summaryrefslogtreecommitdiffstats
path: root/freewvs
blob: 618dcfa4626d236868ae3a9cc1ed8a4a428869b6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
#!/usr/bin/python -tO

# freewvs 0.1 - the free web vulnerability scanner
#
# http://source.schokokeks.org/freewvs/
#
# Written 2007-2012 by schokokeks.org Hosting, http://www.schokokeks.org
#
# Contributions by
# Hanno Boeck, http://hboeck.de/
# Fabian Fingerle, http://www.fabian-fingerle.de/
# Bernd Wurst, http://bwurst.org/
#
# To the extent possible under law, the author(s) have dedicated all copyright
# and related and neighboring rights to this software to the public domain
# worldwide. This software is distributed without any warranty.
#
# You should have received a copy of the CC0 Public Domain Dedication along
# with this software. If not, see
# http://creativecommons.org/publicdomain/zero/1.0/
# Nevertheless, in case you use a significant part of this code, we ask (but
# not require, see the license) that you keep the authors' names in place and
# return your changes to the public. We would be especially happy if you tell
# us what you're going to do with this code.

try:					# python3
    import configparser
except ImportError:			# python2
    import ConfigParser as configparser
    # overwrite default open() function
    # this one supports encoding='...'
    from codecs import open

import os
import glob
import pprint
import re
import optparse
import sys
import gettext
from xml.sax.saxutils import escape

gettext.textdomain('freewvs')
_ = gettext.gettext


def versioncompare(safe_version, find_version):
    if safe_version == [""]:
        return True
    for i in range(min(len(find_version), len(safe_version))):
        if int(find_version[i]) < int(safe_version[i]):
            return True
        if int(find_version[i]) > int(safe_version[i]):
            return False
    return (len(find_version) < len(safe_version))


def vulnprint(appname, version, safeversion, vuln, vfilename, subdir,
              style=None):
    appdir = '/'.join(os.path.abspath(vfilename).split('/')[:-1-subdir])
    if not style:
        print("%(appname)s %(version)s (%(safeversion)s) %(vuln)s"
              "%(appdir)s" % vars())
    elif style == 'fancy':
        print(_("Directory: %(appdir)s") % vars())
        if safeversion != "ok":
            if safeversion != "":
                print(_("Vulnerable %(appname)s %(version)s found, please "
                        "update to %(safeversion)s or above.") % vars())
            else:
                print(_("Vulnerable %(appname)s %(version)s found, no fixed "
                        "version available.") % vars())
            if vuln[:3] == "CVE":
                print(_("http://cve.mitre.org/cgi-bin/cvename.cgi?name="
                        "%(vuln)s") % vars())
            else:
                print(vuln)
        else:
            print(_("%(appname)s %(version)s found.") % vars())
        print("")
    elif style == 'xml':
        state = 'vulnerable'
        if safeversion == 'ok':
            state = 'ok'
        print('  <app state="%s">' % state)
        print('    <appname>%s</appname>' % escape(appname))
        print('    <version>%s</version>' % escape(version))
        print('    <directory>%s</directory>' % escape(appdir))
        if state == 'vulnerable':
            print('    <safeversion>%s</safeversion>' % escape(safeversion))
            print('    <vulninfo>%s</vulninfo>' % escape(vuln))
        print('  </app>')


pp = pprint.PrettyPrinter(indent=4)

# Command-line options
parser = optparse.OptionParser(usage="usage: %prog [options] <path>"
                               "[<path2> ...]")
parser.add_option("-a", "--all", action="store_true", dest="ALL",
                  help="Show all webapps found, not just vulnerable")
parser.add_option("-d", "--debug", action="store_true", dest="DEBUG",
                  help="Show lots of debugging output, mainly useful"
                  "for development")
parser.add_option("-f", "--fancy", action="store_const", dest="OUTPUT",
                  const="fancy", help="Show more fancy output")
parser.add_option("-x", "--xml", action="store_const", dest="OUTPUT",
                  const="xml", help="Output results as XML")
opts, args = parser.parse_args()

# Parse vulnerability database
config = configparser.ConfigParser()
try:
    config.read(glob.glob('/usr/share/freewvs/*.freewvs'))
    config.read(glob.glob('/usr/local/share/freewvs/*.freewvs'))
    config.read(glob.glob(os.path.dirname(sys.argv[0])+'/freewvsdb/*.freewvs'))
except configparser.MissingSectionHeaderError as err:
    print("Error parsing config files: %s" % err)

vdb = []
for sect in config.sections():
    item = {}

    # base options
    item['name'] = sect
    item['safe'] = config.get(sect, 'safe')
    item['file'] = config.get(sect, 'file')
    item['vuln'] = config.get(sect, 'vuln')
    item['subdir'] = int(config.get(sect, 'subdir'))

    # match magic
    item['variable'] = []
    for var in config.get(sect, 'variable').split(","):
        item['variable'].append(re.compile(re.escape(var) +
                                r"[^0-9.\n\r]*[.]*([0-9.]*[0-9])[^0-9.]"))

    # optional options
    if config.has_option(sect, 'extra_match'):
        item['extra_match'] = config.get(sect, 'extra_match')
    else:
        item['extra_match'] = False
    if config.has_option(sect, 'extra_nomatch'):
        item['extra_nomatch'] = config.get(sect, 'extra_nomatch')
    else:
        item['extra_nomatch'] = False
    if config.has_option(sect, 'add_minor'):
        item['add_minor'] = config.get(sect, 'add_minor')
    else:
        item['add_minor'] = False
    if config.has_option(sect, 'old_safe'):
        item['old_safe'] = config.get(sect, 'old_safe').split(",")
    else:
        item['old_safe'] = []

    vdb.append(item)
if opts.DEBUG:
    pp.pprint(vdb)

if opts.OUTPUT == 'xml':
    print('<?xml version="1.0" ?>')
    print('<freewvs>')

# start the search

for fdir in args:
    for root, NULL, files in os.walk(fdir):
        for filename in files:
            for item in vdb:
                if filename == item['file']:
                    mfile = os.path.join(root, filename)
                    try:
                        file = open(mfile)
                    except:
                        continue
                    filestr = file.read()
                    file.close()

                    if item['extra_match']:
                        ematch = (filestr.find(item['extra_match']) != -1)
                    elif item['extra_nomatch']:
                        ematch = not (filestr.find(item['extra_nomatch']) != -1)
                    else:
                        ematch = True

                    findversion = []
                    for var in item['variable']:
                        var = var.search(filestr)
                        if not var:
                            findversion = False
                            break
                        else:
                            findversion.append(var.group(1))

                    if findversion and ematch:
                        findversion = '.'.join(findversion)

                        # Very ugly phpbb workaround
                        if item['add_minor']:
                            findversion = findversion.split('.')
                            findversion[-1] = str(int(findversion[-1]) +
                                                  int(item['add_minor']))
                            findversion = '.'.join(findversion)

                        if not (versioncompare(item['safe'].split('.'),
                                findversion.split('.'))) or \
                                item['old_safe'].count(findversion) > 0:
                            if opts.ALL:
                                if opts.DEBUG:
                                    print("File "+mfile)
                                vulnprint(item['name'], findversion,
                                          "ok", "", mfile, item['subdir'],
                                          opts.OUTPUT)
                        else:
                            if opts.DEBUG:
                                print("File " + mfile)
                            safev = "9999"
                            for ver in item['old_safe']:
                                if(versioncompare(ver.split('.'),
                                   findversion.split('.')) and
                                   not versioncompare(ver.split('.'),
                                   safev.split('.'))):
                                    safev = ver
                            if safev == "9999":
                                safev = item['safe']

                            vulnprint(item['name'], findversion,
                                      safev, item['vuln'],
                                      mfile, item['subdir'], opts.OUTPUT)

                    else:
                        if opts.DEBUG:
                            print("regexp failed for " +
                                  item['name'] + " on " + mfile)

if opts.OUTPUT == 'xml':
    print('</freewvs>')