bscan 1.4.4

data/lib/bscan.rb

@@ -0,0 +1,324 @@
+#!/usr/bin/env jruby
+
+require 'pathname'
+require 'buby'
+require 'getoptlong'
+require 'json'
+require 'bscan/utils/bscan_helper'
+require 'java'
+
+class String
+  def camelize
+    self.split(/[^a-z0-9]/i).map{|w| w.capitalize}.join
+  end
+  def camelize!
+    self.replace(self.split(/[^a-z0-9]/i).map{|w| w.capitalize}.join)
+  end
+end
+
+module BScan
+  
+  include BscanHelper
+  
+  attr_accessor :activity
+  attr_reader :modules_only
+  attr_reader :bscan_config
+
+  def Log (mtype, *msgs)
+    pr = "Unknown:"
+    case mtype
+    when 0
+      pr = "ERROR:"
+    when 1
+      pr = "WARN:"
+    when 2
+      pr = "INFO:"
+    when 3
+      pr = "DEBUG:"
+    end  
+    msgs.each do |msg|
+      if (@ll >= mtype)
+        dt = Time.now.strftime("%y%m%d %H%M%S")
+        @log.println "#{dt} #{pr} #{msg}"
+      end
+    end
+    @log.flush
+  end
+  
+  def evt_commandline_args args
+    @cmd_params ||= JSON.parse args[0]
+    @ll =  @cmd_params['loglevel'].to_i
+
+    lfile = @cmd_params['logfile']
+    if lfile != nil
+        begin
+          @log = java.io.PrintStream.new(lfile)
+        rescue Exception => e
+          $stderr.puts("BScan.evt_register_callbacks  Error: can't open log file '#{lfile}', exception: #{e.message}")
+          $stderr.puts(e.backtrace.join("\n"))
+          Process.exit!(2)
+        end
+    else
+      @log = $stdout
+    end
+
+    Log 2, "BScan.evt_commandline_args CMD_PARAMS: #{@cmd_params}"
+    @cmd_params.each_pair do |k,v|
+      Log 2,"BScan.evt_commandline_args #{k}:#{v}"
+    end
+  end
+  
+  
+  
+  def evt_http_message(tool_name, is_request, message_info)
+    super(tool_name, is_request, message_info)
+    if tool_name == 'Scanner'
+      if is_request
+        Log 2, "#"*70, "# BScan.evt_http_message REQUEST: #{message_info.url.toString}, tool: #{tool_name}", "#"*70
+        Log 3, "BScan.evt_http_message #{message_info.req_str}", ""
+      else
+        Log 2, "# BScan.evt_http_message RESPONSE CODE: #{message_info.statusCode}", ""
+        Log 3, "BScan.evt_http_message #{message_info.rsp_str}", ""
+      end
+    end
+    if tool_name == 'Spider'
+     if not is_request
+        @activity[0] = true
+        https = message_info.getProtocol() == "https" ? true : false
+        Log 2, "BScan.evt_http_message Passively scanning: #{message_info.url.to_string}"
+        do_passive_scan(message_info.getHost(), message_info.getPort(), https, message_info.getRequest(),  message_info.getResponse())
+        if (is_in_scope(message_info.url))
+          Log 2, "BScan.evt_http_message Actively scanning: #{message_info.url.to_string}"
+          isqi = do_active_scan(message_info.getHost(), message_info.getPort(), https, message_info.getRequest(), [])
+          @queue.push(isqi)
+          run_modules message_info
+        end
+     end
+    end  
+  end
+  
+  def is_module_static n,p
+    pref = 'bscan.' + n + '.'
+    pref += p + '.' if p and p.length > 0
+    @bscan_config[pref + 'static_request'] == 'true'  
+  end
+  
+  
+  def run_modules msg=nil
+    if @modules 
+      @modules.each do |m|
+        begin
+          mod,prop=m.split(':',2)
+          prop ||=''
+          mn = File.basename(mod,".rb")
+          is_static = is_module_static(mn,prop)
+          Log 2, "BScan.run_modules executing module #{mod}:#{prop} #{is_static}"
+          mn.camelize!
+          if (is_static && !msg) || (!is_static && msg)
+            eval("
+#           puts '=====================MODULE PATH: ' + $:.join(':') 
+            require '#{mod}'
+            require 'bscan/utils/bscan_helper.rb'
+            
+            class #{mn}#{prop}Class
+              include #{mn}
+              include BscanHelper
+            end
+            #{mn}#{prop}Class.new.run(self, msg, prop)
+            ")
+          end
+        rescue Exception => e
+          Log 1, "BScan.run_modules Can't exceute module #{mod}, Exception: #{e.message}"
+          Log 1, e.backtrace.join("\n")
+        end
+      end
+    end
+  end    
+  
+  def evt_scan_issue issue
+    super(issue)
+#    Buby::HttpRequestResponseHelper.implant(issue.http_messages)
+    write_issue_state issue
+  end
+  
+  def sync_save_state issue
+    @sync_state_mutex ||= Mutex.new
+    @sync_state_mutex.synchronize {
+      save_state(@sstream) if @sstream and issue.severity =~ /(High)/
+    }
+  end
+  
+  def write_issue_state issue
+#   Log 2,"INSPECT: #{issue.http_messages[0].methods}  #{issue.http_messages[0].inspect}  #{issue.http_messages[0].to_s} "
+    
+    Log 2,"BScan.write_issue_state #{not @istream} #{issue.http_messages[0].methods}  #{issue.http_messages[0].to_s} "
+    @istream or return
+    begin 
+      @istream.puts '#'*70,"#{issue.issue_name} : #{issue.url}",
+                    "Severity: #{issue.severity}(#{issue.confidence})",
+                    "Background: #{issue.issue_background}",
+                    "Details: #{issue.issue_detail}",
+                    "Remediation: #{issue.remediation_background}",
+                    "Request: #{issue.http_messages[0].req_str}",
+                    "Response: #{issue.http_messages[0].rsp_str}"
+      # sync_save_state issue throws exceptions
+      @istream.flush 
+    rescue Exception => e
+      Log 0, "BScan.write_issue_state Can't write issue #{issue.issue_name}, Exception: #{e.message}"
+      Log 0,  e.backtrace.join("\n")
+    end
+  end
+  def evt_application_closing
+    Log 2,"BScan.evt_application_closing"
+    @istream.close if @istream
+    @log.close if @log
+  end
+    
+  def evt_register_callbacks cb
+    super(cb)
+    begin
+      
+      Log 2, "="*30, "BScan.evt_register_callbacks registring, log = #{@cmd_params['logfile']}  ", "="*30 
+      @bscan_config = @cmd_params['bscan_config']
+      @burp_config = @cmd_params['burp_config']
+      @issues = @bscan_config['bscan.issues']
+      @modules_only = (@bscan_config['bscan.modules_only'] and @bscan_config['bscan.modules_only'] == 'true') 
+      
+      Log 1, "BScan.evt_register_callbacks No issues dir provided. Issues will not be logged." if not @issues
+      if (@issues)
+        begin 
+          dt = Time.now.strftime("%y%m%d_%H%M%S")
+          File.directory? @issues or %x{mkdir -p "#{@issues}"}
+          @sstream = "#{@issues}/session.#{dt}.zip"
+          @istream = File.open("#{@issues}/issues.#{dt}.txt","w")
+        rescue Exception => e
+          Log 0, "BScan.evt_register_callbacks Can't create issues or session files, Exception: #{e.message}"
+          Log 0,  e.backtrace.join("\n")
+  
+          exit_suite
+        end
+      end
+          
+      @queue ||= []
+      @activity = [false]
+      @inactivity_to = @bscan_config['bscan.inactivity_to']
+      @inactivity_to ||= '30'
+      @inactivity_to = @inactivity_to.to_i
+      # Will exit if @activity = 0  and @queue is empty two times
+      if @monitor == nil
+        Log 2, "="*30, "BScan.evt_register_callbacks Starting Monitor", "="*30 
+        @monitor = Thread.new(@queue, @activity) {|q,a|
+          cnt=0;
+          while (true) 
+            sleep(@inactivity_to/2)        
+            q.delete_if {|e| e.getPercentageComplete() == 100}
+            if q.length == 0 and not a[0] 
+              cnt += 1
+            else
+              cnt = 0
+  #            Log 2, "BScan.evt_register_callbacks QUEUE: #{q.length}, Activity: #{a[0]}"
+            end
+            if cnt > 1
+  #            Log 2, "BScan.evt_register_callbacks Scanning complete"
+              exit_suite
+              break
+            end
+            a[0] = false
+          end
+        }
+      end  
+     
+      Log 2, '='*30, 'BScan.evt_register_callbacks Params', '='*30
+      params = save_config
+      params['target.scopeinclude0']='**empty**' # burp can store the previous scope somehow, thus need to clean
+      @burp_config.each_pair do |k,v|
+        params[k] = v
+      end  
+      load_config params
+      params.each_pair {|k,v| Log 2,"#{k}:#{v}"} # if k =~ /^(scanner|spider)/}
+     
+     @modules ||= @bscan_config['bscan.modules']
+     @modules = [@modules] if not @modules.kind_of?(Array)
+     
+     mods = []
+     @modules.each do |m|
+       mods << m.split(',')
+     end
+
+     @modules = mods.flatten 
+     
+      urls = @bscan_config['bscan.url']
+      Log 2, "BScan.evt_register_callbacks urls: #{@modules_only} #{urls.join('|')}"
+  
+     run_modules # run_modules without 'msg' will do static reqs only 
+     return if @modules_only
+  
+      if not urls
+       Log 0, "BScan.evt_register_callbacks No URL's provided in config. Use bscan.url param. Multiple entries are OK"
+       exit_suite 
+      end
+      
+      urls = [urls] if not urls.kind_of?(Array)
+      
+      urls.each do |u|
+        Log 2, "BScan.evt_register_callbacks checking url: #{u}"
+        if not is_in_scope(u)
+          Log 2, "BScan.evt_register_callbacks including url: #{u}"
+          include_in_scope(u)
+        end
+        Log 2, "BScan.evt_register_callbacks Sending to spider: #{u}"
+        send_to_spider(u)
+      end
+    end
+  rescue Exception => e
+        Log 0, "BScan.evt_register_callbacks Exception: #{e.message}"
+        Log 0,  e.backtrace.join("\n")
+        exit_suite
+  end
+end
+
+
+def log ll, stream
+  stream.puts if true 
+end
+
+def add_multi map,k,v
+  if (map[k])
+    ov = map[k];
+    if (ov.kind_of?(Array))
+      map[k] << v
+    else 
+      map[k] = [ov,v]
+    end
+  else
+    map[k] = v  
+  end
+end
+
+def read_config file
+   
+   burp_config = {}
+   bscan_config = {}
+   
+   begin
+      open_in_path(file).each_line do |line|
+      line.chomp!
+      line.strip!
+      next if (line =~ /^#/ or line.length < 1)  
+      data = line.split(/=/)
+      val = nil
+      val = data[1..-1].join('=') if data.size > 1 
+      if data[0] =~ /^bscan./
+        add_multi(bscan_config,data[0],val)
+      else
+        burp_config[data[0]] = val
+      end
+    end
+    rescue Exception => e
+      $stderr.puts("BScan.read_config Error: can't read config file '#{file}', exception: #{e.message}")
+      $stderr.puts(e.backtrace.join("\n"))
+      Process.exit(3)
+    end 
+    [burp_config, bscan_config]
+end
+

data/lib/bscan/modules/injector.rb

@@ -0,0 +1,142 @@
+require 'bscan/utils/bscan_helper.rb'
+
+module Injector
+  
+  COMMENT_START='# '
+
+  def run *args
+
+    @bscan = args[0]
+    @config ||= @bscan.instance_variable_get("@bscan_config")
+    @bscan.activity[0]=true
+
+    @prop_pref = 'bscan.injector.'
+    @prop_pref += args[2] + '.' if args[2] && args[2].length > 0
+    @mid = args[2]?"Injector.#{args[2]}.":'Injector.' 
+    msg = args[1]
+
+    if not msg
+      inject_to_pattern
+      return
+    end
+    
+    url = msg.url.dup.to_s
+    @bscan.Log 2, "#{@mid}run for #{url}"
+    begin
+      if (url =~ /([^?]+)\?(.+)/)
+        beg = "#{$1}?"
+        params = $2
+        @bscan.Log 2, "#{@mid}run BEG: #{beg} PARAMS: #{params} FILE: #{@config[prop('file')]}"
+        injs = open_in_path(@config[prop('file')])
+        injs.each_line do |l|
+          l.chomp!
+          next if (l =~ /^#{COMMENT_START}/ or l.length < 1)
+          @bscan.Log 2, "#{@mid}run injecting: #{l}"
+         
+         @bscan.activity[0]=true
+
+          do_scan(msg, beg + l, l)       # in parameter name
+          do_scan(msg, beg.chop + l, l)  # in  URL
+          
+          pos=0
+          while (m=params.match(/([^&]+)=([^&]+)/,pos)) 
+            trg = beg + params[0..m.begin(2)-1] + l + params[m.end(2)..-1]
+            @bscan.activity[0]=true
+            do_scan(msg, trg, l)
+            pos=m.end(1)+1
+          end
+        end
+        injs.close
+      end
+      
+      inject_to_body msg if @config['bscan.injector.one.inject_to_body'] == 'true'
+      
+    rescue Exception => e
+      @bscan.Log 0, "#{@mid}run Exception: #{e.message}"
+      @bscan.Log 0, e.backtrace.join("\n")
+   end
+  end
+  
+  def inject_to_pattern
+    param = @config[prop('inject_instead_of')]
+    a=[]
+    if (not param or (a=param.split(':',3)).size < 3)
+        @bscan.Log 0, "#{@mid}inject_to_pattern: 'inject_instead_of' parameter is not valid #{param}"
+        return
+    end
+    @bscan.Log 2, "#{@mid}inject_to_pattern input: #{a.join('|')}"
+    begin
+      p,f,proto = Regexp.escape(a[0]), a[1], a[2]
+      file = open_in_path(f)
+      req = file.read
+      req.gsub!(/\^M\n/,"\r\n")
+      file.close
+
+      injs = open_in_path(@config[prop('file')])
+      injs.each_line do |l|
+        l.chomp!
+        next if (l =~ /^#{COMMENT_START}/ or l.length < 1)
+        @bscan.Log 2, "#{@mid}inject_to_pattern injecting: #{l}"
+
+        pos = 0
+        while (m=req.match(/(#{p}).*?(#{p})/,pos)) 
+          r = (req[0..m.begin(1)-1] + l + req[m.end(2)..-1]).gsub /#{p}(.*?)#{p}/,'\1'
+
+          @bscan.Log 2, "#{@mid}inject_to_pattern new req:\n#{r}"
+          set_len r
+          @bscan.activity[0]=true
+          send_req r,proto,l 
+          pos=m.end(1)
+        end
+      end
+      injs.close
+      
+    rescue Exception => e
+        @bscan.Log 0, "#{@mid}inject_to_pattern Exception: #{e.message}"
+        @bscan.Log 0, e.backtrace.join("\n")
+    end
+    
+  end
+ 
+  def inject_to_body msg
+    scanf = false
+    @bscan.Log 2, "#{@mid}inject_to_body req: #{msg.req_str}"
+    msg.request_headers.each do |a|
+     @bscan.Log 2, "#{@mid}inject_to_body hdr: #{a[0]} #{a[1]}"
+     if a.size > 1 and a[0] =~ /content-type/i and a[1] =~ /application\/x-www-form-urlencoded/i
+        scanf = true
+        break
+      end
+    end  
+    return if not scanf
+    m=msg.req_str.match(/\r?\n\r?\n/)
+    return if m.size < 1
+    start_pos = m.end(0)
+
+    begin
+      injs = open_in_path(@config[prop('file')])
+      injs.each_line do |l|
+        l.chomp!
+        next if (l =~ /^#{COMMENT_START}/ or l.length < 1)
+        @bscan.Log 2, "#{@mid}inject_to_body injecting: #{l}"
+        pos=start_pos
+        while (m=msg.req_str.match(/([^=]+)=([^=]+)/,pos)) 
+          req = msg.req_str[0..m.begin(2)-1] + l + msg.req_str[m.end(2)..-1]
+          req.sub!(/content-length\s*:\s*\d+/i, "Content-Length: "+(req.length-start_pos).to_s)
+          @bscan.Log 2, "#{@mid}inject_to_body #{pos} #{req}"
+          @bscan.activity[0]=true
+          send_req req, msg.getProtocol, l
+          pos=m.end(1)+1
+        end
+      end
+      injs.close
+    rescue Exception => e
+      @bscan.Log 0, "#{@mid}inject_to_body Exception: #{e.message}"
+      @bscan.Log 0, e.backtrace.join("\n")
+    end
+  end
+ 
+  
+
+  
+end