truefinder / tonbi

TONBI

1. What's TONBI?

TONBI is a source code auditing scanner for framework-based web applications. It hunts for various vulnerabilities in applications built on frameworks such as Laravel, CodeIgniter, Django, Flask, Rails and others. It's simple, easy, and intuitive! It gives the most efficient code auditing method, especially for security researchers, and also for all web application developers.

Frameworks

Supporting: laravel, codeigniter, django, flask, gorilla, ethna, nodejs, rails
Planning: symfony, fuelphp, cakePHP, silex, phalcon, express

Languages

Supporting: go, php, javascript, python, typescript, ruby
Planning: jsp, asp, java, .NET

Views

Supporting: smarty, twig, blade, flexy, electron, slim
Planning: react

2. Install

Download tonbi from github

$ git clone http://github.com/truefinder/tonbi.git

Install yara-python

$ pip install yara-python

But you can also get the source from GitHub and compile it yourself:

$ git clone --recursive https://github.com/VirusTotal/yara-python
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install

Notice the --recursive option used with git. This is important because we need to download the yara subproject containing the source code for libyara (the core YARA library). It’s also important to note that the two methods above link libyara statically into yara-python. If you want to link dynamically against a shared libyara library use:

$ python setup.py build --dynamic-linking

3. Usage

$ python tonbi.py -d SOURCE_DIR -f YOUR_FRAMEWORK -l YOUR_LANGUAGE -v YOUR_VIEW

Options

Usage: tonbi.py [options] args

Options:
  -h, --help            show this help message and exit
  -c CONFIG, --config=CONFIG
                        set configuration file  ex) -c config.json
  -d DIRECTORY, --directory=DIRECTORY
                        set source directory ex ) -d /src
  -l LANGUAGE, --language=LANGUAGE
                        set language  ex) -l php
  -f FRAMEWORK, --framework=FRAMEWORK
                        set framework  ex) -f laravel
  -v VIEW, --view=VIEW  set render or view ex) -v smarty

  Output Options:
    -o OUTPUT, --output=OUTPUT
                        save result into file ex) -o output.txt
    -e EXCLUDE, --exclude=EXCLUDE
                        exclude some vulnerability ex) -e 'ssl_misconfiguration'
    --head=HEAD         show above lines ex) --head 5
    --tail=TAIL         show below lines ex) --tail 5

  Debug Options:
    -D, --debug         debug mode output of dbg_print

4. Config File

Write your own configuration file

config.json looks like this

{
	"source_directory" : "../sample/codeigniter/src",
	"framework_name" : "codeigniter",
	"language" : "php", 
	"view_name" : "twig",
	"head_count" : 5,
	"tail_count" : 5,
	"output" : "output.txt",
	"plugins" : [  ],
	"ignore_files" :  [ "jpg", "png", "jpeg", "ico", "gif", "tif" , "tiff", "bmp",  "db", "css", "map", "md", "gitkeep", "sql", "DS_Store", "js", "properties" , "csv", "gz", "tgz", "zip", "swf", "pyc", "phar" ],
	"ignore_dirs" : ["node_modules"],
	"exclude" : ["ssl_misconfiguration"] 
}

Run tonbi with config file

$ python tonbi.py -c config.json

Config Variables

Name                 Description
source_directory (*) source code directory
framework_name   (*) framework
language         (*) language
view_name            view template engine
head_count           number of lines shown above a match (default: 3)
tail_count           number of lines shown below a match (default: 3)
output               file name the result is written to
plugins              plugins to load from /plugin
ignore_files         file extensions to skip because they are not source code
ignore_dirs          directories you don't want to scan
exclude              vulnerability rules to exclude (ones you already know about)

(*) these variables are essential in your config file
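The following Python is an added example, not tonbi's own code. It shows how a config loader can enforce the three essential keys, fall back to the documented head/tail defaults, and apply ignore_files and ignore_dirs when deciding which files to audit. The names load_config, should_scan and files_to_scan, the sample config and file list, and the merge of command-line values over the file are all assumptions made for this example:

```python
import json
import os

# Keys the README marks with (*): a usable configuration must supply them.
REQUIRED_KEYS = ("source_directory", "framework_name", "language")

# Defaults for the optional keys; head/tail of 3 follow the README table.
DEFAULTS = {
    "view_name": "",
    "head_count": 3,
    "tail_count": 3,
    "output": None,
    "plugins": [],
    "ignore_files": [],
    "ignore_dirs": [],
    "exclude": [],
}


def load_config(text, cli_options=None):
    """Parse config.json text, apply defaults, merge CLI options, validate.

    Merging command-line options (such as -d/-f/-l) over the file is an
    assumption for this example, not documented tonbi behaviour.
    """
    config = dict(DEFAULTS)
    config.update(json.loads(text))
    for key, value in (cli_options or {}).items():
        if value is not None:
            config[key] = value
    missing = [key for key in REQUIRED_KEYS if not config.get(key)]
    if missing:
        raise ValueError("config is missing essential keys: " + ", ".join(missing))
    return config


def should_scan(path, config):
    """Return True when `path` is a source file worth auditing."""
    parts = path.replace("\\", "/").split("/")
    # ignore_dirs matches any directory component on the path.
    if any(part in config["ignore_dirs"] for part in parts[:-1]):
        return False
    # ignore_files lists bare extensions (no dot), as in the README example.
    extension = os.path.splitext(parts[-1])[1].lstrip(".")
    return extension not in config["ignore_files"]


# Constructed sample: a partial config.json without the essential keys,
# the situation behind a KeyError on 'source_directory'.
PARTIAL_CONFIG = """
{
    "head_count": 5,
    "tail_count": 5,
    "ignore_files": ["jpg", "png", "md", "po", "pot", "mo"],
    "ignore_dirs": [".git", "node_modules"]
}
"""

# Constructed file list of the kind a Flask project directory contains.
SAMPLE_PATHS = [
    "src/app.py",
    "src/translations/messages.pot",
    "src/translations/README.md",
    "src/translations/es_ES/LC_MESSAGES/messages.po",
    "src/node_modules/pkg/index.js",
]


def files_to_scan(cli_options):
    """Files left after applying the merged config's ignore rules."""
    config = load_config(PARTIAL_CONFIG, cli_options)
    return [path for path in SAMPLE_PATHS if should_scan(path, config)]


if __name__ == "__main__":
    try:
        load_config(PARTIAL_CONFIG)  # no CLI options: essentials missing
    except ValueError as exc:
        print(exc)
    essentials = {"source_directory": "src", "framework_name": "flask",
                  "language": "python"}
    print(files_to_scan(essentials))  # ['src/app.py']
```

Failing early with a clear message when an essential key is absent, instead of letting a KeyError escape, is the point: the user sees which of -d/-f/-l or config keys to supply.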

5. Rules

How to add your own rules

Add your own rules for your findings (for example : framework)

vi framework/<framework_name>.yar
/* please read the yara rule page
 * https://yara.readthedocs.io/en/stable/writingrules.html
 * note: a literal "(" inside a regex must be escaped as "\(",
 * otherwise it opens a group and the rule fails to compile
 */

rule my_xss : <framework_name>
{
    strings :
        $xss1 = /render\(.*false/
        $xss2 = /autoescape.*false/ nocase
    condition:
        $xss1 or $xss2
}
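As an added example (not part of tonbi or its rule files), the Python below checks the two rule strings against constructed template lines before they are committed to a .yar file. For patterns this simple YARA's regex syntax matches Python's re module, which is used here as an offline stand-in; pattern_error, scan_lines and rule_text are helper names chosen for this example, and the closing yara.compile call is only attempted when yara-python is installed:

```python
import re

# The two strings from the rule above as (pattern, nocase) pairs.
RULE_STRINGS = {
    "$xss1": (r"render\(.*false", False),
    "$xss2": (r"autoescape.*false", True),
}


def pattern_error(pattern):
    """Return the compile error for a bad pattern, or None when it is fine."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def compile_rule_strings(rule_strings):
    # "nocase" in YARA corresponds to re.IGNORECASE here.
    return {
        ident: re.compile(pattern, re.IGNORECASE if nocase else 0)
        for ident, (pattern, nocase) in rule_strings.items()
    }


def scan_lines(rule_strings, lines):
    """Return (line number, string identifier, line) for every hit."""
    compiled = compile_rule_strings(rule_strings)
    hits = []
    for number, line in enumerate(lines, 1):
        for ident, regex in compiled.items():
            if regex.search(line):
                hits.append((number, ident, line.strip()))
    return hits


def rule_text(framework, rule_strings):
    """Render the strings as a YARA rule tagged with the framework name."""
    body = "\n".join(
        "        %s = /%s/%s" % (ident, pattern, " nocase" if nocase else "")
        for ident, (pattern, nocase) in rule_strings.items())
    condition = " or ".join(rule_strings)
    return ("rule my_xss : %s\n{\n    strings:\n%s\n    condition:\n        %s\n}\n"
            % (framework, body, condition))


# Constructed template and view code resembling what the rule targets.
SAMPLE_LINES = [
    '{{ $detail["title"] }}',
    "echo $twig->render('page.html', ['escape' => false]);",
    'return render(request, "page.html", context)',
    "{% autoescape false %}",
    "env = Environment(autoescape=False)",
]


if __name__ == "__main__":
    print(pattern_error("render(.*false"))     # unescaped "(" is rejected
    print(pattern_error(r"render\(.*false"))   # None: the escaped form compiles
    for hit in scan_lines(RULE_STRINGS, SAMPLE_LINES):
        print(hit)
    print(rule_text("laravel", RULE_STRINGS))
    try:
        import yara  # yara-python, if installed
        yara.compile(source=rule_text("laravel", RULE_STRINGS))
        print("rule compiles under yara-python")
    except ImportError:
        print("yara-python not installed; re-based check only")
    except Exception as exc:
        print("yara rejected the rule:", exc)
```

Line 5 of the sample only matches because $xss2 carries nocase; $xss1 is case-sensitive, so a `False` after `render(` would slip past it. That is worth checking with sample input before trusting a rule in an audit.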

6. Plugins

How to write your own plugin

Please create plugin file under /plugin directory

mkdir plugin/your_plugin
cat > plugin/your_plugin/your_plugin.py

Then write a class MyPlugin that defines three methods: init(), audit() and finish()

class MyPlugin:
    def init(self):
        # called once, when the plugin is first loaded
        pass

    def audit(self, audititem):
        # called for every line; audititem (class AuditItem) carries:
        #    .line     <= (string) target line
        #    .i        <= (int) target line number
        #    .filename <= (string) target filename
        #    .lines    <= (string) surrounding lines, for context when you find something
        #    .output   <= (class Output) for your result: audititem.output.list.append("your string")
        pass

    def finish(self):
        # release all resources when the audit is finished
        pass
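As an added example, not tonbi's own code, here is a complete plugin that uses the three methods above to flag Blade raw echoes ({!! ... !!}), which bypass HTML escaping, and attaches head/tail context lines to each finding. The Output and AuditItem classes are minimal stand-ins whose attribute names follow the README; their constructors, the run_plugin driver and the sample template are assumptions made for this example:

```python
import re


# Stand-ins for tonbi's AuditItem and Output: only the attribute names
# (.line, .i, .filename, .lines, .output, output.list) come from the README.
class Output:
    def __init__(self):
        self.list = []


class AuditItem:
    def __init__(self, line, i, filename, lines, output):
        self.line = line          # the line being audited
        self.i = i                # its 1-based line number
        self.filename = filename  # file it came from
        self.lines = lines        # all lines of the file, for context
        self.output = output      # shared Output collecting findings


class MyPlugin:
    """Flags Blade raw echoes ({!! ... !!}), which skip HTML escaping."""
    RAW_ECHO = re.compile(r"\{!!.*?!!\}")
    HEAD = 2  # context lines above a hit, like head_count
    TAIL = 2  # context lines below a hit, like tail_count

    def init(self):
        # first call: set up per-run state
        self.hits = 0

    def audit(self, audititem):
        # called for every line of every audited file
        match = self.RAW_ECHO.search(audititem.line)
        if match is None:
            return
        self.hits += 1
        first = max(0, audititem.i - 1 - self.HEAD)
        last = min(len(audititem.lines), audititem.i + self.TAIL)
        context = "\n".join("%d: %s" % (n + 1, audititem.lines[n])
                            for n in range(first, last))
        audititem.output.list.append(
            "filename : %s\nvulnerability : blade_raw_echo\nmatches : %s\n%s"
            % (audititem.filename, match.group(0), context))

    def finish(self):
        # release per-run state; return the hit count for the driver
        hits, self.hits = self.hits, 0
        return hits


def run_plugin(plugin, filename, lines):
    """Drive a plugin over one file: init, audit per line, finish.
    Returns the collected result strings."""
    output = Output()
    plugin.init()
    for i, line in enumerate(lines, 1):
        plugin.audit(AuditItem(line, i, filename, lines, output))
    plugin.finish()
    return output.list


# Constructed Blade template in the style of the result section below.
SAMPLE_BLADE = [
    "<ul>",
    "  @foreach ($items as $detail)",
    '    <li>{{ $detail["title"] }}</li>',
    '    <span>{!! $detail["information"] !!}</span>',
    "  @endforeach",
    "</ul>",
]


if __name__ == "__main__":
    for finding in run_plugin(MyPlugin(), "index.blade.php", SAMPLE_BLADE):
        print(finding)
        print("=" * 40)
```

The escaped `{{ ... }}` echo on the line above the hit is deliberately left unflagged, so the plugin reports only the construct that actually disables escaping.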

7. Result

==============================================
filename : ../targets/laravel/XXXX-Server/app/Libs/ImageMagic/Convert.php
dangerous php function : cmd_excute
dangerous matches : exec(
tag : php
==============================================
35:      * @return int
36:      */
37:     protected function executeCommand(string $command)
38:     {
39:         Log::debug(__METHOD__ . ' : ' . $command);
40:         exec($command .' 2>&1',$array, $code);
41:         if ($code !== 0) {
42:             // error
43:             $errorMsg = implode($array, "\n");
44:             Log::error(__METHOD__ . ' Convert failed. code: ' . $code);
45:             Log::error($errorMsg);
==================================================
filename : ../targets/laravel/ZZZZZ-server/resources/views/webview/information/index.blade.php
vulnerability : xss
matches : {!! $detail["information"] !!}
tag : laravel
=================================================
140:           @else
141:             <span id="info_new">NEW</span><br>
142:           @endif
143: 
144: 
145:           <span>{!! $detail["information"] !!}</span>
146:         </div>
147:       </a>
148:     </li>
149:     @endforeach
150:   </ul>



Contributors: shawn-seo, truefinder

tonbi's Issues

Hmm... it doesn't seem to scan only Python scripts.

python3 ~/Downloads/tonbi/tonbi.py -d src -p flask -l python

When I ran it like this, it printed the following errors.

[python][flask][] : src/translations/messages.pot
[python][flask][] : src/translations/README.md
[python][flask][] : src/translations/messages.xml
[python][flask][] : src/translations/es_ES/LC_MESSAGES/messages.po
[python][flask][] : src/translations/es_ES/LC_MESSAGES/messages.mo
failed to analysis : one line is too long ... 
failed to analysis : one line is too long ... 
failed to analysis : one line is too long ... 
failed to analysis : one line is too long ... 
failed to analysis : one line is too long ... 
failed to analysis : one line is too long ... 

It looks like it scans every file inside that directory.

Error when mixing the -c option with other options

$ cat ~/Downloads/tonbi/config.json
{
        "head_count" : 5,
        "tail_count" : 5,
        "plugins" : [ "" ],
        "ignore_files" :  [ "jpg", "png", "jpeg", "ico", "gif", "tif" , "tiff", "bmp", ".po" ] ,
        "ignore_dirs" : [ ".git", "node_modules"]
}
$ python3 ~/Downloads/tonbi/tonbi.py -c ~/Downloads/tonbi/config.json -d src -p flask -l python --exclude=sql_injection1 --exclude=sql_injection_var --exclude=sql_injection_raw
load config setting 
Traceback (most recent call last):
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 555, in <module>
    main()
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 498, in main
    load_config()
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 136, in load_config
    config.source_directory = config_dic["source_directory"] 
KeyError: 'source_directory'

With the config file set up as shown above and the command run as shown above, an error occurs.

Wrong ruleset: file_temper

It reports the following, but I suspect the rule itself is wrong.

==================================================
filename : src/mudfish.py
vulnerability : file_temper
matches : link(
=================================================
249:     return href
250: app.jinja_env.globals.update(a_link_raw=a_link_raw)
251: 
252: def a_link(href, icon, color="gray", title="", subject=""):
253:     href = a_link_raw(href)
254:     if len(subject) > 0:
255:         subject = " " + mud_gettext(subject)

Wrong ruleset: sql_injection1

==================================================
filename : src/mudfish.py
vulnerability : sql_injection1
matches : execute(
tag : python
=================================================
630:     if conn == None:
631:         return None
632:     cursor = conn.cursor()
633:     cursor.execute("""
634:         SELECT
635:             `mudfish.fullvpn_sid`,
636:             `mudfish.fullvpn_vid`,

For this part, the full statement is shown below; even though the argument is passed as a tuple, it reports a SQL injection issue.

    cursor.execute("""
        SELECT
            `mudfish.fullvpn_sid`,
            `mudfish.fullvpn_vid`,
            .....
            `mudflow.rttmethod`
        FROM users_conf WHERE uid=%s""", (uid, ))

Issue: no way to tell it is for python3..

At first I assumed it was python2 and tried it, then confirmed it was written for python3.

There should be a line like #!/usr/bin/python3 at the top, or it should be stated somewhere that it is for python3.

Feature request: ability to ignore specific vulnerabilities.

Running it on my current source produces too many (probable) false-positive reports related to sql_injection, so I would like an option that either keeps specific vulnerabilities from running at all or omits them from the report results.

==================================================
filename : src/mudfish.py
vulnerability : sql_injection1
matches : cursor.execute(
tag : python
=================================================
630:     if conn == None:
631:         return None
632:     cursor = conn.cursor()
633:     cursor.execute("""
634:         SELECT
635:             `mudfish.fullvpn_sid`,
636:             `mudfish.fullvpn_vid`,

For example, entering --exclude=sql_injection1 --exclude=sql_injection_var would make the sql_injection1 and sql_injection_var rules not run, or not be reported.

KeyError: 0 issue

Running it gives the following error

$ python3 tonbi.py -d ~/Sources/src/ -p flask -l python
check configuration
load platform ...
load language ...
load plugins ...
start audit ...
audit file with yara : /home/weongyo/Sources/src/mudfish_conf.py
audit file with yara : /home/weongyo/Sources/src/mudfish_form.py
audit file with yara : /home/weongyo/Sources/src/mudfish.py
==> {'main': [{'strings': [{'identifier': '$file11', 'flags': 19, 'data': 'link(', 'offset': 6}], 'meta': {}, 'rule': 'file_temper', 'matches': True, 'tags': []}]}
Traceback (most recent call last):
  File "tonbi.py", line 475, in <module>
    main()
  File "tonbi.py", line 468, in main
    start_audit() 
  File "tonbi.py", line 231, in start_audit
    walk_around( config.source_directory) 
  File "tonbi.py", line 400, in walk_around
    yara_audit(full_filename)
  File "tonbi.py", line 361, in yara_audit
    yara_add_vulnerability(filename, lines, matches[0]) 
KeyError: 0

The content of the matches variable is on the ==> line..

relative path issue

After installing, I naturally tried running it from the directory containing the web source, like this..

$ python ~/Downloads/tonbi/tonby.py -d src/ -p flask -l python

It fails with the following error.

check configuration
load platform ...
Traceback (most recent call last):
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 475, in <module>
    main()
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 460, in main
    yara_load_platform() 
  File "/home/weongyo/Downloads/tonbi/tonbi.py", line 139, in yara_load_platform
    with open( filename  ) as f : 
FileNotFoundError: [Errno 2] No such file or directory: './platform/flask.yar'

Documentation issue regarding the yara dependency

On Ubuntu I had to install the libyara3 package... It should be documented somewhere so users don't get confused..

Also, running tonby.py shows the following.. libyara.so was a file from the python-yara package, and in the end I had to force a soft-link with the ln -s command... It was confusing..

$ python3 tonbi.py 
Failed to import '/usr/lib/libyara.so'
PATH = /bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/home/weongyo/.local/bin;/usr/lib
Traceback (most recent call last):
  File "tonbi.py", line 6, in <module>
    import yara 
  File "/home/weongyo/.local/lib/python3.5/site-packages/yara/__init__.py", line 7, in <module>
    from yara.rules import compile
  File "/home/weongyo/.local/lib/python3.5/site-packages/yara/rules.py", line 17, in <module>
    from yara.libyara_wrapper import *
  File "/home/weongyo/.local/lib/python3.5/site-packages/yara/libyara_wrapper.py", line 315, in <module>
    libyaradll = cdll.LoadLibrary(library)
  File "/usr/lib/python3.5/ctypes/__init__.py", line 425, in LoadLibrary
    return self._dlltype(name)
  File "/usr/lib/python3.5/ctypes/__init__.py", line 347, in __init__
    self._handle = _dlopen(self._name, mode)
OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory

Wrong ruleset: sql_injection_raw

==================================================
filename : src/mudfish.py
vulnerability : sql_injection_raw
matches : query
tag : sql
=================================================
387:             host = "http://" + x_host
388:     query = ""
389:     if needRedirect and urlkey == "signin":
390:         query = "?url=%s" % urllib.quote(request.url)
391:     return redirect(host + url_for(urlkey) + query)
392: 
393: def redirect_error(urlkey, msg, needRedirect=False):

This part has nothing to do with SQL, but it seems to treat it as SQL.
