Agartha
A Burp Suite extension for identifying injection flaws (LFI, RCE, SQLi), authentication/authorization issues, and HTTP 403 access violations. It supports dynamic payload generation, including BCheck syntax, and can automatically generate Bambdas scripts. Additionally, it offers "Copy as JavaScript" to convert HTTP requests for enhanced XSS testing.
Payload Injection (LFI, RCE, SQLi, with optional BCheck), Auth Issues (Access Matrix, HTTP 403), Copy as JavaScript, and Bambdas
<hr/>Agartha specializes in advanced payload generation and access control assessment. It identifies vulnerabilities related to injection attacks and authentication/authorization issues. The dynamic payload generator crafts extensive wordlists for various injection vectors, including SQL Injection, Local File Inclusion (LFI), and Remote Code Execution (RCE). Furthermore, the extension constructs a comprehensive user access matrix, revealing potential access violations and privilege escalation paths. It also assists in performing HTTP 403 bypass checks, shedding light on auth misconfigurations. Additionally, it can convert HTTP requests to JavaScript code to help dig deeper into XSS issues.
In summary:
- Payload Generator: It dynamically constructs comprehensive wordlists for injection attacks, incorporating various encoding and escaping characters to enhance the effectiveness of security testing. These wordlists cover critical vulnerabilities such as SQL Injection (SQLi), Local File Inclusion (LFI), Remote Code Execution (RCE), and now also support BCheck syntax for seamless integration with Burp's BCheck framework.
  - Local File Inclusion, Path Traversal: It helps identify vulnerabilities that allow attackers to access files on the server's filesystem.
  - Remote Code Execution, Command Injection: It aims to detect potential command injection points, enabling robust testing for code execution vulnerabilities.
  - SQL Injection: It helps uncover SQL Injection vulnerabilities, including Stacked Queries, Boolean-Based, Union-Based, and Time-Based.
- Auth Matrix: By constructing a comprehensive access matrix, the tool reveals potential access violations and privilege escalation paths. This feature enhances security posture by addressing authentication and authorization issues.
  - You can use the web Spider feature to generate a sitemap/URL list, and it will crawl visible links from the user's session automatically.
- 403 Bypass: It aims to tackle common access restrictions, such as HTTP 403 Forbidden responses. It utilizes techniques like URL manipulation and request header modification to bypass implemented limitations.
- Copy as JavaScript: It converts HTTP requests to JavaScript code for further XSS exploitation and more.
- Bambdas Script Generator: The feature supports automatic generation of Bambdas-compatible scripts based on user input. It eliminates the need for manual coding, enabling faster creation of custom scripts and streamlining integration with the Bambdas engine.<br/><br/>
Here is a short tutorial on how to use it.
Installation
You should download the 'Jython' file and set up your environment first:
- Burp Menu > Extender > Options > Python Environment > Locate Jython standalone jar file.
You can install Agartha through the official store:
- Burp Menu > Extender > BApp Store > Agartha
Or for manual installation:
- Burp Menu > Extender > Extensions > Add > Extension Type: Python > Extension file(.py): Select 'Agartha.py' file
Afterwards, you will see the 'Agartha' tab in the main window, and it will also be registered in the right-click menu, under:
- 'Extensions > Agartha', with three sub-menus:
  - 'Auth Matrix'
  - '403 Bypass'
  - 'Copy as JavaScript'

<img width="600" alt="Agartha Menu" src="https://github.com/user-attachments/assets/95be70fe-184c-4195-9455-8c3930926fcc">
<br/><br/>
Local File Inclusion / Path Traversal
It supports both Unix and Windows file syntaxes, enabling dynamic wordlist generation for any desired path. Additionally, it can attempt to bypass Web Application Firewall (WAF) implementations, with various encodings and other techniques.
- 'Depth' specifies how many directory levels the traversal wordlist covers. Wordlists are generated for every level up to and including this value. The default value is 5.
- 'Waf Bypass' asks whether you want to enable all bypass features, such as the use of null bytes, various encoding techniques, and other methods to circumvent web application firewalls.
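The wordlist described above exercises traversal depth, URL-encoding and null bytes, so the server-side check it tests has to decide on the fully decoded, normalised path. The following is an added example of such a check, not code from Agartha; `BASE_DIR`, `MAX_DECODE_ROUNDS`, `resolve_safe` and the sample requests are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/files"  # assumed document root (hypothetical)
MAX_DECODE_ROUNDS = 3        # assumed limit on nested URL-encoding


def resolve_safe(user_path, base_dir=BASE_DIR):
    """Return the canonical path inside base_dir, or None if rejected."""
    decoded = user_path
    # Decode repeatedly so single- and double-encoded input ends up in
    # the same form the filesystem layer would eventually see.
    for _ in range(MAX_DECODE_ROUNDS):
        once_more = unquote(decoded)
        if once_more == decoded:
            break
        decoded = once_more
    else:
        return None  # still changing after the limit: refuse to guess

    if "\x00" in decoded:
        return None  # a null byte is never valid in a file name

    # Treat Windows separators like Unix ones before normalising.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))

    # Confinement check on the normalised result, not on the raw string.
    # (On a real filesystem, also resolve symlinks with os.path.realpath.)
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


# Constructed sample requests covering the wordlist's technique classes.
SAMPLES = [
    "reports/q1.pdf",                  # legitimate
    "../../etc/passwd",                # plain traversal, depth 2
    "%2e%2e%2f%2e%2e%2fetc/passwd",    # URL-encoded
    "..%252f..%252fetc%252fpasswd",    # double URL-encoded
    "reports/q1.pdf%00.png",           # null byte
    "..\\..\\windows\\win.ini",        # Windows separators
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", resolve_safe(sample))
```

Running the generated wordlist against an endpoint that applies this kind of check should produce only rejections; any payload that returns file content points to a decoding or normalisation step that happens after the check.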
<img width="1000" alt="Directory Traversal/Local File Inclusion wordlist" src="https://github.com/volkandindar/agartha/assets/50321735/b457e6c2-0829-4959-84aa-9116886b99f7"><br/><br/>
Remote Code Execution / Command Injection
It generates dynamic wordlists for command execution based on the supplied command. It combines various separators and terminators for both Unix and Windows environments.
- 'URL Encoding' encodes the output.
<img width="1000" alt="Remote Code Execution wordlist" src="https://github.com/volkandindar/agartha/assets/50321735/d28c12c9-c6fb-4509-9299-888f3f048c12"><br/><br/>
SQL Injection
It generates payloads for various types of SQL injection attacks, including Stacked Queries, Boolean-Based, Union-Based, and Time-Based. It doesn’t require any user input; you simply select the desired SQL attack types and databases, and it generates a wordlist with different combinations.
- 'URL Encoding' encodes the output.
- 'Waf Bypass' asks whether you want to enable all bypass features, such as the use of null bytes, various encoding techniques, and other methods to circumvent web application firewalls.
- 'Union-Based' requires the specified depth for payload generation. You can create wordlists that reach up to the given value. The default value is 5.
- The remaining aspects pertain to database types and various attack vectors.
<img width="1000" alt="SQL Injection wordlist" src="https://github.com/volkandindar/agartha/assets/50321735/51a010b6-4d9a-4dc9-a634-b353f6b30b95"><br/><br/>
BCheck Code Generator
BCheck is Burp Suite's framework for creating and importing custom scan checks. These user-defined checks run alongside Burp Scanner’s built-in routines, allowing you to tailor scans to specific vulnerabilities or testing needs. By using BChecks, you can extend Burp’s scanning capabilities and streamline your workflow for more targeted and efficient assessments. Now you can generate the code automatically:
<img width="1000" alt="BCheck Code Generator" src="https://github.com/user-attachments/assets/a614dc20-dfce-4449-ba47-7762158da6db">

- You can click the “Generate the Payloads” button in the blue box above to create a classic wordlist, which can be used manually in Burp's Intruder or Repeater.
- Now, you also have the option to click the “Generate payloads for BCheck” button in the red box to generate the same payloads formatted in BCheck syntax, ready to be used in scans.
Please be aware that as the Bambdas script increases in size, it may cause performance issues, particularly during scanning. Larger scripts can slow down responsiveness, increase memory usage, and lead to delays in executing tasks.
<img width="1000" alt="BCheck Code Generator" src="https://github.com/user-attachments/assets/c38b5816-2a24-4f13-b3f3-a7c62b3ca236">

After clicking the "Generate payloads for BCheck" button, the BCheck code will be automatically copied to your clipboard.
Next, go to 'Extensions > BChecks > New > Blank' from the Burp Suite menu, and simply paste the generated code.
Your payloads are now integrated into a BCheck. You can either manually send or scan HTTP requests, or initiate a Burp scan that incorporates BCheck controls to automatically test the injection payloads generated by the tool.
- Manual scanning: Right-click an HTTP request and select "Send to BChecks Editor". Then click the generated BCheck item and select "Run test".
- Automatic scanning: Right-click an HTTP request, choose 'Open Scan Launcher', then go to 'Scan configuration > Select from library > Audit checks – BChecks only'. Close the dialog, and your scan will now run exclusively with the BChecks you have defined.
Fine-tuning advice: The generated code serves as a template and may require some adjustments, as behavior can vary between different applications and servers.
Refining filters—such as specifying HTTP response codes or keywords within responses—can help reduce false positives and make the results more precise and less noisy.<br/><br/>
Authorization Matrix / User Access Table
This part focuses on analyzing user session and URL relationships to identify access violations. The tool systematically visits all URLs associated with pre-defined user sessions and populates a table with HTTP responses. Essentially, it creates an access matrix, which aids in identifying authentication and authorization issues. Ultimately, this process reveals which users can access specific page contents.
- You can right-click on any request and navigate to 'Extensions > Agartha > Auth Matrix' to define user sessions.
- Next, you need to provide the URL addresses that the user (HTTP header/session owner) can access. You can utilize the web 'Spider' feature for automated crawling or supply a manually curated list of URLs.
- Afterward, you can use the 'Add User' button to include the user sessions.
- Now, it's ready for execution. Simply click the 'Run' button, and the table will be populated accordingly.
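How a populated access matrix can be read, as an added example that is not Agartha's own code: each non-owner response is compared with the owner's response for the same URL. The user names, URLs, status codes, body lengths and the 5% length tolerance are all constructed assumptions.

```python
# Constructed data: URLs each session is expected to reach.
EXPECTED = {
    "admin": {"/dashboard", "/profile", "/admin/users",
              "/admin/audit", "/admin/export"},
    "alice": {"/dashboard", "/profile"},
    "anon": set(),  # unauthenticated session
}

# Constructed observations: url -> session -> (HTTP status, body length).
OBSERVED = {
    "/dashboard":    {"admin": (200, 5120),  "alice": (200, 5090),  "anon": (302, 0)},
    "/profile":      {"admin": (200, 2100),  "alice": (200, 2140),  "anon": (302, 0)},
    "/admin/users":  {"admin": (200, 8400),  "alice": (403, 310),   "anon": (302, 0)},
    "/admin/audit":  {"admin": (200, 12000), "alice": (200, 11980), "anon": (302, 0)},
    "/admin/export": {"admin": (200, 40960), "alice": (200, 512),   "anon": (200, 40955)},
}


def is_success(status):
    return 200 <= status < 300


def find_violations(expected, observed, tolerance=0.05):
    """Return (session, url, owner) where a non-owner got the owner's content."""
    violations = []
    for url in sorted(observed):
        owners = sorted(u for u in expected if url in expected[u])
        for session in sorted(observed[url]):
            if session in owners:
                continue
            status, length = observed[url][session]
            if not is_success(status):
                continue  # 302/401/403: denied as intended
            for owner in owners:
                o_status, o_length = observed[url][owner]
                # A 200 with a very different size is likely an error page
                # (soft denial), so require a body close to the owner's.
                if is_success(o_status) and abs(length - o_length) <= tolerance * o_length:
                    violations.append((session, url, owner))
                    break
    return violations


if __name__ == "__main__":
    for session, url, owner in find_violations(EXPECTED, OBSERVED):
        print(f"{session} can read {url} (matches {owner}'s response)")
```

Status code alone is not enough: `/admin/export` returns 200 to both non-owners here, but only the unauthenticated session receives a body matching the owner's.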
A few more details:
- This is the field where you enter the username for the session you provide. You can add up to four different users, with each user being assigned a unique color to enhance readability.
- The 'Add User' button allows you to include user sessions in the matrix.
- You can change the HTTP request method to 'GET', 'POST', or 'Dynamic', the latter of which is based on proxy history.
- The 'Reset' button clears all contents.
- The 'R
