watobo 0.9.8.677

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (260) hide show
  1. data/bin/watobo_gui.rb +39 -0
  2. data/certificates/cert.pem +19 -0
  3. data/certificates/privkey.pem +15 -0
  4. data/certificates/watobo_dh.key +5 -0
  5. data/config/datastore.yml +5 -0
  6. data/config/forwarding_proxy.yml +12 -0
  7. data/config/general.yml +4 -0
  8. data/config/gui.yml +23 -0
  9. data/config/interceptor.yml +16 -0
  10. data/config/scan_policy.yml +13 -0
  11. data/config/scanner.yml +34 -0
  12. data/icons/Add.ico +0 -0
  13. data/icons/Add_24x24.ico +0 -0
  14. data/icons/Bandwidth.ico +0 -0
  15. data/icons/Bandwidth_24x24.ico +0 -0
  16. data/icons/Mr. Bomb.ico +0 -0
  17. data/icons/Mr. Bomb_16x16.ico +0 -0
  18. data/icons/Mr. Bomb_24x24.ico +0 -0
  19. data/icons/Orange Ball.ico +0 -0
  20. data/icons/Orange Ball_16x16.ico +0 -0
  21. data/icons/Orange Ball_24x24.ico +0 -0
  22. data/icons/Pause.ico +0 -0
  23. data/icons/Play.ico +0 -0
  24. data/icons/Play_24x24.ico +0 -0
  25. data/icons/Red Ball.ico +0 -0
  26. data/icons/Red Ball_16x16.ico +0 -0
  27. data/icons/Red Ball_24x24.ico +0 -0
  28. data/icons/Run.ico +0 -0
  29. data/icons/Stop.ico +0 -0
  30. data/icons/Stop_24x24.ico +0 -0
  31. data/icons/Terminal.ico +0 -0
  32. data/icons/Transfer.ico +0 -0
  33. data/icons/Transfer_16x16.ico +0 -0
  34. data/icons/User.ico +0 -0
  35. data/icons/User_16x16.ico +0 -0
  36. data/icons/User_24x24.ico +0 -0
  37. data/icons/Web Browser.ico +0 -0
  38. data/icons/Web Browser_16x16.ico +0 -0
  39. data/icons/Write Document.ico +0 -0
  40. data/icons/Yellow Ball.ico +0 -0
  41. data/icons/Yellow Ball_16x16.ico +0 -0
  42. data/icons/Yellow Ball_24x24.ico +0 -0
  43. data/icons/advanced.ico +0 -0
  44. data/icons/advanced_16x16.ico +0 -0
  45. data/icons/advanced_24x24.ico +0 -0
  46. data/icons/applications.ico +0 -0
  47. data/icons/applications_16x16.ico +0 -0
  48. data/icons/applications_24x24.ico +0 -0
  49. data/icons/browser_16x16.ico +0 -0
  50. data/icons/browser_24x24.ico +0 -0
  51. data/icons/burn.ico +0 -0
  52. data/icons/burn_16x16.ico +0 -0
  53. data/icons/burn_24x24.ico +0 -0
  54. data/icons/calculator.ico +0 -0
  55. data/icons/calculator_24x24.ico +0 -0
  56. data/icons/cb_checked.ico +0 -0
  57. data/icons/cb_checked_orange.ico +0 -0
  58. data/icons/cb_unchecked.ico +0 -0
  59. data/icons/coin_24x24.ico +0 -0
  60. data/icons/conversation.ico +0 -0
  61. data/icons/conversation_24x24.ico +0 -0
  62. data/icons/engine.ico +0 -0
  63. data/icons/filter.ico +0 -0
  64. data/icons/folder.ico +0 -0
  65. data/icons/folder_16x16.ico +0 -0
  66. data/icons/fuzzer_16x16.ico +0 -0
  67. data/icons/fuzzer_24x24.ico +0 -0
  68. data/icons/go-down_16x16.png +0 -0
  69. data/icons/go-up_16x16.png +0 -0
  70. data/icons/help.ico +0 -0
  71. data/icons/help_16x16.ico +0 -0
  72. data/icons/help_24x24.ico +0 -0
  73. data/icons/iChat.ico +0 -0
  74. data/icons/iChat_16x16.ico +0 -0
  75. data/icons/iChat_24x24.ico +0 -0
  76. data/icons/icons.txt +3 -0
  77. data/icons/info.ico +0 -0
  78. data/icons/info_16x16.ico +0 -0
  79. data/icons/info_24x24.ico +0 -0
  80. data/icons/interceptor_24x24.ico +0 -0
  81. data/icons/lock.ico +0 -0
  82. data/icons/lock_12x12.ico +0 -0
  83. data/icons/lock_16x16.ico +0 -0
  84. data/icons/monitor.ico +0 -0
  85. data/icons/plugin.ico +0 -0
  86. data/icons/plugin_24x24.ico +0 -0
  87. data/icons/scan_16x16.png +0 -0
  88. data/icons/send.ico +0 -0
  89. data/icons/server.ico +0 -0
  90. data/icons/server_16x16.ico +0 -0
  91. data/icons/siberas_logo_x24.gif +0 -0
  92. data/icons/tag_blue_32x32.ico +0 -0
  93. data/icons/watobo-48x48.png +0 -0
  94. data/icons/watobo-logo.png +0 -0
  95. data/icons/watobo.ico +0 -0
  96. data/lib/watobo/adapters/data_store.rb +38 -0
  97. data/lib/watobo/adapters/file/file_store.rb +211 -0
  98. data/lib/watobo/adapters/session_store.rb +27 -0
  99. data/lib/watobo/adapters.rb +26 -0
  100. data/lib/watobo/config.rb +143 -0
  101. data/lib/watobo/constants.rb +92 -0
  102. data/lib/watobo/core/active_check.rb +404 -0
  103. data/lib/watobo/core/cookie.rb +69 -0
  104. data/lib/watobo/core/fuzz_gen.rb +160 -0
  105. data/lib/watobo/core/http_socket.rb +142 -0
  106. data/lib/watobo/core/interceptor.rb +729 -0
  107. data/lib/watobo/core/passive_check.rb +141 -0
  108. data/lib/watobo/core/project.rb +1058 -0
  109. data/lib/watobo/core/scanner.rb +396 -0
  110. data/lib/watobo/core/session.rb +1320 -0
  111. data/lib/watobo/core/simple_ca.rb +393 -0
  112. data/lib/watobo/core.rb +34 -0
  113. data/lib/watobo/defaults.rb +40 -0
  114. data/lib/watobo/external/diff/lcs/array.rb +42 -0
  115. data/lib/watobo/external/diff/lcs/block.rb +72 -0
  116. data/lib/watobo/external/diff/lcs/callbacks.rb +343 -0
  117. data/lib/watobo/external/diff/lcs/change.rb +190 -0
  118. data/lib/watobo/external/diff/lcs/hunk.rb +279 -0
  119. data/lib/watobo/external/diff/lcs/ldiff.rb +247 -0
  120. data/lib/watobo/external/diff/lcs/string.rb +40 -0
  121. data/lib/watobo/external/diff/lcs.rb +1124 -0
  122. data/lib/watobo/external/ntlm/ntlm.rb +797 -0
  123. data/lib/watobo/externals.rb +28 -0
  124. data/lib/watobo/framework/create_project.rb +55 -0
  125. data/lib/watobo/framework/init.rb +149 -0
  126. data/lib/watobo/framework/init_modules.rb +116 -0
  127. data/lib/watobo/framework/license_text.rb +50 -0
  128. data/lib/watobo/framework.rb +26 -0
  129. data/lib/watobo/gui/about_watobo.rb +68 -0
  130. data/lib/watobo/gui/browser_preview.rb +460 -0
  131. data/lib/watobo/gui/certificate_dialog.rb +132 -0
  132. data/lib/watobo/gui/chat_diff.rb +415 -0
  133. data/lib/watobo/gui/chatviewer_frame.rb +427 -0
  134. data/lib/watobo/gui/checkboxtree.rb +221 -0
  135. data/lib/watobo/gui/checks_policy_frame.rb +123 -0
  136. data/lib/watobo/gui/client_cert_dialog.rb +227 -0
  137. data/lib/watobo/gui/confirm_scan_dialog.rb +67 -0
  138. data/lib/watobo/gui/conversation_table.rb +386 -0
  139. data/lib/watobo/gui/conversation_table_ctrl.rb +175 -0
  140. data/lib/watobo/gui/csrf_token_dialog.rb +446 -0
  141. data/lib/watobo/gui/dashboard.rb +341 -0
  142. data/lib/watobo/gui/define_scope_frame.rb +380 -0
  143. data/lib/watobo/gui/edit_comment.rb +70 -0
  144. data/lib/watobo/gui/edit_scope_dialog.rb +69 -0
  145. data/lib/watobo/gui/finding_info.rb +212 -0
  146. data/lib/watobo/gui/findings_tree.rb +459 -0
  147. data/lib/watobo/gui/full_scan_dialog.rb +269 -0
  148. data/lib/watobo/gui/fuzzer_gui.rb +1522 -0
  149. data/lib/watobo/gui/hex_viewer.rb +106 -0
  150. data/lib/watobo/gui/interceptor_gui.rb +994 -0
  151. data/lib/watobo/gui/interceptor_settings_dialog.rb +201 -0
  152. data/lib/watobo/gui/log_viewer.rb +97 -0
  153. data/lib/watobo/gui/login_wizzard.rb +301 -0
  154. data/lib/watobo/gui/main_window.rb +1815 -0
  155. data/lib/watobo/gui/manual_request_editor.rb +1105 -0
  156. data/lib/watobo/gui/master_pw_dialog.rb +142 -0
  157. data/lib/watobo/gui/password_policy_dialog.rb +98 -0
  158. data/lib/watobo/gui/plugin/base.rb +82 -0
  159. data/lib/watobo/gui/plugin_board.rb +95 -0
  160. data/lib/watobo/gui/preferences_dialog.rb +116 -0
  161. data/lib/watobo/gui/progress_window.rb +102 -0
  162. data/lib/watobo/gui/project_wizzard.rb +369 -0
  163. data/lib/watobo/gui/proxy_dialog.rb +550 -0
  164. data/lib/watobo/gui/quick_scan_dialog.rb +242 -0
  165. data/lib/watobo/gui/request_editor.rb +480 -0
  166. data/lib/watobo/gui/save_chat_dialog.rb +158 -0
  167. data/lib/watobo/gui/scanner_settings_dialog.rb +360 -0
  168. data/lib/watobo/gui/select_chat_dialog.rb +169 -0
  169. data/lib/watobo/gui/session_management_dialog.rb +688 -0
  170. data/lib/watobo/gui/sites_tree.rb +347 -0
  171. data/lib/watobo/gui/status_bar.rb +88 -0
  172. data/lib/watobo/gui/table_editor.rb +445 -0
  173. data/lib/watobo/gui/tagless_viewer.rb +62 -0
  174. data/lib/watobo/gui/templates/plugin.rb +80 -0
  175. data/lib/watobo/gui/templates/plugin2.rb +103 -0
  176. data/lib/watobo/gui/text_viewer.rb +247 -0
  177. data/lib/watobo/gui/transcoder_window.rb +215 -0
  178. data/lib/watobo/gui/utils/gui_utils.rb +129 -0
  179. data/lib/watobo/gui/utils/init_icons.rb +106 -0
  180. data/lib/watobo/gui/utils/load_icons.rb +54 -0
  181. data/lib/watobo/gui/utils/load_plugins.rb +94 -0
  182. data/lib/watobo/gui/utils/master_password.rb +90 -0
  183. data/lib/watobo/gui/utils/save_default_settings.rb +99 -0
  184. data/lib/watobo/gui/utils/save_project_settings.rb +21 -0
  185. data/lib/watobo/gui/utils/save_proxy_settings.rb +45 -0
  186. data/lib/watobo/gui/utils/save_session_settings.rb +21 -0
  187. data/lib/watobo/gui/utils/session_history.rb +134 -0
  188. data/lib/watobo/gui/workspace_dialog.rb +89 -0
  189. data/lib/watobo/gui/www_auth_dialog.rb +348 -0
  190. data/lib/watobo/gui/xml_viewer_frame.rb +114 -0
  191. data/lib/watobo/gui.rb +139 -0
  192. data/lib/watobo/mixins/httpparser.rb +664 -0
  193. data/lib/watobo/mixins/request_parser.rb +210 -0
  194. data/lib/watobo/mixins/shapers.rb +345 -0
  195. data/lib/watobo/mixins/transcoders.rb +88 -0
  196. data/lib/watobo/mixins.rb +32 -0
  197. data/lib/watobo/utils/check_regex.rb +36 -0
  198. data/lib/watobo/utils/copy_object.rb +29 -0
  199. data/lib/watobo/utils/crypto.rb +74 -0
  200. data/lib/watobo/utils/expand_range.rb +45 -0
  201. data/lib/watobo/utils/file_management.rb +73 -0
  202. data/lib/watobo/utils/load_chat.rb +219 -0
  203. data/lib/watobo/utils/load_icon.rb +47 -0
  204. data/lib/watobo/utils/print_debug.rb +34 -0
  205. data/lib/watobo/utils/response_hash.rb +143 -0
  206. data/lib/watobo/utils/secure_eval.rb +57 -0
  207. data/lib/watobo/utils/text2request.rb +96 -0
  208. data/lib/watobo/utils.rb +32 -0
  209. data/lib/watobo.rb +76 -0
  210. data/modules/active/Apache/mod_status.rb +123 -0
  211. data/modules/active/Flash/crossdomain.rb +102 -0
  212. data/modules/active/directories/dirwalker.rb +89 -0
  213. data/modules/active/discovery/fileextensions.rb +151 -0
  214. data/modules/active/discovery/http_methods.rb +135 -0
  215. data/modules/active/domino/domino_db.lst +164 -0
  216. data/modules/active/domino/domino_db.rb +128 -0
  217. data/modules/active/fileinclusion/lfi_simple.rb +134 -0
  218. data/modules/active/jboss/jboss_basic.rb +119 -0
  219. data/modules/active/sap/business_objects.rb +73 -0
  220. data/modules/active/sap/its_commands.rb +101 -0
  221. data/modules/active/sap/its_service_parameter.rb +105 -0
  222. data/modules/active/sap/its_services.rb +103 -0
  223. data/modules/active/sap/its_xss.rb +98 -0
  224. data/modules/active/sqlinjection/sql_boolean.rb +262 -0
  225. data/modules/active/sqlinjection/sqli_simple.rb +205 -0
  226. data/modules/active/xss/xss_simple.rb +179 -0
  227. data/modules/passive/cookie_options.rb +97 -0
  228. data/modules/passive/cookie_xss.rb +85 -0
  229. data/modules/passive/detect_code.rb +89 -0
  230. data/modules/passive/detect_fileupload.rb +80 -0
  231. data/modules/passive/detect_infrastructure.rb +98 -0
  232. data/modules/passive/detect_one_time_tokens.rb +86 -0
  233. data/modules/passive/dirindexing.rb +81 -0
  234. data/modules/passive/disclosure_emails.rb +82 -0
  235. data/modules/passive/disclosure_ipaddr.rb +87 -0
  236. data/modules/passive/filename_as_parameter.rb +85 -0
  237. data/modules/passive/form_spotter.rb +75 -0
  238. data/modules/passive/hotspots.rb +86 -0
  239. data/modules/passive/in_script_parameter.rb +92 -0
  240. data/modules/passive/multiple_server_headers.rb +98 -0
  241. data/modules/passive/possible_login.rb +134 -0
  242. data/modules/passive/redirect_url.rb +88 -0
  243. data/modules/passive/redirectionz.rb +96 -0
  244. data/modules/passive/xss_dom.rb +91 -0
  245. data/plugins/catalog/catalog.ico +0 -0
  246. data/plugins/catalog/catalog.rb +726 -0
  247. data/plugins/catalog/db_tests +6483 -0
  248. data/plugins/catalog/db_variables +29 -0
  249. data/plugins/filefinder/dbs/hbci.db +12 -0
  250. data/plugins/filefinder/filefinder.rb +602 -0
  251. data/plugins/sslchecker/cli/sslchecker_cli.rb +21 -0
  252. data/plugins/sslchecker/gui/cipher_table.rb +260 -0
  253. data/plugins/sslchecker/gui/gui.rb +245 -0
  254. data/plugins/sslchecker/gui/sslchecker.rb +26 -0
  255. data/plugins/sslchecker/icons/green_16x16.ico +0 -0
  256. data/plugins/sslchecker/icons/grey_16x16.ico +0 -0
  257. data/plugins/sslchecker/icons/red_16x16.ico +0 -0
  258. data/plugins/sslchecker/icons/sslchecker.ico +0 -0
  259. data/plugins/sslchecker/lib/check.rb +117 -0
  260. metadata +317 -0
@@ -0,0 +1,98 @@
1
+ # .
2
+ # its_xss.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'digest/md5'
23
+ require 'digest/sha1'
24
+
25
+ module Watobo
26
+ module Modules
27
+ module Active
28
+ module Sap
29
+
30
+
31
+ class Its_xss < Watobo::ActiveCheck
32
+
33
+ def initialize(project, prefs={})
34
+ @project = project
35
+ super(project, prefs)
36
+
37
+
38
+ @info.update(
39
+ :check_name => 'SAP ITS: XSS', # name of check which briefly describes functionality, will be used for tree and progress views
40
+ :description => "Checks for generic XSS flaws in SAP ITS Systems.", # description of checkfunction
41
+ :author => "Andreas Schmidt", # author of check
42
+ :version => "0.9", # check version
43
+ :check_group => AC_GROUP_SAP
44
+ )
45
+
46
+ @finding.update(
47
+ :threat => 'Information Disclosure (and maybe more)', # thread of vulnerability, e.g. loss of information
48
+ :class => "SAP ITS: XSS", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
49
+ :type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
50
+ )
51
+ end
52
+
53
+ def generateChecks(chat)
54
+
55
+ #
56
+ # Check GET-Parameters
57
+ #
58
+ begin
59
+
60
+ if chat.request.url =~ /!$/ then
61
+ checker = proc{
62
+ test = chat.copyRequest
63
+ new_p = "~urlmime"
64
+ new_v = "\"><script>alert('watobo')</script><img src=\""
65
+ test.add_get_parm(new_p,new_v)
66
+
67
+ test_request,test_response = doRequest(test,:default => true)
68
+
69
+ if test_response.join =~ /watobo/i then
70
+ #test_chat = Chat.new(test,test_response,chat.id)
71
+ addFinding(test_request,test_response,
72
+ :test_item => chat.request.url,
73
+ :check_pattern => "#{new_p}",
74
+ :proof_pattern => "#{new_v}",
75
+ :chat => chat,
76
+ :title => new_p
77
+ )
78
+ end
79
+ [ test_request, test_response ]
80
+ }
81
+ yield checker
82
+ end
83
+
84
+ rescue => bang
85
+ puts bang
86
+ puts "ERROR!! #{Module.nesting[0].name}"
87
+ raise
88
+
89
+
90
+ end
91
+ end
92
+ end
93
+
94
+ # --> eo namespace
95
+ end
96
+ end
97
+ end
98
+ end
@@ -0,0 +1,262 @@
1
+ # .
2
+ # sql_boolean.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'digest/md5'
23
+ require 'digest/sha1'
24
+
25
+ module Watobo
26
+ module Modules
27
+ module Active
28
+ module Sqlinjection
29
+
30
+
31
+ class Sql_boolean < Watobo::ActiveCheck
32
+
33
+ def initialize(project, prefs={})
34
+ super(project, prefs)
35
+ @info.update(
36
+ :check_name => 'Boolean SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
37
+ :check_group => AC_GROUP_SQL,
38
+ :description => "Checks parameter values for boolean-style SQL-Injection flaws.", # description of checkfunction
39
+ :author => "Andreas Schmidt", # author of check
40
+ :version => "0.9" # check version
41
+ )
42
+
43
+ threat =<<'EOF'
44
+ SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
45
+ When successful, the attacker is able to change the logic of SQL statements executed against the database.
46
+ Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
47
+ The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
48
+ proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
49
+ If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
50
+ and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
51
+ specified by the application executing the statement. This capability allows attackers to gain control of all database resources
52
+ accessible by that user, up to and including the ability to execute commands on the hosting system.
53
+
54
+ Source: http://projects.webappsec.org/SQL-Injection
55
+ EOF
56
+
57
+ measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
58
+
59
+ @finding.update(
60
+ :threat => threat, # thread of vulnerability, e.g. loss of information
61
+ :class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
62
+ :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
63
+ :rating => VULN_RATING_CRITICAL,
64
+ :measure => measure
65
+ )
66
+
67
+ @boolean_checks = [
68
+ [ ' and 1=1', ' and 1=2'],
69
+ [ '\' and \'1\'=\'1', '\' and \'1\'=\'2'],
70
+ [ '\') and \'1\'=\'1\'(\'', '\') and \'1\'=\'2\'(\'' ],
71
+ [ '\')) and \'1\'=\'1\'((\'', '\')) and \'1\'=\'2\'((\'' ],
72
+ [ '\'))) and \'1\'=\'1\'(((\'', '\'))) and \'1\'=\'2\'(((\'' ],
73
+ [ ') and \'1\'=\'1\'(', ') and \'1\'=\'2\'(' ],
74
+ [ ')) and \'1\'=\'1\'((', ')) and \'1\'=\'2\'((' ],
75
+ [ '))) and \'1\'=\'1\'(((', '))) and \'1\'=\'2\'(((' ],
76
+ ]
77
+ end
78
+
79
+ def generateChecks(chat)
80
+
81
+ #
82
+ # Check GET-Parameters
83
+ #
84
+ begin
85
+ chat.request.get_parm_names.each do |get_parm|
86
+
87
+ @boolean_checks.each do |check_true, check_false|
88
+
89
+
90
+ checker = proc {
91
+ parm = get_parm.dup
92
+ check_t = CGI::escape(check_true)
93
+ check_f = CGI::escape(check_false)
94
+
95
+ begin
96
+ test_request = nil
97
+ test_response = nil
98
+
99
+ # first do request double time to check if hashes are the same
100
+ test = chat.copyRequest
101
+ value = test.get_parm_value(parm)
102
+ test_request,test_response = doRequest(test,:default => true)
103
+ # puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
104
+ text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
105
+ test = chat.copyRequest
106
+ test_request,test_response = doRequest(test,:default => true)
107
+ text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
108
+ # puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
109
+
110
+ if hash_1 == hash_2 then
111
+ test = chat.copyRequest
112
+ val = test.get_parm_value(parm)
113
+ val += check_f
114
+ test.replace_get_parm(parm, val)
115
+
116
+ test_request,test_response = doRequest(test,:default => true)
117
+ text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
118
+ # check if hash is the same, if yes then this parameter is not good for us
119
+ if hash_1 != hash_false then
120
+
121
+ test = chat.copyRequest
122
+ val = test.get_parm_value(parm)
123
+ val += check_t
124
+ test.replace_get_parm(parm, val)
125
+ test_request, test_response = doRequest(test, :default => true)
126
+ #puts "test(Request/Response): #{test.object_id}(#{test_request.object_id}/#{test_response.object_id})"
127
+ text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
128
+
129
+ if hash_true == hash_1 then
130
+ path = "/" + test_request.path
131
+ # test_chat = Chat.new(test, test_response,chat.id)
132
+ addFinding( test_request,test_response,
133
+ :test_item => parm,
134
+ :check_pattern => "#{parm}",
135
+ :chat => chat,
136
+ :title => "[#{parm}] - #{path}",
137
+ :debug => true
138
+ )
139
+ end
140
+ else
141
+ # puts "\n! Boolean check not possible on chat #{chat.id}. Get parameter #{parm} is imune :("
142
+ end
143
+ else
144
+ # puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for get parameter #{parm} :("
145
+ end
146
+ rescue => bang
147
+ puts bang
148
+ raise
149
+ end
150
+ [ test_request, test_response ]
151
+ }
152
+ yield checker
153
+
154
+ end
155
+
156
+ end
157
+
158
+ chat.request.post_parm_names.each do |post_parm|
159
+
160
+ @boolean_checks.each do |check_true, check_false|
161
+
162
+ checker = proc {
163
+ begin
164
+ parm = post_parm.dup
165
+ check_t = CGI::escape(check_true)
166
+ check_f = CGI::escape(check_false)
167
+ test_request = nil
168
+ test_response = nil
169
+
170
+ # first do request double time to check if hashes are the same
171
+ test = chat.copyRequest
172
+ test_request,test_response = doRequest(test, :default => true)
173
+ text_1, hash_1 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
174
+ test = chat.copyRequest
175
+ test_request,test_response = doRequest(test, :default => true)
176
+ text_2, hash_2 = Watobo::Utils.smartHash(chat.request, test_request, test_response)
177
+ #puts "=== SQL BOOLEAN (#{parm}) ===="
178
+ #puts "=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}" if parm =~ /button/
179
+ #puts "=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}" if parm =~ /button/
180
+ if hash_1 == hash_2 then
181
+ test = chat.copyRequest
182
+ val = test.post_parm_value(parm)
183
+ val += check_f
184
+
185
+ test.replace_post_parm(parm, val)
186
+ test_request,test_response = doRequest(test, :default => true)
187
+ text_false, hash_false = Watobo::Utils.smartHash(chat.request, test_request, test_response)
188
+ # puts "=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}" if parm =~ /button/
189
+
190
+
191
+ # check if hash is the same, if yes then this parameter is not good for us
192
+ if hash_1 != hash_false then
193
+ test = chat.copyRequest
194
+ val = test.post_parm_value(parm)
195
+ val += check_t
196
+ test.replace_post_parm(parm, val)
197
+ test_request,test_response = doRequest(test, :default => true)
198
+ text_true, hash_true = Watobo::Utils.smartHash(chat.request, test_request, test_response)
199
+ # puts "=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}" if parm =~ /button/
200
+
201
+
202
+ # if parm =~ /account/ then
203
+ # filename = File.join(File.dirname($0), "bc_1.txt")
204
+ # puts filename
205
+ # fh = File.new(filename, "w")
206
+ # fh.puts text_1
207
+ # fh.close
208
+ # filename = File.join(File.dirname($0), "bc_true.txt")
209
+ # puts filename
210
+ # fh = File.new(filename, "w")
211
+ #
212
+ # fh.puts text_true
213
+ # fh.close
214
+ #
215
+ # end
216
+
217
+ if hash_true == hash_1 then
218
+ puts "!GOTCHA! #{hash_1} / #{hash_true}\r\n=TEXT_1 (#{parm})\r\n#{text_1}\r\n=HASH_1\r\n#{hash_1}\r\n=TEXT_2 (#{parm})\r\n#{text_2}\r\n=HASH_2\r\n#{hash_2}\r\n=TEXT_FALSE (#{parm})\r\n#{text_false}\r\n=HASH_FALSE\r\n#{hash_false}\r\n=TEXT_TRUE (#{parm})\r\n#{text_true}\r\n=HASH_TRUE\r\n#{hash_true}"
219
+
220
+ path = "/" + test_request.path
221
+ # test_chat = Chat.new(test,test_response,chat.id)
222
+ addFinding(test_request,test_response,
223
+ :test_item => parm,
224
+ :check_pattern => "#{parm}",
225
+ :chat => chat,
226
+ :title => "[#{parm}] - #{path}",
227
+ :debug => true
228
+ )
229
+ end
230
+ else
231
+ # puts "\n! Boolean check not possible on chat #{chat.id}. Postparmeter #{parm} is imune :("
232
+ end
233
+ else
234
+ # puts "\n! Boolean check not possible on chat #{chat.id}. Hashes don't match for post parameter #{parm} :("
235
+ # fh = File.new("bc_1e.txt", "w")
236
+ # fh.puts text_1
237
+ # fh.close
238
+ # fh = File.new("bc_truee.txt", "w")
239
+ # fh.puts text_true
240
+ # fh.close
241
+
242
+ end
243
+ rescue => bang
244
+ puts bang
245
+ raise
246
+ end
247
+ [ test_request, test_response ]
248
+ }
249
+ yield checker
250
+
251
+ end
252
+ end
253
+ rescue => bang
254
+ puts bang
255
+ end
256
+ end
257
+ end
258
+ # --> eo namespace
259
+ end
260
+ end
261
+ end
262
+ end
@@ -0,0 +1,205 @@
1
+ # .
2
+ # sqli_simple.rb
3
+ #
4
+ # Copyright 2012 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ module Watobo
23
+ module Modules
24
+ module Active
25
+ module Sqlinjection
26
+
27
+
28
+ class Sqli_simple < Watobo::ActiveCheck
29
+
30
+ def initialize(project, prefs={})
31
+ super(project, prefs)
32
+ @info.update(
33
+ :check_name => 'Simple SQL-Injection', # name of check which briefly describes functionality, will be used for tree and progress views
34
+ :check_group => AC_GROUP_SQL,
35
+ :description => "Check every parameter for SQL-Injection flaws.", # description of checkfunction
36
+ :author => "Andreas Schmidt", # author of check
37
+ :version => "0.9" # check version
38
+ )
39
+
40
+ threat =<<'EOF'
41
+ SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input.
42
+ When successful, the attacker is able to change the logic of SQL statements executed against the database.
43
+ Structured Query Language (SQL) is a specialized programming language for sending queries to databases.
44
+ The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with
45
+ proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements.
46
+ If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure
47
+ and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user
48
+ specified by the application executing the statement. This capability allows attackers to gain control of all database resources
49
+ accessible by that user, up to and including the ability to execute commands on the hosting system.
50
+
51
+ Source: http://projects.webappsec.org/SQL-Injection
52
+ EOF
53
+ #
54
+ measure = "All user input must be escaped and/or filtered thoroughly before the sql statement is put together. Additionally prepared statements should be used."
55
+
56
+ @finding.update(
57
+ :threat => threat, # threat of vulnerability, e.g. loss of information
58
+ :class => "SQL-Injection", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
59
+ :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
60
+ :rating => VULN_RATING_CRITICAL,
61
+ :measure => measure
62
+ )
63
+
64
+ @sql_checks=[
65
+ "';--",
66
+ "'",
67
+ ]
68
+
69
+ @sql_patterns = [
70
+ "OleDBException",
71
+ "SQL Server",
72
+ "Microsoft OLE DB Provider",
73
+ "Incorrect syntax near",
74
+ "ADODB",
75
+ "DB2 SQL",
76
+ "DB2.*SQL\d+N",
77
+ "ODBC Microsoft Access Driver",
78
+ "(PLS|ORA).[0-9]{2,}",
79
+ "PostgreSQL query",
80
+ "error in your SQL syntax"
81
+
82
+ ]
83
+
84
+ end
85
+
86
+ def generateChecks(chat)
87
+
88
+ begin
89
+ urlParmNames(chat).each do |parm|
90
+ # puts "#{Module.nesting[0].name}: run check on chat-id (#{chat.id}) with parm (#{parm})"
91
+ #@sql_checks.each do |check, pattern|
92
+ test_values = []
93
+ @sql_checks.each do |check|
94
+ test_values << check
95
+ test_values << "#{chat.request.get_parm_value(parm)}#{check}"
96
+ test_values << "#{check}#{chat.request.get_parm_value(parm)}"
97
+ end
98
+ test_values.each do |check|
99
+ checker = proc {
100
+
101
+ test_request = nil
102
+ test_response = nil
103
+ # IMPORTANT!!!
104
+ # use prepareRequest(chat) for cloning the original request
105
+ test = chat.copyRequest
106
+ test_parm = "#{parm.clone}"
107
+ # modify the test request
108
+ test.replace_get_parm(test_parm, check)
109
+ # fire it up!
110
+ #puts req_copy
111
+ test_request,test_response = doRequest(test)
112
+
113
+ # puts test_response
114
+ # verify response
115
+ match = nil
116
+ @sql_patterns.each do |pattern|
117
+ if test_response.join =~ /(#{pattern})/i
118
+ match = $1
119
+ # test_chat = Chat.new(test,test_response,chat.id)
120
+ # path = "/" + test_request.path_ext
121
+ addFinding(test_request,test_response,
122
+ :test_item => parm,
123
+ :check_pattern => "#{check}",
124
+ :proof_pattern => "#{match}",
125
+ :chat => chat,
126
+ :title => "[#{test_parm}] - #{test_request.path}"
127
+ )
128
+ end
129
+
130
+ end
131
+
132
+ [ test_request, test_response ]
133
+ }
134
+ yield checker
135
+ end
136
+ end
137
+
138
+
139
+ #
140
+ # Check POST-Parameters
141
+ #
142
+
143
+ chat.request.post_parm_names.each do |parm|
144
+ #puts "#{chat.id}: run check on post parm #{parm}"
145
+ test_values = []
146
+ @sql_checks.each do |check|
147
+ test_values << check
148
+ test_values << "#{chat.request.post_parm_value(parm)}#{check}"
149
+ test_values << "#{check}#{chat.request.post_parm_value(parm)}"
150
+ end
151
+ test_values.each do |check,pattern|
152
+ checker = proc {
153
+ test_request = nil
154
+ test_response = nil
155
+ # IMPORTANT!!!
156
+ # use prepareRequest(chat) for cloning the original request
157
+ test = chat.copyRequest
158
+ test_parm = "#{parm.clone}"
159
+
160
+
161
+ # modify the test request
162
+ test.replace_post_parm(test_parm,check)
163
+ # puts test.last
164
+ # fire it up!
165
+ #puts req_copy
166
+ test_request,test_response = doRequest(test)
167
+
168
+ # puts test_response
169
+ # verify response
170
+ match = nil
171
+ @sql_patterns.each do |pattern|
172
+ if test_response.join =~ /(#{pattern})/i
173
+ match = $1
174
+ # puts "found xss (post)"
175
+ # test_chat = Chat.new(test,test_response,chat.id)
176
+ #resource = "/" + test_request.resource
177
+ addFinding(test_request,test_response,
178
+ :test_item => parm,
179
+ :check_pattern => "#{check}",
180
+ :proof_pattern => "#{match}",
181
+ :chat => chat,
182
+ :title => "[#{test_parm}] - #{test_request.path}"
183
+ )
184
+ end
185
+
186
+ end
187
+ [ test_request, test_response ]
188
+ }
189
+ yield checker
190
+
191
+ end
192
+ end
193
+ rescue => bang
194
+ puts bang
195
+ puts "ERROR!! #{Module.nesting[0].name}"
196
+ raise
197
+ end
198
+ end
199
+
200
+ end
201
+
202
+ end
203
+ end
204
+ end
205
+ end