pwn 0.4.514 → 0.4.517

Files changed (55) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop_todo.yml +17 -11
  3. data/Gemfile +10 -9
  4. data/README.md +2 -2
  5. data/bin/pwn_fuzz_net_app_proto +4 -1
  6. data/bin/pwn_phone +124 -0
  7. data/bin/pwn_sast +7 -2
  8. data/lib/pwn/plugins/baresip.rb +632 -0
  9. data/lib/pwn/plugins/serial.rb +1 -1
  10. data/lib/pwn/plugins/sock.rb +32 -0
  11. data/lib/pwn/plugins/thread_pool.rb +19 -5
  12. data/lib/pwn/plugins.rb +1 -0
  13. data/lib/pwn/reports/phone.rb +294 -0
  14. data/lib/pwn/reports.rb +1 -0
  15. data/lib/pwn/sast/amqp_connect_as_guest.rb +1 -1
  16. data/lib/pwn/sast/apache_file_system_util_api.rb +1 -1
  17. data/lib/pwn/sast/aws.rb +1 -1
  18. data/lib/pwn/sast/banned_function_calls_c.rb +1 -1
  19. data/lib/pwn/sast/base64.rb +1 -1
  20. data/lib/pwn/sast/beef_hook.rb +5 -2
  21. data/lib/pwn/sast/cmd_execution_java.rb +1 -1
  22. data/lib/pwn/sast/cmd_execution_python.rb +1 -1
  23. data/lib/pwn/sast/cmd_execution_ruby.rb +1 -1
  24. data/lib/pwn/sast/cmd_execution_scala.rb +1 -1
  25. data/lib/pwn/sast/csrf.rb +3 -2
  26. data/lib/pwn/sast/deserial_java.rb +12 -2
  27. data/lib/pwn/sast/emoticon.rb +4 -1
  28. data/lib/pwn/sast/eval.rb +3 -2
  29. data/lib/pwn/sast/factory.rb +7 -2
  30. data/lib/pwn/sast/http_authorization_header.rb +1 -1
  31. data/lib/pwn/sast/inner_html.rb +4 -3
  32. data/lib/pwn/sast/keystore.rb +5 -2
  33. data/lib/pwn/sast/location_hash.rb +3 -2
  34. data/lib/pwn/sast/log4j.rb +1 -1
  35. data/lib/pwn/sast/logger.rb +1 -1
  36. data/lib/pwn/sast/outer_html.rb +3 -2
  37. data/lib/pwn/sast/password.rb +1 -1
  38. data/lib/pwn/sast/pom_version.rb +5 -2
  39. data/lib/pwn/sast/port.rb +1 -1
  40. data/lib/pwn/sast/private_key.rb +1 -1
  41. data/lib/pwn/sast/redirect.rb +1 -1
  42. data/lib/pwn/sast/redos.rb +1 -1
  43. data/lib/pwn/sast/shell.rb +1 -1
  44. data/lib/pwn/sast/signature.rb +1 -1
  45. data/lib/pwn/sast/sql.rb +1 -1
  46. data/lib/pwn/sast/ssl.rb +9 -2
  47. data/lib/pwn/sast/sudo.rb +1 -1
  48. data/lib/pwn/sast/task_tag.rb +1 -1
  49. data/lib/pwn/sast/throw_errors.rb +3 -2
  50. data/lib/pwn/sast/token.rb +7 -2
  51. data/lib/pwn/sast/version.rb +6 -2
  52. data/lib/pwn/sast/window_location_hash.rb +3 -2
  53. data/lib/pwn/version.rb +1 -1
  54. data/spec/lib/pwn/reports/phone_spec.rb +15 -0
  55. metadata +43 -24
@@ -7,7 +7,8 @@ module PWN
7
7
  # Supported Method Parameters::
8
8
  # PWN::Plugins::ThreadPool.fill(
9
9
  # enumerable_array: 'required array for proper thread pool assignment',
10
- # :max_threads: 'optional number of threads in the thread pool (defaults to 9)',
10
+ # max_threads: 'optional number of threads in the thread pool (defaults to 9)',
11
+ # seconds_between_thread_exec: 'optional - time to sleep between thread execution (defaults to 0)'
11
12
  # &block
12
13
  # )
13
14
  #
@@ -19,19 +20,32 @@ module PWN
19
20
 
20
21
  public_class_method def self.fill(opts = {})
21
22
  enumerable_array = opts[:enumerable_array]
22
- opts[:max_threads].nil? ? max_threads = 9 : max_threads = opts[:max_threads].to_i
23
+ max_threads = opts[:max_threads].to_i
24
+ max_threads = 9 if max_threads.zero?
25
+ # seconds_between_thread_exec = opts[:seconds_between_thread_exec].to_i
23
26
 
24
27
  puts "Initiating Thread Pool of #{max_threads} Worker Threads...."
25
28
  queue = SizedQueue.new(max_threads)
26
29
  threads = Array.new(max_threads) do
27
30
  Thread.new do
28
- until (this_thread = queue.pop) == :END
31
+ until (this_thread = queue.pop) == :POOL_EXHAUSTED
29
32
  yield this_thread
30
33
  end
31
34
  end
32
35
  end
33
- enumerable_array.uniq.sort.each { |this_thread| queue << this_thread }
34
- max_threads.times { queue << :END }
36
+
37
+ enumerable_array.uniq.sort.each do |this_thread|
38
+ queue << this_thread
39
+ end
40
+
41
+ max_threads.times do
42
+ queue << :POOL_EXHAUSTED
43
+ end
44
+
45
+ # threads.each do |thread|
46
+ # sleep seconds_between_thread_exec if seconds_between_thread_exec.positive?
47
+ # thread.join
48
+ # end
35
49
  threads.each(&:join)
36
50
  rescue Interrupt
37
51
  puts "\nGoodbye."
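Review bot: The usage comment now advertises `seconds_between_thread_exec`, but the only code that reads it is commented out (new lines 25 and 45-48), so a caller who passes it gets no delay and no warning; either leave the parameter out of the comment until it works or implement it. The commented-out draft sleeps inside the `join` loop, which would only delay waiting for the threads rather than space out their work, so the sleep probably belongs in the worker or the enqueue loop. Separately, `max_threads = 9 if max_threads.zero?` still lets a negative value reach `SizedQueue.new(max_threads)` and `Array.new(max_threads)`, both of which raise ArgumentError; `max_threads = 9 unless max_threads.positive?` covers that case too. The body of `fill` continues past the end of this hunk.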
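--- a/data/lib/pwn/plugins.rb
+++ b/data/lib/pwn/plugins.rb
@@ -8,6 +8,7 @@ module PWN
  autoload :Android, 'pwn/plugins/android'
  autoload :AnsibleVault, 'pwn/plugins/ansible_vault'
  autoload :AuthenticationHelper, 'pwn/plugins/authentication_helper'
+ autoload :BareSIP, 'pwn/plugins/baresip'
  autoload :BasicAuth, 'pwn/plugins/basic_auth'
  autoload :BeEF, 'pwn/plugins/beef'
  autoload :BurpSuite, 'pwn/plugins/burp_suite'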
@@ -0,0 +1,294 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'json'
4
+
5
+ module PWN
6
+ module Reports
7
+ # This plugin generates the War Dialing results produced by pwn_phone.
8
+ module Phone
9
+ # Supported Method Parameters::
10
+ # PWN::Reports::Phone.generate(
11
+ # dir_path: dir_path,
12
+ # results_hash: results_hash
13
+ # )
14
+
15
+ public_class_method def self.generate(opts = {})
16
+ dir_path = opts[:dir_path].to_s if File.directory?(opts[:dir_path].to_s)
17
+ raise "PWN Error: Invalid Directory #{dir_path}" if dir_path.nil?
18
+
19
+ results_hash = opts[:results_hash]
20
+
21
+ File.write(
22
+ "#{dir_path}/pwn_phone.json",
23
+ JSON.pretty_generate(results_hash)
24
+ )
25
+
26
+ html_report = %q{<!DOCTYPE HTML>
27
+ <html>
28
+ <head>
29
+ <!-- favicon.ico from https://0dayinc.com -->
30
+ <link rel="icon" href="data:image/x-icon;base64,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" type="image/x-icon" />
31
+ <style>
32
+ body {
33
+ font-family: Verdana, Geneva, sans-serif;
34
+ font-size: 11px;
35
+ background-color: #FFFFFF;
36
+ color: #084B8A !important;
37
+ }
38
+
39
+ a:link {
40
+ color: #0174DF;
41
+ text-decoration: none;
42
+ }
43
+
44
+ a:visited {
45
+ color: #B40404;
46
+ text-decoration: none;
47
+ }
48
+
49
+ a:hover {
50
+ color: #01A9DB;
51
+ text-decoration: underline;
52
+ }
53
+
54
+ a:active {
55
+ color: #610B5E;
56
+ text-decoration: underline;
57
+ }
58
+
59
+ table {
60
+ width: 100%;
61
+ border-spacing:0px;
62
+ }
63
+
64
+ table.squish {
65
+ table-layout: fixed;
66
+ }
67
+
68
+ td {
69
+ vertical-align: top;
70
+ word-wrap: break-word !important;
71
+ }
72
+
73
+ .highlighted {
74
+ background-color: #F2F5A9 !important;
75
+ }
76
+ </style>
77
+
78
+ <!-- jQuery, DataTables, & FancyApps -->
79
+ <script type="text/javascript" src="//code.jquery.com/jquery-3.6.0.min.js"></script>
80
+
81
+ <link rel="stylesheet" type="text/css" href="//cdn.datatables.net/v/dt/dt-1.11.4/b-2.2.2/b-colvis-2.2.2/b-html5-2.2.2/b-print-2.2.2/cr-1.5.5/fc-4.0.1/fh-3.2.1/kt-2.6.4/r-2.2.9/rg-1.1.4/rr-1.2.8/sc-2.0.5/sp-1.4.0/sl-1.3.4/datatables.min.css"/>
82
+
83
+ <script type="text/javascript" src="//cdn.datatables.net/v/dt/dt-1.11.4/b-2.2.2/b-colvis-2.2.2/b-html5-2.2.2/b-print-2.2.2/cr-1.5.5/fc-4.0.1/fh-3.2.1/kt-2.6.4/r-2.2.9/rg-1.1.4/rr-1.2.8/sc-2.0.5/sp-1.4.0/sl-1.3.4/datatables.min.js"></script>
84
+
85
+ <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@fancyapps/ui@4.0/dist/fancybox.css" type="text/css" />
86
+
87
+ <script type="text/javascript" src="//cdn.jsdelivr.net/npm/@fancyapps/ui@4.0/dist/fancybox.umd.js"></script>
88
+ </head>
89
+
90
+ <body id="pwn_body">
91
+
92
+ <h1 style="display:inline">
93
+ <a href="https://github.com/0dayinc/pwn/tree/master">~ pwn phone</a>
94
+ </h1><br /><br />
95
+ <h2 id="report_name"></h2><br />
96
+
97
+ <div><button type="button" id="button">Rows Selected</button></div><br />
98
+ <div>
99
+ <b>Toggle Column(s):</b>&nbsp;
100
+ <a class="toggle-vis" data-column="1" href="#">Call Started</a>&nbsp;|&nbsp;
101
+ <a class="toggle-vis" data-column="2" href="#">Source #</a>&nbsp;|&nbsp;
102
+ <a class="toggle-vis" data-column="3" href="#">Source # Rules</a>&nbsp;|&nbsp;
103
+ <a class="toggle-vis" data-column="4" href="#">Target #</a>&nbsp;|&nbsp;
104
+ <a class="toggle-vis" data-column="5" href="#">Seconds Recorded</a>&nbsp;|&nbsp;
105
+ <a class="toggle-vis" data-column="6" href="#">Call Stopped</a>
106
+ <a class="toggle-vis" data-column="7" href="#">Reason</a>
107
+ <a class="toggle-vis" data-column="8" href="#">Recording</a>&nbsp;|&nbsp;
108
+ <a class="toggle-vis" data-column="9" href="#">Spectrogram</a>&nbsp;|&nbsp;
109
+ <a class="toggle-vis" data-column="10" href="#">Waveform</a>
110
+ </div>
111
+ <br /><br />
112
+
113
+ <div>
114
+ <table id="pwn_phone_results" class="display" cellspacing="0">
115
+ <thead>
116
+ <tr>
117
+ <th>#</th>
118
+ <th>Call Started</th>
119
+ <th>Source #</th>
120
+ <th>Source # Rules</th>
121
+ <th>Target #</th>
122
+ <th>Seconds Recorded</th>
123
+ <th>Call Stopped</th>
124
+ <th>Reason Stopped</th>
125
+ <th>Recording</th>
126
+ <th>Spectrogram</th>
127
+ <th>Waveform</th>
128
+ </tr>
129
+ </thead>
130
+ <!-- DataTables <tbody> -->
131
+ </table>
132
+ </div>
133
+
134
+ <script>
135
+ var htmlEntityEncode = $.fn.dataTable.render.text().display;
136
+ var line_entry_uri = "";
137
+ $(document).ready(function() {
138
+ var oldStart = 0;
139
+ var table = $('#pwn_phone_results').DataTable( {
140
+ "paging": true,
141
+ "pagingType": "full_numbers",
142
+ "fnDrawCallback": function ( oSettings ) {
143
+ /* Need to redo the counters if filtered or sorted */
144
+ if ( oSettings.bSorted || oSettings.bFiltered ) {
145
+ for ( var i=0, iLen=oSettings.aiDisplay.length ; i<iLen ; i++ ) {
146
+ $('td:eq(0)', oSettings.aoData[ oSettings.aiDisplay[i] ].nTr ).html( i+1 );
147
+ }
148
+ }
149
+ // Jump to top when utilizing pagination
150
+ if ( oSettings._iDisplayStart != oldStart ) {
151
+ var targetOffset = $('#pwn_body').offset().top;
152
+ $('html,body').animate({scrollTop: targetOffset}, 500);
153
+ oldStart = oSettings._iDisplayStart;
154
+ }
155
+ // Select individual lines in a row
156
+ $('#multi_line_select tbody').on('click', 'tr', function () {
157
+ $(this).toggleClass('highlighted');
158
+ if ($('#multi_line_select tr.highlighted').length > 0) {
159
+ $('#multi_line_select tr td button').attr('disabled', 'disabled');
160
+ // Remove multi-line bug button
161
+ } else {
162
+ $('#multi_line_select tr td button').removeAttr('disabled');
163
+ // Add multi-line bug button
164
+ }
165
+ });
166
+ },
167
+ "ajax": "pwn_phone.json",
168
+ //"deferRender": true,
169
+ "dom": "fplitfpliS",
170
+ "autoWidth": false,
171
+ "columns": [
172
+ { "data": null },
173
+ {
174
+ "data": "call_started",
175
+ "render": $.fn.dataTable.render.text()
176
+ },
177
+ {
178
+ "data": "src_num",
179
+ "render": $.fn.dataTable.render.text()
180
+ },
181
+ {
182
+ "data": "src_num_rules",
183
+ "render": $.fn.dataTable.render.text()
184
+ },
185
+ {
186
+ "data": "target_num",
187
+ "render": $.fn.dataTable.render.text()
188
+ },
189
+ {
190
+ "data": "seconds_recorded",
191
+ "render": $.fn.dataTable.render.text()
192
+ },
193
+ {
194
+ "data": "call_stopped",
195
+ "render": $.fn.dataTable.render.text()
196
+ },
197
+ {
198
+ "data": "reason",
199
+ "render": $.fn.dataTable.render.text()
200
+ },
201
+ {
202
+ "data": "recording",
203
+ "render": function (data, type, row, meta) {
204
+ var wav = htmlEntityEncode(data);
205
+ if (wav == '--') {
206
+ return wav;
207
+ } else {
208
+ return '<audio controls><source src="' + wav +'" type="audio/wav"></audio>';
209
+ }
210
+ }
211
+ },
212
+ {
213
+ "data": "spectrogram",
214
+ "render": function (data, type, row, meta) {
215
+ var spt = htmlEntityEncode(data);
216
+ if (spt == '--') {
217
+ return spt;
218
+ } else {
219
+ return '<a data-fancybox data-src="' + spt + '" data-caption="' + spt + '"><img src="' + data +'" target="_blank" style="width:150px; height:150px;"/></a>';
220
+ }
221
+ }
222
+ },
223
+ {
224
+ "data": "waveform",
225
+ "render": function (data, type, row, meta) {
226
+ var wfm = htmlEntityEncode(data);
227
+ if (wfm == '--') {
228
+ return wfm;
229
+ } else {
230
+ return '<a data-fancybox data-src="' + wfm + '" data-caption="' + wfm + '"><img src="' + data +'" target="_blank" style="width:150px; height:150px;"/></a>';
231
+ }
232
+ }
233
+ }
234
+ ]
235
+ });
236
+ // Toggle Columns
237
+ $('a.toggle-vis').on('click', function (e) {
238
+ e.preventDefault();
239
+
240
+ // Get the column API object
241
+ var column = table.column( $(this).attr('data-column') );
242
+
243
+ // Toggle the visibility
244
+ column.visible( ! column.visible() );
245
+ });
246
+
247
+ // TODO: Open bug for highlighted rows ;)
248
+ $('#button').click( function () {
249
+ alert($('#multi_line_select tr.highlighted').length +' row(s) highlighted');
250
+ });
251
+ });
252
+
253
+ function multi_line_select() {
254
+ // Select all lines in a row
255
+ //$('#pwn_phone_results tbody').on('click', 'tr', function () {
256
+ // $(this).children('td').children('#multi_line_select').children('tbody').children('tr').toggleClass('highlighted');
257
+ //});
258
+
259
+ }
260
+ </script>
261
+ </body>
262
+ </html>
263
+ }
264
+
265
+ File.open("#{dir_path}/pwn_phone.html", 'w') do |f|
266
+ f.print(html_report)
267
+ end
268
+ rescue StandardError => e
269
+ raise e
270
+ end
271
+
272
+ # Author(s):: 0day Inc. <request.pentest@0dayinc.com>
273
+
274
+ public_class_method def self.authors
275
+ "AUTHOR(S):
276
+ 0day Inc. <request.pentest@0dayinc.com>
277
+ "
278
+ end
279
+
280
+ # Display Usage for this Module
281
+
282
+ public_class_method def self.help
283
+ puts "USAGE:
284
+ #{self}.generate(
285
+ dir_path: dir_path,
286
+ results_hash: results_hash
287
+ )
288
+
289
+ #{self}.authors
290
+ "
291
+ end
292
+ end
293
+ end
294
+ end
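Review bot: The `spectrogram` and `waveform` renderers (new lines 219 and 230) put the raw `data` value into `<img src="' + data +'"`, although the encoded copy (`spt` / `wfm`) is already used for `data-src` and `data-caption` on the same line, so a value in `pwn_phone.json` that contains a double quote can break out of the attribute and inject markup into the report. Use the encoded variable there as well: `'"><img src="' + spt + '" …'` and `'"><img src="' + wfm + '" …'`. The `<script>` and `<link>` tags use protocol-relative CDN URLs with no `integrity` attribute, which presumably will not resolve when the report is opened from disk via `file://` and gives no tamper check when it is served over plain HTTP; explicit `https://` URLs with SRI hashes would address both. The `raise` on new line 17 interpolates `dir_path`, which is always nil at that point, so the message never names the rejected path; `opts[:dir_path]` is the value to show.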
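--- a/data/lib/pwn/reports.rb
+++ b/data/lib/pwn/reports.rb
@@ -9,6 +9,7 @@ module PWN
  # autoload :JSON, 'pwn/reports/json'
  # autoload :PDF, 'pwn/reports/pdf'
  autoload :Fuzz, 'pwn/reports/fuzz'
+ autoload :Phone, 'pwn/reports/phone'
  autoload :SAST, 'pwn/reports/sast'
  # autoload :XML, 'pwn/reports/xml'
 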
@@ -23,7 +23,7 @@ module PWN
23
23
  logger_results = ''
24
24
 
25
25
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
26
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
26
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
27
27
  line_no_and_contents_arr = []
28
28
  entry_beautified = false
29
29
 
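Review bot: `entry !~ /test/i` is an unanchored, case-insensitive match against the whole path, so any file whose path merely contains those four letters (`latest.js`, `attestation/`, `contest.rb`, or a scan root such as `/home/tester/src`) is silently dropped from the scan, and the resulting missed findings leave no trace in the report. If excluding test code is the intent, match whole path segments relative to `dir_path`, for example `entry.to_s.delete_prefix(dir_path.to_s) !~ %r{(?:\A|/)tests?(?:/|\z)}i` (assuming `entry` is a path under `dir_path`; extend it for `_test` file suffixes if those should be skipped), make the exclusion optional, and log each skipped entry. The same condition is added in the other `recurse_dir` hunks on this page (aws.rb, csrf.rb, eval.rb and the unlabelled SAST sections). The enclosing method starts and ends outside the hunk.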
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
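--- a/data/lib/pwn/sast/aws.rb
+++ b/data/lib/pwn/sast/aws.rb
@@ -21,7 +21,7 @@ module PWN
  logger_results = ''
 
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
  line_no_and_contents_arr = []
  entry_beautified = false
 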
@@ -23,7 +23,7 @@ module PWN
23
23
  logger_results = ''
24
24
 
25
25
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
26
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.c' || File.extname(entry) == '.cpp' || File.extname(entry) == '.c++' || File.extname(entry) == '.cxx' || File.extname(entry) == '.h' || File.extname(entry) == '.hpp' || File.extname(entry) == '.h++' || File.extname(entry) == '.hh' || File.extname(entry) == '.hxx' || File.extname(entry) == '.ii' || File.extname(entry) == '.ixx' || File.extname(entry) == '.ipp' || File.extname(entry) == '.inl' || File.extname(entry) == '.txx' || File.extname(entry) == '.tpp' || File.extname(entry) == '.tpl')
26
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.c' || File.extname(entry) == '.cpp' || File.extname(entry) == '.c++' || File.extname(entry) == '.cxx' || File.extname(entry) == '.h' || File.extname(entry) == '.hpp' || File.extname(entry) == '.h++' || File.extname(entry) == '.hh' || File.extname(entry) == '.hxx' || File.extname(entry) == '.ii' || File.extname(entry) == '.ixx' || File.extname(entry) == '.ipp' || File.extname(entry) == '.inl' || File.extname(entry) == '.txx' || File.extname(entry) == '.tpp' || File.extname(entry) == '.tpl') && entry !~ /test/i
27
27
  line_no_and_contents_arr = []
28
28
  entry_beautified = false
29
29
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -32,7 +32,10 @@ module PWN
32
32
  entry_beautified = true
33
33
  end
34
34
 
35
- test_case_filter = "grep -Fin 'hook.js' #{entry}"
35
+ test_case_filter = "
36
+ grep -Fin \
37
+ -e 'hook.js' #{entry}
38
+ "
36
39
 
37
40
  str = `#{test_case_filter}`.to_s.scrub
38
41
 
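Review bot: `#{entry}` is still interpolated unquoted into a string that new line 40 executes with backticks, so a file name in the scanned tree that contains spaces or shell metacharacters is interpreted by the shell; for a tool that scans source trees it did not author, that is command injection through file names, and at best a grep that silently fails. Since the command is being reformatted anyway, quote the operand and end option parsing before it: `-e 'hook.js' -- #{Shellwords.escape(entry)}` (needs `require 'shellwords'`), or skip the shell with `Open3.capture2('grep', '-Fin', '-e', 'hook.js', '--', entry.to_s)`. The csrf.rb, eval.rb and other `test_case_filter` hunks on this page build the command the same way. The enclosing method runs beyond this hunk.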
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry) == '.java'
25
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry) == '.java' && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.py' || File.extname(entry) == '.pyc' || File.extname(entry) == '.pyo' || File.extname(entry) == '.pyd')
25
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.py' || File.extname(entry) == '.pyc' || File.extname(entry) == '.pyo' || File.extname(entry) == '.pyd') && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.rb' || File.extname(entry) == '.rbw')
25
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.rb' || File.extname(entry) == '.rbw') && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry) == '.scala'
25
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry) == '.scala' && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
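--- a/data/lib/pwn/sast/csrf.rb
+++ b/data/lib/pwn/sast/csrf.rb
@@ -23,7 +23,7 @@ module PWN
  logger_results = ''
 
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
  line_no_and_contents_arr = []
  entry_beautified = false
 
@@ -34,7 +34,8 @@ module PWN
  end
 
  test_case_filter = "
- grep -ni 'csrf' #{entry}
+ grep -ni \
+ -e 'csrf' #{entry}
  "
 
  str = `#{test_case_filter}`.to_s.scrub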
@@ -24,7 +24,7 @@ module PWN
24
24
  logger_results = ''
25
25
 
26
26
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
27
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.scala' || File.extname(entry) == '.java')
27
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.scala' || File.extname(entry) == '.java') && entry !~ /test/i
28
28
  line_no_and_contents_arr = []
29
29
  entry_beautified = false
30
30
 
@@ -34,7 +34,17 @@ module PWN
34
34
  entry_beautified = true
35
35
  end
36
36
 
37
- test_case_filter = "grep -in -e readObject -e XMLdecoder -e fromXML -e readObjectNodData -e readResolve -e readExternal -e readUnshared -e Serializable #{entry}"
37
+ test_case_filter = "
38
+ grep -in \
39
+ -e readObject \
40
+ -e XMLdecoder \
41
+ -e fromXML \
42
+ -e readObjectNodData \
43
+ -e readResolve \
44
+ -e readExternal \
45
+ -e readUnshared \
46
+ -e Serializable #{entry}
47
+ "
38
48
 
39
49
  str = `#{test_case_filter}`.to_s.scrub
40
50
 
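Review bot: `-e readObjectNodData` on new line 42 looks like a misspelling of `readObjectNoData`, the `java.io.Serializable` hook; as written it can never match on its own, and the real method name is only caught because `-e readObject` is a substring of it. Now that the patterns sit one per line, correct it to `-e readObjectNoData \` or drop it as redundant. A short comment above the list saying which deserialization entry points the patterns target would make it easier to extend.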
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -38,6 +38,9 @@ module PWN
38
38
  -e ';-)' \
39
39
  -e ':-P' \
40
40
  -e ':-D' \
41
+ -e '\_o_/' \
42
+ -e '\_O_/' \
43
+ -e '\_0_/' \
41
44
  -e ':-O' #{entry}
42
45
  "
43
46
 
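Review bot: The three added patterns `'\_o_/'`, `'\_O_/'` and `'\_0_/'` appear to sit inside a double-quoted Ruby string (its closing `"` is on new line 45), where `\_` is not a recognised escape and Ruby drops the backslash, so grep actually receives `_o_/`. That still matches the intended emoticon but also any text that merely contains `_o_/`, such as a path like `foo_o_/bar`. Writing `\\_o_/` lets the backslash reach the shell; whether grep then treats it literally depends on the options on the command line above the hunk, so confirm `-F` is in effect. If that line also carries `-i`, the `_o_` and `_O_` variants are duplicates.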
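--- a/data/lib/pwn/sast/eval.rb
+++ b/data/lib/pwn/sast/eval.rb
@@ -23,7 +23,7 @@ module PWN
  logger_results = ''
 
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
  line_no_and_contents_arr = []
  entry_beautified = false
 
@@ -34,7 +34,8 @@ module PWN
  end
 
  test_case_filter = "
- grep -n 'eval(' #{entry}
+ grep -n \
+ -e 'eval(' #{entry}
  "
 
  str = `#{test_case_filter}`.to_s.scrub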
@@ -24,7 +24,7 @@ module PWN
24
24
  logger_results = ''
25
25
 
26
26
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
27
- if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.scala' || File.extname(entry) == '.java')
27
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.scala' || File.extname(entry) == '.java') && entry !~ /test/i
28
28
  line_no_and_contents_arr = []
29
29
  entry_beautified = false
30
30
 
@@ -34,7 +34,12 @@ module PWN
34
34
  entry_beautified = true
35
35
  end
36
36
 
37
- test_case_filter = "grep -in -e DocumentBuilderFactory -e XMLInputFactory -e SAXParserFactory #{entry}"
37
+ test_case_filter = "
38
+ grep -in \
39
+ -e DocumentBuilderFactory \
40
+ -e XMLInputFactory \
41
+ -e SAXParserFactory #{entry}
42
+ "
38
43
 
39
44
  str = `#{test_case_filter}`.to_s.scrub
40
45
 
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -23,7 +23,7 @@ module PWN
23
23
  logger_results = ''
24
24
 
25
25
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
26
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
26
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
27
27
  line_no_and_contents_arr = []
28
28
  entry_beautified = false
29
29
 
@@ -34,7 +34,8 @@ module PWN
34
34
  end
35
35
 
36
36
  test_case_filter = "
37
- grep -n 'innerHTML' #{entry}
37
+ grep -n \
38
+ -e 'innerHTML' #{entry}
38
39
  "
39
40
 
40
41
  str = `#{test_case_filter}`.to_s.scrub
@@ -112,7 +113,7 @@ module PWN
112
113
  section: 'MALICIOUS CODE PROTECTION',
113
114
  nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
114
115
  cwe_id: '79',
115
- uri: 'https://cwe.mitre.org/data/definitions/79.html'
116
+ cwe_uri: 'https://cwe.mitre.org/data/definitions/79.html'
116
117
  }
117
118
  rescue StandardError => e
118
119
  raise e
@@ -22,7 +22,7 @@ module PWN
22
22
  logger_results = ''
23
23
 
24
24
  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
- if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
25
+ if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
26
26
  line_no_and_contents_arr = []
27
27
  entry_beautified = false
28
28
 
@@ -32,7 +32,10 @@ module PWN
32
32
  entry_beautified = true
33
33
  end
34
34
 
35
- test_case_filter = "grep -Fin 'keystore' #{entry}"
35
+ test_case_filter = "
36
+ grep -Fin \
37
+ -e 'keystore' #{entry}
38
+ "
36
39
 
37
40
  str = `#{test_case_filter}`.to_s.scrub
38
41