wapiti-scanner / wapiti

Web vulnerability scanner written in Python3
https://github.com/wapiti-scanner/wapiti
GNU General Public License v2.0
1.22k stars 184 forks source link

Crash on report generation #605

Closed devl00p closed 3 months ago

devl00p commented 4 months ago

Bumped into that one, requires more investigation. Python 3.12.

[*] Generating report...
Traceback (most recent call last):
  File "/home/devloop/wapiti/./bin/wapiti", line 34, in <module>
    wapiti_asyncio_wrapper()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 496, in wapiti_asyncio_wrapper
    asyncio.run(wapiti_main())
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 194, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 483, in wapiti_main
    await wap.attack(global_stop_event)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 583, in attack
    await self.write_report()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 630, in write_report
    self.report_gen.generate_report(self.output_file)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/report/htmlreportgenerator.py", line 97, in generate_report
    mytemplate.render_unicode(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/template.py", line 443, in render_unicode
    return runtime._render(
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 874, in _render
    _render_context(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 916, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 943, in _exec_template
    callable_(context, *args, **kwargs)
  File "_home_devloop__pyenv_versions_my3124_lib_python3_12_site_packages_wapitiCore_report_template_report_html", line 111, in render_body
KeyError: 'SQL Injection (DBMS: MySQL)'
devl00p commented 4 months ago

Quick way to reproduce:

wapiti -v2 -u http://testphp.vulnweb.com/userinfo.php --flush-session --color --scope page -s http://testphp.vulnweb.com/login.php -m sql

The crash occurs in the HTML report generation, never saw that case before so it is a recent bug.

Mako generation is called in htmlreportgenerator.py:

                mytemplate.render_unicode(
                    wapiti_version=self._infos["version"],
                    target=self._infos["target"],
                    scan_date=self._infos["date"],
                    scan_scope=self._infos["scope"],
                    auth_dict=self._infos["auth"],
                    auth_form_dict=self._infos["auth"]["form"] if self._infos.get("auth") is not None else None,
                    crawled_pages_nbr=self._infos["crawled_pages_nbr"],
                    vulnerabilities=self._vulns,
                    anomalies=self._anomalies,
                    additionals=self._additionals,
                    flaws=self._flaw_types,
                    level_to_emoji=level_to_emoji,
                    detailed_report_level=self._infos["detailed_report_level"]
                )

The most obvious cause concerns the flaw definitions, especially the flaw type should be SQL Injection which has its corresponding vulnerability definition while SQL Injection (DBMS: MySQL) doesn't have it.

Using the debugger, it is easy to check it out.

Dump of self._vulns:

{
    'Backup file': [],
    'Weak credentials': [],
    'CRLF Injection': [],
    'Content Security Policy Configuration': [],
    'Cross Site Request Forgery': [],
    'Potentially dangerous file': [], 
    'Command execution': [],
    'Path Traversal': [],
    'Fingerprint web application framework': [],
    'Fingerprint web server': [],
    'Htaccess Bypass': [], 
    'HTML Injection': [],
    'HTTP Secure Headers': [],
    'HttpOnly Flag cookie': [], 
    'Unencrypted Channels': [],
    'LDAP Injection': [],
    'Log4Shell': [],
    'Open Redirect': [],
    'Reflected Cross Site Scripting': [], 
    'Secure Flag cookie': [], 
    'Spring4Shell': [],
    'SQL Injection': [],
    'TLS/SSL misconfigurations': [],
    'Server Side Request Forgery': [],
    'Stored HTML Injection': [],
    'Stored Cross Site Scripting': [],
    'Subdomain takeover': [], 
    'Blind SQL Injection': [], 
    'Unrestricted File Upload': [],
    'XPATH Injection': [],
    'XML External Entity': [], 
    'SQL Injection (DBMS: MySQL)': [
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter uname', 'level': 4, 'parameter': 'uname', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 42\nContent-Type: application/x-www-form-urlencoded\n\nuname=default%C2%BF%27%22%28&pass=Letm3in_', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default%C2%BF%27%22%28&pass=Letm3in_"', 'wstg': ['WSTG-INPV-05']},
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter pass', 'level': 4, 'parameter': 'pass', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 41\nContent-Type: application/x-www-form-urlencoded\n\nuname=default&pass=default%C2%BF%27%22%28', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default&pass=default%C2%BF%27%22%28"', 'wstg': ['WSTG-INPV-05']}
    ]
}

Dump of self._flaw_types.keys():

dict_keys(['Backup file', 'Weak credentials', 'CRLF Injection', 'Content Security Policy Configuration', 'Cross Site Request Forgery', 'Potentially dangerous file', 'Command execution', 'Path Traversal', 'Fingerprint web application framework', 'Fingerprint web server', 'Htaccess Bypass', 'HTML Injection', 'HTTP Secure Headers', 'HttpOnly Flag cookie', 'Unencrypted Channels', 'LDAP Injection', 'Log4Shell', 'Open Redirect', 'Reflected Cross Site Scripting', 'Secure Flag cookie', 'Spring4Shell', 'SQL Injection', 'TLS/SSL misconfigurations', 'Server Side Request Forgery', 'Stored HTML Injection', 'Stored Cross Site Scripting', 'Subdomain takeover', 'Blind SQL Injection', 'Unrestricted File Upload', 'XPATH Injection', 'XML External Entity', 'Internal Server Error', 'Resource consumption', 'Review Webserver Metafiles for Information Leakage', 'Fingerprint web technology', 'HTTP Methods'])

This is related to the latest change made to mod_sql:

https://github.com/wapiti-scanner/wapiti/commit/28f786dd0de6004c15403f8760b2032cfe4f76fa?diff=unified&w=0#diff-db48ed409620db2a8ba75ce5ebcd56cb5063506ea1cfd504f338eecc76f75872L388

We need to put back NAME as parameter for add_vuln_critical.

As LDAP injection is also covered by that module we should either:

As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.

bretfourbe commented 4 months ago

Hi @devl00p

We need to put back NAME as parameter for add_vuln_critical.

Yes indeed

As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.

Why not, if it does not add to much duplicate code

devl00p commented 3 months ago

PR https://github.com/wapiti-scanner/wapiti/pull/607

devl00p commented 3 months ago

fixed