Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2
require "rex/parser/nokogiri_doc_mixin"
3

4
module Rex
5
  module Parser
6

7
  load_nokogiri && class WapitiDocument < Nokogiri::XML::SAX::Document
8

9
    include NokogiriDocMixin
10

11
    def start_element(name=nil,attrs=[])
12
      attrs = normalize_attrs(attrs)
13
      block = @block
14
      @state[:current_tag][name] = true
15

16
      case name
17
      when "timestamp"
18
        @state[:has_text] = true
19
      when "url"
20
        @state[:has_text] = true
21
      when "addr"
22
        @state[:has_text] = true
23
      when "port"
24
        @state[:has_text] = true
25
      when "parameter"
26
        @state[:has_text] = true
27
      when "info"
28
        @state[:has_text] = true
29
      when "description"
30
        @state[:has_text] = true
31
      when "solution"
32
        @state[:has_text] = true
33
      when "title"
34
        @state[:has_text] = true
35
      end
36
    end
37

38
    def end_element(name=nil)
39
      block = @block
40
      case name
41
      when "timestamp"
42
        @state[:timestamp] = @text.strip
43
        @text = nil
44
      when "url"
45
        @state[:url] = @text.strip
46
        @text = nil
47
      when "addr"
48
        @state[:host] = @text.strip
49
        @text = nil
50
      when "port"
51
        @state[:port] = @text.strip
52
        @text = nil
53
      when "parameter"
54
        @state[:parameter] = @text.strip
55
        @text = nil
56
      when "info"
57
        @state[:info] = @text.strip
58
        @text = nil
59
      when "bug"
60
        report_vuln
61
      end
62
    end
63

64
    def report_vuln(&block)
65
      proto = @state[:url].split(":")[0]
66
      path = '/' + (@state[:url].split("/")[3..(@state[:url].split("/").length - 1)].join('/'))
67

68
      web_vuln_info = {}
69
      web_vuln_info[:web_site] = proto + "://" + @state[:host] + ":" + @state[:port]
70
      web_vuln_info[:path] = path
71
      web_vuln_info[:query] = @state[:url].split("?")[1]
72

73
      #if the URL contains the parameter found to be vulnerable, it is probably a GET
74
      #if it does not contains the parameter, it is probably a POST
75
      if @state[:url].index(@state[:parameter])
76
        web_vuln_info[:method] = "GET"
77
      else
78
        web_vuln_info[:method] = "POST"
79
      end
80

81
      @state[:parameter].split("&").each do |param|
82
        if param.index("%27") #apostrophe
83
          web_vuln_info[:pname] = param.split('=')[0] #sql injection
84
          break
85
        elsif param.index("alert")
86
          web_vuln_info[:pname] = param.split('=')[0] #xss
87
        end
88
      end
89

90
      web_vuln_info[:host] = @state[:host]
91
      web_vuln_info[:port] = @state[:port]
92
      web_vuln_info[:ssl] = (proto =~ /https/)
93
      web_vuln_info[:proof] = ""
94
      web_vuln_info[:risk] = ""
95
      web_vuln_info[:params] = @state[:parameter]
96
      web_vuln_info[:category] = "imported"
97
      web_vuln_info[:confidence] = 90
98
      web_vuln_info[:name] = @state[:info]
99

100
      db.emit(:web_vuln, web_vuln_info[:name], &block) if block
101
      vuln = db_report(:web_vuln, web_vuln_info)
102
    end
103
  end
104
end
105
end
106

107