watobo 0.9.8.677
Sign up to get free protection for your applications and to get access to all the features.
- data/bin/watobo_gui.rb +39 -0
- data/certificates/cert.pem +19 -0
- data/certificates/privkey.pem +15 -0
- data/certificates/watobo_dh.key +5 -0
- data/config/datastore.yml +5 -0
- data/config/forwarding_proxy.yml +12 -0
- data/config/general.yml +4 -0
- data/config/gui.yml +23 -0
- data/config/interceptor.yml +16 -0
- data/config/scan_policy.yml +13 -0
- data/config/scanner.yml +34 -0
- data/icons/Add.ico +0 -0
- data/icons/Add_24x24.ico +0 -0
- data/icons/Bandwidth.ico +0 -0
- data/icons/Bandwidth_24x24.ico +0 -0
- data/icons/Mr. Bomb.ico +0 -0
- data/icons/Mr. Bomb_16x16.ico +0 -0
- data/icons/Mr. Bomb_24x24.ico +0 -0
- data/icons/Orange Ball.ico +0 -0
- data/icons/Orange Ball_16x16.ico +0 -0
- data/icons/Orange Ball_24x24.ico +0 -0
- data/icons/Pause.ico +0 -0
- data/icons/Play.ico +0 -0
- data/icons/Play_24x24.ico +0 -0
- data/icons/Red Ball.ico +0 -0
- data/icons/Red Ball_16x16.ico +0 -0
- data/icons/Red Ball_24x24.ico +0 -0
- data/icons/Run.ico +0 -0
- data/icons/Stop.ico +0 -0
- data/icons/Stop_24x24.ico +0 -0
- data/icons/Terminal.ico +0 -0
- data/icons/Transfer.ico +0 -0
- data/icons/Transfer_16x16.ico +0 -0
- data/icons/User.ico +0 -0
- data/icons/User_16x16.ico +0 -0
- data/icons/User_24x24.ico +0 -0
- data/icons/Web Browser.ico +0 -0
- data/icons/Web Browser_16x16.ico +0 -0
- data/icons/Write Document.ico +0 -0
- data/icons/Yellow Ball.ico +0 -0
- data/icons/Yellow Ball_16x16.ico +0 -0
- data/icons/Yellow Ball_24x24.ico +0 -0
- data/icons/advanced.ico +0 -0
- data/icons/advanced_16x16.ico +0 -0
- data/icons/advanced_24x24.ico +0 -0
- data/icons/applications.ico +0 -0
- data/icons/applications_16x16.ico +0 -0
- data/icons/applications_24x24.ico +0 -0
- data/icons/browser_16x16.ico +0 -0
- data/icons/browser_24x24.ico +0 -0
- data/icons/burn.ico +0 -0
- data/icons/burn_16x16.ico +0 -0
- data/icons/burn_24x24.ico +0 -0
- data/icons/calculator.ico +0 -0
- data/icons/calculator_24x24.ico +0 -0
- data/icons/cb_checked.ico +0 -0
- data/icons/cb_checked_orange.ico +0 -0
- data/icons/cb_unchecked.ico +0 -0
- data/icons/coin_24x24.ico +0 -0
- data/icons/conversation.ico +0 -0
- data/icons/conversation_24x24.ico +0 -0
- data/icons/engine.ico +0 -0
- data/icons/filter.ico +0 -0
- data/icons/folder.ico +0 -0
- data/icons/folder_16x16.ico +0 -0
- data/icons/fuzzer_16x16.ico +0 -0
- data/icons/fuzzer_24x24.ico +0 -0
- data/icons/go-down_16x16.png +0 -0
- data/icons/go-up_16x16.png +0 -0
- data/icons/help.ico +0 -0
- data/icons/help_16x16.ico +0 -0
- data/icons/help_24x24.ico +0 -0
- data/icons/iChat.ico +0 -0
- data/icons/iChat_16x16.ico +0 -0
- data/icons/iChat_24x24.ico +0 -0
- data/icons/icons.txt +3 -0
- data/icons/info.ico +0 -0
- data/icons/info_16x16.ico +0 -0
- data/icons/info_24x24.ico +0 -0
- data/icons/interceptor_24x24.ico +0 -0
- data/icons/lock.ico +0 -0
- data/icons/lock_12x12.ico +0 -0
- data/icons/lock_16x16.ico +0 -0
- data/icons/monitor.ico +0 -0
- data/icons/plugin.ico +0 -0
- data/icons/plugin_24x24.ico +0 -0
- data/icons/scan_16x16.png +0 -0
- data/icons/send.ico +0 -0
- data/icons/server.ico +0 -0
- data/icons/server_16x16.ico +0 -0
- data/icons/siberas_logo_x24.gif +0 -0
- data/icons/tag_blue_32x32.ico +0 -0
- data/icons/watobo-48x48.png +0 -0
- data/icons/watobo-logo.png +0 -0
- data/icons/watobo.ico +0 -0
- data/lib/watobo/adapters/data_store.rb +38 -0
- data/lib/watobo/adapters/file/file_store.rb +211 -0
- data/lib/watobo/adapters/session_store.rb +27 -0
- data/lib/watobo/adapters.rb +26 -0
- data/lib/watobo/config.rb +143 -0
- data/lib/watobo/constants.rb +92 -0
- data/lib/watobo/core/active_check.rb +404 -0
- data/lib/watobo/core/cookie.rb +69 -0
- data/lib/watobo/core/fuzz_gen.rb +160 -0
- data/lib/watobo/core/http_socket.rb +142 -0
- data/lib/watobo/core/interceptor.rb +729 -0
- data/lib/watobo/core/passive_check.rb +141 -0
- data/lib/watobo/core/project.rb +1058 -0
- data/lib/watobo/core/scanner.rb +396 -0
- data/lib/watobo/core/session.rb +1320 -0
- data/lib/watobo/core/simple_ca.rb +393 -0
- data/lib/watobo/core.rb +34 -0
- data/lib/watobo/defaults.rb +40 -0
- data/lib/watobo/external/diff/lcs/array.rb +42 -0
- data/lib/watobo/external/diff/lcs/block.rb +72 -0
- data/lib/watobo/external/diff/lcs/callbacks.rb +343 -0
- data/lib/watobo/external/diff/lcs/change.rb +190 -0
- data/lib/watobo/external/diff/lcs/hunk.rb +279 -0
- data/lib/watobo/external/diff/lcs/ldiff.rb +247 -0
- data/lib/watobo/external/diff/lcs/string.rb +40 -0
- data/lib/watobo/external/diff/lcs.rb +1124 -0
- data/lib/watobo/external/ntlm/ntlm.rb +797 -0
- data/lib/watobo/externals.rb +28 -0
- data/lib/watobo/framework/create_project.rb +55 -0
- data/lib/watobo/framework/init.rb +149 -0
- data/lib/watobo/framework/init_modules.rb +116 -0
- data/lib/watobo/framework/license_text.rb +50 -0
- data/lib/watobo/framework.rb +26 -0
- data/lib/watobo/gui/about_watobo.rb +68 -0
- data/lib/watobo/gui/browser_preview.rb +460 -0
- data/lib/watobo/gui/certificate_dialog.rb +132 -0
- data/lib/watobo/gui/chat_diff.rb +415 -0
- data/lib/watobo/gui/chatviewer_frame.rb +427 -0
- data/lib/watobo/gui/checkboxtree.rb +221 -0
- data/lib/watobo/gui/checks_policy_frame.rb +123 -0
- data/lib/watobo/gui/client_cert_dialog.rb +227 -0
- data/lib/watobo/gui/confirm_scan_dialog.rb +67 -0
- data/lib/watobo/gui/conversation_table.rb +386 -0
- data/lib/watobo/gui/conversation_table_ctrl.rb +175 -0
- data/lib/watobo/gui/csrf_token_dialog.rb +446 -0
- data/lib/watobo/gui/dashboard.rb +341 -0
- data/lib/watobo/gui/define_scope_frame.rb +380 -0
- data/lib/watobo/gui/edit_comment.rb +70 -0
- data/lib/watobo/gui/edit_scope_dialog.rb +69 -0
- data/lib/watobo/gui/finding_info.rb +212 -0
- data/lib/watobo/gui/findings_tree.rb +459 -0
- data/lib/watobo/gui/full_scan_dialog.rb +269 -0
- data/lib/watobo/gui/fuzzer_gui.rb +1522 -0
- data/lib/watobo/gui/hex_viewer.rb +106 -0
- data/lib/watobo/gui/interceptor_gui.rb +994 -0
- data/lib/watobo/gui/interceptor_settings_dialog.rb +201 -0
- data/lib/watobo/gui/log_viewer.rb +97 -0
- data/lib/watobo/gui/login_wizzard.rb +301 -0
- data/lib/watobo/gui/main_window.rb +1815 -0
- data/lib/watobo/gui/manual_request_editor.rb +1105 -0
- data/lib/watobo/gui/master_pw_dialog.rb +142 -0
- data/lib/watobo/gui/password_policy_dialog.rb +98 -0
- data/lib/watobo/gui/plugin/base.rb +82 -0
- data/lib/watobo/gui/plugin_board.rb +95 -0
- data/lib/watobo/gui/preferences_dialog.rb +116 -0
- data/lib/watobo/gui/progress_window.rb +102 -0
- data/lib/watobo/gui/project_wizzard.rb +369 -0
- data/lib/watobo/gui/proxy_dialog.rb +550 -0
- data/lib/watobo/gui/quick_scan_dialog.rb +242 -0
- data/lib/watobo/gui/request_editor.rb +480 -0
- data/lib/watobo/gui/save_chat_dialog.rb +158 -0
- data/lib/watobo/gui/scanner_settings_dialog.rb +360 -0
- data/lib/watobo/gui/select_chat_dialog.rb +169 -0
- data/lib/watobo/gui/session_management_dialog.rb +688 -0
- data/lib/watobo/gui/sites_tree.rb +347 -0
- data/lib/watobo/gui/status_bar.rb +88 -0
- data/lib/watobo/gui/table_editor.rb +445 -0
- data/lib/watobo/gui/tagless_viewer.rb +62 -0
- data/lib/watobo/gui/templates/plugin.rb +80 -0
- data/lib/watobo/gui/templates/plugin2.rb +103 -0
- data/lib/watobo/gui/text_viewer.rb +247 -0
- data/lib/watobo/gui/transcoder_window.rb +215 -0
- data/lib/watobo/gui/utils/gui_utils.rb +129 -0
- data/lib/watobo/gui/utils/init_icons.rb +106 -0
- data/lib/watobo/gui/utils/load_icons.rb +54 -0
- data/lib/watobo/gui/utils/load_plugins.rb +94 -0
- data/lib/watobo/gui/utils/master_password.rb +90 -0
- data/lib/watobo/gui/utils/save_default_settings.rb +99 -0
- data/lib/watobo/gui/utils/save_project_settings.rb +21 -0
- data/lib/watobo/gui/utils/save_proxy_settings.rb +45 -0
- data/lib/watobo/gui/utils/save_session_settings.rb +21 -0
- data/lib/watobo/gui/utils/session_history.rb +134 -0
- data/lib/watobo/gui/workspace_dialog.rb +89 -0
- data/lib/watobo/gui/www_auth_dialog.rb +348 -0
- data/lib/watobo/gui/xml_viewer_frame.rb +114 -0
- data/lib/watobo/gui.rb +139 -0
- data/lib/watobo/mixins/httpparser.rb +664 -0
- data/lib/watobo/mixins/request_parser.rb +210 -0
- data/lib/watobo/mixins/shapers.rb +345 -0
- data/lib/watobo/mixins/transcoders.rb +88 -0
- data/lib/watobo/mixins.rb +32 -0
- data/lib/watobo/utils/check_regex.rb +36 -0
- data/lib/watobo/utils/copy_object.rb +29 -0
- data/lib/watobo/utils/crypto.rb +74 -0
- data/lib/watobo/utils/expand_range.rb +45 -0
- data/lib/watobo/utils/file_management.rb +73 -0
- data/lib/watobo/utils/load_chat.rb +219 -0
- data/lib/watobo/utils/load_icon.rb +47 -0
- data/lib/watobo/utils/print_debug.rb +34 -0
- data/lib/watobo/utils/response_hash.rb +143 -0
- data/lib/watobo/utils/secure_eval.rb +57 -0
- data/lib/watobo/utils/text2request.rb +96 -0
- data/lib/watobo/utils.rb +32 -0
- data/lib/watobo.rb +76 -0
- data/modules/active/Apache/mod_status.rb +123 -0
- data/modules/active/Flash/crossdomain.rb +102 -0
- data/modules/active/directories/dirwalker.rb +89 -0
- data/modules/active/discovery/fileextensions.rb +151 -0
- data/modules/active/discovery/http_methods.rb +135 -0
- data/modules/active/domino/domino_db.lst +164 -0
- data/modules/active/domino/domino_db.rb +128 -0
- data/modules/active/fileinclusion/lfi_simple.rb +134 -0
- data/modules/active/jboss/jboss_basic.rb +119 -0
- data/modules/active/sap/business_objects.rb +73 -0
- data/modules/active/sap/its_commands.rb +101 -0
- data/modules/active/sap/its_service_parameter.rb +105 -0
- data/modules/active/sap/its_services.rb +103 -0
- data/modules/active/sap/its_xss.rb +98 -0
- data/modules/active/sqlinjection/sql_boolean.rb +262 -0
- data/modules/active/sqlinjection/sqli_simple.rb +205 -0
- data/modules/active/xss/xss_simple.rb +179 -0
- data/modules/passive/cookie_options.rb +97 -0
- data/modules/passive/cookie_xss.rb +85 -0
- data/modules/passive/detect_code.rb +89 -0
- data/modules/passive/detect_fileupload.rb +80 -0
- data/modules/passive/detect_infrastructure.rb +98 -0
- data/modules/passive/detect_one_time_tokens.rb +86 -0
- data/modules/passive/dirindexing.rb +81 -0
- data/modules/passive/disclosure_emails.rb +82 -0
- data/modules/passive/disclosure_ipaddr.rb +87 -0
- data/modules/passive/filename_as_parameter.rb +85 -0
- data/modules/passive/form_spotter.rb +75 -0
- data/modules/passive/hotspots.rb +86 -0
- data/modules/passive/in_script_parameter.rb +92 -0
- data/modules/passive/multiple_server_headers.rb +98 -0
- data/modules/passive/possible_login.rb +134 -0
- data/modules/passive/redirect_url.rb +88 -0
- data/modules/passive/redirectionz.rb +96 -0
- data/modules/passive/xss_dom.rb +91 -0
- data/plugins/catalog/catalog.ico +0 -0
- data/plugins/catalog/catalog.rb +726 -0
- data/plugins/catalog/db_tests +6483 -0
- data/plugins/catalog/db_variables +29 -0
- data/plugins/filefinder/dbs/hbci.db +12 -0
- data/plugins/filefinder/filefinder.rb +602 -0
- data/plugins/sslchecker/cli/sslchecker_cli.rb +21 -0
- data/plugins/sslchecker/gui/cipher_table.rb +260 -0
- data/plugins/sslchecker/gui/gui.rb +245 -0
- data/plugins/sslchecker/gui/sslchecker.rb +26 -0
- data/plugins/sslchecker/icons/green_16x16.ico +0 -0
- data/plugins/sslchecker/icons/grey_16x16.ico +0 -0
- data/plugins/sslchecker/icons/red_16x16.ico +0 -0
- data/plugins/sslchecker/icons/sslchecker.ico +0 -0
- data/plugins/sslchecker/lib/check.rb +117 -0
- metadata +317 -0
@@ -0,0 +1,98 @@
|
|
1
|
+
# .
|
2
|
+
# its_xss.rb
|
3
|
+
#
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
require 'digest/md5'
|
23
|
+
require 'digest/sha1'
|
24
|
+
|
25
|
+
module Watobo
|
26
|
+
module Modules
|
27
|
+
module Active
|
28
|
+
module Sap
|
29
|
+
|
30
|
+
|
31
|
+
class Its_xss < Watobo::ActiveCheck
|
32
|
+
|
33
|
+
def initialize(project, prefs={})
|
34
|
+
@project = project
|
35
|
+
super(project, prefs)
|
36
|
+
|
37
|
+
|
38
|
+
@info.update(
|
39
|
+
:check_name => 'SAP ITS: XSS', # name of check which briefly describes functionality, will be used for tree and progress views
|
40
|
+
:description => "Checks for generic XSS flaws in SAP ITS Systems.", # description of checkfunction
|
41
|
+
:author => "Andreas Schmidt", # author of check
|
42
|
+
:version => "0.9", # check version
|
43
|
+
:check_group => AC_GROUP_SAP
|
44
|
+
)
|
45
|
+
|
46
|
+
@finding.update(
|
47
|
+
:threat => 'Information Disclosure (and maybe more)', # thread of vulnerability, e.g. loss of information
|
48
|
+
:class => "SAP ITS: XSS", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
49
|
+
:type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
50
|
+
)
|
51
|
+
end
|
52
|
+
|
53
|
+
def generateChecks(chat)
|
54
|
+
|
55
|
+
#
|
56
|
+
# Check GET-Parameters
|
57
|
+
#
|
58
|
+
begin
|
59
|
+
|
60
|
+
if chat.request.url =~ /!$/ then
|
61
|
+
checker = proc{
|
62
|
+
test = chat.copyRequest
|
63
|
+
new_p = "~urlmime"
|
64
|
+
new_v = "\"><script>alert('watobo')</script><img src=\""
|
65
|
+
test.add_get_parm(new_p,new_v)
|
66
|
+
|
67
|
+
test_request,test_response = doRequest(test,:default => true)
|
68
|
+
|
69
|
+
if test_response.join =~ /watobo/i then
|
70
|
+
#test_chat = Chat.new(test,test_response,chat.id)
|
71
|
+
addFinding(test_request,test_response,
|
72
|
+
:test_item => chat.request.url,
|
73
|
+
:check_pattern => "#{new_p}",
|
74
|
+
:proof_pattern => "#{new_v}",
|
75
|
+
:chat => chat,
|
76
|
+
:title => new_p
|
77
|
+
)
|
78
|
+
end
|
79
|
+
[ test_request, test_response ]
|
80
|
+
}
|
81
|
+
yield checker
|
82
|
+
end
|
83
|
+
|
84
|
+
rescue => bang
|
85
|
+
puts bang
|
86
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
87
|
+
raise
|
88
|
+
|
89
|
+
|
90
|
+
end
|
91
|
+
end
|
92
|
+
end
|
93
|
+
|
94
|
+
# --> eo namespace
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
@@ -0,0 +1,262 @@
|
|
1
|
+
# .
|
2
|
+
# sql_boolean.rb
|
3
|
+
#
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
require 'digest/md5'
|
23
|
+
require 'digest/sha1'
|
24
|
+
|
25
|
+
module Watobo
|
26
|
+
module Modules
|
27
|
+
module Active
|
28
|
+
module Sqlinjection
|
29
|
+
|
30
|
+
|
31
|
+
class Sql_boolean < Watobo::ActiveCheck
|
32
|
+
|
33
|
+
def initialize(project, prefs={})
|
34
|
+
super(project, prefs)
|
35
|
+
@info.update(
|
36
|
+
:check_name => 'Boolean SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
|
37
|
+
:check_group => AC_GROUP_SQL,
|
38
|
+
:description => "Checks parameter values for boolean-style SQL-Injection flaws.", # description of checkfunction
|
39
|
+
:author => "Andreas Schmidt", # author of check
|
40
|
+
:version => "0.9" # check version
|
41
|
+
)
|
42
|
+
|
43
|
+
threat =<<'EOF'
|
44
|
+
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
|
45
|
+
When successful, the attacker is able to change the logic of SQL statements executed against the database.
|
46
|
+
Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
|
47
|
+
The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
|
48
|
+
proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
|
49
|
+
If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
|
50
|
+
and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
|
51
|
+
specified by the application executing the statement. This capability allows attackers to gain control of all database resources
|
52
|
+
accessible by that user, up to and including the ability to execute commands on the hosting system.
|
53
|
+
|
54
|
+
Source: http://projects.webappsec.org/SQL-Injection
|
55
|
+
EOF
|
56
|
+
|
57
|
+
measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
|
58
|
+
|
59
|
+
@finding.update(
|
60
|
+
:threat => threat, # thread of vulnerability, e.g. loss of information
|
61
|
+
:class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
62
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
63
|
+
:rating => VULN_RATING_CRITICAL,
|
64
|
+
:measure => measure
|
65
|
+
)
|
66
|
+
|
67
|
+
@boolean_checks = [
|
68
|
+
[ ' and 1=1', ' and 1=2'],
|
69
|
+
[ '\' and \'1\'=\'1', '\' and \'1\'=\'2'],
|
70
|
+
[ '\') and \'1\'=\'1\'(\'', '\') and \'1\'=\'2\'(\'' ],
|
71
|
+
[ '\')) and \'1\'=\'1\'((\'', '\')) and \'1\'=\'2\'((\'' ],
|
72
|
+
[ '\'))) and \'1\'=\'1\'(((\'', '\'))) and \'1\'=\'2\'(((\'' ],
|
73
|
+
[ ') and \'1\'=\'1\'(', ') and \'1\'=\'2\'(' ],
|
74
|
+
[ ')) and \'1\'=\'1\'((', ')) and \'1\'=\'2\'((' ],
|
75
|
+
[ '))) and \'1\'=\'1\'(((', '))) and \'1\'=\'2\'(((' ],
|
76
|
+
]
|
77
|
+
end
|
78
|
+
|
79
|
+
def generateChecks(chat)
|
80
|
+
|
81
|
+
#
|
82
|
+
# Check GET-Parameters
|
83
|
+
#
|
84
|
+
begin
|
85
|
+
chat.request.get_parm_names.each do |get_parm|
|
86
|
+
|
87
|
+
@boolean_checks.each do |check_true, check_false|
|
88
|
+
|
89
|
+
|
90
|
+
checker = proc {
|
91
|
+
parm = get_parm.dup
|
92
|
+
check_t = CGI::escape(check_true)
|
93
|
+
check_f = CGI::escape(check_false)
|
94
|
+
|
95
|
+
begin
|
96
|
+
test_request = nil
|
97
|
+
test_response = nil
|
98
|
+
|
99
|
+
# first do request double time to check if hashes are the same
|
100
|
+
test = chat.copyRequest
|
101
|
+
value = test.get_parm_value(parm)
|
102
|
+
test_request,test_response = doRequest(test,:default => true)
|
103
|
+
# puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
104
|
+
text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
105
|
+
test = chat.copyRequest
|
106
|
+
test_request,test_response = doRequest(test,:default => true)
|
107
|
+
text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
108
|
+
# puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
109
|
+
|
110
|
+
if hash_1 == hash_2 then
|
111
|
+
test = chat.copyRequest
|
112
|
+
val = test.get_parm_value(parm)
|
113
|
+
val += check_f
|
114
|
+
test.replace_get_parm(parm, val)
|
115
|
+
|
116
|
+
test_request,test_response = doRequest(test,:default => true)
|
117
|
+
text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
118
|
+
# check if hash is the same, if yes then this parameter is not good for us
|
119
|
+
if hash_1 != hash_false then
|
120
|
+
|
121
|
+
test = chat.copyRequest
|
122
|
+
val = test.get_parm_value(parm)
|
123
|
+
val += check_t
|
124
|
+
test.replace_get_parm(parm, val)
|
125
|
+
test_request, test_response = doRequest(test, :default => true)
|
126
|
+
#puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
127
|
+
text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
128
|
+
|
129
|
+
if hash_true == hash_1 then
|
130
|
+
path = "/" + test_request.path
|
131
|
+
# test_chat = Chat.new(test, test_response,chat.id)
|
132
|
+
addFinding( test_request,test_response,
|
133
|
+
:test_item => parm,
|
134
|
+
:check_pattern => "#{parm}",
|
135
|
+
:chat => chat,
|
136
|
+
:title => "[#{parm}] - #{path}",
|
137
|
+
:debug => true
|
138
|
+
)
|
139
|
+
end
|
140
|
+
else
|
141
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Get parameter #{parm} is imune :("
|
142
|
+
end
|
143
|
+
else
|
144
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for get parameter #{parm} :("
|
145
|
+
end
|
146
|
+
rescue => bang
|
147
|
+
puts bang
|
148
|
+
raise
|
149
|
+
end
|
150
|
+
[ test_request, test_response ]
|
151
|
+
}
|
152
|
+
yield checker
|
153
|
+
|
154
|
+
end
|
155
|
+
|
156
|
+
end
|
157
|
+
|
158
|
+
chat.request.post_parm_names.each do |post_parm|
|
159
|
+
|
160
|
+
@boolean_checks.each do |check_true, check_false|
|
161
|
+
|
162
|
+
checker = proc {
|
163
|
+
begin
|
164
|
+
parm = post_parm.dup
|
165
|
+
check_t = CGI::escape(check_true)
|
166
|
+
check_f = CGI::escape(check_false)
|
167
|
+
test_request = nil
|
168
|
+
test_response = nil
|
169
|
+
|
170
|
+
# first do request double time to check if hashes are the same
|
171
|
+
test = chat.copyRequest
|
172
|
+
test_request,test_response = doRequest(test, :default => true)
|
173
|
+
text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
174
|
+
test = chat.copyRequest
|
175
|
+
test_request,test_response = doRequest(test, :default => true)
|
176
|
+
text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
177
|
+
#puts "=== SQL BOOLEAN (#{parm}) ===="
|
178
|
+
#puts "=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}" if parm =~ /button/
|
179
|
+
#puts "=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}" if parm =~ /button/
|
180
|
+
if hash_1 == hash_2 then
|
181
|
+
test = chat.copyRequest
|
182
|
+
val = test.post_parm_value(parm)
|
183
|
+
val += check_f
|
184
|
+
|
185
|
+
test.replace_post_parm(parm, val)
|
186
|
+
test_request,test_response = doRequest(test, :default => true)
|
187
|
+
text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
188
|
+
# puts "=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}" if parm =~ /button/
|
189
|
+
|
190
|
+
|
191
|
+
# check if hash is the same, if yes then this parameter is not good for us
|
192
|
+
if hash_1 != hash_false then
|
193
|
+
test = chat.copyRequest
|
194
|
+
val = test.post_parm_value(parm)
|
195
|
+
val += check_t
|
196
|
+
test.replace_post_parm(parm, val)
|
197
|
+
test_request,test_response = doRequest(test, :default => true)
|
198
|
+
text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
199
|
+
# puts "=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}" if parm =~ /button/
|
200
|
+
|
201
|
+
|
202
|
+
# if parm =~ /account/ then
|
203
|
+
# filename = File.join(File.dirname($0), "bc_1.txt")
|
204
|
+
# puts filename
|
205
|
+
# fh = File.new(filename, "w")
|
206
|
+
# fh.puts text_1
|
207
|
+
# fh.close
|
208
|
+
# filename = File.join(File.dirname($0), "bc_true.txt")
|
209
|
+
# puts filename
|
210
|
+
# fh = File.new(filename, "w")
|
211
|
+
#
|
212
|
+
# fh.puts text_true
|
213
|
+
# fh.close
|
214
|
+
#
|
215
|
+
# end
|
216
|
+
|
217
|
+
if hash_true == hash_1 then
|
218
|
+
puts "!GOTCHA! #{hash_1} / #{hash_true}\r\n=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}\r\n=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}\r\n=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}\r\n=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}"
|
219
|
+
|
220
|
+
path = "/" + test_request.path
|
221
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
222
|
+
addFinding(test_request,test_response,
|
223
|
+
:test_item => parm,
|
224
|
+
:check_pattern => "#{parm}",
|
225
|
+
:chat => chat,
|
226
|
+
:title => "[#{parm}] - #{path}",
|
227
|
+
:debug => true
|
228
|
+
)
|
229
|
+
end
|
230
|
+
else
|
231
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Postparmeter #{parm} is imune :("
|
232
|
+
end
|
233
|
+
else
|
234
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for post parameter #{parm} :("
|
235
|
+
# fh = File.new("bc_1e.txt", "w")
|
236
|
+
# fh.puts text_1
|
237
|
+
# fh.close
|
238
|
+
# fh = File.new("bc_truee.txt", "w")
|
239
|
+
# fh.puts text_true
|
240
|
+
# fh.close
|
241
|
+
|
242
|
+
end
|
243
|
+
rescue => bang
|
244
|
+
puts bang
|
245
|
+
raise
|
246
|
+
end
|
247
|
+
[ test_request, test_response ]
|
248
|
+
}
|
249
|
+
yield checker
|
250
|
+
|
251
|
+
end
|
252
|
+
end
|
253
|
+
rescue => bang
|
254
|
+
puts bang
|
255
|
+
end
|
256
|
+
end
|
257
|
+
end
|
258
|
+
# --> eo namespace
|
259
|
+
end
|
260
|
+
end
|
261
|
+
end
|
262
|
+
end
|
@@ -0,0 +1,205 @@
|
|
1
|
+
# .
|
2
|
+
# sqli_simple.rb
|
3
|
+
#
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
module Watobo
|
23
|
+
module Modules
|
24
|
+
module Active
|
25
|
+
module Sqlinjection
|
26
|
+
|
27
|
+
|
28
|
+
class Sqli_simple < Watobo::ActiveCheck
|
29
|
+
|
30
|
+
def initialize(project, prefs={})
|
31
|
+
super(project, prefs)
|
32
|
+
@info.update(
|
33
|
+
:check_name => 'Simple SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
|
34
|
+
:check_group => AC_GROUP_SQL,
|
35
|
+
:description => "Check every parameter for SQL-Injection flaws.", # description of checkfunction
|
36
|
+
:author => "Andreas Schmidt", # author of check
|
37
|
+
:version => "0.9" # check version
|
38
|
+
)
|
39
|
+
|
40
|
+
threat =<<'EOF'
|
41
|
+
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
|
42
|
+
When successful, the attacker is able to change the logic of SQL statements executed against the database.
|
43
|
+
Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
|
44
|
+
The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
|
45
|
+
proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
|
46
|
+
If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
|
47
|
+
and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
|
48
|
+
specified by the application executing the statement. This capability allows attackers to gain control of all database resources
|
49
|
+
accessible by that user, up to and including the ability to execute commands on the hosting system.
|
50
|
+
|
51
|
+
Source: http://projects.webappsec.org/SQL-Injection
|
52
|
+
EOF
|
53
|
+
#
|
54
|
+
measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
|
55
|
+
|
56
|
+
@finding.update(
|
57
|
+
:threat => threat, # threat of vulnerability, e.g. loss of information
|
58
|
+
:class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
59
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
60
|
+
:rating => VULN_RATING_CRITICAL,
|
61
|
+
:measure => measure
|
62
|
+
)
|
63
|
+
|
64
|
+
@sql_checks=[
|
65
|
+
"';--",
|
66
|
+
"'",
|
67
|
+
]
|
68
|
+
|
69
|
+
@sql_patterns = [
|
70
|
+
"OleDBException",
|
71
|
+
"SQL Server",
|
72
|
+
"Microsoft OLE DB Provider",
|
73
|
+
"Incorrect syntax near",
|
74
|
+
"ADODB",
|
75
|
+
"DB2 SQL",
|
76
|
+
"DB2.*SQL\d+N",
|
77
|
+
"ODBC Microsoft Access Driver",
|
78
|
+
"(PLS|ORA).[0-9]{2,}",
|
79
|
+
"PostgreSQL query",
|
80
|
+
"error in your SQL syntax"
|
81
|
+
|
82
|
+
]
|
83
|
+
|
84
|
+
end
|
85
|
+
|
86
|
+
def generateChecks(chat)
|
87
|
+
|
88
|
+
begin
|
89
|
+
urlParmNames(chat).each do |parm|
|
90
|
+
# puts "#{Module.nesting[0].name}: run check on chat-id (#{chat.id}) with parm (#{parm})"
|
91
|
+
#@sql_checks.each do |check, pattern|
|
92
|
+
test_values = []
|
93
|
+
@sql_checks.each do |check|
|
94
|
+
test_values << check
|
95
|
+
test_values << "#{chat.request.get_parm_value(parm)}#{check}"
|
96
|
+
test_values << "#{check}#{chat.request.get_parm_value(parm)}"
|
97
|
+
end
|
98
|
+
test_values.each do |check|
|
99
|
+
checker = proc {
|
100
|
+
|
101
|
+
test_request = nil
|
102
|
+
test_response = nil
|
103
|
+
# IMPORTANT!!!
|
104
|
+
# use prepareRequest(chat) for cloning the original request
|
105
|
+
test = chat.copyRequest
|
106
|
+
test_parm = "#{parm.clone}"
|
107
|
+
# modify the test request
|
108
|
+
test.replace_get_parm(test_parm, check)
|
109
|
+
# fire it up!
|
110
|
+
#puts req_copy
|
111
|
+
test_request,test_response = doRequest(test)
|
112
|
+
|
113
|
+
# puts test_response
|
114
|
+
# verify response
|
115
|
+
match = nil
|
116
|
+
@sql_patterns.each do |pattern|
|
117
|
+
if test_response.join =~ /(#{pattern})/i
|
118
|
+
match = $1
|
119
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
120
|
+
# path = "/" + test_request.path_ext
|
121
|
+
addFinding(test_request,test_response,
|
122
|
+
:test_item => parm,
|
123
|
+
:check_pattern => "#{check}",
|
124
|
+
:proof_pattern => "#{match}",
|
125
|
+
:chat => chat,
|
126
|
+
:title => "[#{test_parm}] - #{test_request.path}"
|
127
|
+
)
|
128
|
+
end
|
129
|
+
|
130
|
+
end
|
131
|
+
|
132
|
+
[ test_request, test_response ]
|
133
|
+
}
|
134
|
+
yield checker
|
135
|
+
end
|
136
|
+
end
|
137
|
+
|
138
|
+
|
139
|
+
#
|
140
|
+
# Check POST-Parameters
|
141
|
+
#
|
142
|
+
|
143
|
+
chat.request.post_parm_names.each do |parm|
|
144
|
+
#puts "#{chat.id}: run check on post parm #{parm}"
|
145
|
+
test_values = []
|
146
|
+
@sql_checks.each do |check|
|
147
|
+
test_values << check
|
148
|
+
test_values << "#{chat.request.post_parm_value(parm)}#{check}"
|
149
|
+
test_values << "#{check}#{chat.request.post_parm_value(parm)}"
|
150
|
+
end
|
151
|
+
test_values.each do |check,pattern|
|
152
|
+
checker = proc {
|
153
|
+
test_request = nil
|
154
|
+
test_response = nil
|
155
|
+
# IMPORTANT!!!
|
156
|
+
# use prepareRequest(chat) for cloning the original request
|
157
|
+
test = chat.copyRequest
|
158
|
+
test_parm = "#{parm.clone}"
|
159
|
+
|
160
|
+
|
161
|
+
# modify the test request
|
162
|
+
test.replace_post_parm(test_parm,check)
|
163
|
+
# puts test.last
|
164
|
+
# fire it up!
|
165
|
+
#puts req_copy
|
166
|
+
test_request,test_response = doRequest(test)
|
167
|
+
|
168
|
+
# puts test_response
|
169
|
+
# verify response
|
170
|
+
match = nil
|
171
|
+
@sql_patterns.each do |pattern|
|
172
|
+
if test_response.join =~ /(#{pattern})/i
|
173
|
+
match = $1
|
174
|
+
# puts "found xss (post)"
|
175
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
176
|
+
#resource = "/" + test_request.resource
|
177
|
+
addFinding(test_request,test_response,
|
178
|
+
:test_item => parm,
|
179
|
+
:check_pattern => "#{check}",
|
180
|
+
:proof_pattern => "#{match}",
|
181
|
+
:chat => chat,
|
182
|
+
:title => "[#{test_parm}] - #{test_request.path}"
|
183
|
+
)
|
184
|
+
end
|
185
|
+
|
186
|
+
end
|
187
|
+
[ test_request, test_response ]
|
188
|
+
}
|
189
|
+
yield checker
|
190
|
+
|
191
|
+
end
|
192
|
+
end
|
193
|
+
rescue => bang
|
194
|
+
puts bang
|
195
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
196
|
+
raise
|
197
|
+
end
|
198
|
+
end
|
199
|
+
|
200
|
+
end
|
201
|
+
|
202
|
+
end
|
203
|
+
end
|
204
|
+
end
|
205
|
+
end
|