new_cms_scanner 0.13.7

data/lib/cms_scanner/formatter.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'cms_scanner/formatter/buffer'
+
+module CMSScanner
+  # Formatter
+  module Formatter
+    # Module to be able to do Formatter.load() & Formatter.availables
+    # and do that as well when the Formatter is included in another module
+    module ClassMethods
+      # @param [ String ] format
+      # @param [ Array<String> ] custom_views
+      #
+      # @return [ Formatter::Base ]
+      def load(format = nil, custom_views = nil)
+        format ||= 'cli'
+        custom_views ||= []
+
+        f = const_get(format.tr('-', '_').camelize).new
+        custom_views.each { |v| f.views_directories << v }
+        f
+      end
+
+      # @return [ Array<String> ] The list of the available formatters (except the Base one)
+      # @note: the #load method above should then be used to create the associated formatter
+      def availables
+        formatters = NS::Formatter.constants.select do |const|
+          name = NS::Formatter.const_get(const)
+          name.is_a?(Class) && name != NS::Formatter::Base
+        end
+
+        formatters.map { |sym| sym.to_s.underscore.dasherize }
+      end
+    end
+
+    extend ClassMethods
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    # This module should be implemented in the code which uses this Framework to
+    # be able to override/implements instance methods for all the Formatters
+    # w/o having to include/write the methods in each formatters.
+    #
+    # Example: to override the #views_directories (see the wpscan-v3/lib/wpscan/formatter.rb)
+    module InstanceMethods
+    end
+
+    # Base Formatter
+    class Base
+      attr_reader :controller_name
+
+      def initialize
+        # Can't put this at the top level of the class, due to the NS::
+        extend NS::Formatter::InstanceMethods
+      end
+
+      # @return [ String ] The underscored name of the class
+      def format
+        self.class.name.demodulize.underscore
+      end
+
+      # @return [ Boolean ]
+      def user_interaction?
+        format == 'cli'
+      end
+
+      # @return [ String ] The underscored format to use as a base
+      def base_format; end
+
+      # @return [ Array<String> ]
+      def formats
+        [format, base_format].compact
+      end
+
+      # This is called after the scan
+      # and used in some formatters (e.g JSON)
+      # to indent results
+      def beautify; end
+
+      # @see #render
+      def output(tpl, vars = {}, controller_name = nil)
+        puts render(tpl, vars, controller_name)
+      end
+
+      ERB_SUPPORTS_KVARGS = ::ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+
+      # @param [ String ] tpl
+      # @param [ Hash ] vars
+      # @param [ String ] controller_name
+      def render(tpl, vars = {}, controller_name = nil)
+        template_vars(vars)
+        @controller_name = controller_name if controller_name
+
+        # '-' is used to disable new lines when -%> is used
+        # See http://www.ruby-doc.org/stdlib-2.1.1/libdoc/erb/rdoc/ERB.html
+        # Since ruby 2.6, KVARGS are supported and passing argument is deprecated in ruby 3+
+        if ERB_SUPPORTS_KVARGS
+          ERB.new(File.read(view_path(tpl)), trim_mode: '-').result(binding)
+        else
+          ERB.new(File.read(view_path(tpl)), nil, '-').result(binding)
+        end
+      end
+
+      # @param [ Hash ] vars
+      #
+      # @return [ Void ]
+      def template_vars(vars)
+        vars.each do |key, value|
+          instance_variable_set("@#{key}", value) unless key == :views_directories
+        end
+      end
+
+      # @param [ String ] tpl
+      #
+      # @return [ String ] The path of the view
+      def view_path(tpl)
+        if tpl[0, 1] == '@' # Global Template
+          tpl = tpl.delete('@')
+        else
+          raise 'The controller_name can not be nil' unless controller_name
+
+          tpl = "#{controller_name}/#{tpl}"
+        end
+
+        raise "Wrong tpl format: '#{tpl}'" unless %r{\A[\w/_]+\z}.match?(tpl)
+
+        views_directories.reverse_each do |dir|
+          formats.each do |format|
+            potential_file = File.join(dir, format, "#{tpl}.erb")
+
+            return potential_file if File.exist?(potential_file)
+          end
+        end
+
+        raise "View not found for #{format}/#{tpl}"
+      end
+
+      # @return [ Array<String> ] The directories to look into for views
+      def views_directories
+        @views_directories ||= [
+          APP_DIR, NS::APP_DIR,
+          File.join(Dir.home, ".#{NS.app_name}"), File.join(Dir.pwd, ".#{NS.app_name}")
+        ].uniq.reduce([]) { |acc, elem| acc << Pathname.new(elem).join('views').to_s }
+      end
+    end
+  end
+end

data/lib/cms_scanner/helper.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+# @param [ String ] file The file path
+def redirect_output_to_file(file)
+  $stdout.reopen(file, 'w')
+  $stdout.sync = true
+end

data/lib/cms_scanner/numeric.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# Hack of the Numeric class
+class Numeric
+  # @return [ String ] A human readable string of the value
+  def bytes_to_human
+    units = %w[B KB MB GB TB]
+    e     = abs.zero? ? abs : (Math.log(abs) / Math.log(1024)).floor
+    s     = format('%<s>.3f', s: (abs.to_f / (1024**e)))
+
+    s.sub(/\.?0*$/, " #{units[e]}")
+  end
+end

data/lib/cms_scanner/parsed_cli.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # Class to hold the parsed CLI options and have them available via
+  # methods, such as #verbose?, rather than from the hash.
+  # This is similar to an OpenStruct, but class wise (rather than instance), and with
+  # the logic to update the Browser options accordinly
+  class ParsedCli
+    # @return [ Hash ]
+    def self.options
+      @options ||= {}
+    end
+
+    # Sets the CLI options, and put them into the Browser as well
+    # @param [ Hash ] options
+    def self.options=(options)
+      @options = options.dup || {}
+
+      NS::Browser.reset
+      NS::Browser.instance(@options)
+    end
+
+    # @return [ Boolean ]
+    def self.verbose?
+      options[:verbose] ? true : false
+    end
+
+    # Unknown methods will return nil, this is the expected behaviour
+    # rubocop:disable Style/MissingRespondToMissing
+    def self.method_missing(method_name, *_args, &_block)
+      super if method_name == :new
+
+      options[method_name.to_sym]
+    end
+    # rubocop:enable Style/MissingRespondToMissing
+  end
+end

data/lib/cms_scanner/progressbar_null_output.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'ruby-progressbar/outputs/null'
+
+module CMSScanner
+  # Adds the feature to log message sent to #log
+  # So they can be retrieved at some point, like after a password attack with a JSON output
+  # which won't display the progressbar but still call #log for errors etc
+  class ProgressBarNullOutput < ::ProgressBar::Outputs::Null
+    # @retutn [ Array<String> ]
+    def logs
+      @logs ||= []
+    end
+
+    # Override of parent method
+    # @return [ Array<String> ] return the logs when no string provided
+    def log(string = nil)
+      return logs if string.nil?
+
+      logs << string unless logs.include?(string)
+    end
+  end
+end

data/lib/cms_scanner/public_suffix/domain.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module PublicSuffix
+  # Monkey Patch to include the match logic
+  class Domain
+    # For Sanity
+    def ==(other)
+      name == other.name
+    end
+
+    # @return [ Boolean ]
+    #
+    def match(pattern)
+      pattern = PublicSuffix.parse(pattern) unless pattern.is_a?(PublicSuffix::Domain)
+
+      return name == pattern.name unless pattern.trd
+      return false unless tld == pattern.tld && sld == pattern.sld
+
+      matching_pattern?(pattern)
+    end
+
+    protected
+
+    # @rturn [ Boolean ]
+    def matching_pattern?(pattern)
+      pattern_trds = pattern.trd.split('.')
+      domain_trds  = trd.split('.')
+
+      case pattern_trds.first
+      when '*'
+        pattern_trds[1..-1] == domain_trds[1..-1]
+      when '**'
+        pa = pattern_trds[1..-1]
+        pa_size = pa.size
+
+        domain_trds[domain_trds.size - pa_size, pa_size] == pa
+      else
+        name == pattern.name
+      end
+    end
+  end
+end

data/lib/cms_scanner/references.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # References related to the issue
+  module References
+    extend ActiveSupport::Concern
+
+    # See ActiveSupport::Concern
+    module ClassMethods
+      # @return [ Array<Symbol> ]
+      def references_keys
+        @references_keys ||= %i[cve exploitdb url metasploit packetstorm securityfocus youtube]
+      end
+    end
+
+    # @param [ Hash ] refs
+    def references=(refs)
+      @references = {}
+
+      self.class.references_keys.each do |key|
+        next unless refs.key?(key)
+
+        @references[key] = if key == :youtube
+                             Array(refs[:youtube]).map { |id| youtube_url(id) }
+                           else
+                             Array(refs[key]).map(&:to_s)
+                           end
+      end
+    end
+
+    # @return [ Hash ]
+    def references
+      @references ||= {}
+    end
+
+    # @return [ Array<String> ] All the references URLs
+    def references_urls
+      cve_urls + exploitdb_urls + urls + msf_urls +
+        packetstorm_urls + securityfocus_urls + youtube_urls
+    end
+
+    # @return [ Array<String> ] The CVEs
+    def cves
+      references[:cve] || []
+    end
+
+    # @return [ Array<String> ]
+    def cve_urls
+      cves.reduce([]) { |acc, elem| acc << cve_url(elem) }
+    end
+
+    # @return [ String ] The URL to the CVE
+    def cve_url(cve)
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
+    end
+
+    # @return [ Array<String> ] The ExploitDB ID
+    def exploitdb_ids
+      references[:exploitdb] || []
+    end
+
+    # @return [ Array<String> ]
+    def exploitdb_urls
+      exploitdb_ids.reduce([]) { |acc, elem| acc << exploitdb_url(elem) }
+    end
+
+    # @return [ String ]
+    def exploitdb_url(id)
+      "https://www.exploit-db.com/exploits/#{id}/"
+    end
+
+    # @return [ String<Array> ]
+    def urls
+      references[:url] || []
+    end
+
+    # @return [ Array<String> ] The metasploit modules
+    def msf_modules
+      references[:metasploit] || []
+    end
+
+    # @return [ Array<String> ]
+    def msf_urls
+      msf_modules.reduce([]) { |acc, elem| acc << msf_url(elem) }
+    end
+
+    # @return [ String ] The URL to the metasploit module page
+    def msf_url(mod)
+      "https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}/"
+    end
+
+    # @return [ Array<String> ] The Packetstormsecurity IDs
+    def packetstorm_ids
+      @packetstorm_ids ||= references[:packetstorm] || []
+    end
+
+    # @return [ Array<String> ]
+    def packetstorm_urls
+      packetstorm_ids.reduce([]) { |acc, elem| acc << packetstorm_url(elem) }
+    end
+
+    # @return [ String ]
+    def packetstorm_url(id)
+      "https://packetstormsecurity.com/files/#{id}/"
+    end
+
+    # @return [ Array<String> ] The Security Focus IDs
+    def securityfocus_ids
+      references[:securityfocus] || []
+    end
+
+    # @return [ Array<String> ]
+    def securityfocus_urls
+      securityfocus_ids.reduce([]) { |acc, elem| acc << securityfocus_url(elem) }
+    end
+
+    # @return [ String ]
+    def securityfocus_url(id)
+      "https://www.securityfocus.com/bid/#{id}/"
+    end
+
+    # @return [ Array<String> ]
+    def youtube_urls
+      references[:youtube] || []
+    end
+
+    # @return [ String ]
+    def youtube_url(id)
+      "https://www.youtube.com/watch?v=#{id}"
+    end
+  end
+end

data/lib/cms_scanner/scan.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # Scan
+  class Scan
+    attr_reader :run_error
+
+    def initialize
+      NS.start_memory = GetProcessMem.new.bytes
+
+      controllers << NS::Controller::Core.new
+
+      exit_hook
+
+      yield self if block_given?
+    end
+
+    # @return [ Controllers ]
+    def controllers
+      @controllers ||= NS::Controllers.new
+    end
+
+    def run
+      controllers.run
+    rescue OptParseValidator::NoRequiredOption => e
+      @run_error = e
+
+      formatter.output('@usage', msg: e.message)
+    rescue NoMemoryError, ScriptError, SecurityError, SignalException, StandardError, SystemStackError => e
+      @run_error = e
+
+      output_params = {
+        reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
+        trace: e.backtrace,
+        verbose: NS::ParsedCli.verbose || run_error_exit_code == NS::ExitCode::EXCEPTION
+      }
+
+      output_params[:url] = controllers.first.target.url if NS::ParsedCli.url
+
+      formatter.output('@scan_aborted', output_params)
+    ensure
+      formatter.beautify
+    end
+
+    # Used for convenience
+    # @See Formatter
+    def formatter
+      controllers.first.formatter
+    end
+
+    # @return [ Hash ]
+    def datastore
+      controllers.first.datastore
+    end
+
+    # Hook to be able to have an exit code returned
+    # depending on the findings / errors
+    # :nocov:
+    def exit_hook
+      # Avoid hooking the exit when rspec is running, otherwise it will always return 0
+      # and Travis won't detect failed builds. Couldn't find a better way, even though
+      # some people managed to https://github.com/rspec/rspec-core/pull/410
+      return if defined?(RSpec)
+
+      at_exit do
+        exit(run_error_exit_code) if run_error
+
+        # The parsed_option[:url] must be checked to avoid raising erros when only -h/-v are given
+        exit(NS::ExitCode::VULNERABLE) if NS::ParsedCli.url && controllers.first.target.vulnerable?
+        exit(NS::ExitCode::OK)
+      end
+    end
+    # :nocov:
+
+    # @return [ Integer ] The exit code related to the run_error
+    def run_error_exit_code
+      return NS::ExitCode::CLI_OPTION_ERROR if run_error.is_a?(OptParseValidator::Error) ||
+                                               run_error.is_a?(OptionParser::ParseError)
+
+      return NS::ExitCode::INTERRUPTED if run_error.is_a?(Interrupt)
+
+      return NS::ExitCode::ERROR if run_error.is_a?(NS::Error::Standard) ||
+                                    run_error.is_a?(CMSScanner::Error::Standard)
+
+      NS::ExitCode::EXCEPTION
+    end
+  end
+end

data/lib/cms_scanner/target/hashes.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  # Scope system logic
+  class Target < WebSite
+    # @note Comments are deleted to avoid cache generation details
+    #
+    # @param [ Typhoeus::Response, String ] page
+    #
+    # @return [ String ] The md5sum of the page
+    def self.page_hash(page)
+      page = NS::Browser.get(page, followlocation: true) unless page.is_a?(Typhoeus::Response)
+
+      # Removes comments and script tags before computing the hash
+      # to remove any potential cached stuff
+      html = Nokogiri::HTML(page.body)
+      html.xpath('//script|//comment()').each(&:remove)
+
+      Digest::MD5.hexdigest(html)
+    end
+
+    # @return [ String ] The hash of the homepage
+    def homepage_hash
+      @homepage_hash ||= self.class.page_hash(url)
+    end
+
+    # @note This is used to detect potential custom 404 responding with a 200
+    # @return [ String ] The hash of a 404
+    def error_404_hash
+      @error_404_hash ||= self.class.page_hash(error_404_res)
+    end
+
+    # @param [ Typhoeus::Response, String ] page
+    # @return [ Boolean ] Wether or not the page is a the homepage or a 404 based on its md5sum
+    def homepage_or_404?(page)
+      homepage_and_404_hashes.include?(self.class.page_hash(page))
+    end
+
+    protected
+
+    def homepage_and_404_hashes
+      @homepage_and_404_hashes ||= [homepage_hash, error_404_hash].freeze
+    end
+  end
+end

data/lib/cms_scanner/target/platform/php.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  class Target < WebSite
+    module Platform
+      # Some PHP specific implementation
+      module PHP
+        DEBUG_LOG_PATTERN = /(?:\[\d{2}-[a-zA-Z]{3}-\d{4}\s\d{2}:\d{2}:\d{2}\s[A-Z]{3}\]|
+                              PHP\s(?:Fatal|Warning|Strict|Error|Notice):)/x.freeze
+        FPD_PATTERN       = /Fatal error:.+? in (.+?) on/.freeze
+        ERROR_LOG_PATTERN = /PHP Fatal error/i.freeze
+
+        # @param [ String ] path
+        # @param [ Regexp ] pattern
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ]
+        def log_file?(path, pattern, params = {})
+          # Only the first 700 bytes of the file are retrieved to avoid getting entire log file
+          # which can be huge (~ 2Go)
+          res = head_and_get(path, [200], get: params.merge(headers: { 'Range' => 'bytes=0-700' }))
+
+          res.body&.match?(pattern) ? true : false
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if  url(path) is a debug log, false otherwise
+        def debug_log?(path, params = {})
+          log_file?(path, DEBUG_LOG_PATTERN, params)
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] Wether or not url(path) is an error log file
+        def error_log?(path, params = {})
+          log_file?(path, ERROR_LOG_PATTERN, params)
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if url(path) contains a FPD, false otherwise
+        def full_path_disclosure?(path = nil, params = {})
+          !full_path_disclosure_entries(path, params).empty?
+        end
+
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The FPD found, or an empty array if none
+        def full_path_disclosure_entries(path = nil, params = {})
+          res = NS::Browser.get(url(path), params)
+
+          res.body.scan(FPD_PATTERN).flatten
+        end
+      end
+    end
+  end
+end

data/lib/cms_scanner/target/platform.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'cms_scanner/target/platform/php'