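require 'sinatra'
require 'sinatra/contrib'

# Simulated file-disclosure endpoints.
#
# Every route takes a path-like value from one input vector (query parameter,
# form field, cookie or User-Agent header), normalises it, and answers with a
# canned string when the normalised path is one of the keys of
# FILE_TO_PLATFORM. No file is ever opened: File.expand_path is used purely
# as a string normaliser, and the response bodies come from OUT.
#
# NOTE(review): this copy of the file has lost its line structure. The page
# bodies below hold only the text that is visible here (the HTML markup of
# the index/link/form pages is not present), and the OUT strings are kept
# exactly as they appear, with single spaces where the original presumably
# had line breaks -- confirm against the upstream file before relying on them.

# Benign value that the "straight" link, form and cookie routes treat as
# "nothing requested".
def default
  'default.html'
end

# Suffix the "with_null" routes require: a NUL byte followed by ".html".
NULL_TERMINATED_SUFFIX = "\0.html"

# Normalised absolute path => platform whose canned output it maps to.
FILE_TO_PLATFORM = {
  '/boot.ini' => :windows,
  '/windows/win.ini' => :windows,
  '/winnt/win.ini' => :windows,
  '/etc/passwd' => :unix,
  '/WEB-INF/web.xml' => :tomcat
}.freeze

# Canned response body per platform.
OUT = {
  unix: 'root:x:0:0:root:/root:/bin/bash ' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh ',
  windows: '[boot loader] timeout=30 ' \
           'default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS ' \
           '[operating systems] ' \
           'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect ' \
           '; for 16-bit app support ' \
           '[fonts] [extensions] [mci extensions] [files] ' \
           '[Mail] MAPI=1 CMC=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll MAPIX=1 ',
  tomcat: ' VulnerabilityDetectionChallenge ' \
          'index.html index.htm index.jsp default.html default.htm default.jsp ' \
          'Weak authentication - basic /passive/session/weak-authentication-basic.jsp ' \
          'tomcat role1 BASIC Application ' \
          'The role that is required to access protected pages tomcat ' \
          'The role that is required to access protected pages role1 '
}.freeze

# Maps a submitted path to the canned output for +system+.
#
# The value is cut at its first NUL byte, anything up to and including the
# last "file:/" is dropped, and the remainder is normalised with
# File.expand_path (runs of "/" are then collapsed). The canned output is
# returned only when the normalised path is registered in FILE_TO_PLATFORM
# for the same platform as +system+.
#
# system - platform Symbol of the route being served (a key of OUT).
# str    - the raw value taken from the request; may be nil.
#
# Returns the canned String, or nil when nothing matches or the value cannot
# be normalised.
def get_variations(system, str)
  return unless str

  # "".split and "\0abc".split("\0") yield nil / "" here; without the guards
  # the next call would raise and the request would end in a 500.
  path = str.split("\0").first
  return unless path

  path = path.split('file:/').last
  return unless path

  begin
    file = File.expand_path(path).gsub(%r{/+}, '/')
  rescue ArgumentError
    # expand_path rejects some inputs (e.g. "~" followed by an unknown user
    # name); treat those as "no match" instead of failing the request.
    return
  end

  platform = FILE_TO_PLATFORM[file]
  OUT[platform] if system == platform
end

# One identical set of routes is registered per platform: /unix/..., /windows/...
# and /tomcat/... Request values go through #to_s so that a missing parameter
# or header is handled as an empty value rather than raising NoMethodError.
OUT.each_key do |system|
  system_str = system.to_s

  # Index page for the platform.
  get "/#{system_str}" do
    <<-EOHTML
      Link Form Cookie Header
    EOHTML
  end

  # --- query parameter -------------------------------------------------------

  get "/#{system_str}/link" do
    <<-EOHTML
      Link Link
    EOHTML
  end

  # Accepts any value that is not the benign default and holds no NUL byte.
  get "/#{system_str}/link/straight" do
    input = params['input'].to_s
    return if input.start_with?(default) || input.include?("\0")

    get_variations(system, input)
  end

  # Accepts only values that end in NUL + ".html"; the suffix is cut off
  # before the lookup.
  get "/#{system_str}/link/with_null" do
    input = params['input'].to_s
    return unless input.end_with?(NULL_TERMINATED_SUFFIX)

    get_variations(system, input.split(NULL_TERMINATED_SUFFIX).first)
  end

  # --- form field ------------------------------------------------------------

  # NOTE(review): the form markup is not present in this copy, so the body is
  # empty here.
  get "/#{system_str}/form" do
    <<-EOHTML
    EOHTML
  end

  post "/#{system_str}/form/straight" do
    input = params['input'].to_s
    return if input.start_with?(default) || input.include?("\0")

    get_variations(system, input)
  end

  post "/#{system_str}/form/with_null" do
    input = params['input'].to_s
    return unless input.end_with?(NULL_TERMINATED_SUFFIX)

    get_variations(system, input.split(NULL_TERMINATED_SUFFIX).first)
  end

  # --- cookie ----------------------------------------------------------------

  get "/#{system_str}/cookie" do
    <<-HTML
      Cookie
    HTML
  end

  # Seeds the cookie with the benign default when the client sent none, so
  # only a client-supplied, non-default value reaches the lookup. Unlike the
  # other "straight" routes, a NUL byte in the value is not rejected here
  # (that check is commented out in the original).
  get "/#{system_str}/cookie/straight" do
    cookies['cookie'] ||= default
    return if cookies['cookie'].start_with?(default) # || cookies['cookie'].include?( "\0" )

    get_variations(system, cookies['cookie'])
  end

  # Disabled in the original:
  # get "/#{system_str}/cookie/with_null" do
  #   cookies['cookie1'] ||= default
  #   return if !cookies['cookie1'].end_with?( "\00.html" )
  #
  #   p cookies['cookie1']
  #   get_variations( system, cookies['cookie1'] )
  # end

  # --- User-Agent header -----------------------------------------------------

  get "/#{system_str}/header" do
    <<-EOHTML
      Header Header
    EOHTML
  end

  # The benign prefix for this vector is 'arachni_user' rather than the
  # value returned by #default.
  get "/#{system_str}/header/straight" do
    default_agent = 'arachni_user'
    user_agent = env['HTTP_USER_AGENT'].to_s
    return if user_agent.start_with?(default_agent) || user_agent.include?("\0")

    get_variations(system, user_agent)
  end

  # The raw header is passed on unchanged; get_variations itself cuts the
  # value at the first NUL byte.
  get "/#{system_str}/header/with_null" do
    user_agent = env['HTTP_USER_AGENT'].to_s
    return unless user_agent.end_with?(NULL_TERMINATED_SUFFIX)

    get_variations(system, user_agent)
  end
end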