refining the vstate module and altering reporting behavior slightly

blacklanternsecurity · Nov 27, 2023 · bf88791 · bf88791
1 parent 03fab63
commit bf88791
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 9 deletions.
diff --git a/badsecrets/examples/cli.py b/badsecrets/examples/cli.py
@@ -68,13 +68,13 @@ def report(self):
         elif severity == "INFO":
             severity_color = Fore.BLUE
         print_status(f"Severity: {self.x['description']['severity']}", color=severity_color)
-        print(f"Details: {self.x['details']}")
+        print(f"Details: {self.x['details']}\n")
 
 
 class ReportIdentify(BaseReport):
     def report(self):
         self.print_report(
-            print_status("Cryptographic Product Identified (no vulnerability)\n", color=Fore.YELLOW, passthru=True)
+            print_status("Cryptographic Product Identified (no vulnerability, or not confirmed vulnerable)\n", color=Fore.YELLOW, passthru=True)
         )
         if self.x["hashcat"] is not None:
             print_hashcat_results(self.x["hashcat"])
@@ -117,7 +117,7 @@ def validate_file(file):
 def print_hashcat_results(hashcat_candidates):
     print_status("\nPotential matching hashcat commands:\n", color=Fore.YELLOW)
     for hc in hashcat_candidates:
-        print(f"Module: [{hc['detecting_module']}] {hc['hashcat_description']} Command: [{hc['hashcat_command']}]")
+        print(f"Module: [{hc['detecting_module']}] {hc['hashcat_description']} Command: [{hc['hashcat_command']}]\n")
 
 
 def main():

diff --git a/badsecrets/modules/aspnet_vstate.py b/badsecrets/modules/aspnet_vstate.py
@@ -3,15 +3,21 @@
 from badsecrets.base import BadsecretsBase
 from badsecrets.modules.aspnet_viewstate import ASPNET_Viewstate
 
-# Reference: https://www.graa.nl/articles/2010.html
+# Reference: https://blog.sorcery.ie/posts/higherlogic_rce/
 
 
 class ASPNET_vstate(BadsecretsBase):
     identify_regex = re.compile(r"^H4sI.+$")
     description = {"product": "ASP.NET Compressed Vstate", "secret": "unprotected", "severity": "CRITICAL"}
 
     def carve_regex(self):
-        return re.compile(r"<input.+__VSTATE\"\svalue=\"(H4sI.+)\"")
+        return re.compile(r"<input.+__VSTATE\"\svalue=\"(.*)\"")
+
+    def get_product_from_carve(self, regex_search):
+        product = regex_search.groups()[0]
+        if len(product) == 0:
+            return "EMPTY '__VSTATE' FORM FIELD"
+        return product
 
     def check_secret(self, compressed_vstate):
         if not self.identify(compressed_vstate):
@@ -20,5 +26,4 @@ def check_secret(self, compressed_vstate):
         uncompressed = self.attempt_decompress(compressed_vstate)
         if uncompressed and ASPNET_Viewstate.valid_preamble(uncompressed):
             r = {"source": compressed_vstate, "info": "ASP.NET Vstate (Unprotected, Compressed)"}
-            return {"secret": "UNPROTECTED (compressed)", "details": r}
-        return None
+            return {"secret": "UNPROTECTED (compressed)", "details": r}
diff --git a/tests/all_modules_test.py b/tests/all_modules_test.py
@@ -125,3 +125,24 @@ def test_carve_all_cookies():
         res = requests.get(f"http://cookies.carve-all.badsecrets.com/")
         r_list = carve_all_modules(requests_response=res)
         assert len(r_list) == 7
+
+def test_carve_multiple_vulns():
+
+
+    multiple_vuln_html = """
+    <div class="aspNetHidden">
+<input type="hidden" name="__VSTATE" id="__VSTATE" value="H4sIAAAAAAAA/81VXW/TMBRNltZNsnVsCBCMFwvxAFrVde3G2EORpo6PagJNZOJlqpib3LURiT0cRyg888p/4Q/xW4Zv6w6GG" />
+<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="jxwpcd5AwfMUcwXM5rJFA9dtrSgoT3ezfxneYLjsXW7pB/TjlgNbzsx3dY/P+FlXTZReIQ==" />
+<input type="hidden" name="__VIEWSTATEGENERATOR" value="AAAAAAAA" />
+"""
+
+    with requests_mock.Mocker() as m:
+        m.get(
+        f"http://multiplevulns.carve-all.badsecrets.com/",
+        status_code=200,
+        text=multiple_vuln_html,
+        )
+
+        res = requests.get(f"http://multiplevulns.carve-all.badsecrets.com/")
+        r_list = carve_all_modules(requests_response=res)
+        assert len(r_list) == 2
diff --git a/tests/examples_cli_test.py b/tests/examples_cli_test.py
@@ -184,7 +184,7 @@ def test_example_cli_vulnerable_headersidentifyonly(monkeypatch, capsys):
             "Data Cookie: [session=eyJ1c2VybmFtZSI6IkJib3RJc0xpZmUifQ==] Signature Cookie: [8BrG9wzvqxuPCtKmfgdyXXGGqA7]"
             in captured.out
         )
-        assert "Cryptographic Product Identified (no vulnerability)" in captured.out
+        assert "Cryptographic Product Identified (no vulnerability, or not confirmed vulnerable)" in captured.out
 
 
 def test_example_cli_not_vulnerable_url(monkeypatch, capsys):
@@ -213,7 +213,7 @@ def test_example_cli_identifyonly_url(monkeypatch, capsys):
         cli.main()
         captured = capsys.readouterr()
         print(captured)
-        assert "Cryptographic Product Identified (no vulnerability)" in captured.out
+        assert "Cryptographic Product Identified (no vulnerability, or not confirmed vulnerable)" in captured.out
 
 
 def test_example_cli_identifyonly_hashcat(monkeypatch, capsys):