watobo 0.9.14 → 0.9.15

Sign up to get free protection for your applications and to get access to all the features.
Files changed (47) hide show
  1. data/CHANGELOG.md +29 -0
  2. data/config/interceptor.yml +1 -0
  3. data/lib/watobo/core/active_check.rb +1 -2
  4. data/lib/watobo/core/client_cert_store.rb +47 -0
  5. data/lib/watobo/core/scanner3.rb +124 -88
  6. data/lib/watobo/core/session.rb +52 -47
  7. data/lib/watobo/core.rb +1 -11
  8. data/lib/watobo/gui/chatviewer_frame.rb +5 -3
  9. data/lib/watobo/gui/checkboxtree.rb +59 -14
  10. data/lib/watobo/gui/checks_policy_frame.rb +1 -5
  11. data/lib/watobo/gui/client_cert_dialog.rb +260 -96
  12. data/lib/watobo/gui/conversation_table.rb +7 -1
  13. data/lib/watobo/gui/conversation_table_ctrl2.rb +14 -5
  14. data/lib/watobo/gui/edit_comment.rb +1 -1
  15. data/lib/watobo/gui/main_window.rb +40 -5
  16. data/lib/watobo/gui/manual_request_editor.rb +10 -8
  17. data/lib/watobo/gui/quick_scan_dialog.rb +8 -6
  18. data/lib/watobo/gui/scanner_settings_dialog.rb +1 -0
  19. data/lib/watobo/gui/text_viewer.rb +5 -3
  20. data/lib/watobo/http/cookies/cookies.rb +3 -1
  21. data/lib/watobo/http_socket/agent.rb +1 -1
  22. data/lib/watobo/http_socket/client_socket.rb +409 -98
  23. data/lib/watobo/http_socket/connection.rb +1 -1
  24. data/lib/watobo/http_socket/http_socket.rb +47 -39
  25. data/lib/watobo/interceptor/proxy.rb +41 -212
  26. data/lib/watobo/mixins/httpparser.rb +17 -16
  27. data/lib/watobo/mixins/shapers.rb +3 -7
  28. data/lib/watobo.rb +2 -1
  29. data/modules/active/domino/domino_db.rb +5 -7
  30. data/modules/active/struts2/default_handler_ognl.rb +128 -0
  31. data/modules/active/struts2/include_params_ognl.rb +127 -0
  32. data/modules/passive/ajax.rb +5 -3
  33. data/modules/passive/detect_infrastructure.rb +2 -3
  34. data/modules/passive/dirindexing.rb +8 -6
  35. data/modules/passive/disclosure_emails.rb +13 -14
  36. data/modules/passive/disclosure_ipaddr.rb +13 -13
  37. data/modules/passive/hotspots.rb +6 -4
  38. data/modules/passive/in_script_parameter.rb +25 -19
  39. data/modules/passive/redirectionz.rb +1 -1
  40. data/modules/passive/sap-headers.rb +78 -0
  41. data/modules/passive/xss_dom.rb +5 -3
  42. data/plugins/catalog/catalog.rb +7 -2
  43. data/plugins/crawler/gui/auth_frame.rb +20 -5
  44. data/plugins/crawler/gui/crawler_gui.rb +56 -9
  45. data/plugins/crawler/lib/engine.rb +12 -14
  46. data/plugins/filefinder/dbs/sap.db +157 -0
  47. metadata +23 -2
data/CHANGELOG.md CHANGED
@@ -1,3 +1,32 @@
1
+ Version 0.9.15
2
+ ==
3
+ Fixes
4
+ --
5
+ **General**
6
+ * improved socket handling
7
+ * fixed some UTF-8 issues in passive modules
8
+ * added application/octet-stream to pass-through content-types
9
+ * `shapers.rb` didn't replace single quotes in `replace_post_parm`
10
+ * setting/replacing http-headers is now case-in-sensitive
11
+
12
+ **Passive Modules**
13
+ * fixed `Disclosure_ipaddr`; now all IPs inside body are reported
14
+
15
+ **Active Modules**
16
+ * Domino DB enumeration will now run on all requests
17
+
18
+ **Crawler Plugin**
19
+ * extended allowed/excluded URL checks on full url path /w query
20
+
21
+ News
22
+ ---
23
+ * Struts2 module for detecting CVE-2013-2251
24
+ * Struts2 module for detecting CVE-2013-1966
25
+ * conversation filter; added some shortcuts
26
+ * conversation table; added `send to->Crawler`
27
+ * client certificates; added PKCS12
28
+ * SAP passive module; extracts SAP headers, e.g. `sap-system`
29
+
1
30
  Version 0.9.14
2
31
  ===
3
32
  Fixes
data/config/interceptor.yml CHANGED
@@ -5,6 +5,7 @@
5
5
  - application\/image
6
6
  - application\/pdf
7
7
  - application\/.*flash
8
+ - application\/octet-stream
8
9
  - image\/
9
10
  :content_length: 100000
10
11
  :port: 8081
data/lib/watobo/core/active_check.rb CHANGED
@@ -92,10 +92,9 @@ module Watobo#:nodoc: all
92
92
  if id_string == '' then
93
93
  id_string = (Time.now.to_i + rand(10000)).to_s
94
94
  end
95
- puts id_string
96
95
  #
97
96
  new_details[:fid] = Digest::MD5.hexdigest(id_string)
98
- puts new_details[:fid]
97
+
99
98
  puts new_details[:fid] if $DEBUG
100
99
 
101
100
  new_details[:module] = self.class.to_s
data/lib/watobo/core/client_cert_store.rb ADDED
@@ -0,0 +1,47 @@
1
+ # .
2
+ # client_cert_store.rb
3
+ #
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ @private
23
+ module Watobo#:nodoc: all
24
+ module ClientCertStore#:nodoc: all
25
+ @client_certs = {}
26
+
27
+ # :ssl_client_cert
28
+ # :ssl_client_key
29
+ # :extra_chain_certs
30
+
31
+ def self.clear
32
+ @client_certs.clear
33
+ end
34
+
35
+ def self.set( site, cert )
36
+ return false if cert.nil?
37
+ @client_certs[ site.to_sym ] = cert
38
+ true
39
+ end
40
+
41
+ def self.get( site )
42
+ return nil unless @client_certs.has_key? site.to_sym
43
+ @client_certs[ site.to_sym ]
44
+ end
45
+
46
+ end
47
+ end
data/lib/watobo/core/scanner3.rb CHANGED
@@ -19,10 +19,10 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- # @private
22
+ # @private
23
23
  module Watobo#:nodoc: all
24
24
  class Scanner3
25
-
25
+
26
26
  include Watobo::Constants
27
27
  include Watobo::Subscriber
28
28
 
@@ -34,55 +34,58 @@ module Watobo#:nodoc: all
34
34
  class Worker
35
35
  include Watobo::Constants
36
36
  include Watobo::Subscriber
37
-
37
+
38
38
  attr :engine
39
-
39
+
40
40
  STATE_IDLE = 0x00
41
41
  STATE_RUNNING = 0x01
42
42
  STATE_WAIT_FOR_LOGIN = 0x02
43
-
44
43
  def state
45
44
  state = nil
46
- @state_mutex.synchronize do
45
+ @state_mutex.synchronize do
47
46
  state = @state
48
47
  end
49
48
  state
50
49
  end
51
-
50
+
52
51
  def run
53
52
  @state_mutex.synchronize do @state = STATE_RUNNING; end
54
53
  Thread.new{ @engine.run }
55
54
  end
56
-
55
+
57
56
  def start
58
- @engine = Thread.new(@tasks, @logged_out_queue, @prefs){ |tasks, logged_out_queue, prefs|
57
+ @engine = Thread.new(@prefs){ |prefs|
59
58
  relogin_count = 0
60
59
  loop do
61
- task = tasks.deq
60
+ Thread.current[:pos] = "wait for task"
61
+ task = @tasks.deq
62
62
  begin
63
63
  #puts "RUNNING #{task[:module]}"
64
64
  request, response = task[:check].call()
65
-
66
-
65
+
66
+ next if response.nil?
67
+
67
68
  unless prefs[:logout_signatures].empty? or prefs[:auto_login] == false
68
69
  logged_out = false
69
70
  prefs[:logout_signatures].each do |sig|
70
71
  logged_out = true if response.join =~ /#{sig}/
71
72
  end
72
-
73
- if logged_out
73
+
74
+ if logged_out
75
+ Thread.current[:pos] = "logged out"
74
76
  @state_mutex.synchronize do @state = STATE_WAIT_FOR_LOGIN; end
75
- logged_out_queue.push self
77
+ @logged_out_queue.push self
76
78
  # stop current thread, will be waked-up by scanner
77
79
  Thread.stop
78
80
  relogin_count += 1
81
+ Thread.current[:pos] = "set state"
79
82
  @state_mutex.synchronize do @state = STATE_RUNNING; end
80
83
  unless relogin_count > 5
81
84
  request, response = task[:check].call()
82
- end
85
+ end
83
86
  end
84
87
  end
85
-
88
+
86
89
  unless prefs[:scanlog_name].nil?
87
90
  chat = Chat.new(request, response, :id => 0, :chat_source => prefs[:chat_source])
88
91
  Watobo::DataStore.add_scan_log(chat, prefs[:scanlog_name])
@@ -93,6 +96,7 @@ module Watobo#:nodoc: all
93
96
  puts bang.backtrace if $DEBUG
94
97
  ensure
95
98
  #puts "FINISHED #{task[:module]}"
99
+ Thread.current[:pos] = "scan_finished"
96
100
  notify(:task_finished, task[:module])
97
101
  end
98
102
  Thread.exit if relogin_count > 5
@@ -102,10 +106,21 @@ module Watobo#:nodoc: all
102
106
  end
103
107
 
104
108
  def stop
105
- @state = STATE_IDLE
106
- Thread.kill @engine if @engine.alive?
109
+ @state_mutex.synchronize{ @state = STATE_IDLE }
110
+ begin
111
+ return false if @engine.nil?
112
+ if @engine.alive?
113
+ puts "[#{self}] got stopped"
114
+ Thread.kill @engine
115
+ end
116
+ @engine = nil
117
+ rescue => bang
118
+ puts "!!! could not stop worker !!!"
119
+ puts bang
120
+ puts bang.backtrace
121
+ end
107
122
  end
108
-
123
+
109
124
  def wait_for_login?
110
125
  state = false
111
126
  @state_mutex.synchronize do
@@ -113,7 +128,7 @@ module Watobo#:nodoc: all
113
128
  end
114
129
  state
115
130
  end
116
-
131
+
117
132
  def running?
118
133
  @state_mutex.synchronize do
119
134
  running = ( @state == STATE_RUNNING )
@@ -129,7 +144,7 @@ module Watobo#:nodoc: all
129
144
  @relogin_count = 0
130
145
  @state_mutex = Mutex.new
131
146
  @state = STATE_IDLE
132
-
147
+
133
148
  end
134
149
 
135
150
  end
@@ -139,42 +154,57 @@ module Watobo#:nodoc: all
139
154
  def tasks
140
155
  @tasks
141
156
  end
142
-
157
+
143
158
  def status_running?
144
159
  ( status & SCANNER_RUNNING ) > 0
145
160
  end
146
-
161
+
147
162
  def generation_finished?
148
163
  ( status & GENERATION_FINISHED ) > 0
149
164
  end
150
-
165
+
151
166
  def finished?
167
+ # puts "num_waiting: #{@tasks.num_waiting}"
168
+ # puts "workers: #{@workers.length}"
169
+ # puts "generation finished? #{generation_finished?.class}"
170
+ # puts "num tasks: #{@tasks.size}"
171
+ # puts "running workers: #{running_workers}"
152
172
  return true if (
153
- status_running? &&
154
- ( @tasks.num_waiting == @workers.length ) &&
155
- ( @tasks.size == 0 ) &&
156
- generation_finished?
157
- )
173
+ status_running? &&
174
+ ( @tasks.num_waiting == @workers.length ) &&
175
+ ( @tasks.size == 0 ) &&
176
+ generation_finished?
177
+ )
158
178
  false
159
179
  end
160
180
 
161
- def running?()
162
- return false if (
163
- status_running? &&
164
- ( @tasks.num_waiting == @workers.length ) &&
165
- ( @tasks.size == 0 ) &&
166
- generation_finished?
167
- )
168
- return true if status_running?
181
+ def running?()
182
+
183
+ return false if (
184
+ status_running? &&
185
+ ( @tasks.num_waiting == @workers.length ) &&
186
+ ( @tasks.size == 0 ) &&
187
+ generation_finished?
188
+ )
189
+ return true if status_running?
169
190
  return false
170
191
  end
171
192
 
172
193
  def stop()
194
+ print "\n[#{self}] stopping ... "
173
195
  begin
174
196
  @workers.each do |w|
175
197
  w.stop
176
198
  end
199
+ unless @ctrl_thread.nil?
200
+ if @ctrl_thread.alive?
201
+ puts "stop ctrl_thread"
202
+ Thread.kill @ctrl_thread
203
+ end
204
+ end
205
+ print "[OK]\n"
177
206
  rescue => bang
207
+ print "[OUTCH]\n"
178
208
  puts bang
179
209
  puts bang.backtrace if $DEBUG
180
210
  end
@@ -200,7 +230,7 @@ module Watobo#:nodoc: all
200
230
  YAML.load(YAML.dump(@task_counter))
201
231
  end
202
232
  end
203
-
233
+
204
234
  def sum_total
205
235
  sum = 0
206
236
  @task_count_lock.synchronize do
@@ -208,7 +238,7 @@ module Watobo#:nodoc: all
208
238
  end
209
239
  sum
210
240
  end
211
-
241
+
212
242
  def sum_progress
213
243
  sum = 0
214
244
  @task_count_lock.synchronize do
@@ -225,19 +255,28 @@ module Watobo#:nodoc: all
225
255
  @login_count = 0
226
256
  @max_login_count = 20
227
257
 
228
- Thread.new{
258
+ @ctrl_thread = Thread.new{
229
259
  size = -1
230
260
  loop do
231
261
  if @tasks.num_waiting == @workers.length and @tasks.size == 0 and generation_finished?
232
- @workers.map{|w| w.stop }
262
+ begin
263
+ puts "[#{self}] seems scan is finished. stopping workers now ..."
264
+ @workers.map{|w|
265
+ #puts "[]#{self}] stopping worker #{w}"
266
+ w.stop
267
+ }
233
268
  # suizide!
234
269
  Thread.exit
270
+ rescue => bang
271
+ puts bang
272
+ puts bang.backtrace
273
+ end
235
274
  end
236
-
275
+
237
276
  if @logged_out.size == ( @workers.length - @tasks.num_waiting) or @tasks.num_waiting == @workers.size
238
277
  @logged_out.clear
239
278
  #puts "!LOGOUT DETECTED!\n#{@logged_out.size} - #{@workers.length} - #{@tasks.num_waiting}\n\n"
240
- begin
279
+ begin
241
280
  puts "Run login ..."
242
281
  login
243
282
  @workers.each do |wrkr|
@@ -246,14 +285,14 @@ module Watobo#:nodoc: all
246
285
  wrkr.engine.run
247
286
  end
248
287
  end
249
-
288
+
250
289
  rescue => bang
251
290
  puts bang
252
291
  puts bang.backtrace
253
292
  end
254
-
293
+
255
294
  end
256
-
295
+
257
296
  sleep 1
258
297
  end
259
298
  }
@@ -262,32 +301,32 @@ module Watobo#:nodoc: all
262
301
  msg = "\n[Scanner] Starting Scan ..."
263
302
  notify(:logger, LOG_INFO, msg )
264
303
  puts msg
265
-
304
+
266
305
  # starting workers before check generation
267
306
  start_workers( @prefs)
268
307
  @max_tasks = 1000
269
-
308
+
270
309
  # start check generation in seperate thread
271
310
  Thread.new{
272
311
  begin
273
- set_status GENERATION_STARTED
274
- @chat_list.uniq.each do |chat|
275
- # puts chat.request.url.to_s
276
- @active_checks.uniq.each do |ac|
277
- ac.reset()
278
- if site_alive?(chat) then
279
- ac.generateChecks(chat){ |check|
280
- while @tasks.size > @max_tasks
281
- sleep 1
282
- end
283
- task = { :module => ac,
284
- :check => check
312
+ set_status GENERATION_STARTED
313
+ @chat_list.uniq.each do |chat|
314
+ # puts chat.request.url.to_s
315
+ @active_checks.uniq.each do |ac|
316
+ ac.reset()
317
+ if site_alive?(chat) then
318
+ ac.generateChecks(chat){ |check|
319
+ while @tasks.size > @max_tasks
320
+ sleep 1
321
+ end
322
+ task = { :module => ac,
323
+ :check => check
324
+ }
325
+ @tasks.push task
285
326
  }
286
- @tasks.push task
287
- }
327
+ end
288
328
  end
289
329
  end
290
- end
291
330
  rescue => bang
292
331
  puts bang
293
332
  puts bang.backtrace if $DEBUG
@@ -302,39 +341,36 @@ module Watobo#:nodoc: all
302
341
  @chat_list = chat_list
303
342
  @active_checks = []
304
343
  @passive_checks = passive_checks
305
-
344
+
306
345
  @tasks = Queue.new
307
346
  @logged_out = Queue.new
308
-
309
- @workers = []
310
347
 
311
-
348
+ @workers = []
312
349
 
313
350
  @status_lock = Mutex.new
314
351
 
315
352
  @task_count_lock = Mutex.new
316
353
  @task_counter = {}
354
+
355
+ @ctrl_thread = nil
317
356
 
318
357
  # @onlineCheck = OnlineCheck.new(@project)
319
358
  msg = "Initializing Scanner ..."
320
359
  notify(:logger, LOG_INFO, msg)
321
360
  puts msg
322
-
361
+
323
362
  @prefs = Watobo::Conf::Scanner.to_h
324
363
 
325
364
  @prefs.update prefs
326
- #puts "set up scanner"
327
- #puts @prefs[:login_chats]
328
- #puts @prefs[:logout_signatures]
329
- puts "= create scanner =" if $DEBUG
330
- puts @prefs.to_yaml
365
+
366
+ puts @prefs.to_yaml
331
367
 
332
368
  unique_checks = {}
333
369
  active_checks.each do |x|
334
370
  if x.respond_to? :new
335
- ac = x.new(self.object_id, @prefs)
371
+ ac = x.new(self.object_id, @prefs)
336
372
  else
337
- ac = x
373
+ ac = x
338
374
  end
339
375
  unique_checks[ac.class.to_s] = ac unless unique_checks.has_key?(ac.class.to_s)
340
376
  end
@@ -348,7 +384,7 @@ module Watobo#:nodoc: all
348
384
 
349
385
  check.resetCounters()
350
386
  @chat_list.each_with_index do |chat, index|
351
- #print "."
387
+ #print "."
352
388
  check.updateCounters(chat, @prefs)
353
389
  puts "* [#{index}] CheckCounter #{chat.id}: #{check.check_name} - #{check.numChecks}"
354
390
  end
@@ -361,7 +397,7 @@ module Watobo#:nodoc: all
361
397
  :progress => 0
362
398
  }
363
399
  end
364
- @status = SCANNER_READY
400
+ @status = SCANNER_READY
365
401
  msg = "Scanner Ready!"
366
402
  notify(:logger, LOG_INFO, msg)
367
403
  puts msg
@@ -388,7 +424,7 @@ module Watobo#:nodoc: all
388
424
 
389
425
  def start_workers(check_prefs)
390
426
  num_workers = @prefs.has_key?(:max_parallel_checks) ? @prefs[:max_parallel_checks] : Watobo::Conf::Scanner.max_parallel_checks
391
-
427
+
392
428
  puts "Starting #{num_workers} Workers ..."
393
429
 
394
430
  num_workers.times do |i|
@@ -401,26 +437,26 @@ module Watobo#:nodoc: all
401
437
  @task_counter[cn][:progress] += 1
402
438
  end
403
439
  }
404
-
440
+
405
441
  @logout_count ||= 0
406
442
  @logout_count_lock ||= Mutex.new
407
443
  @num_waiting = 0
408
-
444
+
409
445
  w.start
410
446
  @workers << w
411
447
  end
412
448
  print "\n"
413
449
 
414
450
  end
415
-
451
+
416
452
  def login
417
- puts "do relogin"
418
- login_chats = Watobo::Conf::Scanner.login_chat_ids.uniq.map{|id| Watobo::Chats.get_by_id(id) }
419
- # puts "running #{login_chats.length} login requests"
420
- # puts login_chats.first.class
421
-
453
+ puts "do relogin"
454
+ login_chats = Watobo::Conf::Scanner.login_chat_ids.uniq.map{|id| Watobo::Chats.get_by_id(id) }
455
+ # puts "running #{login_chats.length} login requests"
456
+ # puts login_chats.first.class
457
+
422
458
  @active_checks.first.runLogin(login_chats, @prefs)
423
-
459
+
424
460
  end
425
461
 
426
462
  def site_alive?(chat)