RubyGems - sitecore_scan - Versions diffs - 0.0.2 - Mend

sitecore_scan 0.0.2

Files changed (4) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OGExOWRjNzc1NjRiNWYzZmQ5NjYyMGZjOTk4MmQ4ZDRjY2YyNWRkMw==
+  data.tar.gz: !binary |-
+    NDU2NWU1ZTc0MWNhZDEyNmY3NzMwNDdkNmFlZWM4YjU3NDZlNjE2MQ==
+SHA512:
+  metadata.gz: !binary |-
+    Y2Q2NGU2MjMzNjJlODlhNmM5OGQxM2ZiMWJiOWE3ZGUzOTlmZDgyNGE3OTc0
+    Zjk2N2YyODJlN2Y1YzhjYjBkYTVhMmQ4MzhhNGYxYWZiZDliODUwNzVmMDQ5
+    MmMyYWE3OTE0Y2ZmYWRkNTUxZGNkNmRlNzYwMzBhMGRkM2EyNzA=
+  data.tar.gz: !binary |-
+    MDFiM2QyYmZmZGY0NWNiNjNhNzJjMWE3NGY1ODRiNmE4MDk1ZGQxMTlhN2E4
+    MDJkNGRmMzZmMDJhYzJlMDI5NDg3OTk0ZmRjODYwYmE3M2QzZDkyMmY0NTM3
+    MzQ3MjQxYWI3ZmVmZTVkOWJlZjEyNjYyNGVhZmYyZTE2NDFhNjM=

data/bin/sitecore-scan ADDED Viewed

@@ -0,0 +1,133 @@
+#!/usr/bin/env ruby
+#
+# This file is part of SitecoreScan
+# https://github.com/bcoles/sitecore_scan
+#
+require 'sitecore_scan'
+require 'optparse'
+require 'resolv'
+def banner
+  puts "
+   _____ _ _                           _____
+  / ____(_) |                         / ____|
+ | (___  _| |_ ___  ___ ___  _ __ ___| (___   ___ __ _ _ __
+  \\___ \\| | __/ _ \\/ __/ _ \\| '__/ _ \\\\___ \\ / __/ _` | '_ \\
+  ____) | | ||  __/ (_| (_) | | |  __/____) | (_| (_| | | | |
+ |_____/|_|\\__\\___|\\___\\___/|_|  \\___|_____/ \\___\\__,_|_| |_|
+                                               version 0.0.2"
+  puts
+  puts '-' * 60
+end
+banner
+options = {}
+opts = OptionParser.new do |o|
+  o.banner = "Usage: sitecore-scan [options]"
+  o.on('-u URL', '--url URL', 'Sitecore URL to scan') do |v|
+    unless v.match(%r{\Ahttps?://})
+      puts "- Invalid URL: #{v}"
+      exit(1)
+    end
+    options[:url] = v
+  end
+  o.on('-s', '--skip', 'Skip check for Sitecore') do
+    options[:skip] = true
+  end
+  o.on('-i', '--insecure', 'Skip SSL/TLS validation') do
+    options[:insecure] = true
+  end
+  o.on('-v', '--verbose', 'Enable verbose output') do
+    options[:verbose] = true
+  end
+  o.on('-h', '--help', 'Show this help') do
+    puts opts
+    exit
+  end
+end
+opts.parse!
+if options[:url].nil?
+ puts opts
+ exit(1)
+end
+def scan(url, check: true, insecure: false, verbose: false)
+  SitecoreScan.logger = ::Logger.new($stdout).tap do |log|
+    log.progname = 'sitecore-scan'
+    log.level = verbose ? ::Logger::INFO : ::Logger::WARN
+    log.datetime_format = '%Y-%m-%d %H:%M:%S '
+  end
+  SitecoreScan.insecure = insecure
+  puts "Scan started at #{Time.now.getutc}"
+  puts "URL: #{url}"
+  # parse URL
+  target = nil
+  begin
+    target = URI::parse(url.split('?').first)
+  rescue
+    puts "- Could not parse target URL: #{url}"
+  end
+  exit(1) if target.nil?
+  # resolve IP address
+  begin
+    ip = Resolv.getaddress(target.host).to_s
+    puts "IP: #{ip}" unless ip.nil?
+  rescue
+    puts "- Could not resolve hostname #{target.host}"
+  end
+  puts "Port: #{target.port}"
+  puts '-' * 60
+  # Check if the URL is Sitecore
+  if check
+    is_sitecore = SitecoreScan::detectSitecore(url)
+    unless is_sitecore
+      puts '- Sitecore not found'
+      exit(1)
+    end
+    puts '+ Found Sitecore'
+  end
+  # Retrieve Sitecore version from Login page
+  version = SitecoreScan::getVersionFromLogin(url)
+  puts "+ Version: #{version}" if version
+  # Check if Glimpse debugging is enabled
+  glimpse = SitecoreScan::glimpseDebugging(url)
+  puts "+ Glimpse debugging is enabled" if glimpse
+  # Check if SOAP API is accessible
+  soap_api = SitecoreScan::soapApi(url)
+  puts "+ SOAP API is available" if soap_api
+  # Check if Executive Insight Dashboard reporting is accessible
+  reporting = SitecoreScan::dashboardReporting(url)
+  puts "+ Executive Insight Dashboard reporting is available" if reporting
+  # Check if Telerik Web UI is accessible
+  telerik = SitecoreScan::telerikWebUi(url)
+  puts "+ Telerik Web Ui is available" if telerik
+  puts "Scan finished at #{Time.now.getutc}"
+  puts '-' * 60
+end
+scan(
+  options[:url],
+  insecure: options[:insecure],
+  check: !options[:skip],
+  verbose: options[:verbose]
+)

data/lib/sitecore_scan.rb ADDED Viewed

@@ -0,0 +1,183 @@
+#
+# This file is part of SitecoreScan
+# https://github.com/bcoles/sitecore_scan
+#
+require 'uri'
+require 'cgi'
+require 'logger'
+require 'net/http'
+require 'openssl'
+class SitecoreScan
+  VERSION = '0.0.2'.freeze
+  def self.logger
+    @logger
+  end
+  def self.logger=(logger)
+    @logger = logger
+  end
+  def self.insecure
+    @insecure ||= false
+  end
+  def self.insecure=(insecure)
+    @insecure = insecure
+  end
+  #
+  # Check if URL is running Sitecore using edit mode
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.detectSitecore(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}?sc_mode=edit")
+    return false unless res
+    return true if res['sitecore-item']
+    return true if res['set-cookies'].to_s.include?('sc_mode=edit')
+    return true if res.code.to_i == 302 && (res['location'].to_s.downcase.include?('sitecore/login') || res['location'].to_s.downcase.include?('user=sitecore'))
+    false
+  end
+  #
+  # Retrieve Sitecore version from Login page
+  #
+  # @param [String] URL
+  #
+  # @return [String] Sitecore version
+  #
+  def self.getVersionFromLogin(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}sitecore/login")
+    return unless res
+    version = res.body.to_s.scan(%r{(Sitecore\.NET [\d\.]+ \(rev\. \d+\))}).flatten.first
+    return version if version
+    res.body.to_s.scan(%r{<iframe src="https://sdn.sitecore.net/startpage.aspx\?[^"]+v=([\d\.]+)"}).flatten.first
+  end
+  #
+  # Check if Glimpse debugging is enabled
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.glimpseDebugging(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}Glimpse.axd")
+    return false unless res
+    return false unless res.code.to_i == 200
+    return false unless (res.body.to_s.include?('Glimpse - Configuration Page') || res.body.to_s.include?('Glimpse.AspNet'))
+    true
+  end
+  #
+  # Check if SOAP API is accessible
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.soapApi(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}sitecore/shell/WebService/Service.asmx")
+    return false unless res
+    return false unless res.code.to_i == 200
+    return false unless res.body.to_s.include? 'Visual Sitecore Service Web Service'
+    true
+  end
+  #
+  # Check if Executive Insight Dashboard reporting is accessible (CVE-2021-42237)
+  # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.dashboardReporting(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}sitecore/shell/ClientBin/Reporting/Report.ashx")
+    return false unless res
+    return false unless res.code.to_i == 200
+    return false unless res.body.to_s.include? 'Sitecore.Analytics.Reporting'
+    true
+  end
+  #
+  # Check if Telerik Web UI is accessible (CVE-2017-9248)
+  # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0978654
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.telerikWebUi(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}/Telerik.Web.UI.WebResource.axd")
+    return false unless res
+    return false unless res.code.to_i == 200
+    true
+  end
+  #
+  # Fetch URL
+  #
+  # @param [String] URL
+  #
+  # @return [Net::HTTPResponse] HTTP response
+  #
+  def self.sendHttpRequest(url)
+    target = URI.parse(url)
+    @logger.info("Fetching #{target}")
+    http = Net::HTTP.new(target.host, target.port)
+    if target.scheme.to_s.eql?('https')
+      http.use_ssl = true
+      http.verify_mode = @insecure ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
+    end
+    http.open_timeout = 20
+    http.read_timeout = 20
+    headers = {}
+    headers['User-Agent'] = "SitecoreScan/#{VERSION}"
+    headers['Accept-Encoding'] = 'gzip,deflate'
+    begin
+      res = http.request(Net::HTTP::Get.new(target, headers.to_hash))
+      if res.body && res['Content-Encoding'].eql?('gzip')
+        sio = StringIO.new(res.body)
+        gz = Zlib::GzipReader.new(sio)
+        res.body = gz.read
+      end
+    rescue Timeout::Error, Errno::ETIMEDOUT
+      @logger.error("Could not retrieve URL #{target}: Timeout")
+      return nil
+    rescue => e
+      @logger.error("Could not retrieve URL #{target}: #{e}")
+      return nil
+    end
+    @logger.info("Received reply (#{res.body.length} bytes)")
+    res
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,61 @@
+--- !ruby/object:Gem::Specification
+name: sitecore_scan
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Brendan Coles
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-11-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description: A simple remote scanner for Sitecore CMS
+email: bcoles@gmail.com
+executables:
+- sitecore-scan
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/sitecore-scan
+- lib/sitecore_scan.rb
+homepage: https://github.com/bcoles/sitecore_scan
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: Sitecore scanner
+test_files: []
+has_rdoc: