watobo 0.9.8.677
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/bin/watobo_gui.rb +39 -0
- data/certificates/cert.pem +19 -0
- data/certificates/privkey.pem +15 -0
- data/certificates/watobo_dh.key +5 -0
- data/config/datastore.yml +5 -0
- data/config/forwarding_proxy.yml +12 -0
- data/config/general.yml +4 -0
- data/config/gui.yml +23 -0
- data/config/interceptor.yml +16 -0
- data/config/scan_policy.yml +13 -0
- data/config/scanner.yml +34 -0
- data/icons/Add.ico +0 -0
- data/icons/Add_24x24.ico +0 -0
- data/icons/Bandwidth.ico +0 -0
- data/icons/Bandwidth_24x24.ico +0 -0
- data/icons/Mr. Bomb.ico +0 -0
- data/icons/Mr. Bomb_16x16.ico +0 -0
- data/icons/Mr. Bomb_24x24.ico +0 -0
- data/icons/Orange Ball.ico +0 -0
- data/icons/Orange Ball_16x16.ico +0 -0
- data/icons/Orange Ball_24x24.ico +0 -0
- data/icons/Pause.ico +0 -0
- data/icons/Play.ico +0 -0
- data/icons/Play_24x24.ico +0 -0
- data/icons/Red Ball.ico +0 -0
- data/icons/Red Ball_16x16.ico +0 -0
- data/icons/Red Ball_24x24.ico +0 -0
- data/icons/Run.ico +0 -0
- data/icons/Stop.ico +0 -0
- data/icons/Stop_24x24.ico +0 -0
- data/icons/Terminal.ico +0 -0
- data/icons/Transfer.ico +0 -0
- data/icons/Transfer_16x16.ico +0 -0
- data/icons/User.ico +0 -0
- data/icons/User_16x16.ico +0 -0
- data/icons/User_24x24.ico +0 -0
- data/icons/Web Browser.ico +0 -0
- data/icons/Web Browser_16x16.ico +0 -0
- data/icons/Write Document.ico +0 -0
- data/icons/Yellow Ball.ico +0 -0
- data/icons/Yellow Ball_16x16.ico +0 -0
- data/icons/Yellow Ball_24x24.ico +0 -0
- data/icons/advanced.ico +0 -0
- data/icons/advanced_16x16.ico +0 -0
- data/icons/advanced_24x24.ico +0 -0
- data/icons/applications.ico +0 -0
- data/icons/applications_16x16.ico +0 -0
- data/icons/applications_24x24.ico +0 -0
- data/icons/browser_16x16.ico +0 -0
- data/icons/browser_24x24.ico +0 -0
- data/icons/burn.ico +0 -0
- data/icons/burn_16x16.ico +0 -0
- data/icons/burn_24x24.ico +0 -0
- data/icons/calculator.ico +0 -0
- data/icons/calculator_24x24.ico +0 -0
- data/icons/cb_checked.ico +0 -0
- data/icons/cb_checked_orange.ico +0 -0
- data/icons/cb_unchecked.ico +0 -0
- data/icons/coin_24x24.ico +0 -0
- data/icons/conversation.ico +0 -0
- data/icons/conversation_24x24.ico +0 -0
- data/icons/engine.ico +0 -0
- data/icons/filter.ico +0 -0
- data/icons/folder.ico +0 -0
- data/icons/folder_16x16.ico +0 -0
- data/icons/fuzzer_16x16.ico +0 -0
- data/icons/fuzzer_24x24.ico +0 -0
- data/icons/go-down_16x16.png +0 -0
- data/icons/go-up_16x16.png +0 -0
- data/icons/help.ico +0 -0
- data/icons/help_16x16.ico +0 -0
- data/icons/help_24x24.ico +0 -0
- data/icons/iChat.ico +0 -0
- data/icons/iChat_16x16.ico +0 -0
- data/icons/iChat_24x24.ico +0 -0
- data/icons/icons.txt +3 -0
- data/icons/info.ico +0 -0
- data/icons/info_16x16.ico +0 -0
- data/icons/info_24x24.ico +0 -0
- data/icons/interceptor_24x24.ico +0 -0
- data/icons/lock.ico +0 -0
- data/icons/lock_12x12.ico +0 -0
- data/icons/lock_16x16.ico +0 -0
- data/icons/monitor.ico +0 -0
- data/icons/plugin.ico +0 -0
- data/icons/plugin_24x24.ico +0 -0
- data/icons/scan_16x16.png +0 -0
- data/icons/send.ico +0 -0
- data/icons/server.ico +0 -0
- data/icons/server_16x16.ico +0 -0
- data/icons/siberas_logo_x24.gif +0 -0
- data/icons/tag_blue_32x32.ico +0 -0
- data/icons/watobo-48x48.png +0 -0
- data/icons/watobo-logo.png +0 -0
- data/icons/watobo.ico +0 -0
- data/lib/watobo/adapters/data_store.rb +38 -0
- data/lib/watobo/adapters/file/file_store.rb +211 -0
- data/lib/watobo/adapters/session_store.rb +27 -0
- data/lib/watobo/adapters.rb +26 -0
- data/lib/watobo/config.rb +143 -0
- data/lib/watobo/constants.rb +92 -0
- data/lib/watobo/core/active_check.rb +404 -0
- data/lib/watobo/core/cookie.rb +69 -0
- data/lib/watobo/core/fuzz_gen.rb +160 -0
- data/lib/watobo/core/http_socket.rb +142 -0
- data/lib/watobo/core/interceptor.rb +729 -0
- data/lib/watobo/core/passive_check.rb +141 -0
- data/lib/watobo/core/project.rb +1058 -0
- data/lib/watobo/core/scanner.rb +396 -0
- data/lib/watobo/core/session.rb +1320 -0
- data/lib/watobo/core/simple_ca.rb +393 -0
- data/lib/watobo/core.rb +34 -0
- data/lib/watobo/defaults.rb +40 -0
- data/lib/watobo/external/diff/lcs/array.rb +42 -0
- data/lib/watobo/external/diff/lcs/block.rb +72 -0
- data/lib/watobo/external/diff/lcs/callbacks.rb +343 -0
- data/lib/watobo/external/diff/lcs/change.rb +190 -0
- data/lib/watobo/external/diff/lcs/hunk.rb +279 -0
- data/lib/watobo/external/diff/lcs/ldiff.rb +247 -0
- data/lib/watobo/external/diff/lcs/string.rb +40 -0
- data/lib/watobo/external/diff/lcs.rb +1124 -0
- data/lib/watobo/external/ntlm/ntlm.rb +797 -0
- data/lib/watobo/externals.rb +28 -0
- data/lib/watobo/framework/create_project.rb +55 -0
- data/lib/watobo/framework/init.rb +149 -0
- data/lib/watobo/framework/init_modules.rb +116 -0
- data/lib/watobo/framework/license_text.rb +50 -0
- data/lib/watobo/framework.rb +26 -0
- data/lib/watobo/gui/about_watobo.rb +68 -0
- data/lib/watobo/gui/browser_preview.rb +460 -0
- data/lib/watobo/gui/certificate_dialog.rb +132 -0
- data/lib/watobo/gui/chat_diff.rb +415 -0
- data/lib/watobo/gui/chatviewer_frame.rb +427 -0
- data/lib/watobo/gui/checkboxtree.rb +221 -0
- data/lib/watobo/gui/checks_policy_frame.rb +123 -0
- data/lib/watobo/gui/client_cert_dialog.rb +227 -0
- data/lib/watobo/gui/confirm_scan_dialog.rb +67 -0
- data/lib/watobo/gui/conversation_table.rb +386 -0
- data/lib/watobo/gui/conversation_table_ctrl.rb +175 -0
- data/lib/watobo/gui/csrf_token_dialog.rb +446 -0
- data/lib/watobo/gui/dashboard.rb +341 -0
- data/lib/watobo/gui/define_scope_frame.rb +380 -0
- data/lib/watobo/gui/edit_comment.rb +70 -0
- data/lib/watobo/gui/edit_scope_dialog.rb +69 -0
- data/lib/watobo/gui/finding_info.rb +212 -0
- data/lib/watobo/gui/findings_tree.rb +459 -0
- data/lib/watobo/gui/full_scan_dialog.rb +269 -0
- data/lib/watobo/gui/fuzzer_gui.rb +1522 -0
- data/lib/watobo/gui/hex_viewer.rb +106 -0
- data/lib/watobo/gui/interceptor_gui.rb +994 -0
- data/lib/watobo/gui/interceptor_settings_dialog.rb +201 -0
- data/lib/watobo/gui/log_viewer.rb +97 -0
- data/lib/watobo/gui/login_wizzard.rb +301 -0
- data/lib/watobo/gui/main_window.rb +1815 -0
- data/lib/watobo/gui/manual_request_editor.rb +1105 -0
- data/lib/watobo/gui/master_pw_dialog.rb +142 -0
- data/lib/watobo/gui/password_policy_dialog.rb +98 -0
- data/lib/watobo/gui/plugin/base.rb +82 -0
- data/lib/watobo/gui/plugin_board.rb +95 -0
- data/lib/watobo/gui/preferences_dialog.rb +116 -0
- data/lib/watobo/gui/progress_window.rb +102 -0
- data/lib/watobo/gui/project_wizzard.rb +369 -0
- data/lib/watobo/gui/proxy_dialog.rb +550 -0
- data/lib/watobo/gui/quick_scan_dialog.rb +242 -0
- data/lib/watobo/gui/request_editor.rb +480 -0
- data/lib/watobo/gui/save_chat_dialog.rb +158 -0
- data/lib/watobo/gui/scanner_settings_dialog.rb +360 -0
- data/lib/watobo/gui/select_chat_dialog.rb +169 -0
- data/lib/watobo/gui/session_management_dialog.rb +688 -0
- data/lib/watobo/gui/sites_tree.rb +347 -0
- data/lib/watobo/gui/status_bar.rb +88 -0
- data/lib/watobo/gui/table_editor.rb +445 -0
- data/lib/watobo/gui/tagless_viewer.rb +62 -0
- data/lib/watobo/gui/templates/plugin.rb +80 -0
- data/lib/watobo/gui/templates/plugin2.rb +103 -0
- data/lib/watobo/gui/text_viewer.rb +247 -0
- data/lib/watobo/gui/transcoder_window.rb +215 -0
- data/lib/watobo/gui/utils/gui_utils.rb +129 -0
- data/lib/watobo/gui/utils/init_icons.rb +106 -0
- data/lib/watobo/gui/utils/load_icons.rb +54 -0
- data/lib/watobo/gui/utils/load_plugins.rb +94 -0
- data/lib/watobo/gui/utils/master_password.rb +90 -0
- data/lib/watobo/gui/utils/save_default_settings.rb +99 -0
- data/lib/watobo/gui/utils/save_project_settings.rb +21 -0
- data/lib/watobo/gui/utils/save_proxy_settings.rb +45 -0
- data/lib/watobo/gui/utils/save_session_settings.rb +21 -0
- data/lib/watobo/gui/utils/session_history.rb +134 -0
- data/lib/watobo/gui/workspace_dialog.rb +89 -0
- data/lib/watobo/gui/www_auth_dialog.rb +348 -0
- data/lib/watobo/gui/xml_viewer_frame.rb +114 -0
- data/lib/watobo/gui.rb +139 -0
- data/lib/watobo/mixins/httpparser.rb +664 -0
- data/lib/watobo/mixins/request_parser.rb +210 -0
- data/lib/watobo/mixins/shapers.rb +345 -0
- data/lib/watobo/mixins/transcoders.rb +88 -0
- data/lib/watobo/mixins.rb +32 -0
- data/lib/watobo/utils/check_regex.rb +36 -0
- data/lib/watobo/utils/copy_object.rb +29 -0
- data/lib/watobo/utils/crypto.rb +74 -0
- data/lib/watobo/utils/expand_range.rb +45 -0
- data/lib/watobo/utils/file_management.rb +73 -0
- data/lib/watobo/utils/load_chat.rb +219 -0
- data/lib/watobo/utils/load_icon.rb +47 -0
- data/lib/watobo/utils/print_debug.rb +34 -0
- data/lib/watobo/utils/response_hash.rb +143 -0
- data/lib/watobo/utils/secure_eval.rb +57 -0
- data/lib/watobo/utils/text2request.rb +96 -0
- data/lib/watobo/utils.rb +32 -0
- data/lib/watobo.rb +76 -0
- data/modules/active/Apache/mod_status.rb +123 -0
- data/modules/active/Flash/crossdomain.rb +102 -0
- data/modules/active/directories/dirwalker.rb +89 -0
- data/modules/active/discovery/fileextensions.rb +151 -0
- data/modules/active/discovery/http_methods.rb +135 -0
- data/modules/active/domino/domino_db.lst +164 -0
- data/modules/active/domino/domino_db.rb +128 -0
- data/modules/active/fileinclusion/lfi_simple.rb +134 -0
- data/modules/active/jboss/jboss_basic.rb +119 -0
- data/modules/active/sap/business_objects.rb +73 -0
- data/modules/active/sap/its_commands.rb +101 -0
- data/modules/active/sap/its_service_parameter.rb +105 -0
- data/modules/active/sap/its_services.rb +103 -0
- data/modules/active/sap/its_xss.rb +98 -0
- data/modules/active/sqlinjection/sql_boolean.rb +262 -0
- data/modules/active/sqlinjection/sqli_simple.rb +205 -0
- data/modules/active/xss/xss_simple.rb +179 -0
- data/modules/passive/cookie_options.rb +97 -0
- data/modules/passive/cookie_xss.rb +85 -0
- data/modules/passive/detect_code.rb +89 -0
- data/modules/passive/detect_fileupload.rb +80 -0
- data/modules/passive/detect_infrastructure.rb +98 -0
- data/modules/passive/detect_one_time_tokens.rb +86 -0
- data/modules/passive/dirindexing.rb +81 -0
- data/modules/passive/disclosure_emails.rb +82 -0
- data/modules/passive/disclosure_ipaddr.rb +87 -0
- data/modules/passive/filename_as_parameter.rb +85 -0
- data/modules/passive/form_spotter.rb +75 -0
- data/modules/passive/hotspots.rb +86 -0
- data/modules/passive/in_script_parameter.rb +92 -0
- data/modules/passive/multiple_server_headers.rb +98 -0
- data/modules/passive/possible_login.rb +134 -0
- data/modules/passive/redirect_url.rb +88 -0
- data/modules/passive/redirectionz.rb +96 -0
- data/modules/passive/xss_dom.rb +91 -0
- data/plugins/catalog/catalog.ico +0 -0
- data/plugins/catalog/catalog.rb +726 -0
- data/plugins/catalog/db_tests +6483 -0
- data/plugins/catalog/db_variables +29 -0
- data/plugins/filefinder/dbs/hbci.db +12 -0
- data/plugins/filefinder/filefinder.rb +602 -0
- data/plugins/sslchecker/cli/sslchecker_cli.rb +21 -0
- data/plugins/sslchecker/gui/cipher_table.rb +260 -0
- data/plugins/sslchecker/gui/gui.rb +245 -0
- data/plugins/sslchecker/gui/sslchecker.rb +26 -0
- data/plugins/sslchecker/icons/green_16x16.ico +0 -0
- data/plugins/sslchecker/icons/grey_16x16.ico +0 -0
- data/plugins/sslchecker/icons/red_16x16.ico +0 -0
- data/plugins/sslchecker/icons/sslchecker.ico +0 -0
- data/plugins/sslchecker/lib/check.rb +117 -0
- metadata +317 -0
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
# .
|
|
2
|
+
# its_xss.rb
|
|
3
|
+
#
|
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
|
5
|
+
#
|
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
|
+
# http://watobo.sourceforge.com
|
|
8
|
+
#
|
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
|
12
|
+
#
|
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
16
|
+
# GNU General Public License for more details.
|
|
17
|
+
#
|
|
18
|
+
# You should have received a copy of the GNU General Public License
|
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
|
+
# .
|
|
22
|
+
require 'digest/md5'
|
|
23
|
+
require 'digest/sha1'
|
|
24
|
+
|
|
25
|
+
module Watobo
|
|
26
|
+
module Modules
|
|
27
|
+
module Active
|
|
28
|
+
module Sap
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
class Its_xss < Watobo::ActiveCheck
|
|
32
|
+
|
|
33
|
+
def initialize(project, prefs={})
|
|
34
|
+
@project = project
|
|
35
|
+
super(project, prefs)
|
|
36
|
+
|
|
37
|
+
|
|
38
|
+
@info.update(
|
|
39
|
+
:check_name => 'SAP ITS: XSS', # name of check which briefly describes functionality, will be used for tree and progress views
|
|
40
|
+
:description => "Checks for generic XSS flaws in SAP ITS Systems.", # description of checkfunction
|
|
41
|
+
:author => "Andreas Schmidt", # author of check
|
|
42
|
+
:version => "0.9", # check version
|
|
43
|
+
:check_group => AC_GROUP_SAP
|
|
44
|
+
)
|
|
45
|
+
|
|
46
|
+
@finding.update(
|
|
47
|
+
:threat => 'Information Disclosure (and maybe more)', # thread of vulnerability, e.g. loss of information
|
|
48
|
+
:class => "SAP ITS: XSS", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
|
49
|
+
:type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
|
50
|
+
)
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def generateChecks(chat)
|
|
54
|
+
|
|
55
|
+
#
|
|
56
|
+
# Check GET-Parameters
|
|
57
|
+
#
|
|
58
|
+
begin
|
|
59
|
+
|
|
60
|
+
if chat.request.url =~ /!$/ then
|
|
61
|
+
checker = proc{
|
|
62
|
+
test = chat.copyRequest
|
|
63
|
+
new_p = "~urlmime"
|
|
64
|
+
new_v = "\"><script>alert('watobo')</script><img src=\""
|
|
65
|
+
test.add_get_parm(new_p,new_v)
|
|
66
|
+
|
|
67
|
+
test_request,test_response = doRequest(test,:default => true)
|
|
68
|
+
|
|
69
|
+
if test_response.join =~ /watobo/i then
|
|
70
|
+
#test_chat = Chat.new(test,test_response,chat.id)
|
|
71
|
+
addFinding(test_request,test_response,
|
|
72
|
+
:test_item => chat.request.url,
|
|
73
|
+
:check_pattern => "#{new_p}",
|
|
74
|
+
:proof_pattern => "#{new_v}",
|
|
75
|
+
:chat => chat,
|
|
76
|
+
:title => new_p
|
|
77
|
+
)
|
|
78
|
+
end
|
|
79
|
+
[ test_request, test_response ]
|
|
80
|
+
}
|
|
81
|
+
yield checker
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
rescue => bang
|
|
85
|
+
puts bang
|
|
86
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
|
87
|
+
raise
|
|
88
|
+
|
|
89
|
+
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
# --> eo namespace
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
end
|
|
@@ -0,0 +1,262 @@
|
|
|
1
|
+
# .
|
|
2
|
+
# sql_boolean.rb
|
|
3
|
+
#
|
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
|
5
|
+
#
|
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
|
+
# http://watobo.sourceforge.com
|
|
8
|
+
#
|
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
|
12
|
+
#
|
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
16
|
+
# GNU General Public License for more details.
|
|
17
|
+
#
|
|
18
|
+
# You should have received a copy of the GNU General Public License
|
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
|
+
# .
|
|
22
|
+
require 'digest/md5'
|
|
23
|
+
require 'digest/sha1'
|
|
24
|
+
|
|
25
|
+
module Watobo
|
|
26
|
+
module Modules
|
|
27
|
+
module Active
|
|
28
|
+
module Sqlinjection
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
class Sql_boolean < Watobo::ActiveCheck
|
|
32
|
+
|
|
33
|
+
def initialize(project, prefs={})
|
|
34
|
+
super(project, prefs)
|
|
35
|
+
@info.update(
|
|
36
|
+
:check_name => 'Boolean SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
|
|
37
|
+
:check_group => AC_GROUP_SQL,
|
|
38
|
+
:description => "Checks parameter values for boolean-style SQL-Injection flaws.", # description of checkfunction
|
|
39
|
+
:author => "Andreas Schmidt", # author of check
|
|
40
|
+
:version => "0.9" # check version
|
|
41
|
+
)
|
|
42
|
+
|
|
43
|
+
threat =<<'EOF'
|
|
44
|
+
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
|
|
45
|
+
When successful, the attacker is able to change the logic of SQL statements executed against the database.
|
|
46
|
+
Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
|
|
47
|
+
The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
|
|
48
|
+
proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
|
|
49
|
+
If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
|
|
50
|
+
and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
|
|
51
|
+
specified by the application executing the statement. This capability allows attackers to gain control of all database resources
|
|
52
|
+
accessible by that user, up to and including the ability to execute commands on the hosting system.
|
|
53
|
+
|
|
54
|
+
Source: http://projects.webappsec.org/SQL-Injection
|
|
55
|
+
EOF
|
|
56
|
+
|
|
57
|
+
measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
|
|
58
|
+
|
|
59
|
+
@finding.update(
|
|
60
|
+
:threat => threat, # thread of vulnerability, e.g. loss of information
|
|
61
|
+
:class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
|
62
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
|
63
|
+
:rating => VULN_RATING_CRITICAL,
|
|
64
|
+
:measure => measure
|
|
65
|
+
)
|
|
66
|
+
|
|
67
|
+
@boolean_checks = [
|
|
68
|
+
[ ' and 1=1', ' and 1=2'],
|
|
69
|
+
[ '\' and \'1\'=\'1', '\' and \'1\'=\'2'],
|
|
70
|
+
[ '\') and \'1\'=\'1\'(\'', '\') and \'1\'=\'2\'(\'' ],
|
|
71
|
+
[ '\')) and \'1\'=\'1\'((\'', '\')) and \'1\'=\'2\'((\'' ],
|
|
72
|
+
[ '\'))) and \'1\'=\'1\'(((\'', '\'))) and \'1\'=\'2\'(((\'' ],
|
|
73
|
+
[ ') and \'1\'=\'1\'(', ') and \'1\'=\'2\'(' ],
|
|
74
|
+
[ ')) and \'1\'=\'1\'((', ')) and \'1\'=\'2\'((' ],
|
|
75
|
+
[ '))) and \'1\'=\'1\'(((', '))) and \'1\'=\'2\'(((' ],
|
|
76
|
+
]
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def generateChecks(chat)
|
|
80
|
+
|
|
81
|
+
#
|
|
82
|
+
# Check GET-Parameters
|
|
83
|
+
#
|
|
84
|
+
begin
|
|
85
|
+
chat.request.get_parm_names.each do |get_parm|
|
|
86
|
+
|
|
87
|
+
@boolean_checks.each do |check_true, check_false|
|
|
88
|
+
|
|
89
|
+
|
|
90
|
+
checker = proc {
|
|
91
|
+
parm = get_parm.dup
|
|
92
|
+
check_t = CGI::escape(check_true)
|
|
93
|
+
check_f = CGI::escape(check_false)
|
|
94
|
+
|
|
95
|
+
begin
|
|
96
|
+
test_request = nil
|
|
97
|
+
test_response = nil
|
|
98
|
+
|
|
99
|
+
# first do request double time to check if hashes are the same
|
|
100
|
+
test = chat.copyRequest
|
|
101
|
+
value = test.get_parm_value(parm)
|
|
102
|
+
test_request,test_response = doRequest(test,:default => true)
|
|
103
|
+
# puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
|
104
|
+
text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
105
|
+
test = chat.copyRequest
|
|
106
|
+
test_request,test_response = doRequest(test,:default => true)
|
|
107
|
+
text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
108
|
+
# puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
|
109
|
+
|
|
110
|
+
if hash_1 == hash_2 then
|
|
111
|
+
test = chat.copyRequest
|
|
112
|
+
val = test.get_parm_value(parm)
|
|
113
|
+
val += check_f
|
|
114
|
+
test.replace_get_parm(parm, val)
|
|
115
|
+
|
|
116
|
+
test_request,test_response = doRequest(test,:default => true)
|
|
117
|
+
text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
118
|
+
# check if hash is the same, if yes then this parameter is not good for us
|
|
119
|
+
if hash_1 != hash_false then
|
|
120
|
+
|
|
121
|
+
test = chat.copyRequest
|
|
122
|
+
val = test.get_parm_value(parm)
|
|
123
|
+
val += check_t
|
|
124
|
+
test.replace_get_parm(parm, val)
|
|
125
|
+
test_request, test_response = doRequest(test, :default => true)
|
|
126
|
+
#puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
|
|
127
|
+
text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
128
|
+
|
|
129
|
+
if hash_true == hash_1 then
|
|
130
|
+
path = "/" + test_request.path
|
|
131
|
+
# test_chat = Chat.new(test, test_response,chat.id)
|
|
132
|
+
addFinding( test_request,test_response,
|
|
133
|
+
:test_item => parm,
|
|
134
|
+
:check_pattern => "#{parm}",
|
|
135
|
+
:chat => chat,
|
|
136
|
+
:title => "[#{parm}] - #{path}",
|
|
137
|
+
:debug => true
|
|
138
|
+
)
|
|
139
|
+
end
|
|
140
|
+
else
|
|
141
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Get parameter #{parm} is imune :("
|
|
142
|
+
end
|
|
143
|
+
else
|
|
144
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for get parameter #{parm} :("
|
|
145
|
+
end
|
|
146
|
+
rescue => bang
|
|
147
|
+
puts bang
|
|
148
|
+
raise
|
|
149
|
+
end
|
|
150
|
+
[ test_request, test_response ]
|
|
151
|
+
}
|
|
152
|
+
yield checker
|
|
153
|
+
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
chat.request.post_parm_names.each do |post_parm|
|
|
159
|
+
|
|
160
|
+
@boolean_checks.each do |check_true, check_false|
|
|
161
|
+
|
|
162
|
+
checker = proc {
|
|
163
|
+
begin
|
|
164
|
+
parm = post_parm.dup
|
|
165
|
+
check_t = CGI::escape(check_true)
|
|
166
|
+
check_f = CGI::escape(check_false)
|
|
167
|
+
test_request = nil
|
|
168
|
+
test_response = nil
|
|
169
|
+
|
|
170
|
+
# first do request double time to check if hashes are the same
|
|
171
|
+
test = chat.copyRequest
|
|
172
|
+
test_request,test_response = doRequest(test, :default => true)
|
|
173
|
+
text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
174
|
+
test = chat.copyRequest
|
|
175
|
+
test_request,test_response = doRequest(test, :default => true)
|
|
176
|
+
text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
177
|
+
#puts "=== SQL BOOLEAN (#{parm}) ===="
|
|
178
|
+
#puts "=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}" if parm =~ /button/
|
|
179
|
+
#puts "=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}" if parm =~ /button/
|
|
180
|
+
if hash_1 == hash_2 then
|
|
181
|
+
test = chat.copyRequest
|
|
182
|
+
val = test.post_parm_value(parm)
|
|
183
|
+
val += check_f
|
|
184
|
+
|
|
185
|
+
test.replace_post_parm(parm, val)
|
|
186
|
+
test_request,test_response = doRequest(test, :default => true)
|
|
187
|
+
text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
188
|
+
# puts "=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}" if parm =~ /button/
|
|
189
|
+
|
|
190
|
+
|
|
191
|
+
# check if hash is the same, if yes then this parameter is not good for us
|
|
192
|
+
if hash_1 != hash_false then
|
|
193
|
+
test = chat.copyRequest
|
|
194
|
+
val = test.post_parm_value(parm)
|
|
195
|
+
val += check_t
|
|
196
|
+
test.replace_post_parm(parm, val)
|
|
197
|
+
test_request,test_response = doRequest(test, :default => true)
|
|
198
|
+
text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
|
|
199
|
+
# puts "=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}" if parm =~ /button/
|
|
200
|
+
|
|
201
|
+
|
|
202
|
+
# if parm =~ /account/ then
|
|
203
|
+
# filename = File.join(File.dirname($0), "bc_1.txt")
|
|
204
|
+
# puts filename
|
|
205
|
+
# fh = File.new(filename, "w")
|
|
206
|
+
# fh.puts text_1
|
|
207
|
+
# fh.close
|
|
208
|
+
# filename = File.join(File.dirname($0), "bc_true.txt")
|
|
209
|
+
# puts filename
|
|
210
|
+
# fh = File.new(filename, "w")
|
|
211
|
+
#
|
|
212
|
+
# fh.puts text_true
|
|
213
|
+
# fh.close
|
|
214
|
+
#
|
|
215
|
+
# end
|
|
216
|
+
|
|
217
|
+
if hash_true == hash_1 then
|
|
218
|
+
puts "!GOTCHA! #{hash_1} / #{hash_true}\r\n=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}\r\n=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}\r\n=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}\r\n=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}"
|
|
219
|
+
|
|
220
|
+
path = "/" + test_request.path
|
|
221
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
|
222
|
+
addFinding(test_request,test_response,
|
|
223
|
+
:test_item => parm,
|
|
224
|
+
:check_pattern => "#{parm}",
|
|
225
|
+
:chat => chat,
|
|
226
|
+
:title => "[#{parm}] - #{path}",
|
|
227
|
+
:debug => true
|
|
228
|
+
)
|
|
229
|
+
end
|
|
230
|
+
else
|
|
231
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Postparmeter #{parm} is imune :("
|
|
232
|
+
end
|
|
233
|
+
else
|
|
234
|
+
# puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for post parameter #{parm} :("
|
|
235
|
+
# fh = File.new("bc_1e.txt", "w")
|
|
236
|
+
# fh.puts text_1
|
|
237
|
+
# fh.close
|
|
238
|
+
# fh = File.new("bc_truee.txt", "w")
|
|
239
|
+
# fh.puts text_true
|
|
240
|
+
# fh.close
|
|
241
|
+
|
|
242
|
+
end
|
|
243
|
+
rescue => bang
|
|
244
|
+
puts bang
|
|
245
|
+
raise
|
|
246
|
+
end
|
|
247
|
+
[ test_request, test_response ]
|
|
248
|
+
}
|
|
249
|
+
yield checker
|
|
250
|
+
|
|
251
|
+
end
|
|
252
|
+
end
|
|
253
|
+
rescue => bang
|
|
254
|
+
puts bang
|
|
255
|
+
end
|
|
256
|
+
end
|
|
257
|
+
end
|
|
258
|
+
# --> eo namespace
|
|
259
|
+
end
|
|
260
|
+
end
|
|
261
|
+
end
|
|
262
|
+
end
|
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
# .
|
|
2
|
+
# sqli_simple.rb
|
|
3
|
+
#
|
|
4
|
+
# Copyright 2012 by siberas, http://www.siberas.de
|
|
5
|
+
#
|
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
|
+
# http://watobo.sourceforge.com
|
|
8
|
+
#
|
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
|
12
|
+
#
|
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
16
|
+
# GNU General Public License for more details.
|
|
17
|
+
#
|
|
18
|
+
# You should have received a copy of the GNU General Public License
|
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
|
+
# .
|
|
22
|
+
module Watobo
|
|
23
|
+
module Modules
|
|
24
|
+
module Active
|
|
25
|
+
module Sqlinjection
|
|
26
|
+
|
|
27
|
+
|
|
28
|
+
class Sqli_simple < Watobo::ActiveCheck
|
|
29
|
+
|
|
30
|
+
def initialize(project, prefs={})
|
|
31
|
+
super(project, prefs)
|
|
32
|
+
@info.update(
|
|
33
|
+
:check_name => 'Simple SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
|
|
34
|
+
:check_group => AC_GROUP_SQL,
|
|
35
|
+
:description => "Check every parameter for SQL-Injection flaws.", # description of checkfunction
|
|
36
|
+
:author => "Andreas Schmidt", # author of check
|
|
37
|
+
:version => "0.9" # check version
|
|
38
|
+
)
|
|
39
|
+
|
|
40
|
+
threat =<<'EOF'
|
|
41
|
+
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
|
|
42
|
+
When successful, the attacker is able to change the logic of SQL statements executed against the database.
|
|
43
|
+
Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
|
|
44
|
+
The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
|
|
45
|
+
proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
|
|
46
|
+
If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
|
|
47
|
+
and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
|
|
48
|
+
specified by the application executing the statement. This capability allows attackers to gain control of all database resources
|
|
49
|
+
accessible by that user, up to and including the ability to execute commands on the hosting system.
|
|
50
|
+
|
|
51
|
+
Source: http://projects.webappsec.org/SQL-Injection
|
|
52
|
+
EOF
|
|
53
|
+
#
|
|
54
|
+
measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
|
|
55
|
+
|
|
56
|
+
@finding.update(
|
|
57
|
+
:threat => threat, # threat of vulnerability, e.g. loss of information
|
|
58
|
+
:class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
|
59
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
|
60
|
+
:rating => VULN_RATING_CRITICAL,
|
|
61
|
+
:measure => measure
|
|
62
|
+
)
|
|
63
|
+
|
|
64
|
+
@sql_checks=[
|
|
65
|
+
"';--",
|
|
66
|
+
"'",
|
|
67
|
+
]
|
|
68
|
+
|
|
69
|
+
@sql_patterns = [
|
|
70
|
+
"OleDBException",
|
|
71
|
+
"SQL Server",
|
|
72
|
+
"Microsoft OLE DB Provider",
|
|
73
|
+
"Incorrect syntax near",
|
|
74
|
+
"ADODB",
|
|
75
|
+
"DB2 SQL",
|
|
76
|
+
"DB2.*SQL\d+N",
|
|
77
|
+
"ODBC Microsoft Access Driver",
|
|
78
|
+
"(PLS|ORA).[0-9]{2,}",
|
|
79
|
+
"PostgreSQL query",
|
|
80
|
+
"error in your SQL syntax"
|
|
81
|
+
|
|
82
|
+
]
|
|
83
|
+
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def generateChecks(chat)
|
|
87
|
+
|
|
88
|
+
begin
|
|
89
|
+
urlParmNames(chat).each do |parm|
|
|
90
|
+
# puts "#{Module.nesting[0].name}: run check on chat-id (#{chat.id}) with parm (#{parm})"
|
|
91
|
+
#@sql_checks.each do |check, pattern|
|
|
92
|
+
test_values = []
|
|
93
|
+
@sql_checks.each do |check|
|
|
94
|
+
test_values << check
|
|
95
|
+
test_values << "#{chat.request.get_parm_value(parm)}#{check}"
|
|
96
|
+
test_values << "#{check}#{chat.request.get_parm_value(parm)}"
|
|
97
|
+
end
|
|
98
|
+
test_values.each do |check|
|
|
99
|
+
checker = proc {
|
|
100
|
+
|
|
101
|
+
test_request = nil
|
|
102
|
+
test_response = nil
|
|
103
|
+
# IMPORTANT!!!
|
|
104
|
+
# use prepareRequest(chat) for cloning the original request
|
|
105
|
+
test = chat.copyRequest
|
|
106
|
+
test_parm = "#{parm.clone}"
|
|
107
|
+
# modify the test request
|
|
108
|
+
test.replace_get_parm(test_parm, check)
|
|
109
|
+
# fire it up!
|
|
110
|
+
#puts req_copy
|
|
111
|
+
test_request,test_response = doRequest(test)
|
|
112
|
+
|
|
113
|
+
# puts test_response
|
|
114
|
+
# verify response
|
|
115
|
+
match = nil
|
|
116
|
+
@sql_patterns.each do |pattern|
|
|
117
|
+
if test_response.join =~ /(#{pattern})/i
|
|
118
|
+
match = $1
|
|
119
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
|
120
|
+
# path = "/" + test_request.path_ext
|
|
121
|
+
addFinding(test_request,test_response,
|
|
122
|
+
:test_item => parm,
|
|
123
|
+
:check_pattern => "#{check}",
|
|
124
|
+
:proof_pattern => "#{match}",
|
|
125
|
+
:chat => chat,
|
|
126
|
+
:title => "[#{test_parm}] - #{test_request.path}"
|
|
127
|
+
)
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
[ test_request, test_response ]
|
|
133
|
+
}
|
|
134
|
+
yield checker
|
|
135
|
+
end
|
|
136
|
+
end
|
|
137
|
+
|
|
138
|
+
|
|
139
|
+
#
|
|
140
|
+
# Check POST-Parameters
|
|
141
|
+
#
|
|
142
|
+
|
|
143
|
+
chat.request.post_parm_names.each do |parm|
|
|
144
|
+
#puts "#{chat.id}: run check on post parm #{parm}"
|
|
145
|
+
test_values = []
|
|
146
|
+
@sql_checks.each do |check|
|
|
147
|
+
test_values << check
|
|
148
|
+
test_values << "#{chat.request.post_parm_value(parm)}#{check}"
|
|
149
|
+
test_values << "#{check}#{chat.request.post_parm_value(parm)}"
|
|
150
|
+
end
|
|
151
|
+
test_values.each do |check,pattern|
|
|
152
|
+
checker = proc {
|
|
153
|
+
test_request = nil
|
|
154
|
+
test_response = nil
|
|
155
|
+
# IMPORTANT!!!
|
|
156
|
+
# use prepareRequest(chat) for cloning the original request
|
|
157
|
+
test = chat.copyRequest
|
|
158
|
+
test_parm = "#{parm.clone}"
|
|
159
|
+
|
|
160
|
+
|
|
161
|
+
# modify the test request
|
|
162
|
+
test.replace_post_parm(test_parm,check)
|
|
163
|
+
# puts test.last
|
|
164
|
+
# fire it up!
|
|
165
|
+
#puts req_copy
|
|
166
|
+
test_request,test_response = doRequest(test)
|
|
167
|
+
|
|
168
|
+
# puts test_response
|
|
169
|
+
# verify response
|
|
170
|
+
match = nil
|
|
171
|
+
@sql_patterns.each do |pattern|
|
|
172
|
+
if test_response.join =~ /(#{pattern})/i
|
|
173
|
+
match = $1
|
|
174
|
+
# puts "found xss (post)"
|
|
175
|
+
# test_chat = Chat.new(test,test_response,chat.id)
|
|
176
|
+
#resource = "/" + test_request.resource
|
|
177
|
+
addFinding(test_request,test_response,
|
|
178
|
+
:test_item => parm,
|
|
179
|
+
:check_pattern => "#{check}",
|
|
180
|
+
:proof_pattern => "#{match}",
|
|
181
|
+
:chat => chat,
|
|
182
|
+
:title => "[#{test_parm}] - #{test_request.path}"
|
|
183
|
+
)
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
end
|
|
187
|
+
[ test_request, test_response ]
|
|
188
|
+
}
|
|
189
|
+
yield checker
|
|
190
|
+
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
rescue => bang
|
|
194
|
+
puts bang
|
|
195
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
|
196
|
+
raise
|
|
197
|
+
end
|
|
198
|
+
end
|
|
199
|
+
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
end
|
|
203
|
+
end
|
|
204
|
+
end
|
|
205
|
+
end
|