watobo 0.9.19 → 0.9.20
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG.md +104 -0
- data/bin/nfq_server.rb +8 -20
- data/bin/watobo_gui.rb +8 -20
- data/config/forwarding_proxy.yml +2 -2
- data/lib/watobo.rb +12 -22
- data/lib/watobo/adapters.rb +12 -24
- data/lib/watobo/adapters/data_store.rb +76 -66
- data/lib/watobo/adapters/file/file_store.rb +295 -307
- data/lib/watobo/adapters/session_store.rb +13 -25
- data/lib/watobo/ca.rb +9 -21
- data/lib/watobo/config.rb +205 -217
- data/lib/watobo/constants.rb +8 -20
- data/lib/watobo/core.rb +11 -23
- data/lib/watobo/core/active_check.rb +11 -21
- data/lib/watobo/core/active_checks.rb +57 -69
- data/lib/watobo/core/ca.rb +388 -398
- data/lib/watobo/core/cert_store.rb +42 -54
- data/lib/watobo/core/chat.rb +100 -112
- data/lib/watobo/core/chats.rb +271 -275
- data/lib/watobo/core/client_cert_store.rb +33 -45
- data/lib/watobo/core/conversation.rb +56 -68
- data/lib/watobo/core/cookie.rb +31 -43
- data/lib/watobo/core/finding.rb +74 -86
- data/lib/watobo/core/findings.rb +113 -125
- data/lib/watobo/core/forwarding_proxy.rb +44 -35
- data/lib/watobo/core/fuzz_gen.rb +8 -20
- data/lib/watobo/core/intercept_carver.rb +176 -188
- data/lib/watobo/core/intercept_filter.rb +243 -255
- data/lib/watobo/core/interceptor.rb +106 -118
- data/lib/watobo/core/min_class.rb +12 -24
- data/lib/watobo/core/netfilter_queue.rb +178 -190
- data/lib/watobo/core/ott_cache.rb +152 -148
- data/lib/watobo/core/parameter.rb +53 -58
- data/lib/watobo/core/passive_check.rb +8 -20
- data/lib/watobo/core/passive_checks.rb +56 -68
- data/lib/watobo/core/passive_scanner.rb +54 -66
- data/lib/watobo/core/plugin.rb +19 -31
- data/lib/watobo/core/project.rb +8 -20
- data/lib/watobo/core/proxy.rb +51 -63
- data/lib/watobo/core/request.rb +128 -120
- data/lib/watobo/core/response.rb +59 -61
- data/lib/watobo/core/scanner.rb +8 -20
- data/lib/watobo/core/scanner3.rb +413 -425
- data/lib/watobo/core/scope.rb +91 -103
- data/lib/watobo/core/session.rb +109 -87
- data/lib/watobo/core/sid_cache.rb +106 -118
- data/lib/watobo/core/subscriber.rb +33 -45
- data/lib/watobo/defaults.rb +29 -41
- data/lib/watobo/external/diff/lcs.rb +8 -20
- data/lib/watobo/external/diff/lcs/array.rb +8 -20
- data/lib/watobo/external/diff/lcs/block.rb +8 -20
- data/lib/watobo/external/diff/lcs/callbacks.rb +8 -20
- data/lib/watobo/external/diff/lcs/change.rb +8 -20
- data/lib/watobo/external/diff/lcs/hunk.rb +8 -20
- data/lib/watobo/external/diff/lcs/ldiff.rb +8 -20
- data/lib/watobo/external/diff/lcs/string.rb +8 -20
- data/lib/watobo/externals.rb +14 -26
- data/lib/watobo/framework.rb +12 -24
- data/lib/watobo/framework/create_project.rb +68 -80
- data/lib/watobo/framework/init.rb +8 -20
- data/lib/watobo/framework/init_modules.rb +8 -20
- data/lib/watobo/framework/license_text.rb +36 -48
- data/lib/watobo/framework/load_chat.rb +21 -33
- data/lib/watobo/gui.rb +121 -133
- data/lib/watobo/gui/about_watobo.rb +8 -20
- data/lib/watobo/gui/browser_preview.rb +8 -20
- data/lib/watobo/gui/certificate_dialog.rb +8 -20
- data/lib/watobo/gui/chat_diff.rb +11 -21
- data/lib/watobo/gui/chatviewer_frame.rb +10 -22
- data/lib/watobo/gui/checkboxtree.rb +8 -20
- data/lib/watobo/gui/checks_policy_frame.rb +8 -20
- data/lib/watobo/gui/client_cert_dialog.rb +10 -21
- data/lib/watobo/gui/confirm_scan_dialog.rb +8 -20
- data/lib/watobo/gui/conversation_table.rb +54 -44
- data/lib/watobo/gui/conversation_table_ctrl.rb +215 -227
- data/lib/watobo/gui/conversation_table_ctrl2.rb +385 -393
- data/lib/watobo/gui/csrf_token_dialog.rb +11 -25
- data/lib/watobo/gui/custom_viewer.rb +357 -369
- data/lib/watobo/gui/dashboard.rb +8 -20
- data/lib/watobo/gui/define_scope_frame.rb +8 -20
- data/lib/watobo/gui/differ_frame.rb +223 -235
- data/lib/watobo/gui/edit_comment.rb +8 -20
- data/lib/watobo/gui/edit_scope_dialog.rb +8 -20
- data/lib/watobo/gui/export_dialog.rb +114 -0
- data/lib/watobo/gui/finding_info.rb +9 -21
- data/lib/watobo/gui/findings_tree.rb +8 -20
- data/lib/watobo/gui/full_scan_dialog.rb +8 -20
- data/lib/watobo/gui/fuzzer_gui.rb +8 -20
- data/lib/watobo/gui/goto_url_dialog.rb +78 -90
- data/lib/watobo/gui/hex_viewer.rb +25 -27
- data/lib/watobo/gui/html_viewer.rb +295 -307
- data/lib/watobo/gui/intercept_filter_dialog.rb +196 -208
- data/lib/watobo/gui/interceptor_gui.rb +1046 -1041
- data/lib/watobo/gui/interceptor_settings_dialog.rb +8 -20
- data/lib/watobo/gui/list_box.rb +109 -121
- data/lib/watobo/gui/log_file_viewer.rb +40 -52
- data/lib/watobo/gui/log_viewer.rb +87 -99
- data/lib/watobo/gui/login_wizzard.rb +8 -20
- data/lib/watobo/gui/main_window.rb +34 -33
- data/lib/watobo/gui/manual_request_editor.rb +25 -35
- data/lib/watobo/gui/master_pw_dialog.rb +8 -20
- data/lib/watobo/gui/mixins/gui_settings.rb +37 -49
- data/lib/watobo/gui/page_tree.rb +225 -237
- data/lib/watobo/gui/password_policy_dialog.rb +8 -20
- data/lib/watobo/gui/plugin_board.rb +8 -20
- data/lib/watobo/gui/preferences_dialog.rb +8 -20
- data/lib/watobo/gui/progress_window.rb +8 -20
- data/lib/watobo/gui/project_wizzard.rb +8 -20
- data/lib/watobo/gui/proxy_dialog.rb +117 -85
- data/lib/watobo/gui/quick_scan_dialog.rb +8 -20
- data/lib/watobo/gui/request_builder_frame.rb +125 -122
- data/lib/watobo/gui/request_editor.rb +53 -28
- data/lib/watobo/gui/rewrite_filters_dialog.rb +402 -414
- data/lib/watobo/gui/rewrite_rules_dialog.rb +380 -392
- data/lib/watobo/gui/save_chat_dialog.rb +148 -160
- data/lib/watobo/gui/scanner_settings_dialog.rb +8 -20
- data/lib/watobo/gui/select_chat_dialog.rb +8 -20
- data/lib/watobo/gui/session_management_dialog.rb +8 -20
- data/lib/watobo/gui/sites_tree.rb +118 -22
- data/lib/watobo/gui/status_bar.rb +8 -20
- data/lib/watobo/gui/table_editor.rb +76 -53
- data/lib/watobo/gui/tagless_viewer.rb +10 -21
- data/lib/watobo/gui/templates/plugin.rb +8 -20
- data/lib/watobo/gui/templates/plugin2.rb +99 -111
- data/lib/watobo/gui/templates/plugin_base.rb +152 -164
- data/lib/watobo/gui/text_viewer.rb +8 -20
- data/lib/watobo/gui/transcoder_window.rb +15 -22
- data/lib/watobo/gui/utils/gui_utils.rb +8 -20
- data/lib/watobo/gui/utils/init_icons.rb +94 -106
- data/lib/watobo/gui/utils/load_icons.rb +41 -53
- data/lib/watobo/gui/utils/load_plugins.rb +118 -130
- data/lib/watobo/gui/utils/master_password.rb +76 -88
- data/lib/watobo/gui/utils/save_default_settings.rb +121 -133
- data/lib/watobo/gui/utils/save_project_settings.rb +8 -20
- data/lib/watobo/gui/utils/save_proxy_settings.rb +53 -21
- data/lib/watobo/gui/utils/save_scanner_settings.rb +26 -38
- data/lib/watobo/gui/utils/session_history.rb +120 -132
- data/lib/watobo/gui/workspace_dialog.rb +8 -20
- data/lib/watobo/gui/www_auth_dialog.rb +8 -20
- data/lib/watobo/gui/xml_viewer_frame.rb +8 -20
- data/lib/watobo/http.rb +12 -23
- data/lib/watobo/http/cookies/cookies.rb +63 -70
- data/lib/watobo/http/data/data.rb +56 -64
- data/lib/watobo/http/data/json.rb +51 -0
- data/lib/watobo/http/url/url.rb +46 -58
- data/lib/watobo/http/xml/xml.rb +129 -141
- data/lib/watobo/interceptor.rb +11 -23
- data/lib/watobo/interceptor/proxy.rb +624 -625
- data/lib/watobo/interceptor/transparent.rb +22 -34
- data/lib/watobo/mixins.rb +18 -30
- data/lib/watobo/mixins/check_info.rb +35 -47
- data/lib/watobo/mixins/httpparser.rb +42 -35
- data/lib/watobo/mixins/request_parser.rb +8 -20
- data/lib/watobo/mixins/shapers.rb +484 -477
- data/lib/watobo/mixins/transcoders.rb +8 -20
- data/lib/watobo/parser.rb +9 -21
- data/lib/watobo/parser/html.rb +91 -103
- data/lib/watobo/sockets.rb +11 -23
- data/lib/watobo/sockets/agent.rb +836 -848
- data/lib/watobo/sockets/client_socket.rb +283 -277
- data/lib/watobo/sockets/connection.rb +409 -421
- data/lib/watobo/sockets/http_socket.rb +16 -23
- data/lib/watobo/sockets/ntlm_auth.rb +137 -149
- data/lib/watobo/utils.rb +18 -30
- data/lib/watobo/utils/check_regex.rb +8 -20
- data/lib/watobo/utils/copy_object.rb +8 -20
- data/lib/watobo/utils/crypto.rb +8 -20
- data/lib/watobo/utils/expand_range.rb +31 -43
- data/lib/watobo/utils/export_xml.rb +108 -0
- data/lib/watobo/utils/file_management.rb +8 -20
- data/lib/watobo/utils/hexprint.rb +17 -29
- data/lib/watobo/utils/load_chat.rb +8 -20
- data/lib/watobo/utils/load_icon.rb +8 -20
- data/lib/watobo/{external/ntlm → utils}/ntlm.rb +874 -796
- data/lib/watobo/utils/print_debug.rb +20 -32
- data/lib/watobo/utils/response_builder.rb +98 -110
- data/lib/watobo/utils/response_hash.rb +9 -20
- data/lib/watobo/utils/secure_eval.rb +10 -22
- data/lib/watobo/utils/strings.rb +18 -30
- data/lib/watobo/utils/text2request.rb +12 -20
- data/lib/watobo/utils/url.rb +31 -43
- data/lib/watobo/utils/utf16.rb +22 -0
- data/modules/active/Apache/mod_status.rb +9 -0
- data/modules/active/Apache/multiview.rb +161 -0
- data/modules/active/Flash/crossdomain.rb +9 -0
- data/modules/active/directories/dirwalker.rb +8 -20
- data/modules/active/discovery/fileextensions.rb +10 -22
- data/modules/active/discovery/http_methods.rb +8 -20
- data/modules/active/domino/domino_db.rb +8 -20
- data/modules/active/dotNET/custom_errors.rb +110 -122
- data/modules/active/dotNET/dotnet_files.rb +98 -110
- data/modules/active/fileinclusion/lfi_simple.rb +8 -20
- data/modules/active/jboss/jboss_basic.rb +8 -20
- data/modules/active/sap/business_objects.rb +63 -0
- data/modules/active/sap/its_commands.rb +8 -20
- data/modules/active/sap/its_service_parameter.rb +8 -20
- data/modules/active/sap/its_services.rb +8 -20
- data/modules/active/sap/its_xss.rb +8 -20
- data/modules/active/shell_shock/shell_shock.rb +149 -0
- data/modules/active/siebel/siebel_apps.rb +168 -180
- data/modules/active/sqlinjection/sql_boolean.rb +9 -21
- data/modules/active/sqlinjection/sqli_error.rb +10 -22
- data/modules/active/sqlinjection/sqli_timing.rb +228 -240
- data/modules/active/struts2/default_handler_ognl.rb +114 -126
- data/modules/active/struts2/include_params_ognl.rb +113 -125
- data/modules/active/xml/xml_xxe.rb +122 -127
- data/modules/active/xss/xss_ng.rb +223 -234
- data/modules/active/xss/xss_simple.rb +8 -20
- data/modules/passive/ajax.rb +76 -84
- data/modules/passive/autocomplete.rb +64 -76
- data/modules/passive/cookie_options.rb +8 -20
- data/modules/passive/cookie_xss.rb +9 -21
- data/modules/passive/detect_code.rb +9 -21
- data/modules/passive/detect_fileupload.rb +11 -22
- data/modules/passive/detect_infrastructure.rb +23 -35
- data/modules/passive/detect_one_time_tokens.rb +8 -20
- data/modules/passive/dirindexing.rb +9 -21
- data/modules/passive/disclosure_domino.rb +66 -79
- data/modules/passive/disclosure_emails.rb +9 -21
- data/modules/passive/disclosure_ipaddr.rb +15 -23
- data/modules/passive/filename_as_parameter.rb +8 -20
- data/modules/passive/form_spotter.rb +15 -21
- data/modules/passive/hidden_fields.rb +64 -70
- data/modules/passive/hotspots.rb +13 -22
- data/modules/passive/in_script_parameter.rb +15 -24
- data/modules/passive/multiple_server_headers.rb +8 -20
- data/modules/passive/possible_login.rb +12 -23
- data/modules/passive/redirect_url.rb +10 -22
- data/modules/passive/redirectionz.rb +9 -21
- data/modules/passive/sap-headers.rb +64 -76
- data/modules/passive/xss_dom.rb +10 -21
- data/plugins/catalog/catalog.rb +17 -23
- data/plugins/crawler/crawler.rb +12 -24
- data/plugins/crawler/gui.rb +13 -25
- data/plugins/crawler/gui/auth_frame.rb +278 -290
- data/plugins/crawler/gui/crawler_gui.rb +302 -320
- data/plugins/crawler/gui/general_settings_frame.rb +104 -116
- data/plugins/crawler/gui/hooks_frame.rb +88 -100
- data/plugins/crawler/gui/scope_frame.rb +58 -70
- data/plugins/crawler/gui/settings_tabbook.rb +46 -58
- data/plugins/crawler/gui/status_frame.rb +67 -78
- data/plugins/crawler/lib/bags.rb +26 -38
- data/plugins/crawler/lib/constants.rb +19 -31
- data/plugins/crawler/lib/engine.rb +505 -508
- data/plugins/crawler/lib/grabber.rb +77 -87
- data/plugins/crawler/lib/status.rb +82 -0
- data/plugins/crawler/lib/uri_mp.rb +20 -32
- data/plugins/filefinder/dbs/siebel_paths.txt +1118 -0
- data/plugins/filefinder/dbs/subs-big.lst +31986 -0
- data/plugins/filefinder/filefinder.rb +13 -23
- data/plugins/sqlmap/bin/test.rb +86 -98
- data/plugins/sqlmap/gui.rb +12 -24
- data/plugins/sqlmap/gui/main.rb +226 -238
- data/plugins/sqlmap/gui/options_frame.rb +105 -117
- data/plugins/sqlmap/lib/sqlmap_ctrl.rb +103 -115
- data/plugins/sqlmap/sqlmap.rb +10 -22
- data/plugins/sslchecker/cli/sslchecker_cli.rb +8 -20
- data/plugins/sslchecker/gui/cipher_table.rb +252 -264
- data/plugins/sslchecker/gui/gui.rb +267 -276
- data/plugins/sslchecker/gui/sslchecker.rb +12 -24
- data/plugins/sslchecker/lib/check.rb +172 -80
- data/plugins/wshell/gui/main.rb +115 -127
- data/plugins/wshell/lib/core.rb +85 -97
- data/plugins/wshell/wshell.rb +19 -31
- metadata +14 -6
- data/.yardopts +0 -24
data/lib/watobo/core/scope.rb
CHANGED
@@ -1,106 +1,94 @@
|
|
1
|
-
|
1
|
+
#.
|
2
2
|
# scope.rb
|
3
|
-
|
4
|
-
# Copyright
|
5
|
-
#
|
6
|
-
#
|
7
|
-
#
|
8
|
-
#
|
9
|
-
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
-
# it under the terms of the GNU General Public License as published by
|
11
|
-
# the Free Software Foundation version 2 of the License.
|
12
|
-
#
|
13
|
-
# WATOBO is distributed in the hope that it will be useful,
|
14
|
-
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
-
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
-
# GNU General Public License for more details.
|
17
|
-
#
|
18
|
-
# You should have received a copy of the GNU General Public License
|
19
|
-
# along with WATOBO; if not, write to the Free Software
|
20
|
-
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
-
# .
|
22
|
-
# @private
|
23
|
-
module Watobo#:nodoc: all
|
24
|
-
class Scope
|
25
|
-
@scope = {}
|
26
|
-
def self.to_s
|
27
|
-
@scope.to_yaml
|
28
|
-
end
|
29
|
-
|
30
|
-
def self.to_yaml
|
31
|
-
@scope.to_yaml
|
32
|
-
end
|
33
|
-
|
34
|
-
def self.set(scope)
|
35
|
-
@scope = scope
|
36
|
-
end
|
37
|
-
|
38
|
-
def self.exist?
|
39
|
-
return false if @scope.empty?
|
40
|
-
@scope.each_value do |s|
|
41
|
-
return true if s[:enabled] == true
|
42
|
-
end
|
43
|
-
return false
|
44
|
-
end
|
45
|
-
|
46
|
-
def self.reset
|
47
|
-
@scope = {}
|
48
|
-
end
|
49
|
-
|
50
|
-
def self.each(&block)
|
51
|
-
if block_given?
|
52
|
-
@scope.each do |site, scope|
|
53
|
-
yield [ site, scope]
|
54
|
-
end
|
55
|
-
end
|
56
|
-
end
|
57
|
-
|
58
|
-
def self.match_site?(site)
|
59
|
-
return true if @scope.empty?
|
60
|
-
@scope.has_key? site
|
61
|
-
end
|
62
|
-
|
63
|
-
def self.match_chat?(chat)
|
64
|
-
#puts @scope.to_yaml
|
65
|
-
return true if @scope.empty?
|
3
|
+
#.
|
4
|
+
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
+
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
+
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
+
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
+
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
66
9
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
return
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
10
|
+
# @private
|
11
|
+
module Watobo#:nodoc: all
|
12
|
+
class Scope
|
13
|
+
@scope = {}
|
14
|
+
def self.to_s
|
15
|
+
@scope.to_yaml
|
16
|
+
end
|
17
|
+
|
18
|
+
def self.to_yaml
|
19
|
+
@scope.to_yaml
|
20
|
+
end
|
21
|
+
|
22
|
+
def self.set(scope)
|
23
|
+
@scope = scope
|
24
|
+
end
|
25
|
+
|
26
|
+
def self.exist?
|
27
|
+
return false if @scope.empty?
|
28
|
+
@scope.each_value do |s|
|
29
|
+
return true if s[:enabled] == true
|
30
|
+
end
|
31
|
+
return false
|
32
|
+
end
|
33
|
+
|
34
|
+
def self.reset
|
35
|
+
@scope = {}
|
36
|
+
end
|
37
|
+
|
38
|
+
def self.each(&block)
|
39
|
+
if block_given?
|
40
|
+
@scope.each do |site, scope|
|
41
|
+
yield [ site, scope]
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
def self.match_site?(site)
|
47
|
+
return true if @scope.empty?
|
48
|
+
@scope.has_key? site
|
49
|
+
end
|
50
|
+
|
51
|
+
def self.match_chat?(chat)
|
52
|
+
#puts @scope.to_yaml
|
53
|
+
return true if @scope.empty?
|
54
|
+
|
55
|
+
site = chat.request.site
|
56
|
+
|
57
|
+
if @scope.has_key? site
|
58
|
+
|
59
|
+
path = chat.request.path
|
60
|
+
url = chat.request.url.to_s
|
61
|
+
scope = @scope[site]
|
62
|
+
|
63
|
+
if scope.has_key? :root_path
|
64
|
+
unless scope[:root_path].empty?
|
65
|
+
return false unless path =~ /^(\/)?#{scope[:root_path]}/i
|
66
|
+
end
|
67
|
+
end
|
68
|
+
return true unless scope.has_key? :excluded_paths
|
69
|
+
|
70
|
+
|
71
|
+
scope[:excluded_paths].each do |p|
|
72
|
+
# puts "#{url} - #{p}"
|
73
|
+
return false if url =~ /#{p}/
|
74
|
+
end
|
75
|
+
|
76
|
+
return true
|
77
|
+
end
|
78
|
+
return false
|
79
|
+
end
|
80
|
+
|
81
|
+
def self.add(site)
|
82
|
+
|
83
|
+
scope_details = {
|
84
|
+
:site => site,
|
85
|
+
:enabled => true,
|
86
|
+
:root_path => '',
|
87
|
+
:excluded_paths => [],
|
88
|
+
}
|
89
|
+
|
90
|
+
@scope[site] = scope_details
|
91
|
+
return true
|
92
|
+
end
|
93
|
+
end
|
106
94
|
end
|
data/lib/watobo/core/session.rb
CHANGED
@@ -1,24 +1,12 @@
|
|
1
|
-
|
1
|
+
#.
|
2
2
|
# session.rb
|
3
|
-
|
4
|
-
# Copyright
|
5
|
-
#
|
6
|
-
#
|
7
|
-
#
|
8
|
-
#
|
9
|
-
|
10
|
-
# it under the terms of the GNU General Public License as published by
|
11
|
-
# the Free Software Foundation version 2 of the License.
|
12
|
-
#
|
13
|
-
# WATOBO is distributed in the hope that it will be useful,
|
14
|
-
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
-
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
-
# GNU General Public License for more details.
|
17
|
-
#
|
18
|
-
# You should have received a copy of the GNU General Public License
|
19
|
-
# along with WATOBO; if not, write to the Free Software
|
20
|
-
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
-
# .
|
3
|
+
#.
|
4
|
+
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
+
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
+
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
+
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
+
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
+
|
22
10
|
# @private
|
23
11
|
module Watobo#:nodoc: all
|
24
12
|
|
@@ -114,7 +102,17 @@ module Watobo#:nodoc: all
|
|
114
102
|
#end
|
115
103
|
#puts
|
116
104
|
if current_prefs[:update_contentlength] == true and request.has_body? then
|
105
|
+
# puts "\n* Updating Content-Length ..."
|
106
|
+
# puts "OLD: #{request.content_length}"
|
107
|
+
# puts "BodyLen: #{request.body.length}"
|
108
|
+
b = request.body
|
109
|
+
#puts b.length
|
110
|
+
#puts request.body.unpack("H*")[0]
|
111
|
+
#puts (request.body.unpack("H*")[0].length / 2).to_s
|
117
112
|
request.fix_content_length()
|
113
|
+
#puts "New: #{request.content_length}"
|
114
|
+
#puts request.body.encoding
|
115
|
+
#puts "--"
|
118
116
|
end
|
119
117
|
|
120
118
|
#request.add_header("Via", "Watobo") if use_proxy
|
@@ -156,14 +154,14 @@ module Watobo#:nodoc: all
|
|
156
154
|
response_header = readHTTPHeader(socket, current_prefs)
|
157
155
|
end
|
158
156
|
end
|
159
|
-
return socket, request, response_header
|
157
|
+
return socket, Request.new(request), Response.new(response_header)
|
160
158
|
end
|
161
159
|
# puts "* doProxyRequest"
|
162
160
|
socket, response_header = doProxyRequest(request, proxy, current_prefs)
|
163
161
|
# puts socket.class
|
164
162
|
return socket, response_header, error_response("Could Not Connect To Proxy: #{proxy.name} (#{proxy.host}:#{proxy.port})\n", "#{response_header}") if socket.nil?
|
165
163
|
|
166
|
-
return socket, request, response_header
|
164
|
+
return socket, Request.new(request), Response.new(response_header)
|
167
165
|
else
|
168
166
|
# direct connection to host
|
169
167
|
tcp_socket = nil
|
@@ -221,12 +219,24 @@ module Watobo#:nodoc: all
|
|
221
219
|
else
|
222
220
|
# puts "========== Add Headers"
|
223
221
|
|
224
|
-
|
222
|
+
request.set_header("Connection", "close") #if not use_proxy
|
225
223
|
|
226
224
|
data = request.join
|
227
225
|
unless request.has_body?
|
228
226
|
data << "\r\n" unless data =~ /\r\n\r\n$/
|
229
227
|
end
|
228
|
+
|
229
|
+
# puts "\n*** SENDING ..."
|
230
|
+
# puts data
|
231
|
+
# if request.has_body?
|
232
|
+
# puts request.body.length
|
233
|
+
# bhex = request.body.unpack("H*")[0]
|
234
|
+
# puts bhex
|
235
|
+
# puts bhex.length
|
236
|
+
# end
|
237
|
+
|
238
|
+
|
239
|
+
|
230
240
|
# puts "= SESSION ="
|
231
241
|
# puts data
|
232
242
|
# puts data.unpack("H*")[0]#.gsub(/0d0a/,"0d0a\n")
|
@@ -261,12 +271,13 @@ module Watobo#:nodoc: all
|
|
261
271
|
response = error_response "TimeOut (#{host}:#{port})"
|
262
272
|
socket = nil
|
263
273
|
rescue Errno::ETIMEDOUT
|
274
|
+
puts "TimeOut (#{host}:#{port})"
|
264
275
|
response = error_response "TimeOut (#{host}:#{port})"
|
265
276
|
socket = nil
|
266
277
|
rescue Errno::ENOTCONN
|
267
278
|
puts "!!!ENOTCONN"
|
268
279
|
rescue OpenSSL::SSL::SSLError
|
269
|
-
response = error_response "SSL-Error", $!.backtrace.join
|
280
|
+
response = error_response "SSL-Error", $!.to_s + "<br>" + $!.backtrace.join("<br>")
|
270
281
|
socket = nil
|
271
282
|
rescue => bang
|
272
283
|
response = error_response "ERROR:", "#{bang}\n#{bang.backtrace}"
|
@@ -316,8 +327,15 @@ module Watobo#:nodoc: all
|
|
316
327
|
# p "*"
|
317
328
|
# csrf_response = readHTTPHeader(socket)
|
318
329
|
readHTTPBody(socket, csrf_response, csrf_request, opts)
|
330
|
+
|
331
|
+
# response = Response.new(csrf_response)
|
332
|
+
|
319
333
|
|
320
|
-
next
|
334
|
+
next unless csrf_response.has_body?
|
335
|
+
|
336
|
+
csrf_response.unchunk!
|
337
|
+
csrf_response.unzip!
|
338
|
+
|
321
339
|
@sid_cache.update_sids(csrf_request.site, [csrf_response.body]) if @session[:update_sids] == true
|
322
340
|
|
323
341
|
# updateCSRFCache(csrf_cache, csrf_request, [csrf_response.body]) if csrf_response.content_type =~ /text\//
|
@@ -342,14 +360,18 @@ module Watobo#:nodoc: all
|
|
342
360
|
|
343
361
|
if @session[:follow_redirect]
|
344
362
|
# puts response.status
|
345
|
-
if response.status =~ /^
|
363
|
+
if response.status =~ /^30(1|2|8)/
|
346
364
|
#response.extend Watobo::Mixin::Parser::Web10
|
347
365
|
#request.extend Watobo::Mixin::Shaper::Web10
|
348
366
|
|
349
367
|
loc_header = response.headers("Location:").first
|
350
368
|
new_location = loc_header.gsub(/^[^:]*:/,'').strip
|
351
369
|
unless new_location =~ /^http/
|
352
|
-
new_location
|
370
|
+
if new_location =~ /^\//
|
371
|
+
new_location = request.proto + "://" + request.site + new_location
|
372
|
+
else
|
373
|
+
new_location = request.proto + "://" + request.site + "/" + request.dir + "/" + new_location.sub(/^[\.\/]*/,'')
|
374
|
+
end
|
353
375
|
end
|
354
376
|
|
355
377
|
notify(:follow_redirect, new_location)
|
@@ -384,14 +406,19 @@ end
|
|
384
406
|
# puts "! Error in doRequest"
|
385
407
|
puts "! Module #{Module.nesting[0].name}"
|
386
408
|
puts bang
|
387
|
-
|
409
|
+
puts bang.backtrace if $DEBUG
|
388
410
|
@lasterror = bang
|
389
411
|
# raise
|
390
412
|
# ensure
|
391
413
|
end
|
392
414
|
|
393
|
-
response.extend Watobo::Mixin::Parser::Web10
|
394
|
-
|
415
|
+
#response.extend Watobo::Mixin::Parser::Web10
|
416
|
+
# resp = Watobo::Response.new(response)
|
417
|
+
|
418
|
+
response.unchunk!
|
419
|
+
response.unzip!
|
420
|
+
|
421
|
+
return Request.new(request), response
|
395
422
|
end
|
396
423
|
|
397
424
|
def addProxy(prefs=nil)
|
@@ -431,7 +458,7 @@ end
|
|
431
458
|
# :update_valid_sids => false,
|
432
459
|
# :update_sids => false,
|
433
460
|
# :update_contentlength => true
|
434
|
-
def initialize( session_id, prefs={} )
|
461
|
+
def initialize( session_id=nil, prefs={} )
|
435
462
|
|
436
463
|
@event_dispatcher_listeners = Hash.new
|
437
464
|
# @session = {}
|
@@ -488,6 +515,7 @@ end
|
|
488
515
|
elsif clen > 0
|
489
516
|
# puts "* read #{clen} bytes for body"
|
490
517
|
Watobo::HTTPSocket.read_body(socket, :max_bytes => clen) { |c|
|
518
|
+
|
491
519
|
data += c
|
492
520
|
break if data.length == clen
|
493
521
|
}
|
@@ -522,29 +550,40 @@ end
|
|
522
550
|
#def doNtlmAuth(socket, request, ntlm_credentials)
|
523
551
|
def wwwAuthNTLM(socket, request, ntlm_credentials)
|
524
552
|
response_header = nil
|
553
|
+
auth_method = "NTLM"
|
525
554
|
begin
|
526
|
-
|
555
|
+
head_request = request.copy
|
556
|
+
head_request.setMethod(:head)
|
557
|
+
head_request.removeBody
|
558
|
+
head_request.removeHeader("Content-Length")
|
559
|
+
data = head_request.join + "\r\n"
|
560
|
+
|
561
|
+
socket.print data
|
562
|
+
|
563
|
+
response_header = readHTTPHeader(socket)
|
564
|
+
response_header.each do |line|
|
565
|
+
if line =~ /^www-authenticat.*((Negotiate|NTLM))/i then
|
566
|
+
#puts line
|
567
|
+
auth_method = $1
|
568
|
+
break
|
569
|
+
end
|
570
|
+
#break if line.strip.empty?
|
571
|
+
end
|
527
572
|
|
528
573
|
ntlm_challenge = nil
|
529
|
-
t1 =
|
530
|
-
|
531
|
-
|
532
|
-
|
533
|
-
|
534
|
-
|
535
|
-
auth_request.set_header("Authorization", msg)
|
536
|
-
auth_request.set_header("Connection", "Keep-Alive")
|
537
|
-
|
538
|
-
if $DEBUG
|
539
|
-
puts "============= T1 ======================="
|
540
|
-
puts auth_request
|
541
|
-
end
|
574
|
+
t1 = Watobo::NTLM::Message::Type1.new()
|
575
|
+
%w(workstation domain).each do |a|
|
576
|
+
t1.send("#{a}=",'')
|
577
|
+
t1.enable(a.to_sym)
|
578
|
+
end
|
542
579
|
|
543
|
-
|
580
|
+
msg = "#{auth_method} #{t1.encode64}"
|
581
|
+
head_request.set_header("Authorization", msg)
|
582
|
+
|
583
|
+
data = head_request.join + "\r\n"
|
584
|
+
|
544
585
|
socket.print data
|
545
586
|
|
546
|
-
puts "-----------------" if $DEBUG
|
547
|
-
|
548
587
|
response_header = []
|
549
588
|
rcode = nil
|
550
589
|
clen = nil
|
@@ -555,7 +594,7 @@ end
|
|
555
594
|
rcode = $1.to_i
|
556
595
|
rmsg = $2
|
557
596
|
end
|
558
|
-
if line =~ /^WWW-Authenticate: (NTLM) (.+)\r\n/
|
597
|
+
if line =~ /^WWW-Authenticate: (NTLM|Negotiate) (.+)\r\n/
|
559
598
|
ntlm_challenge = $2
|
560
599
|
end
|
561
600
|
if line =~ /^Content-Length: (\d{1,})\r\n/
|
@@ -563,13 +602,7 @@ end
|
|
563
602
|
end
|
564
603
|
break if line.strip.empty?
|
565
604
|
end
|
566
|
-
|
567
|
-
|
568
|
-
if $DEBUG
|
569
|
-
puts "--- T1 RESPONSE HEADERS ---"
|
570
|
-
puts response_header
|
571
|
-
puts "---"
|
572
|
-
end
|
605
|
+
|
573
606
|
if rcode == 401 #Authentication Required
|
574
607
|
puts "[NTLM] got ntlm challenge: #{ntlm_challenge}" if $DEBUG
|
575
608
|
return socket, response_header if ntlm_challenge.nil?
|
@@ -584,45 +617,33 @@ end
|
|
584
617
|
return socket, Watobo::Response.new(response_header)
|
585
618
|
end
|
586
619
|
|
587
|
-
|
588
|
-
|
589
|
-
Watobo::
|
590
|
-
|
591
|
-
}
|
592
|
-
|
593
|
-
if $DEBUG
|
594
|
-
puts "--- T1 RESPONSE BODY ---"
|
595
|
-
puts rest
|
596
|
-
puts "---"
|
597
|
-
end
|
598
|
-
t2 = Net::NTLM::Message.decode64(ntlm_challenge)
|
599
|
-
t3 = t2.response({:user => ntlm_credentials[:username],
|
620
|
+
|
621
|
+
t2 = Watobo::NTLM::Message.decode64(ntlm_challenge)
|
622
|
+
domain = ntlm_credentials.has_key?(:domain) ? Watobo::UTF16.encode_utf16le(ntlm_credentials[:domain].upcase) : ""
|
623
|
+
creds = {:user => ntlm_credentials[:username],
|
600
624
|
:password => ntlm_credentials[:password],
|
601
|
-
:domain =>
|
602
|
-
|
603
|
-
|
604
|
-
|
605
|
-
|
606
|
-
|
625
|
+
:domain => domain,
|
626
|
+
:workstation => Watobo::UTF16.encode_utf16le(Socket.gethostname)
|
627
|
+
}
|
628
|
+
|
629
|
+
t3 = t2.response( creds,
|
630
|
+
{:ntlmv2 => true}
|
631
|
+
)
|
632
|
+
|
633
|
+
auth_request = request.copy
|
607
634
|
|
608
635
|
auth_request.set_header("Connection", "close")
|
609
636
|
|
610
|
-
msg = "
|
637
|
+
msg = "#{auth_method} #{t3.encode64}"
|
611
638
|
auth_request.set_header("Authorization", msg)
|
612
639
|
# puts "============= T3 ======================="
|
613
640
|
|
614
641
|
data = auth_request.join + "\r\n"
|
615
|
-
|
616
|
-
if $DEBUG
|
617
|
-
puts "= NTLM Type 3 ="
|
618
|
-
puts data
|
619
|
-
end
|
620
642
|
socket.print data
|
621
643
|
|
622
644
|
response_header = []
|
623
645
|
response_header = readHTTPHeader(socket)
|
624
646
|
response_header.each do |line|
|
625
|
-
# puts line
|
626
647
|
|
627
648
|
if line =~ /^HTTP\/\d\.\d (\d+) (.*)/ then
|
628
649
|
rcode = $1.to_i
|
@@ -637,7 +658,6 @@ end
|
|
637
658
|
# TODO: authorization didn't work -> do some notification
|
638
659
|
# ...
|
639
660
|
puts "[NTLM] could not authenticate. Bad credentials?"
|
640
|
-
puts ntlm_credentials.to_yaml
|
641
661
|
end
|
642
662
|
|
643
663
|
return socket, Watobo::Response.new(response_header)
|
@@ -748,7 +768,7 @@ end
|
|
748
768
|
case proxy.auth_type
|
749
769
|
when AUTH_TYPE_NTLM
|
750
770
|
|
751
|
-
t1 =
|
771
|
+
t1 = Watobo::NTLM::Message::Type1.new()
|
752
772
|
msg = "NTLM " + t1.encode64
|
753
773
|
request.addHeader("Proxy-Authorization", msg)
|
754
774
|
|
@@ -794,7 +814,7 @@ end
|
|
794
814
|
|
795
815
|
return socket, response_header if ntlm_challenge.nil? or ntlm_challenge == ""
|
796
816
|
|
797
|
-
t2 =
|
817
|
+
t2 = Watobo::NTLM::Message.decode64(ntlm_challenge)
|
798
818
|
t3 = t2.response( { :user => proxy.username,
|
799
819
|
:password => proxy.password,
|
800
820
|
:domain => proxy.domain },
|
@@ -857,6 +877,8 @@ end
|
|
857
877
|
return socket, response_header
|
858
878
|
rescue => bang
|
859
879
|
puts bang
|
880
|
+
puts proxy
|
881
|
+
puts prefs
|
860
882
|
return nil, error_response(bang)
|
861
883
|
end
|
862
884
|
# return nil, nil
|
@@ -878,7 +900,7 @@ end
|
|
878
900
|
response_header = []
|
879
901
|
|
880
902
|
ntlm_challenge = nil
|
881
|
-
t1 =
|
903
|
+
t1 = Watobo::NTLM::Message::Type1.new()
|
882
904
|
msg = "NTLM " + t1.encode64
|
883
905
|
|
884
906
|
request.addHeader("Proxy-Authorization", msg)
|
@@ -923,7 +945,7 @@ end
|
|
923
945
|
#puts d
|
924
946
|
}
|
925
947
|
|
926
|
-
t2 =
|
948
|
+
t2 = Watobo::NTLM::Message.decode64(ntlm_challenge)
|
927
949
|
t3 = t2.response({:user => proxy.username, :password => proxy.password, :workstation => proxy.workstation, :domain => proxy.domain}, {:ntlmv2 => true})
|
928
950
|
#request.removeHeader("Proxy-Authorization")
|
929
951
|
# request.removeHeader("Proxy-Connection")
|