pwn 0.5.350 → 0.5.352
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +3 -3
- data/lib/pwn/plugins/burp_suite.rb +14 -3
- data/lib/pwn/reports/sast.rb +77 -28
- data/lib/pwn/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0ed1ecac3031877ce2727dca9ed321e834c8a864de719923106c0e4630f88f15
|
|
4
|
+
data.tar.gz: ca5dff2fb03d1600932cdc4fad2dafc8ee1f1a4712262306d0a04b52074f552f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5b923dc37f4f57041c2667c1bacf4f7b7cb763fdb0d2528faf647a09c8196793916c1734357f36d69b06afe5daa462103861aab0f81585868b2d10d4bf749a86
|
|
7
|
+
data.tar.gz: 9db9f36b6586bcc58f6f825cd6ef3d4484f981df1666985b9d110a683dd521dac24fd9d23ae86b6210f5d26a77467dfc247eb64a376fd582551c254d72715d61
|
data/README.md
CHANGED
|
@@ -37,7 +37,7 @@ $ cd /opt/pwn
|
|
|
37
37
|
$ ./install.sh
|
|
38
38
|
$ ./install.sh ruby-gem
|
|
39
39
|
$ pwn
|
|
40
|
-
pwn[v0.5.
|
|
40
|
+
pwn[v0.5.352]:001 >>> PWN.help
|
|
41
41
|
```
|
|
42
42
|
|
|
43
43
|
[](https://youtu.be/G7iLUY4FzsI)
|
|
@@ -52,7 +52,7 @@ $ rvm use ruby-3.4.4@pwn
|
|
|
52
52
|
$ gem uninstall --all --executables pwn
|
|
53
53
|
$ gem install --verbose pwn
|
|
54
54
|
$ pwn
|
|
55
|
-
pwn[v0.5.
|
|
55
|
+
pwn[v0.5.352]:001 >>> PWN.help
|
|
56
56
|
```
|
|
57
57
|
|
|
58
58
|
If you're using a multi-user install of RVM do:
|
|
@@ -62,7 +62,7 @@ $ rvm use ruby-3.4.4@pwn
|
|
|
62
62
|
$ rvmsudo gem uninstall --all --executables pwn
|
|
63
63
|
$ rvmsudo gem install --verbose pwn
|
|
64
64
|
$ pwn
|
|
65
|
-
pwn[v0.5.
|
|
65
|
+
pwn[v0.5.352]:001 >>> PWN.help
|
|
66
66
|
```
|
|
67
67
|
|
|
68
68
|
PWN periodically upgrades to the latest version of Ruby which is reflected in `/opt/pwn/.ruby-version`. The easiest way to upgrade to the latest version of Ruby from a previous PWN installation is to run the following script:
|
|
@@ -204,6 +204,7 @@ module PWN
|
|
|
204
204
|
break
|
|
205
205
|
end
|
|
206
206
|
end
|
|
207
|
+
print "\n"
|
|
207
208
|
|
|
208
209
|
spider_json.merge!(spider_status_json)
|
|
209
210
|
rescue StandardError => e
|
|
@@ -340,7 +341,7 @@ module PWN
|
|
|
340
341
|
openapi_spec = opts[:openapi_spec]
|
|
341
342
|
raise 'ERROR: openapi_spec parameter not found' unless File.exist?(openapi_spec)
|
|
342
343
|
|
|
343
|
-
additional_http_headers = opts[:additional_http_headers]
|
|
344
|
+
additional_http_headers = opts[:additional_http_headers] ||= {}
|
|
344
345
|
raise 'ERROR: additional_http_headers must be a Hash' unless additional_http_headers.is_a?(Hash)
|
|
345
346
|
|
|
346
347
|
highlight = opts[:highlight] ||= 'NONE'
|
|
@@ -494,7 +495,7 @@ module PWN
|
|
|
494
495
|
request_path = full_path.dup
|
|
495
496
|
query_params = []
|
|
496
497
|
|
|
497
|
-
|
|
498
|
+
operation.each do |param|
|
|
498
499
|
next unless param.is_a?(Hash) && param[:name] && param[:in]
|
|
499
500
|
|
|
500
501
|
param_name = param[:name].to_s
|
|
@@ -518,6 +519,16 @@ module PWN
|
|
|
518
519
|
host: host
|
|
519
520
|
}
|
|
520
521
|
request_headers.merge!(additional_http_headers)
|
|
522
|
+
# Aggregate remaining HTTP header names from spec,
|
|
523
|
+
# reference as keys, and assign their respective
|
|
524
|
+
# values to the request_headers hash
|
|
525
|
+
operation[:parameters]&.each do |param|
|
|
526
|
+
next unless param.is_a?(Hash) && param[:in] == 'header' && param[:name]
|
|
527
|
+
|
|
528
|
+
header_name = param[:name].to_s.downcase
|
|
529
|
+
header_value = param[:schema]&.dig(:example) || 'PLACEHOLDER'
|
|
530
|
+
request_headers[header_name] = header_value.to_s
|
|
531
|
+
end
|
|
521
532
|
|
|
522
533
|
# Construct request lines, including all headers
|
|
523
534
|
request_lines = [
|
|
@@ -526,7 +537,7 @@ module PWN
|
|
|
526
537
|
request_headers.each do |key, value|
|
|
527
538
|
# Capitalize header keys (e.g., 'host' to 'Host', 'authorization' to 'Authorization')
|
|
528
539
|
header_key = key.to_s.split('-').map(&:capitalize).join('-')
|
|
529
|
-
request_lines
|
|
540
|
+
request_lines.push("#{header_key}: #{value}")
|
|
530
541
|
end
|
|
531
542
|
request_lines << '' << '' # Add blank lines for HTTP request body separation
|
|
532
543
|
|
data/lib/pwn/reports/sast.rb
CHANGED
|
@@ -78,8 +78,8 @@ module PWN
|
|
|
78
78
|
word-wrap: break-word !important;
|
|
79
79
|
}
|
|
80
80
|
|
|
81
|
-
.highlighted {
|
|
82
|
-
background-color: #
|
|
81
|
+
tr.highlighted td {
|
|
82
|
+
background-color: #FFF396 !important;
|
|
83
83
|
}
|
|
84
84
|
</style>
|
|
85
85
|
|
|
@@ -98,7 +98,7 @@ module PWN
|
|
|
98
98
|
</h1><br /><br />
|
|
99
99
|
<h2 id="report_name"></h2><br />
|
|
100
100
|
|
|
101
|
-
<div><button type="button" id="button">Rows Selected</button></div><br />
|
|
101
|
+
<div><button type="button" id="button">Rows Selected</button> <button type="button" id="export_selected">Export Selected to JSON</button></div><br />
|
|
102
102
|
<div>
|
|
103
103
|
<b>Toggle Column(s):</b>
|
|
104
104
|
<a class="toggle-vis" data-column="1" href="#">Timestamp</a> |
|
|
@@ -153,17 +153,6 @@ module PWN
|
|
|
153
153
|
$('html,body').animate({scrollTop: targetOffset}, 500);
|
|
154
154
|
oldStart = oSettings._iDisplayStart;
|
|
155
155
|
}
|
|
156
|
-
// Select individual lines in a row
|
|
157
|
-
$('#multi_line_select tbody').on('click', 'tr', function () {
|
|
158
|
-
$(this).toggleClass('highlighted');
|
|
159
|
-
if ($('#multi_line_select tr.highlighted').length > 0) {
|
|
160
|
-
$('#multi_line_select tr td button').attr('disabled', 'disabled');
|
|
161
|
-
// Remove multi-line bug button
|
|
162
|
-
} else {
|
|
163
|
-
$('#multi_line_select tr td button').removeAttr('disabled');
|
|
164
|
-
// Add multi-line bug button
|
|
165
|
-
}
|
|
166
|
-
});
|
|
167
156
|
},
|
|
168
157
|
"ajax": "#{report_name}.json",
|
|
169
158
|
//"deferRender": true,
|
|
@@ -182,7 +171,7 @@ module PWN
|
|
|
182
171
|
var sast_module = data['sast_module'].split('::')[2];
|
|
183
172
|
var sast_test_case = sast_module.replace(/\\.?([A-Z])/g, function (x,y){ if (sast_module.match(/\\.?([A-Z][a-z])/g) ) { return "_" + y.toLowerCase(); } else { return y.toLowerCase(); } }).replace(/^_/g, "");
|
|
184
173
|
|
|
185
|
-
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53: ' + htmlEntityEncode(data['section']) + '</a><br /><br /><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr>';
|
|
174
|
+
return '<table class="squish"><tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53: ' + htmlEntityEncode(data['section']) + '</a><br /><br /><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr></table>';
|
|
186
175
|
}
|
|
187
176
|
},
|
|
188
177
|
{
|
|
@@ -194,13 +183,13 @@ module PWN
|
|
|
194
183
|
|
|
195
184
|
file = htmlEntityEncode(data['entry']);
|
|
196
185
|
|
|
197
|
-
return '<table class="squish"><tr
|
|
186
|
+
return '<table class="squish"><tr><td style="width:150px;" align="left"><a href="' + line_entry_uri + '" target="_blank">' + file + '</a></td></tr></table>';
|
|
198
187
|
}
|
|
199
188
|
},
|
|
200
189
|
{
|
|
201
190
|
"data": "line_no_and_contents",
|
|
202
191
|
"render": function (data, type, row, meta) {
|
|
203
|
-
var pwn_rows = '<
|
|
192
|
+
var pwn_rows = '<table class="multi_line_select squish" style="width: 665px"><tbody>';
|
|
204
193
|
for (var i = 0; i < data.length; i++) {
|
|
205
194
|
var tr_class;
|
|
206
195
|
if (i % 2 == 0) { tr_class = "odd"; } else { tr_class = "even"; }
|
|
@@ -243,7 +232,7 @@ module PWN
|
|
|
243
232
|
|
|
244
233
|
pwn_rows = pwn_rows.concat('<tr class="' + tr_class + '"><td style="width:90px" align="left"><a href="' + htmlEntityEncode(to_line_number) + '" target="_blank">' + htmlEntityEncode(data[i]['line_no']) + '</a>: </td><td style="width:300px" align="left">' + htmlEntityEncode(data[i]['contents']) + '</td><td style="width:200px" align="right"><a href="mailto:' + canned_email + '">' + htmlEntityEncode(data[i]['author']) + '</a></td></tr>');
|
|
245
234
|
}
|
|
246
|
-
pwn_rows = pwn_rows.concat('</tbody></table
|
|
235
|
+
pwn_rows = pwn_rows.concat('</tbody></table>');
|
|
247
236
|
return pwn_rows;
|
|
248
237
|
}
|
|
249
238
|
},
|
|
@@ -255,7 +244,14 @@ module PWN
|
|
|
255
244
|
"data": "test_case_filter",
|
|
256
245
|
"render": $.fn.dataTable.render.text()
|
|
257
246
|
}
|
|
258
|
-
]
|
|
247
|
+
],
|
|
248
|
+
"initComplete": function(settings, json) {
|
|
249
|
+
$('#report_name').text(json.report_name);
|
|
250
|
+
}
|
|
251
|
+
});
|
|
252
|
+
|
|
253
|
+
$('#pwn_scan_git_source_results tbody').on('click', '.multi_line_select tr', function () {
|
|
254
|
+
$(this).toggleClass('highlighted');
|
|
259
255
|
});
|
|
260
256
|
|
|
261
257
|
// Custom advanced search handling
|
|
@@ -318,19 +314,72 @@ module PWN
|
|
|
318
314
|
column.visible( ! column.visible() );
|
|
319
315
|
});
|
|
320
316
|
|
|
321
|
-
// TODO: Open bug for highlighted rows ;)
|
|
322
317
|
$('#button').click( function () {
|
|
323
|
-
alert($('
|
|
318
|
+
alert($('.multi_line_select tr.highlighted').length +' row(s) highlighted');
|
|
324
319
|
});
|
|
325
|
-
});
|
|
326
320
|
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
321
|
+
$('#export_selected').click( function () {
|
|
322
|
+
if ($('.multi_line_select tr.highlighted').length === 0) {
|
|
323
|
+
alert('No rows selected');
|
|
324
|
+
return;
|
|
325
|
+
}
|
|
332
326
|
|
|
333
|
-
|
|
327
|
+
$.getJSON(table.ajax.url(), function(original_json) {
|
|
328
|
+
var selected_results = {};
|
|
329
|
+
|
|
330
|
+
$('.multi_line_select tr.highlighted').each(function() {
|
|
331
|
+
var inner_tr = $(this);
|
|
332
|
+
var main_tr = inner_tr.closest('td').parent();
|
|
333
|
+
var row = table.row(main_tr);
|
|
334
|
+
var row_index = row.index();
|
|
335
|
+
var line_index = inner_tr.index();
|
|
336
|
+
|
|
337
|
+
if (selected_results[row_index] === undefined) {
|
|
338
|
+
selected_results[row_index] = {
|
|
339
|
+
row: row,
|
|
340
|
+
lines: []
|
|
341
|
+
};
|
|
342
|
+
}
|
|
343
|
+
|
|
344
|
+
selected_results[row_index].lines.push(line_index);
|
|
345
|
+
});
|
|
346
|
+
|
|
347
|
+
var new_data = [];
|
|
348
|
+
|
|
349
|
+
Object.keys(selected_results).forEach(function(ri) {
|
|
350
|
+
var sel = selected_results[ri];
|
|
351
|
+
var orig_row_data = sel.row.data();
|
|
352
|
+
var new_row_data = JSON.parse(JSON.stringify(orig_row_data));
|
|
353
|
+
|
|
354
|
+
sel.lines.sort((a, b) => a - b);
|
|
355
|
+
new_row_data.line_no_and_contents = sel.lines.map(function(li) {
|
|
356
|
+
return orig_row_data.line_no_and_contents[li];
|
|
357
|
+
});
|
|
358
|
+
|
|
359
|
+
new_row_data.raw_content = new_row_data.line_no_and_contents.map(l => l.contents).join('\\n');
|
|
360
|
+
|
|
361
|
+
new_data.push(new_row_data);
|
|
362
|
+
});
|
|
363
|
+
|
|
364
|
+
original_json.data = new_data;
|
|
365
|
+
|
|
366
|
+
if (original_json.report_name) {
|
|
367
|
+
original_json.report_name += '_selected';
|
|
368
|
+
}
|
|
369
|
+
|
|
370
|
+
var json_str = JSON.stringify(original_json, null, 2);
|
|
371
|
+
var blob = new Blob([json_str], { type: 'application/json' });
|
|
372
|
+
var url = URL.createObjectURL(blob);
|
|
373
|
+
var a = document.createElement('a');
|
|
374
|
+
a.href = url;
|
|
375
|
+
a.download = (original_json.report_name || 'selected') + '.json';
|
|
376
|
+
document.body.appendChild(a);
|
|
377
|
+
a.click();
|
|
378
|
+
document.body.removeChild(a);
|
|
379
|
+
URL.revokeObjectURL(url);
|
|
380
|
+
});
|
|
381
|
+
});
|
|
382
|
+
});
|
|
334
383
|
</script>
|
|
335
384
|
</body>
|
|
336
385
|
</html>
|
data/lib/pwn/version.rb
CHANGED