bbot 2.4.2__py3-none-any.whl → 2.4.2.6590rc0__py3-none-any.whl

bbot/modules/lightfuzz/lightfuzz.py

@@ -0,0 +1,203 @@
+import importlib
+from bbot.modules.base import BaseModule
+
+from bbot.errors import InteractshError
+
+
+class lightfuzz(BaseModule):
+    watched_events = ["URL", "WEB_PARAMETER"]
+    produced_events = ["FINDING", "VULNERABILITY"]
+    flags = ["active", "aggressive", "web-thorough", "deadly"]
+
+    options = {
+        "force_common_headers": False,
+        "enabled_submodules": ["sqli", "cmdi", "xss", "path", "ssti", "crypto", "serial", "nosqli"],
+        "disable_post": False,
+    }
+    options_desc = {
+        "force_common_headers": "Force emit commonly exploitable parameters that may be difficult to detect",
+        "enabled_submodules": "A list of submodules to enable. Empty list enabled all modules.",
+        "disable_post": "Disable processing of POST parameters, avoiding form submissions.",
+    }
+
+    meta = {
+        "description": "Find Web Parameters and Lightly Fuzz them using a heuristic based scanner",
+        "author": "@liquidsec",
+        "created_date": "2024-06-28",
+    }
+    common_headers = ["x-forwarded-for", "user-agent"]
+    in_scope_only = True
+
+    _module_threads = 4
+
+    async def setup(self):
+        self.event_dict = {}
+        self.interactsh_subdomain_tags = {}
+        self.interactsh_instance = None
+        self.disable_post = self.config.get("disable_post", False)
+        self.enabled_submodules = self.config.get("enabled_submodules")
+        self.interactsh_disable = self.scan.config.get("interactsh_disable", False)
+        self.submodules = {}
+
+        if not self.enabled_submodules:
+            return False, "Lightfuzz enabled without any submodules. Must enable at least one submodule."
+
+        for submodule_name in self.enabled_submodules:
+            try:
+                submodule_module = importlib.import_module(f"bbot.modules.lightfuzz.submodules.{submodule_name}")
+                submodule_class = getattr(submodule_module, submodule_name)
+            except ImportError:
+                return False, f"Invalid Lightfuzz submodule ({submodule_name}) specified in enabled_modules"
+            self.submodules[submodule_name] = submodule_class
+
+        interactsh_needed = any(submodule.uses_interactsh for submodule in self.submodules.values())
+
+        if interactsh_needed and not self.interactsh_disable:
+            try:
+                self.interactsh_instance = self.helpers.interactsh()
+                self.interactsh_domain = await self.interactsh_instance.register(callback=self.interactsh_callback)
+            except InteractshError as e:
+                self.warning(f"Interactsh failure: {e}")
+        return True
+
+    async def interactsh_callback(self, r):
+        full_id = r.get("full-id", None)
+        if full_id:
+            if "." in full_id:
+                details = self.interactsh_subdomain_tags.get(full_id.split(".")[0])
+                if not details["event"]:
+                    return
+                # currently, this is only used by the cmdi submodule. Later, when other modules use it, we will need to store description data in the interactsh_subdomain_tags dictionary
+                await self.emit_event(
+                    {
+                        "severity": "CRITICAL",
+                        "host": str(details["event"].host),
+                        "url": details["event"].data["url"],
+                        "description": f"OS Command Injection (OOB Interaction) Type: [{details['type']}] Parameter Name: [{details['name']}] Probe: [{details['probe']}]",
+                    },
+                    "VULNERABILITY",
+                    details["event"],
+                )
+            else:
+                # this is likely caused by something trying to resolve the base domain first and can be ignored
+                self.debug("skipping result because subdomain tag was missing")
+
+    def _outgoing_dedup_hash(self, event):
+        return hash(
+            (
+                "lightfuzz",
+                str(event.host),
+                event.data["url"],
+                event.data["description"],
+                event.data.get("type", ""),
+                event.data.get("name", ""),
+            )
+        )
+
+    async def run_submodule(self, submodule, event):
+        submodule_instance = submodule(self, event)
+        await submodule_instance.fuzz()
+        if len(submodule_instance.results) > 0:
+            for r in submodule_instance.results:
+                event_data = {"host": str(event.host), "url": event.data["url"], "description": r["description"]}
+
+                envelopes = getattr(event, "envelopes", None)
+                envelope_summary = getattr(envelopes, "summary", None)
+                if envelope_summary:
+                    # Append the envelope summary to the description
+                    event_data["description"] += f" Envelopes: [{envelope_summary}]"
+
+                if r["type"] == "VULNERABILITY":
+                    event_data["severity"] = r["severity"]
+                await self.emit_event(
+                    event_data,
+                    r["type"],
+                    event,
+                )
+
+    async def handle_event(self, event):
+        if event.type == "URL":
+            if self.config.get("force_common_headers", False) is False:
+                return False
+
+            # If force_common_headers is True, we force the emission of a WEB_PARAMETER for each of the common headers to force fuzzing against them
+            for h in self.common_headers:
+                description = f"Speculative (Forced) Header [{h}]"
+                data = {
+                    "host": str(event.host),
+                    "type": "HEADER",
+                    "name": h,
+                    "original_value": None,
+                    "url": event.data,
+                    "description": description,
+                }
+                await self.emit_event(data, "WEB_PARAMETER", event)
+
+        elif event.type == "WEB_PARAMETER":
+            # check connectivity to url
+            connectivity_test = await self.helpers.request(event.data["url"], timeout=10)
+
+            if connectivity_test:
+                for submodule_name, submodule in self.submodules.items():
+                    self.debug(f"Starting {submodule_name} fuzz()")
+                    await self.run_submodule(submodule, event)
+            else:
+                self.debug(f"WEB_PARAMETER URL {event.data['url']} failed connectivity test, aborting")
+
+    async def cleanup(self):
+        if self.interactsh_instance:
+            try:
+                await self.interactsh_instance.deregister()
+                self.debug(
+                    f"successfully deregistered interactsh session with correlation_id {self.interactsh_instance.correlation_id}"
+                )
+            except InteractshError as e:
+                self.warning(f"Interactsh failure: {e}")
+
+    async def finish(self):
+        if self.interactsh_instance:
+            await self.helpers.sleep(5)
+            try:
+                for r in await self.interactsh_instance.poll():
+                    await self.interactsh_callback(r)
+            except InteractshError as e:
+                self.debug(f"Error in interact.sh: {e}")
+
+    # If we've disabled fuzzing POST parameters, back out of POSTPARAM WEB_PARAMETER events as quickly as possible
+    async def filter_event(self, event):
+        if event.type == "WEB_PARAMETER" and self.disable_post and event.data["type"] == "POSTPARAM":
+            return False, "POST parameter disabled in lightfuzz module"
+        return True
+
+    @classmethod
+    def help_text(self):
+        # Call the base class help_text method
+        base_help_text = super().help_text()
+
+        import importlib
+
+        submodules = {}
+        for submodule_name in self.options.get("enabled_submodules", []):
+            try:
+                submodule_module = importlib.import_module(f"bbot.modules.lightfuzz.submodules.{submodule_name}")
+                submodule_class = getattr(submodule_module, submodule_name)
+                submodules[submodule_name] = submodule_class
+            except ImportError:
+                continue
+
+        # Find all submodules
+        submodules_info = "\nLightfuzz Submodules:\n"
+        for submodule_name, submodule_class in submodules.items():
+            try:
+                friendly_name = getattr(submodule_class, "friendly_name", submodule_name)
+                description = (
+                    submodule_class.__doc__.strip() if submodule_class.__doc__ else "No description available"
+                )
+                indented_description = "      " + description.replace("\n", "\n      ")
+                submodules_info += f"  - {submodule_name} ({friendly_name}):\n"
+                submodules_info += f"{indented_description}\n\n"
+            except AttributeError:
+                continue
+
+        # Combine the base help text with the submodules information
+        return base_help_text + submodules_info

bbot/modules/lightfuzz/submodules/base.py

@@ -0,0 +1,312 @@
+import copy
+import base64
+import binascii
+from urllib.parse import quote
+
+
+class BaseLightfuzz:
+    friendly_name = ""
+    uses_interactsh = False
+
+    def __init__(self, lightfuzz, event):
+        self.lightfuzz = lightfuzz
+        self.event = event
+        self.results = []
+        self.parameter_name = self.event.data["name"]
+
+    @staticmethod
+    def is_hex(s):
+        try:
+            bytes.fromhex(s)
+            return True
+        except ValueError:
+            return False
+
+    @staticmethod
+    def is_base64(s):
+        try:
+            if base64.b64encode(base64.b64decode(s)).decode() == s:
+                return True
+        except (binascii.Error, UnicodeDecodeError):
+            return False
+        return False
+
+    # WEB_PARAMETER event may contain additional_params (e.g. other parameters in the same form or query string). These will be sent unchanged along with the probe.
+    def additional_params_process(self, additional_params, additional_params_populate_empty):
+        """
+        Processes additional parameters by populating blank or empty values with random strings if specified.
+
+        Parameters:
+        - additional_params (dict): A dictionary of additional parameters to process.
+        - additional_params_populate_blank_empty (bool): If True, populates blank or empty parameter values with random numeric strings.
+
+        Returns:
+        - dict: A dictionary with processed additional parameters, where blank or empty values are replaced with random strings if specified.
+
+        The function iterates over the provided additional parameters and replaces any blank or empty values with a random numeric string
+        of length 10, if the flag is set to True. Otherwise, it returns the parameters unchanged.
+        """
+        if not additional_params or not additional_params_populate_empty:
+            return additional_params
+
+        return {
+            k: self.lightfuzz.helpers.rand_string(10, numeric_only=True) if v in ("", None) else v
+            for k, v in additional_params.items()
+        }
+
+    def conditional_urlencode(self, probe, event_type, skip_urlencoding=False):
+        """Conditionally url-encodes the probe if the event type requires it and encoding is not skipped by the submodule.
+        We also don't encode if any envelopes are present.
+        """
+        if event_type in ["GETPARAM", "COOKIE"] and not skip_urlencoding and getattr(self.event, "envelopes", None):
+            # Exclude '&' from being encoded since we are operating on full query strings
+            return quote(probe, safe="&")
+        return probe
+
+    def build_query_string(self, probe, parameter_name, additional_params=None):
+        """Constructs a URL with query parameters from the given probe and additional parameters."""
+        url = f"{self.event.data['url']}?{parameter_name}={probe}"
+        if additional_params:
+            url = self.lightfuzz.helpers.add_get_params(url, additional_params, encode=False).geturl()
+        return url
+
+    def prepare_request(
+        self,
+        event_type,
+        probe,
+        cookies,
+        additional_params=None,
+        speculative_mode="GETPARAM",
+        parameter_name_suffix="",
+        additional_params_populate_empty=False,
+        skip_urlencoding=False,
+    ):
+        """
+        Prepares the request parameters by processing the probe and constructing the request based on the event type.
+        """
+
+        if parameter_name_suffix:
+            parameter_name = f"{self.parameter_name}{parameter_name_suffix}"
+        else:
+            parameter_name = self.parameter_name
+        additional_params = self.additional_params_process(additional_params, additional_params_populate_empty)
+
+        # Transparently pack the probe value into the envelopes, if present
+        probe = self.outgoing_probe_value(probe)
+
+        # URL Encode the probe if the event type is GETPARAM or COOKIE, if there are no envelopes, and the submodule did not opt-out with skip_urlencoding
+        probe = self.conditional_urlencode(probe, event_type, skip_urlencoding)
+
+        if event_type == "SPECULATIVE":
+            event_type = speculative_mode
+
+        # Construct request parameters based on the event type
+        if event_type == "GETPARAM":
+            url = self.build_query_string(probe, parameter_name, additional_params)
+            return {"method": "GET", "cookies": cookies, "url": url}
+        elif event_type == "COOKIE":
+            cookies_probe = {parameter_name: probe}
+            return {"method": "GET", "cookies": {**cookies, **cookies_probe}, "url": self.event.data["url"]}
+        elif event_type == "HEADER":
+            headers = {parameter_name: probe}
+            return {"method": "GET", "headers": headers, "cookies": cookies, "url": self.event.data["url"]}
+        elif event_type in ["POSTPARAM", "BODYJSON"]:
+            # Prepare data for POSTPARAM and BODYJSON event types
+            data = {parameter_name: probe}
+            if additional_params:
+                data.update(additional_params)
+            if event_type == "BODYJSON":
+                return {"method": "POST", "json": data, "cookies": cookies, "url": self.event.data["url"]}
+            else:
+                return {"method": "POST", "data": data, "cookies": cookies, "url": self.event.data["url"]}
+
+    def compare_baseline(
+        self,
+        event_type,
+        probe,
+        cookies,
+        additional_params_populate_empty=False,
+        speculative_mode="GETPARAM",
+        skip_urlencoding=False,
+        parameter_name_suffix="",
+        parameter_name_suffix_additional_params="",
+    ):
+        """
+        Compares the baseline using prepared request parameters.
+        """
+        additional_params = copy.deepcopy(self.event.data.get("additional_params", {}))
+
+        if additional_params and parameter_name_suffix_additional_params:
+            # Add suffix to each key in additional_params
+            additional_params = {
+                f"{k}{parameter_name_suffix_additional_params}": v for k, v in additional_params.items()
+            }
+
+        request_params = self.prepare_request(
+            event_type,
+            probe,
+            cookies,
+            additional_params,
+            speculative_mode,
+            parameter_name_suffix,
+            additional_params_populate_empty,
+            skip_urlencoding,
+        )
+        request_params.update({"include_cache_buster": False})
+        return self.lightfuzz.helpers.http_compare(**request_params)
+
+    async def baseline_probe(self, cookies):
+        """
+        Executes a baseline probe to establish a baseline for comparison.
+        """
+        if self.event.data.get("eventtype") in ["POSTPARAM", "BODYJSON"]:
+            method = "POST"
+        else:
+            method = "GET"
+
+        return await self.lightfuzz.helpers.request(
+            method=method,
+            cookies=cookies,
+            url=self.event.data.get("url"),
+            allow_redirects=False,
+            retries=1,
+            timeout=10,
+        )
+
+    async def compare_probe(
+        self,
+        http_compare,
+        event_type,
+        probe,
+        cookies,
+        additional_params_populate_empty=False,
+        additional_params_override={},
+        speculative_mode="GETPARAM",
+        skip_urlencoding=False,
+        parameter_name_suffix="",
+        parameter_name_suffix_additional_params="",
+    ):
+        # Deep copy to avoid modifying original additional_params
+        additional_params = copy.deepcopy(self.event.data.get("additional_params", {}))
+
+        # Override additional parameters if provided
+        additional_params.update(additional_params_override)
+
+        if additional_params and parameter_name_suffix_additional_params:
+            # Add suffix to each key in additional_params
+            additional_params = {
+                f"{k}{parameter_name_suffix_additional_params}": v for k, v in additional_params.items()
+            }
+
+        # Prepare request parameters
+        request_params = self.prepare_request(
+            event_type,
+            probe,
+            cookies,
+            additional_params,
+            speculative_mode,
+            parameter_name_suffix,
+            additional_params_populate_empty,
+            skip_urlencoding,
+        )
+        # Perform the comparison using the constructed request parameters
+        url = request_params.pop("url")
+        return await http_compare.compare(url, **request_params)
+
+    async def standard_probe(
+        self,
+        event_type,
+        cookies,
+        probe,
+        timeout=10,
+        additional_params_populate_empty=False,
+        speculative_mode="GETPARAM",
+        allow_redirects=False,
+        skip_urlencoding=False,
+    ):
+        request_params = self.prepare_request(
+            event_type,
+            probe,
+            cookies,
+            self.event.data.get("additional_params"),
+            speculative_mode,
+            "",
+            additional_params_populate_empty,
+            skip_urlencoding,
+        )
+        request_params.update({"allow_redirects": allow_redirects, "retries": 0, "timeout": timeout})
+        self.debug(f"standard_probe requested URL: [{request_params['url']}]")
+        return await self.lightfuzz.helpers.request(**request_params)
+
+    def metadata(self):
+        metadata_string = f"Parameter: [{self.event.data['name']}] Parameter Type: [{self.event.data['type']}]"
+        if self.event.data["original_value"] != "" and self.event.data["original_value"] is not None:
+            metadata_string += (
+                f" Original Value: [{self.lightfuzz.helpers.truncate_string(self.event.data['original_value'], 200)}]"
+            )
+        return metadata_string
+
+    def incoming_probe_value(self, populate_empty=True):
+        """
+        Transparently modifies the incoming probe value (the original value of the WEB_PARAMETER), given any envelopes that may have been identified, so that fuzzing within the envelopes can occur.
+        """
+        envelopes = getattr(self.event, "envelopes", None)
+        probe_value = ""
+        if envelopes is not None:
+            probe_value = envelopes.get_subparam()
+            self.debug(f"incoming_probe_value (after unpacking): {probe_value} with envelopes [{envelopes}]")
+        if not probe_value:
+            if populate_empty is True:
+                probe_value = self.lightfuzz.helpers.rand_string(10, numeric_only=True)
+            else:
+                probe_value = ""
+        probe_value = str(probe_value)
+        return probe_value
+
+    def outgoing_probe_value(self, outgoing_probe_value):
+        """
+        Transparently modifies the outgoing probe value (fuzz probe being sent to the target), given any envelopes that may have been identified, so that fuzzing within the envelopes can occur.
+        """
+        self.debug(f"outgoing_probe_value (before packing): {outgoing_probe_value} / {self.event}")
+        envelopes = getattr(self.event, "envelopes", None)
+        if envelopes is not None:
+            envelopes.set_subparam(value=outgoing_probe_value)
+            outgoing_probe_value = envelopes.pack()
+            self.debug(
+                f"outgoing_probe_value (after packing): {outgoing_probe_value} with envelopes [{envelopes}] / {self.event}"
+            )
+        return outgoing_probe_value
+
+    def get_submodule_name(self):
+        """Extracts the submodule name from the class name."""
+        return self.__class__.__name__.replace("Lightfuzz", "").lower()
+
+    def log(self, level, message, *args, **kwargs):
+        submodule_name = self.get_submodule_name()
+        prefixed_message = f"[{submodule_name}] {message}"
+        log_method = getattr(self.lightfuzz, level)
+        log_method(prefixed_message, *args, **kwargs)
+
+    def debug(self, message, *args, **kwargs):
+        self.log("debug", message, *args, **kwargs)
+
+    def verbose(self, message, *args, **kwargs):
+        self.log("verbose", message, *args, **kwargs)
+
+    def info(self, message, *args, **kwargs):
+        self.log("info", message, *args, **kwargs)
+
+    def hugeinfo(self, message, *args, **kwargs):
+        self.log("hugeinfo", message, *args, **kwargs)
+
+    def warning(self, message, *args, **kwargs):
+        self.log("warning", message, *args, **kwargs)
+
+    def hugewarning(self, message, *args, **kwargs):
+        self.log("hugewarning", message, *args, **kwargs)
+
+    def error(self, message, *args, **kwargs):
+        self.log("error", message, *args, **kwargs)
+
+    def critical(self, message, *args, **kwargs):
+        self.log("critical", message, *args, **kwargs)

bbot/modules/lightfuzz/submodules/cmdi.py

@@ -0,0 +1,106 @@
+from bbot.errors import HttpCompareError
+from .base import BaseLightfuzz
+
+import urllib.parse
+
+
+class cmdi(BaseLightfuzz):
+    """
+    Detects command injection vulnerabilities.
+
+    Techniques:
+
+    * Echo Canary Detection:
+       - Injects command delimiters (;, &&, ||, &, |) along with an echo command
+       - Checks if the echoed canary appears in the response without the "echo" itself
+       - Uses a false positive probe to validate findings
+
+    * Blind Command Injection:
+       - Injects nslookup commands with unique subdomain tags
+       - Detects command execution through DNS resolution via Interactsh
+    """
+
+    friendly_name = "Command Injection"
+    uses_interactsh = True
+
+    async def fuzz(self):
+        cookies = self.event.data.get(
+            "assigned_cookies", {}
+        )  # Retrieve assigned cookies from WEB_PARAMETER event data, if present
+        probe_value = self.incoming_probe_value()
+
+        canary = self.lightfuzz.helpers.rand_string(10, numeric_only=True)
+        http_compare = self.compare_baseline(
+            self.event.data["type"], probe_value, cookies
+        )  # Initialize the http_compare object and establish a baseline HTTP response
+
+        cmdi_probe_strings = [
+            "AAAA",  # False positive probe
+            ";",
+            "&&",
+            "||",
+            "&",
+            "|",
+        ]
+
+        positive_detections = []
+        for p in cmdi_probe_strings:
+            try:
+                # add "echo" to the cmdi probe value to construct the command to be executed
+                echo_probe = f"{probe_value}{p} echo {canary} {p}"
+                # we have to handle our own URL-encoding here, because our payloads include the & character
+                if self.event.data["type"] == "GETPARAM":
+                    echo_probe = urllib.parse.quote(echo_probe.encode(), safe="")
+
+                # send cmdi probe and compare with baseline response
+                cmdi_probe = await self.compare_probe(
+                    http_compare, self.event.data["type"], echo_probe, cookies, skip_urlencoding=True
+                )
+
+                # ensure we received an HTTP response
+                if cmdi_probe[3]:
+                    # check if the canary is in the response and the word "echo" is NOT in the response text, ruling out mere reflection of the entire probe value without execution
+                    if canary in cmdi_probe[3].text and "echo" not in cmdi_probe[3].text:
+                        self.debug(f"canary [{canary}] found in response when sending probe [{p}]")
+                        if p == "AAAA":  # Handle detection false positive probe
+                            self.warning(
+                                f"False Postive Probe appears to have been triggered for {self.event.data['url']}, aborting remaining detection"
+                            )
+                            return
+                        positive_detections.append(p)  # Add detected probes to positive detections
+            except HttpCompareError as e:
+                self.debug(e)
+                continue
+        if len(positive_detections) > 0:
+            self.results.append(
+                {
+                    "type": "FINDING",
+                    "description": f"POSSIBLE OS Command Injection. {self.metadata()} Detection Method: [echo canary] CMD Probe Delimeters: [{' '.join(positive_detections)}]",
+                }
+            )
+
+        # Blind OS Command Injection
+        if self.lightfuzz.interactsh_instance:
+            self.lightfuzz.event_dict[self.event.data["url"]] = self.event  # Store the event associated with the URL
+            for p in cmdi_probe_strings:
+                # generate a random subdomain tag and associate it with the event, type, name, and probe
+                subdomain_tag = self.lightfuzz.helpers.rand_string(4, digits=False)
+                self.lightfuzz.interactsh_subdomain_tags[subdomain_tag] = {
+                    "event": self.event,
+                    "type": self.event.data["type"],
+                    "name": self.event.data["name"],
+                    "probe": p,
+                }
+                # payload is an nslookup command that includes the interactsh domain prepended the previously generated subdomain tag
+                interactsh_probe = f"{p} nslookup {subdomain_tag}.{self.lightfuzz.interactsh_domain} {p}"
+                # we have to handle our own URL-encoding here, because our payloads include the & character
+                if self.event.data["type"] == "GETPARAM":
+                    interactsh_probe = urllib.parse.quote(interactsh_probe.encode(), safe="")
+                # we send the probe here, and any positive detections are processed in the interactsh_callback defined in lightfuzz.py
+                await self.standard_probe(
+                    self.event.data["type"],
+                    cookies,
+                    f"{probe_value}{interactsh_probe}",
+                    timeout=15,
+                    skip_urlencoding=True,
+                )