cms_scanner 0.0.2

data/lib/cms_scanner/finders/independent_finders.rb

@@ -0,0 +1,41 @@
+module CMSScanner
+  module Finders
+    # Independent Finders container
+    # This class is designed to handle independent results
+    # which are not related with others
+    # e.g: interesting files
+    class IndependentFinders < Array
+      # @return [ Findings ]
+      def findings
+        @findings ||= NS::Finders::Findings.new
+      end
+
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] mode :mixed, :passive or :aggressive
+      #
+      # @return [ Findings ]
+      def run(opts = {})
+        each do |finder|
+          symbols_from_mode(opts[:mode]).each do |symbol|
+            r = finder.send(symbol, opts)
+
+            next unless r
+
+            findings + [*r]
+          end
+        end
+
+        findings
+      end
+
+      # @param [ Symbol ] mode :mixed, :passive or :aggressive
+      # @return [ Array<Symbol> ] The symbols to call for the mode
+      def symbols_from_mode(mode)
+        symbols = [:passive, :aggressive]
+
+        return symbols if mode.nil? || mode == :mixed
+        symbols.include?(mode) ? [*mode] : []
+      end
+    end
+  end
+end

data/lib/cms_scanner/formatter.rb

@@ -0,0 +1,118 @@
+require 'cms_scanner/formatter/buffer'
+
+module CMSScanner
+  # Formatter
+  module Formatter
+    # Module to be able to do Formatter.load() & Formatter.availables
+    # and do that as well when the Formatter is included in another module
+    module ClassMethods
+      # @param [ String ] format
+      # @param [ Array<String> ] custom_views
+      #
+      # @return [ Formatter::Base ]
+      def load(format = nil, custom_views = nil)
+        format       ||= 'cli'
+        custom_views ||= []
+
+        f = const_get(format.gsub(/-/, '_').camelize).new
+        custom_views.each { |v| f.views_directories << v }
+        f
+      end
+
+      # @return [ Array<String> ] The list of the available formatters (except the Base one)
+      # @note: the #load method above should then be used to create the associated formatter
+      def availables
+        formatters = NS::Formatter.constants.select do |const|
+          name = NS::Formatter.const_get(const)
+          name.is_a?(Class) && name != NS::Formatter::Base
+        end
+
+        formatters.map { |sym| sym.to_s.underscore.dasherize }
+      end
+    end
+
+    extend ClassMethods
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    # Base Formatter
+    class Base
+      attr_reader :controller_name
+
+      # @return [ String ] The underscored name of the class
+      def format
+        self.class.name.demodulize.underscore
+      end
+
+      # @return [ String ] The underscored format to use as a base
+      def base_format; end
+
+      # @return [ Array<String> ]
+      def formats
+        [format, base_format].compact
+      end
+
+      # This is called after the scan
+      # and used in some formatters (e.g JSON)
+      # to indent results
+      def beautify; end
+
+      # @see #render
+      def output(tpl, vars = {}, controller_name = nil)
+        puts render(tpl, vars, controller_name)
+      end
+
+      # @param [ String ] tpl
+      # @param [ Hash ] vars
+      # @param [ String ] controller_name
+      def render(tpl, vars = {}, controller_name = nil)
+        template_vars(vars)
+        @controller_name = controller_name if controller_name
+
+        # '-' is used to disable new lines when -%> is used
+        # See http://www.ruby-doc.org/stdlib-2.1.1/libdoc/erb/rdoc/ERB.html
+        ERB.new(File.read(view_path(tpl)), nil, '-').result(binding)
+      end
+
+      # @param [ Hash ] vars
+      #
+      # @return [ Void ]
+      def template_vars(vars)
+        vars.each do |key, value|
+          instance_variable_set("@#{key}", value) unless key == :views_directories
+        end
+      end
+
+      # @param [ String ] tpl
+      #
+      # @return [ String ] The path of the view
+      def view_path(tpl)
+        if tpl[0, 1] == '@' # Global Template
+          tpl = tpl.delete('@')
+        else
+          fail 'The controller_name can not be nil' unless controller_name
+          tpl = "#{controller_name}/#{tpl}"
+        end
+
+        fail "Wrong tpl format: '#{tpl}'" unless tpl =~ /\A[\w\/_]+\z/
+
+        views_directories.reverse.each do |dir|
+          formats.each do |format|
+            potential_file = File.join(dir, format, "#{tpl}.erb")
+
+            return potential_file if File.exist?(potential_file)
+          end
+        end
+
+        fail "View not found for #{format}/#{tpl}"
+      end
+
+      # @return [ Array<String> ] The directories to look into for views
+      def views_directories
+        @views_directories ||= [Pathname.new(APP_DIR).join('views').to_s]
+      end
+    end
+  end
+end

data/lib/cms_scanner/formatter/buffer.rb

@@ -0,0 +1,15 @@
+module CMSScanner
+  module Formatter
+    # Module used to output the rendered views into a buffer
+    # and beautify it a the end of the scan
+    module Buffer
+      def output(tpl, vars = {}, controller_name = nil)
+        buffer << render(tpl, vars, controller_name)
+      end
+
+      def buffer
+        @buffer ||= ''
+      end
+    end
+  end
+end

data/lib/cms_scanner/target.rb

@@ -0,0 +1,33 @@
+require 'cms_scanner/web_site'
+require 'cms_scanner/target/platform'
+require 'cms_scanner/target/server'
+
+module CMSScanner
+  # Target to Scan
+  class Target < WebSite
+    include Server::Generic
+    # @note Subdomains are considered out of scope (maybe consider them in ?)
+    #       Also, // are handled by Addressable::URI, but worngly :/
+    #       e.g: Addressable::URI.parse('//file').host => file
+    #
+    # @param [ String ] url
+    #
+    # @return [ Boolean ] true if the url given belongs to the target
+    def in_scope?(url)
+      return true if url[0, 1] == '/' && url[1, 1] != '/'
+
+      Addressable::URI.parse(url).host == uri.host
+    rescue
+      false
+    end
+
+    # TODO: add a force option to re-call the #find rather than return the @interesting_files ?
+    #
+    # @param [ Hash ] opts
+    #
+    # @return [ Findings ]
+    def interesting_files(opts = {})
+      @interesting_files ||= NS::Finders::InterestingFiles.find(self, opts)
+    end
+  end
+end

data/lib/cms_scanner/target/platform.rb

@@ -0,0 +1,2 @@
+require 'cms_scanner/target/platform/php'
+require 'cms_scanner/target/platform/wordpress'

data/lib/cms_scanner/target/platform/php.rb

@@ -0,0 +1,39 @@
+module CMSScanner
+  class Target < WebSite
+    module Platform
+      # Some PHP specific implementation
+      module PHP
+        DEBUG_LOG_PATTERN = /\[[^\]]+\] PHP (?:Warning|Error|Notice):/
+        FPD_PATTERN       = /Fatal error:.+? in (.+?) on/
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if  url(path) is a debug log, false otherwise
+        def debug_log?(path = nil, params = {})
+          res = NS::Browser.get(url(path), params.merge(headers: { 'range' => 'bytes=0-700' }))
+
+          res.body =~ DEBUG_LOG_PATTERN ? true : false
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if url(path) contains a FPD, false otherwise
+        def full_path_disclosure?(path = nil, params = {})
+          !full_path_disclosure_entries(path, params).empty?
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The FPD found, or an empty array if none
+        def full_path_disclosure_entries(path = nil, params = {})
+          res = NS::Browser.get(url(path), params)
+
+          res.body.scan(FPD_PATTERN).flatten
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/platform/wordpress.rb

@@ -0,0 +1,35 @@
+%w(custom_directories).each do |required|
+  require "cms_scanner/target/platform/wordpress/#{required}"
+end
+
+module CMSScanner
+  class Target < WebSite
+    module Platform
+      # Some WordPress specific implementation
+      module WordPress
+        include PHP
+
+        WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|plugins|plugins))|wp-includes)/}i
+
+        def wordpress?
+          page = Nokogiri::HTML(Browser.get(url).body)
+
+          page.css('script, link').each do |tag|
+            tag_url = tag.attribute('href').to_s
+
+            next unless in_scope?(tag_url)
+
+            tag_uri = Addressable::URI.parse(tag_url)
+
+            return true if tag_uri.path =~ WORDPRESS_PATTERN
+          end
+          false
+        end
+
+        def wordpress_hosted?
+          uri.host =~ /wordpress.com$/i ? true : false
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/platform/wordpress/custom_directories.rb

@@ -0,0 +1,62 @@
+module CMSScanner
+  class Target < WebSite
+    module Platform
+      # wp-content & plugins directory implementation
+      module WordPress
+        def content_dir=(dir)
+          @content_dir = dir.chomp('/')
+        end
+
+        def plugins_dir=(dir)
+          @plugins_dir = dir.chomp('/')
+        end
+
+        # @return [ String ] The wp-content directory
+        def content_dir
+          unless @content_dir
+            page        = Nokogiri::HTML(Browser.get(url).body)
+            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
+            pattern     = %r{#{escaped_url}(.+?)\/(?:themes|plugins|uploads)\/}i
+
+            page.css('link,script,style,img').each do |tag|
+              %w(href src).each do |attribute|
+                attr_value = tag.attribute(attribute).to_s
+
+                next if attr_value.nil? || attr_value.empty?
+                next unless in_scope?(attr_value) && attr_value.match(pattern)
+
+                return @content_dir = Regexp.last_match[1]
+              end
+            end
+          end
+          @content_dir
+        end
+
+        # @return [ Addressable::URI ]
+        def content_uri
+          uri.join("#{content_dir}/")
+        end
+
+        # @return [ String ]
+        def content_url
+          content_uri.to_s
+        end
+
+        # @return [ String ]
+        def plugins_dir
+          @plugins_dir ||= "#{content_dir}/plugins"
+        end
+
+        # @return [ Addressable::URI ]
+        def plugins_uri
+          uri.join("#{plugins_dir}/")
+        end
+
+        # @return [ String ]
+        def plugins_url
+          plugins_uri.to_s
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/server.rb

@@ -0,0 +1,3 @@
+require 'cms_scanner/target/server/generic'
+require 'cms_scanner/target/server/apache'
+require 'cms_scanner/target/server/iis'

data/lib/cms_scanner/target/server/apache.rb

@@ -0,0 +1,43 @@
+module CMSScanner
+  class Target < WebSite
+    module Server
+      # Some Apche specific implementation
+      module Apache
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Symbol ] :apache
+        def server(_path = nil, _params = {})
+          :Apache
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if url(path) has the directory
+        #                          listing enabled, false otherwise
+        def directory_listing?(path = nil, params = {})
+          res = NS::Browser.get(url(path), params)
+
+          res.code == 200 && res.body =~ /<h1>Index of/ ? true : false
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The first level of directories/files listed,
+        #                           or an empty array if none
+        def directory_listing_entries(path = nil, params = {})
+          return [] unless directory_listing?(path, params)
+
+          doc   = Nokogiri::HTML(NS::Browser.get(url(path), params).body)
+          found = []
+
+          doc.css('td a').each { |node| found << node.text.to_s }
+
+          found[1..-1] # returns the array w/o the first element 'Parent Directory'
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/server/generic.rb

@@ -0,0 +1,34 @@
+module CMSScanner
+  class Target < WebSite
+    module Server
+      # Some Apche specific implementation
+      module Generic
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Symbol ] The detected remote server (:Apache, :IIS)
+        def server(path = nil, params = {})
+          headers = headers(path, params)
+
+          return nil unless headers
+
+          case headers[:server]
+          when /\Aapache/i
+            :Apache
+          when /\AMicrosoft-IIS/i
+            :IIS
+          end
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Hash ] The headers
+        def headers(path = nil, params = {})
+          # The HEAD method might be rejected by some servers ... maybe switch to GET ?
+          NS::Browser.head(url(path), params).headers
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/server/iis.rb

@@ -0,0 +1,48 @@
+module CMSScanner
+  class Target < WebSite
+    module Server
+      # Some IIS specific implementation
+      module IIS
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Symbol ] :iis
+        def server(_path = nil, _params = {})
+          :IIS
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if url(path) has the directory
+        #                          listing enabled, false otherwise
+        def directory_listing?(path = nil, params = {})
+          res = NS::Browser.get(url(path), params)
+
+          res.code == 200 && res.body =~ /<H1>#{uri.host} - \// ? true : false
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The first level of directories/files listed,
+        #                           or an empty array if none
+        def directory_listing_entries(path = nil, params = {})
+          return [] unless directory_listing?(path, params)
+
+          doc   = Nokogiri::HTML(NS::Browser.get(url(path), params).body)
+          found = []
+
+          doc.css('pre a').each do |node|
+            entry = node.text.to_s
+
+            next if entry == '[To Parent Directory]'
+            found << entry
+          end
+
+          found
+        end
+      end
+    end
+  end
+end