Class: Yawast::Scanner::Plugins::Servers::Apache
- Inherits:
-
Object
- Object
- Yawast::Scanner::Plugins::Servers::Apache
- Defined in:
- lib/scanner/plugins/servers/apache.rb
Class Method Summary collapse
- .check_all(uri, links = nil) ⇒ Object
- .check_banner(banner) ⇒ Object
- .check_cve_2019_0232(links) ⇒ Object
- .check_page_for_string(uri, path, search) ⇒ Object
- .check_server_info(uri) ⇒ Object
- .check_server_status(uri) ⇒ Object
- .check_struts2_samples(uri) ⇒ Object
- .check_tomcat_manager(uri) ⇒ Object
- .check_tomcat_manager_passwords(uri, manager) ⇒ Object
- .check_tomcat_manager_paths(uri, base_path, manager) ⇒ Object
- .check_tomcat_manager_pwd_check(uri, manager, credentials) ⇒ Object
- .check_tomcat_put_rce(uri) ⇒ Object
- .check_tomcat_version(uri) ⇒ Object
Class Method Details
.check_all(uri, links = nil) ⇒ Object
65 66 67 68 69 70 71 72 73 74 75 76 77 |
# File 'lib/scanner/plugins/servers/apache.rb', line 65 def self.check_all(uri, links = nil) # run all the defined checks check_server_status(uri.copy) check_server_info(uri.copy) check_tomcat_manager(uri.copy) check_tomcat_version(uri.copy) check_tomcat_put_rce(uri.copy) check_struts2_samples(uri.copy) unless links.nil? check_cve_2019_0232(links) end end |
.check_banner(banner) ⇒ Object
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
# File 'lib/scanner/plugins/servers/apache.rb', line 11 def self.() Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_openssl_version_exposed', {vulnerable: false, version: nil} Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_httpd_version_exposed', {vulnerable: false, version: nil} Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_httpd_modules_exposed', {vulnerable: false, modules: nil} # don't bother if this doesn't look like Apache return unless .include? 'Apache' @apache = true modules = .split(' ') server = modules[0] # fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)' # if we don't do this, it triggers a false positive on the module check if /\(\w*\)/.match? modules[1] server += " #{modules[1]}" modules.delete_at 1 end # print the server info no matter what we do next Yawast::Utilities.puts_info "Apache Server: #{server}" modules.delete_at 0 Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_httpd_version_exposed', {vulnerable: true, version: server} if modules.count.positive? Yawast::Utilities.puts_warn 'Apache Server: Module listing enabled' modules.each { |mod| Yawast::Utilities.puts_warn "\t\t#{mod}" } puts '' Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_httpd_modules_exposed', {vulnerable: true, modules: } # check for special items modules.each do |mod| if mod.include? 'OpenSSL' Yawast::Utilities.puts_warn "OpenSSL Version Disclosure: #{mod}" puts '' Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_openssl_version_exposed', {vulnerable: true, version: mod} end end end end |
.check_cve_2019_0232(links) ⇒ Object
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 |
# File 'lib/scanner/plugins/servers/apache.rb', line 239 def self.check_cve_2019_0232(links) Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_cve_2019_0232', {vulnerable: false, uri: nil, body: nil} # create a list of possible targets - this would be links that include "cgi-bin" targets = [] links.each do |link| targets.push link if link.include? '/cgi-bin/' end # check to see if we have any targets unless targets.count.zero? # we have targets targets.each do |target| # now, we need to build the URI we'll use target = if target.include? '?' target + '&dir' else target + '?dir' end # now, send the request and see if it includes "<DIR>" target_uri = URI.parse target body = Yawast::Shared::Http.get(target_uri) if body.include? '<DIR>' # we have a hit Yawast::Utilities.puts_vuln "Apache Tomcat RCE (CVE-2019-0232): #{uri}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_cve_2019_0232', {vulnerable: true, uri: target_uri, body: body} break end end end end |
.check_page_for_string(uri, path, search) ⇒ Object
280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 |
# File 'lib/scanner/plugins/servers/apache.rb', line 280 def self.check_page_for_string(uri, path, search) uri.path = path uri.query = '' unless uri.query.nil? body = Yawast::Shared::Http.get(uri) if body.include? search Yawast::Utilities.puts_vuln "#{search} page found: #{uri}" Yawast::Shared::Output.log_value 'apache', 'page_search', search, uri Yawast::Shared::Output.log_hash 'vulnerabilities', "apache_#{path.tr('-', '_').tr('/', '')}_found", {vulnerable: true, uri: uri, body: body} puts '' else Yawast::Shared::Output.log_hash 'vulnerabilities', "apache_#{path.tr('-', '_').chomp('/')}_found", {vulnerable: false, uri: uri, body: body} end end |
.check_server_info(uri) ⇒ Object
83 84 85 |
# File 'lib/scanner/plugins/servers/apache.rb', line 83 def self.check_server_info(uri) check_page_for_string uri, '/server-info', 'Apache Server Information' end |
.check_server_status(uri) ⇒ Object
79 80 81 |
# File 'lib/scanner/plugins/servers/apache.rb', line 79 def self.check_server_status(uri) check_page_for_string uri, '/server-status', 'Apache Server Status' end |
.check_struts2_samples(uri) ⇒ Object
218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 |
# File 'lib/scanner/plugins/servers/apache.rb', line 218 def self.check_struts2_samples(uri) search = [] search.push '/Struts2XMLHelloWorld/User/home.action' search.push '/struts2-showcase/showcase.action' search.push '/struts2-showcase/titles/index.action' search.push '/struts2-bootstrap-showcase/' search.push '/struts2-showcase/index.action' search.push '/struts2-bootstrap-showcase/index.action' search.push '/struts2-rest-showcase/' search.each do |path| uri = uri.copy uri.path = path ret = Yawast::Shared::Http.get_status_code uri Yawast::Shared::Output.log_value 'apache', 'struts2_sample_files', uri, ret Yawast::Utilities.puts_warn "Apache Struts2 Sample Files: #{uri}" if ret == 200 end end |
.check_tomcat_manager(uri) ⇒ Object
120 121 122 123 |
# File 'lib/scanner/plugins/servers/apache.rb', line 120 def self.check_tomcat_manager(uri) check_tomcat_manager_paths uri.copy, 'manager', 'Manager' check_tomcat_manager_paths uri.copy, 'host-manager', 'Host Manager' end |
.check_tomcat_manager_passwords(uri, manager) ⇒ Object
165 166 167 168 169 170 171 172 173 174 175 176 |
# File 'lib/scanner/plugins/servers/apache.rb', line 165 def self.check_tomcat_manager_passwords(uri, manager) Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_manager_weak_pass', {vulnerable: false, uri: nil, credentials: nil} # check for known passwords check_tomcat_manager_pwd_check uri, manager, 'tomcat:tomcat' check_tomcat_manager_pwd_check uri, manager, 'tomcat:password' check_tomcat_manager_pwd_check uri, manager, 'tomcat:' check_tomcat_manager_pwd_check uri, manager, 'admin:admin' check_tomcat_manager_pwd_check uri, manager, 'admin:password' check_tomcat_manager_pwd_check uri, manager, 'admin:' end |
.check_tomcat_manager_paths(uri, base_path, manager) ⇒ Object
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 |
# File 'lib/scanner/plugins/servers/apache.rb', line 125 def self.check_tomcat_manager_paths(uri, base_path, manager) Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_manager_exposed', {vulnerable: false, uri: nil} Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_host_manager_exposed', {vulnerable: false, uri: nil} uri.path = "/#{base_path}/html" uri.query = '' unless uri.query.nil? ret = Yawast::Shared::Http.get(uri) if ret.include? '<tt>conf/tomcat-users.xml</tt>' # this will get Tomcat 7+ Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_manager_exposed', {vulnerable: true, uri: uri} check_tomcat_manager_passwords uri, manager puts '' else # check for Tomcat 6 and below uri = uri.copy uri.path = "/#{base_path}" ret = Yawast::Shared::Http.get(uri) if ret.include? '<tt>conf/tomcat-users.xml</tt>' Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_host_manager_exposed', {vulnerable: true, uri: uri} check_tomcat_manager_passwords uri, manager puts '' end end end |
.check_tomcat_manager_pwd_check(uri, manager, credentials) ⇒ Object
178 179 180 181 182 183 184 185 186 187 188 |
# File 'lib/scanner/plugins/servers/apache.rb', line 178 def self.check_tomcat_manager_pwd_check(uri, manager, credentials) ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"}) if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') || ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>') Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_manager_weak_pass', {vulnerable: true, uri: uri, credentials: credentials} end end |
.check_tomcat_put_rce(uri) ⇒ Object
190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 |
# File 'lib/scanner/plugins/servers/apache.rb', line 190 def self.check_tomcat_put_rce(uri) # CVE-2017-12615 uri.path = "/#{SecureRandom.hex}.jsp/" uri.query = '' unless uri.query.nil? # we'll use this to verify that it actually worked check_value = SecureRandom.hex # upload the JSP file req_data = "<% out.println(\"#{check_value}\");%>" Yawast::Shared::Http.put(uri, req_data) # check to see of we get check_value back uri.path = uri.path.chomp('/') res = Yawast::Shared::Http.get(uri) if res.include? check_value Yawast::Utilities.puts_vuln "Apache Tomcat PUT RCE (CVE-2017-12615): #{uri}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_cve_2017_12615', {vulnerable: true, uri: uri, check_value: check_value, body: res} else Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_cve_2017_12615', {vulnerable: false, uri: uri, check_value: check_value, body: res} end end |
.check_tomcat_version(uri) ⇒ Object
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/scanner/plugins/servers/apache.rb', line 87 def self.check_tomcat_version(uri) Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_version_exposed', {vulnerable: false, version: nil, body: nil} begin req = Yawast::Shared::Http.get_http(uri) req.use_ssl = uri.scheme == 'https' headers = Yawast::Shared::Http.get_headers res = req.request(Xyz.new('/', headers)) if !res.body.nil? && res.body.include?('Apache Tomcat') && res.code == '501' # check to see if there's a version number version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body if !version.nil? && !version[0].nil? Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}" Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_version_exposed', {vulnerable: true, version: version[0], body: res.body} puts "\t\t\"curl -X XYZ #{uri}\"" puts '' else Yawast::Shared::Output.log_hash 'vulnerabilities', 'apache_tomcat_version_exposed', {vulnerable: false, version: nil, body: res.body} end end end end |