pwn 0.5.407 → 0.5.408

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6cdcedb953c971c8feccabd99bb44f1e229254d4adbaf8f5d06c53416da1d3c7
-  data.tar.gz: 2642aa96456651ef17d042794f21ad69754335e8d3b8d7e3415e311adb1dbd05
+  metadata.gz: 8d06c6b5e12a9f4cf4234fac12f6ab411827e323c3e9e0a47619f0dbef244c48
+  data.tar.gz: 3add4e6e3d8aa13f210500668182dafccc85c212e1d4b13cabda9d932ccaf668
 SHA512:
-  metadata.gz: 8041d87f4162ebb4fb28c9b6acc5cfae7394fb4e082cd8a4a99e6ac22f1181701a0e32d28e97593d7e169cadc80ca71c76d0144d7e313e16c8c9b1ee799bd20a
-  data.tar.gz: 0a654b39bf9c3f63b24accc464fd7b8222f060dfd5748118e99771d8ef9897e6551c95e63b40fdd4b0eabfe21694241a448c3a00607e21306b7e64683b871500
+  metadata.gz: 715b74eaecca58b65bfabe0b9e025eb807068ce7774ab04d3ed21ba29c52b597a7e730c45fff58a6a97d95566dd9d987fb29f2f63b212f28e0d9869c21822374
+  data.tar.gz: 7d93377be56f0f32aa29f4e8321d789fb63b100b0a6b212f2857286045035706afcee3138998c7f15428f919a195457449e9945feba15678838c85a724cf44e4

data/README.md

@@ -37,7 +37,7 @@ $ cd /opt/pwn
 $ ./install.sh
 $ ./install.sh ruby-gem
 $ pwn
-pwn[v0.5.407]:001 >>> PWN.help
+pwn[v0.5.408]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.4.4@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.5.407]:001 >>> PWN.help
+pwn[v0.5.408]:001 >>> PWN.help
 ```
 
 If you're using a multi-user install of RVM do:
@@ -62,7 +62,7 @@ $ rvm use ruby-3.4.4@pwn
 $ rvmsudo gem uninstall --all --executables pwn
 $ rvmsudo gem install --verbose pwn
 $ pwn
-pwn[v0.5.407]:001 >>> PWN.help
+pwn[v0.5.408]:001 >>> PWN.help
 ```
 
 PWN periodically upgrades to the latest version of Ruby which is reflected in `/opt/pwn/.ruby-version`.  The easiest way to upgrade to the latest version of Ruby from a previous PWN installation is to run the following script:

data/lib/pwn/plugins/zaproxy.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cgi'
+require 'fileutils'
 require 'pty'
 require 'securerandom'
 require 'json'
@@ -113,10 +114,15 @@ module PWN
 
         zap_obj[:mitm_browser] = browser_obj2
 
+        timestamp = Time.now.strftime('%Y-%m-%d_%H-%M-%S%z')
+        session_path = "/tmp/zaproxy-#{timestamp}.session"
+        zap_obj[:session_path] = session_path
+
         if headless
-          zaproxy_cmd = "cd #{zap_root} && ./#{zap_bin} -daemon"
+          # TODO: Ensure Default Context still exists and is default context
+          zaproxy_cmd = "cd #{zap_root} && ./#{zap_bin} -daemon -newsession #{session_path}"
         else
-          zaproxy_cmd = "cd #{zap_root} && ./#{zap_bin}"
+          zaproxy_cmd = "cd #{zap_root} && ./#{zap_bin} -newsession #{session_path}"
         end
 
         zaproxy_cmd = "#{zaproxy_cmd} -host #{zap_ip} -port #{zap_port}"
@@ -501,6 +507,8 @@ module PWN
         scan_policy = opts[:scan_policy] ||= 'Default Policy'
 
         exclude_paths.each do |exclude_path|
+          # Remove trailing .* from target_url if it exists
+          target_url = target_url.delete_suffix('.*') if target_url.end_with?('.*')
           exclude_path_regex = "#{target_url}#{exclude_path}.*"
           params = {
             apikey: api_key,
@@ -717,6 +725,11 @@ module PWN
           params: params
         )
 
+        session_path = zap_obj[:session_path]
+        session_path_files = Dir.glob("#{session_path}*")
+        # Remove session files - need to add a slight delay between each unlink to work around file locks
+        session_path_files.each { |f| FileUtils.rm_f(f); sleep 0.3 }
+
         zap_obj = nil
       rescue StandardError, SystemExit, Interrupt => e
         raise e

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.5.407'
+  VERSION = '0.5.408'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.5.407
+  version: 0.5.408
 platform: ruby
 authors:
 - 0day Inc.