+                ],
+                tomcat: [
+                    /<web\-app/im
+                ]
+            },
 
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
@@ -72,23 +75,20 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
                 'boot.ini',
                 'windows/win.ini',
                 'winnt/win.ini'
-            ]
+            ].map { |payload| [payload, "#{payload}#{'.'* 700}"] }.flatten
         }.inject({}) do |h, (platform, payloads)|
             h[platform] = payloads.map do |payload|
                 trv = '/'
-                prefix = (platform == :windows ? 'c:' : nil)
-
-                [ "#{prefix}/#{payload}", "file://#{prefix}/#{payload}" ] +
-                    (MINIMUM_TRAVERSALS..MAXIMUM_TRAVERSALS).map do
-                        trv << '../'
-                        [ "#{trv}#{payload}", "file://#{trv}#{payload}" ]
-                    end
+                (MINIMUM_TRAVERSALS..MAXIMUM_TRAVERSALS).map do
+                    trv << '../'
+                    [ "#{trv}#{payload}", "file://#{trv}#{payload}" ]
+                end
             end.flatten
 
             h
         end
 
-        @payloads[:tomcat] = [ '', '/', '/../../', '../../', ].map do |trv|
+        @payloads[:tomcat] = [ '/../../', '../../', ].map do |trv|
              [ "#{trv}WEB-INF/web.xml", "file://#{trv}WEB-INF/web.xml" ]
         end.flatten
 
@@ -107,7 +107,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
                 based on the presence of relevant content in the HTML responses.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.3.3',
+            version:     '0.4',
             references:  {
                 'OWASP' => 'http://www.owasp.org/index.php/Path_Traversal',
                 'WASC'  => 'http://projects.webappsec.org/Path-Traversal'

data/modules/audit/source_code_disclosure.rb

@@ -27,21 +27,22 @@ class Arachni::Modules::SourceCodeDisclosure < Arachni::Module::Base
 
     def self.options
         @options ||= {
-            format:        [Format::STRAIGHT],
-            regexp:        [
-                # PHP
-                /<\?php/,
-
-                # JSP
-                /<%|<%=|<%@\s+page|<%@\s+include|<%--|import\s+javax.servlet|
-                    import\s+java.io|import=['"]java.io|request\.getParameterValues\(|
-                    response\.setHeader|response\.setIntHeader\(/m,
-
-                # ASP
-                /<%|Response\.Write|Request\.Form|Request\.QueryString|
-                    Response\.Flush|Session\.SessionID|Session\.Timeout|
-                    Server\.CreateObject|Server\.MapPath/im
-            ],
+            format:  [Format::STRAIGHT],
+            regexp:  {
+                php: [
+                    /<\?php/
+                ],
+                jsp: [
+                    /<%|<%=|<%@\s+page|<%@\s+include|<%--|import\s+javax.servlet|
+                        import\s+java.io|import=['"]java.io|request\.getParameterValues\(|
+                        response\.setHeader|response\.setIntHeader\(/m
+                ],
+                asp: [
+                    /<%|Response\.Write|Request\.Form|Request\.QueryString|
+                        Response\.Flush|Session\.SessionID|Session\.Timeout|
+                        Server\.CreateObject|Server\.MapPath/im
+                ]
+            },
 
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.

data/modules/audit/sqli.rb

@@ -14,23 +14,29 @@
     limitations under the License.
 =end
 
-#
 # SQL Injection audit module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.7
+# @version 0.2
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://unixwiz.net/techtips/sql-injection.html
 # @see http://en.wikipedia.org/wiki/SQL_injection
 # @see http://www.securiteam.com/securityreviews/5DP0N1P76E.html
 # @see http://www.owasp.org/index.php/SQL_Injection
-#
 class Arachni::Modules::SQLInjection < Arachni::Module::Base
 
     def self.error_patterns
-        @error_patterns ||= read_file( 'regexp_ids.txt' )
+        return @error_patterns if @error_patterns
+
+        @error_patterns = {}
+        Dir[File.dirname( __FILE__ ) + '/sqli/patterns/*'].each do |file|
+            @error_patterns[File.basename( file ).to_sym] =
+                IO.read( file ).split( "\n" )
+        end
+
+        @error_patterns
     end
 
     def self.ignore_patterns
@@ -62,14 +68,15 @@ class Arachni::Modules::SQLInjection < Arachni::Module::Base
             description: %q{SQL injection module, uses known SQL DB errors to identify vulnerabilities.},
             elements:    [Element::LINK, Element::FORM, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.7',
+            version:     '0.2',
             references:  {
                 'UnixWiz'    => 'http://unixwiz.net/techtips/sql-injection.html',
                 'Wikipedia'  => 'http://en.wikipedia.org/wiki/SQL_injection',
                 'SecuriTeam' => 'http://www.securiteam.com/securityreviews/5DP0N1P76E.html',
                 'OWASP'      => 'http://www.owasp.org/index.php/SQL_Injection'
             },
-            targets:     %w(Oracle ColdFusion InterBase PostgreSQL MySQL MSSQL EMC SQLite DB2 Informix),
+            targets:     %w(Oracle ColdFusion InterBase PostgreSQL MySQL MSSQL EMC
+                            SQLite DB2 Informix Firebird MaxDB Sybase Frontbase Ingres HSQLDB),
             issue:       {
                 name:            %q{SQL Injection},
                 description:     %q{SQL code can be injected into the web application.},

data/modules/audit/sqli/patterns/access

@@ -0,0 +1,3 @@
+JET Database Engine
+Access Database Engine
+\[Microsoft\]\[ODBC Microsoft Access Driver\]

data/modules/audit/sqli/patterns/coldfusion

@@ -0,0 +1 @@
+\[Macromedia\]\[SQLServer JDBC Driver\]

data/modules/audit/sqli/patterns/db2

@@ -0,0 +1,5 @@
+DB2 SQL error:
+\[IBM\]\[CLI Driver\]\[DB2/6000\]
+CLI Driver.*DB2
+DB2 SQL error
+db2_\w+\(

data/modules/audit/sqli/patterns/emc

@@ -0,0 +1,2 @@
+\[DM_QUERY_E_SYNTAX\]
+has occurred in the vicinity of:

data/modules/audit/sqli/patterns/firebird

@@ -0,0 +1,2 @@
+Dynamic SQL Error
+

data/modules/audit/sqli/patterns/frontbase

@@ -0,0 +1 @@
+Exception (condition )?\d+\. Transaction rollback\.

data/modules/audit/sqli/patterns/hsqldb

@@ -0,0 +1 @@
+org\.hsqldb\.jdbc

data/modules/audit/sqli/patterns/informix

@@ -0,0 +1,3 @@
+An illegal character has been found in the statement
+com\.informix\.jdbc
+Exception.*Informix

data/modules/audit/sqli/patterns/ingres

@@ -0,0 +1,3 @@
+Warning.*ingres_
+Ingres SQLSTATE
+Ingres\W.*Driver

data/modules/audit/sqli/patterns/interbase

@@ -0,0 +1,2 @@
+<b>Warning</b>: ibase_
+Unexpected end of command in statement

data/modules/audit/sqli/patterns/maxdb

@@ -0,0 +1,2 @@
+SQL error.*POS([0-9]+).*
+Warning.*maxdb.*

data/modules/audit/sqli/patterns/mssql

@@ -0,0 +1,24 @@
+System\.Data\.OleDb\.OleDbException
+\[Microsoft\]\[ODBC SQL Server Driver\]
+\[SqlException
+System\.Data\.SqlClient\.SqlException
+Unclosed quotation mark after the character string
+'80040e14'
+mssql_query\(\)
+Microsoft OLE DB Provider for ODBC Drivers
+Microsoft OLE DB Provider for SQL Server
+Incorrect syntax near
+Sintaxis incorrecta cerca de
+Syntax error in string in query expression
+Procedure or function .* expects parameter
+Unclosed quotation mark before the character string
+Syntax error .* in query expression
+Data type mismatch in criteria expression\.
+ADODB\.Field \(0x800A0BCD\)
+the used select statements have different number of columns
+OLE DB.*SQL Server
+Warning.*mssql_.*
+Driver.*SQL[\-\_\ ]*Server
+SQL Server.*Driver
+SQL Server.*[0-9a-fA-F]{8}
+Exception.*\WSystem\.Data\.SqlClient\.

data/modules/audit/sqli/patterns/mysql

@@ -0,0 +1,15 @@
+supplied argument is not a valid MySQL
+Column count doesn't match value count at row
+mysql_fetch_array\(\)
+on MySQL result index
+You have an error in your SQL syntax;
+You have an error in your SQL syntax near
+MySQL server version for the right syntax to use
+\[MySQL\]\[ODBC
+Column count doesn't match
+Table '[^']+' doesn't exist
+SQL syntax.*MySQL
+Warning.*mysql_.*
+valid MySQL result
+MySqlClient\.
+

data/modules/audit/sqli/patterns/oracle

@@ -0,0 +1,6 @@
+ORA-[0-9][0-9][0-9][0-9]
+java\.sql\.SQLException
+Oracle error
+Oracle.*Driver
+Warning.*oci_.*
+Warning.*ora_.*

data/modules/audit/sqli/patterns/pgsql

@@ -0,0 +1,8 @@
+PostgreSQL query failed:
+supplied argument is not a valid PostgreSQL result
+pg_query\(\) \[:
+pg_exec\(\) \[:
+PostgreSQL.*ERROR
+Warning.*pg_.*
+valid PostgreSQL result
+Npgsql\.

data/modules/audit/sqli/patterns/sqlite

@@ -0,0 +1,5 @@
+Warning.*sqlite_.*
+Warning.*SQLite3::
+SQLite/JDBCDriver
+SQLite\.Exception
+System\.Data\.SQLite\.SQLiteException

data/modules/audit/sqli/patterns/sybase

@@ -0,0 +1,3 @@
+Sybase message:
+Warning.*sybase.*
+Sybase.*Server message.*

data/modules/recon/common_files/filenames.txt

@@ -17,3 +17,4 @@ wp-admin/setup-config.php
 config.php
 php.ini
 error_log
+elmah.axd

data/modules/recon/localstart_asp.rb

@@ -0,0 +1,67 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# localstart.asp recon module.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+class Arachni::Modules::LocalstartASP < Arachni::Module::Base
+
+    def run
+        return if page.platforms.os.any? && !page.platforms.os.include?( :windows )
+
+        path = get_path( page.url )
+        return if audited?( path )
+        audited path
+
+        http.get( "#{path}/#{seed}" ) do |response|
+            # If it needs auth by default then don't bother checking because
+            # we'll get an FP.
+            return if response.code == 401
+
+            url = "#{path}/localstart.asp"
+
+            print_status "Checking: #{url}"
+            http.get( url, &method( :check_and_log ) )
+        end
+    end
+
+    def check_and_log( response )
+        return if response.code != 401
+
+        log( { element: Element::SERVER }, response )
+    end
+
+    def self.info
+        {
+            name:        'localstart.asp',
+            description: %q{Checks for localstart.asp.},
+            elements:    [ Element::SERVER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1',
+            targets:     %w(Generic),
+            issue:       {
+                name:            %q{Exposed localstart.asp page},
+                description:     %q{The default management ISS page localstart.asp
+                    is still on the server.},
+                tags:            %w(asp iis server),
+                severity:        Severity::LOW
+            }
+        }
+    end
+
+end

data/path_extractors/comments.rb

@@ -0,0 +1,30 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+require 'uri'
+
+# Extract paths from HTML comments.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+# @version 0.1
+class Arachni::Parser::Extractors::Comments < Arachni::Parser::Extractors::Base
+
+    def run( doc )
+        doc.xpath( '//comment()' ).map(&:text).join.
+            scan( /[\/a-zA-Z0-9%._-]+/ ).select { |s| s.include? '/' }
+    end
+
+end

data/path_extractors/meta_refresh.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.1
+# @version 0.1.2
 #
 class Arachni::Parser::Extractors::MetaRefresh < Arachni::Parser::Extractors::Base
 
@@ -31,7 +31,13 @@ class Arachni::Parser::Extractors::MetaRefresh < Arachni::Parser::Extractors::Ba
     # @return   [Array<String>]  paths
     #
     def run( doc )
-        doc.search( "//meta[@http-equiv='refresh']" ).map do |url|
+        doc.search( "//meta[
+                translate(
+                    @http-equiv,
+                        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+                        'abcdefghijklmnopqrstuvwxyz'
+                    ) = 'refresh'
+            ]" ).map do |url|
             begin
                 _, url = url['content'].split( ';', 2 )
                 next if !url
@@ -40,8 +46,6 @@ class Arachni::Parser::Extractors::MetaRefresh < Arachni::Parser::Extractors::Ba
                 next
             end
         end
-    rescue
-        nil
     end
 
     def unquote( str )

data/plugins/uncommon_headers.rb

@@ -0,0 +1,91 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+#
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+class Arachni::Plugins::UncommonHeaders < Arachni::Plugin::Base
+
+    is_distributable
+
+    COMMON = Set.new([
+         'content-type',
+         'content-length',
+         'server',
+         'connection',
+         'accept-ranges',
+         'age',
+         'allow',
+         'cache-control',
+         'content-encoding',
+         'content-language',
+         'content-range',
+         'date',
+         'etag',
+         'expires',
+         'last-modified',
+         'location',
+         'pragma',
+         'proxy-authenticate',
+         'set-cookie',
+         'trailer',
+         'transfer-encoding'
+    ])
+
+    def prepare
+        @headers_per_url = Hash.new do |h, url|
+            h[url] = {}
+        end
+    end
+
+    def run
+        http.add_on_complete do |response|
+            headers = response.headers_hash.
+                select { |name, _| !COMMON.include?( name.to_s.downcase ) }
+
+            @headers_per_url[response.effective_url].merge! headers
+        end
+    end
+
+    def clean_up
+        wait_while_framework_running
+        register_results @headers_per_url
+    end
+
+    def self.merge( results )
+        merged = Hash.new do |h, url|
+            h[url] = {}
+        end
+
+        results.each do |headers_per_url|
+            headers_per_url.each do |url, headers|
+                merged[url].merge! headers
+            end
+        end
+
+        merged
+    end
+
+    def self.info
+        {
+            name:        'Uncommon headers',
+            description: %q{Intercepts HTTP responses and logs uncommon headers.},
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1'
+        }
+    end
+
+end