new_cms_scanner 0.13.7

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 56edd064a963293e585d678c18e58db39cbd514a56586ab7f445bc9f28d4d10b
+  data.tar.gz: 52a249bb09f8b840e67bce8e51f1f2170a1a4fc9efaf3ab9726417bb4b6ca83c
+SHA512:
+  metadata.gz: e1c015727d38e5019eeff523c3951e0b8291968b9c437c986fd483d73d012aece1bc8c92e79d3a048a17389c2d62532d8d0039b0833b1ac30b93f449b26acf09
+  data.tar.gz: 237d542e023caf48867ed491e53c51b5a63a3fbffaeb043405644c6346462ebd3b11860fc2d1cec151ae76a5c89d67d012b12c1c1adb540e8ae9078096254674

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (C) 2014-2015 - WPScanTeam
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,26 @@
+# CMSScanner
+
+[![Gem Version](https://badge.fury.io/rb/cms_scanner.svg)](https://badge.fury.io/rb/cms_scanner)
+![Build](https://github.com/wpscanteam/CMSScanner/workflows/Build/badge.svg)
+[![Coverage Status](https://img.shields.io/coveralls/wpscanteam/CMSScanner.svg)](https://coveralls.io/r/wpscanteam/CMSScanner)
+[![Code Climate](https://api.codeclimate.com/v1/badges/b90b7f9f6982792ef8d6/maintainability)](https://codeclimate.com/github/wpscanteam/CMSScanner/maintainability)
+
+The goal of this gem is to provide a quick and easy way to create a CMS/WebSite Scanner by acting like a Framework and providing classes, formatters etc.
+
+## /!\ This gem is currently Experimental /!\
+
+## A basic implementation example is available in the example folder.
+
+To start to play with it, copy all its files and folders into a new git repository and run `bundle install && rake install` inside it.
+It will create a `cmsscan` command that you can run against a target, ie `cmsscan --url https://www.google.com`
+
+
+Install Dependencies: `bundle install`
+
+## Contributing
+
+1. Fork it ( https://github.com/wpscanteam/CMSScanner/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/app/app.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Formatters
+require_relative 'formatters/cli'
+require_relative 'formatters/cli_no_colour'
+require_relative 'formatters/cli_no_color'
+require_relative 'formatters/json'
+
+# Controllers
+require_relative 'controllers/core'
+require_relative 'controllers/interesting_findings'
+
+# Models
+require_relative 'models/interesting_finding'
+require_relative 'models/robots_txt'
+require_relative 'models/fantastico_fileslist'
+require_relative 'models/search_replace_db_2'
+require_relative 'models/headers'
+require_relative 'models/xml_rpc'
+require_relative 'models/version'
+require_relative 'models/user'
+
+# Finders
+require_relative 'finders/interesting_findings'

data/app/controllers/core/cli_options.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Controller
+    # CLI Options for the Core Controller
+    class Core < Base
+      def cli_options
+        formats = NS::Formatter.availables
+
+        [
+          OptURL.new(['-u', '--url URL', 'The URL to scan'],
+                     required_unless: %i[help hh version],
+                     default_protocol: 'http'),
+          OptBoolean.new(['--force', 'Do not check if target returns a 403'])
+        ] + mixed_cli_options + [
+          OptFilePath.new(['-o', '--output FILE', 'Output to FILE'], writable: true, exists: false),
+          OptChoice.new(['-f', '--format FORMAT',
+                         'Output results in the format supplied'], choices: formats),
+          OptChoice.new(['--detection-mode MODE'],
+                        choices: %w[mixed passive aggressive],
+                        normalize: :to_sym,
+                        default: :mixed),
+          OptArray.new(['--scope DOMAINS',
+                        'Comma separated (sub-)domains to consider in scope. ',
+                        'Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld'], advanced: true)
+        ] + cli_browser_options
+      end
+
+      def mixed_cli_options
+        [
+          OptBoolean.new(['-h', '--help', 'Display the simple help and exit']),
+          OptBoolean.new(['--hh', 'Display the full help and exit']),
+          OptBoolean.new(['--version', 'Display the version and exit']),
+          OptBoolean.new(['--ignore-main-redirect', 'Ignore the main redirect (if any) and scan the target url'],
+                         advanced: true),
+          OptBoolean.new(['-v', '--verbose', 'Verbose mode']),
+          OptBoolean.new(['--[no-]banner', 'Whether or not to display the banner'], default: true),
+          OptPositiveInteger.new(['--max-scan-duration SECONDS',
+                                  'Abort the scan if it exceeds the time provided in seconds'],
+                                 advanced: true)
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_options
+        cli_browser_headers_options + [
+          OptBoolean.new(['--random-user-agent', '--rua',
+                          'Use a random user-agent for each scan']),
+          OptFilePath.new(['--user-agents-list FILE-PATH',
+                           'List of agents to use with --random-user-agent'],
+                          exists: true,
+                          advanced: true,
+                          default: APP_DIR.join('user_agents.txt')),
+          OptCredentials.new(['--http-auth login:password']),
+          OptPositiveInteger.new(['-t', '--max-threads VALUE', 'The max threads to use'],
+                                 default: 5),
+          OptPositiveInteger.new(['--throttle MilliSeconds', 'Milliseconds to wait before doing another web request. ' \
+                                                             'If used, the max threads will be set to 1.']),
+          OptPositiveInteger.new(['--request-timeout SECONDS', 'The request timeout in seconds'],
+                                 default: 60),
+          OptPositiveInteger.new(['--connect-timeout SECONDS', 'The connection timeout in seconds'],
+                                 default: 30),
+          OptBoolean.new(['--disable-tls-checks',
+                          'Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ ' \
+                          '(requires cURL 7.66 for the latter)'])
+        ] + cli_browser_proxy_options + cli_browser_cookies_options + cli_browser_cache_options
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_headers_options
+        [
+          OptString.new(['--user-agent VALUE', '--ua']),
+          OptHeaders.new(['--headers HEADERS', 'Additional headers to append in requests'], advanced: true),
+          OptString.new(['--vhost VALUE', 'The virtual host (Host header) to use in requests'], advanced: true)
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_proxy_options
+        [
+          OptProxy.new(['--proxy protocol://IP:port',
+                        'Supported protocols depend on the cURL installed']),
+          OptCredentials.new(['--proxy-auth login:password'])
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_cookies_options
+        [
+          OptString.new(['--cookie-string COOKIE',
+                         'Cookie string to use in requests, ' \
+                         'format: cookie1=value1[; cookie2=value2]']),
+          OptFilePath.new(['--cookie-jar FILE-PATH', 'File to read and write cookies'],
+                          writable: true,
+                          readable: true,
+                          create: true,
+                          default: File.join(tmp_directory, 'cookie_jar.txt'))
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_browser_cache_options
+        [
+          OptInteger.new(['--cache-ttl TIME_TO_LIVE', 'The cache time to live in seconds'],
+                         default: 600, advanced: true),
+          OptBoolean.new(['--clear-cache', 'Clear the cache before the scan'], advanced: true),
+          OptDirectoryPath.new(['--cache-dir PATH'],
+                               readable: true,
+                               writable: true,
+                               create: true,
+                               default: File.join(tmp_directory, 'cache'),
+                               advanced: true)
+        ]
+      end
+    end
+  end
+end

data/app/controllers/core.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require_relative 'core/cli_options'
+
+module CMSScanner
+  module Controller
+    # Core Controller
+    class Core < Base
+      def setup_cache
+        return unless NS::ParsedCli.cache_dir
+
+        storage_path = File.join(NS::ParsedCli.cache_dir, Digest::MD5.hexdigest(target.url))
+
+        Typhoeus::Config.cache = Cache::Typhoeus.new(storage_path)
+        Typhoeus::Config.cache.clean if NS::ParsedCli.clear_cache
+      end
+
+      def before_scan
+        maybe_output_banner_help_and_version
+
+        setup_cache
+        check_target_availability
+      end
+
+      def maybe_output_banner_help_and_version
+        output('banner') if NS::ParsedCli.banner
+        output('help', help: option_parser.simple_help, simple: true) if NS::ParsedCli.help
+        output('help', help: option_parser.full_help, simple: false) if NS::ParsedCli.hh
+        output('version') if NS::ParsedCli.version
+
+        exit(NS::ExitCode::OK) if NS::ParsedCli.help || NS::ParsedCli.hh || NS::ParsedCli.version
+      end
+
+      # Checks that the target is accessible, raises related errors otherwise
+      #
+      # @return [ Void ]
+      def check_target_availability
+        res = NS::Browser.get(target.url)
+
+        case res.code
+        when 0
+          raise Error::TargetDown, res
+        when 401
+          raise Error::HTTPAuthRequired
+        when 403
+          raise Error::AccessForbidden, NS::ParsedCli.random_user_agent unless NS::ParsedCli.force
+        when 407
+          raise Error::ProxyAuthRequired
+        end
+
+        # Checks for redirects
+        # An out of scope redirect will raise an Error::HTTPRedirect
+        effective_url = target.homepage_res.effective_url
+
+        return if target.in_scope?(effective_url)
+
+        raise Error::HTTPRedirect, effective_url unless NS::ParsedCli.ignore_main_redirect
+
+        target.homepage_res = res
+      end
+
+      def run
+        @start_time = Time.now
+        @start_memory = NS.start_memory
+
+        output('started', url: target.url, ip: target.ip, effective_url: target.homepage_url)
+      end
+
+      def after_scan
+        @stop_time   = Time.now
+        @elapsed     = @stop_time - @start_time
+        @used_memory = GetProcessMem.new.bytes - @start_memory
+
+        output('finished',
+               cached_requests: NS.cached_requests,
+               requests_done: NS.total_requests,
+               data_sent: NS.total_data_sent,
+               data_received: NS.total_data_received)
+      end
+    end
+  end
+end

data/app/controllers/interesting_findings.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Controller
+    # InterestingFindings Controller
+    class InterestingFindings < Base
+      def cli_options
+        [
+          OptChoice.new(
+            ['--interesting-findings-detection MODE',
+             'Use the supplied mode for the interesting findings detection. '],
+            choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
+          )
+        ]
+      end
+
+      def run
+        mode = NS::ParsedCli.interesting_findings_detection || NS::ParsedCli.detection_mode
+        findings = target.interesting_findings(mode: mode)
+
+        output('findings', findings: findings) unless findings.empty?
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/fantastico_fileslist.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # FantasticoFileslist finder
+      class FantasticoFileslist < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'fantastico_fileslist.txt'
+          res  = target.head_and_get(path)
+
+          return if res.body.strip.empty?
+          return unless res.headers && res.headers['Content-Type']&.start_with?('text/plain')
+
+          NS::Model::FantasticoFileslist.new(target.url(path), confidence: 70, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/headers.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # Interesting Headers finder
+      class Headers < Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          r = NS::Model::Headers.new(target.homepage_url, confidence: 100, found_by: found_by)
+
+          r.interesting_entries.empty? ? nil : r
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/robots_txt.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # Robots.txt finder
+      class RobotsTxt < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'robots.txt'
+          res  = target.head_and_get(path)
+
+          return unless res&.code == 200 && res.body =~ /(?:user-agent|(?:dis)?allow):/i
+
+          NS::Model::RobotsTxt.new(target.url(path), confidence: 100, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/search_replace_db_2.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # SearchReplaceDB2 finder
+      class SearchReplaceDB2 < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'searchreplacedb2.php'
+
+          return unless /by interconnect/i.match?(target.head_and_get(path).body)
+
+          NS::Model::SearchReplaceDB2.new(target.url(path), confidence: 100, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/xml_rpc.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # XML RPC finder
+      class XMLRPC < Finder
+        # @return [ Array<String> ] The potential urls to the XMl RPC file
+        def potential_urls
+          @potential_urls ||= []
+        end
+
+        # @return [ Array<XMLRPC> ]
+        def passive(opts = {})
+          [passive_headers(opts), passive_body(opts)].compact
+        end
+
+        # @return [ XMLRPC ]
+        def passive_headers(_opts = {})
+          url = target.homepage_res.headers['X-Pingback']
+
+          return unless target.in_scope?(url)
+
+          potential_urls << url
+
+          NS::Model::XMLRPC.new(url, confidence: 30, found_by: 'Headers (Passive Detection)')
+        end
+
+        # @return [ XMLRPC ]
+        def passive_body(_opts = {})
+          target.homepage_res.html.css('link[rel="pingback"]').each do |tag|
+            url = tag.attribute('href').to_s
+
+            next unless target.in_scope?(url)
+
+            potential_urls << url
+
+            return NS::Model::XMLRPC.new(url, confidence: 30, found_by: 'Link Tag (Passive Detection)')
+          end
+          nil
+        end
+
+        # @return [ XMLRPC ]
+        def aggressive(_opts = {})
+          potential_urls << target.url('xmlrpc.php')
+
+          potential_urls.uniq.each do |potential_url|
+            next unless target.in_scope?(potential_url)
+
+            res = NS::Browser.post(potential_url, body: Digest::MD5.hexdigest(rand(999_999).to_s[0..5]))
+
+            next unless /<methodResponse>/i.match?(res&.body)
+
+            return NS::Model::XMLRPC.new(potential_url, confidence: 100, found_by: DIRECT_ACCESS)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative 'interesting_findings/headers'
+require_relative 'interesting_findings/robots_txt'
+require_relative 'interesting_findings/fantastico_fileslist'
+require_relative 'interesting_findings/search_replace_db_2'
+require_relative 'interesting_findings/xml_rpc'
+
+module CMSScanner
+  module Finders
+    module InterestingFindings
+      # Interesting Files Finder
+      class Base
+        include IndependentFinder
+
+        # @param [ CMSScanner::Target ] target
+        def initialize(target)
+          %w[Headers RobotsTxt FantasticoFileslist SearchReplaceDB2 XMLRPC].each do |f|
+            finders << NS::Finders::InterestingFindings.const_get(f).new(target)
+          end
+        end
+      end
+    end
+  end
+end

data/app/formatters/cli.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Formatter
+    # CLI Formatter
+    class Cli < Base
+      # @return [ String ]
+      def info_icon
+        green('[+]')
+      end
+
+      # @return [ String ]
+      def notice_icon
+        blue('[i]')
+      end
+
+      # @return [ String ]
+      def warning_icon
+        amber('[!]')
+      end
+
+      # @return [ String ]
+      def critical_icon
+        red('[!]')
+      end
+
+      # @param [ String ] text
+      # @return [ String ]
+      def bold(text)
+        colorize(text, 1)
+      end
+
+      # @param [ String ] text
+      # @return [ String ]
+      def red(text)
+        colorize(text, 31)
+      end
+
+      # @param [ String ] text
+      # @return [ String ]
+      def green(text)
+        colorize(text, 32)
+      end
+
+      # @param [ String ] text
+      # @return [ String ]
+      def amber(text)
+        colorize(text, 33)
+      end
+
+      # @param [ String ] text
+      # @return [ String ]
+      def blue(text)
+        colorize(text, 34)
+      end
+
+      # @param [ String ] text
+      # @param [ Integer ] color_code
+      # @return [ String ]
+      def colorize(text, color_code)
+        "\e[#{color_code}m#{text}\e[0m"
+      end
+    end
+  end
+end

data/app/formatters/cli_no_color.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Formatter
+    # Because Reason https://github.com/wpscanteam/CMSScanner/issues/56
+    class CliNoColor < CliNoColour
+    end
+  end
+end

data/app/formatters/cli_no_colour.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Formatter
+    # CLI No Colour Formatter
+    class CliNoColour < Cli
+      # Override to get the cli views
+      def format
+        'cli'
+      end
+
+      def colorize(text, _color_code)
+        text
+      end
+    end
+  end
+end

data/app/formatters/json.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Formatter
+    # JSON Formatter
+    class Json < Base
+      include Buffer
+
+      def beautify
+        puts JSON.pretty_generate(JSON.parse("{#{buffer.chomp.chomp(',')}}"))
+      end
+    end
+  end
+end

data/app/models/fantastico_fileslist.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Model
+    # Fantastico is a commercial script library that automates the installation of web applications to a website.
+    # Fantastico scripts are executed from the administration area of a website control panel such as cPanel.
+    # It creates a file named fantastico_fileslist.txt that is publicly available and contains a list of all the
+    # files from the current directory. The contents of this file may expose sensitive information to an attacker.
+    class FantasticoFileslist < InterestingFinding
+      # @return [ String ]
+      def to_s
+        @to_s ||= "Fantastico list found: #{url}"
+      end
+
+      # @return [ Array<String> ] The interesting files/dirs detected
+      def interesting_entries
+        results = []
+
+        entries.each do |entry|
+          next unless /(?:admin|\.log|\.sql|\.db)/i.match?(entry)
+
+          results << entry
+        end
+        results
+      end
+
+      def references
+        @references ||= {
+          url: ['https://web.archive.org/web/20140518040021/http://www.acunetix.com/vulnerabilities/fantastico-fileslist/']
+        }
+      end
+    end
+  end
+end

data/app/models/headers.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module CMSScanner
+  module Model
+    # Interesting Headers
+    class Headers < InterestingFinding
+      # @return [ Hash ] The headers
+      def entries
+        res = NS::Browser.get(url)
+        return [] unless res&.headers
+
+        res.headers
+      end
+
+      # @return [ Array<String> ] The interesting headers detected
+      def interesting_entries
+        results = []
+
+        entries.each do |header, value|
+          next if known_headers.include?(header.downcase)
+
+          results << "#{header}: #{Array(value).join(', ')}"
+        end
+        results
+      end
+
+      # @return [ Array<String> ] Downcased known headers
+      def known_headers
+        %w[
+          age accept-ranges cache-control content-encoding content-length content-type connection date
+          etag expires keep-alive location last-modified link pragma set-cookie strict-transport-security
+          transfer-encoding vary x-cache x-content-security-policy x-content-type-options
+          x-frame-options x-language x-permitted-cross-domain-policies x-pingback x-varnish
+          x-webkit-csp x-xss-protection
+        ]
+      end
+
+      # @return [ String ]
+      def to_s
+        @to_s ||= 'Headers'
+      end
+    end
+  end
+end