bbot 2.5.0.6742rc0__tar.gz → 2.5.0.6765rc0__tar.gz

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: bbot
-Version: 2.5.0.6742rc0
+Version: 2.5.0.6765rc0
 Summary: OSINT automation for hackers.
 License: GPL-3.0
 Keywords: python,cli,automation,osint,threat-intel,intelligence,neo4j,scanner,python-library,hacking,recursion,pentesting,recon,command-line-tool,bugbounty,subdomains,security-tools,subdomain-scanner,osint-framework,attack-surface,subdomain-enumeration,osint-tool

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/__init__.py

@@ -1,5 +1,5 @@
 # version placeholder (replaced by poetry-dynamic-versioning)
-__version__ = "v2.5.0.6742rc"
+__version__ = "v2.5.0.6765rc"
 
 from .scanner import Scanner, Preset
 

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/core/helpers/names_generator.py

@@ -173,6 +173,7 @@ adjectives = [
     "pasty",
     "peckish",
     "pedantic",
+    "pensive",
     "pernicious",
     "perturbed",
     "perverted",
@@ -671,6 +672,7 @@ names = [
     "tracy",
     "travis",
     "treebeard",
+    "trent",
     "triss",
     "tyler",
     "tyrell",

bbot-2.5.0.6765rc0/bbot/modules/aspnet_bin_exposure.py

@@ -0,0 +1,80 @@
+from bbot.modules.base import BaseModule
+
+
+class aspnet_bin_exposure(BaseModule):
+    watched_events = ["URL"]
+    produced_events = ["VULNERABILITY"]
+    flags = ["active", "safe", "web-thorough"]
+    meta = {
+        "description": "Check for ASP.NET Security Feature Bypasses (CVE-2023-36899 and CVE-2023-36560)",
+        "created_date": "2025-01-28",
+        "author": "@liquidsec",
+    }
+
+    in_scope_only = True
+    test_dlls = [
+        "Telerik.Web.UI.dll",
+        "Newtonsoft.Json.dll",
+        "System.Net.Http.dll",
+        "EntityFramework.dll",
+        "AjaxControlToolkit.dll",
+    ]
+
+    @staticmethod
+    def normalize_url(url):
+        return str(url.rstrip("/") + "/").lower()
+
+    def _incoming_dedup_hash(self, event):
+        return hash(self.normalize_url(event.data))
+
+    async def handle_event(self, event):
+        normalized_url = self.normalize_url(event.data)
+        for test_dll in self.test_dlls:
+            for technique in ["b/(S(X))in/###DLL_PLACEHOLDER###/(S(X))/", "(S(X))/b/(S(X))in/###DLL_PLACEHOLDER###"]:
+                test_url = f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', test_dll)}"
+                self.debug(f"Sending test URL: [{test_url}]")
+                kwargs = {"method": "GET", "allow_redirects": False, "timeout": 10}
+                test_result = await self.helpers.request(test_url, **kwargs)
+                if test_result:
+                    if test_result.status_code == 200 and (
+                        "content-type" in test_result.headers
+                        and "application/x-msdownload" in test_result.headers["content-type"]
+                    ):
+                        self.debug(
+                            f"Got positive result for probe with test url: [{test_url}]. Status Code: [{test_result.status_code}] Content Length: [{len(test_result.content)}]"
+                        )
+
+                        if test_result.status_code == 200 and (
+                            "content-type" in test_result.headers
+                            and "application/x-msdownload" in test_result.headers["content-type"]
+                        ):
+                            confirm_url = (
+                                f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', 'oopsnotarealdll.dll')}"
+                            )
+                            confirm_result = await self.helpers.request(confirm_url, **kwargs)
+
+                            if confirm_result and (
+                                confirm_result.status_code != 200
+                                or not (
+                                    "content-type" in confirm_result.headers
+                                    and "application/x-msdownload" in confirm_result.headers["content-type"]
+                                )
+                            ):
+                                description = f"IIS Bin Directory DLL Exposure. Detection Url: [{test_url}]"
+                                await self.emit_event(
+                                    {
+                                        "severity": "HIGH",
+                                        "host": str(event.host),
+                                        "url": normalized_url,
+                                        "description": description,
+                                    },
+                                    "VULNERABILITY",
+                                    event,
+                                    context="{module} detected IIS Bin Directory DLL Exposure vulnerability",
+                                )
+                                return True
+
+    async def filter_event(self, event):
+        if "dir" in event.tags:
+            return True
+        return False

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/modules/hunt.py

@@ -50,7 +50,16 @@ hunt_param_dict = {
         "cfg",
         "config",
     ],
-    "Directory Traversal": ["entry", "download", "attachment", "basepath", "path", "file", "source", "dest"],
+    "Directory Traversal": [
+        "entry",
+        "download",
+        "attachment",
+        "basepath",
+        "path",
+        "file",
+        "source",
+        "dest",
+    ],
     "Local File Include": [
         "file",
         "document",
@@ -279,8 +288,6 @@ class hunt(BaseModule):
         "author": "@liquidsec",
         "created_date": "2022-07-20",
     }
-    # accept all events regardless of scope distance
-    scope_distance_modifier = None
 
     async def handle_event(self, event):
         p = event.data["name"]

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/modules/iis_shortnames.py

@@ -166,6 +166,10 @@ class iis_shortnames(BaseModule):
 
         cl = ext_char_list if extension_mode is True else char_list
 
+        self.debug(
+            f"Solving shortname recursive for {target} with prefix {prefix} and extension mode {extension_mode}"
+        )
+
         urls_and_kwargs = []
 
         for c in cl:
@@ -334,6 +338,18 @@ class iis_shortnames(BaseModule):
                     for url_hint in url_hint_list:
                         if "." in url_hint:
                             hint_type = "shortname-endpoint"
+                            # Check if it's a ZIP file
+                            if url_hint.lower().endswith(".zip"):
+                                await self.emit_event(
+                                    {
+                                        "host": str(event.host),
+                                        "url": event.data,
+                                        "description": f"Possible backup file (zip) in web root: {normalized_url}{url_hint}",
+                                    },
+                                    "FINDING",
+                                    event,
+                                    context=f"{{module}} discovered possible backup file in web root: {url_hint}",
+                                )
                         else:
                             hint_type = "shortname-directory"
 

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/presets/web/dotnet-audit.yml

@@ -12,6 +12,7 @@ modules:
   - telerik
   - ajaxpro
   - dotnetnuke
+  - aspnet_bin_exposure
 
 config:
   modules:

bbot-2.5.0.6765rc0/bbot/test/test_step_2/module_tests/test_module_aspnet_bin_exposure.py

@@ -0,0 +1,73 @@
+from .base import ModuleTestBase
+import re
+
+
+class TestAspnetBinExposure(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "aspnet_bin_exposure"]
+    config_overrides = {
+        "modules": {
+            "aspnet_bin_exposure": {
+                "test_dlls": [
+                    "Newtonsoft.Json.dll",
+                ]
+            }
+        }
+    }
+
+    async def setup_before_prep(self, module_test):
+        # Simulate successful DLL exposure
+        expect_args = {
+            "method": "GET",
+            "uri": "/b/(S(X))in/Newtonsoft.Json.dll/(S(X))/",
+        }
+        respond_args = {
+            "status": 200,
+            "headers": {"content-type": "application/x-msdownload"},
+            "response_data": b"MZ\x90\x00\x03\x00\x00\x00",
+        }
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        # Simulate failed DLL exposure (confirmation test)
+        expect_args = {
+            "method": "GET",
+            "uri": "/b/(S(X))in/oopsnotarealdll.dll/(S(X))/",
+        }
+        respond_args = {"status": 404}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        # Simulate alternative technique
+        expect_args = {
+            "method": "GET",
+            "uri": "/(S(X))/b/(S(X))in/Newtonsoft.Json.dll",
+        }
+        respond_args = {
+            "status": 200,
+            "headers": {"content-type": "application/x-msdownload"},
+            "response_data": b"MZ\x90\x00\x03\x00\x00\x00",
+        }
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        # Simulate failed alternative technique (confirmation test)
+        expect_args = {
+            "method": "GET",
+            "uri": "/(S(X))/b/(S(X))in/oopsnotarealdll.dll",
+        }
+        respond_args = {"status": 404}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        # Fallback for any other requests
+        expect_args = {"uri": re.compile(r"^/.*$")}
+        respond_args = {"status": 404}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+    def check(self, module_test, events):
+        vulnerability_found = False
+        for e in events:
+            if e.type == "VULNERABILITY" and "IIS Bin Directory DLL Exposure" in e.data["description"]:
+                vulnerability_found = True
+                assert e.data["severity"] == "HIGH", "Vulnerability severity should be HIGH"
+                assert "Detection Url" in e.data["description"], "Description should include detection URL"
+                break
+
+        assert vulnerability_found, "No vulnerability event was found"

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/bbot/test/test_step_2/module_tests/test_module_iis_shortnames.py

@@ -43,19 +43,64 @@ class TestIIS_Shortnames(ModuleTestBase):
         respond_args = {"response_data": "", "status": 400}
         module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
 
-        for char in "BLSHAX":
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BA\*~1\*.*$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BAC\*~1\*.*$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACK\*~1\*.*$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKU\*~1\*.*$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKUP\*~1\*/a.aspx$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKUP~1\*$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKUP~1\.Z\*/a.aspx$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKUP~1\.ZI\*/a.aspx$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        expect_args = {"method": "GET", "uri": re.compile(r"\/BACKUP~1\.ZIP\*/a.aspx$")}
+        respond_args = {"response_data": "", "status": 400}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+        for char in "BLSHAXCKUP":
             expect_args = {"method": "GET", "uri": re.compile(rf"\/\*{char}\*~1\*.*$")}
             respond_args = {"response_data": "", "status": 400}
             module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
 
+        for char in "ZIP":
+            expect_args = {"method": "GET", "uri": re.compile(rf"\/\*~1\*{char}\*.*$")}
+            respond_args = {"response_data": "", "status": 400}
+            module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
     def check(self, module_test, events):
         vulnerabilityEmitted = False
         url_hintEmitted = False
+        zip_findingEmitted = False
         for e in events:
             if e.type == "VULNERABILITY" and "iis-magic-url" not in e.tags:
                 vulnerabilityEmitted = True
             if e.type == "URL_HINT" and e.data == "http://127.0.0.1:8888/BLSHAX~1":
                 url_hintEmitted = True
+            if e.type == "FINDING" and "Possible backup file (zip) in web root" in e.data["description"]:
+                zip_findingEmitted = True
 
         assert vulnerabilityEmitted
         assert url_hintEmitted
+        assert zip_findingEmitted

{bbot-2.5.0.6742rc0 → bbot-2.5.0.6765rc0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bbot"
-version = "v2.5.0.6742rc"
+version = "v2.5.0.6765rc"
 description = "OSINT automation for hackers."
 authors = [
     "TheTechromancer",