ronin-php 0.0.9
- data/COPYING.txt +339 -0
- data/History.txt +10 -0
- data/Manifest.txt +36 -0
- data/README.txt +70 -0
- data/Rakefile +19 -0
- data/lib/ronin/php.rb +27 -0
- data/lib/ronin/php/extensions.rb +24 -0
- data/lib/ronin/php/extensions/string.rb +42 -0
- data/lib/ronin/php/lfi.rb +28 -0
- data/lib/ronin/php/lfi/exceptions.rb +24 -0
- data/lib/ronin/php/lfi/exceptions/unknown_target.rb +31 -0
- data/lib/ronin/php/lfi/extensions.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri/http.rb +58 -0
- data/lib/ronin/php/lfi/file.rb +86 -0
- data/lib/ronin/php/lfi/lfi.rb +245 -0
- data/lib/ronin/php/lfi/target.rb +344 -0
- data/lib/ronin/php/rfi.rb +25 -0
- data/lib/ronin/php/rfi/extensions.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri/http.rb +54 -0
- data/lib/ronin/php/rfi/rfi.rb +127 -0
- data/lib/ronin/rpc/php.rb +28 -0
- data/lib/ronin/rpc/php/call.rb +45 -0
- data/lib/ronin/rpc/php/client.rb +152 -0
- data/lib/ronin/rpc/php/console.rb +42 -0
- data/lib/ronin/rpc/php/response.rb +63 -0
- data/lib/ronin/rpc/php/rfi.rb +46 -0
- data/lib/ronin/rpc/php/shell.rb +70 -0
- data/spec/spec_helper.rb +5 -0
- data/static/rfi/test.php +27 -0
- data/static/rpc/server.php +482 -0
- data/tasks/helpers.rb +1 -0
- data/tasks/helpers/minify.rb +54 -0
- data/tasks/spec.rb +7 -0
- data/tasks/static.rb +34 -0
- metadata +132 -0
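--- a/data/lib/ronin/php/lfi/target.rb
+++ b/data/lib/ronin/php/lfi/target.rb
@@ -0,0 +1,344 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+module Ronin
+module PHP
+class LFI
+class Target
+
+# Hash of OS specific paths for the target
+attr_reader :paths
+
+# Hash of patterns to recognize the target by
+attr_accessor :recognizor
+
+# Hash of extractor rules
+attr_reader :extractors
+
+#
+# Creates a new Path object with the specified _path_ and _pattern_.
+#
+def initialize(&block)
+@paths = Hash.new { |hash,key| hash[key] = [] }
+
+@recognizor = nil
+@extractors = {}
+
+block.call(self) if block
+end
+
+#
+# Returns the supported OSes.
+#
+def oses
+@paths.keys
+end
+
+#
+# Returns all the paths of the target.
+#
+def all_paths
+@paths.values.flatten.uniq
+end
+
+#
+# Returns the paths for the target commonly found on the specified _os_.
+#
+def paths_for(os)
+@paths[os]
+end
+
+#
+# Iterates over each path passing each one to the specified _block_.
+#
+def each_path(&block)
+@paths.each_value do |os_paths|
+os_paths.each(&block)
+end
+end
+
+#
+# Returns +true+ if the specified _body_ has the path included in
+# it, returns +false+ otherwise.
+#
+def included_in?(body)
+if @recognizor
+return !((body =~ @recognizor).nil?)
+else
+return false
+end
+end
+
+#
+# Add an extraction rule with the specified _name_ and the
+# specified _pattern_.
+#
+def extract(name,pattern)
+@extractors[name] = pattern
+end
+
+def extract_from(body)
+data = {}
+
+@extractors.each do |name,pattern|
+match = pattern.match(body)
+
+if match
+if match.length > 2
+data[name] = match[1..-1]
+elsif match.length == 2
+data[name] = match[1]
+else
+data[name] = match[0]
+end
+end
+end
+
+return data
+end
+
+def Target.categories
+@@categories ||= Hash.new { |hash,key| hash[key] = [] }
+end
+
+def Target.category(name)
+Target.categories[name]
+end
+
+def Target.all
+Target.categories.values.flatten
+end
+
+def Target.each(&block)
+Target.categories.each_value do |targets|
+targets.each(&block)
+end
+end
+
+def Target.test(&block)
+Target.define(:test,&block)
+end
+
+def Target.tests
+Target.category(:test)
+end
+
+def Target.config(&block)
+Target.define(:config,&block)
+end
+
+def Target.configs
+Target.category(:config)
+end
+
+def Target.log(&block)
+Target.define(:log,&block)
+end
+
+def Target.logs
+Target.category(:logs)
+end
+
+def Target.targets_for(os)
+Target.each do |target|
+if target.oses.include?(os)
+return target
+end
+end
+end
+
+def Target.with_extractors
+targets = []
+
+Target.each do |target|
+unless target.extractors.empty?
+targets << target
+end
+end
+
+return targets
+end
+
+def Target.with_file(name)
+Target.each do |target|
+target.each_path do |path|
+if path =~ /#{name}$/
+return target
+end
+end
+end
+end
+
+protected
+
+def self.define(name,&block)
+new_target = Target.new(&block)
+
+Target.categories[name] << new_target
+return new_target
+end
+
+Target.test do |target|
+target.paths['Linux'] = ['/etc/group']
+target.paths['Solaris'] = ['/etc/group']
+
+target.recognizor = /root:/
+end
+
+Target.test do |target|
+target.paths['Windows'] = ['/boot.ini']
+
+target.recognizor = /\[boot loader\]/
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/passwd']
+target.paths['Solaris'] = ['/etc/passwd']
+
+target.recognizor = /root:/
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/group']
+target.paths['Solaris'] = ['/etc/group']
+
+target.recognizor = /root:/
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/fstab']
+target.paths['Solaris'] = ['/etc/vfstab']
+
+target.recognizor = /\/?proc\s+(-\s+)?\/proc\s+proc/
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/mtab']
+target.paths['Solaris'] = ['/etc/mnttab']
+
+target.recognizor = /proc\s+\/proc\s+proc/
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/apache/apache.conf', '/etc/apache2/apache.conf']
+target.paths['Solaris'] = ['/etc/apache/apache.conf', '/etc/apache2/apache.conf']
+
+target.recognizor = /ServerRoot/
+
+apache_setting = lambda { |name,setting|
+target.extract name, /^[^#]*#{setting}\s+\"?[^\"]+\"?\n/
+}
+
+apache_setting.call(:apache_server_name,'ServerName')
+apache_setting.call(:apache_server_listen,'Listen')
+apache_setting.call(:apache_server_bind,'BindAddress')
+apache_setting.call(:apache_server_port,'Port')
+apache_setting.call(:apache_server_root,'ServerRoot')
+apache_setting.call(:apache_server_admin,'ServerAdmin')
+apache_setting.call(:apache_document_root,'DocumentRoot')
+apache_setting.call(:apache_pid_file,'PidTarget')
+apache_setting.call(:apache_user,'User')
+apache_setting.call(:apache_group,'Group')
+apache_setting.call(:apache_log_level,'LogLevel')
+apache_setting.call(:apache_error_log,'ErrorLog')
+apache_setting.call(:apache_access_log,'CustomLog')
+apache_setting.call(:apache_access_filename,'AccessFileName')
+apache_setting.call(:apache_user_dir,'UserDir')
+apache_setting.call(:apache_script_alias,'ScriptAlias')
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/lighttpd/lighttpd.conf']
+target.paths['Solaris'] = ['/etc/lighttpd/lighttpd.conf']
+
+target.recognizor = /server\.modules/
+
+lighttpd_string = lambda { |name,setting|
+target.extract name, /^[^#]*#{Regexp.escape(setting)}\s*=\s*\"([^\"]+)\"\n/
+}
+
+lighttpd_number = lambda { |name,setting|
+target.extract name, /^[^#]*#{Regexp.escape(setting)}\s*=\s*(\d+)\n/
+}
+
+lighttpd_string.call(:lighttpd_name,'server.name')
+lighttpd_string.call(:lighttpd_bind,'server.bind')
+lighttpd_number.call(:lighttpd_port,'server.port')
+lighttpd_string.call(:lighttpd_tag,'server.tag')
+lighttpd_string.call(:lighttpd_pid_file,'server.pid-file')
+lighttpd_string.call(:lighttpd_chroot,'server.chroot')
+lighttpd_string.call(:lighttpd_user,'server.username')
+lighttpd_string.call(:lighttpd_group,'server.groupname')
+lighttpd_string.call(:lighttpd_server_root,'server.root')
+lighttpd_string.call(:lighttpd_error_log,'server.errorlog')
+lighttpd_string.call(:lighttpd_access_log,'accesslog.filename')
+lighttpd_string.call(:lighttpd_auth,'auth.backend')
+lighttpd_string.call(:lighttpd_auth_plain_file,'auth.backend.plain.userfile')
+lighttpd_string.call(:lighttpd_auth_htpasswd_file,'auth.backend.htpasswd.userfile')
+lighttpd_string.call(:lighttpd_status_url,'status.status-url')
+lighttpd_string.call(:lighttpd_config_url,'status.config-url')
+lighttpd_string.call(:lighttpd_ssl,'ssl.engine')
+lighttpd_string.call(:lighttpd_ssl_pem,'ssl.pemfile')
+end
+
+Target.config do |target|
+target.paths['Linux'] = ['/etc/mysql/my.cnf']
+
+target.recognizor = /^\[mysql[^\]]*\]/
+
+mysql_setting = lambda { |name,setting|
+target.extract name, /\[mysqld\]\n[^\[]+#{setting}\s*=\s*(.*)\n/
+}
+
+mysql_setting.call(:mysql_user, 'user')
+mysql_setting.call(:mysql_port, 'port')
+mysql_setting.call(:mysql_socket, 'socket')
+mysql_setting.call(:mysql_log, 'log-error')
+mysql_setting.call(:mysql_data_dir, 'datadir')
+mysql_setting.call(:mysql_bind, 'bind-address')
+end
+
+Target.log do |target|
+target.paths['Linux'] = ['/var/log/wtmp']
+target.paths['Solaris'] = ['/var/log/wtmp']
+
+target.recognizor = /(tty\d+|:\d+)/
+end
+
+Target.log do |target|
+target.paths['Linux'] = ['/var/log/apache/rewrite.log', '/var/log/apache2/rewrite.log']
+
+target.recognizor = /init rewrite engine with requested uri/
+end
+
+Target.log do |target|
+target.paths['Linux'] = ['/etc/syslog.conf']
+target.paths['Solaris'] = ['/etc/syslog.conf']
+
+target.recognizor = /kern\.(\*|emerg|alert|crit|err|warn(ing)?|notice|info|debug)/
+end
+
+end
+end
+end
+end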
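Review bot: `Target.logs` looks up `Target.category(:logs)` while `Target.log` registers targets with `Target.define(:log,&block)`, so `Target.logs` always returns a fresh empty array from the Hash default and the three `Target.log` entries at the bottom of the file are unreachable through it; the fix is `Target.category(:log)`. Separately, `Target.with_file(name)` interpolates `name` unescaped into `/#{name}$/`, so regex metacharacters in the name (the `.` in `my.cnf`) act as syntax and `$` matches at any line end rather than the end of the path; `if path =~ /#{Regexp.escape(name)}\z/` matches the evident intent. The `apache_setting` lambda likewise omits the `Regexp.escape` that the lighttpd lambdas use, and its pattern has no capture group, so `extract_from` stores the whole matched line under each apache key instead of the directive's value; `'PidTarget'` there is presumably meant to be Apache's `PidFile` directive. Finally, `@@categories` is a class variable shared down the inheritance tree, and `Target.targets_for(os)` returns only the first matching target (or the categories Hash when none matches) despite its plural name; a class-level instance variable and a `select`-based implementation would make both behave as their names suggest.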
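--- a/data/lib/ronin/php/rfi.rb
+++ b/data/lib/ronin/php/rfi.rb
@@ -0,0 +1,25 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/rfi/extensions'
+require 'ronin/php/rfi/rfi'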
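--- a/data/lib/ronin/php/rfi/extensions.rb
+++ b/data/lib/ronin/php/rfi/extensions.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/rfi/extensions/uri'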
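--- a/data/lib/ronin/php/rfi/extensions/uri.rb
+++ b/data/lib/ronin/php/rfi/extensions/uri.rb
@@ -0,0 +1,24 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/rfi/extensions/uri/http'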
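--- a/data/lib/ronin/php/rfi/extensions/uri/http.rb
+++ b/data/lib/ronin/php/rfi/extensions/uri/http.rb
@@ -0,0 +1,54 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/php/rfi/rfi'
+require 'ronin/extensions/uri'
+
+module URI
+class HTTP < Generic
+
+def test_rfi(options={})
+vulns = []
+
+query_params.each_key do |param|
+rfi = Ronin::PHP::RFI.new(self,param)
+
+if rfi.vulnerable?(options)
+vulns << rfi
+break
+end
+end
+
+return vulns
+end
+
+def rfi(options={})
+test_rfi(options).first
+end
+
+def has_rfi?(options={})
+!(test_rfi(options).empty?)
+end
+
+end
+end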
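Review bot: The `break` after `vulns << rfi` in `test_rfi` stops at the first query parameter that `vulnerable?` reports, so the returned array never holds more than one entry even though the method name and the `has_rfi?`/`rfi` wrappers read as if every parameter were tested; either drop the `break` so all vulnerable parameters are reported, or state the limit with `# Stops at the first vulnerable parameter; at most one RFI is returned.` above the loop. `query_params` and `Ronin::PHP::RFI#vulnerable?` come from the required `ronin/extensions/uri` and `ronin/php/rfi/rfi`, neither of which is in this diff, so what `vulnerable?` does per parameter (and therefore the cost of removing the `break`) cannot be confirmed here. The three methods carry no doc comments, unlike the `Target` class in this same release; a one-line comment per method, e.g. `# Returns the first vulnerable Ronin::PHP::RFI for this URL, or nil.` on `rfi`, would make the contract explicit.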