Merge pull request #85 from blacklanternsecurity/multiarg_product_han…

…dling identify_only multi product display support
blacklanternsecurity · Jul 16, 2023 · 11c6ae7 · 11c6ae7
2 parents 2557c8b + 50078b9
commit 11c6ae7
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 3 deletions.
diff --git a/badsecrets/base.py b/badsecrets/base.py
@@ -44,6 +44,9 @@ def check_secret(self, secret):
     def get_description(self):
         return self.description
 
+    def get_product_from_carve(self, regex_search):
+        return regex_search.groups()[0]
+
     def get_hashcat_commands(self, s):
         return None
 
@@ -117,7 +120,7 @@ def carve(self, body=None, cookies=None, headers=None, requests_response=None, *
                             r = {"type": "IdentifyOnly"}
                             r["hashcat"] = self.get_hashcat_commands(s)
                         if "product" not in r.keys():
-                            r["product"] = s.groups()[0]
+                            r["product"] = self.get_product_from_carve(s)
                         r["location"] = "headers"
                         results.append(r)
 
@@ -134,7 +137,7 @@ def carve(self, body=None, cookies=None, headers=None, requests_response=None, *
                         r = {"type": "IdentifyOnly"}
                         r["hashcat"] = self.get_hashcat_commands(s.groups()[0])
                     if "product" not in r.keys():
-                        r["product"] = s.groups()[0]
+                        r["product"] = self.get_product_from_carve(s)
                     r["location"] = "body"
                     results.append(r)
 

diff --git a/badsecrets/modules/aspnet_viewstate.py b/badsecrets/modules/aspnet_viewstate.py
@@ -198,7 +198,7 @@ def check_secret(self, viewstate_B64, *args):
 
                         product_string = f"Viewstate: {viewstate_B64}"
                         if generator != "0000":
-                            product_string += f" Generator: {generator}"
+                            product_string += f" Generator: {generator[::-1].hex().upper()}"
                         return {"secret": result, "product": product_string, "details": f"Mode [{mode}]"}
         return None
 

diff --git a/badsecrets/modules/express_signedcookies_cs.py b/badsecrets/modules/express_signedcookies_cs.py
@@ -28,6 +28,9 @@ class ExpressSignedCookies_CS(BadsecretsBase):
     def carve_regex(self):
         return re.compile(r"(\w+=[^;]{4,512}).+\w+.sig=([^;]{27,86})")
 
+    def get_product_from_carve(self, regex_search):
+        return f"Data Cookie: [{regex_search.groups()[0]}] Signature Cookie: [{regex_search.groups()[1]}]"
+
     def carve_to_check_secret(self, s):
         if len(s.groups()) == 2:
             r = self.check_secret(s.groups()[0], s.groups()[1])

diff --git a/tests/examples_cli_test.py b/tests/examples_cli_test.py
@@ -80,6 +80,17 @@ def test_examples_cli_manualtwovalues(monkeypatch, capsys):
     )
 
 
+def test_examples_cli_manualtwovalues_identifyonly(monkeypatch, capsys):
+    monkeypatch.setattr(
+        "sys.argv",
+        ["python", "/wEPDwUJODExMDE5NzY5ZGSglOSr1rG6xN5rzh/4C9UEuwa64w==", "EDD8C9AE"],
+    )
+
+    cli.main()
+    captured = capsys.readouterr()
+    assert "Viewstate: /wEPDwUJODExMDE5NzY5ZGSglOSr1rG6xN5rzh/4C9UEuwa64w== Generator: EDD8C9AE" in captured.out
+
+
 def test_examples_cli_url_invalid(monkeypatch, capsys):
     with patch("sys.exit") as exit_mock:
         monkeypatch.setattr("sys.argv", ["python", "--url", "hxxp://notaurl"])
@@ -147,6 +158,33 @@ def test_example_cli_vulnerable_headers(monkeypatch, capsys):
         )
 
 
+def test_example_cli_vulnerable_headersidentifyonly(monkeypatch, capsys):
+    with requests_mock.Mocker() as m:
+        m.get(
+            f"http://example.com/vulnerableexpress_cs.html",
+            status_code=200,
+            text="<html><body>content</body></html>",
+            headers={
+                "X-Powered-By": "Express",
+                "Content-Type": "text/html; charset=utf-8",
+                "Content-Length": "11",
+                "ETag": 'W/"b-LTx1jc/VQrBurpG4w6qnFsu3lHk"',
+                "Set-Cookie": "session=eyJ1c2VybmFtZSI6IkJib3RJc0xpZmUifQ==; path=/; expires=Sun, 16 Jul 2023 19:56:30 GMT; httponly, session.sig=8BrG9wzvqxuPCtKmfgdyXXGGqA7; path=/; expires=Sun, 16 Jul 2023 19:56:30 GMT; httponly",
+                "Date": "Sat, 15 Jul 2023 02:47:13 GMT",
+                "Connection": "close",
+            },
+        )
+
+        monkeypatch.setattr("sys.argv", ["python", "--url", "http://example.com/vulnerableexpress_cs.html"])
+        cli.main()
+        captured = capsys.readouterr()
+        assert (
+            "Data Cookie: [session=eyJ1c2VybmFtZSI6IkJib3RJc0xpZmUifQ==] Signature Cookie: [8BrG9wzvqxuPCtKmfgdyXXGGqA7]"
+            in captured.out
+        )
+        assert "Cryptographic Product Identified (no vulnerability)" in captured.out
+
+
 def test_example_cli_not_vulnerable_url(monkeypatch, capsys):
     with requests_mock.Mocker() as m:
         m.get(