* Updated documentation (removed remaining references to sourceforge, changed instructions about Windows, added missing information about options, regenerated manpages)
* Removed make_exe.py * Updated copyright dates * Increased version number
This commit is contained in:
parent
f3f121254e
commit
f956154462
|
@ -39,12 +39,6 @@ Now let's activate it (make it our current working environment) :
|
|||
. wapiti3/bin/activate
|
||||
```
|
||||
|
||||
Or alternatively on Windows :
|
||||
|
||||
```sh
|
||||
wapiti3\Scripts\activate.bat
|
||||
```
|
||||
|
||||
Now you are in the virtual environment you can install Wapiti and its dependencies :
|
||||
|
||||
```sh
|
||||
|
@ -87,6 +81,5 @@ Then use setup.py for installation. Remember that dev version may contain unknow
|
|||
|
||||
I made several YouTube videos to show Wapiti installation :
|
||||
|
||||
* on Windows : https://www.youtube.com/watch?v=j3LCVj15VBE
|
||||
* on OpenSUSE : https://www.youtube.com/watch?v=RmF2Sr2B3ZA
|
||||
* on Ubuntu : https://www.youtube.com/watch?v=TD5rehelHPY
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2017-2021 Nicolas SURRIBAS
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2017-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2017-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2017-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Main Developer - Nicolas Surribas <nicolas.surribas (at) gmail.com>
|
||||
http://devloop.users.sourceforge.net/
|
||||
https://wapiti.sourceforge.io/
|
||||
https://wapiti-scanner.github.io/
|
||||
|
||||
A Special thanks to the following people for the work on the version 2.3.0 :
|
||||
* David del Pozo (spanish translations)
|
||||
|
|
|
@ -302,15 +302,15 @@
|
|||
Some modifications have been made on getccokie.py so it can work
|
||||
on Webmin (and probably more web applications)
|
||||
Added -t (--timeout) option to set the timeout in seconds
|
||||
Added -v (--verbose) option to set the verbosity. Three availables
|
||||
Added -v (--verbose) option to set the verbosity. Three available
|
||||
modes :
|
||||
0: only print found vulnerabilities
|
||||
1: print current attacked urls (existing urls)
|
||||
2: print every attack payload and url (very much informations... good
|
||||
2: print every attack payload and url (very much information... good
|
||||
for debugging)
|
||||
Wapiti is much more modular and comes with some functions to set scan
|
||||
and attack options... look the code ;)
|
||||
Some defaults options are availables as "modules" with option -m
|
||||
Some defaults options are available as "modules" with option -m
|
||||
(--module) :
|
||||
GET_XSS: only scan for XSS with HTTP GET method (no post)
|
||||
POST_XSS: XSS attacks using POST and not GET
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
Version 2.3.1
|
||||
Fixed a bug in lswww if root url is not given complete.
|
||||
Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
|
||||
Fixed a bug that occured when verbosity = 2. Unicode error on stderr.
|
||||
Fixed a bug that occurred when verbosity = 2. Unicode error on stderr.
|
||||
|
||||
27/12/2009
|
||||
Version 2.3.0
|
||||
|
@ -29,7 +29,7 @@
|
|||
argument.
|
||||
Fixed bug ID 2779441 "Python Version 2.5 required?"
|
||||
Use an home made cookie library instead or urllib2's one.
|
||||
Keep aditionnal informations on the webpages (headers + encoding)
|
||||
Keep additional information on the webpages (headers + encoding)
|
||||
Use BeautifulSoup to detect webpage encoding and handle parsing errors.
|
||||
Fixed a bug when "a href" or "form action" have an empty string as value.
|
||||
Better support of Unicode.
|
||||
|
|
16
doc/FAQ.md
16
doc/FAQ.md
|
@ -14,9 +14,10 @@ Details of installation can be found in the INSTALL.md file.
|
|||
|
||||
Any operating system with a recent Python3 installation should be ok.
|
||||
|
||||
### Will you release a standalone Windows executable like the one made for Wapiti 2.3.0 ? ###
|
||||
### Is Wapiti still supported for Windows ###
|
||||
|
||||
I'd like to but Microsoft make it so hard to actually doing it. py2exe and pyinstaller seems broken with latests Windows versions.
|
||||
Wapiti won't work out of the box on Microsoft Windows system, but you should be able to run it from inside a WSL environment.
|
||||
See this link for more information about WSL: https://docs.microsoft.com/en-us/windows/wsl/
|
||||
|
||||
### Can I modify and share the software code ? ###
|
||||
|
||||
|
@ -24,10 +25,9 @@ Sure as long as you respect the GPLv2 license.
|
|||
|
||||
### How do I execute Wapiti ? ###
|
||||
|
||||
Wapiti is a console tool so it must be launched from a terminal (cmd.exe on Windows, Konsole or GnomeTerminal on Linux, etc)
|
||||
Wapiti is a console tool so it must be launched from a terminal (Konsole or GnomeTerminal on Linux, etc)
|
||||
If you installed Wapiti then the binary should be in your path. Otherwise you will have to launch it from the bin folder once the archive is uncompressed.
|
||||
On Linux and OSX, just typing `wapiti` should work.
|
||||
On Windows you will have to specify the interpreter (`python wapiti`).
|
||||
On Linux and OSX, just typing `wapiti` should work.
|
||||
|
||||
### Where can I get some help about options ? ###
|
||||
|
||||
|
@ -41,7 +41,7 @@ On Windows you can use the command `chcp 65001` to change the codepage before us
|
|||
|
||||
### I found a bug. Where to report ? ###
|
||||
|
||||
Please create an issue on https://sourceforge.net/p/wapiti/bugs/
|
||||
Please create an issue on https://github.com/wapiti-scanner/wapiti/issues
|
||||
|
||||
### Can I help the project ? ###
|
||||
|
||||
|
@ -109,7 +109,7 @@ Don't hesitate to move to OWASP Zed Attack Proxy for in-depth pentesting.
|
|||
An HTTP endpoint is used for some modules in order to see if the target is vulnerable.
|
||||
Such modules are currently XXE and SSRF. The endpoint is necessary to see if the target generates an external HTTP request.
|
||||
The default endpoint is hosted at wapiti3.ovh so your computer and the target must be able to contact it to check vulnerability results.
|
||||
You can set up your own endpoint, all required files can be found here : https://sourceforge.net/p/wapiti/git/ci/master/tree/endpoint/
|
||||
You can set up your own endpoint, all required files can be found here : https://github.com/wapiti-scanner/wapiti/tree/master/endpoint
|
||||
You will need URL rewriting to set up the endpoint.
|
||||
Wapiti have several options that can be used to specify the endpoint's URL.
|
||||
|
||||
|
@ -126,4 +126,4 @@ Crash reports are also sent to the wapiti3.ovh website so I can try to fix bugs.
|
|||
|
||||
Yes you can follow me on Twitter @devl00p.
|
||||
My website is http://devloop.users.sourceforge.net/
|
||||
I write some CTF walkthrough. Articles are in french though.
|
||||
I write some CTF walkthrough. Articles are in French though.
|
||||
|
|
|
@ -29,4 +29,10 @@ you will have to make the endpoint listen on an IP of that network. You may end
|
|||
- External endpoint: http://192.168.1.85/ - this is the URL that the target will request
|
||||
- Internal endpoint: http://127.0.0.1/ - this is the URL that Wapiti will request at the end of the attack to get results
|
||||
|
||||
The XXE module also use the endpoints options. The whole process is described in the `doc/xxe_module.md` file.
|
||||
The XXE module also use the endpoints options. The whole process is described in the `doc/xxe_module.md` file.
|
||||
|
||||
## What is the DNS endpoint?
|
||||
|
||||
The log4shell attack module uses a DNS endpoint to see if a scanned website is vulnerable to the popular log4j vulnerability.
|
||||
|
||||
The default endpoint used is dns.wapiti3.ovh which is a DNS server.
|
|
@ -34,7 +34,7 @@ bash-4.2$ wapiti -u http://wackopicko/ -x http://wackopicko/users/logout.php -c
|
|||
██║███╗██║██╔══██║██╔═══╝ ██║ ██║ ██║ ╚═══██╗
|
||||
╚███╔███╔╝██║ ██║██║ ██║ ██║ ██║██████╔╝
|
||||
╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝╚═════╝
|
||||
Wapiti-3.0.9 (wapiti.sourceforge.io)
|
||||
Wapiti-3.1.0 (wapiti-scanner.github.io)
|
||||
[*] Saving scan state, please wait...
|
||||
|
||||
Note
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "WAPITI\-GETCOOKIE" "1" "May 2021" "" ""
|
||||
.TH "WAPITI\-GETCOOKIE" "1" "February 2022" "" ""
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBwapiti\-getcookie\fR \- A Wapiti utility to fetch cookies from a webpage and store them in the Wapiti JSON format\.
|
||||
|
@ -92,13 +92,13 @@ Example: \-d \'login=admin&password=letmein&submit=Login\'
|
|||
Wapiti is covered by the GNU General Public License (GPL), version 2\. Please read the LICENSE file for more information\.
|
||||
.
|
||||
.SH "COPYRIGHT"
|
||||
Copyright (c) 2006\-2021 Nicolas Surribas\.
|
||||
Copyright (c) 2006\-2022 Nicolas Surribas\.
|
||||
.
|
||||
.SH "AUTHORS"
|
||||
Nicolas Surribas is the main author, but the whole list of contributors is found in the separate AUTHORS file\.
|
||||
.
|
||||
.SH "WWW"
|
||||
https://wapiti\.sourceforge\.io/
|
||||
https://wapiti\-scanner\.github\.io/
|
||||
.
|
||||
.SH "BUG REPORTS"
|
||||
If you find a bug in Wapiti please report it to https://github\.com/wapiti\-scanner/wapiti/issues
|
||||
|
|
|
@ -122,7 +122,7 @@ Please read the LICENSE file for more information.</p>
|
|||
|
||||
<h2 id="COPYRIGHT">COPYRIGHT</h2>
|
||||
|
||||
<p>Copyright (c) 2006-2021 Nicolas Surribas.</p>
|
||||
<p>Copyright (c) 2006-2022 Nicolas Surribas.</p>
|
||||
|
||||
<h2 id="AUTHORS">AUTHORS</h2>
|
||||
|
||||
|
@ -130,7 +130,7 @@ Please read the LICENSE file for more information.</p>
|
|||
|
||||
<h2 id="WWW">WWW</h2>
|
||||
|
||||
<p>https://wapiti.sourceforge.io/</p>
|
||||
<p>https://wapiti-scanner.github.io/</p>
|
||||
|
||||
<h2 id="BUG-REPORTS">BUG REPORTS</h2>
|
||||
|
||||
|
@ -139,7 +139,7 @@ Please read the LICENSE file for more information.</p>
|
|||
|
||||
<ol class='man-decor man-foot man foot'>
|
||||
<li class='tl'></li>
|
||||
<li class='tc'>May 2021</li>
|
||||
<li class='tc'>February 2022</li>
|
||||
<li class='tr'>wapiti-getcookie(1)</li>
|
||||
</ol>
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ Please read the LICENSE file for more information.
|
|||
|
||||
## COPYRIGHT
|
||||
|
||||
Copyright (c) 2006-2021 Nicolas Surribas.
|
||||
Copyright (c) 2006-2022 Nicolas Surribas.
|
||||
|
||||
## AUTHORS
|
||||
|
||||
|
@ -59,7 +59,7 @@ Nicolas Surribas is the main author, but the whole list of contributors is found
|
|||
|
||||
## WWW
|
||||
|
||||
https://wapiti.sourceforge.io/
|
||||
https://wapiti-scanner.github.io/
|
||||
|
||||
## BUG REPORTS
|
||||
|
||||
|
|
58
doc/wapiti.1
58
doc/wapiti.1
|
@ -1,7 +1,7 @@
|
|||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "WAPITI" "1" "May 2021" "" ""
|
||||
.TH "WAPITI" "1" "February 2022" "" ""
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBwapiti\fR \- A web application vulnerability scanner in Python
|
||||
|
@ -134,6 +134,23 @@ SCAN AND ATTACKS TUNING:
|
|||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
ENDPOINT OPTIONS:
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-external\-endpoint\fR \fIEXTERNAL_ENDPOINT_URL\fR
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-internal\-endpoint\fR \fIINTERNAL_ENDPOINT_URL\fR
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-endpoint\fR \fIENDPOINT_URL\fR
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-dns\-endpoint\fR \fIDNS_ENDPOINT_DOMAIN\fR
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
HTTP AND NETWORK OPTIONS:
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
|
@ -159,6 +176,9 @@ OUTPUT OPTIONS:
|
|||
.IP "\(bu" 4
|
||||
\fB\-v\fR \fILEVEL\fR
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-log\fR \fIOUTPUT_PATH\fR
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
|
@ -226,7 +246,7 @@ punk : will scan and attack every URL found whatever the domain\. Think twice be
|
|||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "ATTACK SPECIFICATION"
|
||||
.SH "ATTACKS SPECIFICATION"
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-m\fR, \fB\-\-module\fR \fIMODULE_LIST\fR
|
||||
|
@ -278,7 +298,7 @@ Default value for this option is 1\.
|
|||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "PROXY AND AUTHENTICATION OPTIONS"
|
||||
.SH "PROXY AND AUTHENTICATION"
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-p\fR, \fB\-\-proxy\fR \fIPROXY_URL\fR
|
||||
|
@ -327,7 +347,7 @@ Ignore cookies given in HTTP responses\. Cookies that have been loaded using \fB
|
|||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "SESSION OPTIONS"
|
||||
.SH "SESSIONS"
|
||||
Since Wapiti 3\.0\.0, scanned URLs, discovered vulnerabilities and attacks status are stored in sqlite3 databases used as Wapiti session files\.
|
||||
.
|
||||
.br
|
||||
|
@ -511,21 +531,20 @@ Paranoid mode will attack 30 URLs with 1 parameter, 5 for 2, and just 1 for 3 an
|
|||
.br
|
||||
Wapiti leverages Python\'s asyncio framework for this\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-endpoint\fR \fIURL\fR Some attack modules are using an HTTP endpoint to check for vulnerabilities\.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "ENDPOINT OPTIONS"
|
||||
Some attack modules are using an HTTP endpoint to check for vulnerabilities\.
|
||||
.
|
||||
.br
|
||||
For example the SSRF module inject the endpoint URL into webpage arguments to check if the target script try to fetch that URL\.
|
||||
.
|
||||
.br
|
||||
Default endpoint is http://wapiti3\.ovh/\. Keep in mind that the target and your computer must be able to join that endpoint for the module to work\.
|
||||
Default HTTP endpoint is http://wapiti3\.ovh/\. Keep in mind that the target and your computer must be able to join that endpoint for the module to work\.
|
||||
.
|
||||
.br
|
||||
On internal pentests this endpoint may not be accessible to the target hence you may prefer to set up your own endpoint\.
|
||||
.
|
||||
.br
|
||||
This option will set both internal and external endpoint URL to the same value\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-internal\-endpoint\fR \fIURL\fR You may want to specify an internal endpoint different from the external one\.
|
||||
.
|
||||
|
@ -541,6 +560,15 @@ If you are behind a NAT it may be an URL for a local server (for example http://
|
|||
.br
|
||||
Using your own endpoint may reduce risk of being caught by NIDS or WAF\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-endpoint\fR \fIURL\fR This option will set both internal and external endpoint URL to the same value\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-dns\-endpoint\fR \fIDNS\fR This options specify the DNS endpoint to use for the log4shell attack module\.
|
||||
.
|
||||
.br
|
||||
The default value is dns\.wapiti3\.ovh
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "HTTP AND NETWORK OPTIONS"
|
||||
|
@ -584,7 +612,7 @@ Wapiti prints its status to standard output\. The two following options allow to
|
|||
\fB\-\-color\fR
|
||||
.
|
||||
.br
|
||||
Outpout will be colorized based on the severity of the information (red is critical, orange for warnings, green for information)\.
|
||||
Output will be colorized based on the severity of the information (red is critical, orange for warnings, green for information)\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-v\fR, \fB\-\-verbose\fR \fILEVEL\fR
|
||||
|
@ -592,6 +620,12 @@ Outpout will be colorized based on the severity of the information (red is criti
|
|||
.br
|
||||
Set the level of verbosity for the output\. Possible values are quiet (O), normal (1, default behavior) and verbose (2)\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB\-\-log\fR \fIOUTPUT_PATH\fR In addition to getting information from the console you can also log the output to a local file\.
|
||||
.
|
||||
.br
|
||||
Debug information will also be stored in that file so this option should be mainly used to debug Wapiti\.
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "REPORT OPTIONS"
|
||||
|
@ -646,7 +680,7 @@ Show detailed options description\. More details are available in this manpage t
|
|||
Wapiti is covered by the GNU General Public License (GPL), version 2\. Please read the LICENSE file for more information\.
|
||||
.
|
||||
.SH "COPYRIGHT"
|
||||
Copyright (c) 2006\-2021 Nicolas Surribas\.
|
||||
Copyright (c) 2006\-2022 Nicolas Surribas\.
|
||||
.
|
||||
.SH "AUTHORS"
|
||||
Nicolas Surribas is the main author, but the whole list of contributors is found in the separate AUTHORS file\.
|
||||
|
|
|
@ -58,10 +58,11 @@
|
|||
<a href="#DESCRIPTION">DESCRIPTION</a>
|
||||
<a href="#OPTIONS-SUMMARY">OPTIONS SUMMARY</a>
|
||||
<a href="#TARGET-SPECIFICATION">TARGET SPECIFICATION</a>
|
||||
<a href="#ATTACK-SPECIFICATION">ATTACK SPECIFICATION</a>
|
||||
<a href="#PROXY-AND-AUTHENTICATION-OPTIONS">PROXY AND AUTHENTICATION OPTIONS</a>
|
||||
<a href="#SESSION-OPTIONS">SESSION OPTIONS</a>
|
||||
<a href="#ATTACKS-SPECIFICATION">ATTACKS SPECIFICATION</a>
|
||||
<a href="#PROXY-AND-AUTHENTICATION">PROXY AND AUTHENTICATION</a>
|
||||
<a href="#SESSIONS">SESSIONS</a>
|
||||
<a href="#SCAN-AND-ATTACKS-TUNING">SCAN AND ATTACKS TUNING</a>
|
||||
<a href="#ENDPOINT-OPTIONS">ENDPOINT OPTIONS</a>
|
||||
<a href="#HTTP-AND-NETWORK-OPTIONS">HTTP AND NETWORK OPTIONS</a>
|
||||
<a href="#OUTPUT-OPTIONS">OUTPUT OPTIONS</a>
|
||||
<a href="#REPORT-OPTIONS">REPORT OPTIONS</a>
|
||||
|
@ -162,6 +163,16 @@ More detail on each option can be found in the following sections.</p>
|
|||
</ul>
|
||||
|
||||
|
||||
<p>ENDPOINT OPTIONS:</p>
|
||||
|
||||
<ul>
|
||||
<li><code>--external-endpoint</code> <var>EXTERNAL_ENDPOINT_URL</var></li>
|
||||
<li><code>--internal-endpoint</code> <var>INTERNAL_ENDPOINT_URL</var></li>
|
||||
<li><code>--endpoint</code> <var>ENDPOINT_URL</var></li>
|
||||
<li><code>--dns-endpoint</code> <var>DNS_ENDPOINT_DOMAIN</var></li>
|
||||
</ul>
|
||||
|
||||
|
||||
<p>HTTP AND NETWORK OPTIONS:</p>
|
||||
|
||||
<ul>
|
||||
|
@ -177,6 +188,7 @@ More detail on each option can be found in the following sections.</p>
|
|||
<ul>
|
||||
<li><code>--color</code></li>
|
||||
<li><code>-v</code> <var>LEVEL</var></li>
|
||||
<li><code>--log</code> <var>OUTPUT_PATH</var></li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
@ -218,7 +230,7 @@ Define the scope of the scan and attacks. Valid choices are :</p>
|
|||
</ul>
|
||||
|
||||
|
||||
<h2 id="ATTACK-SPECIFICATION">ATTACK SPECIFICATION</h2>
|
||||
<h2 id="ATTACKS-SPECIFICATION">ATTACKS SPECIFICATION</h2>
|
||||
|
||||
<ul>
|
||||
<li><p><code>-m</code>, <code>--module</code> <var>MODULE_LIST</var><br />
|
||||
|
@ -240,7 +252,7 @@ Default value for this option is 1.</p></li>
|
|||
</ul>
|
||||
|
||||
|
||||
<h2 id="PROXY-AND-AUTHENTICATION-OPTIONS">PROXY AND AUTHENTICATION OPTIONS</h2>
|
||||
<h2 id="PROXY-AND-AUTHENTICATION">PROXY AND AUTHENTICATION</h2>
|
||||
|
||||
<ul>
|
||||
<li><p><code>-p</code>, <code>--proxy</code> <var>PROXY_URL</var><br />
|
||||
|
@ -262,7 +274,7 @@ Ignore cookies given in HTTP responses. Cookies that have been loaded using <cod
|
|||
</ul>
|
||||
|
||||
|
||||
<h2 id="SESSION-OPTIONS">SESSION OPTIONS</h2>
|
||||
<h2 id="SESSIONS">SESSIONS</h2>
|
||||
|
||||
<p>Since Wapiti 3.0.0, scanned URLs, discovered vulnerabilities and attacks status are stored in sqlite3 databases used as Wapiti session files.<br />
|
||||
Default behavior when a previous scan session exists for the given base URL and scope is to resume the scan and attack status.<br />
|
||||
|
@ -343,12 +355,17 @@ Paranoid mode will attack 30 URLs with 1 parameter, 5 for 2, and just 1 for 3 an
|
|||
<li><p><code>--tasks</code> <var>TASKS</var>
|
||||
Set how many concurrent tasks Wapiti should use.<br />
|
||||
Wapiti leverages Python's asyncio framework for this.</p></li>
|
||||
<li><p><code>--endpoint</code> <var>URL</var>
|
||||
Some attack modules are using an HTTP endpoint to check for vulnerabilities.<br />
|
||||
</ul>
|
||||
|
||||
|
||||
<h2 id="ENDPOINT-OPTIONS">ENDPOINT OPTIONS</h2>
|
||||
|
||||
<p>Some attack modules are using an HTTP endpoint to check for vulnerabilities.<br />
|
||||
For example the SSRF module inject the endpoint URL into webpage arguments to check if the target script try to fetch that URL.<br />
|
||||
Default endpoint is http://wapiti3.ovh/. Keep in mind that the target and your computer must be able to join that endpoint for the module to work.<br />
|
||||
On internal pentests this endpoint may not be accessible to the target hence you may prefer to set up your own endpoint.<br />
|
||||
This option will set both internal and external endpoint URL to the same value.</p></li>
|
||||
Default HTTP endpoint is http://wapiti3.ovh/. Keep in mind that the target and your computer must be able to join that endpoint for the module to work.<br />
|
||||
On internal pentests this endpoint may not be accessible to the target hence you may prefer to set up your own endpoint.</p>
|
||||
|
||||
<ul>
|
||||
<li><p><code>--internal-endpoint</code> <var>URL</var>
|
||||
You may want to specify an internal endpoint different from the external one.<br />
|
||||
The internal endpoint is used by Wapiti to fetch results of attacks.<br />
|
||||
|
@ -356,6 +373,11 @@ If you are behind a NAT it may be an URL for a local server (for example http://
|
|||
<li><p><code>--external-endpoint</code> <var>URL</var>
|
||||
Set the endpoint URL (the one that the target will fetch in case of vulnerability).<br />
|
||||
Using your own endpoint may reduce risk of being caught by NIDS or WAF.</p></li>
|
||||
<li><p><code>--endpoint</code> <var>URL</var>
|
||||
This option will set both internal and external endpoint URL to the same value.</p></li>
|
||||
<li><p><code>--dns-endpoint</code> <var>DNS</var>
|
||||
This options specify the DNS endpoint to use for the log4shell attack module.<br />
|
||||
The default value is dns.wapiti3.ovh</p></li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
@ -382,10 +404,13 @@ Wapiti doesn't care of certificates validation by default. That behavior can be
|
|||
|
||||
<ul>
|
||||
<li><p><code>--color</code><br />
|
||||
Outpout will be colorized based on the severity of the information (red is critical, orange for warnings, green for information).</p></li>
|
||||
Output will be colorized based on the severity of the information (red is critical, orange for warnings, green for information).</p></li>
|
||||
<li><p><code>-v</code>, <code>--verbose</code> <var>LEVEL</var><br />
|
||||
Set the level of verbosity for the output.
|
||||
Possible values are quiet (O), normal (1, default behavior) and verbose (2).</p></li>
|
||||
<li><p><code>--log</code> <var>OUTPUT_PATH</var>
|
||||
In addition to getting information from the console you can also log the output to a local file.<br />
|
||||
Debug information will also be stored in that file so this option should be mainly used to debug Wapiti.</p></li>
|
||||
</ul>
|
||||
|
||||
|
||||
|
@ -425,7 +450,7 @@ Please read the LICENSE file for more information.</p>
|
|||
|
||||
<h2 id="COPYRIGHT">COPYRIGHT</h2>
|
||||
|
||||
<p>Copyright (c) 2006-2021 Nicolas Surribas.</p>
|
||||
<p>Copyright (c) 2006-2022 Nicolas Surribas.</p>
|
||||
|
||||
<h2 id="AUTHORS">AUTHORS</h2>
|
||||
|
||||
|
@ -446,7 +471,7 @@ Please read the LICENSE file for more information.</p>
|
|||
|
||||
<ol class='man-decor man-foot man foot'>
|
||||
<li class='tl'></li>
|
||||
<li class='tc'>May 2021</li>
|
||||
<li class='tc'>February 2022</li>
|
||||
<li class='tr'>wapiti(1)</li>
|
||||
</ol>
|
||||
|
||||
|
|
|
@ -63,6 +63,13 @@ SCAN AND ATTACKS TUNING:
|
|||
* `-S`, `--scan-force` {paranoid,sneaky,polite,normal,aggressive,insane}
|
||||
* `--tasks` <TASKS>
|
||||
|
||||
ENDPOINT OPTIONS:
|
||||
|
||||
* `--external-endpoint` <EXTERNAL_ENDPOINT_URL>
|
||||
* `--internal-endpoint` <INTERNAL_ENDPOINT_URL>
|
||||
* `--endpoint` <ENDPOINT_URL>
|
||||
* `--dns-endpoint` <DNS_ENDPOINT_DOMAIN>
|
||||
|
||||
HTTP AND NETWORK OPTIONS:
|
||||
|
||||
* `-t` <SECONDS>
|
||||
|
@ -74,6 +81,7 @@ OUTPUT OPTIONS:
|
|||
|
||||
* `--color`
|
||||
* `-v` <LEVEL>
|
||||
* `--log` <OUTPUT_PATH>
|
||||
|
||||
REPORT OPTIONS:
|
||||
|
||||
|
@ -101,7 +109,7 @@ OTHER OPTIONS:
|
|||
- domain : will scan and attack every URL whose domain name match the one from the base URL.
|
||||
- punk : will scan and attack every URL found whatever the domain. Think twice before using that scope.
|
||||
|
||||
## ATTACK SPECIFICATION
|
||||
## ATTACKS SPECIFICATION
|
||||
|
||||
* `-m`, `--module` <MODULE_LIST>
|
||||
Set the list of attack modules (modules names separated with commas) to launch against the target.
|
||||
|
@ -122,7 +130,7 @@ OTHER OPTIONS:
|
|||
It may be useful on CGIs when developers have to parse the query-string themselves.
|
||||
Default value for this option is 1.
|
||||
|
||||
## PROXY AND AUTHENTICATION OPTIONS
|
||||
## PROXY AND AUTHENTICATION
|
||||
|
||||
* `-p`, `--proxy` <PROXY_URL>
|
||||
The given URL will be used as a proxy for HTTP and HTTPS requests. This URL can have one of the following scheme : http, https, socks.
|
||||
|
@ -146,7 +154,7 @@ OTHER OPTIONS:
|
|||
* `--drop-set-cookie`
|
||||
Ignore cookies given in HTTP responses. Cookies that have been loaded using `-c` will be kept.
|
||||
|
||||
## SESSION OPTIONS
|
||||
## SESSIONS
|
||||
|
||||
Since Wapiti 3.0.0, scanned URLs, discovered vulnerabilities and attacks status are stored in sqlite3 databases used as Wapiti session files.
|
||||
Default behavior when a previous scan session exists for the given base URL and scope is to resume the scan and attack status.
|
||||
|
@ -240,13 +248,13 @@ Following options allows you to bypass this behavior/
|
|||
Set how many concurrent tasks Wapiti should use.
|
||||
Wapiti leverages Python's asyncio framework for this.
|
||||
|
||||
* `--endpoint` <URL>
|
||||
Some attack modules are using an HTTP endpoint to check for vulnerabilities.
|
||||
For example the SSRF module inject the endpoint URL into webpage arguments to check if the target script try to fetch that URL.
|
||||
Default endpoint is http://wapiti3.ovh/. Keep in mind that the target and your computer must be able to join that endpoint for the module to work.
|
||||
On internal pentests this endpoint may not be accessible to the target hence you may prefer to set up your own endpoint.
|
||||
This option will set both internal and external endpoint URL to the same value.
|
||||
|
||||
## ENDPOINT OPTIONS
|
||||
|
||||
Some attack modules are using an HTTP endpoint to check for vulnerabilities.
|
||||
For example the SSRF module inject the endpoint URL into webpage arguments to check if the target script try to fetch that URL.
|
||||
Default HTTP endpoint is http://wapiti3.ovh/. Keep in mind that the target and your computer must be able to join that endpoint for the module to work.
|
||||
On internal pentests this endpoint may not be accessible to the target hence you may prefer to set up your own endpoint.
|
||||
|
||||
* `--internal-endpoint` <URL>
|
||||
You may want to specify an internal endpoint different from the external one.
|
||||
The internal endpoint is used by Wapiti to fetch results of attacks.
|
||||
|
@ -255,6 +263,13 @@ Following options allows you to bypass this behavior/
|
|||
* `--external-endpoint` <URL>
|
||||
Set the endpoint URL (the one that the target will fetch in case of vulnerability).
|
||||
Using your own endpoint may reduce risk of being caught by NIDS or WAF.
|
||||
|
||||
* `--endpoint` <URL>
|
||||
This option will set both internal and external endpoint URL to the same value.
|
||||
|
||||
* `--dns-endpoint` <DNS>
|
||||
This options specify the DNS endpoint to use for the log4shell attack module.
|
||||
The default value is dns.wapiti3.ovh
|
||||
|
||||
## HTTP AND NETWORK OPTIONS
|
||||
|
||||
|
@ -279,12 +294,16 @@ Following options allows you to bypass this behavior/
|
|||
Wapiti prints its status to standard output. The two following options allow to tune the output.
|
||||
|
||||
* `--color`
|
||||
Outpout will be colorized based on the severity of the information (red is critical, orange for warnings, green for information).
|
||||
Output will be colorized based on the severity of the information (red is critical, orange for warnings, green for information).
|
||||
|
||||
* `-v`, `--verbose` <LEVEL>
|
||||
Set the level of verbosity for the output.
|
||||
Possible values are quiet (O), normal (1, default behavior) and verbose (2).
|
||||
|
||||
* `--log` <OUTPUT_PATH>
|
||||
In addition to getting information from the console you can also log the output to a local file.
|
||||
Debug information will also be stored in that file so this option should be mainly used to debug Wapiti.
|
||||
|
||||
## REPORT OPTIONS
|
||||
|
||||
Wapiti will generate a report at the end of the attack process. Several formats of reports are available.
|
||||
|
@ -319,7 +338,7 @@ Please read the LICENSE file for more information.
|
|||
|
||||
## COPYRIGHT
|
||||
|
||||
Copyright (c) 2006-2021 Nicolas Surribas.
|
||||
Copyright (c) 2006-2022 Nicolas Surribas.
|
||||
|
||||
## AUTHORS
|
||||
|
||||
|
|
128
make_exe.py
128
make_exe.py
|
@ -1,128 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
# Don't use this script unless you know exactly what you are doing !
|
||||
from distutils.core import setup
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
# dirty hack so we don't have to give any argument
|
||||
if "py2exe" not in sys.argv:
|
||||
sys.argv.append("py2exe")
|
||||
|
||||
VERSION = "3.0.9"
|
||||
|
||||
|
||||
# Build file lists
|
||||
def build_file_list(results, dest, files_root, src=""):
|
||||
cwd = os.getcwd()
|
||||
if src != "":
|
||||
os.chdir(src)
|
||||
for root, dirs, files in os.walk(files_root):
|
||||
if ".svn" in dirs:
|
||||
dirs.remove(".svn")
|
||||
if files:
|
||||
results.append((os.path.join(dest, root), [os.path.join(src, root, x) for x in files]))
|
||||
os.chdir(cwd)
|
||||
|
||||
|
||||
data_files = [
|
||||
("data", ["INSTALL", "README", "TODO", "VERSION"])
|
||||
]
|
||||
|
||||
build_file_list(data_files, "data", "doc", src="")
|
||||
build_file_list(data_files, "data", "data", src="wapitiCore")
|
||||
build_file_list(data_files, "data", "report_template", src="wapitiCore")
|
||||
build_file_list(data_files, "data", "language_sources", src="wapitiCore")
|
||||
|
||||
|
||||
# Main
|
||||
setup(
|
||||
name="wapiti3",
|
||||
version=VERSION,
|
||||
description="A web application vulnerability scanner",
|
||||
long_description="""\
|
||||
Wapiti allows you to audit the security of your web applications.
|
||||
It performs "black-box" scans, i.e. it does not study the source code of the
|
||||
application but will scans the webpages of the deployed webapp, looking for
|
||||
scripts and forms where it can inject data.
|
||||
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see
|
||||
if a script is vulnerable.""",
|
||||
url="https://wapiti.sourceforge.io/",
|
||||
author="Nicolas SURRIBAS",
|
||||
author_email="nicolas.surribas@gmail.com",
|
||||
license="GPLv2",
|
||||
platforms=["Any"],
|
||||
packages=[
|
||||
'wapitiCore',
|
||||
'wapitiCore.attack',
|
||||
'wapitiCore.language',
|
||||
'wapitiCore.report',
|
||||
'wapitiCore.net',
|
||||
'wapitiCore.file',
|
||||
'wapitiCore.net.jsparser'
|
||||
],
|
||||
data_files=data_files,
|
||||
console=[
|
||||
{
|
||||
"script": "bin/wapiti",
|
||||
"icon_resources": [(1, "doc/wapiti.ico")]
|
||||
},
|
||||
{
|
||||
"script": "bin/wapiti-cookie",
|
||||
"icon_resources": [(1, "doc/cookie.ico")]
|
||||
},
|
||||
{
|
||||
"script": "bin/wapiti-getcookie",
|
||||
"icon_resources": [(1, "doc/cookie.ico")]
|
||||
}
|
||||
],
|
||||
classifiers=[
|
||||
'Development Status :: 2 - Pre-Alpha',
|
||||
'Environment :: Console',
|
||||
'Intended Audience :: End Users/Desktop',
|
||||
'Intended Audience :: Developers',
|
||||
'Intended Audience :: System Administrators',
|
||||
'License :: OSI Approved :: GNU General Public License (GPL)',
|
||||
'Operating System :: MacOS :: MacOS X',
|
||||
'Operating System :: Microsoft :: Windows',
|
||||
'Operating System :: POSIX',
|
||||
'Operating System :: Unix',
|
||||
'Programming Language :: Python',
|
||||
'Topic :: Security',
|
||||
'Topic :: Internet :: WWW/HTTP :: Indexing/Search',
|
||||
'Topic :: Software Development :: Testing'
|
||||
],
|
||||
options={
|
||||
"py2exe": {
|
||||
"includes": [
|
||||
"wapitiCore.attack.mod_backup",
|
||||
"wapitiCore.attack.mod_brute_login_form",
|
||||
"wapitiCore.attack.mod_timesql",
|
||||
"wapitiCore.attack.mod_buster",
|
||||
"wapitiCore.attack.mod_cookieflags",
|
||||
"wapitiCore.attack.mod_crlf",
|
||||
"wapitiCore.attack.mod_csp",
|
||||
"wapitiCore.attack.mod_drupal_enum",
|
||||
"wapitiCore.attack.mod_exec",
|
||||
"wapitiCore.attack.mod_file",
|
||||
"wapitiCore.attack.mod_htaccess",
|
||||
"wapitiCore.attack.mod_http_headers",
|
||||
"wapitiCore.attack.mod_methods",
|
||||
"wapitiCore.attack.mod_nikto",
|
||||
"wapitiCore.attack.mod_permanentxss",
|
||||
"wapitiCore.attack.mod_redirect",
|
||||
"wapitiCore.attack.mod_shellshock",
|
||||
"wapitiCore.attack.mod_sql",
|
||||
"wapitiCore.attack.mod_ssrf",
|
||||
"wapitiCore.attack.mod_xss",
|
||||
"wapitiCore.attack.mod_xxe",
|
||||
"wapitiCore.attack.mod_wp_enum",
|
||||
"wapitiCore.report.reportgenerator",
|
||||
"wapitiCore.report.htmlreportgenerator",
|
||||
"wapitiCore.report.jsonreportgenerator",
|
||||
"wapitiCore.report.txtreportgenerator",
|
||||
"wapitiCore.report.xmlreportgenerator"
|
||||
]
|
||||
}
|
||||
}
|
||||
)
|
|
@ -325,7 +325,7 @@ The recommended approach to using `pylint-ignore` is:
|
|||
```
|
||||
> 1: #!/usr/bin/env python3
|
||||
2: # -*- coding: utf-8 -*-
|
||||
3: # This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
3: # This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
```
|
||||
|
||||
|
||||
|
|
5
setup.py
5
setup.py
|
@ -5,7 +5,7 @@ from multiprocessing import cpu_count
|
|||
from setuptools import setup, find_packages
|
||||
from setuptools.command.test import test as TestCommand
|
||||
|
||||
VERSION = "3.0.9"
|
||||
VERSION = "3.1.0"
|
||||
DOC_DIR = "share/doc/wapiti"
|
||||
|
||||
|
||||
|
@ -73,7 +73,7 @@ application but will scans the webpages of the deployed webapp, looking for
|
|||
scripts and forms where it can inject data.
|
||||
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see
|
||||
if a script is vulnerable.""",
|
||||
url="https://wapiti.sourceforge.io/",
|
||||
url="https://wapiti-scanner.github.io/",
|
||||
author="Nicolas Surribas",
|
||||
author_email="nicolas.surribas@gmail.com",
|
||||
license="GPLv2",
|
||||
|
@ -94,7 +94,6 @@ if a script is vulnerable.""",
|
|||
"License :: OSI Approved :: GNU General Public License v2 (GPLv2)",
|
||||
"Natural Language :: English",
|
||||
"Operating System :: MacOS :: MacOS X",
|
||||
"Operating System :: Microsoft :: Windows",
|
||||
"Operating System :: POSIX",
|
||||
"Operating System :: Unix",
|
||||
"Programming Language :: Python :: 3",
|
||||
|
|
|
@ -17,7 +17,7 @@ async def test_whole_stuff():
|
|||
# Test attacking all kind of parameter without crashing
|
||||
respx.get(url__regex=r"http://perdu\.com/\?a=.*&foo=bar").mock(return_value=httpx.Response(200, text="Hello there"))
|
||||
respx.get(url__regex=r"http://perdu.com/\?a=b*&foo=.*wapiti.*").mock(
|
||||
return_value=httpx.Response(200, text="Hello there", headers={"wapiti": "3.0.9 version"})
|
||||
return_value=httpx.Response(200, text="Hello there", headers={"wapiti": "3.1.0 version"})
|
||||
)
|
||||
|
||||
persister = AsyncMock()
|
||||
|
|
|
@ -260,7 +260,7 @@ async def test_xss_uppercase_no_script():
|
|||
@pytest.mark.asyncio
|
||||
async def test_frame_src_escape():
|
||||
persister = AsyncMock()
|
||||
request = Request("http://127.0.0.1:65081/frame_src_escape.php?url=https://wapiti.sourceforge.io/")
|
||||
request = Request("http://127.0.0.1:65081/frame_src_escape.php?url=https://wapiti-scanner.github.io/")
|
||||
request.path_id = 42
|
||||
crawler = AsyncCrawler("http://127.0.0.1:65081/")
|
||||
options = {"timeout": 10, "level": 2}
|
||||
|
@ -279,7 +279,7 @@ async def test_frame_src_escape():
|
|||
@pytest.mark.asyncio
|
||||
async def test_frame_src_no_escape():
|
||||
persister = AsyncMock()
|
||||
request = Request("http://127.0.0.1:65081/frame_src_no_escape.php?url=https://wapiti.sourceforge.io/")
|
||||
request = Request("http://127.0.0.1:65081/frame_src_no_escape.php?url=https://wapiti-scanner.github.io/")
|
||||
request.path_id = 42
|
||||
crawler = AsyncCrawler("http://127.0.0.1:65081/")
|
||||
options = {"timeout": 10, "level": 2}
|
||||
|
|
|
@ -61,7 +61,7 @@ def test_forms():
|
|||
"text": "default",
|
||||
"textarea": "Hi there!",
|
||||
"time": "13:37",
|
||||
"url": "https://wapiti.sourceforge.io/",
|
||||
"url": "https://wapiti-scanner.github.io/",
|
||||
"week": "2019-W24"
|
||||
}
|
||||
elif form.file_path == "/upload.php":
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2017-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2017-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2009-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2009-2022 Nicolas Surribas
|
||||
#
|
||||
# Original authors :
|
||||
# Anthony DUBOCAGE
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2014-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2014-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -36,7 +36,7 @@ class ModuleCrlf(Attack):
|
|||
MSG_VULN = _("CRLF Injection")
|
||||
do_get = True
|
||||
do_post = True
|
||||
payloads = (quote("http://www.google.fr\r\nwapiti: 3.0.9 version"), Flags())
|
||||
payloads = (quote("http://www.google.fr\r\nwapiti: 3.1.0 version"), Flags())
|
||||
|
||||
def __init__(self, crawler, persister, attack_options, stop_event):
|
||||
super().__init__(crawler, persister, attack_options, stop_event)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -158,7 +158,7 @@ class ModuleFile(Attack):
|
|||
return False
|
||||
else:
|
||||
if pattern in response.content:
|
||||
# Store false positive informations in order to prevent doing unnecessary requests
|
||||
# Store false positive information in order to prevent doing unnecessary requests
|
||||
self.known_false_positives[request.path_id].add(pattern)
|
||||
return True
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2009-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2009-2022 Nicolas Surribas
|
||||
#
|
||||
# Original authors :
|
||||
# Anthony DUBOCAGE
|
||||
|
|
|
@ -20,6 +20,7 @@ MSG_TECHNO_VERSIONED = _("The range for {0} is from {1} to {2}")
|
|||
Technology = str
|
||||
Version = str
|
||||
|
||||
|
||||
class ModuleHtp(Attack):
|
||||
"""
|
||||
Identify web technologies used by the web server using the HashThePlanet database.
|
||||
|
@ -100,9 +101,8 @@ class ModuleHtp(Attack):
|
|||
async def finish(self):
|
||||
if self._db is None:
|
||||
return
|
||||
|
||||
root_url = await self.persister.get_root_url()
|
||||
truth_table: List[Version] = None
|
||||
ranges_tables = None
|
||||
|
||||
for technology, versions_list in self.tech_versions.items():
|
||||
# First we retrieve all the stored versions in the same order as they have been added to the database
|
||||
|
@ -125,9 +125,10 @@ class ModuleHtp(Attack):
|
|||
# We get the max range by sorting the ranges by descending order and retrieving the first value
|
||||
max_index = sorted(max_range, reverse=True)[0]
|
||||
|
||||
tech_info = {}
|
||||
tech_info["name"] = technology
|
||||
tech_info["versions"] = truth_table[min_index:max_index + 1]
|
||||
tech_info = {
|
||||
"name": technology,
|
||||
"versions": truth_table[min_index:max_index + 1]
|
||||
}
|
||||
|
||||
await self.add_vuln_info(
|
||||
category=WEB_SERVER_VERSIONED,
|
||||
|
@ -177,6 +178,7 @@ class ModuleHtp(Attack):
|
|||
logging.info(_("Downloading from the web..."))
|
||||
await self.update()
|
||||
|
||||
|
||||
def regexp(expr, item):
|
||||
reg = re.compile(expr)
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -64,8 +64,6 @@ class ModuleLog4Shell(Attack):
|
|||
return
|
||||
await self._verify_header_vulnerability(malicious_request, header_target, payload, payload_unique_id)
|
||||
|
||||
|
||||
|
||||
async def attack_apache_solr_url(self, request_url: str):
|
||||
payload_unique_id = uuid.uuid4()
|
||||
payload = self._generate_payload(payload_unique_id).replace("{", "%7B").replace("}", "%7D")
|
||||
|
@ -186,21 +184,21 @@ class ModuleLog4Shell(Attack):
|
|||
log_red("---")
|
||||
|
||||
async def _verify_headers_vulnerability(
|
||||
self,
|
||||
modified_request: Request,
|
||||
malicious_headers: dict,
|
||||
headers_uuid_record: dict
|
||||
self,
|
||||
modified_request: Request,
|
||||
malicious_headers: dict,
|
||||
headers_uuid_record: dict
|
||||
):
|
||||
for header, payload in malicious_headers.items():
|
||||
header_uuid = headers_uuid_record.get(header)
|
||||
await self._verify_header_vulnerability(modified_request, header, payload, header_uuid)
|
||||
|
||||
async def _verify_header_vulnerability(
|
||||
self,
|
||||
modified_request: Request,
|
||||
header: str,
|
||||
payload: str,
|
||||
unique_id: uuid.UUID
|
||||
self,
|
||||
modified_request: Request,
|
||||
header: str,
|
||||
payload: str,
|
||||
unique_id: uuid.UUID
|
||||
):
|
||||
if await self._verify_dns(str(unique_id)) is True:
|
||||
await self.add_vuln_critical(
|
||||
|
@ -271,9 +269,9 @@ class ModuleLog4Shell(Attack):
|
|||
return batch_malicious_headers, headers_uuid_record
|
||||
|
||||
def _inject_payload(
|
||||
self,
|
||||
original_request: Request,
|
||||
params: List[Tuple[str, str]],
|
||||
self,
|
||||
original_request: Request,
|
||||
params: List[Tuple[str, str]],
|
||||
) -> Tuple[Request, str, uuid.UUID]:
|
||||
for idx, _ in enumerate(params):
|
||||
malicious_params = copy.deepcopy(params)
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2018-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2018-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2009-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2009-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2019-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2019-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2014-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2014-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2018-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2018-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env python3
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2019-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2019-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# Original author :
|
||||
# David del Pozo
|
||||
|
@ -25,21 +25,13 @@
|
|||
import os
|
||||
import locale
|
||||
import gettext
|
||||
import sys
|
||||
from pkg_resources import resource_filename
|
||||
|
||||
AVAILABLE_LANGS = ["en", "es", "fr", "pt", "zh"] # "de", "ms"]
|
||||
|
||||
if sys.platform == "win32":
|
||||
import ctypes
|
||||
|
||||
windll = ctypes.windll.kernel32
|
||||
def_locale = locale.windows_locale[windll.GetUserDefaultUILanguage()] # for example fr_FR
|
||||
lang_country = def_locale[:2]
|
||||
else:
|
||||
# getdefaultlocale will return (None, None) if locale settings are incorrectly set (ex: LANG=C)
|
||||
def_locale = locale.getdefaultlocale() # for example ('fr_FR', 'cp1252')
|
||||
lang_country = def_locale[0]
|
||||
# getdefaultlocale will return (None, None) if locale settings are incorrectly set (ex: LANG=C)
|
||||
def_locale = locale.getdefaultlocale() # for example ('fr_FR', 'cp1252')
|
||||
lang_country = def_locale[0]
|
||||
|
||||
lang = None
|
||||
if isinstance(lang_country, str) and len(lang_country) >= 2:
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2013-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2013-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# --no-location ne pas créer les commentaires de numérotation du type "#: fichier:ligne"
|
||||
# --omit-header ne pas créer d'en-têtes de la forme 'msgid ""'
|
||||
# First generate the template with all current strings, it will delete the previous file (so remove old strings)
|
||||
xgettext --copyright-holder="2009-2021 Nicolas SURRIBAS" --package-name="Wapiti" --package-version="GIT" --from-code=UTF-8 -L Python --no-wrap -d wapiti -o template.po -f file_list.txt --no-location --omit-header
|
||||
xgettext --copyright-holder="2009-2022 Nicolas SURRIBAS" --package-name="Wapiti" --package-version="GIT" --from-code=UTF-8 -L Python --no-wrap -d wapiti -o template.po -f file_list.txt --no-location --omit-header
|
||||
|
||||
# Next, update the translation files by adding entry for new strings
|
||||
# while keeping already translated strings if they are still used.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR 2009-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) YEAR 2009-2022 Nicolas SURRIBAS
|
||||
# This file is distributed under the same license as the Wapiti package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2006-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2006-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2006-2021 Nicolas SURRIBAS
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2006-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2006-2021 Nicolas SURRIBAS
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2006-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -51,7 +51,7 @@ from wapitiCore.net.sql_persister import SqlPersister
|
|||
from wapitiCore.net.web import Request
|
||||
from wapitiCore.report import GENERATORS, get_report_generator_instance
|
||||
|
||||
WAPITI_VERSION = "Wapiti 3.0.9"
|
||||
WAPITI_VERSION = "Wapiti 3.1.0"
|
||||
|
||||
SCAN_FORCE_VALUES = {
|
||||
"paranoid": 1,
|
||||
|
@ -1053,6 +1053,34 @@ async def wapiti_main():
|
|||
type=int, default=32
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--external-endpoint",
|
||||
metavar="EXTERNAL_ENDPOINT_URL",
|
||||
default=argparse.SUPPRESS,
|
||||
help=_("Url serving as endpoint for target")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--internal-endpoint",
|
||||
metavar="INTERNAL_ENDPOINT_URL",
|
||||
default=argparse.SUPPRESS,
|
||||
help=_("Url serving as endpoint for attacker")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--endpoint",
|
||||
metavar="ENDPOINT_URL",
|
||||
default="https://wapiti3.ovh/",
|
||||
help=_("Url serving as endpoint for both attacker and target")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--dns-endpoint",
|
||||
metavar="DNS_ENDPOINT_DOMAIN",
|
||||
default="dns.wapiti3.ovh",
|
||||
help=_("Domain serving as DNS endpoint for Log4Shell attack")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"-t", "--timeout",
|
||||
type=float, default=6.0,
|
||||
|
@ -1102,6 +1130,13 @@ async def wapiti_main():
|
|||
choices=range(0, 3)
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--log",
|
||||
metavar="OUTPUT_PATH",
|
||||
default=None,
|
||||
help=_("Output log file")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"-f", "--format",
|
||||
metavar="FORMAT",
|
||||
|
@ -1117,41 +1152,6 @@ async def wapiti_main():
|
|||
help=_("Output file or folder")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--log",
|
||||
metavar="OUTPUT_PATH",
|
||||
default=None,
|
||||
help=_("Output log file")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--external-endpoint",
|
||||
metavar="EXTERNAL_ENDPOINT_URL",
|
||||
default=argparse.SUPPRESS,
|
||||
help=_("Url serving as endpoint for target")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--internal-endpoint",
|
||||
metavar="INTERNAL_ENDPOINT_URL",
|
||||
default=argparse.SUPPRESS,
|
||||
help=_("Url serving as endpoint for attacker")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--dns-endpoint",
|
||||
metavar="DNS_ENDPOINT_DOMAIN",
|
||||
default="dns.wapiti3.ovh",
|
||||
help=_("Domain serving as DNS endpoint for Log4Shell attack")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--endpoint",
|
||||
metavar="ENDPOINT_URL",
|
||||
default="https://wapiti3.ovh/",
|
||||
help=_("Url serving as endpoint for both attacker and target")
|
||||
)
|
||||
|
||||
parser.add_argument(
|
||||
"--no-bugreport",
|
||||
action="store_true",
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2006-2021 Nicolas SURRIBAS
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2006-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2012-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2012-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# LameJs - A very basic javascript interpreter in Python
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2013-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2013-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2006-2021 Nicolas SURRIBAS
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2006-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -761,7 +761,7 @@ class Page:
|
|||
"tel": "0606060606",
|
||||
"text": "default",
|
||||
"time": "13:37",
|
||||
"url": "https://wapiti.sourceforge.io/",
|
||||
"url": "https://wapiti-scanner.github.io/",
|
||||
"username": "alice",
|
||||
"week": "2019-W24"
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2017-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2017-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2017-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2017-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2020-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2020-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2021-2022 Nicolas Surribas
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
# CSV Report Generator Module for Wapiti Project
|
||||
# Wapiti Project (https://wapiti.sourceforge.io)
|
||||
# Wapiti Project (https://wapiti-scanner.github.io)
|
||||
#
|
||||
# Copyright (C) 2021 Nicolas SURRIBAS
|
||||
# Copyright (C) 2021-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
# HTML Report Generator Module for Wapiti Project
|
||||
# Wapiti Project (https://wapiti.sourceforge.io)
|
||||
# Wapiti Project (https://wapiti-scanner.github.io)
|
||||
#
|
||||
# Copyright (C) 2017-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) 2017-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
# JSON Report Generator Module for Wapiti Project
|
||||
# Wapiti Project (https://wapiti.sourceforge.io)
|
||||
# Wapiti Project (https://wapiti-scanner.github.io)
|
||||
#
|
||||
# Copyright (C) 2014-2021 Nicolas SURRIBAS
|
||||
# Copyright (C) 2014-2022 Nicolas SURRIBAS
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -30,7 +30,7 @@ class JSONReportGenerator(ReportGenerator):
|
|||
- vulnerabilities : each key is matching a vulnerability class. Value is a list of found vulnerabilities.
|
||||
- anomalies : same as vulnerabilities but used only for error messages and timeouts (items of less importance).
|
||||
- additionals : some additional information about the target.
|
||||
- infos : several informations about the scan.
|
||||
- infos : several information about the scan.
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
|
@ -59,7 +59,7 @@ class JSONReportGenerator(ReportGenerator):
|
|||
|
||||
# Vulnerabilities
|
||||
def add_vulnerability_type(self, name, description="", solution="", references=None, wstg=None):
|
||||
"""Add informations on a type of vulnerability"""
|
||||
"""Add information on a type of vulnerability"""
|
||||
if name not in self._flaw_types:
|
||||
self._flaw_types[name] = {
|
||||
"desc": description,
|
||||
|
@ -72,7 +72,7 @@ class JSONReportGenerator(ReportGenerator):
|
|||
|
||||
def add_vulnerability(self, module: str, category=None, level=0, request=None, parameter="", info="", wstg=None):
|
||||
"""
|
||||
Store the informations about a found vulnerability.
|
||||
Store the information about a found vulnerability.
|
||||
"""
|
||||
|
||||
vuln_dict = {
|
||||
|
@ -105,7 +105,7 @@ class JSONReportGenerator(ReportGenerator):
|
|||
self._anomalies[name] = []
|
||||
|
||||
def add_anomaly(self, module: str, category=None, level=0, request=None, parameter="", info="", wstg=None):
|
||||
"""Store the informations about an anomaly met during the attack."""
|
||||
"""Store the information about an anomaly met during the attack."""
|
||||
anom_dict = {
|
||||
"method": request.method,
|
||||
"path": request.file_path,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
|
||||
# Copyright (C) 2008-2021 Nicolas Surribas
|
||||
# This file is part of the Wapiti project (https://wapiti-scanner.github.io)
|
||||
# Copyright (C) 2008-2022 Nicolas Surribas
|
||||
#
|
||||
# Original authors :
|
||||
# Alberto Pastor
|
||||
|
@ -31,7 +31,7 @@ class ReportGenerator:
|
|||
self._date = None
|
||||
|
||||
def set_report_info(self, target, scope, date, version, auth, crawled_pages: int):
|
||||
"""Set the informations about the scan"""
|
||||
"""Set the information about the scan"""
|
||||
self._infos["target"] = target
|
||||
self._infos["date"] = time.strftime("%a, %d %b %Y %H:%M:%S +0000", date)
|
||||
self._infos["version"] = version
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue