Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash on report generation #605

Closed
devl00p opened this issue Jul 8, 2024 · 4 comments
Closed

Crash on report generation #605

devl00p opened this issue Jul 8, 2024 · 4 comments
Assignees
@devl00p

Comments

@devl00p
Copy link
Contributor

devl00p commented Jul 8, 2024

Bumped into that one, requires more investigation. Python 3.12.

[*] Generating report...
Traceback (most recent call last):
  File "/home/devloop/wapiti/./bin/wapiti", line 34, in <module>
    wapiti_asyncio_wrapper()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 496, in wapiti_asyncio_wrapper
    asyncio.run(wapiti_main())
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 194, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/3.12.4/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/main/wapiti.py", line 483, in wapiti_main
    await wap.attack(global_stop_event)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 583, in attack
    await self.write_report()
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/controller/wapiti.py", line 630, in write_report
    self.report_gen.generate_report(self.output_file)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/wapitiCore/report/htmlreportgenerator.py", line 97, in generate_report
    mytemplate.render_unicode(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/template.py", line 443, in render_unicode
    return runtime._render(
           ^^^^^^^^^^^^^^^^
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 874, in _render
    _render_context(
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 916, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/home/devloop/.pyenv/versions/my3124/lib/python3.12/site-packages/mako/runtime.py", line 943, in _exec_template
    callable_(context, *args, **kwargs)
  File "_home_devloop__pyenv_versions_my3124_lib_python3_12_site_packages_wapitiCore_report_template_report_html", line 111, in render_body
KeyError: 'SQL Injection (DBMS: MySQL)'
@devl00p
Copy link
Contributor Author

devl00p commented Jul 10, 2024

Quick way to reproduce:

wapiti -v2 -u http://testphp.vulnweb.com/userinfo.php --flush-session --color --scope page -s http://testphp.vulnweb.com/login.php -m sql

The crash occurs in the HTML report generation, never saw that case before so it is a recent bug.

Mako generation is called in htmlreportgenerator.py:

                mytemplate.render_unicode(
                    wapiti_version=self._infos["version"],
                    target=self._infos["target"],
                    scan_date=self._infos["date"],
                    scan_scope=self._infos["scope"],
                    auth_dict=self._infos["auth"],
                    auth_form_dict=self._infos["auth"]["form"] if self._infos.get("auth") is not None else None,
                    crawled_pages_nbr=self._infos["crawled_pages_nbr"],
                    vulnerabilities=self._vulns,
                    anomalies=self._anomalies,
                    additionals=self._additionals,
                    flaws=self._flaw_types,
                    level_to_emoji=level_to_emoji,
                    detailed_report_level=self._infos["detailed_report_level"]
                )

The most obvious cause concerns the flaw definitions, especially the flaw type should be SQL Injection which has its corresponding vulnerability definition while SQL Injection (DBMS: MySQL) doesn't have it.

Using the debugger, it is easy to check it out.

Dump of self._vulns:

{
    'Backup file': [],
    'Weak credentials': [],
    'CRLF Injection': [],
    'Content Security Policy Configuration': [],
    'Cross Site Request Forgery': [],
    'Potentially dangerous file': [], 
    'Command execution': [],
    'Path Traversal': [],
    'Fingerprint web application framework': [],
    'Fingerprint web server': [],
    'Htaccess Bypass': [], 
    'HTML Injection': [],
    'HTTP Secure Headers': [],
    'HttpOnly Flag cookie': [], 
    'Unencrypted Channels': [],
    'LDAP Injection': [],
    'Log4Shell': [],
    'Open Redirect': [],
    'Reflected Cross Site Scripting': [], 
    'Secure Flag cookie': [], 
    'Spring4Shell': [],
    'SQL Injection': [],
    'TLS/SSL misconfigurations': [],
    'Server Side Request Forgery': [],
    'Stored HTML Injection': [],
    'Stored Cross Site Scripting': [],
    'Subdomain takeover': [], 
    'Blind SQL Injection': [], 
    'Unrestricted File Upload': [],
    'XPATH Injection': [],
    'XML External Entity': [], 
    'SQL Injection (DBMS: MySQL)': [
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter uname', 'level': 4, 'parameter': 'uname', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 42\nContent-Type: application/x-www-form-urlencoded\n\nuname=default%C2%BF%27%22%28&pass=Letm3in_', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default%C2%BF%27%22%28&pass=Letm3in_"', 'wstg': ['WSTG-INPV-05']},
        {'method': 'POST', 'path': '/userinfo.php', 'info': 'SQL Injection (DBMS: MySQL) via injection in the parameter pass', 'level': 4, 'parameter': 'pass', 'referer': 'http://testphp.vulnweb.com/login.php', 'module': 'sql', 'http_request': 'POST /userinfo.php HTTP/1.1\nhost: testphp.vulnweb.com\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncontent-type: application/x-www-form-urlencoded\nreferer: http://testphp.vulnweb.com/login.php\ncontent-length: 41\nContent-Type: application/x-www-form-urlencoded\n\nuname=default&pass=default%C2%BF%27%22%28', 'curl_command': 'curl "http://testphp.vulnweb.com/userinfo.php" -e "http://testphp.vulnweb.com/login.php" -d "uname=default&pass=default%C2%BF%27%22%28"', 'wstg': ['WSTG-INPV-05']}
    ]
}

Dump of self._flaw_types.keys():

dict_keys(['Backup file', 'Weak credentials', 'CRLF Injection', 'Content Security Policy Configuration', 'Cross Site Request Forgery', 'Potentially dangerous file', 'Command execution', 'Path Traversal', 'Fingerprint web application framework', 'Fingerprint web server', 'Htaccess Bypass', 'HTML Injection', 'HTTP Secure Headers', 'HttpOnly Flag cookie', 'Unencrypted Channels', 'LDAP Injection', 'Log4Shell', 'Open Redirect', 'Reflected Cross Site Scripting', 'Secure Flag cookie', 'Spring4Shell', 'SQL Injection', 'TLS/SSL misconfigurations', 'Server Side Request Forgery', 'Stored HTML Injection', 'Stored Cross Site Scripting', 'Subdomain takeover', 'Blind SQL Injection', 'Unrestricted File Upload', 'XPATH Injection', 'XML External Entity', 'Internal Server Error', 'Resource consumption', 'Review Webserver Metafiles for Information Leakage', 'Fingerprint web technology', 'HTTP Methods'])

This is related to the latest change made to mod_sql:

28f786d?diff=unified&w=0#diff-db48ed409620db2a8ba75ce5ebcd56cb5063506ea1cfd504f338eecc76f75872L388

We need to put back NAME as parameter for add_vuln_critical.

As LDAP injection is also covered by that module we should either:

  • import both NAME variables from each definition, use each one accordingly
  • put the ldap logic in a new module (mod_ldap)

As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.

@bretfourbe
Copy link
Collaborator

Hi @devl00p

We need to put back NAME as parameter for add_vuln_critical.

Yes indeed

As there is now an ini file for ldap payloads and functions specific to LDAP it should be better to create a specific module and tackle the bug.

Why not, if it does not add to much duplicate code

@devl00p devl00p self-assigned this Jul 12, 2024
@devl00p
Copy link
Contributor Author

devl00p commented Jul 30, 2024

PR #607

@devl00p devl00p mentioned this issue Jul 30, 2024
Merged
@devl00p
Copy link
Contributor Author

devl00p commented Aug 13, 2024

fixed

@devl00p devl00p closed this as completed Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@devl00p devl00p

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@devl00p @bretfourbe