pwn 0.4.604 → 0.4.606
- checksums.yaml +4 -4
- data/Gemfile +5 -4
- data/README.md +2 -2
- data/bin/pwn_sast +1 -0
- data/lib/pwn/plugins/open_ai.rb +3 -3
- data/lib/pwn/sast/md5.rb +143 -0
- data/lib/pwn/sast.rb +1 -0
- data/lib/pwn/version.rb +1 -1
- data/spec/lib/pwn/sast/md5_spec.rb +25 -0
- metadata +27 -11
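--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 467f8bfe15183838882de427a8dccce2eebb4ec939b78169d3280d076b0fa764
+data.tar.gz: 192da1120a211f797081731a984e97532954e12b53146f8b15b66aa225fe1967
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 627618f032d8b088408a46e9fea4994ed7def61af35beeedef44a9a50b78c4dfe0b1fce87681c8a1d233306a0dd01734085d742a8e1afc1131ac874e17c061a2
+data.tar.gz: 398ceaec43e0ccb285c032e08192b6a5956151c42054e56ca191051825356036c7cbe2267ae7991595aabb79e3c35ad55e4cf3fa7ac1620b3ce6709d04f124a5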
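--- a/data/Gemfile
+++ b/data/Gemfile
@@ -11,14 +11,14 @@ gemspec
 # In some circumstances custom flags are passed to gems in order
 # to build appropriately. Defer to ./reinstall_pwn_gemset.sh
 # to review these custom flags (e.g. pg, serialport, etc).
-gem 'activesupport', '7.0.4'
+gem 'activesupport', '7.0.4.1'
 gem 'anemone', '0.7.2'
 gem 'authy', '3.0.1'
 gem 'aws-sdk', '3.1.0'
 gem 'bettercap', '1.6.2'
 gem 'brakeman', '5.4.0'
 gem 'bson', '4.15.0'
-gem 'bundler', '>=2.4.
+gem 'bundler', '>=2.4.5'
 gem 'bundler-audit', '0.9.1'
 gem 'bunny', '2.20.2'
 gem 'colorize', '0.8.1'
@@ -26,6 +26,7 @@ gem 'credit_card_validations', '6.0.0'
 gem 'eventmachine', '1.2.7'
 gem 'executable-hooks', '1.6.1'
 gem 'faye-websocket', '0.11.1'
+gem 'ffi', '1.15.5'
 gem 'fftw3', '0.3'
 gem 'gdb', '1.0.0'
 gem 'gem-wrappers', '1.4.0'
@@ -62,9 +63,9 @@ gem 'rex', '2.0.13'
 gem 'rmagick', '5.1.0'
 gem 'rspec', '3.12.0'
 gem 'rtesseract', '3.1.2'
-gem 'rubocop', '1.
+gem 'rubocop', '1.44.0'
 gem 'rubocop-rake', '0.6.0'
-gem 'rubocop-rspec', '2.
+gem 'rubocop-rspec', '2.18.1'
 gem 'ruby-audio', '1.6.1'
 gem 'ruby-nmap', '1.0.1'
 gem 'ruby-saml', '1.15.0'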
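--- a/data/README.md
+++ b/data/README.md
@@ -37,7 +37,7 @@ $ rvm use ruby-3.2.0@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.606]:001 >>> PWN.help
 ```
 
 [](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.2.0@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.606]:001 >>> PWN.help
 ```
 
 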
data/bin/pwn_sast
CHANGED
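--- a/data/lib/pwn/plugins/open_ai.rb
+++ b/data/lib/pwn/plugins/open_ai.rb
@@ -96,7 +96,7 @@ module PWN
 # request: 'required - message to ChatGPT'
 # model: 'optional - model to use for text generation (defaults to text-davinci-003)',
 # temp: 'optional - creative response float (deafults to 0)',
-# max_tokens: 'optional - integer (
+# max_tokens: 'optional - integer (defaults to 3_072)'
 # )
 
 public_class_method def self.chat_gpt(opts = {})
@@ -107,7 +107,7 @@ module PWN
 temp = opts[:temp].to_f
 temp = 0 unless temp.positive?
 max_tokens = opts[:max_tokens].to_i
-max_tokens =
+max_tokens = 3_072 unless max_tokens.positive?
 
 rest_call = 'completions'
 
@@ -183,7 +183,7 @@ module PWN
 request: 'required - message to ChatGPT',
 model: 'optional - model to use for text generation (defaults to text-davinci-003)',
 temp: 'optional - creative response float (deafults to 0)',
-max_tokens: 'optional - integer (deafults to
+max_tokens: 'optional - integer (deafults to 3_072)'
 )
 
 response = #{self}.img_gen(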
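Review bot: The new fallback `max_tokens = 3_072 unless max_tokens.positive?` in `chat_gpt` is applied whatever `opts[:model]` is, and completion APIs generally count `max_tokens` together with the prompt against the model's context window, so a long `request` or a smaller model may be rejected when only the default is used. Consider clamping against a per-model limit, or at least stating the constraint in the parameter comment, e.g. `# max_tokens: 'optional - integer (defaults to 3_072; prompt + max_tokens must fit the model context)'`. The usage string in the third hunk still spells it `deafults` while the comment in the first hunk reads `defaults`. The request-building code is outside these hunks, so the effect on the API call is inferred from the visible lines.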
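--- a/data/lib/pwn/sast/md5.rb
+++ b/data/lib/pwn/sast/md5.rb
@@ -0,0 +1,143 @@
+# frozen_string_literal: false
+
+require 'socket'
+
+module PWN
+module SAST
+# SAST Module used to identify MD5 hash related objects, methods, classes, etc.
+# to determine if deprecated hashing is still supported.
+module MD5
+@@logger = PWN::Plugins::PWNLogger.create
+
+# Supported Method Parameters::
+# PWN::SAST::MD5.scan(
+# dir_path: 'optional path to dir defaults to .'
+# git_repo_root_uri: 'optional http uri of git repo scanned'
+# )
+
+public_class_method def self.scan(opts = {})
+dir_path = opts[:dir_path]
+git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
+result_arr = []
+logger_results = ''
+
+PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
+if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
+line_no_and_contents_arr = []
+entry_beautified = false
+
+if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
+js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
+entry = "#{entry}.JS-BEAUTIFIED"
+entry_beautified = true
+end
+
+test_case_filter = "
+grep -n \
+-ei 'md5' #{entry}
+"
+
+str = `#{test_case_filter}`.to_s.scrub
+
+if str.to_s.empty?
+# If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
+logger_results = "#{logger_results}~" # Catching bugs is good :)
+else
+str = "1:Result larger than 64KB -> Size: #{str.to_s.length}. Please click the \"Path\" link for more details." if str.to_s.length >= 64_000
+
+hash_line = {
+timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
+security_references: security_references,
+filename: { git_repo_root_uri: git_repo_root_uri, entry: entry },
+line_no_and_contents: '',
+raw_content: str,
+test_case_filter: test_case_filter
+}
+
+# COMMMENT: Must be a better way to implement this (regex is kinda funky)
+line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
+line_no_count = line_contents_split.length # This should always be an even number
+current_count = 0
+while line_no_count > current_count
+line_no = line_contents_split[current_count]
+contents = line_contents_split[current_count + 1]
+if Dir.exist?("#{dir_path}/.git") ||
+Dir.exist?('.git')
+
+repo_root = dir_path
+repo_root = '.' if Dir.exist?('.git')
+
+author = PWN::Plugins::Git.get_author(
+repo_root: repo_root,
+from_line: line_no,
+to_line: line_no,
+target_file: entry,
+entry_beautified: entry_beautified
+)
+else
+author = 'N/A'
+end
+hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(
+line_no: line_no,
+contents: contents,
+author: author
+)
+
+current_count += 2
+end
+result_arr.push(hash_line)
+logger_results = "#{logger_results}x" # Seeing progress is good :)
+end
+end
+end
+logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
+if logger_results.empty?
+@@logger.info("#{logger_banner}: No files applicable to this test case.\n")
+else
+@@logger.info("#{logger_banner} => #{logger_results}complete.\n")
+end
+result_arr
+rescue StandardError => e
+raise e
+end
+
+# Used primarily to map NIST 800-53 Revision 4 Security Controls
+# https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
+# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
+# Determine the level of Testing Coverage w/ PWN.
+
+public_class_method def self.security_references
+{
+sast_module: self,
+section: 'MALICIOUS CODE PROTECTION',
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control?version=5.1&number=SC-28',
+cwe_id: '328',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/328.html'
+}
+rescue StandardError => e
+raise e
+end
+
+# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
+
+public_class_method def self.authors
+"AUTHOR(S):
+0day Inc. <request.pentest@0dayinc.com>
+"
+end
+
+# Display Usage for this Module
+
+public_class_method def self.help
+puts "USAGE:
+sast_arr = #{self}.scan(
+dir_path: 'optional path to dir defaults to .',
+git_repo_root_uri: 'optional http uri of git repo scanned'
+)
+
+#{self}.authors
+"
+end
+end
+end
+end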
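Review bot: `entry` is interpolated unquoted into three shell commands in `scan` (`wc -l #{entry}`, `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`, and the `grep` built in `test_case_filter`), so a file name containing spaces or shell metacharacters anywhere in the scanned tree is interpreted by the shell on the scanning host. Because this module walks source trees the operator may not control, escape the path before use, e.g. `safe_entry = Shellwords.escape(entry)` (with `require 'shellwords'`) and interpolate `safe_entry` in those commands, or invoke grep through an argument-array API instead of backticks. Separately, `-ei 'md5'` passes `i` to `-e` as the pattern and leaves `md5` as a file operand; `-i -e 'md5'` looks like what was intended. The `section: 'MALICIOUS CODE PROTECTION'` label in `security_references` also does not appear to match the SC-28 control its URI points at, which is worth confirming.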
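--- a/data/lib/pwn/sast.rb
+++ b/data/lib/pwn/sast.rb
@@ -27,6 +27,7 @@ module PWN
 autoload :LocationHash, 'pwn/sast/location_hash'
 autoload :Log4J, 'pwn/sast/log4j'
 autoload :Logger, 'pwn/sast/logger'
+autoload :MD5, 'pwn/sast/md5'
 autoload :OuterHTML, 'pwn/sast/outer_html'
 autoload :Password, 'pwn/sast/password'
 autoload :PHPInputMechanisms, 'pwn/sast/php_input_mechanisms'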
data/lib/pwn/version.rb
CHANGED
@@ -0,0 +1,25 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'spec_helper'
|
4
|
+
|
5
|
+
describe PWN::SAST::MD5 do
|
6
|
+
it 'scan method should exist' do
|
7
|
+
scan_response = PWN::SAST::MD5
|
8
|
+
expect(scan_response).to respond_to :scan
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'should display information for security_references' do
|
12
|
+
security_references_response = PWN::SAST::MD5
|
13
|
+
expect(security_references_response).to respond_to :security_references
|
14
|
+
end
|
15
|
+
|
16
|
+
it 'should display information for authors' do
|
17
|
+
authors_response = PWN::SAST::MD5
|
18
|
+
expect(authors_response).to respond_to :authors
|
19
|
+
end
|
20
|
+
|
21
|
+
it 'should display information for existing help method' do
|
22
|
+
help_response = PWN::SAST::MD5
|
23
|
+
expect(help_response).to respond_to :help
|
24
|
+
end
|
25
|
+
end
|
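Review bot: All four examples only assert `respond_to`, so `PWN::SAST::MD5.scan` is never executed and a regression in its grep invocation or line-number parsing would still pass this spec. An example that runs `scan(dir_path: fixture_dir)` against a small fixture directory holding one `md5` reference, and checks the returned `line_no_and_contents`, would cover that path (`fixture_dir` is a placeholder name). These lines are shown under the `data/lib/pwn/version.rb` header on this page, but their content looks like the `data/spec/lib/pwn/sast/md5_spec.rb` entry from the file list, so the placement should be read with that in mind.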
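--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.606
 platform: ruby
 authors:
 - 0day Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-
+date: 2023-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.0.4
+version: 7.0.4.1
 - !ruby/object:Gem::Dependency
 name: anemone
 requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.4.
+version: 2.4.5
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.4.
+version: 2.4.5
 - !ruby/object:Gem::Dependency
 name: bundler-audit
 requirement: !ruby/object:Gem::Requirement
@@ -220,6 +220,20 @@ dependencies:
 - - '='
 - !ruby/object:Gem::Version
 version: 0.11.1
+- !ruby/object:Gem::Dependency
+name: ffi
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.15.5
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.15.5
 - !ruby/object:Gem::Dependency
 name: fftw3
 requirement: !ruby/object:Gem::Requirement
@@ -716,14 +730,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.44.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.44.0
 - !ruby/object:Gem::Dependency
 name: rubocop-rake
 requirement: !ruby/object:Gem::Requirement
@@ -744,14 +758,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 2.
+version: 2.18.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 2.
+version: 2.18.1
 - !ruby/object:Gem::Dependency
 name: ruby-audio
 requirement: !ruby/object:Gem::Requirement
@@ -1669,6 +1683,7 @@ files:
 - lib/pwn/sast/location_hash.rb
 - lib/pwn/sast/log4j.rb
 - lib/pwn/sast/logger.rb
+- lib/pwn/sast/md5.rb
 - lib/pwn/sast/outer_html.rb
 - lib/pwn/sast/password.rb
 - lib/pwn/sast/php_input_mechanisms.rb
@@ -1969,6 +1984,7 @@ files:
 - spec/lib/pwn/sast/location_hash_spec.rb
 - spec/lib/pwn/sast/log4j_spec.rb
 - spec/lib/pwn/sast/logger_spec.rb
+- spec/lib/pwn/sast/md5_spec.rb
 - spec/lib/pwn/sast/password_spec.rb
 - spec/lib/pwn/sast/php_input_mechanisms_spec.rb
 - spec/lib/pwn/sast/php_type_juggling_spec.rb
@@ -2062,7 +2078,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.
+rubygems_version: 3.4.5
 signing_key:
 specification_version: 4
 summary: Automated Security Testing for CI/CD Pipelines & Beyond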