lib/scanner/plugins/servers/apache.rb in yawast-0.6.0 vs lib/scanner/plugins/servers/apache.rb in yawast-0.7.0.beta1
- old
+ new
@@ -69,21 +69,23 @@
#check to see if there's a version number
version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body
if version != nil && version[0] != nil
Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}"
+ Yawast::Shared::Output.log_value 'apache', 'tomcat_version', version[0]
+
puts "\t\t\"curl -X XYZ #{uri}\""
puts ''
end
end
end
end
def self.check_tomcat_manager(uri)
- check_tomcat_manager_paths uri, 'manager', 'Manager'
- check_tomcat_manager_paths uri, 'host-manager', 'Host Manager'
+ check_tomcat_manager_paths uri.copy, 'manager', 'Manager'
+ check_tomcat_manager_paths uri.copy, 'host-manager', 'Host Manager'
end
def self.check_tomcat_manager_paths(uri, base_path, manager)
uri.path = "/#{base_path}/html"
uri.query = '' if uri.query != nil
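Review bot: The defensive copy is applied unevenly: `check_tomcat_manager` now hands `uri.copy` to `check_tomcat_manager_paths`, but `check_tomcat_put_rce` in the hunk at -123 still assigns `uri.path` and `uri.query` on the object its caller passed in. Unless every caller already passes a copy (not visible here), later checks that reuse that URI would run against the random `.jsp` path; starting that method with `uri = uri.copy` would match the rest of the commit. `copy` is not defined in this diff, so I assume it is a project helper on the URI class. A one-line comment here such as `# copy: check_tomcat_manager_paths rewrites path and query` would record why the copies exist. The body of `check_tomcat_manager_paths` continues outside this hunk.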
@@ -91,20 +93,23 @@
ret = Yawast::Shared::Http.get(uri)
if ret.include? '<tt>conf/tomcat-users.xml</tt>'
#this will get Tomcat 7+
Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+ Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr', manager, uri
check_tomcat_manager_passwords uri, manager
puts ''
else
#check for Tomcat 6 and below
+ uri = uri.copy
uri.path = "/#{base_path}"
ret = Yawast::Shared::Http.get(uri)
if ret.include? '<tt>conf/tomcat-users.xml</tt>'
Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+ Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr', manager, uri
check_tomcat_manager_passwords uri, manager
puts ''
end
end
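Review bot: Both new `log_value` calls pass the `URI` object rather than a string, and in the first branch the same object then goes to `check_tomcat_manager_passwords`. `log_value` is not shown, so this is hedged: if it keeps the reference, any later change to the URI alters what ends up in the record. The visible case is in the hunk at -123, where `'path', uri` is logged and `uri.path` is rewritten with `chomp('/')` a few lines later. Passing `uri.to_s` at each call site (also in the -157 and -174 hunks) would pin the value at the time of logging. The start of this method is outside the hunk.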
@@ -123,30 +128,42 @@
def self.check_tomcat_manager_pwd_check(uri, manager, credentials)
ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"})
if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') ||
ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>')
Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}"
+
+ Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr_pwd', uri, credentials
end
end
def self.check_tomcat_put_rce(uri)
# CVE-2017-12615
uri.path = "/#{SecureRandom.hex}.jsp/"
uri.query = '' if uri.query != nil
+ Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'path', uri
+
# we'll use this to verify that it actually worked
check_value = SecureRandom.hex
+ Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'check_value', check_value
+
# upload the JSP file
req_data = "<% out.println(\"#{check_value}\");%>"
Yawast::Shared::Http.put(uri, req_data)
# check to see of we get check_value back
uri.path = uri.path.chomp('/')
res = Yawast::Shared::Http.get(uri)
+
+ Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'body', res
+
if res.include? check_value
Yawast::Utilities.puts_vuln "Apache Tomcat PUT RCE (CVE-2017-12615): #{uri}"
+ Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'vulnerable', true
+ else
+ Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'vulnerable', false
end
end
def self.check_struts2_samples(uri)
search = Array.new
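Review bot: The new `tomcat_mgr_pwd` entry writes the working `credentials` string into the logged output in cleartext, and the `'body', res` entry stores the target's full response on every run, whether or not the check succeeded. Assuming `Output.log_value` feeds a report file, that file now holds valid credentials and arbitrary server content, so it should be documented and handled as sensitive. I would add a comment above the credentials call, e.g. `# NOTE: stores valid credentials in the report; treat the output file as secret`. For the body, either cap its length or record it only on a hit: `Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'body', res if res.include? check_value`. `check_struts2_samples` starts at the end of this hunk and continues past it.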
@@ -157,13 +174,16 @@
search.push '/struts2-showcase/index.action'
search.push '/struts2-bootstrap-showcase/index.action'
search.push '/struts2-rest-showcase/'
search.each do |path|
+ uri = uri.copy
uri.path = path
ret = Yawast::Shared::Http.get_status_code uri
+ Yawast::Shared::Output.log_value 'apache', 'struts2_sample_files', uri, ret
+
if ret == 200
Yawast::Utilities.puts_warn "Apache Struts2 Sample Files: #{uri}"
end
end
end
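Review bot: `uri = uri.copy` inside the `each` block rebinds the method's own parameter, so each pass copies the previous pass's copy and `uri` no longer refers to the URI the caller supplied. A block-local name reads more clearly and leaves the argument untouched: `target = uri.copy`, then `target.path = path` and `target` in the calls below it. The warning still keys on `ret == 200` alone while the log records every status; a short comment saying the log is intentionally exhaustive would help whoever reads the report. The method starts outside this hunk.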
@@ -174,9 +194,10 @@
ret = Yawast::Shared::Http.get(uri)
if ret.include? search
Yawast::Utilities.puts_vuln "#{search} page found: #{uri}"
+ Yawast::Shared::Output.log_value 'apache', 'page_search', search, uri
puts ''
end
end
end