metasploit-framework/lib/rex/parser/netsparker_xml.rb

110 lines
2.3 KiB
Ruby
Raw Normal View History

# -*- coding: binary -*-
module Rex
module Parser
class NetSparkerXMLStreamParser
attr_accessor :on_found_vuln
def initialize(on_found_vuln = nil)
self.on_found_vuln = on_found_vuln if on_found_vuln
2012-05-24 23:10:26 +00:00
reset_state
end
def reset_state
@state = :generic_state
@vuln = {'info' => []}
@attr = {}
end
def tag_start(name, attributes)
@state = "in_#{name.downcase}".intern
@attr = attributes
2012-05-24 23:10:26 +00:00
case name
when "vulnerability"
@vuln = { 'info' => [] }
@vuln['confirmed'] = attributes['confirmed']
end
end
def text(str)
case @state
when :in_url
@vuln['url'] ||= ""
@vuln['url'] += str
when :in_type
2012-05-24 23:10:26 +00:00
@vuln['type'] ||= ""
@vuln['type'] += str
when :in_severity
@vuln['severity'] ||= ""
@vuln['severity'] += str
when :in_vulnerableparametertype
@vuln["vparam_type"] ||= ""
@vuln["vparam_type"] += str
when :in_vulnerableparameter
2012-05-24 23:10:26 +00:00
@vuln["vparam_name"] ||= ""
@vuln["vparam_name"] += str
when :in_vulnerableparametervalue
2012-05-24 23:10:26 +00:00
@vuln["vparam_value"] ||= ""
@vuln["vparam_value"] += str
when :in_rawrequest
2012-05-24 23:10:26 +00:00
@vuln["request"] ||= ""
@vuln["request"] += str
when :in_rawresponse
@vuln["response"] ||= ""
@vuln["response"] += str
when :in_info
# <info name="Identified Internal Path(s)">C:\AppServ\www\test-apps\dokeos\main\inc\banner.inc.php</info>
if not str.to_s.strip.empty?
@vuln['info'] << [@attr['name'] || "Information", str]
end
when :in_netsparker
when :in_target
when :in_scantime
when :generic_state
when :in_vulnerability
when :in_extrainformation
2012-05-24 23:10:26 +00:00
else
# $stderr.puts "unknown state: #{@state}"
end
end
def tag_end(name)
case name
when "vulnerability"
@vuln.keys.each do |k|
@vuln[k] = @vuln[k].strip if @vuln[k].kind_of?(::String)
end
on_found_vuln.call(@vuln) if on_found_vuln
reset_state
end
end
# We don't need these methods, but they're necessary to keep REXML happy
def xmldecl(version, encoding, standalone); end
def cdata(data)
puts "cdata for #{@state} (#{data.length})"
case @state
when :in_rawresponse
@vuln["response"] = data
when :in_rawrequest
@vuln["request"] = data
when :in_info
if not data.to_s.strip.empty?
@vuln['info'] << [@attr['name'] || "Information", data]
end
end
end
def comment(str); end
def instruction(name, instruction); end
def attlist; end
end
end
end
__END__