watobo 0.9.20 → 0.9.21

data/modules/active/struts2/include_params_ognl.rb

@@ -75,7 +75,7 @@ EOD
                   tparam = Watobo::UrlParameter.new( :name => "watobo", :value => CGI::escape(test_value) )
                   
                   test_request.url.set tparam
-                  puts test_request.first
+                  #puts test_request.first
                   
                   request, response = doRequest(test_request)
                   

data/modules/active/xml/xml_xxe.rb

@@ -18,7 +18,12 @@ module Watobo#:nodoc: all
           # if the result is the same, chances are good that XXE attacks will work
           #
           # Links:
-          # http://www.w3.org/TR/2004/REC-xml-20040204/#sec-external-ent
+          # http://www.w3.org/TR/2004/REC-xml-20040204/#sec-external-ent
+          
+          # Exploitation notes:
+          # https://www.christian-schneider.net/GenericXxeDetection.html
+          # <!ENTITY % three SYSTEM "file:///etc/passwd">
+          # <!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
           
           @info.update(
             :check_name => 'XML-XXE',    # name of check which briefly describes functionality, will be used for tree and progress views

data/modules/passive/disclosure_domino.rb

@@ -33,7 +33,7 @@ module Watobo#:nodoc: all
           )
           
         
-          @pattern = '([\w\/\-0-9\.:]+\.nsf)'
+          @pattern = '([a-zA-Z\/\-0-9\.:]+\.nsf)'
           @dbs = []
         end
         

data/modules/passive/in_script_parameter.rb

@@ -35,9 +35,11 @@ module Watobo#:nodoc: all
           
         end
         
-        def showError(chatid, message)
-          puts "!!! Error #{Module.nesting[0].name}"  
-          puts "Chat: [#{chatid}]"
+        def showError(chat, message)
+          puts "!!! Error in module #{Module.nesting[0].name}"  
+          puts "Chat: [#{chat.id}]"
+          puts "URL: #{chat.request.url}"
+          puts "-- Error --"
           puts message
         end
         
@@ -78,7 +80,10 @@ module Watobo#:nodoc: all
             end
           rescue => bang
             # raise
-            showError(chat.id, bang)
+            
+            showError(chat, bang)
+            puts bang
+            puts "-- trace --"
             puts bang.backtrace
             
           end

data/plugins/aem/aem.rb

@@ -0,0 +1,21 @@
+#.
+# aem.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# @private 
+module Watobo#:nodoc: all::Plugin
+  module Plugin
+    class AEM < Watobo::PluginBase
+      plugin_name "AEM"
+      description "Adobe Experience Manager Enumerator"
+      load_libs
+      load_gui :main, :tree_view
+    end
+  end
+end
+

data/plugins/aem/gui/main.rb

@@ -0,0 +1,128 @@
+#.
+# main.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# @private
+module Watobo#:nodoc: all
+  module Plugin
+    class AEM
+      class Gui < Watobo::PluginGui
+
+        window_title "Adobe Experience Manager Enumerator"
+        icon_file "aem.ico"
+        def start
+          @results = []
+          @tree_view.clear
+          @tree_view.set_base_dir @url.text
+          Watobo::Plugin::CQ5.reset
+         # Watobo::Plugin::CQ5.use_relative_path = @relative_path_cb.checked?
+          Watobo::Plugin::CQ5.ignore_patterns = @ignore_cb.checked? ? @ignore_patterns_list.to_a : []
+          Watobo::Plugin::CQ5.run( @url.text , @results_queue)
+        end
+
+        def stop
+          Watobo::Plugin::CQ5.stop
+        end
+
+        def initialize()
+          @results = []
+          @export_path = Watobo.workspace_path
+          @results_queue = Queue.new
+
+          super()
+
+          main_frame = FXVerticalFrame.new(self, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
+          
+          url_frame = FXHorizontalFrame.new(main_frame, :opts => LAYOUT_FILL_X)
+          @url = FXTextField.new(url_frame, 25, nil, 0, :opts => TEXTFIELD_NORMAL|LAYOUT_FILL_X|LAYOUT_LEFT)
+
+          @url.setFocus()
+          @url.setDefault()
+
+          @start_btn = FXButton.new(url_frame, "start")
+
+          @url.connect(SEL_COMMAND){ start }
+          @start_btn.connect(SEL_COMMAND){ start }
+
+          @stop_btn = FXButton.new(url_frame, "stop")
+          @stop_btn.connect(SEL_COMMAND){ stop }
+          
+          splitter = FXSplitter.new(main_frame, LAYOUT_FILL_X|SPLITTER_HORIZONTAL|LAYOUT_FILL_Y|SPLITTER_TRACKING)
+          opts_frame  = FXVerticalFrame.new(splitter, :opts => LAYOUT_SIDE_BOTTOM|LAYOUT_FIX_WIDTH, :width => 450)
+         
+          
+          gbframe = FXGroupBox.new(opts_frame, "Ignore Path Patterns", FRAME_GROOVE|LAYOUT_FILL_Y, 0, 0, 0, 0)
+            iframe = FXVerticalFrame.new(gbframe, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
+            @ignore_cb = FXCheckButton.new(iframe, "enable", nil, 0, JUSTIFY_LEFT|JUSTIFY_TOP|ICON_BEFORE_TEXT|LAYOUT_SIDE_TOP)
+            @ignore_cb.checkState = true
+
+            @invert_cb = FXCheckButton.new(iframe, "invert", nil, 0, JUSTIFY_LEFT|JUSTIFY_TOP|ICON_BEFORE_TEXT|LAYOUT_SIDE_TOP)
+            @invert_cb.checkState = false
+            @invert_cb.disable
+            
+            FXLabel.new(iframe, "Ignore if url matches one of the following patterns (regex):")
+            @ignore_patterns_list = Watobo::Gui::ListBox.new(iframe)
+            @ignore_patterns_list.set %w( replication\/data jcr.*versionstorage workflow\/instances audit\/com.day.cq.replication\/content )
+          #@scope_only_cb.connect(SEL_COMMAND) {  }
+
+          #mr_splitter = FXSplitter.new(main_frame, LAYOUT_FILL_X|LAYOUT_FILL_Y|SPLITTER_HORIZONTAL|SPLITTER_REVERSED|SPLITTER_TRACKING)
+          # top = FXHorizontalFrame.new(mr_splitter, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|LAYOUT_SIDE_BOTTOM)
+          top_frame = FXVerticalFrame.new(splitter, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|LAYOUT_FIX_HEIGHT|FRAME_SUNKEN,:height => 500)
+          @tree_view = TreeView.new top_frame
+          
+         
+          frame = FXHorizontalFrame.new(main_frame, :opts => LAYOUT_FILL_X)
+          @counter = FXLabel.new(frame, "")
+          @queue_size = FXLabel.new(frame, "")
+          update_counter
+
+          @tree_view.subscribe(:show_info){|item|
+            puts "Item clicked"
+            puts item[:url]
+          }
+
+          @save_btn = FXButton.new(frame, "save", :opts => BUTTON_NORMAL|LAYOUT_RIGHT)
+          @save_btn.connect(SEL_COMMAND){ save_results }
+
+          update_timer(500){            
+            max = 100
+            count = 0
+            while @results_queue.size > 0 and count < max
+              r = @results_queue.deq
+              @results << r
+              #puts @results.length
+              @tree_view.add r
+              count += 1
+            end            
+            update_counter 
+          }
+        end
+
+        private
+
+        def update_counter
+          @counter.text = "Total: #{@results.length}"
+          @queue_size.text = "Queue: #{Watobo::Plugin::CQ5.queue_size}"
+        end
+
+        def save_results
+          fname = "cq5_" + Time.now.to_i.to_s + ".json"
+          dst_file = File.join(@export_path, fname)
+          filename = FXFileDialog.getSaveFilename(self, "Select Export File", dst_file)
+          if filename != "" then
+            @export_path = File.dirname filename
+            Thread.new(filename){|fn|
+              File.open(fn,"wb"){|fh| fh.print JSON.pretty_generate(@results) }
+            }
+          end
+        end
+
+      end
+    end
+  end
+end

data/plugins/aem/gui/tree_view.rb

@@ -0,0 +1,180 @@
+#.
+# tree_view.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+#require 'qcustomize.rb'
+
+# @private 
+module Watobo#:nodoc: all
+  module Plugin
+    class AEM
+      class Gui
+    class TreeView < FXTreeList
+      
+      include Watobo::Constants
+      include Watobo::Gui::Icons
+      
+      def subscribe(event, &callback)
+        (@event_dispatcher_listeners[event] ||= []) << callback
+      end
+
+      def clear()
+        @results = []
+        self.clearItems
+      end
+
+      #def refresh_tree()
+      #  self.clearItems
+
+        #Watobo::Chats.each do |chat|
+        #  addChat(chat)
+        #end
+
+      # @interface.updateRequestTable(@project)
+      #end
+
+      def expandFullTree(item)
+        self.expandTree(item)
+        item.each do |c|
+          expandFullTree(c) if !self.itemLeaf?(c)
+        end
+      end
+
+      def collapseFullTree(item)
+        self.collapseTree(item)
+        item.each do |c|
+          collapseFullTree(c) if !self.itemLeaf?(c)
+        end
+      end
+
+
+
+      def add(result)        
+        addItem(result)
+      end
+      
+      def set_base_dir(url)
+        url.gsub!(/^.*\/\//,'')
+        subdirs = url.split '/'
+        subdirs.shift
+        item = nil
+        subdirs.each do |d|
+         # puts "* append #{d}"
+          nxt = self.appendItem(item, d)#, @folderIcon, @folderIcon)              
+          self.setItemData(nxt, :base_dir)
+         # puts nxt.class
+          item = nxt
+        end
+        
+       # @base_dir = subdirs.join '/'
+      end
+
+      # end
+      def addItem(result)
+        #puts result
+        url = "#{result[:url].to_s}"
+        url.gsub!(/^.*\/\//,'')
+        subdirs = url.split '/'
+        subdirs.shift
+        
+        puts subdirs.join ' | '
+        
+        item = nil
+        subdirs.each do |d|
+          nxt = self.findItem(d, item, SEARCH_FORWARD)          
+          break if nxt.nil?
+          item = nxt 
+        end
+        
+        unless item.nil? 
+          unless subdirs.last == item.text
+            new_item = self.appendItem(item, subdirs.last)#, @folderIcon, @folderIcon)              
+            self.setItemData(new_item, result)
+          end
+        end
+        
+      end
+
+      def initialize(parent)
+        
+        @parent = parent
+        @quick_filter = Hash.new
+        @show_scope_only = false
+        
+        @results = []
+
+        super(parent, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|LAYOUT_TOP|LAYOUT_RIGHT|TREELIST_SHOWS_LINES|TREELIST_SHOWS_BOXES|TREELIST_ROOT_BOXES|TREELIST_EXTENDEDSELECT)
+
+        @event_dispatcher_listeners = Hash.new
+
+        @projectIcon = ICON_PROJECT
+
+        @folderIcon = ICON_FOLDER
+        @reqIcon = ICON_REQUEST
+        @siteIcon= ICON_SITE
+
+        @filtered_domains = Hash.new # domains which already have been filtered
+
+        @tree_filters = {
+          :response_status => []
+        }
+        
+        #    session_leaf = self.appendItem(nil, @session_name, @projectIcon, @projectIcon)
+
+        self.connect(SEL_COMMAND) do |sender, sel, item|
+          url_parts = []
+          begin
+            if item.data.is_a? Hash
+               #if item.data.class.to_s =~ /Qchat/
+               #@interface.show_chat(item.data)
+                  notify(:show_info, item.data)
+             end
+                
+          rescue => bang
+              #  puts bang
+              #  puts bang.backtrace if $DEBUG
+              #puts "!!! Error: could not show selected tree item"
+          end
+          
+          getApp().beginWaitCursor do
+            notify(:show_conversation, @quick_filter[item.object_id]) if @quick_filter[item.object_id]
+          end
+        end
+
+        self.connect(SEL_RIGHTBUTTONRELEASE) do |sender, sel, event|
+          exclude_site = nil
+          unless event.moved?
+            FXMenuPane.new(self) do |menu_pane|
+
+              target = FXMenuCheck.new(menu_pane, "test" )
+
+              menu_pane.create
+              menu_pane.popup(nil, event.root_x, event.root_y)
+              app.runModalWhileShown(menu_pane)
+
+            end
+          end
+        end
+      end
+
+private
+
+      def notify(event, *args)
+        if @event_dispatcher_listeners[event]
+          @event_dispatcher_listeners[event].each do |m|
+            m.call(*args) if m.respond_to? :call
+          end
+        end
+      end
+      
+    end
+  # namespace end
+  end
+  end
+  end
+end

data/plugins/aem/lib/agent.rb

@@ -0,0 +1,140 @@
+#.
+# agent.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# @private 
+module Watobo#:nodoc: all
+  module Plugin
+    class CQ5
+      class Agent < Watobo::Session
+         def initialize(base_request, in_queue, out_queue )
+            @work_queue = in_queue
+            @disp_queue = out_queue
+            @request = base_request
+            
+            
+            super(@request.object_id,  Watobo::Conf::Scanner.to_h )
+
+         end
+         
+         def stop
+           @agent_thread.kill
+         end
+         
+         def run
+           return nil if @work_queue.nil? or @disp_queue.nil?
+           
+           @agent_thread = Thread.new(){
+             puts "#{self} running ..." 
+             loop do
+             begin
+              
+               item = @work_queue.deq
+               # not interested in jcr:content ... skip ... 
+               next if item[:url] =~ /jcr%3acontent$/
+              
+               get_pages item
+               file_info item
+               
+             rescue => bang
+               puts bang
+               puts bang.backtrace
+               exit
+             end
+             end
+           }
+           @agent_thread
+         end
+         
+         def get_pages(item)           
+           test = @request.copy
+          # puts item
+           url = item[:url].gsub(/\/$/,'') + '/.pages.json'
+           test.replaceURL( url )
+           
+           request, response = sendRequest test
+           
+           return false unless response.respond_to? :status
+           item[:pages_status] = response.status
+          # @disp_queue << item
+             
+                  
+           if response.content_type =~ /json/i
+             begin
+             ntpages = JSON.parse response.body.to_s
+             
+             if ntpages['pages']
+                            
+              ntpages['pages'].each do |p|
+                #unless @use_relative_path
+                ep = p['escapedPath']
+                next if ep.nil?
+                next if ep.empty?
+                 
+                purl = ''
+               
+                purl = @request.url.to_s.gsub(/\/$/, '') + p['escapedPath']
+                puts "+ #{purl}"
+                
+                next if purl.empty?
+                
+                item = {
+                  :url => purl,
+                  :page_info => p,
+                  :file_info => nil,
+                  :status => nil
+                }
+                                 
+                @disp_queue << item
+               end              
+             end      
+           
+             rescue => bang
+                puts bang
+                puts ntpages
+                puts "---"
+              end   
+           end
+           #puts response.body.to_s 
+           true
+         end
+         
+         def file_info(item)
+           #url = item[:url]
+           #@request.replaceURL "#{url}/.json"
+           test = @request.copy
+           test.set_file_extension "json"
+          # puts "\n>> #{@request.url}"
+           request, response = sendRequest test
+           
+           return false unless response.respond_to? :status
+           item[:info_status] = response.status
+           
+           if response.content_type =~ /json/i
+             info = JSON.parse response.body.to_s
+             item[:file_info] = info
+           end
+           #@disp_queue << item
+           true
+         end
+
+         def sendRequest(request, prefs={})
+           begin
+              test_req, test_resp = self.doRequest(request, prefs)
+              return test_req, test_resp
+           rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+           end
+           return nil, nil            
+         end
+      end
+      
+    end
+  end
+end