Updated support for Web modules and analysis techniques #1000
This request contains core classes for the new Web-related functionality (along with a few updates to existing code) such as:
Anemone
Has been hacked to support modular path extractors and dirbusting.
Path extractors (/lib/anemone/extractors)
Single-responsibility components which when passed an Anemone::Page return an array of paths.
Dirbuster (/lib/anemone/extractors/dirbuster.rb /lib/anemone/extractors/dirbuster/directories)
Implemented as a path extractor, feeds the crawler a bunch of directory names.
Auxiliary::Web (/lib/msf/core/auxiliary/web.rb)
Mixin which provides a bunch of helpers to the web modules for:
Auxiliary::Web::HTTP (/msf3/lib/msf/core/auxiliary/web/http.rb)
Provides a more sensible interface for the task at hand, much more high-level than Rex::Proto::Http::Client, which it wraps into a pretty bow.
Takes into account query params and merges them with explicit get params, handles redirects, can detect custom 404 pages, etc.
Generally makes life much easier...
Auxiliary::Web::Target (/msf3/lib/msf/core/auxiliary/web/target.rb)
Holds target info like Mdm::Service, Mdm::WebSite, along with a bunch of helper attributes (like vhost, host, port, etc.).
Most interesting attributes are:
Auxiliary::Web::Form (/msf3/lib/msf/core/auxiliary/web/form.rb)
Represents a form element and holds its method, action, inputs and the original Mdm::WebForm model.
Also provides a bunch of domain relevant helpers like query parsing, encoding, permutation generation and more.
Inherits from Auxiliary::Web::Fuzzable.
Auxiliary::Web::Path (/msf3/lib/msf/core/auxiliary/web/path.rb)
Same deal as Auxiliary::Web::Form, apart from a few differences in their guts, since even though their API needs to be identical, their internal representation differs wildly.
Inherits from Auxiliary::Web::Fuzzable.
Auxiliary::Web::Fuzzable (/msf3/lib/msf/core/auxiliary/web/fuzzable.rb)
Doesn't do much, provides a way to #submit the elements and #fuzz them using their permutations.
Also provides comparison and #dup methods.
The cool stuff is that it dynamically loads and includes analysis modules (Ruby modules, not framework components) under its namespace.
Auxiliary::Web::Analysis (/msf3/lib/msf/core/auxiliary/web/analysis/)
Namespace under which all analysis techniques reside.
Auxiliary::Web::Analysis::Taint (/pro/msf3/lib/msf/core/auxiliary/web/analysis/taint.rb)
Provides Taint analysis support to Fuzzable elements, basically submits their permutations and uses the fuzzer's (web module's) #find_proof to determine whether or not a response matches a vulnerability signature.
Auxiliary::Web::Analysis::Differential (/msf3/lib/msf/core/auxiliary/web/analysis/differential.rb)
Provides Differential analysis using fault/boolean injection pairs to determine whether the back-end logic can be manipulated and uses text refinement (Rex::Text.refine) to remove irrelevant/out-of-context noise data in order to make response comparisons possible.
Auxiliary::Web::Analysis::Timing (/pro/msf3/lib/msf/core/auxiliary/web/analysis/timing.rb)
Provides timing-attack/response-time analysis. Injects delay increments and ensures responsiveness between injections to make sure that the response times are manipulatable and not just dumb luck or a dead server.
Changes to core libs
Added:
Rex::Text.to_words -- Splits a String into an Array of words.
Rex::Text.refine -- Removes noise from 2 Strings and returns a refined String version.
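To make the differential-analysis idea described above concrete, here is a self-contained Ruby illustration. It is an added example, not code from this pull request or from Metasploit: `FakeApp`, `SafeApp`, `Differential.refine` and `Differential.manipulable?` are hypothetical names, the "application" is a constructed stand-in for a back end whose `id` parameter ends up in a boolean condition, and `refine` is a deliberately simple line-based stand-in for the noise removal that Rex::Text.refine performs in the real library. The point it shows is the one the description makes: responses carry noise (counters, timestamps) that makes naive comparison impossible, so two baseline responses are used to strip that noise before the true/false/fault injection responses are compared.

```ruby
# Constructed back end with a boolean-injectable "id" parameter (hypothetical).
# Every response also carries noise that differs between requests.
class FakeApp
  def initialize
    @counter = 0
  end

  # Mimics a naive WHERE clause built from the raw parameter:
  #   "5"          -> condition true
  #   "5 AND 1=1"  -> true,  "5 AND 1=2" -> false
  #   "5'"         -> syntax fault, error page
  def get(id)
    @counter += 1
    noise = "req=#{@counter} ts=#{Time.now.to_f}"
    if id =~ /\A\d+\z/
      page(noise, true)
    elsif (m = id.match(/\A(\d+) AND (\d+)=(\d+)\z/))
      page(noise, m[2] == m[3])
    else
      "<h1>Database error</h1>\n<footer>#{noise}</footer>\n"
    end
  end

  private

  def page(noise, cond)
    rows = cond ? "<li>Widget</li>\n<li>Gadget</li>\n" : ""
    "<h1>Products</h1>\n<ul>\n#{rows}</ul>\n<footer>#{noise}</footer>\n"
  end
end

# Constructed back end that casts the parameter to an integer first, so the
# injected condition never reaches the logic (hypothetical control case).
class SafeApp < FakeApp
  def get(id)
    super(id.to_i.to_s)
  end
end

module Differential
  # Line-based stand-in for text refinement: keep only the lines both
  # responses share, dropping the lines that differ (the noise).
  def self.refine(a, b)
    (a.lines & b.lines).join
  end

  # Boolean/fault differential check against one parameter value:
  #   * two identical baseline requests define what "stable content" is,
  #   * the always-true injection must look like the baseline,
  #   * the always-false injection must differ from it,
  #   * the fault (syntax error) injection must differ as well.
  # All comparisons are done on refined text so noise cannot fake a diff.
  def self.manipulable?(app, value)
    base1 = app.get(value)
    base2 = app.get(value)
    baseline = refine(base1, base2)

    true_resp  = refine(app.get("#{value} AND 1=1"), base1)
    false_resp = refine(app.get("#{value} AND 1=2"), base1)
    fault_resp = refine(app.get("#{value}'"), base1)

    true_resp == baseline && false_resp != baseline && fault_resp != baseline
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "FakeApp manipulable: #{Differential.manipulable?(FakeApp.new, '5')}"
  puts "SafeApp manipulable: #{Differential.manipulable?(SafeApp.new, '5')}"
end
```

Requiring both the false and the fault responses to differ from the refined baseline is what guards against a server that simply returns the same page regardless of input (no difference anywhere) and against one where any change to the parameter breaks the page (every injection differs, so the true/false pair carries no signal).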