bbot 2.4.2.6706rc0__tar.gz → 2.5.0__tar.gz

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: bbot
-Version: 2.4.2.6706rc0
+Version: 2.5.0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/__init__.py

@@ -1,5 +1,5 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.4.2.6706rc"
+__version__ = "v2.5.0"
 
 from .scanner import Scanner, Preset
 

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/modules/lightfuzz/lightfuzz.py

@@ -11,7 +11,7 @@ class lightfuzz(BaseModule):
 
     options = {
         "force_common_headers": False,
-        "enabled_submodules": ["sqli", "cmdi", "xss", "path", "ssti", "crypto", "serial", "nosqli"],
+        "enabled_submodules": ["sqli", "cmdi", "xss", "path", "ssti", "crypto", "serial"],
         "disable_post": False,
     }
     options_desc = {

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/modules/lightfuzz/submodules/serial.py

@@ -153,10 +153,20 @@ class serial(BaseLightfuzz):
                         error in response.text for error in general_errors
                     )  # ensure the 200 is not actually an error
                 ):
+
+                    def get_title(text):
+                        soup = self.lightfuzz.helpers.beautifulsoup(text, "html.parser")
+                        if soup and soup.title and soup.title.string:
+                            return f"'{self.lightfuzz.helpers.truncate_string(soup.title.string, 50)}'"
+                        return ""
+
+                    baseline_title = get_title(payload_baseline.baseline.text)
+                    probe_title = get_title(response.text)
+
                     self.results.append(
                         {
                             "type": "FINDING",
-                            "description": f"POSSIBLE Unsafe Deserialization. {self.metadata()} Technique: [Error Resolution] Serialization Payload: [{type}]",
+                            "description": f"POSSIBLE Unsafe Deserialization. {self.metadata()} Technique: [Error Resolution (Baseline: [{payload_baseline.baseline.status_code}] {baseline_title} -> Probe: [{status_code}] {probe_title})] Serialization Payload: [{type}]",
                         }
                     )
                 # if the first case doesn't match, we check for a telltale error string like "java.io.optionaldataexception" in the response.

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/modules/lightfuzz/submodules/sqli.py

@@ -111,6 +111,7 @@ class sqli(BaseLightfuzz):
                     single_quote[3].status_code != 429
                     and double_single_quote[3].status_code != 429
                     and http_compare.baseline.status_code != 429
+                    and http_compare.baseline.status_code != 403  # Ensure the baseline status code is not 403
                 ):  # prevent false positives from rate limiting
                     # if the code changed in the single quote probe, and the code is NOT the same between that and the double single quote probe, SQL injection is indicated
                     if "code" in single_quote[1] and (

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/modules/lightfuzz/submodules/xss.py

@@ -142,14 +142,14 @@ class xss(BaseLightfuzz):
                     break
 
         if in_tag_attribute:
-            in_tag_attribute_probe = f'{random_string}"'
-            in_tag_attribute_match = f'{random_string}"'
+            in_tag_attribute_probe = f'{random_string}"z'
+            in_tag_attribute_match = f'{random_string}"z'
             await self.check_probe(
                 cookies, in_tag_attribute_probe, in_tag_attribute_match, "Tag Attribute"
             )  # After reflection in the HTTP response, did the quote survive without url-encoding or other sanitization/escaping?
 
-            in_tag_attribute_probe = f'{random_string}"'
-            in_tag_attribute_match = f'"{random_string}""'
+            in_tag_attribute_probe = f'{random_string}"z'
+            in_tag_attribute_match = f'"{random_string}""z'
             await self.check_probe(
                 cookies, in_tag_attribute_probe, in_tag_attribute_match, "Tag Attribute (autoquote)"
             )  # After reflection in the HTTP response, did the quote survive without url-encoding or other sanitization/escaping (and account for auto-quoting)

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/presets/web/lightfuzz-heavy.yml

@@ -12,5 +12,5 @@ modules:
 config:
   modules:
     lightfuzz:
-      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]
+      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss]
       disable_post: False

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/presets/web/lightfuzz-medium.yml

@@ -11,4 +11,4 @@ modules:
 config:
   modules:
     lightfuzz:
-      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]
+      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss]

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/presets/web/lightfuzz-superheavy.yml

@@ -8,6 +8,6 @@ config:
   modules:
     lightfuzz:
       force_common_headers: True # Fuzz common headers like X-Forwarded-For even if they're not observed on the target
-      enabled_submodules: [cmdi,crypto,nosqli,path,serial,sqli,ssti,xss]
+      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss]
     excavate:
       speculate_params: True # speculate potential parameters extracted from JSON/XML web responses

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/bbot/test/test_step_2/module_tests/test_module_lightfuzz.py

@@ -639,132 +639,6 @@ class Test_Lightfuzz_urlencoding(Test_Lightfuzz_xss_injs):
         assert xss_finding_emitted, "In Javascript XSS FINDING not emitted"
 
 
-class Test_Lightfuzz_nosqli_quoteescape(ModuleTestBase):
-    targets = ["http://127.0.0.1:8888"]
-    modules_overrides = ["httpx", "lightfuzz", "excavate"]
-    config_overrides = {
-        "interactsh_disable": True,
-        "modules": {
-            "lightfuzz": {
-                "enabled_submodules": ["nosqli"],
-            }
-        },
-    }
-
-    def request_handler(self, request):
-        normal_block = """
-            <section class="search-filters">
-                        <label>Refine your search:</label>
-                        <a class="filter-category" href="/?category=Pets">Pets</a>
-                    </section>
-        """
-
-        qs = str(request.query_string.decode())
-        if "category=" in qs:
-            value = qs.split("=")[1]
-            if "&" in value:
-                value = value.split("&")[0]
-            if value == "Pets%27":
-                return Response("JSON ERROR!", status=500)
-            elif value == "Pets%5C%27":
-                return Response("No results", status=200)
-            elif value == "Pets%27%20%26%26%200%20%26%26%20%27x":
-                return Response("No results", status=200)
-            elif value == "Pets%27%20%26%26%201%20%26%26%20%27x":
-                return Response('{"category":"Pets","entries":["dog","cat","bird"]}', status=200)
-            else:
-                return Response("No results", status=200)
-        return Response(normal_block, status=200)
-
-    async def setup_after_prep(self, module_test):
-        module_test.scan.modules["lightfuzz"].helpers.rand_string = lambda *args, **kwargs: "AAAAAAAAAAAAAA"
-        expect_args = re.compile("/")
-        module_test.set_expect_requests_handler(expect_args=expect_args, request_handler=self.request_handler)
-
-    def check(self, module_test, events):
-        nosqli_finding_emitted = False
-        finding_count = 0
-        for e in events:
-            if e.type == "FINDING":
-                finding_count += 1
-                if (
-                    "Possible NoSQL Injection. Parameter: [category] Parameter Type: [GETPARAM] Original Value: [Pets] Detection Method: [Quote/Escaped Quote + Conditional Affect]"
-                    in e.data["description"]
-                ):
-                    nosqli_finding_emitted = True
-        assert nosqli_finding_emitted, "NoSQLi FINDING not emitted"
-        assert finding_count == 1, "Unexpected FINDING events reported"
-
-
-class Test_Lightfuzz_nosqli_negation(Test_Lightfuzz_nosqli_quoteescape):
-    def request_handler(self, request):
-        form_block = """
-            <form method="POST" action="">
-            <label for="username">Username:</label>
-            <input type="text" id="username" name="username" required>
-            <br>
-            <label for="password">Password:</label>
-            <input type="password" id="password" name="password" required>
-            <br>
-            <button type="submit">Login</button>
-          </form>
-        """
-        if request.method == "GET":
-            return Response(form_block, status=200)
-
-        if "username[$ne]" in request.form.keys() and "password[$ne]" in request.form.keys():
-            return Response("Welcome, testuser1!", status=200)
-        if "username[$eq]" in request.form.keys() and "password[$eq]" in request.form.keys():
-            return Response("Invalid Username or Password!", status=200)
-        else:
-            return Response("Invalid Username or Password!", status=200)
-
-    def check(self, module_test, events):
-        nosqli_finding_emitted = False
-        finding_count = 0
-        for e in events:
-            if e.type == "FINDING":
-                finding_count += 1
-                if (
-                    "Possible NoSQL Injection. Parameter: [password] Parameter Type: [POSTPARAM] Detection Method: [Parameter Name Operator Injection - Negation ([$ne])] Differences: [body]"
-                    in e.data["description"]
-                ):
-                    nosqli_finding_emitted = True
-        assert nosqli_finding_emitted, "NoSQLi FINDING not emitted"
-        assert finding_count == 2, "Unexpected FINDING events reported"
-
-
-class Test_Lightfuzz_nosqli_negation_falsepositive(Test_Lightfuzz_nosqli_quoteescape):
-    def request_handler(self, request):
-        form_block = """
-            <form method="POST" action="">
-            <label for="username">Username:</label>
-            <input type="text" id="username" name="username" required>
-            <br>
-            <label for="password">Password:</label>
-            <input type="password" id="password" name="password" required>
-            <br>
-            <button type="submit">Login</button>
-          </form>
-        """
-        if request.method == "GET":
-            return Response(form_block, status=200)
-
-        if "username[$ne]" in request.form.keys() and "password[$ne]" in request.form.keys():
-            return Response("missing username or password", status=500)
-        if "username[$eq]" in request.form.keys() and "password[$eq]" in request.form.keys():
-            return Response("missing username or password", status=500)
-        else:
-            return Response("Invalid Username or Password!", status=200)
-
-    def check(self, module_test, events):
-        finding_count = 0
-        for e in events:
-            if e.type == "FINDING":
-                finding_count += 1
-        assert finding_count == 0, "False positive FINDING emitted"
-
-
 # SQLI Single Quote/Two Single Quote (getparam)
 class Test_Lightfuzz_sqli(ModuleTestBase):
     targets = ["http://127.0.0.1:8888"]
@@ -1040,8 +914,6 @@ class Test_Lightfuzz_sqli_cookies(Test_Lightfuzz_sqli):
         </html>
         """
 
-        print("@@@@@???")
-        print(request.cookies)
         if request.cookies.get("test") is not None:
             header_value = request.cookies.get("test")
 
@@ -1226,7 +1098,7 @@ class Test_Lightfuzz_serial_errorresolution(ModuleTestBase):
             if e.type == "FINDING":
                 if (
                     e.data["description"]
-                    == "POSSIBLE Unsafe Deserialization. Parameter: [TextBox1] Parameter Type: [POSTPARAM] Technique: [Error Resolution] Serialization Payload: [dotnet_base64]"
+                    == "POSSIBLE Unsafe Deserialization. Parameter: [TextBox1] Parameter Type: [POSTPARAM] Technique: [Error Resolution (Baseline: [500]  -> Probe: [200] )] Serialization Payload: [dotnet_base64]"
                 ):
                     lightfuzz_serial_detect_errorresolution = True
 
@@ -1326,7 +1198,7 @@ class Test_Lightfuzz_serial_errorresolution_existingvalue_valid(Test_Lightfuzz_s
                     excavate_detect_serialization_value = True
                 if (
                     e.data["description"]
-                    == "POSSIBLE Unsafe Deserialization. Parameter: [TextBox1] Parameter Type: [POSTPARAM] Original Value: [AAEAAAD/////AQAAAAAAAAAGAQAAAAdndXN0YXZvCw==] Technique: [Error Resolution] Serialization Payload: [dotnet_base64]"
+                    == "POSSIBLE Unsafe Deserialization. Parameter: [TextBox1] Parameter Type: [POSTPARAM] Original Value: [AAEAAAD/////AQAAAAAAAAAGAQAAAAdndXN0YXZvCw==] Technique: [Error Resolution (Baseline: [500]  -> Probe: [200] )] Serialization Payload: [dotnet_base64]"
                 ):
                     lightfuzz_serial_detect_errorresolution = True
 

{bbot-2.4.2.6706rc0 → bbot-2.5.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bbot"
-version = "v2.4.2.6706rc"
+version = "v2.5.0"
 description = "OSINT automation for hackers."
 authors = [
     "TheTechromancer",
@@ -109,7 +109,7 @@ lint.ignore = ["E402", "E711", "E713", "E721", "E741", "F403", "F405", "E501"]
 [tool.poetry-dynamic-versioning]
 enable = false
 metadata = false
-format-jinja = 'v2.4.2{% if branch == "dev" %}.{{ distance }}rc{% endif %}'
+format-jinja = 'v2.5.0{% if branch == "dev" %}.{{ distance }}rc{% endif %}'
 
 [tool.poetry-dynamic-versioning.substitution]
 files = ["*/__init__.py"]

bbot-2.4.2.6706rc0/bbot/modules/lightfuzz/submodules/nosqli.py

@@ -1,183 +0,0 @@
-from .base import BaseLightfuzz
-from bbot.errors import HttpCompareError
-import urllib.parse
-
-
-class nosqli(BaseLightfuzz):
-    """
-    Detects NoSQL injection vulnerabilities.
-
-    Techniques:
-
-    * Quote Injection Analysis:
-       - Injects single quotes and escaped single quotes into parameters
-       - Compares response differences between the two to detect NoSQL parsing
-       - Uses baseline comparison to validate findings and reduce false positives
-
-    * Operator Injection:
-       - Tests MongoDB-style operator injection using [$eq] and [$ne]
-       - Modifies parameter names to include operators
-       - Detects behavioral changes in application responses
-
-    Validation of findings is achieved using confirmation probes to rule out unstable endpoints
-    """
-
-    friendly_name = "NoSQL Injection"
-
-    async def fuzz(self):
-        cookies = self.event.data.get("assigned_cookies", {})
-        probe_value = self.incoming_probe_value(populate_empty=True)
-        quote_probe_baseline = None
-        try:
-            quote_probe_baseline = self.compare_baseline(
-                self.event.data["type"], probe_value, cookies, additional_params_populate_empty=True
-            )
-        except HttpCompareError as e:
-            self.verbose(f"Encountered HttpCompareError Sending Compare Baseline: {e}")
-
-        if quote_probe_baseline:
-            try:
-                # send the with a single quote, and then another with an escaped single quote
-                (
-                    single_quote_comparison,
-                    single_quote_diff_reasons,
-                    single_quote_reflection,
-                    single_quote_response,
-                ) = await self.compare_probe(
-                    quote_probe_baseline,
-                    self.event.data["type"],
-                    f"{probe_value}'",
-                    cookies,
-                    additional_params_populate_empty=True,
-                )
-                (
-                    escaped_single_quote_comparison,
-                    escaped_single_quote_diff_reasons,
-                    escaped_single_quote_reflection,
-                    escaped_single_quote_response,
-                ) = await self.compare_probe(
-                    quote_probe_baseline,
-                    self.event.data["type"],
-                    rf"{probe_value}\'",
-                    cookies,
-                    additional_params_populate_empty=True,
-                )
-                if not single_quote_comparison and single_quote_response and escaped_single_quote_response:
-                    # if the single quote probe changed the code or body, and the escaped single quote probe did not cause the same change, injection is possible
-                    if ("code" in single_quote_diff_reasons or "body" in single_quote_diff_reasons) and (
-                        single_quote_diff_reasons != escaped_single_quote_diff_reasons
-                    ):
-                        self.verbose(
-                            "Initial heuristic indicates possible NoSQL Injection, sending confirmation probes"
-                        )
-                        confirm_baseline = self.compare_baseline(
-                            self.event.data["type"],
-                            urllib.parse.quote(f"{probe_value}' && 0 && 'x", safe=""),
-                            cookies,
-                            additional_params_populate_empty=True,
-                            skip_urlencoding=True,
-                        )
-                        (
-                            confirmation_probe_false_comparison,
-                            confirmation_probe_false_diff_reasons,
-                            confirmation_probe_false_reflection,
-                            confirmation_probe_false_response,
-                        ) = await self.compare_probe(
-                            confirm_baseline,
-                            self.event.data["type"],
-                            urllib.parse.quote(f"{probe_value}' && 1 && 'x", safe=""),
-                            cookies,
-                            additional_params_populate_empty=True,
-                            skip_urlencoding=True,
-                        )
-                        if confirmation_probe_false_response:
-                            if not confirmation_probe_false_comparison and confirmation_probe_false_diff_reasons != [
-                                "header"
-                            ]:
-                                (
-                                    final_confirm_comparison,
-                                    final_confirm_diff_reasons,
-                                    final_confirm_reflection,
-                                    final_confirm_response,
-                                ) = await self.compare_probe(
-                                    confirm_baseline,
-                                    self.event.data["type"],
-                                    urllib.parse.quote(f"{probe_value}' && 0 && 'x", safe=""),
-                                    cookies,
-                                    additional_params_populate_empty=True,
-                                    skip_urlencoding=True,
-                                )
-
-                                if final_confirm_response and final_confirm_comparison:
-                                    self.results.append(
-                                        {
-                                            "type": "FINDING",
-                                            "description": f"Possible NoSQL Injection. {self.metadata()} Detection Method: [Quote/Escaped Quote + Conditional Affect] Differences: [{'.'.join(confirmation_probe_false_diff_reasons)}]",
-                                        }
-                                    )
-                                else:
-                                    self.verbose(
-                                        "Aborted reporting Possible NoSQL Injection, due to unstable/inconsistent responses"
-                                    )
-
-            except HttpCompareError as e:
-                self.verbose(f"Encountered HttpCompareError Sending Compare Probe: {e}")
-
-        # Comparison operator injection
-        if self.event.data["type"] in ["POSTPARAM", "GETPARAM"]:
-            nosqli_negation_baseline = None
-
-            try:
-                nosqli_negation_baseline = self.compare_baseline(
-                    self.event.data["type"],
-                    f"{probe_value}'",
-                    cookies,
-                    additional_params_populate_empty=True,
-                    parameter_name_suffix="[$eq]",
-                    parameter_name_suffix_additional_params="[$eq]",
-                )
-            except HttpCompareError as e:
-                self.verbose(f"Encountered HttpCompareError Sending Compare Baseline: {e}")
-
-            if nosqli_negation_baseline:
-                try:
-                    (
-                        nosqli_negate_comparison,
-                        nosqli_negate_diff_reasons,
-                        nosqli_negate_reflection,
-                        nosqli_negate_response,
-                    ) = await self.compare_probe(
-                        nosqli_negation_baseline,
-                        self.event.data["type"],
-                        f"{probe_value}'",
-                        cookies,
-                        additional_params_populate_empty=True,
-                        parameter_name_suffix="[$ne]",
-                        parameter_name_suffix_additional_params="[$ne]",
-                    )
-                    if nosqli_negate_response:
-                        if not nosqli_negate_comparison and nosqli_negate_diff_reasons != ["header"]:
-                            # If we are about to report a finding, rule out a false positive from unstable URL by sending another probe with the baseline values, and ensure those dont also come back as different
-                            (
-                                nosqli_negate_comfirm_comparison,
-                                nosqli_negate_confirm_diff_reasons,
-                                nosqli_negate_confirm_reflection,
-                                nosqli_negate_confirm_response,
-                            ) = await self.compare_probe(
-                                nosqli_negation_baseline,
-                                self.event.data["type"],
-                                f"{probe_value}'",
-                                cookies,
-                                additional_params_populate_empty=True,
-                                parameter_name_suffix="[$eq]",
-                                parameter_name_suffix_additional_params="[$eq]",
-                            )
-                            if nosqli_negate_comfirm_comparison:
-                                self.results.append(
-                                    {
-                                        "type": "FINDING",
-                                        "description": f"Possible NoSQL Injection. {self.metadata()} Detection Method: [Parameter Name Operator Injection - Negation ([$ne])] Differences: [{'.'.join(nosqli_negate_diff_reasons)}]",
-                                    }
-                                )
-                except HttpCompareError as e:
-                    self.verbose(f"Encountered HttpCompareError Sending Compare Probe: {e}")