watobo 0.9.14 → 0.9.15
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG.md +29 -0
- data/config/interceptor.yml +1 -0
- data/lib/watobo/core/active_check.rb +1 -2
- data/lib/watobo/core/client_cert_store.rb +47 -0
- data/lib/watobo/core/scanner3.rb +124 -88
- data/lib/watobo/core/session.rb +52 -47
- data/lib/watobo/core.rb +1 -11
- data/lib/watobo/gui/chatviewer_frame.rb +5 -3
- data/lib/watobo/gui/checkboxtree.rb +59 -14
- data/lib/watobo/gui/checks_policy_frame.rb +1 -5
- data/lib/watobo/gui/client_cert_dialog.rb +260 -96
- data/lib/watobo/gui/conversation_table.rb +7 -1
- data/lib/watobo/gui/conversation_table_ctrl2.rb +14 -5
- data/lib/watobo/gui/edit_comment.rb +1 -1
- data/lib/watobo/gui/main_window.rb +40 -5
- data/lib/watobo/gui/manual_request_editor.rb +10 -8
- data/lib/watobo/gui/quick_scan_dialog.rb +8 -6
- data/lib/watobo/gui/scanner_settings_dialog.rb +1 -0
- data/lib/watobo/gui/text_viewer.rb +5 -3
- data/lib/watobo/http/cookies/cookies.rb +3 -1
- data/lib/watobo/http_socket/agent.rb +1 -1
- data/lib/watobo/http_socket/client_socket.rb +409 -98
- data/lib/watobo/http_socket/connection.rb +1 -1
- data/lib/watobo/http_socket/http_socket.rb +47 -39
- data/lib/watobo/interceptor/proxy.rb +41 -212
- data/lib/watobo/mixins/httpparser.rb +17 -16
- data/lib/watobo/mixins/shapers.rb +3 -7
- data/lib/watobo.rb +2 -1
- data/modules/active/domino/domino_db.rb +5 -7
- data/modules/active/struts2/default_handler_ognl.rb +128 -0
- data/modules/active/struts2/include_params_ognl.rb +127 -0
- data/modules/passive/ajax.rb +5 -3
- data/modules/passive/detect_infrastructure.rb +2 -3
- data/modules/passive/dirindexing.rb +8 -6
- data/modules/passive/disclosure_emails.rb +13 -14
- data/modules/passive/disclosure_ipaddr.rb +13 -13
- data/modules/passive/hotspots.rb +6 -4
- data/modules/passive/in_script_parameter.rb +25 -19
- data/modules/passive/redirectionz.rb +1 -1
- data/modules/passive/sap-headers.rb +78 -0
- data/modules/passive/xss_dom.rb +5 -3
- data/plugins/catalog/catalog.rb +7 -2
- data/plugins/crawler/gui/auth_frame.rb +20 -5
- data/plugins/crawler/gui/crawler_gui.rb +56 -9
- data/plugins/crawler/lib/engine.rb +12 -14
- data/plugins/filefinder/dbs/sap.db +157 -0
- metadata +23 -2
@@ -0,0 +1,78 @@
|
|
1
|
+
# .
|
2
|
+
# sap-headers.rb
|
3
|
+
#
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
|
23
|
+
# @private
|
24
|
+
module Watobo#:nodoc: all
|
25
|
+
module Modules
|
26
|
+
module Passive
|
27
|
+
|
28
|
+
|
29
|
+
class Sap_headers < Watobo::PassiveCheck
|
30
|
+
|
31
|
+
def initialize(project)
|
32
|
+
@project = project
|
33
|
+
super(project)
|
34
|
+
@info.update(
|
35
|
+
:check_name => 'SAP Headers', # name of check which briefly describes functionality, will be used for tree and progress views
|
36
|
+
:description => "checks for headers which contain 'sap-', e.g. sap-srt_server_info.", # description of checkfunction
|
37
|
+
:author => "Andreas Schmidt", # author of check
|
38
|
+
:version => "0.9" # check version
|
39
|
+
)
|
40
|
+
|
41
|
+
@finding.update(
|
42
|
+
:threat => 'May reveal sensitive information..', # thread of vulnerability, e.g. loss of information
|
43
|
+
:class => "SAP Header", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
44
|
+
:type => FINDING_TYPE_INFO # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
45
|
+
)
|
46
|
+
|
47
|
+
@tested_directories = []
|
48
|
+
|
49
|
+
@pattern_list = [ '^sap-' ]
|
50
|
+
|
51
|
+
|
52
|
+
end
|
53
|
+
|
54
|
+
def do_test(chat)
|
55
|
+
begin
|
56
|
+
|
57
|
+
@pattern_list.each do |pat|
|
58
|
+
chat.response.headers(pat) do |header|
|
59
|
+
next unless chat.response.has_body?
|
60
|
+
match = header.split(":")[0]
|
61
|
+
addFinding(
|
62
|
+
:proof_pattern => "#{header}",
|
63
|
+
:chat => chat,
|
64
|
+
:title => "#{match}"
|
65
|
+
)
|
66
|
+
|
67
|
+
end
|
68
|
+
end
|
69
|
+
rescue => bang
|
70
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
71
|
+
puts bang
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
data/modules/passive/xss_dom.rb
CHANGED
@@ -60,18 +60,20 @@ module Watobo#:nodoc: all
|
|
60
60
|
end
|
61
61
|
|
62
62
|
def showError(chatid, message)
|
63
|
-
puts "!!! Error"
|
63
|
+
puts "!!! Error #{Module.nesting[0].name}"
|
64
64
|
puts "Chat: [#{chatid}]"
|
65
65
|
puts message
|
66
66
|
end
|
67
67
|
|
68
68
|
def do_test(chat)
|
69
69
|
begin
|
70
|
-
|
70
|
+
return false if chat.response.nil?
|
71
|
+
return false unless chat.response.has_body?
|
71
72
|
return true unless chat.response.content_type =~ /(text|script)/
|
72
73
|
|
73
74
|
@dom_functions.each do |pattern|
|
74
|
-
|
75
|
+
body = chat.response.body.unpack("C*").pack("C*")
|
76
|
+
if body =~ /(#{pattern})/i then
|
75
77
|
match = $1.strip
|
76
78
|
match.gsub!(/^[\.\(\)]+/,'')
|
77
79
|
match.gsub!(/[\.\(\)]+$/,'')
|
data/plugins/catalog/catalog.rb
CHANGED
@@ -126,6 +126,10 @@ module Watobo#:nodoc: all
|
|
126
126
|
count = 0
|
127
127
|
@dbvars.each_key do |k| dummy << k; end
|
128
128
|
pattern = "(#{dummy.join("|")})" if dummy.length > 0
|
129
|
+
@catalog_checks.each do |dbid, osvdb, threat, uri, method, match, or_match, and_match, fail, or_fail, summary, post_data, headers|
|
130
|
+
next if uri =~ /\/$/
|
131
|
+
@catalog_checks << [ dbid, osvdb, threat, "#{uri}/", method, match, or_match, and_match, fail, or_fail, summary, post_data, headers ]
|
132
|
+
end
|
129
133
|
@catalog_checks.each do |dbid, osvdb, threat, uri, method, match, or_match, and_match, fail, or_fail, summary, post_data, headers|
|
130
134
|
|
131
135
|
if pattern and uri =~ /(#{pattern})/
|
@@ -740,7 +744,7 @@ module Watobo#:nodoc: all
|
|
740
744
|
end
|
741
745
|
|
742
746
|
def start_update_timer
|
743
|
-
@timer = FXApp.instance.addTimeout(
|
747
|
+
@timer = FXApp.instance.addTimeout( 1000, :repeat => true) {
|
744
748
|
unless @scanner.nil?
|
745
749
|
progress = @scanner.progress
|
746
750
|
sum_progress = progress.values.inject(0){|i, v| i += v[:progress] }
|
@@ -750,7 +754,8 @@ module Watobo#:nodoc: all
|
|
750
754
|
if @scanner.finished?
|
751
755
|
msg = "Scan Finished!"
|
752
756
|
@log_viewer.log(LOG_INFO, msg)
|
753
|
-
Watobo.log(msg, :sender => "Catalog")
|
757
|
+
Watobo.log(msg, :sender => "Catalog")
|
758
|
+
@scanner.stop
|
754
759
|
@scanner = nil
|
755
760
|
reset_pbar()
|
756
761
|
|
@@ -113,6 +113,21 @@ module Watobo#:nodoc: all
|
|
113
113
|
def clearEvents(event)
|
114
114
|
@event_dispatcher_listener[event].clear
|
115
115
|
end
|
116
|
+
|
117
|
+
def set(settings)
|
118
|
+
return false unless settings.has_key? :auth_type
|
119
|
+
if settings[:auth_type] == :basic
|
120
|
+
@auth_type_dt.value = 1
|
121
|
+
@basic_auth_user_txt.text = settings.has_key?(:username) ? settings[:username] : ""
|
122
|
+
pw = settings.has_key?(:password) ? settings[:password] : ""
|
123
|
+
@basic_auth_passwd_txt.text = pw
|
124
|
+
@basic_auth_retype_txt.text = pw
|
125
|
+
|
126
|
+
end
|
127
|
+
@switcher.current = @auth_type_dt.value
|
128
|
+
update_form
|
129
|
+
return true
|
130
|
+
end
|
116
131
|
|
117
132
|
def to_h
|
118
133
|
a = case @auth_type_dt.value
|
@@ -141,13 +156,13 @@ module Watobo#:nodoc: all
|
|
141
156
|
|
142
157
|
end
|
143
158
|
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
159
|
+
# def set(settings)
|
160
|
+
# @form_auth_url_txt.text = settings[:form_auth_url].to_s if settings.has_key? :form_auth_url
|
161
|
+
# update_form
|
162
|
+
# end
|
148
163
|
|
149
164
|
def update_form
|
150
|
-
[
|
165
|
+
[ @form_auth_url_txt, @no_auth_rb, @basic_auth_rb, @form_auth_rb ].each do |e|
|
151
166
|
e.handle(self, FXSEL(SEL_UPDATE, 0), nil)
|
152
167
|
end
|
153
168
|
end
|
@@ -72,7 +72,7 @@ module Watobo#:nodoc: all
|
|
72
72
|
@settings_tabbook.setCurrent index
|
73
73
|
end
|
74
74
|
|
75
|
-
def initialize(owner, project=nil)
|
75
|
+
def initialize(owner, project=nil, chat=nil)
|
76
76
|
super(owner, "Crawler", project, :opts => DECOR_ALL, :width=>800, :height=>600)
|
77
77
|
@plugin_name = "Crawler"
|
78
78
|
@project = project
|
@@ -83,13 +83,14 @@ module Watobo#:nodoc: all
|
|
83
83
|
:link_size => 0,
|
84
84
|
:skipped_domains => 0
|
85
85
|
}
|
86
|
+
@cookie_jar = nil
|
86
87
|
|
87
88
|
main = FXVerticalFrame.new(self, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
|
88
89
|
FXLabel.new(main, "Start URL, e.g. http://my.target.to/scan/:")
|
89
90
|
frame = FXHorizontalFrame.new(main, :opts => LAYOUT_FILL_X)
|
90
91
|
# FXLabel.new(frame, "http://")
|
91
92
|
@url_txt = FXTextField.new(frame, 60, nil, 0, :opts => TEXTFIELD_NORMAL|LAYOUT_SIDE_RIGHT|LAYOUT_FILL_X)
|
92
|
-
|
93
|
+
|
93
94
|
@start_button = FXButton.new(frame, "start", :opts => BUTTON_DEFAULT|BUTTON_NORMAL )
|
94
95
|
@start_button.disable
|
95
96
|
|
@@ -101,13 +102,7 @@ module Watobo#:nodoc: all
|
|
101
102
|
}
|
102
103
|
|
103
104
|
@url_txt.connect(SEL_CHANGED){
|
104
|
-
|
105
|
-
|
106
|
-
@start_button.enable
|
107
|
-
else
|
108
|
-
@start_button.disable
|
109
|
-
# Watobo::Plugin::Crawler.start_url = nil
|
110
|
-
end
|
105
|
+
update_url_state
|
111
106
|
}
|
112
107
|
|
113
108
|
@start_button.connect(SEL_COMMAND){ |sender, sel, item|
|
@@ -125,6 +120,42 @@ module Watobo#:nodoc: all
|
|
125
120
|
@settings_tabbook.general.set @crawler.settings
|
126
121
|
@settings_tabbook.auth.crawler = @crawler
|
127
122
|
@settings_tabbook.scope.set @crawler.settings
|
123
|
+
|
124
|
+
unless chat.nil?
|
125
|
+
begin
|
126
|
+
url = chat.request.url
|
127
|
+
@url_txt.text = "#{url}"
|
128
|
+
chat.request.headers("Authorization"){ |h|
|
129
|
+
if h =~ /Basic (.*)/i
|
130
|
+
user, pw = Base64.decode64($1).strip.split(":")
|
131
|
+
auth = { :username => user,
|
132
|
+
:password => pw,
|
133
|
+
:auth_type => :basic
|
134
|
+
}
|
135
|
+
@settings_tabbook.auth.set(auth)
|
136
|
+
end
|
137
|
+
}
|
138
|
+
unless chat.request.cookies.empty?
|
139
|
+
@cookie_jar = Mechanize::CookieJar.new
|
140
|
+
domain = chat.request.host
|
141
|
+
|
142
|
+
chat.request.cookies.each do |c|
|
143
|
+
name, value = c.split("=")
|
144
|
+
cprefs = { :domain => domain,
|
145
|
+
:name => name,
|
146
|
+
:value => value,
|
147
|
+
:path => '/',
|
148
|
+
:expires => (Date.today+1).to_s
|
149
|
+
}
|
150
|
+
cookie = Mechanize::Cookie.new cprefs
|
151
|
+
@cookie_jar << cookie
|
152
|
+
end
|
153
|
+
end
|
154
|
+
rescue => bang
|
155
|
+
puts bang
|
156
|
+
puts bang.backtrace
|
157
|
+
end
|
158
|
+
end
|
128
159
|
|
129
160
|
@log_viewer = @settings_tabbook.log_viewer
|
130
161
|
|
@@ -142,10 +173,22 @@ module Watobo#:nodoc: all
|
|
142
173
|
@log_viewer.log(LOG_INFO, msg)
|
143
174
|
}
|
144
175
|
end
|
176
|
+
|
177
|
+
update_url_state
|
145
178
|
|
146
179
|
end
|
147
180
|
|
148
181
|
private
|
182
|
+
|
183
|
+
def update_url_state
|
184
|
+
if url_valid?
|
185
|
+
|
186
|
+
@start_button.enable
|
187
|
+
else
|
188
|
+
@start_button.disable
|
189
|
+
# Watobo::Plugin::Crawler.start_url = nil
|
190
|
+
end
|
191
|
+
end
|
149
192
|
|
150
193
|
def remove_update_timer
|
151
194
|
app = FXApp.instance
|
@@ -265,6 +308,10 @@ module Watobo#:nodoc: all
|
|
265
308
|
prefs.update scope_settings
|
266
309
|
prefs.update general_settings
|
267
310
|
prefs.update hook_settings
|
311
|
+
|
312
|
+
unless @cookie_jar.nil?
|
313
|
+
prefs[:cookie_jar] = @cookie_jar
|
314
|
+
end
|
268
315
|
|
269
316
|
add_update_timer(250)
|
270
317
|
|
@@ -134,10 +134,6 @@ module Watobo#:nodoc: all
|
|
134
134
|
@opts.update opts
|
135
135
|
@opts[:head_request_pattern] = '' if @opts[:head_request_pattern].nil?
|
136
136
|
|
137
|
-
if $DEBUG
|
138
|
-
puts "* initializing crawler engine"
|
139
|
-
puts @opts.to_yaml
|
140
|
-
end
|
141
137
|
@stats = {
|
142
138
|
:total_requests => 0
|
143
139
|
}
|
@@ -184,7 +180,11 @@ false
|
|
184
180
|
@engine_status = CRAWL_RUNNING
|
185
181
|
|
186
182
|
@opts.update opts
|
187
|
-
@opts[:head_request_pattern] = '' if @opts[:head_request_pattern].nil?
|
183
|
+
@opts[:head_request_pattern] = '' if @opts[:head_request_pattern].nil?
|
184
|
+
|
185
|
+
puts "crawler settings:"
|
186
|
+
puts @opts.to_json
|
187
|
+
|
188
188
|
|
189
189
|
@link_queue = Queue.new
|
190
190
|
@page_queue = Queue.new
|
@@ -204,12 +204,8 @@ false
|
|
204
204
|
|
205
205
|
@link_queue.enq LinkBag.new(start_link, 0)
|
206
206
|
|
207
|
-
|
208
|
-
|
209
|
-
puts "#{k}: #{v}"
|
210
|
-
end
|
211
|
-
puts "---"
|
212
|
-
notify(:log, "Crawling #{url} started ..." )
|
207
|
+
|
208
|
+
notify(:log, "Crawling #{url} started ..." )
|
213
209
|
|
214
210
|
@opts[:max_threads].times do |i|
|
215
211
|
g = Grabber.new(@link_queue, @page_queue, @opts )
|
@@ -295,7 +291,8 @@ end
|
|
295
291
|
page.links.each do |l|
|
296
292
|
begin
|
297
293
|
link = l
|
298
|
-
|
294
|
+
next if l.href.nil?
|
295
|
+
|
299
296
|
link = page.uri.merge l.uri unless l.href =~ /^http/
|
300
297
|
# puts "FOLLOW LINK #{link} ?"
|
301
298
|
if follow_link? link
|
@@ -306,6 +303,7 @@ end
|
|
306
303
|
end
|
307
304
|
rescue => bang
|
308
305
|
puts bang
|
306
|
+
puts bang.backtrace if $DEBUG
|
309
307
|
end
|
310
308
|
end
|
311
309
|
|
@@ -415,11 +413,11 @@ end
|
|
415
413
|
def url_allowed?(uri)
|
416
414
|
# puts "* excluded_urls"
|
417
415
|
# puts exluded_urls
|
418
|
-
return false if excluded_urls.select{ |url| uri.
|
416
|
+
return false if excluded_urls.select{ |url| uri.path_ext =~ /#{url}/ }.length > 0
|
419
417
|
# puts "* allowed_urls"
|
420
418
|
# puts allowed_urls
|
421
419
|
return true if allowed_urls.empty?
|
422
|
-
return true if allowed_urls.select{ |url| uri.
|
420
|
+
return true if allowed_urls.select{ |url| uri.path_ext =~ /#{url}/ }.length > 0
|
423
421
|
# puts "> URL is NOT allowed"
|
424
422
|
return false
|
425
423
|
end
|
@@ -0,0 +1,157 @@
|
|
1
|
+
# http://blog.csdn.net/cnbird2008/article/details/7386333
|
2
|
+
/rep/build_info.html
|
3
|
+
/rep/build_info.jsp
|
4
|
+
/run/build_info.html
|
5
|
+
/run/build_info.jsp
|
6
|
+
/rwb/version.html
|
7
|
+
/sap/bc/bsp/esh_os_service/favicon.gif
|
8
|
+
/sap/bc/bsp/sap
|
9
|
+
/sap/bc/bsp/sap/alertinbox
|
10
|
+
/sap/bc/bsp/sap/bsp_dlc_frcmp
|
11
|
+
/sap/bc/bsp/sap/bsp_veri
|
12
|
+
/sap/bc/bsp/sap/bsp_verificatio
|
13
|
+
/sap/bc/bsp/sap/bsp_wd_base
|
14
|
+
/sap/bc/bsp/sap/bspwd_basics
|
15
|
+
/sap/bc/bsp/sap/certmap
|
16
|
+
/sap/bc/bsp/sap/certreq
|
17
|
+
/sap/bc/bsp/sap/crm_bsp_frame
|
18
|
+
/sap/bc/bsp/sap/crmcmp_bpident/
|
19
|
+
/sap/bc/bsp/sap/crmcmp_brfcase
|
20
|
+
/sap/bc/bsp/sap/crmcmp_hdr
|
21
|
+
/sap/bc/bsp/sap/crmcmp_hdr_std
|
22
|
+
/sap/bc/bsp/sap/crmcmp_ic_frame
|
23
|
+
/sap/bc/bsp/sap/crm_thtmlb_util
|
24
|
+
/sap/bc/bsp/sap/crm_ui_frame
|
25
|
+
/sap/bc/bsp/sap/crm_ui_start
|
26
|
+
/sap/bc/bsp/sap/esh_sap_link
|
27
|
+
/sap/bc/bsp/sap/esh_sapgui_exe
|
28
|
+
/sap/bc/bsp/sap/graph_bsp_test
|
29
|
+
/sap/bc/bsp/sap/graph_bsp_test/Mimes
|
30
|
+
/sap/bc/bsp/sap/gsbirp
|
31
|
+
/sap/bc/bsp/sap/htmlb_samples
|
32
|
+
/sap/bc/bsp/sap/iccmp_bp_cnfirm
|
33
|
+
/sap/bc/bsp/sap/iccmp_hdr_cntnr
|
34
|
+
/sap/bc/bsp/sap/iccmp_hdr_cntnt
|
35
|
+
/sap/bc/bsp/sap/iccmp_header
|
36
|
+
/sap/bc/bsp/sap/iccmp_ssc_ll/
|
37
|
+
/sap/bc/bsp/sap/ic_frw_notify
|
38
|
+
/sap/bc/bsp/sap/it00
|
39
|
+
/sap/bc/bsp/sap/public/bc
|
40
|
+
/sap/bc/bsp/sap/public/graphics
|
41
|
+
/sap/bc/bsp/sap/sam_demo
|
42
|
+
/sap/bc/bsp/sap/sam_notifying
|
43
|
+
/sap/bc/bsp/sap/sam_sess_queue
|
44
|
+
/sap/bc/bsp/sap/sbspext_htmlb
|
45
|
+
/sap/bc/bsp/sap/sbspext_xhtmlb
|
46
|
+
/sap/bc/bsp/sap/spi_admin
|
47
|
+
/sap/bc/bsp/sap/spi_monitor
|
48
|
+
/sap/bc/bsp/sap/sxms_alertrules
|
49
|
+
/sap/bc/bsp/sap/system
|
50
|
+
/sap/bc/bsp/sap/thtmlb_scripts
|
51
|
+
/sap/bc/bsp/sap/thtmlb_styles
|
52
|
+
/sap/bc/bsp/sap/uicmp_ltx
|
53
|
+
/sap/bc/bsp/sap/xmb_bsp_log
|
54
|
+
/sap/bc/contentserver
|
55
|
+
/sap/bc/echo
|
56
|
+
/sap/bc/error
|
57
|
+
/sap/bc/FormToRfc
|
58
|
+
/sap/bc/graphics/net
|
59
|
+
/sap/bc/gui/sap/its/CERTREQ
|
60
|
+
/sap/bc/gui/sap/its/designs
|
61
|
+
/sap/bc/gui/sap/its/webgui
|
62
|
+
/sap/bc/IDoc_XML
|
63
|
+
/sap/bc/ping
|
64
|
+
/sap/bc/report
|
65
|
+
/sap/bc/soap/ici
|
66
|
+
/sap/bc/soap/rfc
|
67
|
+
/sap/bc/srt/IDoc
|
68
|
+
/sap/bc/wdvd
|
69
|
+
/sap/bc/webdynpro/sap/apb_launchpad
|
70
|
+
/sap/bc/webdynpro/sap/apb_launchpad_nwbc
|
71
|
+
/sap/bc/webdynpro/sap/apb_lpd_light_start
|
72
|
+
/sap/bc/webdynpro/sap/apb_lpd_start_url
|
73
|
+
/sap/bc/webdynpro/sap/application_exit
|
74
|
+
/sap/bc/webdynpro/sap/appl_log_trc_viewer
|
75
|
+
/sap/bc/webdynpro/sap/appl_soap_management
|
76
|
+
/sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
|
77
|
+
/sap/bc/webdynpro/sap/cnp_light_test
|
78
|
+
/sap/bc/webdynpro/sap/configure_application
|
79
|
+
/sap/bc/webdynpro/sap/configure_component
|
80
|
+
/sap/bc/webdynpro/sap/esh_search_results.ui
|
81
|
+
/sap/bc/webdynpro/sap/esh_adm_smoketest_ui
|
82
|
+
/sap/bc/webdynpro/sap/sh_adm_smoketest_files
|
83
|
+
/sap/bc/webdynpro/sap/esh_eng_modelling
|
84
|
+
/sap/bc/webdynpro/sap/esh_admin_ui_component
|
85
|
+
/sap/bc/webdynpro/sap/wdhc_application
|
86
|
+
/sap/bc/webdynpro/sap/wd_analyze_config_appl
|
87
|
+
/sap/bc/webdynpro/sap/wd_analyze_config_comp
|
88
|
+
/sap/bc/webdynpro/sap/wd_analyze_config_user
|
89
|
+
/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
|
90
|
+
/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
|
91
|
+
/sap/bc/webdynpro/sap/wdr_test_popups_rt
|
92
|
+
/sap/bc/webdynpro/sap/WDR_TEST_TABLE
|
93
|
+
/sap/bc/webdynpro/sap/wdr_test_ui_elements
|
94
|
+
/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
|
95
|
+
/sap/bc/webrfc
|
96
|
+
/sap/bc/xrfc
|
97
|
+
/sap/bc/xrfc_test
|
98
|
+
/sap/es/cockpit
|
99
|
+
/sap/es/getdocument
|
100
|
+
/sap/es/opensearch
|
101
|
+
/sap/es/opensearch/description
|
102
|
+
/sap/es/opensearch/list
|
103
|
+
/sap/es/opensearch/search
|
104
|
+
/sap/es/saplink
|
105
|
+
/sap/es/search
|
106
|
+
/sap/es/redirect
|
107
|
+
/sap/crm
|
108
|
+
/sap/public/bc
|
109
|
+
/sap/public/bc/icons
|
110
|
+
/sap/public/bc/icons_rtl
|
111
|
+
/sap/public/bc/its/mimes
|
112
|
+
/sap/public/bc/its/mimes/system/SL/page/hourglass.html
|
113
|
+
/sap/public/bc/its/mobile/itsmobile00
|
114
|
+
/sap/public/bc/its/mobile/itsmobile01
|
115
|
+
/sap/public/bc/its/mobile/rfid
|
116
|
+
/sap/public/bc/its/mobile/start
|
117
|
+
/sap/public/bc/its/mobile/test
|
118
|
+
/sap/public/bc/NWDEMO_MODEL
|
119
|
+
/sap/public/bc/NW_ESH_TST_AUTO
|
120
|
+
/sap/public/bc/pictograms
|
121
|
+
/sap/public/bc/sicf_login_run
|
122
|
+
/sap/public/bc/trex
|
123
|
+
/sap/public/bc/ur
|
124
|
+
/sap/public/bc/wdtracetool
|
125
|
+
/sap/public/bc/webdynpro/adobechallenge
|
126
|
+
/sap/public/bc/webdynpro/mimes
|
127
|
+
/sap/public/bc/webdynpro/ssr
|
128
|
+
/sap/public/bc/webdynpro/viewdesigner
|
129
|
+
/sap/public/bc/webicons
|
130
|
+
/sap/public/bc/workflow
|
131
|
+
/sap/public/bc/workflow/shortcut
|
132
|
+
/sap/public/bsp/sap
|
133
|
+
/sap/public/bsp/sap/htmlb
|
134
|
+
/sap/public/bsp/sap/public
|
135
|
+
/sap/public/bsp/sap/public/bc
|
136
|
+
/sap/public/bsp/sap/public/faa
|
137
|
+
/sap/public/bsp/sap/public/graphics
|
138
|
+
/sap/public/bsp/sap/public/graphics/jnet_handler
|
139
|
+
/sap/public/bsp/sap/public/graphics/mimes
|
140
|
+
/sap/public/bsp/sap/system
|
141
|
+
/sap/public/bsp/sap/system_public
|
142
|
+
/sap/public/icf_check
|
143
|
+
/sap/public/icf_info
|
144
|
+
/sap/public/icf_info/icr_groups
|
145
|
+
/sap/public/icf_info/icr_urlprefix
|
146
|
+
/sap/public/icf_info/logon_groups
|
147
|
+
/sap/public/icf_info/urlprefix
|
148
|
+
/sap/public/icman
|
149
|
+
/sap/public/info
|
150
|
+
/sap/public/myssocntl
|
151
|
+
/sap/public/ping
|
152
|
+
/sap/webcuif
|
153
|
+
# https://code.google.com/p/golismero/source/browse/wordlist/wfuzz/Discovery/SAP.fuzz.txt
|
154
|
+
/sap/public/icman/ping
|
155
|
+
/sap/admin
|
156
|
+
/sap/wdisp/admin
|
157
|
+
/scripts/wgate
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: watobo
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.9.
|
4
|
+
version: 0.9.15
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,8 +9,24 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-
|
12
|
+
date: 2013-10-01 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
|
+
- !ruby/object:Gem::Dependency
|
15
|
+
name: json
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
17
|
+
none: false
|
18
|
+
requirements:
|
19
|
+
- - ! '>='
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: '0'
|
22
|
+
type: :runtime
|
23
|
+
prerelease: false
|
24
|
+
version_requirements: !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
26
|
+
requirements:
|
27
|
+
- - ! '>='
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
version: '0'
|
14
30
|
- !ruby/object:Gem::Dependency
|
15
31
|
name: mechanize
|
16
32
|
requirement: !ruby/object:Gem::Requirement
|
@@ -85,6 +101,7 @@ files:
|
|
85
101
|
- lib/watobo/core/cert_store.rb
|
86
102
|
- lib/watobo/core/chat.rb
|
87
103
|
- lib/watobo/core/chats.rb
|
104
|
+
- lib/watobo/core/client_cert_store.rb
|
88
105
|
- lib/watobo/core/conversation.rb
|
89
106
|
- lib/watobo/core/cookie.rb
|
90
107
|
- lib/watobo/core/finding.rb
|
@@ -270,6 +287,8 @@ files:
|
|
270
287
|
- modules/active/sqlinjection/sqli_error.rb
|
271
288
|
- modules/active/sqlinjection/sqli_timing.rb
|
272
289
|
- modules/active/sqlinjection/sql_boolean.rb
|
290
|
+
- modules/active/struts2/default_handler_ognl.rb
|
291
|
+
- modules/active/struts2/include_params_ognl.rb
|
273
292
|
- modules/active/xml/xml_xxe.rb
|
274
293
|
- modules/active/xss/xss_ng.rb
|
275
294
|
- modules/active/xss/xss_simple.rb
|
@@ -294,6 +313,7 @@ files:
|
|
294
313
|
- modules/passive/possible_login.rb
|
295
314
|
- modules/passive/redirectionz.rb
|
296
315
|
- modules/passive/redirect_url.rb
|
316
|
+
- modules/passive/sap-headers.rb
|
297
317
|
- modules/passive/xss_dom.rb
|
298
318
|
- plugins/catalog/catalog.ico
|
299
319
|
- plugins/catalog/catalog.rb
|
@@ -315,6 +335,7 @@ files:
|
|
315
335
|
- plugins/crawler/lib/grabber.rb
|
316
336
|
- plugins/crawler/lib/uri_mp.rb
|
317
337
|
- plugins/filefinder/dbs/hbci.db
|
338
|
+
- plugins/filefinder/dbs/sap.db
|
318
339
|
- plugins/filefinder/dbs/well_known.db
|
319
340
|
- plugins/filefinder/filefinder.rb
|
320
341
|
- plugins/sqlmap/bin/test.rb
|