arachni 0.2.3 → 0.2.4

data/CHANGELOG.md

@@ -1,7 +1,27 @@
 
 # ChangeLog
 
-## Version 0.2.3 _(Under development)_
+## Version 0.2.4 _(July 1, 2011)_
+- HTTP
+   - Implemented a 10s time-out [Issue #40]
+- Command Line Interface
+   - The interrupt handler (Ctrl+C) now presents the option to generate reports mid-scan. [Issue #41]
+   - Added a counter of timed-out requests in the stats.
+- WebUI
+   - The "Replay" form's action attribute now contains the full URL, including params. [Issue #38]
+   - Fixed path clash that caused the "shutdown" button in the Dispatchers screen not to work. [Issue #39]
+   - Fixed mix-up of output messages from different instances. [Issue #36]
+   - Added a counter of timed-out requests in "Instance" screens.
+- External
+    - Metasploit
+       - Updated SQL injection exploit module to work with SQLmap 0.9. [Issue #37]
+- Reports
+   - HTML
+      - Fixed yet another error condition occuring with broken encodings. [Issue #31]
+- Auditor
+   - Timing attacks now have a "control" to verify that the server is indeed alive i.e. requests won't time-out by default.
+
+## Version 0.2.3 _(May 22, 2011)_
 - WebUI
    - Added connection cache for XMLRPC server instances to remove HTTPS handshake overhead and take advantage of keep-alive support.
    - Added initial support for management of multiple Dispatchers.

data/README.md

@@ -2,7 +2,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>0.2.3</td>
+        <td>0.2.4</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -229,11 +229,12 @@ Still, this can be an invaluable asset to Fuzzer modules.
 
 ### CDE packages for Linux
 
-Arachni is released as [CDE packages](http://stanford.edu/~pgbovine/cde.html) for your convinience.<br/>
+<del>Arachni is released as [CDE packages](http://stanford.edu/~pgbovine/cde.html) for your convinience.<br/>
 CDE packages are self contained and thus alleviate the need for Ruby and other dependencies to be installed or root access.<br/>
 You can download the latest CDE package from the [download](https://github.com/Zapotek/arachni/downloads) page and escape the dependency hell.<br/>
-If you decide to go the CDE route you can skip the rest, you're done.
+If you decide to go the CDE route you can skip the rest, you're done.</del>
 
+Due to some incompatibility this release does not have a CDE package yet.
 
 ### Gem
 

data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb

@@ -2,91 +2,90 @@ require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
 
-	include Msf::Exploit::Remote::HttpClient
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'          => 'Arachni SQLMAP SQL Injection External Module',
-			'Description'   => %q{
-
-				This module is designed to be used with the Arachni plug-in.
-
-				From the original:
-
-					This module launches an sqlmap session.
-				sqlmap is an automatic SQL injection tool developed in Python.
-				Its goal is to detect and take advantage of SQL injection
-				vulnerabilities on web applications. Once it detects one
-				or more SQL injections on the target host, the user can
-				choose among a variety of options to perform an extensive
-				back-end database management system fingerprint, retrieve
-				DBMS session user and database, enumerate users, password
-				hashes, privileges, databases, dump entire or user
-				specific DBMS tables/columns, run his own SQL SELECT
-				statement, read specific files on the file system and much
-				more.
-			},
-			'Author'        => [
-				'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # modified to work with the Arachni plug-in
-				'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' # original module: auxiliary/scanner/http/sqlmap.rb
-			],
-			'License'       => BSD_LICENSE,
-			'Version'       => '$Revision: 9212 $',
-			'References'    =>
-				[
-					['URL', 'http://github.com/Zapotek/arachni'],
-					['URL', 'http://sqlmap.sourceforge.net'],
-				]
-			))
-
-		register_options(
-			[
-				OptString.new('METHOD', [ true,  "HTTP Method", 'GET' ]),
-				OptString.new('PATH', [ true,  "The path to test for SQL injection", 'index.php' ]),
-				OptString.new('GET', [ false, "HTTP GET query", 'id=1' ]),
-				OptString.new('POST', [ false, "The data string to be sent through POST", '' ]),
-				OptString.new('COOKIES', [ false, "", '' ]),
-				OptString.new('OPTS', [ false,  "The sqlmap options to use", '--users --time-test --passwords --dbs --sql-shell -v 0' ]),
-				OptPath.new('SQLMAP_PATH', [ true,  "The sqlmap >= 0.8 full path ", 'sqlmap' ]),
-			], self.class)
-	end
-
-	def run
-
-		sqlmap = datastore['SQLMAP_PATH']
-
-		if not sqlmap
-			print_error("The sqlmap script could not be found")
-			return
-		end
-
-		data   = datastore['POST'].gsub( 'XXinjectionXX', '' )
-		method = datastore['METHOD'].upcase
-
-		sqlmap_url  = (datastore['SSL'] ? "https" : "http")
-		sqlmap_url += "://" + datastore['RHOST'] + ":" + datastore['RPORT']
-		sqlmap_url += "/" + datastore['PATH']
-
-		if method == "GET"
-			sqlmap_url += '?' + datastore['GET'].gsub( 'XXinjectionXX', '' )
-		end
-
-		cmd  = sqlmap + ' -u \'' + sqlmap_url + '\''
-		cmd += ' --method ' + method
-		cmd += ' ' + datastore['OPTS']
-		cmd += ' --cookie \'' + datastore['COOKIES'].to_s + '\'' if datastore['COOKIES']
-
-		if not data.empty?
-			cmd += ' --data \'' + data + '\''
-		end
-
-		if datastore['BATCH'] == true
-			cmd += ' --batch'
-		end
-
-		print_status("exec: #{cmd}")
-		system( cmd )
-	end
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Arachni SQLMAP SQL Injection External Module',
+      'Description'   => %q{
+
+        This module is designed to be used with the Arachni plug-in.
+
+        From the original:
+
+          This module launches an sqlmap session.
+        sqlmap is an automatic SQL injection tool developed in Python.
+        Its goal is to detect and take advantage of SQL injection
+        vulnerabilities on web applications. Once it detects one
+        or more SQL injections on the target host, the user can
+        choose among a variety of options to perform an extensive
+        back-end database management system fingerprint, retrieve
+        DBMS session user and database, enumerate users, password
+        hashes, privileges, databases, dump entire or user
+        specific DBMS tables/columns, run his own SQL SELECT
+        statement, read specific files on the file system and much
+        more.
+      },
+      'Author'        => [
+        'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # modified to work with the Arachni plug-in
+        'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' # original module: auxiliary/scanner/http/sqlmap.rb
+      ],
+      'License'       => BSD_LICENSE,
+      'Version'       => '$Revision: 9212 $',
+      'References'    =>
+        [
+          ['URL', 'http://github.com/Zapotek/arachni'],
+          ['URL', 'http://sqlmap.sourceforge.net'],
+        ]
+      ))
+
+    register_options(
+      [
+        OptString.new('METHOD', [ true,  "HTTP Method", 'GET' ]),
+        OptString.new('PATH', [ true,  "The path to test for SQL injection", 'index.php' ]),
+        OptString.new('GET', [ false, "HTTP GET query", 'id=1' ]),
+        OptString.new('POST', [ false, "The data string to be sent through POST", '' ]),
+        OptString.new('COOKIES', [ false, "", '' ]),
+        OptString.new('OPTS', [ false,  "The sqlmap options to use", '--users --dbs --sql-shell -v 0' ]),
+        OptPath.new('SQLMAP_PATH', [ true,  "The sqlmap 0.9 full path ", 'sqlmap' ]),
+      ], self.class)
+  end
+
+  def run
+
+    sqlmap = datastore['SQLMAP_PATH']
+
+    if not sqlmap
+      print_error("The sqlmap script could not be found")
+      return
+    end
+
+    data   = datastore['POST'].gsub( 'XXinjectionXX', '' )
+    method = datastore['METHOD'].upcase
+
+    sqlmap_url  = (datastore['SSL'] ? "https" : "http")
+    sqlmap_url += "://" + datastore['RHOST'] + ":" + datastore['RPORT']
+    sqlmap_url += "/" + datastore['PATH']
+
+    if method == "GET"
+      sqlmap_url += '?' + datastore['GET'].gsub( 'XXinjectionXX', '' )
+    end
+
+    cmd  = sqlmap + ' -u \'' + sqlmap_url + '\''
+    cmd += ' ' + datastore['OPTS']
+    cmd += ' --cookie \'' + datastore['COOKIES'].to_s + '\'' if datastore['COOKIES']
+
+    if not data.empty?
+      cmd += ' --data \'' + data + '\''
+    end
+
+    if datastore['BATCH'] == true
+      cmd += ' --batch'
+    end
+
+    print_status("exec: #{cmd}")
+    system( cmd )
+  end
 
 end
 

data/lib/arachni.rb

@@ -11,6 +11,6 @@
 module Arachni
 
     # the universal system version
-    VERSION      = '0.2.3'
+    VERSION      = '0.2.4'
 
 end

data/lib/framework.rb

@@ -57,7 +57,7 @@ module Arachni
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2.2
+# @version: 0.2.3
 #
 class Framework
 
@@ -217,6 +217,7 @@ class Framework
         return {
             :requests   => req_cnt,
             :responses  => res_cnt,
+            :time_out_count  => http.time_out_count,
             :time       => audit_store.delta_time,
             :avg        => ( res_cnt / @opts.delta_time ).to_i.to_s,
             :sitemap_size  => @sitemap.size,

data/lib/http.rb

@@ -66,6 +66,8 @@ class HTTP
     attr_reader :request_count
     attr_reader :response_count
 
+    attr_reader :time_out_count
+
     attr_reader :curr_res_time
     attr_reader :curr_res_cnt
 
@@ -127,11 +129,12 @@ class HTTP
             :user_agent      => opts.user_agent,
             :follow_location => false,
             :disable_ssl_peer_verification => true,
-            # :timeout         => 8000
+            :timeout         => 10000
         }.merge( proxy_opts )
 
         @request_count  = 0
         @response_count = 0
+        @time_out_count = 0
 
         # we'll use it to identify our requests
         @rand_seed = seed( )
@@ -242,6 +245,11 @@ class HTTP
             print_debug( 'Train?: ' + res.request.train?.to_s  )
             print_debug( '------------' )
 
+            if res.timed_out?
+                print_error( 'Request timed-out! -- ID# ' + res.request.id.to_s )
+                @time_out_count += 1
+            end
+
             if( req.train? )
                 # handle redirections
                 if( ( redir = redirect?( res.dup ) ).is_a?( String ) )

data/lib/module/auditor.rb

@@ -20,7 +20,7 @@ module Module
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2.2
+# @version: 0.2.3
 #
 module Auditor
 
@@ -359,17 +359,28 @@ module Auditor
             ( (opts[:timeout] + 3000) / opts[:timeout_divider] ).to_s )
 
         elem.auditor( self )
-        elem.audit( str, opts ) {
+
+        # this is the control; audit the element with an empty seed to make sure
+        # that the web page is alive i.e won't time-out by default
+        elem.audit( '' , opts ) {
             |res, opts|
+            if !res.timed_out?
+
+                elem.audit( str, opts ) {
+                    |res, opts|
 
-            if res.timed_out?
+                    if res.timed_out?
+
+                        # all issues logged by timing attacks need manual verification.
+                        # end of story.
+                        opts[:verification] = true
+                        log( opts, res)
+                    end
+                }
 
-                # all issues logged by timing attacks need manual verification.
-                # end of story.
-                opts[:verification] = true
-                log( opts, res)
             end
         }
+
     end
 
     def audit_timeout_debug_msg( phase, delay )

data/lib/ui/cli/cli.rb

@@ -26,7 +26,7 @@ module UI
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.6
+# @version: 0.1.7
 # @see Arachni::Framework
 #
 class CLI
@@ -141,6 +141,7 @@ class CLI
         print_info( "Burst response count total   #{stats[:curr_res_cnt]} " )
         print_info( "Burst average response time  #{stats[:average_res_time]}" )
         print_info( "Burst average                #{stats[:curr_avg]} requests/second" )
+        print_info( "Timed-out requests           #{stats[:time_out_count]}" )
         print_info( "Original max concurrency     #{@opts.http_req_limit}" )
         print_info( "Throttled max concurrency    #{stats[:max_concurrency]}" )
 
@@ -166,13 +167,20 @@ class CLI
         @interrupt_handler = Thread.new {
 
              Thread.new {
-                if gets[0] == 'e'
-                    @@only_positives = false
-                    unmute!
-                    @interrupt_handler.kill
 
-                     print_info( 'Exiting...' )
-                     exit 0
+                case gets[0]
+
+                    when 'e'
+                        @@only_positives = false
+                        unmute!
+                        @interrupt_handler.kill
+
+                        print_info( 'Exiting...' )
+                        exit 0
+
+                    when 'r'
+                        unmute!
+                        @arachni.reports.run( @arachni.audit_store( ) )
                 end
 
                 @@only_positives = only_positives_opt
@@ -196,7 +204,7 @@ class CLI
                     exit 0
                 end
 
-                print_info( 'Continue? (hit \'enter\' to continue, \'e\' to exit)' )
+                print_info( 'Continue? (hit \'enter\' to continue, \'r\' to generate reports and \'e\' to exit)' )
                 mute!
 
                 ::IO::select( nil, nil, nil, 1 )

data/lib/ui/web/output_stream.rb

@@ -62,13 +62,13 @@ module Web
 
             self << @instance.service.output
 
-            @@last_output ||= ''
+            @last_output ||= ''
             cnt = 0
 
             if @buffer.empty?
-                yield @@last_output
+                yield @last_output
             else
-                @@last_output = ''
+                @last_output = ''
             end
 
             while( ( out = @buffer.pop ) && ( ( cnt += 1 ) < @lines ) )
@@ -80,7 +80,7 @@ module Web
 
                 icon = @icon_whitelist[type] || ''
                 str = icon + CGI.escapeHTML( " #{out.values[0]}" ) + "<br/>"
-                @@last_output << str
+                @last_output << str
                 yield str
 
             end

data/lib/ui/web/server.rb

@@ -42,14 +42,14 @@ require Arachni::Options.instance.dir['lib'] + 'ui/web/output_stream'
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.3
+# @version: 0.1.4
 #
 # @see Arachni::RPC::XML::Client::Instance
 # @see Arachni::RPC::XML::Client::Dispatcher
 #
 module Web
 
-    VERSION = '0.1.3'
+    VERSION = '0.1.4'
 
 class Server < Sinatra::Base
 
@@ -658,7 +658,7 @@ class Server < Sinatra::Base
     #
     # shuts down all instances
     #
-    post "/dispatchers/:url/shutdown" do
+    post "/dispatchers/:url/shutdown_all" do
         shutdown_all( params[:url] )
         redirect '/dispatchers'
     end
@@ -789,7 +789,9 @@ class Server < Sinatra::Base
         begin
             arachni = connect_to_instance( params[:url] )
             if arachni.framework.busy?
-                { 'data' => OutputStream.new( arachni, 38 ).data }.to_json
+                @@output_streams ||= {}
+                @@output_streams[params[:url]] ||= OutputStream.new( arachni, 38 )
+                { 'data' => @@output_streams[params[:url]].data }.to_json
             else
                 settings.log.instance_shutdown( env, params[:url] )
                 save_and_shutdown( arachni )
@@ -873,7 +875,7 @@ class Server < Sinatra::Base
                 arachni.service.shutdown!
             end
         rescue
-            flash.now[:notice] = "Instance at #{params[:url]} has already been shutdown."
+            flash.now[:notice] = "Instance at #{params[:url]} has been shutdown."
             erb params[:splat][0].to_sym, { :layout => true }, :shutdown => true, :stats => dispatcher_stats
         end
     end

data/lib/ui/web/server/views/dispatchers.erb

@@ -21,7 +21,7 @@
         </h2>
 
         <%if !dispatcher_stats['running_jobs'].empty? %>
-        <form action="/dispatchers/<%=sanitize_url( d_url.dup )%>/shutdown" method="post">
+        <form action="/dispatchers/<%=sanitize_url( d_url.dup )%>/shutdown_all" method="post">
             <%= csrf_tag %>
             <input type="submit" value="Shutdown all" />
         </form>

data/lib/ui/web/server/views/instance.erb

@@ -48,6 +48,7 @@
                 <ul>
                     <li>Current max concurrency: <span id="max_concurrency">0</span> requests</li>
                     <li>Average response time: <span id="average_res_time">0</span> ms</li>
+                    <li>Timed-out requests: <span id="time_out_count">0</span></li>
                     <li>Current page: <span id="current_page">0</span></li>
                 </ul>
 
@@ -123,6 +124,7 @@
                     document.getElementById( 'crawled' ).innerHTML = stats.sitemap_size;
                     document.getElementById( 'current_page' ).innerHTML = stats.current_page;
                     document.getElementById( 'average_res_time' ).innerHTML = stats.average_res_time;
+                    document.getElementById( 'time_out_count' ).innerHTML = stats.time_out_count;
                     document.getElementById( 'max_concurrency' ).innerHTML = stats.max_concurrency;
 
                     percentage = (stats.auditmap_size / stats.sitemap_size) * 100

data/lib/ui/web/server/views/output_results.erb

@@ -33,7 +33,7 @@
 
                  <% if issue.method && (issue.elem.downcase == 'form' || issue.elem.downcase == 'link' ) &&
                        ( issue.method.downcase == 'get' || issue.method.downcase == 'post' ) %>
-                    <form style="display:inline" action="<%=issue.url%>" target="_blank" method="<%=issue.method.downcase%>">
+                    <form style="display:inline" action="<%=issue.variations[0]['url']%>" target="_blank" method="<%=issue.method.downcase%>">
                         <% if issue.variations[0]['opts'][:combo]%>
                             <%issue.variations[0]['opts'][:combo].each_pair do |name, value|%>
                                 <input type="hidden" name="<%=escape(name)%>" value="<%=escape( value )%>" />

data/reports/html.rb

@@ -11,6 +11,7 @@
 require 'erb'
 require 'base64'
 require 'cgi'
+require 'iconv'
 
 module Arachni
 
@@ -24,7 +25,7 @@ module Reports
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2.1
+# @version: 0.2.2
 #
 class HTML < Arachni::Report::Base
 
@@ -87,15 +88,15 @@ class HTML < Arachni::Report::Base
       "\"" + str.gsub( "\n", '\n' ) + "\"";
     end
 
+    def normalize( str )
+        ic = ::Iconv.new( 'UTF-8//IGNORE', 'UTF-8' )
+        ic.iconv( str + ' ' )[0..-2]
+    end
+
     def escapeHTML( str )
         # carefully escapes HTML and converts to UTF-8
         # while removing invalid character sequences
-        begin
-            return CGI.escapeHTML( str )
-        rescue
-            ic = Iconv.new( 'UTF-8//IGNORE', 'UTF-8' )
-            return CGI.escapeHTML( ic.iconv( str + ' ' )[0..-2] )
-        end
+        return CGI.escapeHTML( normalize( str ) )
     end
 
     def self.prep_description( str )

metadata

@@ -2,7 +2,7 @@
 name: arachni
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.2.3
+  version: 0.2.4
 platform: ruby
 authors: 
 - Tasos Laskos
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-22 00:00:00 +01:00
+date: 2011-07-01 00:00:00 +03:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency