require 'spec_helper'
require 'rex/parser/acunetix_document'
RSpec.describe Rex::Parser::AcunetixDocument do
  # The handler writes straight into the framework database, so each example
  # needs the local, per-example workspace the shared contexts provide; a
  # remote DB backend is not supported by this spec.
  before { skip("Not supported for remote DB") } if ENV['REMOTE_DB']

  include_context 'Msf::UIDriver'
  include_context 'Msf::DBManager'

  # <TechnicalDetails> payload carrying a full HTTP request/response pair —
  # the shape that is expected to be recorded as a web_vuln.
  # NOTE(review): unlike every other field in these fixtures (and the
  # free-trial sample below), Request/Response are not CDATA-wrapped, so the
  # SAX parser sees <html>/<body> as nested elements rather than as response
  # text. Presumably the handler collects the text either way — confirm before
  # asserting on the stored response body.
  let(:web_vuln_xml) do
    %{
      <Request>GET /search.php?q=test HTTP/1.1\r\nHost: 192.168.200.142\r\n\r\n</Request>
      <Response>HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Results</body></html></Response>
    }
  end

  # <TechnicalDetails> payload with no usable request data, as a free-trial
  # export produces; this is the "normal vulnerability" case below.
  let(:other_vuln_xml) do
    %{<Request><![CDATA[Not available in the free trial]]></Request>}
  end

  # Builds a complete Acunetix XML export containing exactly one high-severity
  # ReportItem (PHP-CGI RCE, CVE-2012-1823 / CVE-2012-2311). Everything is
  # fixed except the <TechnicalDetails> body, which the caller supplies, so the
  # two scenarios in this spec differ only in that element.
  #
  # NOTE(review): scanner exports are third-party input crossing a trust
  # boundary; nothing here feeds the handler malformed or hostile XML (external
  # entities, entity expansion). Worth a case if the SAX parser's entity
  # handling is not pinned elsewhere.
  def build_report(technical_details)
    %{<?xml version="1.0"?>
      <ScanGroup ExportedOn="26/04/2023, 00:33:40">
        <Scan>
          <Name><![CDATA[scan_name]]></Name>
          <ShortName><![CDATA[scan_short_name]]></ShortName>
          <StartURL><![CDATA[http://192.168.200.142]]></StartURL>
          <StartTime><![CDATA[26/04/2023, 00:27:04]]></StartTime>
          <FinishTime><![CDATA[26/04/2023, 00:32:06]]></FinishTime>
          <ScanTime><![CDATA[4 minutes, 57 seconds]]></ScanTime>
          <Aborted><![CDATA[True]]></Aborted>
          <Responsive><![CDATA[]]></Responsive>
          <Banner><![CDATA[]]></Banner>
          <Os><![CDATA[]]></Os>
          <WebServer><![CDATA[]]></WebServer>
          <Technologies>
            <![CDATA[]]>
          </Technologies>
          <Crawler StartUrl="http://192.168.200.142">
            <Cookies>

            </Cookies>
            <SiteFiles>
              <SiteFile id="1">
                <Name><![CDATA[http://192.168.200.142/]]></Name>
                <URL><![CDATA[/]]></URL>
                <FullURL><![CDATA[http://192.168.200.142/]]></FullURL>

              </SiteFile>
            </SiteFiles>
          </Crawler>
          <ReportItems>
            <ReportItem id="1" color="red">
              <Name><![CDATA[PHP-CGI remote code execution]]></Name>
              <ModuleName><![CDATA[Scripting (PHP_CGI_RCE_Force_Redirect.script)]]></ModuleName>
              <Details><![CDATA[Not available in the free trial]]></Details>
              <Affects><![CDATA[/]]></Affects>
              <Parameter><![CDATA[]]></Parameter>
              <AOP_SourceFile><![CDATA[]]></AOP_SourceFile>
              <AOP_SourceLine></AOP_SourceLine>
              <AOP_Additional><![CDATA[]]></AOP_Additional>
              <IsFalsePositive><![CDATA[]]></IsFalsePositive>
              <Severity><![CDATA[high]]></Severity>
              <Type><![CDATA[denialofservice]]></Type>
              <Impact><![CDATA[A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.]]></Impact>
              <Description><![CDATA[PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. <br/><br/>
An example of the -s command, allowing an attacker to view the source code of index.php is below:
<pre>
http://localhost/index.php?-s
</pre>
]]></Description>
              <DetailedInformation><![CDATA[]]></DetailedInformation>
              <Recommendation><![CDATA[An alternative is to configure your web server to not let these types of requests with query strings starting with a &quot;-&quot; and not containing a &quot;=&quot; through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this: <br/><br/>
<code><pre>
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
</pre></code>]]></Recommendation>
              <TechnicalDetails>
                #{technical_details}
              </TechnicalDetails>
              <CWEList>

                <CWE id="20"><![CDATA[CWE-20]]></CWE>

              </CWEList>
              <CVEList>

                <CVE id="1823" year="2012"><![CDATA[CVE-2012-1823]]></CVE>

                <CVE id="2311" year="2012"><![CDATA[CVE-2012-2311]]></CVE>

              </CVEList>
              <CVSS>
                <Descriptor><![CDATA[AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C]]></Descriptor>
                <Score><![CDATA[7.5]]></Score>
                <AV><![CDATA[Network_Accessible]]></AV>
                <AC><![CDATA[Low]]></AC>
                <Au><![CDATA[None]]></Au>
                <C><![CDATA[Partial]]></C>
                <I><![CDATA[Partial]]></I>
                <A><![CDATA[Partial]]></A>
                <E><![CDATA[]]></E>
                <RL><![CDATA[]]></RL>
                <RC><![CDATA[]]></RC>
              </CVSS>

              <References>

                <Reference>
                  <Database><![CDATA[Eindbazen PHP-CGI advisory (CVE-2012-1823)]]></Database>
                  <URL><![CDATA[http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/]]></URL>
                </Reference>

                <Reference>
                  <Database><![CDATA[CVE-2012-1823-mitigation]]></Database>
                  <URL><![CDATA[http://eindbazen.net/wp-content/uploads/2012/05/CVE-2012-1823-mitigation.tar.gz]]></URL>
                </Reference>

                <Reference>
                  <Database><![CDATA[PHP-CGI query string parameter vulnerability]]></Database>
                  <URL><![CDATA[http://www.kb.cert.org/vuls/id/520827]]></URL>
                </Reference>

                <Reference>
                  <Database><![CDATA[PHP 5.3.12 and PHP 5.4.2 Released!]]></Database>
                  <URL><![CDATA[http://www.php.net/archive/2012.php#id2012-05-03-1]]></URL>
                </Reference>

              </References>
            </ReportItem>
          </ReportItems>
        </Scan>
      </ScanGroup>}
  end

  let(:acunetix_web_vuln_report) { build_report(web_vuln_xml) }
  let(:acunetix_other_vuln_report) { build_report(other_vuln_xml) }

  # Constructor args for the document handler. Only :workspace is required;
  # :options, :filename and :blacklist are omitted because nothing in this
  # spec depends on them.
  let(:acunetix_args) do
    { workspace: framework.db.workspace.name }
  end

  describe '#parse' do
    # A Nokogiri SAX parser driving the Acunetix handler, which records
    # vulns / web_vulns into framework.db as ReportItems are encountered.
    subject(:parser) do
      handler = Rex::Parser::AcunetixDocument.new(acunetix_args, framework.db)
      ::Nokogiri::XML::SAX::Parser.new(handler)
    end

    context 'when importing a file containing a web vulnerability' do
      it 'should import a web vulnerability' do
        # #parse has no meaningful return value; its effect is the rows it
        # writes into the workspace's web_vulns (and vulns) tables.
        parser.parse(acunetix_web_vuln_report)

        # A ReportItem with request/response data must be reported as a
        # web_vuln rather than only as a generic vuln.
        expect(framework.db.workspace.web_vulns.length).to be >= 1
        expect(framework.db.workspace.web_vulns.first.name).to eq('PHP-CGI remote code execution')
      end
    end

    context 'when importing a file containing a normal vulnerability' do
      it 'should import a normal vulnerability' do
        parser.parse(acunetix_other_vuln_report)

        # Without usable request data the item is recorded as a plain vuln.
        expect(framework.db.workspace.vulns.length).to be >= 1
        expect(framework.db.workspace.vulns.first.name).to eq('PHP-CGI remote code execution')
      end
    end
  end
end