lib/scanner/plugins/servers/apache.rb in yawast-0.6.0 vs lib/scanner/plugins/servers/apache.rb in yawast-0.7.0.beta1

- old
+ new

@@ -69,21 +69,23 @@ #check to see if there's a version number version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body if version != nil && version[0] != nil Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}" + Yawast::Shared::Output.log_value 'apache', 'tomcat_version', version[0] + puts "\t\t\"curl -X XYZ #{uri}\"" puts '' end end end end def self.check_tomcat_manager(uri) - check_tomcat_manager_paths uri, 'manager', 'Manager' - check_tomcat_manager_paths uri, 'host-manager', 'Host Manager' + check_tomcat_manager_paths uri.copy, 'manager', 'Manager' + check_tomcat_manager_paths uri.copy, 'host-manager', 'Host Manager' end def self.check_tomcat_manager_paths(uri, base_path, manager) uri.path = "/#{base_path}/html" uri.query = '' if uri.query != nil @@ -91,20 +93,23 @@ ret = Yawast::Shared::Http.get(uri) if ret.include? '<tt>conf/tomcat-users.xml</tt>' #this will get Tomcat 7+ Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}" + Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr', manager, uri check_tomcat_manager_passwords uri, manager puts '' else #check for Tomcat 6 and below + uri = uri.copy uri.path = "/#{base_path}" ret = Yawast::Shared::Http.get(uri) if ret.include? '<tt>conf/tomcat-users.xml</tt>' Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}" + Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr', manager, uri check_tomcat_manager_passwords uri, manager puts '' end end 
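Review bot: URI copying is applied inconsistently across this change: here the caller copies (`check_tomcat_manager_paths uri.copy, 'manager', 'Manager'`), the `-91` and `-157` hunks copy inside the callee (`uri = uri.copy`), and check_tomcat_put_rce in the `-123` hunk still assigns `uri.path` and `uri.query` on the caller's object. In that method the URI is handed to `log_value` with its trailing slash and then changed by `uri.path = uri.path.chomp('/')`, so if `log_value` keeps the object rather than a string, the recorded path would no longer match the request that was sent. Making `uri = uri.copy` the first statement of every method that assigns `uri.path`, and logging `uri.to_s`, would cover all of these cases in one convention. `copy` is not a method of Ruby's standard URI classes, so it presumably comes from a project extension that is not visible in this diff. The version-check method at the top of the hunk starts outside it.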
@@ -123,30 +128,42 @@ def self.check_tomcat_manager_pwd_check(uri, manager, credentials) ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"}) if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') || ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>') Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}" + + Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr_pwd', uri, credentials end end def self.check_tomcat_put_rce(uri) # CVE-2017-12615 uri.path = "/#{SecureRandom.hex}.jsp/" uri.query = '' if uri.query != nil + Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'path', uri + # we'll use this to verify that it actually worked check_value = SecureRandom.hex + Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'check_value', check_value + # upload the JSP file req_data = "<% out.println(\"#{check_value}\");%>" Yawast::Shared::Http.put(uri, req_data) # check to see of we get check_value back uri.path = uri.path.chomp('/') res = Yawast::Shared::Http.get(uri) + + Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'body', res + if res.include? check_value Yawast::Utilities.puts_vuln "Apache Tomcat PUT RCE (CVE-2017-12615): #{uri}" + Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'vulnerable', true + else + Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'vulnerable', false end end def self.check_struts2_samples(uri) search = Array.new @@ -157,13 +174,16 @@ search.push '/struts2-showcase/index.action' search.push '/struts2-bootstrap-showcase/index.action' search.push '/struts2-rest-showcase/' search.each do |path| + uri = uri.copy uri.path = path ret = Yawast::Shared::Http.get_status_code uri + Yawast::Shared::Output.log_value 'apache', 'struts2_sample_files', uri, ret + if ret == 200 Yawast::Utilities.puts_warn "Apache Struts2 Sample Files: #{uri}" end end end 
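Review bot: The added `log_value 'apache', 'cve_2017_12615', 'body', res` stores the whole response body in the report on every run, even when the check value is absent, and the `tomcat_mgr_pwd` entry stores the working credential pair in clear text, so the output file now has to be handled as sensitive data. A bounded excerpt such as `res[0, 512]` would keep the evidence without the bulk, assuming `Http.get` returns a String as the `include?` call suggests. In the unchanged request line of check_tomcat_manager_pwd_check, `Base64.encode64` appends a newline and wraps long input, while `Base64.strict_encode64(credentials)` produces a value that is valid for a Basic Authorization header. The probe file is left on the server when the PUT succeeds, so the logged path is the only record an operator has for cleaning it up afterwards; a comment saying so above the `put` call would help.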
@@ -174,9 +194,10 @@ ret = Yawast::Shared::Http.get(uri) if ret.include? search Yawast::Utilities.puts_vuln "#{search} page found: #{uri}" + Yawast::Shared::Output.log_value 'apache', 'page_search', search, uri puts '' end end end