arachni 0.4.4 → 0.4.5

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NGVjNDkxZDVkMmEyM2I5ODAxZjg0ZDI0NTk2NjBkNWY0MDIyMTZhZg==
+    MTJjMzVjNDlhODJlOTFlNGFiY2ZkNGVjOGE3MTEyOWQ4ZGE0NTI4Yg==
   data.tar.gz: !binary |-
-    M2Y1NGFjN2EzNTBhMDRiYmI4ZDc1ZTY1ZTY4NmRhZGFhMTE3MWQ3NA==
+    NTQxM2I3OWU3YTc0ZDU5NTg2YzY5MjZiYzRkYjFjMGIwZTkxZjI4ZQ==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    N2MwNzBhYzQ5NGJiYjhlYzZiNjMwMWE2ZjQ0NzEzNWY0MDI1YmNhYmFjMTk0
-    MWMyOGVkODRlMzczODNhZWJkNmJkNTJlNDllZjEzZTJiMzUyMjI5NzhkMzMz
-    N2NlNjA0YTc2YzUyNjU3MDdiMmE2OTExZDU3YmIwY2E1NDU1YTc=
+    NmU0Y2ExMWQ3ZjhmN2UzZGMyYzEwMThlOTRiY2M4NDQ2MjQyMGVjZDhlMjli
+    ODAxNDEzMmE4ODIxYmVhMzBiOTNiNDljYmE0MmQ0ZmZiMTVmNzZkYjJiODFm
+    MWE1YzE3ODJiY2Y2OGJiMDhiNjZmYzAxZTMyZDgyMDU1NmQ3NDM=
   data.tar.gz: !binary |-
-    NDAyNGRiNjVhMTY5ZTk4MDJiMzMxMWEyNDljZjgwODk1NzMyOGQ2NWM3Yzcy
-    NmExYzc1MGFjYWFmOTAwMDdjYjY3NGZkMDc5ZDQ1M2ZjNWY3ZjJkMTc2MGUx
-    YmQzNTY3MWMzNjE3YTIxN2M1NGJkMjE3MjJhMTc5MjVlZTVlNzM=
+    MWRkZDg5NjBhZTNhN2M1MjkzYTc2ZjM4YzhkZGMwN2Y0ZjIzNDA2MDY1YTE1
+    MjFlN2I1ZTkyNjc4YmZiZDRjNWE1ODY2MTZkNjk2MzY1MTU2MDY5NDA1ZGNi
+    YWM5MGVhMTUzZjVkYTNlNDJmMmEyZjFkZDBiZjNhNjNlZTdlY2M=

data/CHANGELOG.md

@@ -1,5 +1,42 @@
 # ChangeLog
 
+## 0.4.5 _(September 12, 2013)_
+
+- `Element::Capabilities::Auditable::Taint`
+    - Patterns can now be per-platform which results in improved fingerprinting
+        during the audit phase and less CPU stress when analyzing responses.
+- Modules
+    - Audit
+        - Path traversal (`path_traversal`)
+            - Updated `/etc/passwd` signatures to be more generic.
+            - Updated MS Windows payloads to include dot truncation.
+            - Detection patterns organized per platform.
+            - Moved non-traversal payloads to the `file_inclusion` module.
+        - SQL Injection (`sqli`)
+            - Added support for:
+                - Firebird
+                - SAP Max DB
+                - Sybase
+                - Frontbase
+                - IngresDB
+                - HSQLDB
+                - MS Access
+        - OS command injection (`os_cmd_injection`)
+            - Detection patterns organized per platform.
+        - Added:
+            - File inclusion (`file_inclusion`) -- Extracted from `path_traversal`.
+                - Uses common server-side files and errors to identify issues.
+    - Recon
+        - Added:
+            - localstart.asp (`localstart_asp`)
+                - Checks if `localstart.asp` is accessible.
+- Plugins
+    - Added:
+        - Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
+- Path extractors
+    - Added:
+        - Extract partial paths from HTML comments (`comments`).
+
 ## 0.4.4 _(August 10, 2013)_
 
 - Options

data/README.md

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>0.4.4</td>
+        <td>0.4.5</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -101,7 +101,7 @@ From a user’s or a component developer’s point of view everything appears si
 and straight-forward all the while providing power, performance and flexibility.
 
 From the simple command-line utility scanner to the intuitive and user-friendly
-Web interface and collaboration platform, Arachni follows the principle of lease
+Web interface and collaboration platform, Arachni follows the principle of least
 surprise and provides you with plenty of feedback and guidance.
 
 #### In simple terms
@@ -263,6 +263,13 @@ Audit modules actively engage the web application via its inputs.
     - SQLite
     - DB2
     - Informix
+    - Firebird
+    - SaP Max DB
+    - Sybase
+    - Frontbase
+    - Ingres
+    - HSQLDB
+    - MS Access
 - Blind SQL injection using rDiff analysis (`sqli_blind_rdiff`).
 - Blind SQL injection using timing attacks (`sqli_blind_timing`).
     - MySQL
@@ -286,6 +293,12 @@ Audit modules actively engage the web application via its inputs.
     - *nix
     - Windows
     - Tomcat
+- File inclusion (`file_inclusion`).
+    - *nix
+    - Windows
+    - Tomcat
+    - PHP
+    - Perl
 - Response splitting (`response_splitting`).
 - OS command injection (`os_cmd_injection`).
     - *nix
@@ -338,6 +351,7 @@ Recon modules look for the existence of files, folders and signatures.
 - Auto-complete for password form fields (`password_autocomplete`).
 - X-Forwarded-For Access Restriction Bypass (`x_forwarded_for_access_restriction_bypass`)
 - Form-based upload (`form_upload`)
+- localstart.asp (`localstart_asp`)
 
 ### Report Management
 
@@ -365,7 +379,7 @@ Recon modules look for the existence of files, folders and signatures.
 #### Available plugins
 
 Plugins add extra functionality to the system in a modular fashion, this way the
-core remains lean and makes it easy for anyone to arbitrary functionality.
+core remains lean and makes it easy for anyone to add arbitrary functionality.
 
 - ReScan  (`rescan`)-- It uses the AFR report of a previous scan to extract the sitemap
     in order to avoid a redundant crawl.
@@ -388,6 +402,7 @@ core remains lean and makes it easy for anyone to arbitrary functionality.
     Useful for unit-testing or a gazillion other things.
 - Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,
     used for debugging and general hackery.
+- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
 
 #### Defaults
 

data/lib/arachni/element/capabilities/auditable.rb

@@ -439,9 +439,13 @@ module Auditable
 
                 return if platform_payloads.empty?
 
+                payload_platforms = Set.new( payloads.keys )
                 platform_payloads.each do |platform, payloads_for_platform|
                     audit( [payloads_for_platform].flatten.compact,
-                           opts.merge( platform: platform ),
+                           opts.merge(
+                               platform: platform,
+                               payload_platforms: payload_platforms
+                           ),
                            &block )
                 end
             else

data/lib/arachni/element/capabilities/auditable/taint.rb

@@ -105,8 +105,43 @@ module Auditable::Taint
     def get_matches( res, opts )
         opts[:substring] = opts[:injected_orig] if !opts[:regexp] && !opts[:substring]
 
-        [opts[:regexp]].flatten.compact.each { |regexp| match_regexp_and_log( regexp, res, opts ) }
-        [opts[:substring]].flatten.compact.each { |substring| match_substring_and_log( substring, res, opts ) }
+        match_patterns( opts[:regexp], method( :match_regexp_and_log ), res, opts.dup )
+        match_patterns( opts[:substring], method( :match_substring_and_log ), res, opts.dup )
+    end
+
+    def match_patterns( patterns, matcher, res, opts )
+        case patterns
+            when Regexp, String, Array
+                [patterns].flatten.compact.
+                    each { |pattern| matcher.call( pattern, res, opts ) }
+
+            when Hash
+                if opts[:platform] && patterns[opts[:platform]]
+                    [patterns[opts[:platform]]].flatten.compact.each do |p|
+                        [p].flatten.compact.
+                            each { |pattern| matcher.call( pattern, res, opts ) }
+                    end
+                else
+                    patterns.each do |platform, p|
+                        dopts = opts.dup
+                        dopts[:platform] = platform
+
+                        [p].flatten.compact.
+                            each { |pattern| matcher.call( pattern, res, dopts ) }
+                    end
+                end
+
+                # Find out if there are any patterns without associated payloads
+                # and match them against every payload's response.
+                patterns.select { |p, _|  !opts[:payload_platforms].include?( p ) }.
+                    each do |platform, p|
+                        dopts = opts.dup
+                        dopts[:platform] = platform
+
+                        [p].flatten.compact.
+                            each { |pattern| matcher.call( pattern, res, dopts ) }
+                    end
+        end
     end
 
     def match_substring_and_log( substring, res, opts )

data/lib/arachni/platform/fingerprinter.rb

@@ -72,14 +72,14 @@ class Fingerprinter
         @headers ||= page.response_headers.downcase
     end
 
-    # @return   [String. nil] Value of the `X-Powered-By` header.
+    # @return   [String. nil] Downcased value of the `X-Powered-By` header.
     def powered_by
-        headers['x-powered-by'].to_s
+        headers['x-powered-by'].to_s.downcase
     end
 
-    # @return   [String. nil] Value of the `Server` header.
+    # @return   [String. nil] Downcased value of the `Server` header.
     def server
-        headers['server'].to_s
+        headers['server'].to_s.downcase
     end
 
     # @return   [String] Downcased file extension of the page.

data/lib/arachni/platform/manager.rb

@@ -82,7 +82,14 @@ class Manager
         :db2,
         :coldfusion,
         :interbase,
-        :informix
+        :informix,
+        :firebird,
+        :maxdb,
+        :sybase,
+        :frontbase,
+        :ingres,
+        :hsqldb,
+        :access
     ]
 
     SERVERS = [
@@ -127,6 +134,13 @@ class Manager
         coldfusion: 'ColdFusion',
         interbase:  'InterBase',
         informix:   'Informix',
+        firebird:   'Firebird',
+        maxdb:      'SaP Max DB',
+        sybase:     'Sybase',
+        frontbase:  'Frontbase',
+        ingres:     'IngresDB',
+        hsqldb:     'HSQLDB',
+        access:     'MS Access',
 
         # Web servers
         apache:     'Apache',

data/lib/arachni/platforms.rb

@@ -153,7 +153,8 @@ class Platform
         :db2,
         :coldfusion,
         :interbase,
-        :informix
+        :informix,
+        :firebird
     ]
 
     # Web servers.

data/lib/arachni/rpc/server/framework/distributor.rb

@@ -131,7 +131,7 @@ module Distributor
         # distribution.
         unique_elements_per_chunk = elements_per_chunk.map.with_index do |elements, i|
             elements.reject do |element|
-                more_than_one_in_sets( elements_per_chunk[i..-1], element )
+                more_than_one_in_sets?( elements_per_chunk[i..-1], element )
             end
         end
 
@@ -443,7 +443,7 @@ module Distributor
         connect_to_dispatcher( @opts.datastore[:dispatcher_url] )
     end
 
-    def more_than_one_in_sets( sets, item )
+    def more_than_one_in_sets?( sets, item )
         occurrences = 0
         sets.each do |set|
             occurrences += 1 if set.include?( item )

data/lib/arachni/spider.rb

@@ -409,7 +409,7 @@ class Spider
 
             if res.redirection? && res.location
                 @redirects << res.request.url
-                location = to_absolute( res.location )
+                location = to_absolute( res.location, res.request.url )
                 if hit_redirect_limit? || skip?( location )
                     print_info "Redirect limit reached, skipping: #{location}"
                     decrease_pending

data/lib/arachni/ui/cli/utilities.rb

@@ -395,7 +395,7 @@ module Utilities
     --extend-paths=<filepath>   Add the paths in <file> to the ones discovered by the crawler.
                                   (Can be used multiple times.)
 
-    --interceptor.callict-paths=<filepath> Use the paths in <file> instead of crawling.
+    --restrict-paths=<filepath> Use the paths in <file> instead of crawling.
                                   (Can be used multiple times.)
 
     --https-only                Forces the system to only follow HTTPS URLs.

data/lib/version

@@ -1 +1 @@
-0.4.4
+0.4.5

data/modules/audit/file_inclusion.rb

@@ -0,0 +1,126 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# File inclusion audit module.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/98.html
+# @see https://www.owasp.org/index.php/PHP_File_Inclusion
+class Arachni::Modules::FileInclusion < Arachni::Module::Base
+
+    def self.options
+        @options ||= {
+            format: [Format::STRAIGHT],
+            regexp: {
+                unix: [
+                    /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
+                    /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+                ],
+                windows: [
+                    /\[boot loader\](.*)\[operating systems\]/im,
+                    /\[fonts\](.*)\[extensions\]/im
+                ],
+                tomcat: [
+                    /<web\-app/im
+                ],
+
+                # Generic PHP errors.
+                php: [
+                    /An error occurred in script/,
+                    /Failed opening '.*?' for inclusion/,
+                    /Failed opening required/,
+                    /failed to open stream:.*/,
+                    /<b>Warning<\/b>:\s+file/,
+                    /<b>Warning<\/b>:\s+read_file/,
+                    /<b>Warning<\/b>:\s+highlight_file/,
+                    /<b>Warning<\/b>:\s+show_source/
+                ],
+                perl: [
+                    /in .* at .* line d+?\./
+                ]
+            },
+
+            # Add one more mutation (on the fly) which will include the extension
+            # of the original value (if that value was a filename) after a null byte.
+            each_mutation: proc do |mutation|
+                m = mutation.dup
+
+                # Figure out the extension of the default value, if it has one.
+                ext = m.original[m.altered].to_s.split( '.' )
+                ext = ext.size > 1 ? ext.last : nil
+
+                # Null-terminate the injected value and append the ext.
+                m.altered_value += "\x00.#{ext}"
+
+                # Pass our new element back to be audited.
+                m
+            end
+        }
+    end
+
+    def self.payloads
+        @payloads ||= {
+            unix:    [
+                '/proc/self/environ',
+                '/etc/passwd'
+            ],
+            windows: [
+                '/boot.ini',
+                '/windows/win.ini',
+                '/winnt/win.ini'
+            ].map { |payload| [payload, "c:#{payload}", "#{payload}#{'.'* 700}"] }.flatten,
+            tomcat: [ '/WEB-INF/web.xml' ]
+        }.inject({}) do |h, (platform, payloads)|
+            h.merge platform => payloads.map { |p| [p, "file://#{p}" ] }.flatten
+        end
+    end
+
+    def run
+        audit self.class.payloads, self.class.options
+    end
+
+    def self.info
+        {
+            name:        'File Inclusion',
+            description: %q{It injects paths of common files (/etc/passwd and boot.ini)
+                and evaluates the existence of a file inclusion vulnerability
+                based on the presence of relevant content or errors in the HTTP responses.},
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.1',
+            references:  {
+                'OWASP' => 'https://www.owasp.org/index.php/PHP_File_Inclusion'
+            },
+            targets:     %w(Unix Windows Tomcat PHP Perl),
+
+            issue:       {
+                name:            %q{File Inclusion},
+                description:     %q{The web application enforces improper limitation
+                    of a pathname.},
+                tags:            %w(file inclusion error injection regexp),
+                cwe:             '98',
+                severity:        Severity::HIGH,
+                remedy_guidance: %q{User inputs must be validated and filtered
+                    before being used as a part of a filesystem path.}
+            }
+
+        }
+    end
+
+end

data/modules/audit/os_cmd_injection.rb

@@ -14,25 +14,27 @@
     limitations under the License.
 =end
 
-#
 # Simple OS command injection module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2
+# @version 0.2.1
 #
 # @see http://cwe.mitre.org/data/definitions/78.html
 # @see http://www.owasp.org/index.php/OS_Command_Injection
-#
 class Arachni::Modules::OSCmdInjection < Arachni::Module::Base
 
     def self.options
         @opts ||= {
-            regexp: [
-                /root:x:0:0:.+:[0-9a-zA-Z\/]+/,
-                /\[boot loader\](.*)\[operating systems\]/,
-                /\[fonts\](.*)\[extensions\]/
-            ],
+            regexp: {
+                unix: [
+                    /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+                ],
+                windows: [
+                    /\[boot loader\](.*)\[operating systems\]/im,
+                    /\[fonts\](.*)\[extensions\]/im
+                ]
+            },
             format: [ Format::STRAIGHT, Format::APPEND ]
         }
     end
@@ -62,7 +64,7 @@ class Arachni::Modules::OSCmdInjection < Arachni::Module::Base
             description: %q{Tries to find operating system command injections.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2',
+            version:     '0.2.1',
             references:  {
                 'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection'
             },