pwn 0.4.542 → 0.4.543

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21ef9d6fdf6c9eccf69de573293a4cd3b1b1b8ee223886539030d13e330d9fac
-  data.tar.gz: 71f07204cdf4432c45f12e1cebf1a0da3f41ba370e60396b833b3f8d4b752928
+  metadata.gz: a5d887b5d0434dcaa46ef673de80a11641844733b4589b622c8da8c3eab6e961
+  data.tar.gz: 3e35c91f769c6969de334f40e6c91c7f411051ddb2091bd9df0efc8c88b0b1c9
 SHA512:
-  metadata.gz: 39b1c9849f9396e972b24f26d2ae4b7b9aead4afc9ad865231fc60828360a77c237522ff2df2fda302930e381f1c3056f1917e03fa25468aa8e722cadcf526ab
-  data.tar.gz: 426a22f81eb171d98298c58e1176469ec623aa4e8adf35d82d78553ead7b8dddfd1eecf7aa658ffc076eccf6404c3bb93cc1b722de855f411fd3bfb463e54fb6
+  metadata.gz: 015c611721dd8c43fc06f4a8eb88ccbe7c3deb8f959f7c0cd56e14e61ae509c2f39c85b56fd16e6c6dc230993177818b95ac9c71614f3666d79131343971afb0
+  data.tar.gz: 4e475ccc1edcfcbcc5220106ecb6accd68104513b3264235bf6dadd51eb9c2d9ecc5ad58576c8954f0ae9359d258fffc543e3239f8db9125e76c685b91fbf4bb

data/README.md

@@ -37,7 +37,7 @@ $ rvm use ruby-3.1.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.542]:001 >>> PWN.help
+pwn[v0.4.543]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.1.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.542]:001 >>> PWN.help
+pwn[v0.4.543]:001 >>> PWN.help
 ```
 
 

data/bin/pwn_sast

@@ -95,6 +95,7 @@ begin
       Logger
       OuterHTML
       Password
+      PHPInputMechanisms
       PHPTypeJuggling
       PomVersion
       Port

data/lib/pwn/sast/php_input_mechanisms.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: false
+
+require 'socket'
+
+module PWN
+  module SAST
+    # SAST Module used to identify HTTP input
+    # mechanisms that exist in PHP code (e.g. $_REQUEST, $_GET, etc.)
+    module PHPInputMechanisms
+      @@logger = PWN::Plugins::PWNLogger.create
+
+      # Supported Method Parameters::
+      # PWN::SAST::PHPInputMechanisms.scan(
+      #   dir_path: 'optional path to dir defaults to .'
+      #   git_repo_root_uri: 'optional http uri of git repo scanned'
+      # )
+
+      public_class_method def self.scan(opts = {})
+        dir_path = opts[:dir_path]
+        git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
+        result_arr = []
+        logger_results = ''
+
+        PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
+          if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry).include?('.php') && entry !~ /test/i
+            line_no_and_contents_arr = []
+            entry_beautified = false
+
+            if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
+              js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
+              entry = "#{entry}.JS-BEAUTIFIED"
+              entry_beautified = true
+            end
+
+            test_case_filter = "
+              grep -Fn \
+              -e '$_COOKIE' \
+              -e '$_FILES' \
+              -e '$_GET' \
+              -e '$_POST' \
+              -e '$_REQUEST' \
+              -e '$_SERVER' \
+              -e '$_SESSION' #{entry}
+            "
+
+            str = `#{test_case_filter}`.to_s.scrub
+
+            if str.to_s.empty?
+              # If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
+              logger_results = "#{logger_results}~" # Catching bugs is good :)
+            else
+              str = "1:Result larger than 64KB -> Size: #{str.to_s.length}.  Please click the \"Path\" link for more details." if str.to_s.length >= 64_000
+
+              hash_line = {
+                timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
+                security_references: security_references,
+                filename: { git_repo_root_uri: git_repo_root_uri, entry: entry },
+                line_no_and_contents: '',
+                raw_content: str,
+                test_case_filter: test_case_filter
+              }
+
+              # COMMMENT: Must be a better way to implement this (regex is kinda funky)
+              line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
+              line_no_count = line_contents_split.length # This should always be an even number
+              current_count = 0
+              while line_no_count > current_count
+                line_no = line_contents_split[current_count]
+                contents = line_contents_split[current_count + 1]
+                if Dir.exist?("#{dir_path}/.git") ||
+                   Dir.exist?('.git')
+
+                  repo_root = dir_path
+                  repo_root = '.' if Dir.exist?('.git')
+
+                  author = PWN::Plugins::Git.get_author(
+                    repo_root: repo_root,
+                    from_line: line_no,
+                    to_line: line_no,
+                    target_file: entry,
+                    entry_beautified: entry_beautified
+                  )
+                else
+                  author = 'N/A'
+                end
+                hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(
+                  line_no: line_no,
+                  contents: contents,
+                  author: author
+                )
+
+                current_count += 2
+              end
+              result_arr.push(hash_line)
+              logger_results = "#{logger_results}x" # Seeing progress is good :)
+            end
+          end
+        end
+        logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
+        if logger_results.empty?
+          @@logger.info("#{logger_banner}: No files applicable to this test case.\n")
+        else
+          @@logger.info("#{logger_banner} => #{logger_results}complete.\n")
+        end
+        result_arr
+      rescue StandardError => e
+        raise e
+      end
+
+      # Used primarily to map NIST 800-53 Revision 4 Security Controls
+      # https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
+      # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
+      # Determine the level of Testing Coverage w/ PWN.
+
+      public_class_method def self.security_references
+        {
+          sast_module: self,
+          section: 'DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN',
+          nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-17',
+          cwe_id: '661',
+          cwe_uri: 'https://cwe.mitre.org/data/definitions/661.html'
+        }
+      rescue StandardError => e
+        raise e
+      end
+
+      # Author(s):: 0day Inc. <request.pentest@0dayinc.com>
+
+      public_class_method def self.authors
+        "AUTHOR(S):
+          0day Inc. <request.pentest@0dayinc.com>
+        "
+      end
+
+      # Display Usage for this Module
+
+      public_class_method def self.help
+        puts "USAGE:
+          sast_arr = #{self}.scan(
+            :dir_path => 'optional path to dir defaults to .',
+            :git_repo_root_uri => 'optional http uri of git repo scanned'
+          )
+
+          #{self}.authors
+        "
+      end
+    end
+  end
+end

data/lib/pwn/sast/php_type_juggling.rb

@@ -4,13 +4,13 @@ require 'socket'
 
 module PWN
   module SAST
-    # SAST Module used to identify command
-    # execution residing within Java source code.
+    # SAST Module used to identify loose comparisons
+    # (i.e. == instead of ===) within PHP source code.
     module PHPTypeJuggling
       @@logger = PWN::Plugins::PWNLogger.create
 
       # Supported Method Parameters::
-      # PWN::SAST::Log4J.scan(
+      # PWN::SAST::PHPTypeJuggling.scan(
       #   dir_path: 'optional path to dir defaults to .'
       #   git_repo_root_uri: 'optional http uri of git repo scanned'
       # )
@@ -34,7 +34,8 @@ module PWN
 
             test_case_filter = "
               grep -Fn \
-              -e '==' #{entry}
+              -e '==' #{entry} \ |
+              grep -v '==='
             "
 
             str = `#{test_case_filter}`.to_s.scrub

data/lib/pwn/sast.rb

@@ -29,6 +29,7 @@ module PWN
     autoload :Logger, 'pwn/sast/logger'
     autoload :OuterHTML, 'pwn/sast/outer_html'
     autoload :Password, 'pwn/sast/password'
+    autoload :PHPInputMechanisms, 'pwn/sast/php_input_mechanisms'
     autoload :PHPTypeJuggling, 'pwn/sast/php_type_juggling'
     autoload :PomVersion, 'pwn/sast/pom_version'
     autoload :Port, 'pwn/sast/port'

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.4.542'
+  VERSION = '0.4.543'
 end

data/spec/lib/pwn/sast/php_input_mechanisms_spec.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe PWN::SAST::PHPInputMechanisms do
+  it 'scan method should exist' do
+    scan_response = PWN::SAST::PHPInputMechanisms
+    expect(scan_response).to respond_to :scan
+  end
+
+  it 'should display information for security_references' do
+    security_references_response = PWN::SAST::PHPInputMechanisms
+    expect(security_references_response).to respond_to :security_references
+  end
+
+  it 'should display information for authors' do
+    authors_response = PWN::SAST::PHPInputMechanisms
+    expect(authors_response).to respond_to :authors
+  end
+
+  it 'should display information for existing help method' do
+    help_response = PWN::SAST::PHPInputMechanisms
+    expect(help_response).to respond_to :help
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.4.542
+  version: 0.4.543
 platform: ruby
 authors:
 - 0day Inc.
@@ -1641,6 +1641,7 @@ files:
 - lib/pwn/sast/logger.rb
 - lib/pwn/sast/outer_html.rb
 - lib/pwn/sast/password.rb
+- lib/pwn/sast/php_input_mechanisms.rb
 - lib/pwn/sast/php_type_juggling.rb
 - lib/pwn/sast/pom_version.rb
 - lib/pwn/sast/port.rb
@@ -1939,6 +1940,7 @@ files:
 - spec/lib/pwn/sast/log4j_spec.rb
 - spec/lib/pwn/sast/logger_spec.rb
 - spec/lib/pwn/sast/password_spec.rb
+- spec/lib/pwn/sast/php_input_mechanisms_spec.rb
 - spec/lib/pwn/sast/php_type_juggling_spec.rb
 - spec/lib/pwn/sast/pom_version_spec.rb
 - spec/lib/pwn/sast/port_spec.rb