ronin-php 0.0.9

@@ -0,0 +1,344 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ module Ronin
25
+ module PHP
26
+ class LFI
27
+ class Target
28
+
29
+ # Hash of OS specific paths for the target
30
+ attr_reader :paths
31
+
32
+ # Hash of patterns to recognize the target by
33
+ attr_accessor :recognizor
34
+
35
+ # Hash of extractor rules
36
+ attr_reader :extractors
37
+
38
+ #
39
+ # Creates a new Path object with the specified _path_ and _pattern_.
40
+ #
41
+ def initialize(&block)
42
+ @paths = Hash.new { |hash,key| hash[key] = [] }
43
+
44
+ @recognizor = nil
45
+ @extractors = {}
46
+
47
+ block.call(self) if block
48
+ end
49
+
50
+ #
51
+ # Returns the supported OSes.
52
+ #
53
+ def oses
54
+ @paths.keys
55
+ end
56
+
57
+ #
58
+ # Returns all the paths of the target.
59
+ #
60
+ def all_paths
61
+ @paths.values.flatten.uniq
62
+ end
63
+
64
+ #
65
+ # Returns the paths for the target commonly found on the specified _os_.
66
+ #
67
+ def paths_for(os)
68
+ @paths[os]
69
+ end
70
+
71
+ #
72
+ # Iterates over each path passing each one to the specified _block_.
73
+ #
74
+ def each_path(&block)
75
+ @paths.each_value do |os_paths|
76
+ os_paths.each(&block)
77
+ end
78
+ end
79
+
80
+ #
81
+ # Returns +true+ if the specified _body_ has the path included in
82
+ # it, returns +false+ otherwise.
83
+ #
84
+ def included_in?(body)
85
+ if @recognizor
86
+ return !((body =~ @recognizor).nil?)
87
+ else
88
+ return false
89
+ end
90
+ end
91
+
92
+ #
93
+ # Add an extraction rule with the specified _name_ and the
94
+ # specified _pattern_.
95
+ #
96
+ def extract(name,pattern)
97
+ @extractors[name] = pattern
98
+ end
99
+
100
+ def extract_from(body)
101
+ data = {}
102
+
103
+ @extractors.each do |name,pattern|
104
+ match = pattern.match(body)
105
+
106
+ if match
107
+ if match.length > 2
108
+ data[name] = match[1..-1]
109
+ elsif match.length == 2
110
+ data[name] = match[1]
111
+ else
112
+ data[name] = match[0]
113
+ end
114
+ end
115
+ end
116
+
117
+ return data
118
+ end
119
+
120
+ def Target.categories
121
+ @@categories ||= Hash.new { |hash,key| hash[key] = [] }
122
+ end
123
+
124
+ def Target.category(name)
125
+ Target.categories[name]
126
+ end
127
+
128
+ def Target.all
129
+ Target.categories.values.flatten
130
+ end
131
+
132
+ def Target.each(&block)
133
+ Target.categories.each_value do |targets|
134
+ targets.each(&block)
135
+ end
136
+ end
137
+
138
+ def Target.test(&block)
139
+ Target.define(:test,&block)
140
+ end
141
+
142
+ def Target.tests
143
+ Target.category(:test)
144
+ end
145
+
146
+ def Target.config(&block)
147
+ Target.define(:config,&block)
148
+ end
149
+
150
+ def Target.configs
151
+ Target.category(:config)
152
+ end
153
+
154
+ def Target.log(&block)
155
+ Target.define(:log,&block)
156
+ end
157
+
158
+ def Target.logs
159
+ Target.category(:logs)
160
+ end
161
+
162
+ def Target.targets_for(os)
163
+ Target.each do |target|
164
+ if target.oses.include?(os)
165
+ return target
166
+ end
167
+ end
168
+ end
169
+
170
+ def Target.with_extractors
171
+ targets = []
172
+
173
+ Target.each do |target|
174
+ unless target.extractors.empty?
175
+ targets << target
176
+ end
177
+ end
178
+
179
+ return targets
180
+ end
181
+
182
+ def Target.with_file(name)
183
+ Target.each do |target|
184
+ target.each_path do |path|
185
+ if path =~ /#{name}$/
186
+ return target
187
+ end
188
+ end
189
+ end
190
+ end
191
+
192
+ protected
193
+
194
+ def self.define(name,&block)
195
+ new_target = Target.new(&block)
196
+
197
+ Target.categories[name] << new_target
198
+ return new_target
199
+ end
200
+
201
+ Target.test do |target|
202
+ target.paths['Linux'] = ['/etc/group']
203
+ target.paths['Solaris'] = ['/etc/group']
204
+
205
+ target.recognizor = /root:/
206
+ end
207
+
208
+ Target.test do |target|
209
+ target.paths['Windows'] = ['/boot.ini']
210
+
211
+ target.recognizor = /\[boot loader\]/
212
+ end
213
+
214
+ Target.config do |target|
215
+ target.paths['Linux'] = ['/etc/passwd']
216
+ target.paths['Solaris'] = ['/etc/passwd']
217
+
218
+ target.recognizor = /root:/
219
+ end
220
+
221
+ Target.config do |target|
222
+ target.paths['Linux'] = ['/etc/group']
223
+ target.paths['Solaris'] = ['/etc/group']
224
+
225
+ target.recognizor = /root:/
226
+ end
227
+
228
+ Target.config do |target|
229
+ target.paths['Linux'] = ['/etc/fstab']
230
+ target.paths['Solaris'] = ['/etc/vfstab']
231
+
232
+ target.recognizor = /\/?proc\s+(-\s+)?\/proc\s+proc/
233
+ end
234
+
235
+ Target.config do |target|
236
+ target.paths['Linux'] = ['/etc/mtab']
237
+ target.paths['Solaris'] = ['/etc/mnttab']
238
+
239
+ target.recognizor = /proc\s+\/proc\s+proc/
240
+ end
241
+
242
+ Target.config do |target|
243
+ target.paths['Linux'] = ['/etc/apache/apache.conf', '/etc/apache2/apache.conf']
244
+ target.paths['Solaris'] = ['/etc/apache/apache.conf', '/etc/apache2/apache.conf']
245
+
246
+ target.recognizor = /ServerRoot/
247
+
248
+ apache_setting = lambda { |name,setting|
249
+ target.extract name, /^[^#]*#{setting}\s+\"?[^\"]+\"?\n/
250
+ }
251
+
252
+ apache_setting.call(:apache_server_name,'ServerName')
253
+ apache_setting.call(:apache_server_listen,'Listen')
254
+ apache_setting.call(:apache_server_bind,'BindAddress')
255
+ apache_setting.call(:apache_server_port,'Port')
256
+ apache_setting.call(:apache_server_root,'ServerRoot')
257
+ apache_setting.call(:apache_server_admin,'ServerAdmin')
258
+ apache_setting.call(:apache_document_root,'DocumentRoot')
259
+ apache_setting.call(:apache_pid_file,'PidTarget')
260
+ apache_setting.call(:apache_user,'User')
261
+ apache_setting.call(:apache_group,'Group')
262
+ apache_setting.call(:apache_log_level,'LogLevel')
263
+ apache_setting.call(:apache_error_log,'ErrorLog')
264
+ apache_setting.call(:apache_access_log,'CustomLog')
265
+ apache_setting.call(:apache_access_filename,'AccessFileName')
266
+ apache_setting.call(:apache_user_dir,'UserDir')
267
+ apache_setting.call(:apache_script_alias,'ScriptAlias')
268
+ end
269
+
270
+ Target.config do |target|
271
+ target.paths['Linux'] = ['/etc/lighttpd/lighttpd.conf']
272
+ target.paths['Solaris'] = ['/etc/lighttpd/lighttpd.conf']
273
+
274
+ target.recognizor = /server\.modules/
275
+
276
+ lighttpd_string = lambda { |name,setting|
277
+ target.extract name, /^[^#]*#{Regexp.escape(setting)}\s*=\s*\"([^\"]+)\"\n/
278
+ }
279
+
280
+ lighttpd_number = lambda { |name,setting|
281
+ target.extract name, /^[^#]*#{Regexp.escape(setting)}\s*=\s*(\d+)\n/
282
+ }
283
+
284
+ lighttpd_string.call(:lighttpd_name,'server.name')
285
+ lighttpd_string.call(:lighttpd_bind,'server.bind')
286
+ lighttpd_number.call(:lighttpd_port,'server.port')
287
+ lighttpd_string.call(:lighttpd_tag,'server.tag')
288
+ lighttpd_string.call(:lighttpd_pid_file,'server.pid-file')
289
+ lighttpd_string.call(:lighttpd_chroot,'server.chroot')
290
+ lighttpd_string.call(:lighttpd_user,'server.username')
291
+ lighttpd_string.call(:lighttpd_group,'server.groupname')
292
+ lighttpd_string.call(:lighttpd_server_root,'server.root')
293
+ lighttpd_string.call(:lighttpd_error_log,'server.errorlog')
294
+ lighttpd_string.call(:lighttpd_access_log,'accesslog.filename')
295
+ lighttpd_string.call(:lighttpd_auth,'auth.backend')
296
+ lighttpd_string.call(:lighttpd_auth_plain_file,'auth.backend.plain.userfile')
297
+ lighttpd_string.call(:lighttpd_auth_htpasswd_file,'auth.backend.htpasswd.userfile')
298
+ lighttpd_string.call(:lighttpd_status_url,'status.status-url')
299
+ lighttpd_string.call(:lighttpd_config_url,'status.config-url')
300
+ lighttpd_string.call(:lighttpd_ssl,'ssl.engine')
301
+ lighttpd_string.call(:lighttpd_ssl_pem,'ssl.pemfile')
302
+ end
303
+
304
+ Target.config do |target|
305
+ target.paths['Linux'] = ['/etc/mysql/my.cnf']
306
+
307
+ target.recognizor = /^\[mysql[^\]]*\]/
308
+
309
+ mysql_setting = lambda { |name,setting|
310
+ target.extract name, /\[mysqld\]\n[^\[]+#{setting}\s*=\s*(.*)\n/
311
+ }
312
+
313
+ mysql_setting.call(:mysql_user, 'user')
314
+ mysql_setting.call(:mysql_port, 'port')
315
+ mysql_setting.call(:mysql_socket, 'socket')
316
+ mysql_setting.call(:mysql_log, 'log-error')
317
+ mysql_setting.call(:mysql_data_dir, 'datadir')
318
+ mysql_setting.call(:mysql_bind, 'bind-address')
319
+ end
320
+
321
+ Target.log do |target|
322
+ target.paths['Linux'] = ['/var/log/wtmp']
323
+ target.paths['Solaris'] = ['/var/log/wtmp']
324
+
325
+ target.recognizor = /(tty\d+|:\d+)/
326
+ end
327
+
328
+ Target.log do |target|
329
+ target.paths['Linux'] = ['/var/log/apache/rewrite.log', '/var/log/apache2/rewrite.log']
330
+
331
+ target.recognizor = /init rewrite engine with requested uri/
332
+ end
333
+
334
+ Target.log do |target|
335
+ target.paths['Linux'] = ['/etc/syslog.conf']
336
+ target.paths['Solaris'] = ['/etc/syslog.conf']
337
+
338
+ target.recognizor = /kern\.(\*|emerg|alert|crit|err|warn(ing)?|notice|info|debug)/
339
+ end
340
+
341
+ end
342
+ end
343
+ end
344
+ end
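Review bot: `Target.logs` looks up `Target.category(:logs)`, but `Target.log` registers its targets under `:log`, so `logs` always returns an empty array and, because `categories` is a default-block Hash, also creates a stray `:logs` key; it should read `Target.category(:log)`. `Target.targets_for` and `Target.with_file` return from inside `Target.each`, so when nothing matches they fall through and return the categories Hash rather than `nil`, and `targets_for` yields a single target despite its plural name. `with_file` also interpolates `name` unescaped into `/#{name}$/`, where `$` anchors at end of line; `/#{Regexp.escape(name)}\z/` would match the literal file name at the end of the path. In the Apache block, `'PidTarget'` appears to be a leftover of a File-to-Target rename (the comment on `initialize` still speaks of a "Path object"); the Apache directive is `PidFile`.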
@@ -0,0 +1,25 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/rfi/extensions'
25
+ require 'ronin/php/rfi/rfi'
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/rfi/extensions/uri'
@@ -0,0 +1,24 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/rfi/extensions/uri/http'
@@ -0,0 +1,54 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/php/rfi/rfi'
25
+ require 'ronin/extensions/uri'
26
+
27
+ module URI
28
+ class HTTP < Generic
29
+
30
+ def test_rfi(options={})
31
+ vulns = []
32
+
33
+ query_params.each_key do |param|
34
+ rfi = Ronin::PHP::RFI.new(self,param)
35
+
36
+ if rfi.vulnerable?(options)
37
+ vulns << rfi
38
+ break
39
+ end
40
+ end
41
+
42
+ return vulns
43
+ end
44
+
45
+ def rfi(options={})
46
+ test_rfi(options).first
47
+ end
48
+
49
+ def has_rfi?(options={})
50
+ !(test_rfi(options).empty?)
51
+ end
52
+
53
+ end
54
+ end
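Review bot: The `break` inside `test_rfi` ends the loop at the first parameter that reports vulnerable, so the returned `vulns` array never holds more than one entry and any further affected query parameters go unreported. If that early exit is intended, the method should say so; otherwise remove the `break` and let `rfi` and `has_rfi?` keep using `.first` and `.empty?` on the full list. None of the three methods added to `URI::HTTP` carries a comment, unlike the methods in `LFI::Target`; a line such as `# Tests each query parameter of the URL for RFI; _options_ are passed through to RFI#vulnerable?.` above `test_rfi` would help, since the accepted option keys are not visible in this hunk.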