watobo 0.9.21 → 0.9.23

data/modules/active/siebel/siebel_apps.rb

@@ -1,170 +1,161 @@
-#.
-# siebel_apps.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Siebel
-        
-        class Siebel_apps < Watobo::ActiveCheck
-          check_group = File.dirname(File.expand_path(__FILE__)).split("/").last.capitalize!
-          @@tested_directories = Hash.new
-          
-          @info.update(
-                         :check_name => 'Siebel Applications',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => "Enumerate Siebel Applications And Default Files, e.g. base.txt",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0",   # check version
-            :check_group =>  check_group
-            )
-            
-            @finding.update(
-                            :threat => 'Information',        # thread of vulnerability, e.g. loss of information
-            :class => "Siebel: Default Applications",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
-            )
-          
-          def initialize(project, prefs={})
-           
-            super(project, prefs)
-            
-            @apps = %w( callcenter cgce cra eCommunicationsWireless eEnergyOilGasChemicals eaf eai eai_anon eauctionswexml eautomotive echannelaf echannelcg echannelcme eclinical ecommunications econsumer econsumerpharma econsumersector ecustomer ecustomercme edealer edealerscw eenergy eevents ehospitality eloyalty emarketing emedia emedical ememb epharma epharmace eprofessionalpharma epublicsector eretail erm ermadmin esales esalescme eservice esitesclinical etraining finesales fins finsconsole finscustomer finsebanking finsebrokerage finsechannel finseenenrollment finssalespam htim htimpim loyalty loyaltyscw marketing medicalce pimportal pmmanager prmmanager prmportal pseservice sales salesce service servicece siasalesce siaservicece sismarketing smc wpeserv wppm wpsales wpserv )
-            @langs = %w( cat chs cht csy dan deu ell enu esn euq fin fra frc heb hun ita jpn kor nld nor plk pse psl ptb ptg rus shl sky slv sve tha trk )
-            
-            
-          end
-          
-           def reset()
-            @@tested_directories.clear
-
-          end
-          
-          
-          def generateChecks(chat)
-            
-            begin
-              path = chat.request.dir
-             # puts "!!!!#{self}: #{path}"
-              unless @@tested_directories.has_key?(path)
-                @@tested_directories[path] = true
-                
-                @apps.each do |app|
-                  @langs.each do |lang|
-                    
-                    
-                  checker = proc{
-                    begin
-                    app_dir = "#{app}_#{lang}"
-                    #puts app_dir
-                    test_request = nil
-                    test_response = nil
-                    test = chat.copyRequest
-                    test.appendDir app_dir
-                    
-                    status, test_request, test_response = fileExists?(test, :default => true)
-                    
-                    if status == true 
-                     
-                   #   test_chat = Chat.new(test,test_response, :id => chat.id)
-                      
-                        addFinding( test_request,test_response,
-                          :test_item => chat.request.url.to_s,
-                          :check_pattern => "#{app_dir}",
-                          :proof_pattern => "#{test_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}"
-                      )
-                      
-                      # check for _stats.swe
-                      stats_test = chat.copyRequest
-                      stats_test.replaceFileExt("_stats.swe")
-                      status, stats_request, stats_response = fileExists?( stats_test, :default => true)
-                    
-                      if status == true and stats_response.has_body?
-                         addFinding( stats_request,stats_response,
-                          :test_item => stats_request.url.to_s,
-                          :check_pattern => "#{app_dir}",
-                          :proof_pattern => "#{stats_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}",
-                          :check_name => "Siebel Stats Page",
-                          :class => "Siebel: Stats Page"
-                        )
-                      end
-                      
-                      # check for base.txt
-                      base_test = chat.copyRequest
-                      base_test.appendDir app_dir
-                      base_test.replaceFileExt("base.txt")
-                     # puts base_test.url
-                      status, base_request, base_response = fileExists?(base_test, :default => true)
-                    
-                      if status == true and base_response.has_body?
-                        version = nil
-                        if base_response.body.strip =~ /^([0-9.]*) /
-                          version = $1
-                        end
-                         addFinding( base_request,base_response,
-                          :test_item => base_request.url.to_s,
-                          :check_pattern => "base.txt",
-                          :proof_pattern => "#{base_response.status}",
-                          :chat => chat,
-                          :title => "#{app_dir}",
-                          :check_name => "Siebel Version #{version}",
-                          :class => "Siebel: Version #{version}"
-                        )
-                      end
-                      
-                      # check for About_Siebel.htm and siebindex.htm                      
-                      %w( About_Siebel.htm help/siebindex.htm siebindex.htm ).each do |df|
-                        default_test = chat.copyRequest
-                      default_test.appendDir app_dir
-                      default_test.replaceFileExt(df)
-                      status, default_request, default_response = fileExists?(default_test, :default => true)
-                    
-                      if status == true 
-                         addFinding( default_request,default_response,
-                          :test_item => "#{default_request.url.to_s}",
-                          :check_pattern => "#{df}",
-                          :proof_pattern => "#{default_response.status}",
-                          :chat => chat,
-                          :title => "#{df}",
-                          #:check_name => "Siebel Version #{version}",
-                          :class => "Siebel: Default Files"
-                        )
-                      end
-                      end
-                    
-                    end
-                    rescue => bang
-                      puts bang
-                      puts bang.backtrace
-                    end
-                    [ test_request, test_response ]
-                  }
-                  yield checker
-                  end
-                end
-              end            
-              
-            rescue => bang
-              puts bang
-              puts "ERROR!! #{Module.nesting[0].name}"
-              raise
-              
-            end
-          end
-          
-        end
-        # --> eo namespace    
-      end
-    end
-  end
-end
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Siebel
+        
+        class Siebel_apps < Watobo::ActiveCheck
+          check_group = File.dirname(File.expand_path(__FILE__)).split("/").last.capitalize!
+          @@tested_directories = Hash.new
+          
+          @info.update(
+                         :check_name => 'Siebel Applications',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "Enumerate Siebel Applications And Default Files, e.g. base.txt",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0",   # check version
+            :check_group =>  check_group
+            )
+            
+            @finding.update(
+                            :threat => 'Information',        # thread of vulnerability, e.g. loss of information
+            :class => "Siebel: Default Applications",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+            )
+          
+          def initialize(project, prefs={})
+           
+            super(project, prefs)
+            
+            @apps = %w( callcenter cgce cra eCommunicationsWireless eEnergyOilGasChemicals eaf eai eai_anon eauctionswexml eautomotive echannelaf echannelcg echannelcme eclinical ecommunications econsumer econsumerpharma econsumersector ecustomer ecustomercme edealer edealerscw eenergy eevents ehospitality eloyalty emarketing emedia emedical ememb epharma epharmace eprofessionalpharma epublicsector eretail erm ermadmin esales esalescme eservice esitesclinical etraining finesales fins finsconsole finscustomer finsebanking finsebrokerage finsechannel finseenenrollment finssalespam htim htimpim loyalty loyaltyscw marketing medicalce pimportal pmmanager prmmanager prmportal pseservice sales salesce service servicece siasalesce siaservicece sismarketing smc wpeserv wppm wpsales wpserv )
+            @langs = %w( cat chs cht csy dan deu ell enu esn euq fin fra frc heb hun ita jpn kor nld nor plk pse psl ptb ptg rus shl sky slv sve tha trk )
+            
+            
+          end
+          
+           def reset()
+            @@tested_directories.clear
+
+          end
+          
+          
+          def generateChecks(chat)
+            
+            begin
+              path = chat.request.dir
+             # puts "!!!!#{self}: #{path}"
+              unless @@tested_directories.has_key?(path)
+                @@tested_directories[path] = true
+                
+                @apps.each do |app|
+                  @langs.each do |lang|
+                    
+                    
+                  checker = proc{
+                    begin
+                    app_dir = "#{app}_#{lang}"
+                    #puts app_dir
+                    test_request = nil
+                    test_response = nil
+                    test = chat.copyRequest
+                    test.appendDir app_dir
+                    
+                    status, test_request, test_response = fileExists?(test, :default => true)
+                    
+                    if status == true 
+                     
+                   #   test_chat = Chat.new(test,test_response, :id => chat.id)
+                      
+                        addFinding( test_request,test_response,
+                          :test_item => chat.request.url.to_s,
+                          :check_pattern => "#{app_dir}",
+                          :proof_pattern => "#{test_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}"
+                      )
+                      
+                      # check for _stats.swe
+                      stats_test = chat.copyRequest
+                      stats_test.replaceFileExt("_stats.swe")
+                      status, stats_request, stats_response = fileExists?( stats_test, :default => true)
+                    
+                      if status == true and stats_response.has_body?
+                         addFinding( stats_request,stats_response,
+                          :test_item => stats_request.url.to_s,
+                          :check_pattern => "#{app_dir}",
+                          :proof_pattern => "#{stats_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}",
+                          :check_name => "Siebel Stats Page",
+                          :class => "Siebel: Stats Page"
+                        )
+                      end
+                      
+                      # check for base.txt
+                      base_test = chat.copyRequest
+                      base_test.appendDir app_dir
+                      base_test.replaceFileExt("base.txt")
+                     # puts base_test.url
+                      status, base_request, base_response = fileExists?(base_test, :default => true)
+                    
+                      if status == true and base_response.has_body?
+                        version = nil
+                        if base_response.body.strip =~ /^([0-9.]*) /
+                          version = $1
+                        end
+                         addFinding( base_request,base_response,
+                          :test_item => base_request.url.to_s,
+                          :check_pattern => "base.txt",
+                          :proof_pattern => "#{base_response.status}",
+                          :chat => chat,
+                          :title => "#{app_dir}",
+                          :check_name => "Siebel Version #{version}",
+                          :class => "Siebel: Version #{version}"
+                        )
+                      end
+                      
+                      # check for About_Siebel.htm and siebindex.htm                      
+                      %w( About_Siebel.htm help/siebindex.htm siebindex.htm ).each do |df|
+                        default_test = chat.copyRequest
+                      default_test.appendDir app_dir
+                      default_test.replaceFileExt(df)
+                      status, default_request, default_response = fileExists?(default_test, :default => true)
+                    
+                      if status == true 
+                         addFinding( default_request,default_response,
+                          :test_item => "#{default_request.url.to_s}",
+                          :check_pattern => "#{df}",
+                          :proof_pattern => "#{default_response.status}",
+                          :chat => chat,
+                          :title => "#{df}",
+                          #:check_name => "Siebel Version #{version}",
+                          :class => "Siebel: Default Files"
+                        )
+                      end
+                      end
+                    
+                    end
+                    rescue => bang
+                      puts bang
+                      puts bang.backtrace
+                    end
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                  end
+                end
+              end            
+              
+            rescue => bang
+              puts bang
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+              
+            end
+          end
+          
+        end
+        # --> eo namespace    
+      end
+    end
+  end
+end

data/modules/active/sqlinjection/sql_boolean.rb

@@ -1,12 +1,3 @@
-#.
-# sql_boolean.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'digest/md5'
 require 'digest/sha1'
 

data/modules/active/sqlinjection/sql_numerical.rb

@@ -0,0 +1,198 @@
+require 'digest/md5'
+require 'digest/sha1'
+
+# @private 
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Sqlinjection
+        
+        
+        class Sql_numerical < Watobo::ActiveCheck
+          
+          @info.update(
+                         :check_name => 'Numerical SQL-Injection',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => AC_GROUP_SQL,
+            :description => "Checks numerical parameter values for SQL-Injection flaws.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+            threat =<<'EOF'
+SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. 
+When successful, the attacker is able to change the logic of SQL statements executed against the database.
+Structured Query Language (SQL) is a specialized programming language for sending queries to databases. 
+The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with 
+proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. 
+If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure 
+and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user 
+specified by the application executing the statement. This capability allows attackers to gain control of all database resources 
+accessible by that user, up to and including the ability to execute commands on the hosting system.
+
+Source: http://projects.webappsec.org/SQL-Injection
+EOF
+            
+            measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "SQL-Injection",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+            :rating => VULN_RATING_CRITICAL,
+            :measure => measure
+            )
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+            
+          end
+          
+          def generateChecks(chat)
+            
+            #
+            #  Check GET-Parameters
+            #
+            begin
+              urlParmNames(chat).each do |parm|
+                vint = nil
+                # first check if parameter is integer value
+                value = chat.request.get_parm_value(parm)
+                if value.strip =~ /^\d+$/ then
+                #  puts "*!* #"
+                  vint = value.to_i
+                end
+                
+                if vint then
+                  #puts "* found integer get parameter #{parm}"
+                  checker = proc {
+                    begin
+                      test_request = nil
+                      test_response = nil
+                      
+                      # first do request double time to check if hashes are the same
+                      test = chat.copyRequest
+                      test_request,test_response = doRequest(test,:default => true)
+                      # hash_1 = Digest::MD5.hexdigest(test_response.body.join)
+                      hash_1 = Watobo::Utils.responseHash(test_request, test_response)
+                      test = chat.copyRequest
+                      test_request,test_response = doRequest(test,:default => true)
+                      hash_2 = Watobo::Utils.responseHash(test_request, test_response)
+                      #hash_2 = Digest::MD5.hexdigest(test_response.body.join)
+                      
+                      test = chat.copyRequest
+                      # also need to check if altered parm will change response
+                      new_value = "#{vint+1}"
+                      test.replace_get_parm(parm,new_value)
+                      test_request,test_response = doRequest(test,:default => true)
+                      hash_3 = Watobo::Utils.responseHash(test_request, test_response)
+                   #   puts "Hash 1: #{hash_1}"
+                    #  puts "Hash 2: #{hash_2}"
+                    #  puts "Hash 3: #{hash_3}"
+                      # if hash_1 == hash_2 then
+                      if hash_1 == hash_2 and hash_1 != hash_3 then # same hashes? now we can start the test
+                        test = chat.copyRequest
+                        # first add one to the original value and append "-1"
+                        new_value = "#{vint+1}-1"
+                        test.replace_get_parm(parm,new_value)
+                        test_request,test_response = doRequest(test,:default => true)
+                        
+                        hash_test = Watobo::Utils.responseHash(test_request, test_response)
+                        if hash_test == hash_1 then
+                          path = "/" + test_request.path
+                        #  test_chat = Chat.new(test,test_response, :id => chat.id)
+                          addFinding(test_request, test_response,
+                                     :check_pattern => "#{parm}",
+                          :chat => chat,
+                          :title => "[#{parm}] - #{path}"
+                          )
+                          
+                        end
+                        
+                      end
+                    rescue => bang
+                      puts bang
+                      raise
+                    end
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                  
+                end
+                
+              end
+              
+              postParmNames(chat).each do |parm|
+                vint = nil
+                # first check if parameter is integer value
+                value = chat.request.post_parm_value(parm)
+                if value.strip =~ /^\d+$/ then
+                  vint = value.to_i
+                end
+                
+                if vint then
+                  checker = proc {
+                    test_request = nil
+                    test_response = nil
+                    #puts "* found integer post parameter #{parm}"
+                    # first do request double time to check if hashes are the same
+                    test = chat.copyRequest
+                    test_request,test_response = doRequest(test, :default => true)
+                    hash_1 = Watobo::Utils.responseHash(test_request, test_response)
+                    hash_ref = Watobo::Utils.responseHash(test_request, test_response)
+                    test = chat.copyRequest
+                    test_request,test_response = doRequest(test, :default => true)
+                    hash_2 = Watobo::Utils.responseHash(test_request, test_response)
+                    # also need to check if altered parm will change response
+                    test = chat.copyRequest                   
+                    new_value = "#{vint+1}"
+                    test.replace_get_parm(parm,new_value)
+                    test_request,test_response = doRequest(test,:default => true)
+                    hash_3 = Watobo::Utils.responseHash(test_request, test_response)
+                  #  puts
+                  #  puts "#{value}, #{new_value}, #{parm}"
+                  #  puts "Hash 1: #{hash_1}"
+                  #  puts "Hash 2: #{hash_2}"
+                  #  puts "Hash 3: #{hash_3}"
+                    
+                    # if hash_1 == hash_2 then
+                    if hash_1 == hash_2 and hash_1 != hash_3 then # same hashes? now we can start the test
+                      test = chat.copyRequest
+                      # first add one to the original value and append "-1"
+                      new_value = "#{vint+1}-1"
+                      test.replace_post_parm(parm,new_value)
+                      test_request,test_response = doRequest(test, :default => true)
+                      
+                      hash_test = Watobo::Utils.responseHash(test_request, test_response)
+                   #   puts "Hash Test: #{hash_test}"
+                      if hash_test == hash_ref then
+                      #  test_chat = Chat.new(test, test_response, :id => chat.id)
+                        path = "/" + test_request.path
+                        addFinding(test_request, test_response,
+                                   :check_pattern => "#{parm}",
+                        :chat => chat,
+                        :title => "[#{parm}] - #{path}"
+                        )
+                        
+                        
+                      end
+                    end
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                end
+              end
+              
+            rescue => bang
+              puts bang
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+            end
+          end
+          
+        end
+        # --> eo namespace    
+      end
+    end
+  end
+end