new_cms_scanner 0.13.7

data/lib/cms_scanner/browser.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require 'cms_scanner/browser/actions'
+require 'cms_scanner/browser/options'
+
+module CMSScanner
+  # Singleton used to perform HTTP/HTTPS request to the target
+  class Browser
+    extend Actions
+
+    # @param [ Hash ] parsed_options
+    #
+    # @return [ Void ]
+    def initialize(parsed_options = {})
+      self.throttle = 0
+
+      load_options(parsed_options.dup)
+    end
+
+    private_class_method :new
+
+    # @param [ Hash ] parsed_options
+    #
+    # @return [ Browser ] The instance
+    def self.instance(parsed_options = {})
+      @@instance ||= new(parsed_options)
+    end
+
+    def self.reset
+      @@instance = nil
+    end
+
+    # @param [ String ] url
+    # @param [ Hash ] params
+    #
+    # @return [ Typhoeus::Request ]
+    def forge_request(url, params = {})
+      Typhoeus::Request.new(url, request_params(params))
+    end
+
+    # @return [ Hash ] The request params used to connect tothe  target as well as potential other systems such as API
+    def default_connect_request_params
+      params = {}
+
+      if disable_tls_checks
+        # See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
+        params[:ssl_verifypeer] = false
+        params[:ssl_verifyhost] = 0
+        # TLSv1.0 and plus, allows to use a protocol potentially lower than the OS default
+        params[:sslversion] = :tlsv1
+      end
+
+      {
+        connecttimeout: :connect_timeout, cache_ttl: :cache_ttl,
+        proxy: :proxy, timeout: :request_timeout
+      }.each do |typhoeus_opt, browser_opt|
+        attr_value = public_send(browser_opt)
+        params[typhoeus_opt] = attr_value unless attr_value.nil?
+      end
+
+      params
+    end
+
+    # @return [ Hash ]
+    # The params are not cached (using @params ||= for example), so that they are set accordingly if updated
+    # by a controller/other piece of code
+    def default_request_params
+      params = default_connect_request_params.merge(
+        headers: { 'User-Agent' => user_agent, 'Referer' => url }.merge(headers || {}),
+        accept_encoding: 'gzip, deflate',
+        method: :get
+      )
+
+      { cookiejar: :cookie_jar, cookiefile: :cookie_jar, cookie: :cookie_string }.each do |typhoeus_opt, browser_opt|
+        attr_value = public_send(browser_opt)
+        params[typhoeus_opt] = attr_value unless attr_value.nil?
+      end
+
+      params[:proxyuserpwd] = "#{proxy_auth[:username]}:#{proxy_auth[:password]}" if proxy_auth
+      params[:userpwd] = "#{http_auth[:username]}:#{http_auth[:password]}" if http_auth
+
+      params[:headers]['Host'] = vhost if vhost
+
+      params
+    end
+
+    # @param [ Hash ] params
+    #
+    # @return [ Hash ]
+    def request_params(params = {})
+      default_request_params.merge(params) do |key, oldval, newval|
+        key == :headers ? oldval.merge(newval) : newval
+      end
+    end
+  end
+end

data/lib/cms_scanner/cache/file_store.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Cache
+    # Cache Implementation using files
+    class FileStore
+      attr_reader :storage_path, :serializer
+
+      # The serializer must have the 2 methods #load and #dump
+      #   (Marshal and YAML have them)
+      # YAML is Human Readable, contrary to Marshal which store in a binary format
+      # Marshal does not need any "require"
+      #
+      # @param [ String ] storage_path
+      # @param [ Constant ] serializer
+      def initialize(storage_path, serializer = Marshal)
+        @storage_path = File.expand_path(storage_path)
+        @serializer   = serializer
+
+        FileUtils.mkdir_p(@storage_path) unless Dir.exist?(@storage_path)
+      end
+
+      # TODO: rename this to clear ?
+      def clean
+        Dir[File.join(storage_path, '*')].each do |f|
+          File.delete(f) unless File.symlink?(f)
+        end
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ Mixed ]
+      def read_entry(key)
+        return if expired_entry?(key)
+
+        serializer.load(File.read(entry_path(key)))
+      rescue StandardError
+        nil
+      end
+
+      # @param [ String ] key
+      # @param [ Mixed ] data_to_store
+      # @param [ Integer ] cache_ttl
+      def write_entry(key, data_to_store, cache_ttl)
+        return unless cache_ttl.to_i.positive?
+
+        File.write(entry_path(key), serializer.dump(data_to_store))
+        File.write(entry_expiration_path(key), Time.now.to_i + cache_ttl)
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ String ] The file path associated to the key
+      def entry_path(key)
+        File.join(storage_path, key)
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ String ] The expiration file path associated to the key
+      def entry_expiration_path(key)
+        "#{entry_path(key)}.expiration"
+      end
+
+      private
+
+      # @param [ String ] key
+      #
+      # @return [ Boolean ]
+      def expired_entry?(key)
+        File.read(entry_expiration_path(key)).to_i <= Time.now.to_i
+      rescue StandardError
+        true
+      end
+    end
+  end
+end

data/lib/cms_scanner/cache/typhoeus.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'cms_scanner/cache/file_store'
+
+module CMSScanner
+  module Cache
+    # Cache implementation for Typhoeus
+    class Typhoeus < FileStore
+      # @param [ Typhoeus::Request ] request
+      #
+      # @return [ Typhoeus::Response ]
+      def get(request)
+        read_entry(request.hash.to_s)
+      end
+
+      # @param [ Typhoeus::Request ] request
+      # @param [ Typhoeus::Response ] response
+      def set(request, response)
+        return if response.timed_out? || response.code&.zero?
+
+        write_entry(request.hash.to_s, response, request.cache_ttl)
+      end
+    end
+  end
+end

data/lib/cms_scanner/controller.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Controller
+    # Base Controller
+    class Base
+      include OptParseValidator
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_options; end
+
+      def before_scan; end
+
+      def run; end
+
+      def after_scan; end
+
+      def ==(other)
+        self.class == other.class
+      end
+
+      # Reset all the class attibutes
+      # Currently only used in specs
+      def self.reset
+        @@target    = nil
+        @@datastore = nil
+        @@formatter = nil
+      end
+
+      # @return [ Target ]
+      def target
+        @@target ||= NS::Target.new(NS::ParsedCli.url, NS::ParsedCli.options)
+      end
+
+      # @param [ OptParsevalidator::OptParser ] parser
+      def self.option_parser=(parser)
+        @@option_parser = parser
+      end
+
+      # @return [ OptParsevalidator::OptParser ]
+      def option_parser
+        @@option_parser
+      end
+
+      # @return [ Hash ]
+      def datastore
+        @@datastore ||= {}
+      end
+
+      # @return [ Formatter::Base ]
+      def formatter
+        @@formatter ||= NS::Formatter.load(NS::ParsedCli.format, datastore[:views])
+      end
+
+      # @see Formatter#output
+      #
+      # @return [ Void ]
+      def output(tpl, vars = {})
+        formatter.output(*tpl_params(tpl, vars))
+      end
+
+      # @see Formatter#render
+      #
+      # @return [ String ]
+      def render(tpl, vars = {})
+        formatter.render(*tpl_params(tpl, vars))
+      end
+
+      # @return [ Boolean ]
+      def user_interaction?
+        formatter.user_interaction? && !NS::ParsedCli.output
+      end
+
+      # @return [ String ]
+      def tmp_directory
+        File.join('/tmp', NS.app_name)
+      end
+
+      protected
+
+      # @param [ String ] tpl
+      # @param [ Hash ] vars
+      #
+      # @return [ Array<String> ]
+      def tpl_params(tpl, vars)
+        [
+          tpl,
+          instance_variable_values.merge(vars),
+          self.class.name.demodulize.underscore
+        ]
+      end
+
+      # @return [ Hash ] All the instance variable keys (and their values) and the verbose value
+      def instance_variable_values
+        h = { verbose: NS::ParsedCli.verbose }
+        instance_variables.each do |a|
+          s    = a.to_s
+          n    = s[1..s.size]
+          h[n.to_sym] = instance_variable_get(a)
+        end
+        h
+      end
+    end
+  end
+end

data/lib/cms_scanner/controllers.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # Controllers Container
+  class Controllers < Array
+    attr_reader :option_parser, :running
+
+    # @param [ OptParsevalidator::OptParser ] options_parser
+    def initialize(option_parser = OptParseValidator::OptParser.new(nil, 40))
+      @option_parser = option_parser
+
+      register_config_files
+
+      option_parser.config_files.result_key = 'cli_options'
+    end
+
+    # Adds the potential option file paths to the option_parser
+    def register_config_files
+      [Dir.home, Dir.pwd].each do |dir|
+        option_parser.config_files.class.supported_extensions.each do |ext|
+          option_parser.config_files << Pathname.new(dir).join(".#{NS.app_name}", "scan.#{ext}").to_s
+        end
+      end
+    end
+
+    # @param [ Controller::Base ] controller
+    #
+    # @retun [ Controllers ] self
+    def <<(controller)
+      options = controller.cli_options
+
+      unless include?(controller)
+        option_parser.add(*options) if options
+        super(controller)
+      end
+      self
+    end
+
+    def run
+      NS::ParsedCli.options     = option_parser.results
+      first.class.option_parser = option_parser # To be able to output the help when -h/--hh
+
+      redirect_output_to_file(NS::ParsedCli.output) if NS::ParsedCli.output
+
+      Timeout.timeout(NS::ParsedCli.max_scan_duration, NS::Error::MaxScanDurationReached) do
+        each(&:before_scan)
+
+        @running = true
+
+        each(&:run)
+      end
+    ensure
+      # The rescue is there to prevent unfinished requests to raise an error, which would prevent
+      # the reverse_each to run
+      # rubocop:disable Style/RescueModifier
+      NS::Browser.instance.hydra.abort rescue nil
+      # rubocop:enable Style/RescueModifier
+
+      # Reverse is used here as the app/controllers/core#after_scan finishes the output
+      # and must be the last one to be executed. It also guarantee that stats will be output
+      # even when an error occurs, which could help in debugging.
+      # However, the #after_scan methods are only executed if the scan was running, and won't be
+      # called when there is a CLI error, or just -h/--hh/--version for example
+      reverse_each(&:after_scan) if running
+    end
+  end
+end

data/lib/cms_scanner/errors/http.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Error
+    # Target Down Error
+    class TargetDown < Standard
+      attr_reader :response
+
+      def initialize(response)
+        @response = response
+      end
+
+      def to_s
+        "The url supplied '#{response.request.url}' seems to be down (#{response.return_message})"
+      end
+    end
+
+    # HTTP Authentication Required Error
+    class HTTPAuthRequired < Standard
+      # :nocov:
+      def to_s
+        'HTTP authentication required (or was invalid), please provide it with --http-auth'
+      end
+      # :nocov:
+    end
+
+    # Proxy Authentication Required Error
+    class ProxyAuthRequired < Standard
+      # :nocov:
+      def to_s
+        'Proxy authentication required (or was invalid), please provide it with --proxy-auth'
+      end
+      # :nocov:
+    end
+
+    # Access Forbidden Error
+    class AccessForbidden < Standard
+      attr_reader :random_user_agent_used
+
+      # @param [ Boolean ] random_user_agent_used
+      def initialize(random_user_agent_used)
+        @random_user_agent_used = random_user_agent_used
+      end
+
+      def to_s
+        msg = if random_user_agent_used
+                'Well... --random-user-agent didn\'t work, use --force to skip this check if needed.'
+              else
+                'Please re-try with --random-user-agent'
+              end
+
+        "The target is responding with a 403, this might be due to a WAF. #{msg}"
+      end
+    end
+
+    # HTTP Redirect Error
+    class HTTPRedirect < Standard
+      attr_reader :redirect_uri
+
+      # @param [ String ] url
+      def initialize(url)
+        @redirect_uri = Addressable::URI.parse(url).normalize
+      end
+
+      def to_s
+        "The URL supplied redirects to #{redirect_uri}. Use the --ignore-main-redirect "\
+          'option to ignore the redirection and scan the target, or change the --url option ' \
+          'value to the redirected URL.'
+      end
+    end
+  end
+end

data/lib/cms_scanner/errors/scan.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Error
+    # Used instead of the Timeout::Error
+    class MaxScanDurationReached < Standard
+      # :nocov:
+      def to_s
+        'Max Scan Duration Reached'
+      end
+      # :nocov:
+    end
+  end
+end

data/lib/cms_scanner/errors.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Error
+    class Standard < StandardError
+    end
+  end
+end
+
+require_relative 'errors/http'
+require_relative 'errors/scan'

data/lib/cms_scanner/exit_code.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # Exit Code Values
+  module ExitCode
+    # No error, scan finished w/o any vulnerabilies found
+    OK               = 0
+
+    # All exceptions raised by OptParseValidator and OptionParser
+    CLI_OPTION_ERROR = 1
+
+    # Interrupt received
+    INTERRUPTED      = 2
+
+    # Unhandled/unexpected Exception occured
+    EXCEPTION        = 3
+
+    # Error, scan did not finish
+    ERROR            = 0
+
+    # The target has at least one vulnerability.
+    # Currently, the interesting findings do not count as vulnerable things
+    VULNERABLE       = 0
+  end
+end

data/lib/cms_scanner/finders/base_finders.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    # Base class container for the Finders (i.e IndependentFinders etc)
+    class BaseFinders < Array
+      # @return [ Findings ]
+      def findings
+        @findings ||= NS::Finders::Findings.new
+      end
+
+      # Should be implemented in child classes
+      def run; end
+
+      protected
+
+      # @param [ Symbol ] mode :mixed, :passive or :aggressive
+      # @return [ Array<Symbol> ] The symbols to call for the mode
+      def symbols_from_mode(mode)
+        symbols = %i[passive aggressive]
+
+        return symbols if mode.nil? || mode == :mixed
+
+        symbols.include?(mode) ? Array(mode) : []
+      end
+
+      # @param [ CMSScanner::Finders::Finder ] finder
+      # @param [ Symbol ] symbol See return values of #symbols_from_mode
+      # @param [ Hash ] opts
+      def run_finder(finder, symbol, opts)
+        Array(finder.send(symbol, opts.merge(found: findings))).compact.each do |found|
+          findings << found
+        end
+      end
+
+      # Allow child classes to filter the findings, such as return the best one
+      # or remove the low confidence ones.
+      #
+      # @return [ Findings ]
+      def filter_findings
+        findings
+      end
+    end
+  end
+end

data/lib/cms_scanner/finders/finder/breadth_first_dictionary_attack.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    class Finder
+      # Module to provide an easy way to perform password attacks
+      module BreadthFirstDictionaryAttack
+        # @param [ Array<CMSScanner::Model::User> ] users
+        # @param [ String ] wordlist_path
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @yield [ CMSScanner::User ] When a valid combination is found
+        #
+        # Due to Typhoeus threads shenanigans, in rare cases the progress-bar might
+        # be incorrectly updated, hence the 'rescue ProgressBar::InvalidProgressError'
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, wordlist_path, opts = {})
+          wordlist = File.open(wordlist_path)
+
+          create_progress_bar(total: users.size * wordlist.count, show_progression: opts[:show_progression])
+
+          queue_count         = 0
+          # Keep the number of requests sent for each users
+          # to be able to correctly update the progress when a password is found
+          user_requests_count = {}
+
+          users.each { |u| user_requests_count[u.username] = 0 }
+
+          File.foreach(wordlist, chomp: true) do |password|
+            remaining_users = users.select { |u| u.password.nil? }
+
+            break if remaining_users.empty?
+
+            remaining_users.each do |user|
+              request = login_request(user.username, password)
+
+              user_requests_count[user.username] += 1
+
+              request.on_complete do |res|
+                progress_bar.title = "Trying #{user.username} / #{password}"
+
+                progress_bar.increment unless progress_bar.progress == progress_bar.total
+
+                if valid_credentials?(res)
+                  user.password = password
+
+                  begin
+                    progress_bar.total -= wordlist.count - user_requests_count[user.username]
+                  rescue ProgressBar::InvalidProgressError
+                  end
+
+                  yield user
+                elsif errored_response?(res)
+                  output_error(res)
+                end
+              end
+
+              hydra.queue(request)
+              queue_count += 1
+
+              if queue_count >= hydra.max_concurrency
+                hydra.run
+                queue_count = 0
+              end
+            end
+          end
+
+          hydra.run
+          progress_bar.stop
+        end
+        # rubocop:enable all
+
+        # @param [ String ] username
+        # param [ String ] password
+        #
+        # @return [ Typhoeus::Request ]
+        def login_request(username, password)
+          # To Implement in the finder related to the attack
+        end
+
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Boolean ] Whether or not credentials related to the request are valid
+        def valid_credentials?(response)
+          # To Implement in the finder related to the attack
+        end
+
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Boolean ] Whether or not something wrong happened
+        #                     other than wrong credentials
+        def errored_response?(response)
+          # To Implement in the finder related to the attack
+        end
+
+        protected
+
+        # @param [ Typhoeus::Response ] response
+        def output_error(response)
+          error = if response.timed_out?
+                    'Request timed out.'
+                  elsif response.code.zero?
+                    "No response from remote server. WAF/IPS? (#{response.return_message})"
+                  elsif response.code.to_s.start_with?('50')
+                    'Server error, try reducing the number of threads.'
+                  elsif NS::ParsedCli.verbose?
+                    "Unknown response received Code: #{response.code}\nBody: #{response.body}"
+                  else
+                    "Unknown response received Code: #{response.code}"
+                  end
+
+          progress_bar.log("Error: #{error}")
+        end
+      end
+    end
+  end
+end