Merge pull request #130 from blacklanternsecurity/main

Main->Dev Sync
blacklanternsecurity · Oct 9, 2024 · d4a68a7 · d4a68a7
2 parents 4b12ac4 + 46255fb
commit d4a68a7
Show file tree

Hide file tree

Showing 8 changed files with 570 additions and 563 deletions.
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ Inspired by [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r), with a de
 | Express_SignedCookies_ES | Checks express.js express-session middleware for signed cookies and session cookies for known 'session secret' |
 | Express_SignedCookies_CS | Checks express.js cookie-session middleware for signed cookies and session cookies for known secret |
 | Laravel_SignedCookies | Checks 'laravel_session' cookies for known laravel 'APP_KEY' |
-| ASPNET_Vstate      | Checks for a once popular custom compressed Viewstate [code snippet](https://www.graa.nl/articles/2010.html) vulnerable to RCE|
+| ASPNET_Vstate      | Checks for a once popular custom compressed Viewstate [code snippet](https://blog.sorcery.ie/posts/higherlogic_rce/) vulnerable to RCE|
 
 ## Installation
 

diff --git a/badsecrets/examples/cli.py b/badsecrets/examples/cli.py
@@ -5,7 +5,7 @@
 
 from badsecrets.base import check_all_modules, carve_all_modules, hashcat_all_modules
 from badsecrets.helpers import print_status
-import pkg_resources
+from importlib.metadata import version, PackageNotFoundError
 import requests
 import argparse
 import sys
@@ -30,10 +30,12 @@
 
 
 def print_version():
-    version = pkg_resources.get_distribution("badsecrets").version
-    if version == "0.0.0":
-        version = "ersion Unknown (Running w/poetry?)"
-    print(f"v{version}\n")
+    try:
+        dist_version = version("badsecrets")
+    except PackageNotFoundError:
+        dist_version = "ersion Unknown (Running w/poetry?)"
+
+    print(f"v{dist_version}\n")
 
 
 class CustomArgumentParser(argparse.ArgumentParser):
@@ -104,9 +106,12 @@ def validate_file(file):
 
 
 def print_hashcat_results(hashcat_candidates):
-    print_status("\nPotential matching hashcat commands:\n", color="yellow")
-    for hc in hashcat_candidates:
-        print(f"Module: [{hc['detecting_module']}] {hc['hashcat_description']} Command: [{hc['hashcat_command']}]\n")
+    if hashcat_candidates:
+        print_status("\nPotential matching hashcat commands:\n", color="yellow")
+        for hc in hashcat_candidates:
+            print(
+                f"Module: [{hc['detecting_module']}] {hc['hashcat_description']} Command: [{hc['hashcat_command']}]\n"
+            )
 
 
 def main():

diff --git a/badsecrets/modules/aspnet_vstate.py b/badsecrets/modules/aspnet_vstate.py
@@ -11,7 +11,7 @@ class ASPNET_vstate(BadsecretsBase):
     description = {"product": "ASP.NET Compressed Vstate", "secret": "unprotected", "severity": "CRITICAL"}
 
     def carve_regex(self):
-        return re.compile(r"<input.+__VSTATE\"\svalue=\"(.*)\"")
+        return re.compile(r"<input[^>]+__VSTATE\"\s*value=\"(.*?)\"")
 
     def get_product_from_carve(self, regex_search):
         product = regex_search.groups()[0]

diff --git a/badsecrets/modules/express_signedcookies_cs.py b/badsecrets/modules/express_signedcookies_cs.py
@@ -16,17 +16,16 @@ def no_padding_urlsafe_base64_encode_cs(enc):
 
 class ExpressSignedCookies_CS(BadsecretsBase):
     check_secret_args = 2
-    identify_regex = re.compile(r"\w+\=eyJ[A-Za-z0-9=\\_]+")
+    identify_regex = re.compile(r"\w{1,200}\=eyJ[A-Za-z0-9=\\_]{4,512}")
     signature_regex = re.compile(r"^[A-Za-z0-9_-]{27}$")
-    # identify_regex =
     description = {
         "product": "Express.js Signed Cookie (cookie-session)",
         "secret": "Express.js Secret (cookie-session)",
         "severity": "HIGH",
     }
 
     def carve_regex(self):
-        return re.compile(r"(\w{1,64})=([^;]{4,512});.*?\1\.sig=([^;]{27,86})")
+        return re.compile(r"(\w{1,64})=([^;]{4,512});.{0,100}?\1\.sig=([^;]{27,86})")
 
     def get_product_from_carve(self, regex_search):
         return f"Data Cookie: [{regex_search.groups()[0]}={regex_search.groups()[1]}] Signature Cookie: [{regex_search.groups()[2]}]"

diff --git a/badsecrets/modules/jsf_viewstate.py b/badsecrets/modules/jsf_viewstate.py
@@ -176,7 +176,10 @@ def myfaces_decrypt(self, ct_bytes, password_bytes, dec_algos, hash_sizes):
 
     def get_hashcat_commands(self, jsf_viewstate_value, *args):
         commands = []
-        decoded_viewstate = base64.b64decode(urllib.parse.unquote(jsf_viewstate_value))
+        try:
+            decoded_viewstate = base64.b64decode(urllib.parse.unquote(jsf_viewstate_value))
+        except binascii.Error:
+            return []
         sig = decoded_viewstate[:32]
         data = decoded_viewstate[32:]
 

diff --git a/badsecrets/resources/express_session_secrets.txt b/badsecrets/resources/express_session_secrets.txt
@@ -163,6 +163,7 @@ $uper$ecret$e$$ionKey
 8b2864a9c1da71b4ccefe6872e8b9594
 8b9f1a13d558c663ad474fe69cd3a004387c008b
 8d24f7b0d358a923
+9238cca11a83d473e10981c49c4f
 923903nsdklfwsu83838
 96826587412301
 97ba74d6ad6634e4e480d9619d1623dd
@@ -242,6 +243,7 @@ adfasdfa
 adfasdfsd*&$43$*(Ggfdgdfgsdfg)
 adgnjhu6342cdfgdf
 Adrian
+af9442683372850a85a87150c47b4a31
 Affidaluffendorpfi
 agent, 007
 agsf-asdf-2r2d-SÄP#%ER-adsf
@@ -699,6 +701,7 @@ express.io makes me very happy
 expressbasicsisareallyawesomeapp
 expressbasicsisareallycoolapp
 expressive-fothzxhcgl9wiks
+extremely-secure-keyboard-cat
 ezSQL and ezAuth
 F1F2F3F4F5F6
 f541b79594f6e0d176058bd4e17874e397e89145
@@ -1827,6 +1830,7 @@ somethingsomething
 Somethingsomething1234!test
 SOMETHINGSUPERSECRET
 SomethingYouKnow
+someVerySecureString
 Sommer
 sonotsecret
 Sonrascrocks!