Optimizations + removed reliance on the X-Debug-Token header

Author: aevy-syn

.gitignore

@@ -0,0 +1,2 @@
+.idea
+__pycache__

README.md

@@ -42,7 +42,7 @@ usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...
   █████╗  ██║   ██║███████╗
   ██╔══╝  ██║   ██║╚════██║
   ███████╗╚██████╔╝███████║  Enemies Of Symfony
-  ╚══════╝ ╚═════╝ ╚══════╝  v1.0.0
+  ╚══════╝ ╚═════╝ ╚══════╝  v1.1
 
 positional arguments:
   {scan,sources,get,creds,cookies}
@@ -60,7 +60,6 @@ optional arguments:
 
 examples:
   eos scan http://localhost
-  eos scan -v -t 4 http://localhost
   eos scan --headers 'Cookie: foo=bar; john=doe' 'User-Agent: EOS' -- http://localhost
   eos get http://localhost config/services.yaml
   eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629
@@ -71,9 +70,6 @@ $ eos scan http://localhost --output results
 [+] Starting scan on http://localhost
 [+] 2020-04-23 14:21:26.463352 is a great day
 
-[+] Checks
-[!] Target found in debug mode
-
 [+] Info
 [!]   Symfony 5.0.1
 [!]   PHP 7.3.11-1~deb10u1

eos/__init__.py

@@ -2,7 +2,7 @@
 EOS Package.
 """
 
-__version__ = '1.0.0'
+__version__ = '1.1'
 __banner__ = """
   ███████╗ ██████╗ ███████╗
   ██╔════╝██╔═══██╗██╔════╝

eos/__main__.py

@@ -20,7 +20,6 @@
 
 scan_examples = [
     'eos scan http://localhost',
-    'eos scan -v -t 4 http://localhost',
     "eos scan --headers 'Cookie: foo=bar; john=doe' 'User-Agent: EOS' -- http://localhost",
 ]
 
@@ -45,7 +44,7 @@ class CLI:
     def scan(cls, args):
         """Scan handler."""
         eos = EOS(url=args.url, output=args.output, session=args.session)
-        eos.run(check_only=args.check_only, threads=args.threads)
+        eos.run(threads=args.threads)
 
     @classmethod
     def sources(cls, args):
@@ -140,7 +139,6 @@ def main():
     scan = sub.add_parser('scan', component='Scanner', help='perform a full scan', examples=scan_examples,
                           parents=[common, output, threads])
     scan.add_argument('--timestamps', action='store_true', help='log with timestamps')
-    scan.add_argument('--check-only', action='store_true', help='only check if target is vulnerable')
     scan.set_defaults(handler=CLI.scan)
 
     # Sources

eos/core/engine/worker.py

@@ -66,7 +66,8 @@ def process(self, request):
         :param request: the unprepared request to process
         """
 
-        response = self.session.send(request.prepare())
+        response = self.session.request(
+            method=request.method, url=request.url, params=request.params, data=request.data)
         response.request = request
         self.log.debug('[%d] %s', response.status_code, response.url)
         self.results.append(response)

eos/core/eos.py

@@ -43,18 +43,17 @@ def requests(self):
         """List of previously issued requests."""
         return self.symfony.requests
 
-    def run(self, check_only=False, wordlists=None, threads=10):
+    def run(self, wordlists=None, threads=10):
         """
         Run scan.
 
-        1. Ensure the target is reachable and in debug mode
+        1. Start engine
         2. Load plugins and run them
         3. Output tokens generated from issued requests
 
         Scans can be performed in aggressive mode where aggressive plugins will be run.
         The engine can be configured using a different wordlists and a specific number of threads.
 
-        :param check_only: only perform checks on target, do not run plugins
         :param wordlists: wordlists file or directory
         :param threads: number of workers to run simultaneously
         """
@@ -64,21 +63,15 @@ def run(self, check_only=False, wordlists=None, threads=10):
         self.log.info('%s is a great day', start)
         wordlists = wordlists or self.wordlists
 
-        # Checks
-        print()
-        self.check()
-
-        # Stop if only check
-        if not check_only:
-            # Start engine, load and run plugins
-            engine = Engine(threads, session=self.session)
-            engine.start()
-            try:
-                options = dict(wordlists=wordlists, output=self.output)
-                manager = PluginManager(symfony=self.symfony, engine=engine, **options)
-                manager.run()
-            finally:
-                engine.stop()
+        # Start engine, load and run plugins
+        engine = Engine(threads, session=self.session)
+        engine.start()
+        try:
+            options = dict(wordlists=wordlists, output=self.output)
+            manager = PluginManager(symfony=self.symfony, engine=engine, **options)
+            manager.run()
+        finally:
+            engine.stop()
 
         if self.symfony.files and self.output:
             print()

eos/core/profiler.py

@@ -4,6 +4,8 @@
 Contains a Profiler class for communicating with the Symfony profiler.
 """
 
+import csv
+from io import StringIO
 from pathlib import Path
 from urllib.parse import urljoin
 
@@ -22,6 +24,7 @@ class Profiler(Base):
     """
 
     path = '_profiler'
+    cache_path = 'profiler/index.csv'
 
     def __init__(self, url, session=None):
         """
@@ -32,6 +35,7 @@ def __init__(self, url, session=None):
 
         self._url = urljoin(url + '/', self.path)
         self.session = session or Session()
+        self._cache = None
 
     def get(self, token='', **kwargs):
         """
@@ -85,3 +89,16 @@ def parse_file_preview(data):
     def url(self, token=''):
         """URL builder."""
         return urljoin(self._url + '/' if token else self._url, token)
+
+    def cache(self, symfony_cache=None, refresh=True):
+        if refresh or self._cache is None:
+            cache_path = str(Path(symfony_cache, self.cache_path))
+            index = self.open(cache_path)
+            self._cache = list(csv.reader(StringIO(index)))
+        return self._cache
+
+    def logs(self, filters=None, symfony_cache=None, refresh=True):
+        all = lambda token, ip, method, url, timestamp, x, code: True
+        filters = filters or all
+        wrapper = lambda row: filters(*row)
+        return list(filter(wrapper, self.cache(symfony_cache, refresh)))

eos/plugins/info.py

@@ -35,7 +35,7 @@ def run(self):
         """
 
         # Perform request, and parse it
-        r = self.symfony.profiler.get(self.token, params={'panel': 'config'})
+        r = self.symfony.profiler.get('latest', params={'panel': 'config'})
         soup = self.parse(r.text)
 
         # Version

eos/plugins/logs.py

@@ -1,9 +1,6 @@
 """Request logs EOS plugin."""
 
 import re
-import csv
-from io import StringIO
-from pathlib import Path
 from datetime import datetime
 from urllib.parse import parse_qs
 
@@ -65,7 +62,6 @@ class Plugin(AbstractPlugin):
     """
 
     name = 'Request logs'
-    _cache = 'profiler/index.csv'
 
     usernames = ['user', 'login', 'usr', 'email']
     """List of possible username parameter keys."""
@@ -84,13 +80,8 @@ def run(self):
         """
 
         # Get list of POST requests
-        index = self.symfony.profiler.open(self.cache)
-        if index is not None:
-            self.symfony.files[self.cache] = index
-            rows = csv.reader(StringIO(index))
-            logs = list(row for row in rows if row and row[2] == 'POST')
-        else:
-            logs = self.list(self.limit)
+        filters = lambda token, ip, method, url, timestamp, x, code: method == 'POST'
+        logs = self.symfony.profiler.logs(filters, self.symfony.cache, refresh=False)
 
         # No POST requests
         if not logs:
@@ -150,10 +141,6 @@ def run(self):
             for user in users_without_session:
                 self.log.warning('  %s: %s', user.name, user.password)
 
-    @property
-    def cache(self):
-        return str(Path(self.symfony.cache, self._cache))
-
     def list(self, limit, method='POST'):
         """
         Get the requests list.

eos/plugins/routes.py

@@ -37,16 +37,32 @@ def run(self):
         prevent parameterized routes from matching it.
         """
 
+        token = None
+
+        # Find 404 in cache
+        filters = lambda token, ip, method, url, timestamp, x, code: code == 404
+        logs = self.symfony.profiler.logs(filters, self.symfony.cache, refresh=False)
+
         # Trigger and ensure a 404
-        self.log.debug('Triggering a 404 error')
-        rand = '/'.join(choice(ascii_lowercase) for _ in range(12))
-        r = self.symfony.get(rand)
-        if r.status_code != 404:
-            self.log.error('Target responded with status code %d!', r.status_code)
+        if not logs:
+            self.log.debug('Triggering a 404 error')
+            rand = '/'.join(choice(ascii_lowercase) for _ in range(12))
+            r = self.symfony.get(rand)
+            token = r.token
+            if not r.token:
+                mark = self.symfony.url(rand)
+                filters = lambda token, ip, method, url, timestamp, x, code: url == mark
+                logs = self.symfony.profiler.logs(filters, self.symfony.cache, refresh=True)
+
+        if not logs and not token:
+            self.log.warning('Could not find any suitable 404 response')
             return
 
+        if not token:
+            token = logs[-1][0]
+
         # Check that no route has matched
-        r = self.symfony.profiler.get(r.token, params={'panel': 'router'})
+        r = self.symfony.profiler.get(token, params={'panel': 'router'})
         soup = self.parse(r.text)
         label = soup.find('span', class_='label', string='Matched route')
         route = label.find_previous('span', class_='value').text