cms_scanner 0.0.19 → 0.0.20

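--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 0c16a64244ed7befaa7147416fb7f0602dd5e01a
- data.tar.gz: 0eecb7cd60d586dcce20ceac600b65e48573581b
+ metadata.gz: 5dff32b05d6da49f0ad5697263e3a1e0a3d011a7
+ data.tar.gz: 5373a9c0a91523b45287aa577f07ce53a59fd59e
  SHA512:
- metadata.gz: 8fae913eb98950ceab827816b37f72ed9ce2d0dcad33677b9e12900b14275f242382155635273ec4e4d26d60e3c4ee507752ff47d0ece9aa0a3f8ea51a09ed70
- data.tar.gz: bc44ad999e82fdf7744ea738939ee8a7da795681d563f0f494c0e581eaa31998b437be6239ca2e3bd8c9cf6496b2eab26e3ae4396667a9a242dfcfdf44e7adf1
+ metadata.gz: a8c5b0c833ac6514ab85a5a1c5d00a7932eb41c33ad44bfcba544935b84c7405771b06b8ec833d3b211317af4412515db9b075cc88f17a56adcb1a64b2907ed5
+ data.tar.gz: 1a568813897294b4958f5f3f23ce245b64fa5322698a353bf5504bf599f8ef02a90c5a96dcf52b53dce0e3ccd7acc3225a9feae590cbc6f7b1c7bee41c4f6ba4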
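--- a/data/app/controllers.rb
+++ b/data/app/controllers.rb
@@ -1,2 +1,2 @@
  require_relative 'controllers/core'
- require_relative 'controllers/interesting_files'
+ require_relative 'controllers/interesting_findings'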
@@ -1,12 +1,12 @@
1
1
  module CMSScanner
2
2
  module Controller
3
- # InterestingFiles Controller
4
- class InterestingFiles < Base
3
+ # InterestingFindings Controller
4
+ class InterestingFindings < Base
5
5
  def cli_options
6
6
  [
7
7
  OptChoice.new(
8
- ['--interesting-files-detection MODE',
9
- 'Use the supplied mode for the interesting files detection. ' \
8
+ ['--interesting-findings-detection MODE',
9
+ 'Use the supplied mode for the interesting findings detection. ' \
10
10
  'Modes: mixed, passive, aggressive'
11
11
  ],
12
12
  choices: %w(mixed passive aggressive),
@@ -15,8 +15,8 @@ module CMSScanner
15
15
  end
16
16
 
17
17
  def run
18
- mode = parsed_options[:interesting_files_detection] || parsed_options[:detection_mode]
19
- findings = target.interesting_files(mode: mode)
18
+ mode = parsed_options[:interesting_findings_detection] || parsed_options[:detection_mode]
19
+ findings = target.interesting_findings(mode: mode)
20
20
 
21
21
  output('findings', findings: findings) unless findings.empty?
22
22
  end
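--- a/data/app/finders.rb
+++ b/data/app/finders.rb
@@ -1 +1 @@
- require_relative 'finders/interesting_files'
+ require_relative 'finders/interesting_findings'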
@@ -0,0 +1,23 @@
1
+ require_relative 'interesting_findings/headers'
2
+ require_relative 'interesting_findings/robots_txt'
3
+ require_relative 'interesting_findings/fantastico_fileslist'
4
+ require_relative 'interesting_findings/search_replace_db_2'
5
+ require_relative 'interesting_findings/xml_rpc'
6
+
7
+ module CMSScanner
8
+ module Finders
9
+ module InterestingFindings
10
+ # Interesting Files Finder
11
+ class Base
12
+ include IndependentFinder
13
+
14
+ # @param [ CMSScanner::Target ] target
15
+ def initialize(target)
16
+ %w(Headers RobotsTxt FantasticoFileslist SearchReplaceDB2 XMLRPC).each do |f|
17
+ finders << NS::Finders::InterestingFindings.const_get(f).new(target)
18
+ end
19
+ end
20
+ end
21
+ end
22
+ end
23
+ end
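Review bot: `const_get(f)` in `initialize` runs with the default inherit flag, so a name missing from `InterestingFindings` is also looked up on `Object` instead of failing. With a finder named `XMLRPC`, that could silently resolve to an unrelated top-level constant if one of the `require_relative` lines above were ever dropped. Passing the flag makes the lookup strict: `finders << NS::Finders::InterestingFindings.const_get(f, false).new(target)`. The class comment also still reads `# Interesting Files Finder` after the rename and should become `# Interesting Findings Finder`.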
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  module Finders
3
- module InterestingFiles
3
+ module InterestingFindings
4
4
  # FantasticoFileslist finder
5
5
  class FantasticoFileslist < Finder
6
6
  # @return [ String ] The url of the fantastico_fileslist.txt file
@@ -8,14 +8,14 @@ module CMSScanner
8
8
  target.url('fantastico_fileslist.txt')
9
9
  end
10
10
 
11
- # @return [ InterestingFile ]
11
+ # @return [ InterestingFinding ]
12
12
  def aggressive(_opts = {})
13
13
  res = NS::Browser.get(url)
14
14
 
15
15
  return unless res && res.code == 200 && res.body.length > 0
16
16
  return unless res.headers && res.headers['Content-Type'] =~ /\Atext\/plain/
17
17
 
18
- NS::FantasticoFileslist.new(url, confidence: 100, found_by: found_by)
18
+ NS::FantasticoFileslist.new(url, confidence: 70, found_by: found_by)
19
19
  end
20
20
  end
21
21
  end
@@ -1,9 +1,9 @@
1
1
  module CMSScanner
2
2
  module Finders
3
- module InterestingFiles
3
+ module InterestingFindings
4
4
  # Interesting Headers finder
5
5
  class Headers < Finder
6
- # @return [ InterestingFile ]
6
+ # @return [ InterestingFinding ]
7
7
  def passive(_opts = {})
8
8
  r = NS::Headers.new(target.url, confidence: 100, found_by: found_by)
9
9
 
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  module Finders
3
- module InterestingFiles
3
+ module InterestingFindings
4
4
  # Robots.txt finder
5
5
  class RobotsTxt < Finder
6
6
  # @return [ String ] The url of the robots.txt file
@@ -8,7 +8,7 @@ module CMSScanner
8
8
  target.url('robots.txt')
9
9
  end
10
10
 
11
- # @return [ InterestingFile ]
11
+ # @return [ InterestingFinding ]
12
12
  def aggressive(_opts = {})
13
13
  res = NS::Browser.get(url)
14
14
 
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  module Finders
3
- module InterestingFiles
3
+ module InterestingFindings
4
4
  # SearchReplaceDB2 finder
5
5
  class SearchReplaceDB2 < Finder
6
6
  # @return [ String ] The url to the searchreplacedb2 PHP file
@@ -8,15 +8,15 @@ module CMSScanner
8
8
  target.url('searchreplacedb2.php')
9
9
  end
10
10
 
11
- # @return [ InterestingFile ]
11
+ # @return [ InterestingFinding ]
12
12
  def aggressive(_opts = {})
13
13
  res = NS::Browser.get(url)
14
14
 
15
15
  return unless res && res.code == 200 && res.body =~ /by interconnect/i
16
16
 
17
- NS::InterestingFile.new(url, confidence: 100,
18
- found_by: found_by,
19
- references: references)
17
+ NS::InterestingFinding.new(url, confidence: 100,
18
+ found_by: found_by,
19
+ references: references)
20
20
  end
21
21
 
22
22
  def references
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  module Finders
3
- module InterestingFiles
3
+ module InterestingFindings
4
4
  # XML RPC finder
5
5
  class XMLRPC < Finder
6
6
  # @return [ Array<String> ] The potential urls to the XMl RPC file
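--- a/data/app/models.rb
+++ b/data/app/models.rb
@@ -1,4 +1,4 @@
- require_relative 'models/interesting_file'
+ require_relative 'models/interesting_finding'
  require_relative 'models/robots_txt'
  require_relative 'models/fantastico_fileslist'
  require_relative 'models/headers'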
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  # FantasticoFileslist
3
- class FantasticoFileslist < InterestingFile
3
+ class FantasticoFileslist < InterestingFinding
4
4
  # @return [ Array<String> ] The interesting files/dirs detected
5
5
  def interesting_entries
6
6
  results = []
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
- # Not really an interesting file, but will use this class for convenience
3
- class Headers < InterestingFile
2
+ # Interesting Headers
3
+ class Headers < InterestingFinding
4
4
  # @return [ Hash ] The headers
5
5
  def entries
6
6
  res = NS::Browser.get(url)
@@ -1,12 +1,19 @@
1
1
  module CMSScanner
2
- # Interesting File
3
- class InterestingFile
2
+ # Interesting Finding
3
+ class InterestingFinding
4
4
  include NS::Finders::Finding
5
5
 
6
6
  attr_reader :url
7
+ attr_writer :to_s
7
8
 
9
+ # @param [ String ] url
10
+ # @param [ Hash ] opts
11
+ # :to_s (override the to_s method)
12
+ # See Finders::Finding for other available options
8
13
  def initialize(url, opts = {})
9
- @url = url
14
+ @url = url
15
+ @to_s = opts[:to_s]
16
+
10
17
  parse_finding_options(opts)
11
18
  end
12
19
 
@@ -20,12 +27,12 @@ module CMSScanner
20
27
  end
21
28
 
22
29
  def to_s
23
- url
30
+ @to_s || url
24
31
  end
25
32
 
26
33
  def ==(other)
27
34
  return false unless self.class == other.class
28
- url == other.url
35
+ to_s == other.to_s
29
36
  end
30
37
  end
31
38
  end
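Review bot: `==` now compares `to_s == other.to_s`, and `to_s` can be replaced through the `:to_s` option or the new `attr_writer`, so two findings of the same class with different URLs but the same label compare equal. If the findings collection de-duplicates with `==` (not visible here), one of them would be dropped from the report. Comparing both fields keeps the label distinction without losing the URL: `url == other.url && to_s == other.to_s`. The `attr_writer :to_s` line has no comment; a one-line note that it overrides the string printed by `<%= finding %>` in the CLI view would help.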
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  # Robots.txt
3
- class RobotsTxt < InterestingFile
3
+ class RobotsTxt < InterestingFinding
4
4
  # @todo Better detection, currently everything not empty or / is returned
5
5
  #
6
6
  # @return [ Array<String> ] The interesting Allow/Disallow rules detected
@@ -1,6 +1,6 @@
1
1
  module CMSScanner
2
2
  # XML RPC
3
- class XMLRPC < InterestingFile
3
+ class XMLRPC < InterestingFinding
4
4
  # @param [ String ] method
5
5
  # @param [ Array ] params
6
6
  # @param [ Hash ] request_params
@@ -1,7 +1,8 @@
1
- Interesting Findings: <%= @findings.size %>
1
+ <% unless @findings.empty? -%>
2
+ Interesting Finding(s):
2
3
  <% @findings.each do |finding| -%>
3
4
 
4
- <%= green('[+]') %> <%= finding.url %>
5
+ <%= green('[+]') %> <%= finding %>
5
6
  <% if finding.confidence > 0 -%>
6
7
  | Confidence: <%= finding.confidence %>%
7
8
  <% end -%>
@@ -18,4 +19,5 @@ Interesting Findings: <%= @findings.size %>
18
19
  <% end -%>
19
20
  <%= render('_array', a: finding.references, s: 'Reference', p: 'References') -%>
20
21
  <%= render('_array', a: finding.interesting_entries, s: 'Interesting Entry', p: 'Interesting Entries') -%>
22
+ <% end -%>
21
23
  <% end %>
@@ -1,4 +1,4 @@
1
- "interesting_files": [
1
+ "interesting_findings": [
2
2
  <% unless @findings.empty? -%>
3
3
  {
4
4
  <% last_index = @findings.size - 1 %>
@@ -37,9 +37,9 @@ module CMSScanner
37
37
  # @return [ Hash ]
38
38
  def default_request_params
39
39
  params = {
40
- ssl_verifypeer: false, # Disable SSL-Certificate checks
41
- ssl_verifyhost: 2, # Disable SSL-Certificate checks
42
- headers: { 'User-Agent' => user_agent }
40
+ ssl_verifypeer: false, ssl_verifyhost: 2, # Disable SSL-Certificate checks
41
+ headers: { 'User-Agent' => user_agent },
42
+ method: :get
43
43
  }
44
44
 
45
45
  { connecttimeout: :connect_timeout, cache_ttl: :cache_ttl,
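Review bot: The merged comment on `ssl_verifypeer: false, ssl_verifyhost: 2, # Disable SSL-Certificate checks` now covers both options, but in libcurl a verifyhost value of 2 turns host-name matching on (0 disables it), so it misstates the second setting. With `ssl_verifypeer: false` in the default parameters, requests accept any certificate chain, so scan results and any credentials or cookies sent are exposed to an on-path party; nothing in this hunk lets the caller switch validation back on. I would split the comment, e.g. `ssl_verifypeer: false, # certificate chain is NOT validated` and `ssl_verifyhost: 2, # host name is still matched against the certificate`, and consider an option that enables verification. `default_request_params` continues past the end of the hunk, so an override further down cannot be ruled out.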
@@ -1,5 +1,3 @@
1
- require 'cms_scanner/finders/confidence'
2
-
3
1
  module CMSScanner
4
2
  module Finders
5
3
  # Finding
@@ -24,14 +22,14 @@ module CMSScanner
24
22
  @interesting_entries ||= []
25
23
  end
26
24
 
27
- # @return [ Confidence ]
25
+ # @return [ Integer ]
28
26
  def confidence
29
- @confidence ||= Confidence.new(0)
27
+ @confidence ||= 0
30
28
  end
31
29
 
32
- # @param [ Integer, Confidence ] value
30
+ # @param [ Integer ] value
33
31
  def confidence=(value)
34
- @confidence = value.is_a?(Confidence) ? value : Confidence.new(value)
32
+ @confidence = value >= 100 ? 100 : value
35
33
  end
36
34
 
37
35
  # @param [ Hash ] opts
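Review bot: `confidence=` caps only the upper bound (`value >= 100 ? 100 : value`), so a negative value is stored as is and `nil` raises NoMethodError on `>=`, where the removed `Confidence.new(value)` wrapped any value. Since the CLI view prints the number as a percentage, bounding both ends is safer: `@confidence = [[value, 0].max, 100].min`. With the `Confidence` class gone, any code outside this diff that combined confidences with `+` presumably now does plain integer addition and is only capped when the result passes through this setter. The rest of the module lies outside the hunk.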
@@ -22,8 +22,8 @@ module CMSScanner
22
22
  # @param [ Hash ] opts
23
23
  #
24
24
  # @return [ Findings ]
25
- def interesting_files(opts = {})
26
- @interesting_files ||= NS::Finders::InterestingFiles::Base.find(self, opts)
25
+ def interesting_findings(opts = {})
26
+ @interesting_findings ||= NS::Finders::InterestingFindings::Base.find(self, opts)
27
27
  end
28
28
 
29
29
  # @param [ Regexp ] pattern
@@ -5,15 +5,35 @@ module CMSScanner
5
5
  module PHP
6
6
  DEBUG_LOG_PATTERN = /\[[^\]]+\] PHP (?:Warning|Error|Notice):/
7
7
  FPD_PATTERN = /Fatal error:.+? in (.+?) on/
8
+ ERROR_LOG_PATTERN = /PHP Fatal error/i
8
9
 
9
10
  # @param [ String ] path
11
+ # @param [ Regexp ] pattern
10
12
  # @param [ Hash ] params The request params
11
13
  #
12
- # @return [ Boolean ] true if url(path) is a debug log, false otherwise
13
- def debug_log?(path = nil, params = {})
14
+ # @return [ Boolean ]
15
+ def log_file?(path, pattern, params = {})
16
+ # Only the first 700 bytes of the file are retrieved to avoid getting enture log file
17
+ # which can be huge (~ 2Go)
14
18
  res = NS::Browser.get(url(path), params.merge(headers: { 'range' => 'bytes=0-700' }))
15
19
 
16
- res.body =~ DEBUG_LOG_PATTERN ? true : false
20
+ res.body =~ pattern ? true : false
21
+ end
22
+
23
+ # @param [ String ] path
24
+ # @param [ Hash ] params The request params
25
+ #
26
+ # @return [ Boolean ] true if url(path) is a debug log, false otherwise
27
+ def debug_log?(path, params = {})
28
+ log_file?(path, DEBUG_LOG_PATTERN, params)
29
+ end
30
+
31
+ # @param [ String ] path
32
+ # @param [ Hash ] params The request params
33
+ #
34
+ # @return [ Boolean ] Wether or not url(path) is an error log file
35
+ def error_log?(path, params = {})
36
+ log_file?(path, ERROR_LOG_PATTERN, params)
17
37
  end
18
38
 
19
39
  # @param [ String ] path
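Review bot: `log_file?` relies on the `range` header to keep the download small, but Range is advisory and a server that ignores it answers with the whole file, which the comment itself puts at around 2 GB; nothing in the method checks the status code or bounds `res.body`. The comment should say so and lose its typo: `# Request only the first bytes (Range: bytes=0-700); a server may ignore Range and send the entire log`, and `Wether` in the `error_log?` doc should read `Whether`. `params.merge(headers: ...)` also replaces any `:headers` the caller passed rather than adding to them. `debug_log?` lost its `path = nil` default, so a caller that relied on it now raises ArgumentError.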
@@ -1,4 +1,4 @@
1
1
  # Version
2
2
  module CMSScanner
3
- VERSION = '0.0.19'
3
+ VERSION = '0.0.20'
4
4
  end
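--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cms_scanner
  version: !ruby/object:Gem::Version
- version: 0.0.19
+ version: 0.0.20
  platform: ruby
  authors:
  - WPScanTeam - Erwan Le Rousseau
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-03-06 00:00:00.000000000 Z
+ date: 2015-03-13 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: opt_parse_validator
@@ -219,14 +219,14 @@ files:
  - app/controllers.rb
  - app/controllers/core.rb
  - app/controllers/core/cli_options.rb
- - app/controllers/interesting_files.rb
+ - app/controllers/interesting_findings.rb
  - app/finders.rb
- - app/finders/interesting_files.rb
- - app/finders/interesting_files/fantastico_fileslist.rb
- - app/finders/interesting_files/headers.rb
- - app/finders/interesting_files/robots_txt.rb
- - app/finders/interesting_files/search_replace_db_2.rb
- - app/finders/interesting_files/xml_rpc.rb
+ - app/finders/interesting_findings.rb
+ - app/finders/interesting_findings/fantastico_fileslist.rb
+ - app/finders/interesting_findings/headers.rb
+ - app/finders/interesting_findings/robots_txt.rb
+ - app/finders/interesting_findings/search_replace_db_2.rb
+ - app/finders/interesting_findings/xml_rpc.rb
  - app/formatters.rb
  - app/formatters/cli.rb
  - app/formatters/cli_no_colour.rb
@@ -234,19 +234,19 @@ files:
  - app/models.rb
  - app/models/fantastico_fileslist.rb
  - app/models/headers.rb
- - app/models/interesting_file.rb
+ - app/models/interesting_finding.rb
  - app/models/robots_txt.rb
  - app/models/version.rb
  - app/models/xml_rpc.rb
  - app/views/cli/core/banner.erb
  - app/views/cli/core/finished.erb
  - app/views/cli/core/started.erb
- - app/views/cli/interesting_files/_array.erb
- - app/views/cli/interesting_files/findings.erb
+ - app/views/cli/interesting_findings/_array.erb
+ - app/views/cli/interesting_findings/findings.erb
  - app/views/cli/scan_aborted.erb
  - app/views/json/core/finished.erb
  - app/views/json/core/started.erb
- - app/views/json/interesting_files/findings.erb
+ - app/views/json/interesting_findings/findings.erb
  - app/views/json/scan_aborted.erb
  - cms_scanner.gemspec
  - lib/cms_scanner.rb
@@ -259,7 +259,6 @@ files:
  - lib/cms_scanner/controllers.rb
  - lib/cms_scanner/errors/auth_errors.rb
  - lib/cms_scanner/finders.rb
- - lib/cms_scanner/finders/confidence.rb
  - lib/cms_scanner/finders/finder.rb
  - lib/cms_scanner/finders/finder/enumerator.rb
  - lib/cms_scanner/finders/finder/fingerprinter.rb
@@ -312,7 +311,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.4.5
+ rubygems_version: 2.4.6
  signing_key:
  specification_version: 4
  summary: Experimental CMSScanner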
@@ -1,23 +0,0 @@
1
- require_relative 'interesting_files/headers'
2
- require_relative 'interesting_files/robots_txt'
3
- require_relative 'interesting_files/fantastico_fileslist'
4
- require_relative 'interesting_files/search_replace_db_2'
5
- require_relative 'interesting_files/xml_rpc'
6
-
7
- module CMSScanner
8
- module Finders
9
- module InterestingFiles
10
- # Interesting Files Finder
11
- class Base
12
- include IndependentFinder
13
-
14
- # @param [ CMSScanner::Target ] target
15
- def initialize(target)
16
- %w(Headers RobotsTxt FantasticoFileslist SearchReplaceDB2 XMLRPC).each do |f|
17
- finders << NS.const_get("Finders::InterestingFiles::#{f}").new(target)
18
- end
19
- end
20
- end
21
- end
22
- end
23
- end
@@ -1,81 +0,0 @@
1
- module CMSScanner
2
- module Finders
3
- # Confidence
4
- class Confidence < Numeric
5
- attr_reader :value
6
-
7
- def initialize(value)
8
- @value = value
9
- end
10
-
11
- # @param [ Integer, Confidence ] other
12
- #
13
- # TODO: rework the formula which is weak when the value to add is < the current confidence
14
- # e.g: 90 + 50 + 30 => 82
15
- #
16
- # @return [ Confidence ] A new Confidence
17
- def +(other)
18
- return Confidence.new(100) if @value == 100
19
-
20
- to_add = other_value(other)
21
- new_value = (@value + to_add) / 1.5
22
- new_value = 100 if new_value > 100 || to_add == 100
23
-
24
- Confidence.new(new_value.floor)
25
- end
26
-
27
- #
28
- ## Convenient Methods
29
- #
30
- #:nocov:
31
- def to_s
32
- @value.to_s
33
- end
34
-
35
- def to_json
36
- @value.to_json
37
- end
38
-
39
- # @param [ Integer, Confidence ] other
40
- def other_value(other)
41
- other.is_a?(Confidence) ? other.value : other
42
- end
43
-
44
- # @param [ Integer, Confidence ] other
45
- def ==(other)
46
- @value == other_value(other)
47
- end
48
-
49
- # @param [ Integer, Confidence ] other
50
- def eql?(other)
51
- @value.eql?(other_value(other))
52
- end
53
-
54
- # @param [ Integer, Confidence ] other
55
- def <(other)
56
- @value < other_value(other)
57
- end
58
-
59
- # @param [ Integer, Confidence ] other
60
- def <=(other)
61
- @value <= other_value(other)
62
- end
63
-
64
- # @param [ Integer, Confidence ] other
65
- def >(other)
66
- @value > other_value(other)
67
- end
68
-
69
- # @param [ Integer, Confidence ] other
70
- def >=(other)
71
- @value >= other_value(other)
72
- end
73
-
74
- # @param [ Integer, Confidence ] other
75
- def <=>(other)
76
- @value <=> other_value(other)
77
- end
78
- #:nocov:
79
- end
80
- end
81
- end