wapiti-scanner / wapiti

Web vulnerability scanner written in Python3
https://github.com/wapiti-scanner/wapiti
GNU General Public License v2.0

Crash on report generation #605

Open devl00p opened 3 weeks ago

devl00p commented 3 weeks ago

Bumped into that one, requires more investigation. Python 3.12.

[*] Generating report...
Traceback (most recent call last):
  File "/home/devloop/wapiti/./bin/wapiti", line 34, in <module>
    wapiti_asyncio_wrapper()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 496, in wapiti_asyncio_wrapper
    asyncio.run(wapiti_main())
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 194, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 483, in wapiti_main
    await wap.attack(global_stop_event)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 583, in attack
    await self.write_report()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 630, in write_report
    self.report_gen.generate_report(self.output_file)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/report/htmlreportgenerator.py", line 97, in generate_report
    mytemplate.render_unicode(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/template.py", line 443, in render_unicode
    return runtime._render(
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 874, in _render
    _render_context(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 916, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 943, in _exec_template
    callable_(context, *args, **kwargs)
  File "_home_devloop__pyenv_versions_my3124_lib_python3_12_site_packages_wapitiCore_report_template_report_html", line 111, in render_body
KeyError: 'SQL Injection (DBMS: MySQL)'

devl00p commented 2 weeks ago

Quick way to reproduce:

wapiti -v2 -u http://testphp.vulnweb.com/userinfo.php --flush-session --color --scope page -s http://testphp.vulnweb.com/login.php -m sql

The crash occurs in the HTML report generation. I never saw that case before, so it is a recent bug.

Mako generation is called in htmlreportgenerator.py:

                mytemplate.render_unicode(
                    wapiti_version=self._infos["version"],
                    target=self._infos["target"],
                    scan_date=self._infos["date"],
                    scan_scope=self._infos["scope"],
                    auth_dict=self._infos["auth"],
                    auth_form_dict=self._infos["auth"]["form"] if self._infos.get("auth") is not None else None,
                    crawled_pages_nbr=self._infos["crawled_pages_nbr"],
                    vulnerabilities=self._vulns,
                    anomalies=self._anomalies,
                    additionals=self._additionals,
                    flaws=self._flaw_types,
                    level_to_emoji=level_to_emoji,
                    detailed_report_level=self._infos["detailed_report_level"]
                )

The most obvious cause concerns the flaw definitions: the flaw type should be SQL Injection, which has its corresponding vulnerability definition, while SQL Injection (DBMS: MySQL) doesn't have one.

Using the debugger, it is easy to check it out.

Dump of self._vulns:

{
    'Backup file': [],
    'Weak credentials': [],
    'CRLF Injection': [],
    'Content Security Policy Configuration': [],
    'Cross Site Request Forgery': [],
    'Potentially dangerous file': [], 
    'Command execution': [],
    'Path Traversal': [],
    'Fingerprint web application framework': [],
    'Fingerprint web server': [],
    'Htaccess Bypass': [], 
    'HTML Injection': [],
    'HTTP Secure Headers': [],
    'HttpOnly Flag cookie': [], 
    'Unencrypted Channels': [],
    'LDAP Injection': [],
    'Log4Shell': [],
    'Open Redirect': [],
    'Reflected Cross Site Scripting': [], 
    'Secure Flag cookie': [], 
    'Spring4Shell': [],
    'SQL Injection': [],
    'TLS/SSL misconfigurations': [],
    'Server Side Request Forgery': [],
    'Stored HTML Injection': [],
    'Stored Cross Site Scripting': [],
    'Subdomain takeover': [], 
    'Blind SQL Injection': [], 
    'Unrestricted File Upload': [],
    'XPATH Injection': [],
    'XML External Entity': [], 
    'SQL Injection (DBMS: MySQL)': [
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter uname', 'level': 4, 'parameter': 'uname', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 42\nContent-Type: application/x-www-form-urlencoded\n\nuname=default%C2%BF%27%22%28&pass=Letm3in_', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default%C2%BF%27%22%28&pass=Letm3in_"', 'wstg': ['WSTG-INPV-05']},
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter pass', 'level': 4, 'parameter': 'pass', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 41\nContent-Type: application/x-www-form-urlencoded\n\nuname=default&pass=default%C2%BF%27%22%28', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default&pass=default%C2%BF%27%22%28"', 'wstg': ['WSTG-INPV-05']}
    ]
}

Dump of self._flaw_types.keys():

dict_keys(['Backup file', 'Weak credentials', 'CRLF Injection', 'Content Security Policy Configuration', 'Cross Site Request Forgery', 'Potentially dangerous file', 'Command execution', 'Path Traversal', 'Fingerprint web application framework', 'Fingerprint web server', 'Htaccess Bypass', 'HTML Injection', 'HTTP Secure Headers', 'HttpOnly Flag cookie', 'Unencrypted Channels', 'LDAP Injection', 'Log4Shell', 'Open Redirect', 'Reflected Cross Site Scripting', 'Secure Flag cookie', 'Spring4Shell', 'SQL Injection', 'TLS/SSL misconfigurations', 'Server Side Request Forgery', 'Stored HTML Injection', 'Stored Cross Site Scripting', 'Subdomain takeover', 'Blind SQL Injection', 'Unrestricted File Upload', 'XPATH Injection', 'XML External Entity', 'Internal Server Error', 'Resource consumption', 'Review Webserver Metafiles for Information Leakage', 'Fingerprint web technology', 'HTTP Methods'])

This is related to the latest change made to mod_sql:

https://github.com/wapiti-scanner/wapiti/commit/28f786dd0de6004c15403f8760b2032cfe4f76fa?diff=unified&w=0#diff-db48ed409620db2a8ba75ce5ebcd56cb5063506ea1cfd504f338eecc76f75872L388

We need to put back NAME as parameter for add_vuln_critical.

As LDAP injection is also covered by that module we should either:

As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.
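
The mismatch diagnosed above, reduced to a stand-alone sketch (an added example, not code from the issue thread or from Wapiti): findings stored under a decorated category name have no matching definition, so the lookup fails only at report time. Every class and function name is hypothetical, and the two definitions are a constructed subset of the real mapping.

```python
# Added illustration, not Wapiti code: every name here is hypothetical.
# Constructed subset of the category -> definition mapping (self._flaw_types on the page).
FLAW_TYPES = {
    "SQL Injection": {"wstg": ["WSTG-INPV-05"]},
    "Blind SQL Injection": {"wstg": ["WSTG-INPV-05"]},
}
DECORATED = "SQL Injection (DBMS: MySQL)"  # the key from the traceback


class FindingStore:
    """Findings grouped by category name, as in the self._vulns dump."""

    def __init__(self, flaw_types):
        self.flaw_types = flaw_types
        self.vulns = {name: [] for name in flaw_types}

    def add_unchecked(self, category, info):
        # Failure mode: any string silently becomes a new category.
        self.vulns.setdefault(category, []).append({"info": info})

    def add(self, category, info):
        # Fail at insert time, where the traceback names the offending module.
        if category not in self.flaw_types:
            raise ValueError(f"no definition for category {category!r}")
        self.vulns[category].append({"info": info})


def orphan_categories(store):
    """Categories holding findings but lacking a definition (pre-render check)."""
    return sorted(n for n, items in store.vulns.items() if items and n not in store.flaw_types)


def render(store):
    """Stand-in for the template: one definition lookup per category."""
    out = []
    for name, items in store.vulns.items():
        refs = ", ".join(store.flaw_types[name]["wstg"])  # KeyError if undefined
        out.append(f"{name} [{refs}]: {len(items)} finding(s)")
    return out


def crash_key():
    """Reproduce the mismatch and return the key the lookup fails on."""
    store = FindingStore(FLAW_TYPES)
    store.add_unchecked(DECORATED, f"{DECORATED} via injection in the parameter uname")
    try:
        render(store)
    except KeyError as exc:
        return exc.args[0]
    return None
```

Keeping the category fixed and carrying the DBMS detail only in the finding's info string lets the same render succeed, and a scan that took hours does not lose its report to a naming slip.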

bretfourbe commented 2 weeks ago

Hi @devl00p

> We need to put back NAME as parameter for add_vuln_critical.

Yes indeed

> As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.

Why not, if it does not add too much duplicate code