RCE scanner added - TODO: Bugfix

2016-12-27 22:40:20 +01:00 · 2016-12-27 22:40:20 +01:00 · 50975cde2d
parent 71b589dbb7
commit 50975cde2d
6 changed files with 71 additions and 9 deletions
--- a/Plugin/background.js
+++ b/Plugin/background.js
@ -33,6 +33,7 @@ function send_target(server, url, deep, impact){
    http.onreadystatechange = function() {
      if (http.readyState == XMLHttpRequest.DONE) {
        http_data = JSON.parse(http.responseText);
+        console.log(http.responseText);

        // Notifications and update local storage
        if (http_data.xss != '0'){
@ -88,6 +89,23 @@ function send_target(server, url, deep, impact){
          })();
        }

+        if (http_data.rce != '0'){
+          // Update RCE count
+          chrome.storage.sync.get(['rce'], function(items) {
+            chrome.storage.sync.set({'rce': items['rce']+parseInt(http_data.rce)})
+          });
+
+          // Update vulnerabilities URL list
+          chrome.storage.sync.get(['list'], function(items) {
+            chrome.storage.sync.set({'list': items['list']+http_data.list})
+          });
+
+          new Notification('New vulnerability detected !', {
+            icon: 'icon.png',
+            body: 'RCE on '+extract_domain(unescape(url))
+          })();
+        }
+
      }
    }
    http.open("GET", infos, true);
@ -95,7 +113,7 @@ function send_target(server, url, deep, impact){
 }

 // Set a clean local storage
-chrome.storage.sync.set({'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' })
+chrome.storage.sync.set({'rce':0, 'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' })

 // Launch a scan when the tab change
 chrome.tabs.onActivated.addListener(function(activeInfo) {
--- a/Plugin/popup.html
+++ b/Plugin/popup.html
@ -56,6 +56,7 @@
        <li><span id='xss'>0 Cross Site Scripting</span></li>
        <li><span id='sql'>0 Injection SQL</span></li>
        <li><span id='lfi'>0 Local File Inclusion</span></li>
+        <li><span id='rce'>0 Remote Commands Execution</span></li>
      </ul>
     
      <span id='total'>Total : 0 vulnerability found</span>
--- a/Plugin/popup.js
+++ b/Plugin/popup.js
@ -87,7 +87,7 @@ document.addEventListener('DOMContentLoaded', function() {
  getCurrentTab(function(tab) {

    // Display local storage
-    chrome.storage.sync.get(['xss','sql','lfi','list','work'], function(items) {
+    chrome.storage.sync.get(['rce', 'xss','sql','lfi','list','work'], function(items) {

      // Update start button
      if (items['work'] == 0){
@ -127,10 +127,11 @@ document.addEventListener('DOMContentLoaded', function() {
      );

      // Display vulnerabilities' count
+      document.getElementById("rce").textContent   = items['rce'] + " Remote Commands Execution";
      document.getElementById("xss").textContent   = items['xss'] + " Cross Site Scripting";
      document.getElementById("sql").textContent   = items['sql'] + " Injection SQL";
      document.getElementById("lfi").textContent   = items['lfi'] + " Local File Inclusion";
-      document.getElementById("total").textContent = "Total : "+ (items['lfi']+items['xss']+items['sql']) +" vulnerability found";
+      document.getElementById("total").textContent = "Total : "+ (items['lfi']+items['xss']+items['sql']+items['rce']) +" vulnerability found";
    });

    // Display infos (URL - Server's availability)
--- a/Plugin/vulns.html
+++ b/Plugin/vulns.html
@ -84,6 +84,7 @@
        <li><span id='xss'>0 Cross Site Scripting</span></li>
        <li><span id='sql'>0 Injection SQL</span></li>
        <li><span id='lfi'>0 Local File Inclusion</span></li>
+        <li><span id='rce'>0 Remote Commands Execution</span></li>
      </ul>
    
    </div>
--- a/README.md
+++ b/README.md
@ -46,11 +46,10 @@ var config_server = "http://127.0.0.1:8000";
 - Should detect target in source code.. (list of targets, then launch scan)
 - Should detect and work with POST requests
 - Export function for vulnerabilities
- Add some functions from https://sergeybelove.ru/one-button-scan/result/3004e0b978f19e58e3239087d119742779e1efbc/
 - Deep and impact : args['url'],args['deep'],args['impact']
- Command injection :&sleep 5&'\"0&sleep 5&`'
- Launch scan when a button is clicked/ form submitted / page opened via URL
- LFI scan improvement with data: wrapper
+- Launch scan when a button is clicked/ form submitted / page opened via URL - chrome.tabs.onActivated.addListener
+- Cookies and User Agent in server request
+- BUG multiples vulns not added

 ## Thanks
 - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
--- a/Server/server.py
+++ b/Server/server.py
@ -87,6 +87,7 @@ def scan_sql_blind_time(vulns, url, fuzz):
 		else:
 			print "\t\t\033[94mTime Based SQLi (", name ,") Failed \033[0m for ", fuzz, " with the payload :", payload

+
 """scan_lfi
 Description: will scan every parameter for LFI, checking for the common root:x:0:0
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
@ -104,6 +105,45 @@ def scan_lfi(vulns, url, fuzz):
 		print "\t\t\033[94mLFI Failed \033[0m for ", fuzz, " with the payload :", payload, inject


+"""scan_rce
+Description: use a polyglot vector to detect a RCE based on the response time
+Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
+"""
+def scan_rce(vulns, url, fuzz):
+	""" Some tests of context
+	$ time (ping -c 3 127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 )     -   real	0m4.113s
+	ping: unknown host 127.0.0.1|sleep 	
+	4|
+	
+	$ time (ping -c 3 '127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 ')   -   real	0m4.012s
+	ping: unknown host 127.0.0.1`#
+	`"|sleep${IFS}4|";sleep${IFS}4  : commande introuvable
+	
+	$ time (ping -c 3 "127.0.0.1`#'|sleep${IFS}4|'`"|sleep${IFS}4|";sleep${IFS}4 ")   -   real	0m4.008s
+	;sleep 	
+	4  : commande introuvable
+	"""
+	# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4 "
+	payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4%20"
+
+	# Do a request and check the response time
+	inject  = url.replace(fuzz+"=", fuzz+"="+payload)
+	time1   = datetime.datetime.now()
+	content = requests.get(inject).text
+	time2   = datetime.datetime.now()
+	diff    = time2 - time1
+	diff    = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
+
+	# The payload will force a delay of 5s at least.
+	if diff > 2:
+		print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload
+		vulns['rce']  += 1
+		vulns['list'] += 'RCE|TYPE|'+inject+'|DELIMITER|'
+
+	else:
+		print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload
+
+
 """ Route /ping
 Description: Simple ping implementation to check if the server is up via the extension
 """
@ -117,7 +157,7 @@ Description: main route for the flask application, every scan is launched from h
 """
@app.route('/',methods=['GET'])
 def index():
-	vulns = {'xss': 0, 'sql': 0, 'lfi': 0, 'list':''}
+	vulns = {'rce': 0, 'xss': 0, 'sql': 0, 'lfi': 0, 'list':''}
 	
 	# Parse requests - extract arguments
 	args  = request.args
@ -130,12 +170,14 @@ def index():

 		# Launch scans
 		for fuzz in matches:
-			print "\n---[ New parameter : "+fuzz+" ]---"
+			print "\n---[ New parameter " + fuzz + " for url: " + url + " ]---"
 			scan_xss(vulns, url, fuzz)
 			scan_lfi(vulns, url, fuzz)
 			scan_sql_error(vulns, url, fuzz)
 			scan_sql_blind_time(vulns, url, fuzz)
+			scan_rce(vulns, url, fuzz)

+	print vulns
 	# Display results as a json
 	return jsonify(vulns)