| 1 | + | using System; |
| 2 | + | using System.Collections.Generic; |
| 3 | + | using System.Linq; |
| 4 | + | using System.Management.Automation.Language; |
| 5 | + | using System.Text.RegularExpressions; |
| 6 | + | |
| 7 | + | namespace SharpMapExec.Helpers |
| 8 | + | { |
| 9 | + | public static class Extension |
| 10 | + | { |
| 11 | + | public static bool In(this string source, string toCheck, StringComparison comp) |
| 12 | + | { |
| 13 | + | return source?.IndexOf(toCheck, comp) >= 0; |
| 14 | + | } |
| 15 | + | |
| 16 | + | public static bool In<T>(this T item, bool regex, List<string> items) |
| 17 | + | { |
| 18 | + | if (items == null) |
| 19 | + | throw new ArgumentNullException("items"); |
| 20 | + | |
| 21 | + | if (regex) |
| 22 | + | { |
| 23 | + | string pattern = Regex.Escape(item.ToString()).Replace(@"\*", ".*").Replace(@"\?", "."); |
| 24 | + | return items.Any(testitem => Regex.IsMatch(testitem.ToString(), pattern)); |
| 25 | + | } |
| 26 | + | else |
| 27 | + | { |
| 28 | + | return items.Contains(item.ToString().ToLower()); |
| 29 | + | } |
| 30 | + | } |
| 31 | + | } |
| 32 | + | |
| 33 | + | public class Jea |
| 34 | + | { |
| 35 | + | //https://github.com/mkropat/PowershellAstWriter/blob/48140116ee3cd6ab9f20725c669c6c0fb8e7ce9d/PowershellAstWriterTests/PowershellAstWriterTests.cs |
| 36 | + | |
| 37 | + | public static void RunAllChecks(string scriptblock) |
| 38 | + | { |
| 39 | + | MeasureInvokeExpression(scriptblock); |
| 40 | + | //MeasureAddType(scriptblock); |
| 41 | + | MeasureDangerousMethod(scriptblock); |
| 42 | + | MeasureCommandInjection(scriptblock); |
| 43 | + | MeasureForeachObjectInjection(scriptblock); |
| 44 | + | MeasurePropertyInjection(scriptblock); |
| 45 | + | MeasureMethodInjection(scriptblock); |
| 46 | + | MeasureUnsafeEscaping(scriptblock); |
| 47 | + | } |
| 48 | + | |
| 49 | + | public static void MeasureInvokeExpression(string ScriptBlock) |
| 50 | + | { |
| 51 | + | Token[] token; |
| 52 | + | ParseError[] error; |
| 53 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 54 | + | |
| 55 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 56 | + | { |
| 57 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 58 | + | CommandAst targetAst = new CommandAst(ast.Extent, new[] { derpVar }, TokenKind.Unknown, Enumerable.Empty<RedirectionAst>()); |
| 59 | + | if (targetAst != null) |
| 60 | + | { |
| 61 | + | if (targetAst.CommandElements[0].Extent.Text.In(false, new List<string> { "iex", "invoke-expression" })) |
| 62 | + | { |
| 63 | + | return true; |
| 64 | + | } |
| 65 | + | } |
| 66 | + | return false; |
| 67 | + | }; |
| 68 | + | |
| 69 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 70 | + | if (foundNode != null) |
| 71 | + | { |
| 72 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 73 | + | Console.WriteLine(String.Format(@"Possible script injection risk via the Invoke-Expression cmdlet. Untrusted input can cause arbitrary PowerShell expressions to be run. |
| 74 | + | Variables may be used directly for dynamic parameter arguments, splatting can be used for dynamic parameter names, and the invocation operator can be used for dynamic command names. |
| 75 | + | If content escaping is truly needed, PowerShell has several valid quote characters, so [System.Management.Automation.Language.CodeGeneration]::Escape* should be used. |
| 76 | + | RuleName = InjectionRisk.InvokeExpression |
| 77 | + | Severity = Warning", foundNode.Extent |
| 78 | + | )); |
| 79 | + | } |
| 80 | + | } |
| 81 | + | |
| 82 | + | //public static void MeasureAddType(string ScriptBlock) |
| 83 | + | //{ |
| 84 | + | // Token[] token; |
| 85 | + | // ParseError[] error; |
| 86 | + | // ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 87 | + | // |
| 88 | + | // Func<Ast, bool> predicate = delegate (Ast ast) |
| 89 | + | // { |
| 90 | + | // var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 91 | + | // CommandAst targetAst = new CommandAst(ast.Extent, new[] { derpVar }, TokenKind.Unknown, Enumerable.Empty<RedirectionAst>()); |
| 92 | + | // if (targetAst.CommandElements[0].Extent.Text == "Add-Type") |
| 93 | + | // { |
| 94 | + | // var addTypeParameters = StaticParameterBinder.BindCommand(targetAst); |
| 95 | + | // var typeDefinitionParameter = addTypeParameters.BoundParameters.TypeDefinition; |
| 96 | + | // if (typeDefinitionParameter.ConstantValue) |
| 97 | + | // { |
| 98 | + | // if (addTypeParameters.BoundParameters.TypeDefinition.ValueSystem.Management.Automation.Language.VariableExpressionAst) |
| 99 | + | // { |
| 100 | + | // var variableName = addTypeParameters.BoundParameters.TypeDefinition.Value.VariablePath.UserPath; |
| 101 | + | // var constantAssignmentForVariable = ScriptBlockAst.FindAll(tempvar => tempvar is Ast, true); |
| 102 | + | // if (assignmentAst && assignmentAst.Left.VariablePath.UserPath == variableName && assignmentAst.Right.ExpressionSystem.Management.Automation.Language.ConstantExpressionAst) |
| 103 | + | // { |
| 104 | + | // return true; |
| 105 | + | // } |
| 106 | + | // if (constantAssignmentForVariable != null) |
| 107 | + | // { |
| 108 | + | // return false; |
| 109 | + | // } |
| 110 | + | // else |
| 111 | + | // { |
| 112 | + | // return true; |
| 113 | + | // } |
| 114 | + | // } |
| 115 | + | // return true; |
| 116 | + | // } |
| 117 | + | // } |
| 118 | + | // return false; |
| 119 | + | // }; |
| 120 | + | // |
| 121 | + | // var foundNode = ScriptBlockAst.Find(predicate, true); |
| 122 | + | // if (foundNode != null) |
| 123 | + | // { |
| 124 | + | // Console.WriteLine("[+] Possible injection vulnerability found"); |
| 125 | + | // Console.WriteLine(String.Format(@"Possible code injection risk via the Add-Type cmdlet. Untrusted input can cause arbitrary Win32 code to be run.. |
| 126 | + | //RuleName = InjectionRisk.AddType |
| 127 | + | //Severity = Warning", foundNode.Extent |
| 128 | + | // )); |
| 129 | + | // } |
| 130 | + | //} |
| 131 | + | |
| 132 | + | public static void MeasureDangerousMethod(string ScriptBlock) |
| 133 | + | { |
| 134 | + | Token[] token; |
| 135 | + | ParseError[] error; |
| 136 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 137 | + | |
| 138 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 139 | + | { |
| 140 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 141 | + | var derpVar2 = new StringConstantExpressionAst(ast.Extent, "derbvar2", StringConstantType.BareWord); |
| 142 | + | InvokeMemberExpressionAst targetAst = new InvokeMemberExpressionAst(ast.Extent, derpVar, derpVar2, Enumerable.Empty<ExpressionAst>(), false); |
| 143 | + | if (targetAst != null) |
| 144 | + | { |
| 145 | + | if (targetAst.Member.Extent.Text.In(false, new List<string> { "invokescript", "createnestedpipeline", "addscript", "newscriptblock", "expandstring" })) |
| 146 | + | { |
| 147 | + | return true; |
| 148 | + | } |
| 149 | + | if (targetAst.Member.Extent.Text.In(false, new List<string> { "create" }) && targetAst.Expression.Extent.Text.In(false, new List<string> { "scriptblock" })) |
| 150 | + | { |
| 151 | + | return true; |
| 152 | + | } |
| 153 | + | } |
| 154 | + | return false; |
| 155 | + | }; |
| 156 | + | |
| 157 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 158 | + | if (foundNode != null) |
| 159 | + | { |
| 160 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 161 | + | Console.WriteLine(String.Format(@"Possible script injection risk via the a dangerous method. Untrusted input can cause arbitrary PowerShell expressions to be run. |
| 162 | + | The PowerShell.AddCommand().AddParameter() APIs should be used instead. |
| 163 | + | RuleName = {1} |
| 164 | + | Severity = Warning", foundNode.Extent, foundNode.Extent.Text) |
| 165 | + | ); |
| 166 | + | } |
| 167 | + | } |
| 168 | + | |
| 169 | + | public static void MeasureCommandInjection(string ScriptBlock) |
| 170 | + | { |
| 171 | + | Token[] token; |
| 172 | + | ParseError[] error; |
| 173 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 174 | + | |
| 175 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 176 | + | { |
| 177 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 178 | + | CommandAst targetAst = new CommandAst(ast.Extent, new[] { derpVar }, TokenKind.Unknown, Enumerable.Empty<RedirectionAst>()); |
| 179 | + | if (targetAst != null) |
| 180 | + | { |
| 181 | + | if (targetAst.CommandElements[0].Extent.Text.In(false, new List<string> { "cmd", "powershell" })) |
| 182 | + | { |
| 183 | + | var commandInvoked = targetAst.CommandElements[1]; |
| 184 | + | for (int parameterPosition = 1; parameterPosition < targetAst.CommandElements.Count; parameterPosition++) |
| 185 | + | { |
| 186 | + | if (targetAst.CommandElements[parameterPosition].Extent.Text.In(false, new List<string> { "/c", "/k", "command", "-c", "-enc" })) |
| 187 | + | { |
| 188 | + | commandInvoked = targetAst.CommandElements[parameterPosition + 1]; |
| 189 | + | break; |
| 190 | + | } |
| 191 | + | } |
| 192 | + | if (commandInvoked is ExpandableStringExpressionAst) |
| 193 | + | { |
| 194 | + | return true; |
| 195 | + | } |
| 196 | + | } |
| 197 | + | } |
| 198 | + | return false; |
| 199 | + | }; |
| 200 | + | |
| 201 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 202 | + | if (foundNode != null) |
| 203 | + | { |
| 204 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 205 | + | Console.WriteLine(String.Format(@"Possible command injection risk via calling cmd.exe or powershell.exe. Untrusted input can cause arbitrary commands to be run. |
| 206 | + | Input should be provided as variable input directly (such as 'cmd /c ping $destination', rather than within an expandable string. |
| 207 | + | The PowerShell.AddCommand().AddParameter() APIs should be used instead. |
| 208 | + | RuleName = InjectionRisk.CommandInjection |
| 209 | + | Severity = Warning", foundNode.Extent)); |
| 210 | + | } |
| 211 | + | } |
| 212 | + | |
| 213 | + | public static void MeasureForeachObjectInjection(string ScriptBlock) |
| 214 | + | { |
| 215 | + | Token[] token; |
| 216 | + | ParseError[] error; |
| 217 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 218 | + | |
| 219 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 220 | + | { |
| 221 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 222 | + | CommandAst targetAst = new CommandAst(ast.Extent, new[] { derpVar }, TokenKind.Unknown, Enumerable.Empty<RedirectionAst>()); |
| 223 | + | if (targetAst != null) |
| 224 | + | { |
| 225 | + | if (targetAst.CommandElements[0].Extent.Text.In(false, new List<string> { "foreach", "%" })) |
| 226 | + | { |
| 227 | + | var memberInvoked = targetAst.CommandElements[1]; |
| 228 | + | for (int parameterPosition = 1; parameterPosition < targetAst.CommandElements.Count; parameterPosition++) |
| 229 | + | { |
| 230 | + | if (targetAst.CommandElements[parameterPosition].Extent.Text.In(false, new List<string> { "process", "membername" })) |
| 231 | + | { |
| 232 | + | memberInvoked = targetAst.CommandElements[parameterPosition + 1]; |
| 233 | + | break; |
| 234 | + | } |
| 235 | + | } |
| 236 | + | if (memberInvoked is ConstantExpressionAst && memberInvoked is ScriptBlockExpressionAst) |
| 237 | + | { |
| 238 | + | return true; |
| 239 | + | } |
| 240 | + | } |
| 241 | + | } |
| 242 | + | return false; |
| 243 | + | }; |
| 244 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 245 | + | if (foundNode != null) |
| 246 | + | { |
| 247 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 248 | + | Console.WriteLine(String.Format(@"Possible property access injection via Foreach-Object. Untrusted input can cause arbitrary properties /methods to be accessed: |
| 249 | + | RuleName = InjectionRisk.ForeachObjectInjection |
| 250 | + | Severity = Warning", foundNode.Extent)); |
| 251 | + | } |
| 252 | + | } |
| 253 | + | |
| 254 | + | public static void MeasurePropertyInjection(string ScriptBlock) |
| 255 | + | { |
| 256 | + | Token[] token; |
| 257 | + | ParseError[] error; |
| 258 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 259 | + | |
| 260 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 261 | + | { |
| 262 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 263 | + | var derpVar2 = new StringConstantExpressionAst(ast.Extent, "Derpvr2", StringConstantType.BareWord); |
| 264 | + | InvokeMemberExpressionAst methodAst = new InvokeMemberExpressionAst(ast.Extent, derpVar, derpVar2, Enumerable.Empty<ExpressionAst>(), @static: false); |
| 265 | + | var ast2 = ast.Copy(); |
| 266 | + | var derpVar3 = new VariableExpressionAst(ast2.Extent, "Derp3", splatted: false); |
| 267 | + | var derpVar4 = new StringConstantExpressionAst(ast2.Extent, "Derpvr4", StringConstantType.BareWord); |
| 268 | + | MemberExpressionAst targetAst = new MemberExpressionAst(ast2.Extent, derpVar3, derpVar4, @static: false); |
| 269 | + | if (targetAst != null && methodAst == null) |
| 270 | + | { |
| 271 | + | if (!(targetAst.Member is ConstantExpressionAst)) |
| 272 | + | { |
| 273 | + | return true; |
| 274 | + | } |
| 275 | + | } |
| 276 | + | return false; |
| 277 | + | }; |
| 278 | + | |
| 279 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 280 | + | if (foundNode != null) |
| 281 | + | { |
| 282 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 283 | + | Console.WriteLine(String.Format(@"Possible property access injection via dynamic member access. Untrusted input can cause arbitrary static properties to be accessed: |
| 284 | + | RuleName = InjectionRisk.StaticPropertyInjection |
| 285 | + | Severity = Warning", foundNode.Extent)); |
| 286 | + | } |
| 287 | + | } |
| 288 | + | |
| 289 | + | public static void MeasureMethodInjection(string ScriptBlock) |
| 290 | + | { |
| 291 | + | Token[] token; |
| 292 | + | ParseError[] error; |
| 293 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 294 | + | |
| 295 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 296 | + | { |
| 297 | + | var derpVar = new VariableExpressionAst(ast.Extent, "Derp", splatted: false); |
| 298 | + | var derpVar2 = new StringConstantExpressionAst(ast.Extent, "Derpvr2", StringConstantType.BareWord); |
| 299 | + | InvokeMemberExpressionAst targetAst = new InvokeMemberExpressionAst(ast.Extent, derpVar, derpVar2, Enumerable.Empty<ExpressionAst>(), @static: false); |
| 300 | + | if (targetAst != null) |
| 301 | + | { |
| 302 | + | if (targetAst.Member is ConstantExpressionAst) |
| 303 | + | { |
| 304 | + | return true; |
| 305 | + | } |
| 306 | + | } |
| 307 | + | return false; |
| 308 | + | }; |
| 309 | + | |
| 310 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 311 | + | if (foundNode != null) |
| 312 | + | { |
| 313 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 314 | + | Console.WriteLine(String.Format(@"Possible property access injection via dynamic member access. Untrusted input can cause arbitrary static properties to be accessed: |
| 315 | + | RuleName = InjectionRisk.MethodInjection |
| 316 | + | Severity = Warning", foundNode.Extent)); |
| 317 | + | } |
| 318 | + | } |
| 319 | + | |
| 320 | + | public static void MeasureUnsafeEscaping(string ScriptBlock) |
| 321 | + | { |
| 322 | + | Token[] token; |
| 323 | + | ParseError[] error; |
| 324 | + | ScriptBlockAst ScriptBlockAst = Parser.ParseInput(ScriptBlock, out token, out error); |
| 325 | + | |
| 326 | + | Func<Ast, bool> predicate = delegate (Ast ast) |
| 327 | + | { |
| 328 | + | var leftVariable = new VariableExpressionAst(ast.Extent, "herp", splatted: false); |
| 329 | + | var rightVariable = new VariableExpressionAst(ast.Extent, "derp", splatted: false); |
| 330 | + | var targetAst = new BinaryExpressionAst(ast.Extent, leftVariable, TokenKind.Ieq, rightVariable, ast.Extent); |
| 331 | + | if (targetAst != null) |
| 332 | + | { |
| 333 | + | if (targetAst.Operator.In(false, new List<string> { "replace" }) && targetAst.Right.Extent.Text.In(false, new List<string> { "`", "'" })) |
| 334 | + | { |
| 335 | + | return true; |
| 336 | + | } |
| 337 | + | } |
| 338 | + | return false; |
| 339 | + | }; |
| 340 | + | |
| 341 | + | var foundNode = ScriptBlockAst.Find(predicate, true); |
| 342 | + | if (foundNode != null) |
| 343 | + | { |
| 344 | + | Console.WriteLine("[+] Possible injection vulnerability found"); |
| 345 | + | Console.WriteLine(@"Possible unsafe use of input escaping. Variables may be used directly for dynamic parameter arguments, splatting can be used for dynamic parameter names, |
| 346 | + | and the invocation operator can be used for dynamic command names. If content escaping is truly needed, PowerShell has several valid quote characters, |
| 347 | + | so the [System.Management.Automation.Language.CodeGeneration]::Escape* should be used instead |
| 348 | + | RuleName = InjectionRisk.UnsafeEscaping |
| 349 | + | Severity = Warning"); |
| 350 | + | } |
| 351 | + | } |
| 352 | + | } |
| 353 | + | } |