ronin-app 0.1.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.dockerignore +3 -0
- data/.document +6 -0
- data/.env.dev +1 -0
- data/.github/workflows/ruby.yml +44 -0
- data/.gitignore +16 -0
- data/.rspec +1 -0
- data/.rubocop.yml +26 -0
- data/.ruby-version +1 -0
- data/.yardopts +1 -0
- data/CONTRIBUTING.md +34 -0
- data/COPYING.txt +661 -0
- data/ChangeLog.md +38 -0
- data/Dockerfile +27 -0
- data/Gemfile +61 -0
- data/Procfile +2 -0
- data/Procfile.dev +2 -0
- data/README.md +215 -0
- data/Rakefile +44 -0
- data/app/db.rb +680 -0
- data/app/scanning.rb +173 -0
- data/app.rb +372 -0
- data/bin/ronin-app +34 -0
- data/config/database.rb +17 -0
- data/config/puma.rb +24 -0
- data/config/redis.rb +4 -0
- data/config/sidekiq.rb +23 -0
- data/config/sidekiq.yml +12 -0
- data/config.ru +33 -0
- data/docker-compose.yml +45 -0
- data/etc/systemd/user/ronin-app-sidekiq.1.service +17 -0
- data/etc/systemd/user/ronin-app-web.1.service +18 -0
- data/etc/systemd/user/ronin-app.target +5 -0
- data/gemspec.yml +55 -0
- data/lib/middleware/sidekiq/active_record_connection_pool.rb +47 -0
- data/lib/ronin/app/cli.rb +197 -0
- data/lib/ronin/app/helpers/html.rb +71 -0
- data/lib/ronin/app/root.rb +28 -0
- data/lib/ronin/app/schemas/params_schema.rb +66 -0
- data/lib/ronin/app/schemas/payloads/build_schema.rb +56 -0
- data/lib/ronin/app/schemas/payloads/encoders/encode_schema.rb +60 -0
- data/lib/ronin/app/types/import.rb +35 -0
- data/lib/ronin/app/types/nmap.rb +81 -0
- data/lib/ronin/app/types/spider.rb +49 -0
- data/lib/ronin/app/types/vulns.rb +69 -0
- data/lib/ronin/app/types.rb +66 -0
- data/lib/ronin/app/validations/import_params.rb +71 -0
- data/lib/ronin/app/validations/install_repo_params.rb +78 -0
- data/lib/ronin/app/validations/masscan_params.rb +122 -0
- data/lib/ronin/app/validations/nmap_params.rb +183 -0
- data/lib/ronin/app/validations/recon_params.rb +86 -0
- data/lib/ronin/app/validations/spider_params.rb +103 -0
- data/lib/ronin/app/validations/vulns_params.rb +83 -0
- data/lib/ronin/app/version.rb +26 -0
- data/log/.gitkeep +0 -0
- data/man/ronin-app.1 +63 -0
- data/man/ronin-app.1.md +61 -0
- data/public/images/favicon.png +0 -0
- data/public/images/favicon.svg +78 -0
- data/public/images/logo.svg +78 -0
- data/public/images/sidekiq.svg +24 -0
- data/public/javascript/app.js +60 -0
- data/public/javascript/notes.js +28 -0
- data/public/javascript/tabs.js +40 -0
- data/public/stylesheets/app.css +216 -0
- data/public/stylesheets/bulma.min.css +1 -0
- data/ronin-app.gemspec +63 -0
- data/scripts/console +7 -0
- data/scripts/server +134 -0
- data/scripts/setup +447 -0
- data/scripts/update +55 -0
- data/tmp/.gitkeep +0 -0
- data/views/_authors.erb +62 -0
- data/views/_delete.erb +4 -0
- data/views/_delete_all.erb +4 -0
- data/views/_encoding_tabs.erb +25 -0
- data/views/_notes.erb +33 -0
- data/views/_pagination.erb +1 -0
- data/views/_param_fields.erb +66 -0
- data/views/_params.erb +35 -0
- data/views/about.erb +30 -0
- data/views/db/advisories/index.erb +30 -0
- data/views/db/advisories/show.erb +105 -0
- data/views/db/asns/index.erb +19 -0
- data/views/db/asns/show.erb +61 -0
- data/views/db/credentials/index.erb +30 -0
- data/views/db/credentials/show.erb +51 -0
- data/views/db/email_addresses/index.erb +30 -0
- data/views/db/email_addresses/show.erb +44 -0
- data/views/db/host_names/index.erb +30 -0
- data/views/db/host_names/show.erb +52 -0
- data/views/db/ip_addresses/index.erb +19 -0
- data/views/db/ip_addresses/show.erb +98 -0
- data/views/db/mac_addresses/index.erb +19 -0
- data/views/db/mac_addresses/show.erb +62 -0
- data/views/db/open_ports/index.erb +19 -0
- data/views/db/open_ports/show.erb +87 -0
- data/views/db/organizations/departments/show.erb +82 -0
- data/views/db/organizations/index.erb +28 -0
- data/views/db/organizations/members/show.erb +87 -0
- data/views/db/organizations/show.erb +111 -0
- data/views/db/oses/index.erb +19 -0
- data/views/db/oses/show.erb +46 -0
- data/views/db/passwords/index.erb +30 -0
- data/views/db/passwords/show.erb +52 -0
- data/views/db/people/index.erb +31 -0
- data/views/db/people/show.erb +120 -0
- data/views/db/phone_numbers/index.erb +30 -0
- data/views/db/phone_numbers/show.erb +63 -0
- data/views/db/ports/index.erb +30 -0
- data/views/db/ports/show.erb +70 -0
- data/views/db/services/index.erb +30 -0
- data/views/db/services/show.erb +65 -0
- data/views/db/software/index.erb +19 -0
- data/views/db/software/show.erb +52 -0
- data/views/db/software_vendors/index.erb +19 -0
- data/views/db/software_vendors/show.erb +36 -0
- data/views/db/street_addresses/index.erb +19 -0
- data/views/db/street_addresses/show.erb +63 -0
- data/views/db/url_query_param_names/index.erb +19 -0
- data/views/db/url_query_param_names/show.erb +50 -0
- data/views/db/url_schemes/index.erb +19 -0
- data/views/db/url_schemes/show.erb +36 -0
- data/views/db/urls/index.erb +30 -0
- data/views/db/urls/show.erb +103 -0
- data/views/db/user_names/index.erb +30 -0
- data/views/db/user_names/show.erb +48 -0
- data/views/db/vulns/index.erb +19 -0
- data/views/db/vulns/show.erb +104 -0
- data/views/db.erb +152 -0
- data/views/exploits/index.erb +9 -0
- data/views/exploits/show.erb +100 -0
- data/views/import.erb +30 -0
- data/views/index.erb +7 -0
- data/views/layout.erb +98 -0
- data/views/masscan.erb +459 -0
- data/views/nmap.erb +1009 -0
- data/views/payloads/build.erb +19 -0
- data/views/payloads/encoders/encode.erb +35 -0
- data/views/payloads/encoders/index.erb +9 -0
- data/views/payloads/encoders/show.erb +47 -0
- data/views/payloads/index.erb +9 -0
- data/views/payloads/show.erb +47 -0
- data/views/queue.erb +28 -0
- data/views/recon.erb +55 -0
- data/views/repos/index.erb +30 -0
- data/views/repos/install.erb +45 -0
- data/views/repos/show.erb +39 -0
- data/views/spider.erb +372 -0
- data/views/vulns.erb +214 -0
- data/workers/import.rb +96 -0
- data/workers/install_repo.rb +40 -0
- data/workers/masscan.rb +135 -0
- data/workers/nmap.rb +216 -0
- data/workers/purge_repos.rb +40 -0
- data/workers/recon.rb +95 -0
- data/workers/remove_repo.rb +40 -0
- data/workers/spider.rb +148 -0
- data/workers/update_repo.rb +42 -0
- data/workers/update_repos.rb +40 -0
- data/workers/vulns.rb +111 -0
- data/workers.rb +37 -0
- metadata +538 -0
@@ -0,0 +1,183 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-app - a local web app for Ronin.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-app is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Affero General Public License as published by
|
9
|
+
# the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-app is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Affero General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Affero General Public License
|
18
|
+
# along with ronin-app. If not, see <http://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'dry/validation'
|
22
|
+
require 'ronin/app/types'
|
23
|
+
require 'ronin/app/types/nmap'
|
24
|
+
|
25
|
+
require 'nmap/command'
|
26
|
+
|
27
|
+
module Ronin
|
28
|
+
module App
|
29
|
+
module Validations
|
30
|
+
#
|
31
|
+
# Validations for the form params submitted to `POST /nmap`.
|
32
|
+
#
|
33
|
+
class NmapParams < Dry::Validation::Contract
|
34
|
+
|
35
|
+
params do
|
36
|
+
required(:targets).filled(Types::Args).each(:filled?)
|
37
|
+
optional(:ports).maybe(Types::Nmap::PortRangeList)
|
38
|
+
|
39
|
+
# TARGET SPECIFICATIONS:
|
40
|
+
optional(:target_file).maybe(:string)
|
41
|
+
optional(:random_targets).maybe(:integer)
|
42
|
+
optional(:exclude).maybe(Types::List)
|
43
|
+
optional(:exclude_file).maybe(:string)
|
44
|
+
|
45
|
+
# HOST DISCOVERY:
|
46
|
+
optional(:ping).maybe(:bool)
|
47
|
+
optional(:skip_discovery).maybe(:bool)
|
48
|
+
optional(:syn_discovery).maybe(Types::Bool | Types::Nmap::PortRangeList)
|
49
|
+
optional(:ack_discovery).maybe(Types::Bool | Types::Nmap::PortRangeList)
|
50
|
+
optional(:udp_discovery).maybe(Types::Bool | Types::Nmap::PortRangeList)
|
51
|
+
optional(:sctp_init_ping).maybe(Types::Bool | Types::Nmap::PortRangeList)
|
52
|
+
optional(:icmp_echo_discovery).maybe(:bool)
|
53
|
+
optional(:icmp_timestamp_discovery).maybe(:bool)
|
54
|
+
optional(:icmp_netmask_discovery).maybe(:bool)
|
55
|
+
optional(:ip_ping).maybe(Types::Bool | Types::Nmap::ProtocolList)
|
56
|
+
optional(:arp_ping).maybe(:bool)
|
57
|
+
optional(:traceroute).maybe(:bool)
|
58
|
+
optional(:disable_dns).maybe(:bool)
|
59
|
+
optional(:enable_dns).maybe(:bool)
|
60
|
+
optional(:resolve_all).maybe(:bool)
|
61
|
+
optional(:unique).maybe(:bool)
|
62
|
+
optional(:dns_servers).maybe(Types::List)
|
63
|
+
optional(:system_dns).maybe(:bool)
|
64
|
+
|
65
|
+
# PORT SCANNING TECHNIQUES:
|
66
|
+
optional(:syn_scan).maybe(:bool)
|
67
|
+
optional(:connect_scan).maybe(:bool)
|
68
|
+
optional(:udp_scan).maybe(:bool)
|
69
|
+
optional(:sctp_init_scan).maybe(:bool)
|
70
|
+
optional(:null_scan).maybe(:bool)
|
71
|
+
optional(:fin_scan).maybe(:bool)
|
72
|
+
optional(:xmas_scan).maybe(:bool)
|
73
|
+
optional(:ack_scan).maybe(:bool)
|
74
|
+
optional(:window_scan).maybe(:bool)
|
75
|
+
optional(:maimon_scan).maybe(:bool)
|
76
|
+
optional(:scan_flags).maybe(Types::Nmap::ScanFlags)
|
77
|
+
optional(:sctp_cookie_echo_scan).maybe(:bool)
|
78
|
+
optional(:idle_scan).maybe(:string)
|
79
|
+
optional(:ip_scan).maybe(:bool)
|
80
|
+
optional(:ftp_bounce_scan).maybe(:string)
|
81
|
+
|
82
|
+
# PORT SPECIFICATION AND SCAN ORDER:
|
83
|
+
optional(:ports).maybe(Types::Nmap::PortRangeList)
|
84
|
+
optional(:exclude_ports).maybe(Types::Nmap::PortRangeList)
|
85
|
+
optional(:fast).maybe(:bool)
|
86
|
+
optional(:consecutively).maybe(:bool)
|
87
|
+
optional(:top_ports).maybe(:integer)
|
88
|
+
optional(:port_ratio).maybe(:float)
|
89
|
+
|
90
|
+
# SERVICE/VERSION DETECTION:
|
91
|
+
optional(:service_scan).maybe(:bool)
|
92
|
+
optional(:all_ports).maybe(:bool)
|
93
|
+
optional(:version_intensity).maybe(:integer)
|
94
|
+
optional(:version_light).maybe(:bool)
|
95
|
+
optional(:version_all).maybe(:bool)
|
96
|
+
optional(:version_trace).maybe(:bool)
|
97
|
+
|
98
|
+
# OS DETECTION:
|
99
|
+
optional(:os_fingerprint).maybe(:bool)
|
100
|
+
optional(:limit_os_scan).maybe(:bool)
|
101
|
+
optional(:max_os_scan).maybe(:bool)
|
102
|
+
optional(:max_os_tries).maybe(:bool)
|
103
|
+
|
104
|
+
# TIMING AND PERFORMANCE:
|
105
|
+
optional(:min_host_group).maybe(:integer)
|
106
|
+
optional(:max_host_group).maybe(:integer)
|
107
|
+
optional(:min_parallelism).maybe(:integer)
|
108
|
+
optional(:max_parallelism).maybe(:integer)
|
109
|
+
optional(:min_rtt_timeout).maybe(Types::Nmap::Time)
|
110
|
+
optional(:max_rtt_timeout).maybe(Types::Nmap::Time)
|
111
|
+
optional(:initial_rtt_timeout).maybe(Types::Nmap::Time)
|
112
|
+
optional(:max_retries).maybe(:integer)
|
113
|
+
optional(:host_timeout).maybe(Types::Nmap::Time)
|
114
|
+
optional(:script_timeout).maybe(Types::Nmap::Time)
|
115
|
+
optional(:scan_delay).maybe(Types::Nmap::Time)
|
116
|
+
optional(:max_scan_delay).maybe(Types::Nmap::Time)
|
117
|
+
optional(:min_rate).maybe(:integer)
|
118
|
+
optional(:max_rate).maybe(:integer)
|
119
|
+
optional(:defeat_rst_ratelimit).maybe(:bool)
|
120
|
+
optional(:defeat_icmp_ratelimit).maybe(:bool)
|
121
|
+
optional(:nsock_engine).maybe(Types::Nmap::NsockEngine)
|
122
|
+
optional(:timing_template).maybe(Types::Nmap::TimingTemplate)
|
123
|
+
|
124
|
+
# FIREWALL/IDS EVASION AND SPOOFING:
|
125
|
+
optional(:packet_fragments).maybe(:bool)
|
126
|
+
optional(:mtu).maybe(Types::Bool | Types::Integer)
|
127
|
+
optional(:decoys).maybe(Types::List)
|
128
|
+
optional(:spoof).maybe(:string)
|
129
|
+
optional(:interface).maybe(:string)
|
130
|
+
optional(:source_port).maybe(Types::Nmap::Port)
|
131
|
+
optional(:proxies).maybe(Types::List)
|
132
|
+
optional(:data).maybe(Types::Nmap::HexString)
|
133
|
+
optional(:data_string).maybe(:string)
|
134
|
+
optional(:data_length).maybe(:integer)
|
135
|
+
optional(:ip_options).maybe(:string)
|
136
|
+
optional(:ttl).maybe(:integer)
|
137
|
+
optional(:randomize_hosts).maybe(:bool)
|
138
|
+
optional(:spoof_mac).maybe(:string)
|
139
|
+
optional(:bad_checksum).maybe(:bool)
|
140
|
+
optional(:sctp_adler32).maybe(:bool)
|
141
|
+
|
142
|
+
# MISC:
|
143
|
+
optional(:ipv6).maybe(:bool)
|
144
|
+
optional(:all).maybe(:bool)
|
145
|
+
optional(:nmap_datadir).maybe(:string)
|
146
|
+
optional(:servicedb).maybe(:string)
|
147
|
+
optional(:versiondb).maybe(:string)
|
148
|
+
optional(:send_eth).maybe(:bool)
|
149
|
+
optional(:send_ip).maybe(:bool)
|
150
|
+
optional(:privileged).maybe(:bool)
|
151
|
+
optional(:unprivileged).maybe(:bool)
|
152
|
+
optional(:release_memory).maybe(:bool)
|
153
|
+
end
|
154
|
+
|
155
|
+
rule(:port_ratio) do
|
156
|
+
if (value && !(value >= 0.0 && value <= 1.0))
|
157
|
+
key.failure('value must be between 0.0 and 1.0')
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
rule(:version_intensity) do
|
162
|
+
if (value && !(value >= 0 && value <= 9))
|
163
|
+
key.failure('value must be between 0 and 9')
|
164
|
+
end
|
165
|
+
end
|
166
|
+
|
167
|
+
#
|
168
|
+
# Initializes and calls the validation contract.
|
169
|
+
#
|
170
|
+
# @param [Hash{String => Object}] params
|
171
|
+
# The HTTP params to validate.
|
172
|
+
#
|
173
|
+
# @return [Dry::Validation::Result]
|
174
|
+
# The validation result.
|
175
|
+
#
|
176
|
+
def self.call(params)
|
177
|
+
new.call(params)
|
178
|
+
end
|
179
|
+
|
180
|
+
end
|
181
|
+
end
|
182
|
+
end
|
183
|
+
end
|
@@ -0,0 +1,86 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-app - a local web app for Ronin.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-app is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Affero General Public License as published by
|
9
|
+
# the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-app is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Affero General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Affero General Public License
|
18
|
+
# along with ronin-app. If not, see <http://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'dry/validation'
|
22
|
+
require 'ronin/app/types'
|
23
|
+
|
24
|
+
require 'ronin/recon/value/parser'
|
25
|
+
|
26
|
+
module Ronin
|
27
|
+
module App
|
28
|
+
module Validations
|
29
|
+
#
|
30
|
+
# Validations for the form params submitted to `POST /recon`.
|
31
|
+
#
|
32
|
+
class ReconParams < Dry::Validation::Contract
|
33
|
+
|
34
|
+
include Ronin::Recon::Value::Parser
|
35
|
+
|
36
|
+
# Regex to match a value string.
|
37
|
+
VALUE_REGEX = /#{IP_RANGE_REGEX}|#{IP_REGEX}|#{WEBSITE_REGEX}|#{WILDCARD_REGEX}|#{HOSTNAME_REGEX}|#{DOMAIN_REGEX}/
|
38
|
+
|
39
|
+
params do
|
40
|
+
required(:scope).filled(Types::Args).each(:filled?)
|
41
|
+
|
42
|
+
optional(:ignore).maybe(Types::Args)
|
43
|
+
optional(:max_depth).maybe(:integer)
|
44
|
+
end
|
45
|
+
|
46
|
+
rule(:scope) do
|
47
|
+
bad_values = value.grep_v(VALUE_REGEX)
|
48
|
+
|
49
|
+
unless bad_values.empty?
|
50
|
+
key.failure("value must be an IP address, CIDR IP range, domain, sub-domain, wildcard hostname, or website base URL: #{bad_values.join(', ')}")
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
rule(:ignore) do
|
55
|
+
if value
|
56
|
+
bad_values = value.grep_v(VALUE_REGEX)
|
57
|
+
|
58
|
+
unless bad_values.empty?
|
59
|
+
key.failure("ignore value must be an IP address, CIDR IP range, domain, sub-domain, wildcard hostname, or website base URL: #{bad_values.join(', ')}")
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
rule(:max_depth) do
|
65
|
+
if value && value < 2
|
66
|
+
key.failure("max_depth must be greater than 1")
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
#
|
71
|
+
# Initializes and calls the validation contract.
|
72
|
+
#
|
73
|
+
# @param [Hash{String => Object}] params
|
74
|
+
# The HTTP params to validate.
|
75
|
+
#
|
76
|
+
# @return [Dry::Validation::Result]
|
77
|
+
# The validation result.
|
78
|
+
#
|
79
|
+
def self.call(params)
|
80
|
+
new.call(params)
|
81
|
+
end
|
82
|
+
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
@@ -0,0 +1,103 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-app - a local web app for Ronin.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-app is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Affero General Public License as published by
|
9
|
+
# the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-app is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Affero General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Affero General Public License
|
18
|
+
# along with ronin-app. If not, see <http://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'dry/validation'
|
22
|
+
require 'ronin/app/types/spider'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module App
|
26
|
+
module Validations
|
27
|
+
#
|
28
|
+
# Validations for form params submitted to `POST /web/spider`.
|
29
|
+
#
|
30
|
+
class SpiderParams < Dry::Validation::Contract
|
31
|
+
|
32
|
+
# Regular expression to loosely validate any hostname (local or DNS).
|
33
|
+
HOST_NAME_REGEX = /\A[A-Za-z0-9\._-]+\z/
|
34
|
+
|
35
|
+
params do
|
36
|
+
required(:type).filled(Types::Spider::TargetType)
|
37
|
+
required(:target).filled(:string)
|
38
|
+
|
39
|
+
optional(:host_header).maybe(:string)
|
40
|
+
# optional(:host_headers)
|
41
|
+
# optional(:default_headers)
|
42
|
+
optional(:user_agent).maybe(:string)
|
43
|
+
optional(:referer).maybe(:string)
|
44
|
+
optional(:open_timeout).maybe(:integer)
|
45
|
+
optional(:read_timeout).maybe(:integer)
|
46
|
+
optional(:ssl_timeout).maybe(:integer)
|
47
|
+
optional(:continue_timeout).maybe(:integer)
|
48
|
+
optional(:keep_alive_timeout).maybe(:integer)
|
49
|
+
optional(:proxy).maybe(:string)
|
50
|
+
optional(:delay).maybe(:integer)
|
51
|
+
optional(:limit).maybe(:integer)
|
52
|
+
optional(:max_depth).maybe(:integer)
|
53
|
+
optional(:strip_fragments).maybe(:bool)
|
54
|
+
optional(:strip_query).maybe(:bool)
|
55
|
+
optional(:hosts).maybe(Types::Spider::HostList)
|
56
|
+
optional(:ignore_hosts).maybe(Types::Spider::HostList)
|
57
|
+
optional(:ports).maybe(Types::Spider::PortList)
|
58
|
+
optional(:ignore_ports).maybe(Types::Spider::PortList)
|
59
|
+
optional(:urls).maybe(Types::Spider::URLList)
|
60
|
+
optional(:ignore_urls).maybe(Types::Spider::URLList)
|
61
|
+
optional(:exts).maybe(Types::Spider::ExtList)
|
62
|
+
optional(:ignore_exts).maybe(Types::Spider::ExtList)
|
63
|
+
optional(:robots).maybe(:bool)
|
64
|
+
|
65
|
+
before(:value_coercer) do |result|
|
66
|
+
result.to_h.reject { |key,value| value.empty? }
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
rule(:target) do
|
71
|
+
case values[:type]
|
72
|
+
when 'host'
|
73
|
+
unless values[:target] =~ HOST_NAME_REGEX
|
74
|
+
key.failure('host must be a valid host name')
|
75
|
+
end
|
76
|
+
when 'domain'
|
77
|
+
unless values[:target] =~ HOST_NAME_REGEX
|
78
|
+
key.failure('domain must be a valid host name')
|
79
|
+
end
|
80
|
+
when 'site'
|
81
|
+
unless values[:target] =~ %r{\Ahttp(?:s)?://.+\z}
|
82
|
+
key.failure('site must be a valid http:// or https:// URI')
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
#
|
88
|
+
# Initializes and calls the validation contract.
|
89
|
+
#
|
90
|
+
# @param [Hash{String => Object}] params
|
91
|
+
# The HTTP params to validate.
|
92
|
+
#
|
93
|
+
# @return [Dry::Validation::Result]
|
94
|
+
# The validation result.
|
95
|
+
#
|
96
|
+
def self.call(params)
|
97
|
+
new.call(params)
|
98
|
+
end
|
99
|
+
|
100
|
+
end
|
101
|
+
end
|
102
|
+
end
|
103
|
+
end
|
@@ -0,0 +1,83 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-app - a local web app for Ronin.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-app is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Affero General Public License as published by
|
9
|
+
# the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-app is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Affero General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Affero General Public License
|
18
|
+
# along with ronin-app. If not, see <http://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'dry/validation'
|
22
|
+
require 'ronin/app/types/vulns'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module App
|
26
|
+
module Validations
|
27
|
+
#
|
28
|
+
# Validations for form params submitted to `POST /vulns`.
|
29
|
+
#
|
30
|
+
class VulnsParams < Dry::Validation::Contract
|
31
|
+
|
32
|
+
params do
|
33
|
+
required(:url).filled(:string)
|
34
|
+
|
35
|
+
optional(:lfi).hash do
|
36
|
+
optional(:os).maybe(Types::Vulns::LFI::OSType)
|
37
|
+
optional(:depth).maybe(:integer)
|
38
|
+
optional(:filter_bypass).maybe(Types::Vulns::LFI::FilterBypassType)
|
39
|
+
end
|
40
|
+
|
41
|
+
optional(:rfi).hash do
|
42
|
+
optional(:filter_bypass).maybe(Types::Vulns::RFI::FilterBypassType)
|
43
|
+
optional(:test_script_url).maybe(:string)
|
44
|
+
end
|
45
|
+
|
46
|
+
optional(:sqli).hash do
|
47
|
+
optional(:escape_quote).maybe(:bool)
|
48
|
+
optional(:escape_parens).maybe(:bool)
|
49
|
+
optional(:terminate).maybe(:bool)
|
50
|
+
end
|
51
|
+
|
52
|
+
optional(:ssti).hash do
|
53
|
+
optional(:escape).maybe(Types::Vulns::SSTI::EscapeType)
|
54
|
+
end
|
55
|
+
|
56
|
+
optional(:command_injection).hash do
|
57
|
+
optional(:escape_quote).maybe(:string)
|
58
|
+
optional(:escape_operator).maybe(:string)
|
59
|
+
optional(:terminate).maybe(:string)
|
60
|
+
end
|
61
|
+
|
62
|
+
optional(:open_redirect).hash do
|
63
|
+
optional(:test_url).maybe(:string)
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
#
|
68
|
+
# Initializes and calls the validation contract.
|
69
|
+
#
|
70
|
+
# @param [Hash{String => Object}] params
|
71
|
+
# The HTTP params to validate.
|
72
|
+
#
|
73
|
+
# @return [Dry::Validation::Result]
|
74
|
+
# The validation result.
|
75
|
+
#
|
76
|
+
def self.call(params)
|
77
|
+
new.call(params)
|
78
|
+
end
|
79
|
+
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
83
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-app - a local web app for Ronin.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-app is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Affero General Public License as published by
|
9
|
+
# the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-app is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Affero General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Affero General Public License
|
18
|
+
# along with ronin-app. If not, see <http://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
module Ronin
|
22
|
+
module App
|
23
|
+
# The ronin-app version
|
24
|
+
VERSION = '0.1.0.rc1'
|
25
|
+
end
|
26
|
+
end
|
data/log/.gitkeep
ADDED
File without changes
|
data/man/ronin-app.1
ADDED
@@ -0,0 +1,63 @@
|
|
1
|
+
.\" Generated by kramdown-man 1.0.1
|
2
|
+
.\" https://github.com/postmodern/kramdown-man#readme
|
3
|
+
.TH ronin-app 1 "2023-08-30" Ronin App "User Manuals"
|
4
|
+
.SH NAME
|
5
|
+
.PP
|
6
|
+
ronin\-app \- A local web interface for Ronin
|
7
|
+
.SH SYNOPSIS
|
8
|
+
.PP
|
9
|
+
\fBronin\-app\fR \[lB]\fIoptions\fP\[rB] \[lB]\fICOMMAND\fP\[rB]
|
10
|
+
.SH DESCRIPTION
|
11
|
+
.PP
|
12
|
+
Starts the local Ronin web application\.
|
13
|
+
.SH OPTIONS
|
14
|
+
.TP
|
15
|
+
\fB\-H\fR, \fB\-\-host\fR \fIIP\fP
|
16
|
+
The IP address to listen on\. Defaults to \fBlocalhost\fR if not specified\.
|
17
|
+
.TP
|
18
|
+
\fB\-p\fR, \fB\-\-port\fR \fIPORT\fP
|
19
|
+
The port to listen on\. Defaults to \fB1337\fR if not specified\.
|
20
|
+
.TP
|
21
|
+
\fB\-\-db\fR \fINAME\fP
|
22
|
+
Specifies the \fBronin\-db\fR database name for the app to connect to\.
|
23
|
+
.TP
|
24
|
+
\fB\-\-db\-uri\fR \fIURI\fP
|
25
|
+
Specifies a database URI for the app to connect to\.
|
26
|
+
.RS
|
27
|
+
.RS
|
28
|
+
.IP \(bu 2
|
29
|
+
\fBsqlite3\fP: \fBsqlite3:relative\[sl]path\.db\fR or \fBsqlite3:\[sl]\[sl]\[sl]absolute\[sl]path\.db\fR
|
30
|
+
.IP \(bu 2
|
31
|
+
\fBmysql\fP: \fBmysql:\[sl]\[sl]user:password\[at]host\[sl]database\fR
|
32
|
+
.IP \(bu 2
|
33
|
+
\fBpostgres\fP: \fBpostgres:\[sl]\[sl]user:password\[at]host\[sl]database\fR
|
34
|
+
.RE
|
35
|
+
.RE
|
36
|
+
.TP
|
37
|
+
\fB\-V\fR, \fB\-\-version\fR
|
38
|
+
Prints the \fBronin\-app\fR version\.
|
39
|
+
.TP
|
40
|
+
\fB\-h\fR, \fB\-\-help\fR
|
41
|
+
Prints help information\.
|
42
|
+
.SH ENVIRONMENT
|
43
|
+
.TP
|
44
|
+
\fIHOME\fP
|
45
|
+
Alternate location for the user\[cq]s home directory\.
|
46
|
+
.TP
|
47
|
+
\fIXDG\[ru]CONFIG\[ru]HOME\fP
|
48
|
+
Alternate location for the \fB\[ti]\[sl]\.config\fR directory\.
|
49
|
+
.TP
|
50
|
+
\fIXDG\[ru]DATA\[ru]HOME\fP
|
51
|
+
Alternate location for the \fB\[ti]\[sl]\.local\[sl]share\fR directory\.
|
52
|
+
.SH FILES
|
53
|
+
.TP
|
54
|
+
\fB\[ti]\[sl]\.local\[sl]share\[sl]ronin\-db\[sl]database\.sqlite3\fR
|
55
|
+
The default sqlite3 database file\.
|
56
|
+
.TP
|
57
|
+
\fB\[ti]\[sl]\.config\[sl]ronin\-db\[sl]database\.yml\fR
|
58
|
+
Optional database configuration\.
|
59
|
+
.SH AUTHOR
|
60
|
+
.PP
|
61
|
+
Postmodern
|
62
|
+
.MT postmodern\.mod3\[at]gmail\.com
|
63
|
+
.ME
|
data/man/ronin-app.1.md
ADDED
@@ -0,0 +1,61 @@
|
|
1
|
+
# ronin-app 1 "2023-08-30" Ronin App "User Manuals"
|
2
|
+
|
3
|
+
## NAME
|
4
|
+
|
5
|
+
ronin-app - A local web interface for Ronin
|
6
|
+
|
7
|
+
## SYNOPSIS
|
8
|
+
|
9
|
+
`ronin-app` [*options*] [*COMMAND*]
|
10
|
+
|
11
|
+
## DESCRIPTION
|
12
|
+
|
13
|
+
Starts the local Ronin web application.
|
14
|
+
|
15
|
+
## OPTIONS
|
16
|
+
|
17
|
+
`-H`, `--host` *IP*
|
18
|
+
: The IP address to listen on. Defaults to `localhost` if not specified.
|
19
|
+
|
20
|
+
`-p`, `--port` *PORT*
|
21
|
+
: The port to listen on. Defaults to `1337` if not specified.
|
22
|
+
|
23
|
+
`--db` *NAME*
|
24
|
+
: Specifies the `ronin-db` database name for the app to connect to.
|
25
|
+
|
26
|
+
`--db-uri` *URI*
|
27
|
+
: Specifies a database URI for the app to connect to.
|
28
|
+
|
29
|
+
* **sqlite3**: `sqlite3:relative/path.db` or `sqlite3:///absolute/path.db`
|
30
|
+
* **mysql**: `mysql://user:password@host/database`
|
31
|
+
* **postgres**: `postgres://user:password@host/database`
|
32
|
+
|
33
|
+
`-V`, `--version`
|
34
|
+
: Prints the `ronin-app` version.
|
35
|
+
|
36
|
+
`-h`, `--help`
|
37
|
+
: Prints help information.
|
38
|
+
|
39
|
+
## ENVIRONMENT
|
40
|
+
|
41
|
+
*HOME*
|
42
|
+
: Alternate location for the user's home directory.
|
43
|
+
|
44
|
+
*XDG_CONFIG_HOME*
|
45
|
+
: Alternate location for the `~/.config` directory.
|
46
|
+
|
47
|
+
*XDG_DATA_HOME*
|
48
|
+
: Alternate location for the `~/.local/share` directory.
|
49
|
+
|
50
|
+
## FILES
|
51
|
+
|
52
|
+
`~/.local/share/ronin-db/database.sqlite3`
|
53
|
+
: The default sqlite3 database file.
|
54
|
+
|
55
|
+
`~/.config/ronin-db/database.yml`
|
56
|
+
: Optional database configuration.
|
57
|
+
|
58
|
+
## AUTHOR
|
59
|
+
|
60
|
+
Postmodern <postmodern.mod3@gmail.com>
|
61
|
+
|
Binary file
|
@@ -0,0 +1,78 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
2
|
+
<!-- Created with Inkscape (http://www.inkscape.org/) -->
|
3
|
+
|
4
|
+
<svg
|
5
|
+
width="32"
|
6
|
+
height="32"
|
7
|
+
viewBox="0 0 8.4666662 8.4666662"
|
8
|
+
version="1.1"
|
9
|
+
id="svg324"
|
10
|
+
xmlns="http://www.w3.org/2000/svg"
|
11
|
+
xmlns:svg="http://www.w3.org/2000/svg"
|
12
|
+
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
13
|
+
xmlns:cc="http://creativecommons.org/ns#"
|
14
|
+
xmlns:dc="http://purl.org/dc/elements/1.1/">
|
15
|
+
<title
|
16
|
+
id="title447">Ronin</title>
|
17
|
+
<style>
|
18
|
+
path { fill: #000000; }
|
19
|
+
@media (prefers-color-scheme: dark) {
|
20
|
+
path { fill: #ffffff; }
|
21
|
+
}
|
22
|
+
</style>
|
23
|
+
<defs
|
24
|
+
id="defs321" />
|
25
|
+
<g
|
26
|
+
id="layer1">
|
27
|
+
<g
|
28
|
+
id="g6932"
|
29
|
+
transform="matrix(0.0208635,0,0,0.0208635,-2.4801773,-3.1118599)"
|
30
|
+
style="display:inline">
|
31
|
+
<g
|
32
|
+
id="g350">
|
33
|
+
<path
|
34
|
+
style="font-variation-settings:'wght' 700;display:inline;fill:none;stroke:#000000;stroke-width:3;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:7;stroke-dasharray:none;stroke-opacity:0.991918"
|
35
|
+
d="M 10.556199,32.237999 35.277035,27.91055 72.742093,32.490384 66.652961,55.405256 45.288701,61.015098 62.972493,89.246954 35.726284,66.293348 10.397131,101.36149 32.991476,34.955974 Z"
|
36
|
+
id="path904"
|
37
|
+
class="UnoptimicedTransforms"
|
38
|
+
transform="matrix(4.8235651,0,0,4.8235651,141.024,21.83731)" />
|
39
|
+
<path
|
40
|
+
style="font-variation-settings:'wght' 700;display:inline;fill:none;stroke:#ffffff;stroke-width:14.4707;stroke-linecap:square;stroke-miterlimit:7;stroke-dasharray:none;stroke-opacity:0.991918"
|
41
|
+
d="m 342.21527,195.81028 103.34653,12.69086 -14.06653,51.18699 -119.65288,25.46828 z"
|
42
|
+
id="path1799" />
|
43
|
+
<path
|
44
|
+
style="font-variation-settings:'wght' 700;fill:#000000;stroke:#000000;stroke-width:15.8166;stroke-linecap:square;stroke-miterlimit:7.5;stroke-opacity:0.991918"
|
45
|
+
d="m 311.14109,159.64411 c -20.21344,4.23648 -41.28571,5.48348 -60.90879,12.03137 -6.32158,3.74656 0.0386,10.9274 5.6154,9.96607 16.13661,2.5686 32.40244,4.20214 48.6157,6.19567 -30.90135,89.9687 -61.49081,180.04724 -91.66838,270.2606 -1.46878,6.80489 8.4863,8.002 10.3885,1.87713 30.44717,-40.08696 59.20005,-81.51916 89.06101,-121.95603 33.50724,24.95491 63.86279,53.93701 97.17414,79.14896 6.64432,2.19405 6.72304,-6.25505 3.04054,-9.50025 -18.55988,-31.49151 -38.53903,-62.11618 -57.41306,-93.41711 34.38372,-9.34933 68.99526,-17.88434 103.27156,-27.6099 6.14812,-7.55269 5.69051,-18.86028 9.24056,-27.83752 6.31539,-24.65117 13.25336,-49.19081 18.77258,-74.02001 -2.92843,-7.20626 -13.42398,-3.74059 -19.58309,-6.03564 -51.84339,-6.53554 -103.71905,-13.08667 -155.60667,-19.10334 z m 29.28551,33.71021 c 36.31995,3.48281 72.47493,7.76831 108.59243,12.76147 -4.56709,18.76009 -9.57555,37.22359 -15.51316,55.49496 -41.84395,10.46883 -84.24342,18.37316 -126.37794,27.70801 11.14562,-31.90735 21.37954,-64.58812 33.29867,-95.96444 z"
|
46
|
+
id="path6851" />
|
47
|
+
</g>
|
48
|
+
</g>
|
49
|
+
</g>
|
50
|
+
<metadata
|
51
|
+
id="metadata445">
|
52
|
+
<rdf:RDF>
|
53
|
+
<cc:Work
|
54
|
+
rdf:about="">
|
55
|
+
<dc:title>Ronin</dc:title>
|
56
|
+
<dc:date>2023-01-31</dc:date>
|
57
|
+
<dc:creator>
|
58
|
+
<cc:Agent>
|
59
|
+
<dc:title>Hal Brodigan</dc:title>
|
60
|
+
</cc:Agent>
|
61
|
+
</dc:creator>
|
62
|
+
<cc:license
|
63
|
+
rdf:resource="http://creativecommons.org/licenses/by-nd/4.0/" />
|
64
|
+
</cc:Work>
|
65
|
+
<cc:License
|
66
|
+
rdf:about="http://creativecommons.org/licenses/by-nd/4.0/">
|
67
|
+
<cc:permits
|
68
|
+
rdf:resource="http://creativecommons.org/ns#Reproduction" />
|
69
|
+
<cc:permits
|
70
|
+
rdf:resource="http://creativecommons.org/ns#Distribution" />
|
71
|
+
<cc:requires
|
72
|
+
rdf:resource="http://creativecommons.org/ns#Notice" />
|
73
|
+
<cc:requires
|
74
|
+
rdf:resource="http://creativecommons.org/ns#Attribution" />
|
75
|
+
</cc:License>
|
76
|
+
</rdf:RDF>
|
77
|
+
</metadata>
|
78
|
+
</svg>
|