Example #1
0
    def _find_auth_uri(self, response):
        """
        Analyze a 200 response and report any findings of http://user:[email protected]/
        :return: None
        """
        #
        #   Analyze the HTTP URL
        #
        if self._url_has_auth(response.get_uri()):
            # An authentication URI was found!
            desc = ('The resource: "%s" has a user and password in'
                    ' the URI.')
            desc %= response.get_uri()
            v = Vuln('Basic HTTP credentials', desc, severity.HIGH,
                     response.id, self.get_name())

            v.set_url(response.get_url())
            v.add_to_highlight(response.get_uri().url_string)

            kb.kb.append(self, 'userPassUri', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())

        #
        #   Analyze the HTTP response body
        #
        url_list = []
        try:
            document_parser = parser_cache.dpc.get_document_parser_for(response)
        except BaseFrameworkException as e:
            msg = 'Failed to find a suitable document parser. Exception: "%s"'
            om.out.debug(msg % e)
        else:
            parsed_references, re_references = document_parser.get_references()
            url_list.extend(parsed_references)
            url_list.extend(re_references)

        for url in url_list:

            if self._url_has_auth(url):

                desc = ('The resource: "%s" has a user and password in the'
                        ' body. The offending URL is: "%s".')
                desc %= (response.get_url(), url)
                
                v = Vuln('Basic HTTP credentials', desc,
                         severity.HIGH, response.id, self.get_name())

                v.set_url(response.get_url())
                v.add_to_highlight(url.url_string)

                kb.kb.append(self, 'userPassUri', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #2
0
    def _classic_worker(self, gh, search_term):
        """
        Perform the searches and store the results in the kb.
        """
        google_list = self._google_se.get_n_results(search_term, 9)

        for result in google_list:
            # I found a vuln in the site!
            response = self._uri_opener.GET(result.URL, cache=True)
            if not is_404(response):
                desc = 'ghdb plugin found a vulnerability at URL: "%s".' \
                      ' According to GHDB the vulnerability description'\
                      ' is "%s".'
                desc = desc % (response.get_url(), gh.desc)
                
                v = Vuln('Google hack database match', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())
                v.set_method('GET')

                kb.kb.append(self, 'vuln', v)
                om.out.vulnerability(v.get_desc(), severity=severity.LOW)

                # Create the fuzzable requests
                for fr in self._create_fuzzable_requests(response):
                    self.output_queue.put(fr)
Example #3
0
def disable_functions(response):
    regex_str = 'disable_functions</td><td class="v">(.*?)</td>'
    disable_functions_mo = re.search(regex_str, response.get_body(), re.I)

    if not disable_functions_mo:
        return

    secure_df = 8
    df = disable_functions_mo.group(1)
    dfe = df.split(',')

    if len(dfe) >= secure_df:
        return

    desc = ('The phpinfo()::disable_functions does NOT seem to be set. This'
            ' configuration parameter is a good indicator of a security'
            '-enabled PHP installation. The disabled functions are: %s')
    desc %= (', '.join(dfe), )

    v = Vuln('PHP disable_functions weakness', desc, severity.MEDIUM,
             response.id, 'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #4
0
    def _check_if_exists(self, web_shell_url):
        """
        Check if the file exists.

        :param web_shell_url: The URL to check
        """
        try:
            response = self._uri_opener.GET(web_shell_url, cache=True)
        except BaseFrameworkException:
            om.out.debug('Failed to GET webshell:' + web_shell_url)
        else:
            signature = self._match_signature(response)
            if signature is None:
                return

            desc = (u'An HTTP response matching the web backdoor signature'
                    u' "%s" was found at: "%s"; this could indicate that the'
                    u' server has been compromised.')
            desc %= (signature, response.get_url())

            # It's probability is higher if we found a long signature
            _severity = severity.HIGH if len(
                signature) > 8 else severity.MEDIUM

            v = Vuln(u'Potential web backdoor', desc, _severity, response.id,
                     self.get_name())
            v.set_url(response.get_url())

            kb.kb.append(self, 'backdoors', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())

            fr = FuzzableRequest.from_http_response(response)
            self.output_queue.put(fr)
Example #5
0
    def _classic_worker(self, gh, search_term):
        """
        Perform the searches and store the results in the kb.
        """
        google_list = self._google_se.get_n_results(search_term, 9)

        for result in google_list:
            # I found a vuln in the site!
            response = self._uri_opener.GET(result.URL, cache=True)
            if not is_404(response):
                desc = ('ghdb plugin found a vulnerability at URL: "%s".'
                        ' According to GHDB the vulnerability description'
                        ' is "%s".')
                desc %= (response.get_url(), gh.desc)

                v = Vuln('Google hack database match', desc, severity.MEDIUM,
                         response.id, self.get_name())
                v.set_url(response.get_url())
                v.set_method('GET')

                kb.kb.append(self, 'vuln', v)
                om.out.vulnerability(v.get_desc(), severity=severity.LOW)

                # Create the fuzzable requests
                fr = FuzzableRequest(response.get_url())
                self.output_queue.put(fr)
Example #6
0
    def _find_auth_uri(self, response):
        """
        Analyze a 200 response and report any findings of http://user:[email protected]/
        :return: None
        """
        #
        #   Analyze the HTTP URL
        #
        if ('@' in response.get_uri()
                and self._auth_uri_regex.match(response.get_uri().url_string)):
            # An authentication URI was found!
            desc = 'The resource: "%s" has a user and password in' \
                   ' the URI.'
            desc = desc % response.get_uri()
            v = Vuln('Basic HTTP credentials', desc, severity.HIGH,
                     response.id, self.get_name())

            v.set_url(response.get_url())
            v.add_to_highlight(response.get_uri().url_string)

            kb.kb.append(self, 'userPassUri', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())

        #
        #   Analyze the HTTP response body
        #
        url_list = []
        try:
            DocumentParser = parser_cache.dpc.get_document_parser_for(response)
        except BaseFrameworkException, w3:
            msg = 'Failed to find a suitable document parser. ' \
                  'Exception: ' + str(w3)
            om.out.debug(msg)
Example #7
0
    def crawl(self, fuzzable_request):
        """
        Plugin entry point, performs all the work.
        """
        to_check = self._get_to_check(fuzzable_request.get_url())

        # I found some URLs, create fuzzable requests
        pt_matches = self._is_in_phishtank(to_check)

        for ptm in pt_matches:
            fr = FuzzableRequest(ptm.url)
            self.output_queue.put(fr)

        # Only create the vuln object once
        if pt_matches:
            desc = 'The URL: "%s" seems to be involved in a phishing scam.' \
                   ' Please see %s for more info.'
            desc = desc % (ptm.url, ptm.more_info_url)

            v = Vuln('Phishing scam', desc, severity.MEDIUM, [],
                     self.get_name())
            v.set_url(ptm.url)

            kb.kb.append(self, 'phishtank', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #8
0
    def _lowest_privilege_test(self, response):
        regex_str = 'User/Group </td><td class="v">(.*?)\((\d.*?)\)/(\d.*?)</td>'
        lowest_privilege_test = re.search(regex_str, response.get_body(), re.I)
        if lowest_privilege_test:
            lpt_uname = lowest_privilege_test.group(1)
            lpt_uid = lowest_privilege_test.group(2)
            lpt_uid = int(lpt_uid)
            lpt_gid = lowest_privilege_test.group(3)
            if lpt_uid < 99 or lpt_gid < 99 or \
            re.match('root|apache|daemon|bin|operator|adm', lpt_uname, re.I):

                desc = 'phpinfo()::PHP may be executing as a higher privileged'\
                       ' group. Username: %s, UserID: %s, GroupID: %s.' 
                desc = desc % (lpt_uname, lpt_uid, lpt_gid)
                
                v = Vuln('PHP lowest_privilege_test:fail', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())

                kb.kb.append(self, 'phpinfo', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
            else:
                lpt_name = 'privilege:' + lpt_uname
                lpt_desc = 'phpinfo()::PHP is executing under '
                lpt_desc += 'username: '******', '
                lpt_desc += 'userID: ' + str(lpt_uid) + ', '
                lpt_desc += 'groupID: ' + lpt_gid
                i = Info(lpt_name, lpt_desc, response.id, self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'phpinfo', i)
                om.out.information(i.get_desc())
Example #9
0
    def _find_auth_uri(self, response):
        """
        Analyze a 200 response and report any findings of http://user:[email protected]/
        :return: None
        """
        #
        #   Analyze the HTTP URL
        #
        if ('@' in response.get_uri() and
                self._auth_uri_regex.match(response.get_uri().url_string)):
            # An authentication URI was found!
            desc = 'The resource: "%s" has a user and password in' \
                   ' the URI.'
            desc = desc % response.get_uri()
            v = Vuln('Basic HTTP credentials', desc, severity.HIGH,
                     response.id, self.get_name())

            v.set_url(response.get_url())
            v.add_to_highlight(response.get_uri().url_string)

            kb.kb.append(self, 'userPassUri', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())

        #
        #   Analyze the HTTP response body
        #
        url_list = []
        try:
            DocumentParser = parser_cache.dpc.get_document_parser_for(response)
        except BaseFrameworkException, w3:
            msg = 'Failed to find a suitable document parser. ' \
                'Exception: ' + str(w3)
            om.out.debug(msg)
Example #10
0
    def grep(self, request, response):
        """
        Plugin entry point, search for the credit cards.
        :param request: The HTTP request object.
        :param response: The HTTP response object
        :return: None
        """
        if response.is_text_or_html() and response.get_code() == 200 \
                and response.get_clear_text_body() is not None:

            found_cards = self._find_card(response.get_clear_text_body())

            for card in found_cards:
                desc = 'The URL: "%s" discloses the credit card number: "%s"'
                desc = desc % (response.get_url(), card)

                v = Vuln('Credit card number disclosure', desc,
                         severity.INFORMATION, response.id, self.get_name())

                v.set_url(response.get_url())
                v.add_to_highlight(card)

                om.out.vulnerability(v.get_desc(),
                                     severity=severity.INFORMATION)
                self.kb_append_uniq(self, 'credit_cards', v, 'URL')
Example #11
0
    def _check_if_exists(self, web_shell_url):
        """
        Check if the file exists.

        :param web_shell_url: The URL to check
        """
        try:
            response = self._uri_opener.GET(web_shell_url, cache=True)
        except BaseFrameworkException:
            om.out.debug('Failed to GET webshell:' + web_shell_url)
        else:
            signature = self._match_signature(response)
            if signature is None:
                return

            desc = (u'An HTTP response matching the web backdoor signature'
                    u' "%s" was found at: "%s"; this could indicate that the'
                    u' server has been compromised.')
            desc %= (signature, response.get_url())

            # It's probability is higher if we found a long signature
            _severity = severity.HIGH if len(signature) > 8 else severity.MEDIUM

            v = Vuln(u'Potential web backdoor', desc, _severity,
                     response.id, self.get_name())
            v.set_url(response.get_url())

            kb.kb.append(self, 'backdoors', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())

            fr = FuzzableRequest.from_http_response(response)
            self.output_queue.put(fr)
Example #12
0
def upload_max_filesize(response):
    regex_str = 'upload_max_filesize</td><td class="v">(\d.*?)</td>'
    upload_max_filesize_mo = re.search(regex_str, response.get_body(),
                                       re.IGNORECASE)

    if not upload_max_filesize_mo:
        return

    secure_umf = 20
    umf = upload_max_filesize_mo.group(1) + ''
    umf = umf.replace('M', '')
    umf = int(umf)

    if umf <= secure_umf:
        return

    desc = 'The phpinfo()::upload_max_filesize is set to a high value: %s'
    desc %= (upload_max_filesize_mo.group(1), )

    v = Vuln('PHP upload_max_filesize:high', desc, severity.LOW, response.id,
             'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #13
0
    def _check_if_exists(self, web_shell_url):
        """
        Check if the file exists.

        :param web_shell_url: The URL to check
        """
        try:
            response = self._uri_opener.GET(web_shell_url, cache=True)
        except BaseFrameworkException:
            om.out.debug('Failed to GET webshell:' + web_shell_url)
        else:
            if self._is_possible_backdoor(response):
                desc = 'A web backdoor was found at: "%s"; this could ' \
                       'indicate that the server has been compromised.'
                desc = desc % response.get_url()

                v = Vuln('Potential web backdoor', desc, severity.HIGH,
                         response.id, self.get_name())
                v.set_url(response.get_url())

                kb.kb.append(self, 'backdoors', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())

                fr = FuzzableRequest.from_http_response(response)
                self.output_queue.put(fr)
Example #14
0
    def crawl(self, fuzzable_request, debugging_id):
        """
        Plugin entry point, performs all the work.

        :param debugging_id: A unique identifier for this call to discover()
        :param fuzzable_request: A fuzzable_request instance that contains
                                    (among other things) the URL to test.
        """
        to_check = self._get_to_check(fuzzable_request.get_url())

        # I found some URLs, create fuzzable requests
        pt_matches = self._is_in_phishtank(to_check)

        if not pt_matches:
            return

        for ptm in pt_matches:
            fr = FuzzableRequest(ptm.url)
            self.output_queue.put(fr)

        desc = ('The URL: "%s" seems to be involved in a Phishing scam.'
                ' Please see %s for more info.')
        desc %= (ptm.url, ptm.more_info_url)

        v = Vuln('Phishing scam', desc, severity.MEDIUM, [], self.get_name())
        v.set_url(ptm.url)

        kb.kb.append(self, 'phishtank', v)
        om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #15
0
    def _check_if_exists(self, web_shell_url):
        """
        Check if the file exists.

        :param web_shell_url: The URL to check
        """
        try:
            response = self._uri_opener.GET(web_shell_url, cache=True)
        except BaseFrameworkException:
            om.out.debug('Failed to GET webshell:' + web_shell_url)
        else:
            if self._is_possible_backdoor(response):
                desc = 'A web backdoor was found at: "%s"; this could ' \
                       'indicate that the server has been compromised.'
                desc = desc % response.get_url()

                v = Vuln('Potential web backdoor', desc, severity.HIGH,
                         response.id, self.get_name())
                v.set_url(response.get_url())

                kb.kb.append(self, 'backdoors', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())

                fr = FuzzableRequest.from_http_response(response)
                self.output_queue.put(fr)
Example #16
0
    def _send_and_check(self, repo_url, repo_get_files, repo, domain_path):
        """
        Check if a repository index exists in the domain_path.

        :return: None, everything is saved to the self.out_queue.
        """
        http_response = self.http_get_and_parse(repo_url)

        if not is_404(http_response):

            filenames = repo_get_files(http_response.get_body())

            parsed_url_set = set()

            for filename in self._clean_filenames(filenames):
                test_url = domain_path.url_join(filename)
                if test_url not in self._analyzed_filenames:
                    parsed_url_set.add(test_url)
                    self._analyzed_filenames.add(filename)

            self.worker_pool.map(self.http_get_and_parse, parsed_url_set)

            if parsed_url_set:
                desc = 'A %s was found at: "%s"; this could indicate that'\
                       ' a %s is accessible. You might be able to download'\
                       ' the Web application source code.'
                desc = desc % (repo, http_response.get_url(), repo)
                
                v = Vuln('Source code repository', desc, severity.MEDIUM,
                         http_response.id, self.get_name())
                v.set_url(http_response.get_url())
                
                kb.kb.append(self, repo, v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #17
0
    def crawl(self, fuzzable_request):
        """
        Plugin entry point, perform all the work.
        """
        to_check = self._get_to_check(fuzzable_request.get_url())

        # I found some URLs, create fuzzable requests
        phishtank_matches = self._is_in_phishtank(to_check)
        for ptm in phishtank_matches:
            response = self._uri_opener.GET(ptm.url)
            for fr in self._create_fuzzable_requests(response):
                self.output_queue.put(fr)

        # Only create the vuln object once
        if phishtank_matches:
            desc = 'The URL: "%s" seems to be involved in a phishing scam.' \
                   ' Please see %s for more info.'
            desc = desc % (ptm.url, ptm.more_info_URL)
            
            v = Vuln('Phishing scam', desc, severity.MEDIUM, response.id,
                     self.get_name())
            v.set_url(ptm.url)
            
            kb.kb.append(self, 'phishtank', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #18
0
    def _analyze_crossdomain_clientaccesspolicy(self, url, response, file_name):

        # https://github.com/andresriancho/w3af/issues/14491
        if file_name not in self.FILE_TAG_ATTR:
            return

        try:
            dom = xml.dom.minidom.parseString(response.get_body())
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            if 'allow-access-from' in response.get_body() or \
            'cross-domain-policy' in response.get_body() or \
            'cross-domain-access' in response.get_body():

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc %= (file_name, response.get_url())

                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())

            return

        tag, attribute = self.FILE_TAG_ATTR.get(file_name)
        url_list = dom.getElementsByTagName(tag)

        for url in url_list:
            url = url.getAttribute(attribute)

            if url == '*':
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from any site.'
                desc %= (file_name, response.get_url())

                v = Vuln('Insecure RIA settings', desc, severity.LOW,
                         response.id, self.get_name())
                v.set_url(response.get_url())
                v.set_method('GET')

                kb.kb.append(self, 'vuln', v)
                om.out.vulnerability(v.get_desc(),
                                     severity=v.get_severity())
            else:
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from "%s".'
                desc %= (file_name, response.get_url(), url)

                i = Info('Cross-domain allow ACL', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())
                i.set_method('GET')

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
Example #19
0
    def _analyze_crossdomain_clientaccesspolicy(self, url, response,
                                                file_name):

        # https://github.com/andresriancho/w3af/issues/14491
        if file_name not in self.FILE_TAG_ATTR:
            return

        try:
            dom = xml.dom.minidom.parseString(response.get_body())
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            if 'allow-access-from' in response.get_body() or \
            'cross-domain-policy' in response.get_body() or \
            'cross-domain-access' in response.get_body():

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc %= (file_name, response.get_url())

                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())

            return

        tag, attribute = self.FILE_TAG_ATTR.get(file_name)
        url_list = dom.getElementsByTagName(tag)

        for url in url_list:
            url = url.getAttribute(attribute)

            if url == '*':
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from any site.'
                desc %= (file_name, response.get_url())

                v = Vuln('Insecure RIA settings', desc, severity.LOW,
                         response.id, self.get_name())
                v.set_url(response.get_url())
                v.set_method('GET')

                kb.kb.append(self, 'vuln', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
            else:
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from "%s".'
                desc %= (file_name, response.get_url(), url)

                i = Info('Cross-domain allow ACL', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())
                i.set_method('GET')

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
Example #20
0
    def _parse_xssed_result(self, response):
        """
        Parse the result from the xssed site and create the corresponding info
        objects.

        :return: Fuzzable requests pointing to the XSS (if any)
        """
        html_body = response.get_body()

        if "<b>XSS:</b>" not in html_body:
            #   Nothing to see here...
            om.out.debug('xssed_dot_com did not find any previously reported'
                         ' XSS vulnerabilities.')
            return

        #
        #   Work!
        #
        regex_many_vulns = re.findall(
            "<a href='(/mirror/\d*/)' target='_blank'>", html_body)

        for mirror_relative_link in regex_many_vulns:

            mirror_url = self._xssed_url.url_join(mirror_relative_link)
            xss_report_response = self._uri_opener.GET(mirror_url)
            matches = re.findall("URL:.+", xss_report_response.get_body())

            dxss = self._decode_xssed_url
            xss_url = dxss(dxss(matches[0]))

            if self._fixed in xss_report_response.get_body():
                vuln_severity = severity.LOW
                desc = 'According to xssed.com, this URL contained a XSS'\
                       ' vulnerability: "%s".'
                desc = desc % xss_url
            else:
                vuln_severity = severity.HIGH
                desc = 'According to xssed.com, this URL contains a'\
                       ' XSS vulnerability: "%s".'
                desc = desc % xss_url

            v = Vuln('Potential XSS vulnerability', desc, vuln_severity,
                     response.id, self.get_name())

            v.set_url(mirror_url)

            kb.kb.append(self, 'xss', v)
            om.out.information(v.get_desc())

            #
            #   Add the fuzzable request, this is useful if I have the
            #   XSS plugin enabled because it will re-test this and
            #   possibly confirm the vulnerability
            #
            fr = FuzzableRequest(URL(xss_url))
            self.output_queue.put(fr)
Example #21
0
    def _analyze_crossdomain_clientaccesspolicy(self, url, response,
                                                file_name):
        try:
            dom = xml.dom.minidom.parseString(response.get_body())
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            if 'allow-access-from' in response.get_body() or \
            'cross-domain-policy' in response.get_body() or \
            'cross-domain-access' in response.get_body():

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc = desc % (file_name, response.get_url())

                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
        else:
            if file_name == 'crossdomain.xml':
                url_list = dom.getElementsByTagName("allow-access-from")
                attribute = 'domain'
            if file_name == 'clientaccesspolicy.xml':
                url_list = dom.getElementsByTagName("domain")
                attribute = 'uri'

            for url in url_list:
                url = url.getAttribute(attribute)

                if url == '*':
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from any site.'
                    desc = desc % (file_name, response.get_url())

                    v = Vuln('Insecure RIA settings', desc, severity.LOW,
                             response.id, self.get_name())
                    v.set_url(response.get_url())
                    v.set_method('GET')

                    kb.kb.append(self, 'vuln', v)
                    om.out.vulnerability(v.get_desc(),
                                         severity=v.get_severity())
                else:
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from "%s".'
                    desc = desc % (file_name, response.get_url(), url)

                    i = Info('Cross-domain allow ACL', desc, response.id,
                             self.get_name())
                    i.set_url(response.get_url())
                    i.set_method('GET')

                    kb.kb.append(self, 'info', i)
                    om.out.information(i.get_desc())
Example #22
0
    def _parse_xssed_result(self, response):
        """
        Parse the result from the xssed site and create the corresponding info
        objects.

        :return: Fuzzable requests pointing to the XSS (if any)
        """
        html_body = response.get_body()

        if "<b>XSS:</b>" not in html_body:
            #   Nothing to see here...
            om.out.debug('xssed_dot_com did not find any previously reported'
                         ' XSS vulnerabilities.')
            return

        #
        #   Work!
        #
        regex_many_vulns = re.findall("<a href='(/mirror/\d*/)' target='_blank'>",
                                      html_body)

        for mirror_relative_link in regex_many_vulns:

            mirror_url = self._xssed_url.url_join(mirror_relative_link)
            xss_report_response = self._uri_opener.GET(mirror_url)
            matches = re.findall("URL:.+", xss_report_response.get_body())

            dxss = self._decode_xssed_url
            xss_url = dxss(dxss(matches[0]))

            if self._fixed in xss_report_response.get_body():
                vuln_severity = severity.LOW
                desc = 'According to xssed.com, this URL contained a XSS'\
                       ' vulnerability: "%s".'
                desc = desc % xss_url
            else:
                vuln_severity = severity.HIGH
                desc = 'According to xssed.com, this URL contains a'\
                       ' XSS vulnerability: "%s".'
                desc = desc % xss_url

            v = Vuln('Potential XSS vulnerability', desc,
                     vuln_severity, response.id, self.get_name())

            v.set_url(mirror_url)

            kb.kb.append(self, 'xss', v)
            om.out.information(v.get_desc())

            #
            #   Add the fuzzable request, this is useful if I have the
            #   XSS plugin enabled because it will re-test this and
            #   possibly confirm the vulnerability
            #
            fr = FuzzableRequest(URL(xss_url))
            self.output_queue.put(fr)
Example #23
0
    def _analyze_crossdomain_clientaccesspolicy(self, url, response, file_name):
        try:
            dom = xml.dom.minidom.parseString(response.get_body())
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            if 'allow-access-from' in response.get_body() or \
            'cross-domain-policy' in response.get_body() or \
            'cross-domain-access' in response.get_body():

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc = desc % (file_name, response.get_url())
            
                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())
                
                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
        else:
            if file_name == 'crossdomain.xml':
                url_list = dom.getElementsByTagName("allow-access-from")
                attribute = 'domain'
            if file_name == 'clientaccesspolicy.xml':
                url_list = dom.getElementsByTagName("domain")
                attribute = 'uri'

            for url in url_list:
                url = url.getAttribute(attribute)

                if url == '*':
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from any site.'
                    desc = desc % (file_name, response.get_url())

                    v = Vuln('Insecure RIA settings', desc, severity.LOW,
                             response.id, self.get_name())
                    v.set_url(response.get_url())
                    v.set_method('GET')

                    kb.kb.append(self, 'vuln', v)
                    om.out.vulnerability(v.get_desc(),
                                         severity=v.get_severity())
                else:
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from "%s".'
                    desc = desc % (file_name, response.get_url(), url)

                    i = Info('Cross-domain allow ACL', desc, response.id,
                             self.get_name())
                    i.set_url(response.get_url())
                    i.set_method('GET')

                    kb.kb.append(self, 'info', i)
                    om.out.information(i.get_desc())
Example #24
0
 def _allow_url_include(self, response):
     regex_str = 'allow_url_include</td><td class="v">(On|<i>no value</i>)</td>'
     allow_url_include = re.search(regex_str, response.get_body(), re.I)
     if allow_url_include:
         desc = 'The phpinfo()::allow_url_include is enabled.'
         v = Vuln('PHP allow_url_include: On', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #25
0
 def _session_cookie_httponly(self, response):
     regex_str = 'session\.cookie_httponly</td><td class="v">(Off|no|0)</td>'
     session_cookie_httponly = re.search(regex_str, response.get_body(), re.I)
     if session_cookie_httponly:
         desc = 'The phpinfo()::session.cookie_httponly is off.'
         v = Vuln('PHP session.cookie_httponly: Off', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #26
0
 def _display_errors(self, response):
     regex_str = 'display_errors</td><td class="v">(On|<i>no value</i>)</td>'
     display_errors = re.search(regex_str, response.get_body(), re.I)
     if display_errors:
         desc = 'The phpinfo()::display_errors is enabled.'
         v = Vuln('PHP display_errors: On', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #27
0
 def _expose_php(self, response):
     regex_str = 'expose_php</td><td class="v">(On|<i>no value</i>)</td>'
     expose_php = re.search(regex_str, response.get_body(), re.I)
     if expose_php:
         desc = 'The phpinfo()::expose_php is enabled.'
         v = Vuln('PHP expose_php: On', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #28
0
    def _upload_tmp_dir(self, response):
        regex_str = 'upload_tmp_dir</td><td class="v">(<i>no value</i>)</td>'
        upload_tmp_dir = re.search(regex_str, response.get_body(), re.I)
        if upload_tmp_dir:
            desc = 'The phpinfo()::upload_tmp_dir may be set to world-'\
                   'accessible directory.'
            v = Vuln('PHP upload_tmp_dir:Everyone', desc,
                     severity.LOW, response.id, self.get_name())
            v.set_url(response.get_url())

            kb.kb.append(self, 'phpinfo', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #29
0
 def _session_use_trans(self, response):
     regex_str = 'session\.use_trans</td><td class="v">(On)</td>'
     session_use_trans = re.search(regex_str, response.get_body(), re.I)
     if session_use_trans:
         desc = 'The phpinfo()::session.use_trans is enabled. This makes'\
                ' session hijacking easier.'
         v = Vuln('PHP session_use_trans: On', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #30
0
    def _session_save_path(self, response):
        regex_str = 'session\.save_path</td><td class="v">(<i>no value</i>)</td>'
        session_save_path = re.search(regex_str, response.get_body(), re.I)
        if session_save_path:
            desc = 'The phpinfo()::session.save_path may be set to world-'\
                   'accessible directory.'
            v = Vuln('PHP session_save_path:Everyone', desc,
                     severity.LOW, response.id, self.get_name())
            v.set_url(response.get_url())

            kb.kb.append(self, 'phpinfo', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #31
0
 def _default_charset(self, response):
     regex_str = 'default_charset</td><td class="v">(Off|no|0)</td>'
     default_charset = re.search(regex_str, response.get_body(), re.I)
     if default_charset:
         desc = 'The phpinfo()::default_charset is set to none. This'\
                ' makes PHP scripts vulnerable to variable charset'\
                ' encoding XSS.'
         v = Vuln('PHP default_charset: Off', desc,
                  severity.MEDIUM, response.id, self.get_name())
         v.set_url(response.get_url())
         
         kb.kb.append(self, 'phpinfo', v)
         om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #32
0
 def _cgi_force_redirect(self, response):
     regex_str = 'cgi_force_redirect</td><td class="v">(.*?)</td>'
     cgi_force_redirect = re.search(regex_str, response.get_body(), re.I)
     if cgi_force_redirect:
         utd = cgi_force_redirect.group(1) + ''
         if utd != 'On':
             desc = 'The phpinfo()::CGI::force_redirect is disabled.'
             v = Vuln('PHP cgi_force_redirect: Off', desc,
                      severity.MEDIUM, response.id, self.get_name())
             v.set_url(response.get_url())
             
             kb.kb.append(self, 'phpinfo', v)
             om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #33
0
    def _brute_worker(self, url, combination):
        """
        Try a user/password combination with HTTP basic authentication against
        a specific URL.

        :param url: A string representation of an URL
        :param combination: A tuple that contains (user,pass)
        """
        # Remember that this worker is called from a thread which lives in a
        # threadpool. If the worker finds something, it has to let the rest know
        # and the way we do that is by setting self._found.
        #
        # If one thread sees that we already bruteforced the access, the rest
        # will simply no-op
        if not self._found or not self._stop_on_first:
            user, passwd = combination

            raw_values = "%s:%s" % (user, passwd)
            auth = 'Basic %s' % base64.b64encode(raw_values).strip()
            headers = Headers([('Authorization', auth)])

            fr = FuzzableRequest(url, headers=headers, method='GET')

            try:
                response = self._uri_opener.send_mutant(fr,
                                                        cache=False,
                                                        grep=False)
            except BaseFrameworkException, w3:
                msg = 'Exception while brute-forcing basic authentication,' \
                      ' error message: "%s".'
                om.out.debug(msg % w3)
            else:
                # GET was OK
                if response.get_code() != 401:
                    self._found = True

                    desc = 'Found authentication credentials to: "%s".' \
                           ' A valid user and password combination is: %s/%s .'
                    desc = desc % (url, user, passwd)
                    v = Vuln('Guessable credentials', desc, severity.HIGH,
                             response.id, self.get_name())
                    v.set_url(url)

                    v['user'] = user
                    v['pass'] = passwd
                    v['response'] = response
                    v['request'] = fr

                    kb.kb.append(self, 'auth', v)
                    om.out.vulnerability(v.get_desc(),
                                         severity=v.get_severity())
Example #34
0
def allow_url_fopen(response):
    regex_str = 'allow_url_fopen</td><td class="v">(On|<i>no value</i>)</td>'
    allow_url_fopen_mo = re.search(regex_str, response.get_body(), re.I)

    if not allow_url_fopen_mo:
        return

    desc = 'The phpinfo()::allow_url_fopen is enabled.'
    v = Vuln('PHP allow_url_fopen: On', desc, severity.MEDIUM, response.id,
             'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #35
0
    def _brute_worker(self, url, combination):
        """
        Try a user/password combination with HTTP basic authentication against
        a specific URL.

        :param url: A string representation of an URL
        :param combination: A tuple that contains (user,pass)
        """
        # Remember that this worker is called from a thread which lives in a
        # threadpool. If the worker finds something, it has to let the rest know
        # and the way we do that is by setting self._found.
        #
        # If one thread sees that we already bruteforced the access, the rest
        # will simply no-op
        if not self._found or not self._stop_on_first:
            user, passwd = combination

            raw_values = "%s:%s" % (user, passwd)
            auth = 'Basic %s' % base64.b64encode(raw_values).strip()
            headers = Headers([('Authorization', auth)])

            fr = FuzzableRequest(url, headers=headers, method='GET')

            try:
                response = self._uri_opener.send_mutant(fr, cache=False,
                                                        grep=False)
            except BaseFrameworkException, w3:
                msg = 'Exception while brute-forcing basic authentication,'\
                      ' error message: "%s".'
                om.out.debug(msg % w3)
            else:
                # GET was OK
                if response.get_code() != 401:
                    self._found = True
                    
                    desc = 'Found authentication credentials to: "%s".'\
                           ' A valid user and password combination is: %s/%s .'
                    desc = desc % (url, user, passwd)
                    v = Vuln('Guessable credentials', desc,
                             severity.HIGH, response.id, self.get_name())
                    v.set_url(url)
                    
                    v['user'] = user
                    v['pass'] = passwd
                    v['response'] = response
                    v['request'] = fr

                    kb.kb.append(self, 'auth', v)
                    om.out.vulnerability(v.get_desc(),
                                         severity=v.get_severity())
Example #36
0
def upload_tmp_dir(response):
    regex_str = 'upload_tmp_dir</td><td class="v">(<i>no value</i>)</td>'
    upload_tmp_dir_mo = re.search(regex_str, response.get_body(), re.I)

    if not upload_tmp_dir_mo:
        return

    desc = 'The phpinfo()::upload_tmp_dir may be set to world-readable directory.'
    v = Vuln('PHP upload_tmp_dir is world readable', desc, severity.LOW,
             response.id, 'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #37
0
    def _parse_zone_h_result(self, response):
        """
        Parse the result from the zone_h site and create the corresponding info
        objects.

        :return: None
        """
        #
        #   I'm going to do only one big "if":
        #
        #       - The target site was hacked more than one time
        #       - The target site was hacked only one time
        #

        # This is the string I have to parse:
        # in the zone_h response, they are two like this, the first has to be ignored!
        regex = 'Total notifications: <b>(\d*)</b> of which <b>(\d*)</b> single ip and <b>(\d*)</b> mass'
        regex_result = re.findall(regex, response.get_body())

        try:
            total_attacks = int(regex_result[0][0])
        except IndexError:
            om.out.debug(
                'An error was generated during the parsing of the zone_h website.'
            )
        else:

            # Do the if...
            if total_attacks > 1:
                desc = 'The target site was defaced more than one time in the'\
                       ' past. For more information please visit the following'\
                       ' URL: "%s".' % response.get_url()

                v = Vuln('Previous defacements', desc, severity.MEDIUM,
                         response.id, self.get_name())
                v.set_url(response.get_url())

                kb.kb.append(self, 'defacements', v)
                om.out.information(v.get_desc())
            elif total_attacks == 1:
                desc = 'The target site was defaced in the past. For more'\
                       ' information please visit the following URL: "%s".'
                desc = desc % response.get_url()
                i = Info('Previous defacements', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'defacements', i)
                om.out.information(i.get_desc())
Example #38
0
 def _disable_functions(self, response):
     regex_str = 'disable_functions</td><td class="v">(.*?)</td>'
     disable_functions = re.search(regex_str, response.get_body(), re.I)
     if disable_functions:
         secure_df = 8
         df = disable_functions.group(1)
         dfe = df.split(',')
         if len(dfe) < secure_df:
             desc = 'The phpinfo()::disable_functions are set to few.'
             v = Vuln('PHP disable_functions:few', desc,
                      severity.MEDIUM, response.id, self.get_name())
             v.set_url(response.get_url())
             
             kb.kb.append(self, 'phpinfo', v)
             om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #39
0
def session_use_trans(response):
    regex_str = 'session\.use_trans</td><td class="v">(On)</td>'
    session_use_trans_mo = re.search(regex_str, response.get_body(), re.I)

    if not session_use_trans_mo:
        return

    desc = ('The phpinfo()::session.use_trans is enabled. This makes'
            ' session hijacking easier.')
    v = Vuln('PHP session_use_trans: On', desc, severity.MEDIUM, response.id,
             'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #40
0
def session_save_path(response):
    regex_str = 'session\.save_path</td><td class="v">(<i>no value</i>)</td>'
    session_save_path_mo = re.search(regex_str, response.get_body(), re.I)

    if not session_save_path_mo:
        return

    desc = ('The phpinfo()::session.save_path may be set to a world-'
            'readable directory.')
    v = Vuln('Word readable PHP session_save_path', desc, severity.LOW,
             response.id, 'phpinfo')
    v.set_url(response.get_url())

    kb.kb.append('phpinfo', 'phpinfo', v)
    om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #41
0
 def _memory_limit(self, response):
     regex_str = 'memory_limit</td><td class="v">(\d.*?)</td>'
     memory_limit = re.search(regex_str, response.get_body(), re.I)
     if memory_limit:
         secure_ml = 10
         ml = memory_limit.group(1) + ''
         ml = ml.replace('M', '')
         if ml > secure_ml:
             desc = 'The phpinfo()::memory_limit is set to higher value'\
                    ' (%s).' % memory_limit.group(1)
             v = Vuln('PHP memory_limit:high', desc,
                      severity.MEDIUM, response.id, self.get_name())
             v.set_url(response.get_url())
             
             kb.kb.append(self, 'phpinfo', v)
             om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #42
0
    def _parse_zone_h_result(self, response):
        """
        Parse the result from the zone_h site and create the corresponding info
        objects.

        :return: None
        """
        #
        #   I'm going to do only one big "if":
        #
        #       - The target site was hacked more than one time
        #       - The target site was hacked only one time
        #

        # This is the string I have to parse:
        # in the zone_h response, they are two like this, the first has to be ignored!
        regex = 'Total notifications: <b>(\d*)</b> of which <b>(\d*)</b> single ip and <b>(\d*)</b> mass'
        regex_result = re.findall(regex, response.get_body())

        try:
            total_attacks = int(regex_result[0][0])
        except IndexError:
            om.out.debug('An error was generated during the parsing of the zone_h website.')
        else:

            # Do the if...
            if total_attacks > 1:
                desc = 'The target site was defaced more than one time in the'\
                       ' past. For more information please visit the following'\
                       ' URL: "%s".' % response.get_url()
                       
                v = Vuln('Previous defacements', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())
                
                kb.kb.append(self, 'defacements', v)
                om.out.information(v.get_desc())
            elif total_attacks == 1:
                desc = 'The target site was defaced in the past. For more'\
                       ' information please visit the following URL: "%s".'
                desc = desc % response.get_url()
                i = Info('Previous defacements', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'defacements', i)
                om.out.information(i.get_desc())
Example #43
0
    def _post_max_size(self, response):
        regex_str = 'post_max_size</td><td class="v">(\d.*?)</td>'
        post_max_size = re.search(
            regex_str, response.get_body(), re.IGNORECASE)
        if post_max_size:
            secure_pms = 20
            pms = post_max_size.group(1) + ''
            pms = pms.replace('M', '')
            pms = int(pms)
            if pms > secure_pms:
                desc = 'The phpinfo()::post_max_size is set to higher value'\
                       ' (%s).' % post_max_size.group(1)
                v = Vuln('PHP post_max_size:high', desc,
                         severity.LOW, response.id, self.get_name())
                v.set_url(response.get_url())

                kb.kb.append(self, 'phpinfo', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #44
0
 def _upload_max_filesize(self, response):
     regex_str = 'upload_max_filesize</td><td class="v">(\d.*?)</td>'
     upload_max_filesize = re.search(
         regex_str, response.get_body(), re.IGNORECASE)
     if upload_max_filesize:
         secure_umf = 20
         umf = upload_max_filesize.group(1) + ''
         umf = umf.replace('M', '')
         umf = int(umf)
         if umf > secure_umf:
             desc = 'The phpinfo()::upload_max_filesize is set to higher'\
                    ' value (%s).' % upload_max_filesize.group(1)
             v = Vuln('PHP upload_max_filesize:high', desc,
                      severity.LOW, response.id, self.get_name())
             v.set_url(response.get_url())
             
             kb.kb.append(self, 'phpinfo', v)
             om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #45
0
    def _analyze_401(self, response):
        """
        Analyze a 401 response and report it.
        :return: None
        """
        realm = self._get_realm(response)
        
        if realm is None:
            self._report_no_realm(response)
            return
        
        insecure = response.get_url().get_protocol() == 'http'
        vuln_severity = severity.HIGH if insecure else severity.LOW
        
        desc = 'The resource: "%s" requires HTTP authentication'
        if insecure:
            desc += ' over a non-encrypted channel, which allows'\
                    ' potential intruders to sniff traffic and capture'\
                    ' valid credentials.'
        else:
            desc += '.'
        
        desc += ' The received authentication realm is: "%s".'
        desc = desc % (response.get_url(), realm)
        
        # Report the common case, were a realm is set.
        if 'ntlm' in realm.lower():
            
            v = Vuln('NTLM authentication', desc,
                     vuln_severity, response.id, self.get_name())

        else:
            v = Vuln('HTTP Basic authentication', desc,
                     vuln_severity, response.id, self.get_name())

        v.set_url(response.get_url())
        v['message'] = realm
        v.add_to_highlight(realm)

        kb.kb.append(self, 'auth', v)
        om.out.information(v.get_desc())
Example #46
0
    def _curl_file_support(self, response):
        regex_str = '<h1 class="p">PHP Version (\d).(\d).(\d)</h1>'
        curl_file_support = re.search(regex_str, response.get_body(), re.I)
        if curl_file_support:
            php_major_ver = curl_file_support.group(1)
            php_minor_ver = curl_file_support.group(2)
            php_rev_ver = curl_file_support.group(3)

            current_ver = php_major_ver + '.' + php_minor_ver + \
                '' + php_rev_ver
            current_ver = float(current_ver)
            php_major_ver = int(php_major_ver)
            php_minor_ver = int(php_minor_ver)
            php_rev_ver = int(php_rev_ver)

            cv4check = float(4.44)
            cv5check = float(5.16)
            curl_vuln = 1

            if php_major_ver == 4:
                if current_ver >= cv4check:
                    curl_vuln = 0
            elif php_major_ver == 5:
                if current_ver >= cv5check:
                    curl_vuln = 0
            elif php_major_ver >= 6:
                curl_vuln = 0
            else:
                curl_vuln = 0

            if curl_vuln == 1:
                desc = 'The phpinfo()::cURL::file_support has a security hole'\
                       ' present in this version of PHP allows the cURL'\
                       ' functions to bypass safe_mode and open_basedir'\
                       ' restrictions.'
                v = Vuln('PHP curl_file_support:not_fixed', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())
                
                kb.kb.append(self, 'phpinfo', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
Example #47
0
    def _enable_dl(self, response):
        regex_str = 'enable_dl</td><td class="v">(On|Off)</td>'
        enable_dl = re.search(regex_str, response.get_body(), re.I)
        if enable_dl:
            rg = enable_dl.group(1)
            if rg == 'On':
                desc = 'The phpinfo()::enable_dl is on.'
                v = Vuln('PHP enable_dl: On', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())
                
                kb.kb.append(self, 'phpinfo', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
            else:
                ed_name = 'PHP enable_dl: Off'
                ed_desc = 'The phpinfo()::enable_dl is off.'
                i = Info(ed_name, ed_desc, response.id, self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'phpinfo', i)
                om.out.information(i.get_desc())
Example #48
0
    def _register_globals(self, response):
        regex_str = 'register_globals</td><td class="v">(On|Off)</td>'
        register_globals = re.search(regex_str, response.get_body(), re.I)

        if register_globals:
            rg = register_globals.group(1)
            if rg == 'On':
                desc = 'The phpinfo()::register_globals is on.'
                v = Vuln('PHP register_globals: On', desc,
                         severity.MEDIUM, response.id, self.get_name())
                v.set_url(response.get_url())
                
                kb.kb.append(self, 'phpinfo', v)
                om.out.vulnerability(v.get_desc(), severity=v.get_severity())
            else:
                rg_name = 'PHP register_globals: Off'
                rg_desc = 'The phpinfo()::register_globals is off.'
                i = Info(rg_name, rg_desc, response.id, self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'phpinfo', i)
                om.out.information(i.get_desc())
Example #49
0
    def crawl(self, fuzzable_request):
        """
        Plugin entry point, performs all the work.
        """
        to_check = self._get_to_check(fuzzable_request.get_url())

        # I found some URLs, create fuzzable requests
        pt_handler = self._is_in_phishtank(to_check)

        for ptm in pt_handler.matches:
            fr = FuzzableRequest(ptm.url)
            self.output_queue.put(fr)

        # Only create the vuln object once
        if pt_handler.matches:
            desc = 'The URL: "%s" seems to be involved in a phishing scam.' \
                   ' Please see %s for more info.'
            desc = desc % (ptm.url, ptm.more_info_url)

            v = Vuln('Phishing scam', desc, severity.MEDIUM, [], self.get_name())
            v.set_url(ptm.url)

            kb.kb.append(self, 'phishtank', v)
            om.out.vulnerability(v.get_desc(), severity=v.get_severity())