watobo 0.9.8.677

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (260) hide show
  1. data/bin/watobo_gui.rb +39 -0
  2. data/certificates/cert.pem +19 -0
  3. data/certificates/privkey.pem +15 -0
  4. data/certificates/watobo_dh.key +5 -0
  5. data/config/datastore.yml +5 -0
  6. data/config/forwarding_proxy.yml +12 -0
  7. data/config/general.yml +4 -0
  8. data/config/gui.yml +23 -0
  9. data/config/interceptor.yml +16 -0
  10. data/config/scan_policy.yml +13 -0
  11. data/config/scanner.yml +34 -0
  12. data/icons/Add.ico +0 -0
  13. data/icons/Add_24x24.ico +0 -0
  14. data/icons/Bandwidth.ico +0 -0
  15. data/icons/Bandwidth_24x24.ico +0 -0
  16. data/icons/Mr. Bomb.ico +0 -0
  17. data/icons/Mr. Bomb_16x16.ico +0 -0
  18. data/icons/Mr. Bomb_24x24.ico +0 -0
  19. data/icons/Orange Ball.ico +0 -0
  20. data/icons/Orange Ball_16x16.ico +0 -0
  21. data/icons/Orange Ball_24x24.ico +0 -0
  22. data/icons/Pause.ico +0 -0
  23. data/icons/Play.ico +0 -0
  24. data/icons/Play_24x24.ico +0 -0
  25. data/icons/Red Ball.ico +0 -0
  26. data/icons/Red Ball_16x16.ico +0 -0
  27. data/icons/Red Ball_24x24.ico +0 -0
  28. data/icons/Run.ico +0 -0
  29. data/icons/Stop.ico +0 -0
  30. data/icons/Stop_24x24.ico +0 -0
  31. data/icons/Terminal.ico +0 -0
  32. data/icons/Transfer.ico +0 -0
  33. data/icons/Transfer_16x16.ico +0 -0
  34. data/icons/User.ico +0 -0
  35. data/icons/User_16x16.ico +0 -0
  36. data/icons/User_24x24.ico +0 -0
  37. data/icons/Web Browser.ico +0 -0
  38. data/icons/Web Browser_16x16.ico +0 -0
  39. data/icons/Write Document.ico +0 -0
  40. data/icons/Yellow Ball.ico +0 -0
  41. data/icons/Yellow Ball_16x16.ico +0 -0
  42. data/icons/Yellow Ball_24x24.ico +0 -0
  43. data/icons/advanced.ico +0 -0
  44. data/icons/advanced_16x16.ico +0 -0
  45. data/icons/advanced_24x24.ico +0 -0
  46. data/icons/applications.ico +0 -0
  47. data/icons/applications_16x16.ico +0 -0
  48. data/icons/applications_24x24.ico +0 -0
  49. data/icons/browser_16x16.ico +0 -0
  50. data/icons/browser_24x24.ico +0 -0
  51. data/icons/burn.ico +0 -0
  52. data/icons/burn_16x16.ico +0 -0
  53. data/icons/burn_24x24.ico +0 -0
  54. data/icons/calculator.ico +0 -0
  55. data/icons/calculator_24x24.ico +0 -0
  56. data/icons/cb_checked.ico +0 -0
  57. data/icons/cb_checked_orange.ico +0 -0
  58. data/icons/cb_unchecked.ico +0 -0
  59. data/icons/coin_24x24.ico +0 -0
  60. data/icons/conversation.ico +0 -0
  61. data/icons/conversation_24x24.ico +0 -0
  62. data/icons/engine.ico +0 -0
  63. data/icons/filter.ico +0 -0
  64. data/icons/folder.ico +0 -0
  65. data/icons/folder_16x16.ico +0 -0
  66. data/icons/fuzzer_16x16.ico +0 -0
  67. data/icons/fuzzer_24x24.ico +0 -0
  68. data/icons/go-down_16x16.png +0 -0
  69. data/icons/go-up_16x16.png +0 -0
  70. data/icons/help.ico +0 -0
  71. data/icons/help_16x16.ico +0 -0
  72. data/icons/help_24x24.ico +0 -0
  73. data/icons/iChat.ico +0 -0
  74. data/icons/iChat_16x16.ico +0 -0
  75. data/icons/iChat_24x24.ico +0 -0
  76. data/icons/icons.txt +3 -0
  77. data/icons/info.ico +0 -0
  78. data/icons/info_16x16.ico +0 -0
  79. data/icons/info_24x24.ico +0 -0
  80. data/icons/interceptor_24x24.ico +0 -0
  81. data/icons/lock.ico +0 -0
  82. data/icons/lock_12x12.ico +0 -0
  83. data/icons/lock_16x16.ico +0 -0
  84. data/icons/monitor.ico +0 -0
  85. data/icons/plugin.ico +0 -0
  86. data/icons/plugin_24x24.ico +0 -0
  87. data/icons/scan_16x16.png +0 -0
  88. data/icons/send.ico +0 -0
  89. data/icons/server.ico +0 -0
  90. data/icons/server_16x16.ico +0 -0
  91. data/icons/siberas_logo_x24.gif +0 -0
  92. data/icons/tag_blue_32x32.ico +0 -0
  93. data/icons/watobo-48x48.png +0 -0
  94. data/icons/watobo-logo.png +0 -0
  95. data/icons/watobo.ico +0 -0
  96. data/lib/watobo/adapters/data_store.rb +38 -0
  97. data/lib/watobo/adapters/file/file_store.rb +211 -0
  98. data/lib/watobo/adapters/session_store.rb +27 -0
  99. data/lib/watobo/adapters.rb +26 -0
  100. data/lib/watobo/config.rb +143 -0
  101. data/lib/watobo/constants.rb +92 -0
  102. data/lib/watobo/core/active_check.rb +404 -0
  103. data/lib/watobo/core/cookie.rb +69 -0
  104. data/lib/watobo/core/fuzz_gen.rb +160 -0
  105. data/lib/watobo/core/http_socket.rb +142 -0
  106. data/lib/watobo/core/interceptor.rb +729 -0
  107. data/lib/watobo/core/passive_check.rb +141 -0
  108. data/lib/watobo/core/project.rb +1058 -0
  109. data/lib/watobo/core/scanner.rb +396 -0
  110. data/lib/watobo/core/session.rb +1320 -0
  111. data/lib/watobo/core/simple_ca.rb +393 -0
  112. data/lib/watobo/core.rb +34 -0
  113. data/lib/watobo/defaults.rb +40 -0
  114. data/lib/watobo/external/diff/lcs/array.rb +42 -0
  115. data/lib/watobo/external/diff/lcs/block.rb +72 -0
  116. data/lib/watobo/external/diff/lcs/callbacks.rb +343 -0
  117. data/lib/watobo/external/diff/lcs/change.rb +190 -0
  118. data/lib/watobo/external/diff/lcs/hunk.rb +279 -0
  119. data/lib/watobo/external/diff/lcs/ldiff.rb +247 -0
  120. data/lib/watobo/external/diff/lcs/string.rb +40 -0
  121. data/lib/watobo/external/diff/lcs.rb +1124 -0
  122. data/lib/watobo/external/ntlm/ntlm.rb +797 -0
  123. data/lib/watobo/externals.rb +28 -0
  124. data/lib/watobo/framework/create_project.rb +55 -0
  125. data/lib/watobo/framework/init.rb +149 -0
  126. data/lib/watobo/framework/init_modules.rb +116 -0
  127. data/lib/watobo/framework/license_text.rb +50 -0
  128. data/lib/watobo/framework.rb +26 -0
  129. data/lib/watobo/gui/about_watobo.rb +68 -0
  130. data/lib/watobo/gui/browser_preview.rb +460 -0
  131. data/lib/watobo/gui/certificate_dialog.rb +132 -0
  132. data/lib/watobo/gui/chat_diff.rb +415 -0
  133. data/lib/watobo/gui/chatviewer_frame.rb +427 -0
  134. data/lib/watobo/gui/checkboxtree.rb +221 -0
  135. data/lib/watobo/gui/checks_policy_frame.rb +123 -0
  136. data/lib/watobo/gui/client_cert_dialog.rb +227 -0
  137. data/lib/watobo/gui/confirm_scan_dialog.rb +67 -0
  138. data/lib/watobo/gui/conversation_table.rb +386 -0
  139. data/lib/watobo/gui/conversation_table_ctrl.rb +175 -0
  140. data/lib/watobo/gui/csrf_token_dialog.rb +446 -0
  141. data/lib/watobo/gui/dashboard.rb +341 -0
  142. data/lib/watobo/gui/define_scope_frame.rb +380 -0
  143. data/lib/watobo/gui/edit_comment.rb +70 -0
  144. data/lib/watobo/gui/edit_scope_dialog.rb +69 -0
  145. data/lib/watobo/gui/finding_info.rb +212 -0
  146. data/lib/watobo/gui/findings_tree.rb +459 -0
  147. data/lib/watobo/gui/full_scan_dialog.rb +269 -0
  148. data/lib/watobo/gui/fuzzer_gui.rb +1522 -0
  149. data/lib/watobo/gui/hex_viewer.rb +106 -0
  150. data/lib/watobo/gui/interceptor_gui.rb +994 -0
  151. data/lib/watobo/gui/interceptor_settings_dialog.rb +201 -0
  152. data/lib/watobo/gui/log_viewer.rb +97 -0
  153. data/lib/watobo/gui/login_wizzard.rb +301 -0
  154. data/lib/watobo/gui/main_window.rb +1815 -0
  155. data/lib/watobo/gui/manual_request_editor.rb +1105 -0
  156. data/lib/watobo/gui/master_pw_dialog.rb +142 -0
  157. data/lib/watobo/gui/password_policy_dialog.rb +98 -0
  158. data/lib/watobo/gui/plugin/base.rb +82 -0
  159. data/lib/watobo/gui/plugin_board.rb +95 -0
  160. data/lib/watobo/gui/preferences_dialog.rb +116 -0
  161. data/lib/watobo/gui/progress_window.rb +102 -0
  162. data/lib/watobo/gui/project_wizzard.rb +369 -0
  163. data/lib/watobo/gui/proxy_dialog.rb +550 -0
  164. data/lib/watobo/gui/quick_scan_dialog.rb +242 -0
  165. data/lib/watobo/gui/request_editor.rb +480 -0
  166. data/lib/watobo/gui/save_chat_dialog.rb +158 -0
  167. data/lib/watobo/gui/scanner_settings_dialog.rb +360 -0
  168. data/lib/watobo/gui/select_chat_dialog.rb +169 -0
  169. data/lib/watobo/gui/session_management_dialog.rb +688 -0
  170. data/lib/watobo/gui/sites_tree.rb +347 -0
  171. data/lib/watobo/gui/status_bar.rb +88 -0
  172. data/lib/watobo/gui/table_editor.rb +445 -0
  173. data/lib/watobo/gui/tagless_viewer.rb +62 -0
  174. data/lib/watobo/gui/templates/plugin.rb +80 -0
  175. data/lib/watobo/gui/templates/plugin2.rb +103 -0
  176. data/lib/watobo/gui/text_viewer.rb +247 -0
  177. data/lib/watobo/gui/transcoder_window.rb +215 -0
  178. data/lib/watobo/gui/utils/gui_utils.rb +129 -0
  179. data/lib/watobo/gui/utils/init_icons.rb +106 -0
  180. data/lib/watobo/gui/utils/load_icons.rb +54 -0
  181. data/lib/watobo/gui/utils/load_plugins.rb +94 -0
  182. data/lib/watobo/gui/utils/master_password.rb +90 -0
  183. data/lib/watobo/gui/utils/save_default_settings.rb +99 -0
  184. data/lib/watobo/gui/utils/save_project_settings.rb +21 -0
  185. data/lib/watobo/gui/utils/save_proxy_settings.rb +45 -0
  186. data/lib/watobo/gui/utils/save_session_settings.rb +21 -0
  187. data/lib/watobo/gui/utils/session_history.rb +134 -0
  188. data/lib/watobo/gui/workspace_dialog.rb +89 -0
  189. data/lib/watobo/gui/www_auth_dialog.rb +348 -0
  190. data/lib/watobo/gui/xml_viewer_frame.rb +114 -0
  191. data/lib/watobo/gui.rb +139 -0
  192. data/lib/watobo/mixins/httpparser.rb +664 -0
  193. data/lib/watobo/mixins/request_parser.rb +210 -0
  194. data/lib/watobo/mixins/shapers.rb +345 -0
  195. data/lib/watobo/mixins/transcoders.rb +88 -0
  196. data/lib/watobo/mixins.rb +32 -0
  197. data/lib/watobo/utils/check_regex.rb +36 -0
  198. data/lib/watobo/utils/copy_object.rb +29 -0
  199. data/lib/watobo/utils/crypto.rb +74 -0
  200. data/lib/watobo/utils/expand_range.rb +45 -0
  201. data/lib/watobo/utils/file_management.rb +73 -0
  202. data/lib/watobo/utils/load_chat.rb +219 -0
  203. data/lib/watobo/utils/load_icon.rb +47 -0
  204. data/lib/watobo/utils/print_debug.rb +34 -0
  205. data/lib/watobo/utils/response_hash.rb +143 -0
  206. data/lib/watobo/utils/secure_eval.rb +57 -0
  207. data/lib/watobo/utils/text2request.rb +96 -0
  208. data/lib/watobo/utils.rb +32 -0
  209. data/lib/watobo.rb +76 -0
  210. data/modules/active/Apache/mod_status.rb +123 -0
  211. data/modules/active/Flash/crossdomain.rb +102 -0
  212. data/modules/active/directories/dirwalker.rb +89 -0
  213. data/modules/active/discovery/fileextensions.rb +151 -0
  214. data/modules/active/discovery/http_methods.rb +135 -0
  215. data/modules/active/domino/domino_db.lst +164 -0
  216. data/modules/active/domino/domino_db.rb +128 -0
  217. data/modules/active/fileinclusion/lfi_simple.rb +134 -0
  218. data/modules/active/jboss/jboss_basic.rb +119 -0
  219. data/modules/active/sap/business_objects.rb +73 -0
  220. data/modules/active/sap/its_commands.rb +101 -0
  221. data/modules/active/sap/its_service_parameter.rb +105 -0
  222. data/modules/active/sap/its_services.rb +103 -0
  223. data/modules/active/sap/its_xss.rb +98 -0
  224. data/modules/active/sqlinjection/sql_boolean.rb +262 -0
  225. data/modules/active/sqlinjection/sqli_simple.rb +205 -0
  226. data/modules/active/xss/xss_simple.rb +179 -0
  227. data/modules/passive/cookie_options.rb +97 -0
  228. data/modules/passive/cookie_xss.rb +85 -0
  229. data/modules/passive/detect_code.rb +89 -0
  230. data/modules/passive/detect_fileupload.rb +80 -0
  231. data/modules/passive/detect_infrastructure.rb +98 -0
  232. data/modules/passive/detect_one_time_tokens.rb +86 -0
  233. data/modules/passive/dirindexing.rb +81 -0
  234. data/modules/passive/disclosure_emails.rb +82 -0
  235. data/modules/passive/disclosure_ipaddr.rb +87 -0
  236. data/modules/passive/filename_as_parameter.rb +85 -0
  237. data/modules/passive/form_spotter.rb +75 -0
  238. data/modules/passive/hotspots.rb +86 -0
  239. data/modules/passive/in_script_parameter.rb +92 -0
  240. data/modules/passive/multiple_server_headers.rb +98 -0
  241. data/modules/passive/possible_login.rb +134 -0
  242. data/modules/passive/redirect_url.rb +88 -0
  243. data/modules/passive/redirectionz.rb +96 -0
  244. data/modules/passive/xss_dom.rb +91 -0
  245. data/plugins/catalog/catalog.ico +0 -0
  246. data/plugins/catalog/catalog.rb +726 -0
  247. data/plugins/catalog/db_tests +6483 -0
  248. data/plugins/catalog/db_variables +29 -0
  249. data/plugins/filefinder/dbs/hbci.db +12 -0
  250. data/plugins/filefinder/filefinder.rb +602 -0
  251. data/plugins/sslchecker/cli/sslchecker_cli.rb +21 -0
  252. data/plugins/sslchecker/gui/cipher_table.rb +260 -0
  253. data/plugins/sslchecker/gui/gui.rb +245 -0
  254. data/plugins/sslchecker/gui/sslchecker.rb +26 -0
  255. data/plugins/sslchecker/icons/green_16x16.ico +0 -0
  256. data/plugins/sslchecker/icons/grey_16x16.ico +0 -0
  257. data/plugins/sslchecker/icons/red_16x16.ico +0 -0
  258. data/plugins/sslchecker/icons/sslchecker.ico +0 -0
  259. data/plugins/sslchecker/lib/check.rb +117 -0
  260. metadata +317 -0
@@ -0,0 +1,134 @@
1
+ # .
2
+ # lfi_simple.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'digest/md5'
23
+ require 'digest/sha1'
24
+
25
+ module Watobo
26
+ module Modules
27
+ module Active
28
+ module Fileinclusion
29
+
30
+
31
+ class Lfi_simple < Watobo::ActiveCheck
32
+
33
+ def initialize(project, prefs={})
34
+ super(project, prefs)
35
+
36
+ @info.update(
37
+ :check_name => 'Local File Inclusion', # name of check which briefly describes functionality, will be used for tree and progress views
38
+ :description => "Checks for parameters, which can lead to local file inclusion.", # description of checkfunction
39
+ :author => "Andreas Schmidt", # author of check
40
+ :check_group => AC_GROUP_FILE_INCLUSION,
41
+ :version => "1.0" # check version
42
+ )
43
+
44
+ @finding.update(
45
+ :threat => 'Code Execution or Information Leakage', # thread of vulnerability, e.g. loss of information
46
+ :class => "Local File Inclusion", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
47
+ :type => FINDING_TYPE_VULN # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
48
+ )
49
+
50
+ @include_checks = [
51
+ ["etc/passwd",'root:[^:]+:\w+:\w+' ],
52
+ ["etc/passwd%00",'root:[^:]+:\w+:\w+' ],
53
+ ["boot.ini", Regexp.quote('[boot loader]')],
54
+ ["boot.ini%00", Regexp.quote('[boot loader]')]
55
+ ]
56
+
57
+ @updirs = [0,5,10,15,20]
58
+
59
+ end
60
+
61
+ def generateChecks(chat)
62
+ begin
63
+ @updirs.each do |up|
64
+ @include_checks.each do |file, pattern|
65
+ chat.request.get_parm_names.each do |parm|
66
+ checker = proc{
67
+ test_request = nil
68
+ test_response = nil
69
+ test = chat.copyRequest
70
+ check = "../"*up + file
71
+ test.replace_get_parm(parm, check)
72
+
73
+ test_request,test_response = doRequest(test)
74
+
75
+
76
+ # test_chat = Chat.new(test, test_response, chat.id)
77
+ if test_response.join =~ /(#{pattern})/ # if default db found, check for content
78
+ match = $1
79
+ addFinding(test_request,test_response,
80
+ :check_pattern => "#{file}",
81
+ :test_item => parm,
82
+ :proof_pattern => "#{match}",
83
+ :chat => chat,
84
+ :rating => VULN_RATING_HIGH,
85
+ :title => "[#{parm}] - #{test_request.file}"
86
+ )
87
+ [ test_request, test_response ]
88
+ end
89
+ }
90
+ yield checker
91
+ end
92
+
93
+ chat.request.post_parm_names.each do |parm|
94
+ checker = proc{
95
+ test_request = nil
96
+ test_response = nil
97
+ test = chat.copyRequest
98
+ check = "../"*up + file
99
+ test.replace_post_parm(parm, check)
100
+
101
+ test_request,test_response = doRequest(test)
102
+
103
+ if test_response.join =~ /(#{pattern})/i # if default db found, check for content
104
+ match = $1
105
+ addFinding(test_request,test_response,
106
+ :test_item => parm,
107
+ :check_pattern => "#{file}",
108
+ :proof_pattern => "#{match}",
109
+ :chat => chat,
110
+ :rating => VULN_RATING_HIGH,
111
+ :title => "[#{parm}] - #{file}"
112
+ )
113
+ [ test_request, test_response ]
114
+ end
115
+ }
116
+ yield checker
117
+ end
118
+ end
119
+ end
120
+ rescue => bang
121
+ puts bang
122
+ puts bang.backtrace if $DEBUG
123
+ puts "ERROR!! #{Module.nesting[0].name}"
124
+ raise
125
+ end
126
+
127
+ end
128
+
129
+ end
130
+ # --> eo namespace
131
+ end
132
+ end
133
+ end
134
+ end
@@ -0,0 +1,119 @@
1
+ # .
2
+ # jboss_basic.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ module Watobo
23
+ module Modules
24
+ module Active
25
+ module Jboss
26
+
27
+
28
+ class Jboss_basic < Watobo::ActiveCheck
29
+
30
+ def reset()
31
+ @checked_dirs.clear
32
+ end
33
+
34
+ def initialize(project, prefs={})
35
+ super(project, prefs)
36
+ @info.update(
37
+ :check_name => 'Basic JBoss enumeration', # name of check which briefly describes functionality, will be used for tree and progress views
38
+ :check_group => AC_GROUP_JBOSS,
39
+ :description => "Check every parameter for SQL-Injection flaws.", # description of checkfunction
40
+ :author => "Andreas Schmidt", # author of check
41
+ :version => "0.9" # check version
42
+ )
43
+
44
+
45
+
46
+ @finding.update(
47
+ :class => "JBoss-AS (critical)", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
48
+ :type => FINDING_TYPE_VULN # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
49
+ )
50
+
51
+ measure = "Remove all unnecessary JBoss-Interfaces like JMX-Console."
52
+
53
+ @jboss_checks = Hash.new
54
+ @jboss_checks["JBoss-AS (critical)"] = { :dirs => ['/jmx-console/HtmlAdaptor', '/web-console/Invoker', '/invoker/JMXInvokerServlet'],
55
+ :rating => VULN_RATING_CRITICAL,
56
+ :threat => "This server supports dangerous JBoss interfaces. An attacker can use these interfaces to gain control over system by deploying its own malicious servlets.",
57
+ :measure => measure
58
+ }
59
+
60
+ #
61
+ measure = "Disable all unneeded functions."
62
+ @jboss_checks["JBoss-AS (info)"] = { :dirs => [ '/status', '/web-console/ServerInfo.jsp'],
63
+ :rating => VULN_RATING_LOW,
64
+ :threat => "There are some functions enabled on this server which leads to information disclosure.
65
+ An attacker can use these information to prepare more targeted attacks. ",
66
+ :measure => measure
67
+ }
68
+
69
+ @checked_dirs = Hash.new
70
+ end
71
+
72
+ def generateChecks(chat)
73
+ chat.request.subDirs do |dir|
74
+ if not @checked_dirs.has_key?(dir)
75
+ @checked_dirs[dir] = :checked
76
+ @jboss_checks.each do |ckey, check_settings|
77
+ check_settings[:dirs].each do |cdir|
78
+ checker = proc {
79
+ check_dir = cdir
80
+ test_request = nil
81
+ test_response = nil
82
+ # IMPORTANT!!!
83
+ # use copyRequest(chat) for cloning the original request
84
+ test = chat.copyRequest
85
+ puts "appending dir #{check_dir}"
86
+ test.setDir(dir)
87
+ test.appendDir(check_dir)
88
+
89
+ #puts test
90
+
91
+ status, test_request, test_response = fileExists?(test, :default => true)
92
+ if status == true
93
+ #test_chat = Chat.new(test, test_response,chat.id)
94
+ # resource = "/" + test_request.resource
95
+ addFinding( test_request, test_response,
96
+ :check_pattern => "#{check_dir}",
97
+ :test_item => dir,
98
+ :chat => chat,
99
+ :title => "[#{check_dir}]",
100
+ :rating => check_settings[:rating],
101
+ :threat => check_settings[:threat],
102
+ :measure => check_settings[:measure],
103
+ :class => ckey
104
+ )
105
+ end
106
+
107
+ [ test_request, test_response ]
108
+ }
109
+ yield checker
110
+ end
111
+ end
112
+ end
113
+ end
114
+ end
115
+ end
116
+ end
117
+ end
118
+ end
119
+ end
@@ -0,0 +1,73 @@
1
+ # .
2
+ # business_objects.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ =begin
23
+ http://www.example.com:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
24
+ http://www.example.com:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
25
+ http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1&sectionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
26
+ http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
27
+ http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
28
+ http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
29
+ http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
30
+ http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
31
+ http://www.example.com:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
32
+ http://www.example.com:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
33
+ http://www.example.com:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
34
+ http://www.example.com:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
35
+ http://www.example.com:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
36
+ http://www.example.com:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=�></script><script>alert(1)</script>
37
+ http://www.example.com:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
38
+ http://www.example.com:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
39
+ http://www.example.com:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=�><script>alert(1)</script>
40
+ http://www.example.com:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
41
+ http://www.example.com:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
42
+ http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
43
+ http://www.example.com:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
44
+ http://www.example.com:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=1&uid=1&variance=1&viewed=1&
45
+ http://www.example.com:6405//PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?&flowid="><script>alert(1)</script>&flowname=Procheckup&gacid=1&progtrend=1&progtrendImage=1&viewed=1&
46
+ http://www.example.com:8080/PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-*/STYLE=xss:e/**/xpression(location='http://www.procheckup.com')>
47
+ http://www.example.com:6405//PerformanceManagement/jsp/sb/roleframe.jsp?rid="<~/XSS/*-
48
+ http://www.example.com:8080/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
49
+ http://www.example.com:6405/PerformanceManagement/jsp/viewWebiReportHeader.jsp?sEntry=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
50
+ http://www.example.com:8080/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
51
+ http://www.example.com:6405/PerformanceManagement/jsp/wait-frameset.jsp?dummyParam="</script><script>alert(1)</script>
52
+ http://www.example.com:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=<SCRIPT>alert(1)</SCRIPT>&actId=541&appKind=CMC
53
+ =end
54
+
55
+
56
+ module Watobo
57
+ module Modules
58
+ module Active
59
+ module Sap
60
+
61
+
62
+ class Business_objects < Watobo::ActiveCheck
63
+
64
+ def initialize(project, prefs={})
65
+
66
+ super(project, prefs)
67
+ end
68
+ end
69
+
70
+ end
71
+ end
72
+ end
73
+ end
@@ -0,0 +1,101 @@
1
+ # .
2
+ # its_commands.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ module Watobo
23
+ module Modules
24
+ module Active
25
+ module Sap
26
+
27
+
28
+ class Its_commands < Watobo::ActiveCheck
29
+
30
+ def initialize(project, prefs={})
31
+
32
+ super(project, prefs)
33
+
34
+
35
+ @info.update(
36
+ :check_name => 'SAP ITS: Default Commands', # name of check which briefly describes functionality, will be used for tree and progress views
37
+ :description => "Identifies vulnerable SAP ITS commands", # description of checkfunction
38
+ :author => "Andreas Schmidt", # author of check
39
+ :version => "0.9", # check version
40
+ :check_group => AC_GROUP_SAP
41
+ )
42
+
43
+ @finding.update(
44
+ :threat => 'Multiple', # thread of vulnerability, e.g. loss of information
45
+ :class => "SAP ITS: Default Commands", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
46
+ :type => FINDING_TYPE_VULN # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
47
+ )
48
+
49
+ # commands 2d array containing the command name and risk rating
50
+ @commands=[
51
+ ["AgateInstallCheck", VULN_RATING_LOW],
52
+ ["fieldDump", VULN_RATING_LOW],
53
+ ]
54
+
55
+ end
56
+
57
+ def generateChecks(chat)
58
+
59
+ begin
60
+ if chat.request.url =~ /\/wgate\/(\w*)\// then
61
+
62
+ @commands.each do |cmd, risk|
63
+ checker = proc{
64
+ test_request = nil
65
+ test_response = nil
66
+ test = chat.copyRequest
67
+ test.add_get_parm("~command", "#{cmd.dup}")
68
+
69
+ test_request,test_response = doRequest(test,:default => true)
70
+ if test_response.status =~ /200/i then
71
+ test_chat = Chat.new(test,test_response,chat.id)
72
+ addFinding( test_request,test_response,
73
+ :test_item => chat.request.url,
74
+ :check_pattern => "#{cmd.dup}",
75
+ :proof_pattern => "#{test_response.status}",
76
+ :chat => chat,
77
+ :title => "#{cmd.dup}"
78
+ )
79
+
80
+
81
+ end
82
+ [ test_request, test_response ]
83
+ }
84
+ yield checker
85
+ end
86
+ end
87
+
88
+ rescue => bang
89
+ puts bang
90
+ puts "ERROR!! #{Module.nesting[0].name}"
91
+ raise
92
+
93
+ end
94
+ end
95
+
96
+ end
97
+ # --> eo namespace
98
+ end
99
+ end
100
+ end
101
+ end
@@ -0,0 +1,105 @@
1
+ # .
2
+ # its_service_parameter.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'digest/md5'
23
+ require 'digest/sha1'
24
+
25
+ module Watobo
26
+ module Modules
27
+ module Active
28
+ module Sap
29
+
30
+
31
+ class Its_service_parameter < Watobo::ActiveCheck
32
+
33
+ def initialize(project,prefs={})
34
+
35
+ super(project, prefs)
36
+
37
+
38
+ @info.update(
39
+ :check_name => 'SAP ITS: Service Parameters', # name of check which briefly describes functionality, will be used for tree and progress views
40
+ :description => "Checks SAP ITS services for default parameters.", # description of checkfunction
41
+ :author => "Andreas Schmidt", # author of check
42
+ :version => "0.9", # check version
43
+ :check_group => AC_GROUP_SAP
44
+ )
45
+
46
+ @finding.update(
47
+ :threat => 'Information Disclosure (and maybe more)', # thread of vulnerability, e.g. loss of information
48
+ :class => "SAP ITS: Service Parameters", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
49
+ :type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
50
+ )
51
+
52
+ @default_service_parameters = [
53
+ ["~command","AgateInstallCheck"],
54
+ ["~runtimeMode", "DM"], # Development Mode vs PM (Production Mode)
55
+ ["~forcetarget", "sap.com"], # forcetarget only in old (maybe buggy) its-systems supported
56
+ ["~exitURL", "www.sap.com"], # exitURL only in old (maybe buggy) its-systems supported
57
+ ]
58
+
59
+ end
60
+
61
+ def generateChecks(chat)
62
+
63
+ begin
64
+
65
+ if chat.request.url =~ /\/wgate\/(\w*)\/!?/ then
66
+ @default_service_parameters.each do |sp, val|
67
+ checker = proc{
68
+ test_request = nil
69
+ test_response = nil
70
+ test = chat.copyRequest
71
+ service = "#{sp.dup}"
72
+ sparm = "#{val.dup}"
73
+
74
+ test.add_get_parm(service, sparm)
75
+
76
+ test_request,test_response = doRequest(test,:default => true)
77
+
78
+ if test_response.status =~ /200/i then
79
+ test_chat = Chat.new(test,test_response,chat.id)
80
+ addFinding( test_request,test_response,
81
+ :test_item => chat.request.url,
82
+ :check_pattern => "#{sparm}",
83
+ :proof_pattern => "#{test_response.status}",
84
+ :chat => chat,
85
+ :title => service
86
+ )
87
+
88
+ end
89
+ [ test_request, test_response ]
90
+ }
91
+ yield checker
92
+ end
93
+ end
94
+ rescue => bang
95
+ puts bang
96
+ puts "ERROR!! #{Module.nesting[0].name}"
97
+ end
98
+ end
99
+
100
+ end
101
+ # --> eo namespace
102
+ end
103
+ end
104
+ end
105
+ end
@@ -0,0 +1,103 @@
1
+ # .
2
+ # its_services.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'digest/md5'
23
+ require 'digest/sha1'
24
+
25
+ module Watobo
26
+ module Modules
27
+ module Active
28
+ module Sap
29
+
30
+
31
+ class Its_services < Watobo::ActiveCheck
32
+
33
+ def initialize(project, prefs={})
34
+
35
+ super(project, prefs)
36
+
37
+
38
+ @info.update(
39
+ :check_name => 'SAP ITS: Default Services', # name of check which briefly describes functionality, will be used for tree and progress views
40
+ :description => "Checks SAP ITS System for enabled default services.", # description of checkfunction
41
+ :author => "Andreas Schmidt", # author of check
42
+ :version => "0.9", # check version
43
+ :check_group => AC_GROUP_SAP
44
+ )
45
+
46
+ @finding.update(
47
+ :threat => 'Information Disclosure (and maybe more)', # thread of vulnerability, e.g. loss of information
48
+ :class => "SAP ITS: Default Services", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
49
+ :type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
50
+ )
51
+
52
+ @its_services = [
53
+ "admin",
54
+ "webgui",
55
+ "systeminfo",
56
+ ]
57
+ end
58
+
59
+ def generateChecks(chat)
60
+
61
+ begin
62
+
63
+ if chat.request.url =~ /\/wgate\/(\w*\/!?)/ then
64
+ service_name = $1
65
+ @its_services.each do |service|
66
+ checker = proc{
67
+ test_request = nil
68
+ test_response = nil
69
+ c_service = "#{service.dup}"
70
+ c_srv_name = "#{service_name}"
71
+ test = chat.copyRequest
72
+ test.first.gsub!(c_srv_name, "#{c_service}/!")
73
+
74
+ test_request,test_response = doRequest(test, :default => true)
75
+
76
+
77
+ if test_response.status =~ /200/i then
78
+ #test_chat = Chat.new(test,test_response,chat.id)
79
+ addFinding( test_request,test_response,
80
+ :test_item => chat.request.url,
81
+ :check_pattern => "#{c_service}",
82
+ :proof_pattern => "#{test_response.status}",
83
+ :chat => chat,
84
+ :title => c_service
85
+ )
86
+ end
87
+ [ test_request, test_response ]
88
+ }
89
+ yield checker
90
+ end
91
+ end
92
+ rescue => bang
93
+ puts bang
94
+ puts "ERROR!! #{Module.nesting[0].name}"
95
+ end
96
+ end
97
+
98
+ end
99
+ # --> eo namespace
100
+ end
101
+ end
102
+ end
103
+ end