Class: Arachni::Modules::Audit::Eval

Inherits:
Arachni::Module::Base show all
Includes:
Arachni::Module::Registrar, Arachni::UI::Output
Defined in:
modules/audit/eval.rb

Overview

eval() recon module.

It audits links, forms and cookies for code injection.

It’s designed to work with PHP, Perl, Python, Java, ASP and Ruby but still needs some more testing.

@author: Anastasios “Zapotek” Laskos 

                                     <tasos.laskos@gmail.com>
                                     <zapotek@segfault.gr>

@version: $Rev: 371 $

See Also:

Class Method Summary (collapse)

Instance Method Summary (collapse)

Methods included from Arachni::Module::Registrar

#add_storage, #get_storage, #get_store, included, #register_results

Methods included from Arachni::UI::Output

#debug!, #debug?, #only_positives!, #only_positives?, #print_debug, #print_debug_backtrace, #print_debug_pp, #print_error, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #verbose!, #verbose?

Methods inherited from Arachni::Module::Base

#clean_up, deps, #get_cookie_simple, #get_cookies, #get_cookies_simple, #get_data_file, #get_form_simple, #get_forms, #get_forms_simple, #get_links, #get_links_simple, #get_request_headers, #get_response_headers

Methods included from Arachni::Module::Auditor

#audit_cookies, #audit_forms, #audit_headers, #audit_links, #get_matches, #inject_each_var

Methods included from Arachni::Module::Trainer

#train

Methods included from Arachni::Module::ElementDB

#init_cookies, #init_forms, #init_links, #update_cookies, #update_forms, #update_links, #work_on_cookies, #work_on_forms, #work_on_links

Constructor Details

- (Eval) initialize(page)

A new instance of Eval 



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
# File 'modules/audit/eval.rb', line 46

def initialize( page )
    super( page )

    # code to inject
    @__injection_strs = []
    
    # digits from a sha1 hash
    # the codes in @__injection_strs with tell the web app
    # to sum them and echo them
    @__rand1 = '287630581954'
    @__rand2 = '4196403186331128'
    
    # the sum of the 2 numbers as a string
    @__rand  =  (287630581954 + 4196403186331128).to_s
    
    # our results hash
    @results = []
end

Class Method Details

+ (Object) info 



108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
 
# File 'modules/audit/eval.rb', line 108

def self.info
    {
        'Name'           => 'Eval',
        'Description'    => %q{eval() recon module. Tries to inject code
            into the web application.},
        'Elements'       => [
            Vulnerability::Element::FORM,
            Vulnerability::Element::LINK,
            Vulnerability::Element::COOKIE
        ],
        'Author'         => 'zapotek',
        'Version'        => '$Rev: 371 $',
        'References'     => {
            'PHP'    => 'http://php.net/manual/en/function.eval.php',
            'Perl'   => 'http://perldoc.perl.org/functions/eval.html',
            'Python' => 'http://docs.python.org/py3k/library/functions.html#eval',
            'ASP'    => 'http://www.aspdev.org/asp/asp-eval-execute/',
            'Ruby'   => 'http://en.wikipedia.org/wiki/Eval#Ruby'
         },
        'Targets'        => { 'Generic' => 'all' },
            
        'Vulnerability'   => {
            'Name'        => %q{Code injection},
            'Description' => %q{Code can be injected into the web application.},
            'CWE'         => '94',
            'Severity'    => Vulnerability::Severity::HIGH,
            'CVSSV2'       => '7.5',
            'Remedy_Guidance'    => '',
            'Remedy_Code' => '',
        }

    }
end

Instance Method Details

- (Object) prepare 



65
66
67
68
69
70
71
72
73
74
75
 
# File 'modules/audit/eval.rb', line 65

def prepare( )
    
    # code to be injected to the webapp
    @__injection_strs = [
        "echo " + @__rand1 + "+" + @__rand2 + ";", # PHP
        "print " + @__rand1 + "+" + @__rand2 + ";", # Perl
        "print " + @__rand1 + " + " + @__rand2, # Python
        "Response.Write\x28" +  @__rand1  + '+' + @__rand2 + "\x29", # ASP
        "puts " + @__rand1 + " + " + @__rand2 # Ruby
    ]
end

- (Object) run 



77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
# File 'modules/audit/eval.rb', line 77

def run( )
    
    # iterate through the injection codes
    @__injection_strs.each {
        |str|
        
        # audit forms and add the results to the results array
        audit_forms( str, Regexp.new( @__rand ), @__rand ).each {
            |res|
            @results << Vulnerability.new( res.merge( self.class.info ) )
        }
        
        # audit links and add the results to the results array    
        audit_links( str, Regexp.new( @__rand ), @__rand ).each {
            |res|
            @results << Vulnerability.new( res.merge( self.class.info ) )
        }
        
        # audit cookies and add the results to the results array
        audit_cookies( str, Regexp.new( @__rand ), @__rand ).each {
            |res|
            @results << Vulnerability.new( res.merge( self.class.info ) )
        }
        
    }
    
    # register our results with the system
    register_results( @results )
end