ronin-vulns 0.1.0.beta1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.document +5 -0
- data/.github/workflows/ruby.yml +31 -0
- data/.gitignore +13 -0
- data/.rspec +1 -0
- data/.ruby-version +1 -0
- data/.yardopts +1 -0
- data/COPYING.txt +165 -0
- data/ChangeLog.md +22 -0
- data/Gemfile +34 -0
- data/README.md +328 -0
- data/Rakefile +34 -0
- data/bin/ronin-vulns +19 -0
- data/data/rfi_test.asp +21 -0
- data/data/rfi_test.aspx +25 -0
- data/data/rfi_test.cfm +27 -0
- data/data/rfi_test.jsp +19 -0
- data/data/rfi_test.php +24 -0
- data/data/rfi_test.pl +25 -0
- data/gemspec.yml +41 -0
- data/lib/ronin/vulns/cli/command.rb +39 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +145 -0
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +119 -0
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +99 -0
- data/lib/ronin/vulns/cli/commands/rfi.rb +156 -0
- data/lib/ronin/vulns/cli/commands/scan.rb +316 -0
- data/lib/ronin/vulns/cli/commands/sqli.rb +133 -0
- data/lib/ronin/vulns/cli/commands/ssti.rb +126 -0
- data/lib/ronin/vulns/cli/logging.rb +78 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +347 -0
- data/lib/ronin/vulns/cli.rb +45 -0
- data/lib/ronin/vulns/lfi/test_file.rb +91 -0
- data/lib/ronin/vulns/lfi.rb +266 -0
- data/lib/ronin/vulns/open_redirect.rb +118 -0
- data/lib/ronin/vulns/reflected_xss/context.rb +224 -0
- data/lib/ronin/vulns/reflected_xss/test_string.rb +149 -0
- data/lib/ronin/vulns/reflected_xss.rb +184 -0
- data/lib/ronin/vulns/rfi.rb +224 -0
- data/lib/ronin/vulns/root.rb +28 -0
- data/lib/ronin/vulns/sqli/error_pattern.rb +89 -0
- data/lib/ronin/vulns/sqli.rb +397 -0
- data/lib/ronin/vulns/ssti/test_expression.rb +104 -0
- data/lib/ronin/vulns/ssti.rb +203 -0
- data/lib/ronin/vulns/url_scanner.rb +218 -0
- data/lib/ronin/vulns/version.rb +26 -0
- data/lib/ronin/vulns/vuln.rb +49 -0
- data/lib/ronin/vulns/web_vuln/http_request.rb +223 -0
- data/lib/ronin/vulns/web_vuln.rb +774 -0
- data/man/ronin-vulns-lfi.1 +107 -0
- data/man/ronin-vulns-lfi.1.md +80 -0
- data/man/ronin-vulns-open-redirect.1 +98 -0
- data/man/ronin-vulns-open-redirect.1.md +73 -0
- data/man/ronin-vulns-reflected-xss.1 +95 -0
- data/man/ronin-vulns-reflected-xss.1.md +71 -0
- data/man/ronin-vulns-rfi.1 +107 -0
- data/man/ronin-vulns-rfi.1.md +80 -0
- data/man/ronin-vulns-scan.1 +138 -0
- data/man/ronin-vulns-scan.1.md +103 -0
- data/man/ronin-vulns-sqli.1 +107 -0
- data/man/ronin-vulns-sqli.1.md +80 -0
- data/man/ronin-vulns-ssti.1 +99 -0
- data/man/ronin-vulns-ssti.1.md +74 -0
- data/ronin-vulns.gemspec +60 -0
- metadata +161 -0
data/data/rfi_test.asp
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
<%
|
2
|
+
response.write("<style type=\"text/css\">");
|
3
|
+
response.write("#rfi-security-alert {");
|
4
|
+
response.write(" position: relative;");
|
5
|
+
response.write(" margin: 25vh 25vw 25vh 25vw;");
|
6
|
+
response.write(" padding: 5em;");
|
7
|
+
response.write(" color: black;")
|
8
|
+
response.write(" background-color: white;");
|
9
|
+
response.write(" border: 4em solid red;");
|
10
|
+
response.write(" z-index: 10000;");
|
11
|
+
response.write("}");
|
12
|
+
response.write("#rfi-security-alert p {");
|
13
|
+
response.write(" text-align: center;");
|
14
|
+
response.write(" font-weight: bold;");
|
15
|
+
response.write(" font-size: 4em;");
|
16
|
+
response.write("}");
|
17
|
+
response.write("</style>");
|
18
|
+
response.write("<div id=\"rfi-security-alert\">");
|
19
|
+
response.write(strReverse("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS"));
|
20
|
+
response.write("</div>");
|
21
|
+
%>
|
data/data/rfi_test.aspx
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
<style type="text/css">
|
2
|
+
#rfi-security-alert {
|
3
|
+
position: relative;
|
4
|
+
margin: 25vh 25vw 25vh 25vw;
|
5
|
+
padding: 5em;
|
6
|
+
color: black;
|
7
|
+
background-color: white;
|
8
|
+
border: 4em solid red;
|
9
|
+
z-index: 10000;
|
10
|
+
}
|
11
|
+
#rfi-security-alert p {
|
12
|
+
text-align: center;
|
13
|
+
font-weight: bold;
|
14
|
+
font-size: 4em;
|
15
|
+
}
|
16
|
+
</style>
|
17
|
+
@{
|
18
|
+
string reversed_security_alert = "!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS";
|
19
|
+
char[] security_alert_chars = reversed_security_alert.ToCharArray();
|
20
|
+
Array.Reverse(security_alert_chars);
|
21
|
+
string security_alert = new string(security_alert_chars);
|
22
|
+
}
|
23
|
+
<div id="rfi-security-alert">
|
24
|
+
<p>@security_alert</p>
|
25
|
+
</div>
|
data/data/rfi_test.cfm
ADDED
@@ -0,0 +1,27 @@
|
|
1
|
+
<cfoutput>
|
2
|
+
<style type="text/css">
|
3
|
+
##rfi-security-alert {
|
4
|
+
position: relative;
|
5
|
+
margin: 25vh 25vw 25vh 25vw;
|
6
|
+
padding: 5em;
|
7
|
+
color: black;
|
8
|
+
background-color: white;
|
9
|
+
border: 4em solid red;
|
10
|
+
z-index: 10000;
|
11
|
+
}
|
12
|
+
##rfi-security-alert p {
|
13
|
+
text-align: center;
|
14
|
+
font-weight: bold;
|
15
|
+
font-size: 4em;
|
16
|
+
}
|
17
|
+
</style>
|
18
|
+
<div id="rfi-security-alert">
|
19
|
+
<p>
|
20
|
+
</cfoutput>
|
21
|
+
<cfscript>
|
22
|
+
writeOutput(reverse("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS"));
|
23
|
+
</cfscript>
|
24
|
+
<cfoutput>
|
25
|
+
</p>
|
26
|
+
</div>
|
27
|
+
</cfoutput>
|
data/data/rfi_test.jsp
ADDED
@@ -0,0 +1,19 @@
|
|
1
|
+
<%= "<style type=\"text/css\">" %>
|
2
|
+
<%= "#rfi-security-alert {" %>
|
3
|
+
<%= " position: relative;" %>
|
4
|
+
<%= " margin: 25vh 25vw 25vh 25vw;" %>
|
5
|
+
<%= " padding: 5em;" %>
|
6
|
+
<%= " color: black;" %>
|
7
|
+
<%= " background-color: white;" %>
|
8
|
+
<%= " border: 4em solid red;" %>
|
9
|
+
<%= " z-index: 10000;" %>
|
10
|
+
<%= "}" %>
|
11
|
+
<%= "#rfi-security-alert p {" %>
|
12
|
+
<%= " text-align: center;" %>
|
13
|
+
<%= " font-weight: bold;" %>
|
14
|
+
<%= " font-size: 4em;" %>
|
15
|
+
<%= "}" %>
|
16
|
+
<%= "</style>" %>
|
17
|
+
<%= "<div id=\"rfi-security-alert\">" %>
|
18
|
+
<%= " <p>" + new StringBuffer("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS").reverse() + "</p>" %>
|
19
|
+
<%= "</div>" %>
|
data/data/rfi_test.php
ADDED
@@ -0,0 +1,24 @@
|
|
1
|
+
<?php
|
2
|
+
echo <<<EOS
|
3
|
+
<style type="text/css">
|
4
|
+
#rfi-security-alert {
|
5
|
+
position: relative;
|
6
|
+
margin: 25vh 25vw 25vh 25vw;
|
7
|
+
padding: 5em;
|
8
|
+
color: black;
|
9
|
+
background-color: white;
|
10
|
+
border: 4em solid red;
|
11
|
+
z-index: 10000;
|
12
|
+
}
|
13
|
+
#rfi-security-alert p {
|
14
|
+
text-align: center;
|
15
|
+
font-weight: bold;
|
16
|
+
font-size: 4em;
|
17
|
+
}
|
18
|
+
</style>
|
19
|
+
EOS . PHP_EOL;
|
20
|
+
|
21
|
+
echo "<div id=\"rfi-security-alert\">" . PHP_EOL;
|
22
|
+
echo " <p>" . strrev("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS") . "</p>" . PHP_EOL;
|
23
|
+
echo "</div>" . PHP_EOL;
|
24
|
+
?>
|
data/data/rfi_test.pl
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
print <<'EOS';
|
2
|
+
<style type="text/css">
|
3
|
+
#rfi-security-alert {
|
4
|
+
position: relative;
|
5
|
+
margin: 25vh 25vw 25vh 25vw;
|
6
|
+
padding: 5em;
|
7
|
+
color: black;
|
8
|
+
background-color: white;
|
9
|
+
border: 4em solid red;
|
10
|
+
z-index: 10000;
|
11
|
+
}
|
12
|
+
#rfi-security-alert p {
|
13
|
+
text-align: center;
|
14
|
+
font-weight: bold;
|
15
|
+
font-size: 4em;
|
16
|
+
}
|
17
|
+
</style>
|
18
|
+
EOS
|
19
|
+
|
20
|
+
my $reversed_security_alert = "!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS";
|
21
|
+
my $security_alert = reverse($reversed_security_alert);
|
22
|
+
|
23
|
+
print "<div id=\"rfi-security-alert\">", "\n";
|
24
|
+
print " <p>", $security_alert, "</p>\n";
|
25
|
+
print "</div>", "\n";
|
data/gemspec.yml
ADDED
@@ -0,0 +1,41 @@
|
|
1
|
+
name: ronin-vulns
|
2
|
+
summary:
|
3
|
+
Tests URLs for Local File Inclusion (LFI), Remove File Inclusion (RFI),
|
4
|
+
SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template
|
5
|
+
Injection (SSTI), and Open Redirects.
|
6
|
+
description: |
|
7
|
+
ronin-vulns is a Ruby library for blind vulnerability testing.
|
8
|
+
It currently supports testing for Local File Inclusion (LFI),
|
9
|
+
Remote File Inclusion (RFI), SQL injection (SQLi), reflective Cross Site
|
10
|
+
Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
|
11
|
+
|
12
|
+
license: LGPL-3.0
|
13
|
+
authors: Postmodern
|
14
|
+
email: postmodern.mod3@gmail.com
|
15
|
+
homepage: https://ronin-rb.dev/
|
16
|
+
has_yard: true
|
17
|
+
|
18
|
+
metadata:
|
19
|
+
documentation_uri: https://rubydoc.info/gems/ronin-vulns
|
20
|
+
source_code_uri: https://github.com/ronin-rb/ronin-vulns
|
21
|
+
bug_tracker_uri: https://github.com/ronin-rb/ronin-vulns/issues
|
22
|
+
changelog_uri: https://github.com/ronin-rb/ronin-vulns/blob/master/ChangeLog.md
|
23
|
+
rubygems_mfa_required: 'true'
|
24
|
+
|
25
|
+
required_ruby_version: ">= 3.0.0"
|
26
|
+
|
27
|
+
generated_files:
|
28
|
+
- man/ronin-vulns-lfi.1
|
29
|
+
- man/ronin-vulns-rfi.1
|
30
|
+
- man/ronin-vulns-sqli.1
|
31
|
+
- man/ronin-vulns-ssti.1
|
32
|
+
- man/ronin-vulns-open-redirect.1
|
33
|
+
- man/ronin-vulns-reflected-xss.1
|
34
|
+
- man/ronin-vulns-scan.1
|
35
|
+
|
36
|
+
dependencies:
|
37
|
+
ronin-support: ~> 1.0.0.beta1
|
38
|
+
ronin-core: ~> 0.1.0.beta1
|
39
|
+
|
40
|
+
development_dependencies:
|
41
|
+
bundler: ~> 2.0
|
@@ -0,0 +1,39 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-vulns - A Ruby library for blind vulnerability testing.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-vulns is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-vulns is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/vulns/root'
|
22
|
+
require 'ronin/core/cli/command'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Vulns
|
26
|
+
class CLI
|
27
|
+
#
|
28
|
+
# Base class for all `ronin-vulns` commands.
|
29
|
+
#
|
30
|
+
class Command < Core::CLI::Command
|
31
|
+
|
32
|
+
man_dir File.join(ROOT,'man')
|
33
|
+
|
34
|
+
bug_report_url 'https://github.com/ronin-rb/ronin-vulns/issues/new'
|
35
|
+
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
@@ -0,0 +1,145 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-vulns - A Ruby library for blind vulnerability testing.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-vulns is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-vulns is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/vulns/cli/web_vuln_command'
|
22
|
+
require 'ronin/vulns/lfi'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Vulns
|
26
|
+
class CLI
|
27
|
+
module Commands
|
28
|
+
#
|
29
|
+
# Scans URL(s) for Local File Inclusion (LFI) vulnerabilities
|
30
|
+
#
|
31
|
+
# ## Usage
|
32
|
+
#
|
33
|
+
# ronin-vulns lfi [options] {URL ... | --input FILE}
|
34
|
+
#
|
35
|
+
# ## Options
|
36
|
+
#
|
37
|
+
# --first Only find the first vulnerability for each URL
|
38
|
+
# -A, --all Find all vulnerabilities for each URL
|
39
|
+
# -H, --header "Name: value" Sets an additional header
|
40
|
+
# -C, --cookie COOKIE Sets the raw Cookie header
|
41
|
+
# -c, --cookie-param NAME=VALUE Sets an additional cookie param
|
42
|
+
# -R, --referer URL Sets the Referer header
|
43
|
+
# -F, --form-param NAME=VALUE Sets an additional form param
|
44
|
+
# --test-query-param NAME Tests the URL query param name
|
45
|
+
# --test-all-query-params Test all URL query param names
|
46
|
+
# --test-header-name NAME Tests the HTTP Header name
|
47
|
+
# --test-cookie-param NAME Tests the HTTP Cookie name
|
48
|
+
# --test-all-cookie-params Test all Cookie param names
|
49
|
+
# --test-form-param NAME Tests the form param name
|
50
|
+
# -i, --input FILE Reads URLs from the list file
|
51
|
+
# -O, --os unix|windows Sets the OS to test for
|
52
|
+
# -D, --depth COUNT Sets the directory depth to escape up
|
53
|
+
# -B null_byte|double_escape|base64|rot13|zlib,
|
54
|
+
# --filter-bypass Sets the filter bypass strategy to use
|
55
|
+
# -h, --help Print help information
|
56
|
+
#
|
57
|
+
# ## Arguments
|
58
|
+
#
|
59
|
+
# [URL ...] The URL(s) to scan
|
60
|
+
#
|
61
|
+
class Lfi < WebVulnCommand
|
62
|
+
|
63
|
+
usage '[options] {URL ... | --input FILE}'
|
64
|
+
|
65
|
+
option :os, short: '-O',
|
66
|
+
value: {
|
67
|
+
type: [:unix, :windows]
|
68
|
+
},
|
69
|
+
desc: 'Sets the OS to test for'
|
70
|
+
|
71
|
+
option :depth, short: '-D',
|
72
|
+
value: {
|
73
|
+
type: Integer,
|
74
|
+
usage: 'COUNT'
|
75
|
+
},
|
76
|
+
desc: 'Sets the directory depth to escape up'
|
77
|
+
|
78
|
+
option :filter_bypass, short: '-B',
|
79
|
+
value: {
|
80
|
+
type: [
|
81
|
+
:null_byte,
|
82
|
+
:double_escape,
|
83
|
+
:base64,
|
84
|
+
:rot13,
|
85
|
+
:zlib
|
86
|
+
]
|
87
|
+
},
|
88
|
+
desc: 'Sets the filter bypass strategy to use'
|
89
|
+
|
90
|
+
description 'Scans URL(s) for Local File Inclusion (LFI) vulnerabilities'
|
91
|
+
|
92
|
+
man_page 'ronin-vulns-lfi.1'
|
93
|
+
|
94
|
+
#
|
95
|
+
# Keyword arguments for `Vulns::LFI.scan` and `Vulns::LFI.test`.
|
96
|
+
#
|
97
|
+
# @return [Hash{Symbol => Object}]
|
98
|
+
#
|
99
|
+
def scan_kwargs
|
100
|
+
kwargs = super()
|
101
|
+
|
102
|
+
kwargs[:os] = options[:os] if options[:os]
|
103
|
+
kwargs[:depth] = options[:depth] if options[:depth]
|
104
|
+
|
105
|
+
if options[:filter_bypass]
|
106
|
+
kwargs[:filter_bypass] = options[:filter_bypass]
|
107
|
+
end
|
108
|
+
|
109
|
+
return kwargs
|
110
|
+
end
|
111
|
+
|
112
|
+
#
|
113
|
+
# Scans a URL for LFI vulnerabiltiies.
|
114
|
+
#
|
115
|
+
# @param [String] url
|
116
|
+
# The URL to scan.
|
117
|
+
#
|
118
|
+
# @yield [vuln]
|
119
|
+
# The given block will be passed each discovered LFI vulnerability.
|
120
|
+
#
|
121
|
+
# @yieldparam [Vulns::LFI] vuln
|
122
|
+
# A LFI vulnerability discovered on the URL.
|
123
|
+
#
|
124
|
+
def scan_url(url,&block)
|
125
|
+
Vulns::LFI.scan(url,**scan_kwargs,&block)
|
126
|
+
end
|
127
|
+
|
128
|
+
#
|
129
|
+
# Tests a URL for LFI vulnerabiltiies.
|
130
|
+
#
|
131
|
+
# @param [String] url
|
132
|
+
# The URL to test.
|
133
|
+
#
|
134
|
+
# @return [Vulns::LFI, nil]
|
135
|
+
# The first LFI vulnerability discovered on the URL.
|
136
|
+
#
|
137
|
+
def test_url(url,&block)
|
138
|
+
Vulns::LFI.test(url,**scan_kwargs)
|
139
|
+
end
|
140
|
+
|
141
|
+
end
|
142
|
+
end
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
@@ -0,0 +1,119 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-vulns - A Ruby library for blind vulnerability testing.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-vulns is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-vulns is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/vulns/cli/web_vuln_command'
|
22
|
+
require 'ronin/vulns/open_redirect'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Vulns
|
26
|
+
class CLI
|
27
|
+
module Commands
|
28
|
+
#
|
29
|
+
# Scans URL(s) for Open Redirect vulnerabilities.
|
30
|
+
#
|
31
|
+
# ## Usage
|
32
|
+
#
|
33
|
+
# ronin-vulns open-redirect [options] {URL ... | --input FILE}
|
34
|
+
#
|
35
|
+
# ## Options
|
36
|
+
#
|
37
|
+
# --first Only find the first vulnerability for each URL
|
38
|
+
# -A, --all Find all vulnerabilities for each URL
|
39
|
+
# -H, --header "Name: value" Sets an additional header
|
40
|
+
# -C, --cookie COOKIE Sets the raw Cookie header
|
41
|
+
# -c, --cookie-param NAME=VALUE Sets an additional cookie param
|
42
|
+
# -R, --referer URL Sets the Referer header
|
43
|
+
# -F, --form-param NAME=VALUE Sets an additional form param
|
44
|
+
# --test-query-param NAME Tests the URL query param name
|
45
|
+
# --test-all-query-params Test all URL query param names
|
46
|
+
# --test-header-name NAME Tests the HTTP Header name
|
47
|
+
# --test-cookie-param NAME Tests the HTTP Cookie name
|
48
|
+
# --test-all-cookie-params Test all Cookie param names
|
49
|
+
# --test-form-param NAME Tests the form param name
|
50
|
+
# -i, --input FILE Reads URLs from the list file
|
51
|
+
# -T, --test-url URL Optional test URL to try to redirect to
|
52
|
+
# -h, --help Print help information
|
53
|
+
#
|
54
|
+
# ## Arguments
|
55
|
+
#
|
56
|
+
# [URL ...] The URL(s) to scan
|
57
|
+
#
|
58
|
+
class OpenRedirect < WebVulnCommand
|
59
|
+
|
60
|
+
usage '[options] {URL ... | --input FILE}'
|
61
|
+
|
62
|
+
option :test_url, short: '-T',
|
63
|
+
value: {
|
64
|
+
type: String,
|
65
|
+
usage: 'URL'
|
66
|
+
},
|
67
|
+
desc: 'Optional test URL to try to redirect to'
|
68
|
+
|
69
|
+
description 'Scans URL(s) for Open Redirect vulnerabilities'
|
70
|
+
|
71
|
+
man_page 'ronin-vulns-open-redirect.1'
|
72
|
+
|
73
|
+
#
|
74
|
+
# Keyword arguments for `Vulns::OpenRedirect.scan` and
|
75
|
+
# `Vulns::OpenRedirect.test`.
|
76
|
+
#
|
77
|
+
# @return [Hash{Symbol => Object}]
|
78
|
+
#
|
79
|
+
def scan_kwargs
|
80
|
+
kwargs = super()
|
81
|
+
kwargs[:test_url] = options[:test_url] if options[:test_url]
|
82
|
+
return kwargs
|
83
|
+
end
|
84
|
+
|
85
|
+
#
|
86
|
+
# Scans a URL for Open Redirect vulnerabiltiies.
|
87
|
+
#
|
88
|
+
# @param [String] url
|
89
|
+
# The URL to scan.
|
90
|
+
#
|
91
|
+
# @yield [vuln]
|
92
|
+
# The given block will be passed each discovered OpenRedirect
|
93
|
+
# vulnerability.
|
94
|
+
#
|
95
|
+
# @yieldparam [Vulns::OpenRedirect] vuln
|
96
|
+
# A OpenRedirect vulnerability discovered on the URL.
|
97
|
+
#
|
98
|
+
def scan_url(url,&block)
|
99
|
+
Vulns::OpenRedirect.scan(url,**scan_kwargs,&block)
|
100
|
+
end
|
101
|
+
|
102
|
+
#
|
103
|
+
# Tests a URL for Open Redirect vulnerabiltiies.
|
104
|
+
#
|
105
|
+
# @param [String] url
|
106
|
+
# The URL to test.
|
107
|
+
#
|
108
|
+
# @return [Vulns::OpenRedirect, nil]
|
109
|
+
# The first Open Redirect vulnerability discovered on the URL.
|
110
|
+
#
|
111
|
+
def test_url(url,&block)
|
112
|
+
Vulns::OpenRedirect.test(url,**scan_kwargs)
|
113
|
+
end
|
114
|
+
|
115
|
+
end
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
119
|
+
end
|
@@ -0,0 +1,99 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-vulns - A Ruby library for blind vulnerability testing.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-vulns is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-vulns is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/vulns/cli/web_vuln_command'
|
22
|
+
require 'ronin/vulns/reflected_xss'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Vulns
|
26
|
+
class CLI
|
27
|
+
module Commands
|
28
|
+
#
|
29
|
+
# Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities.
|
30
|
+
#
|
31
|
+
# ## Usage
|
32
|
+
#
|
33
|
+
# ronin-vulns reflected-xss [options] {URL ... | --input FILE}
|
34
|
+
#
|
35
|
+
# ## Options
|
36
|
+
#
|
37
|
+
# --first Only find the first vulnerability for each URL
|
38
|
+
# -A, --all Find all vulnerabilities for each URL
|
39
|
+
# -H, --header "Name: value" Sets an additional header
|
40
|
+
# -C, --cookie COOKIE Sets the raw Cookie header
|
41
|
+
# -c, --cookie-param NAME=VALUE Sets an additional cookie param
|
42
|
+
# -R, --referer URL Sets the Referer header
|
43
|
+
# -F, --form-param NAME=VALUE Sets an additional form param
|
44
|
+
# --test-query-param NAME Tests the URL query param name
|
45
|
+
# --test-all-query-params Test all URL query param names
|
46
|
+
# --test-header-name NAME Tests the HTTP Header name
|
47
|
+
# --test-cookie-param NAME Tests the HTTP Cookie name
|
48
|
+
# --test-all-cookie-params Test all Cookie param names
|
49
|
+
# --test-form-param NAME Tests the form param name
|
50
|
+
# -i, --input FILE Reads URLs from the list file
|
51
|
+
# -h, --help Print help information
|
52
|
+
#
|
53
|
+
# ## Arguments
|
54
|
+
#
|
55
|
+
# [URL ...] The URL(s) to scan
|
56
|
+
#
|
57
|
+
class ReflectedXss < WebVulnCommand
|
58
|
+
|
59
|
+
usage '[options] {URL ... | --input FILE}'
|
60
|
+
|
61
|
+
description 'Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities'
|
62
|
+
|
63
|
+
man_page 'ronin-vulns-reflected-xss.1'
|
64
|
+
|
65
|
+
#
|
66
|
+
# Scans a URL for Reflected XSS vulnerabiltiies.
|
67
|
+
#
|
68
|
+
# @param [String] url
|
69
|
+
# The URL to scan.
|
70
|
+
#
|
71
|
+
# @yield [vuln]
|
72
|
+
# The given block will be passed each discovered Reflected XSS
|
73
|
+
# vulnerability.
|
74
|
+
#
|
75
|
+
# @yieldparam [Vulns::ReflectedXSS] vuln
|
76
|
+
# A Reflected XSS vulnerability discovered on the URL.
|
77
|
+
#
|
78
|
+
def scan_url(url,&block)
|
79
|
+
Vulns::ReflectedXSS.scan(url,**scan_kwargs,&block)
|
80
|
+
end
|
81
|
+
|
82
|
+
#
|
83
|
+
# Tests a URL for Reflected XSS vulnerabiltiies.
|
84
|
+
#
|
85
|
+
# @param [String] url
|
86
|
+
# The URL to test.
|
87
|
+
#
|
88
|
+
# @return [Vulns::ReflectedXSS, nil]
|
89
|
+
# The first Reflected XSS vulnerability discovered on the URL.
|
90
|
+
#
|
91
|
+
def test_url(url,&block)
|
92
|
+
Vulns::ReflectedXSS.test(url,**scan_kwargs)
|
93
|
+
end
|
94
|
+
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
end
|