ronin-vulns 0.1.0.beta1

data/data/rfi_test.asp

@@ -0,0 +1,21 @@
+<%
+response.write("<style type=\"text/css\">");
+response.write("#rfi-security-alert {");
+response.write("  position: relative;");
+response.write("  margin: 25vh 25vw 25vh 25vw;");
+response.write("  padding: 5em;");
+response.write("  color: black;")
+response.write("  background-color: white;");
+response.write("  border: 4em solid red;");
+response.write("  z-index: 10000;");
+response.write("}");
+response.write("#rfi-security-alert p {");
+response.write("  text-align: center;");
+response.write("  font-weight: bold;");
+response.write("  font-size: 4em;");
+response.write("}");
+response.write("</style>");
+response.write("<div id=\"rfi-security-alert\">");
+response.write(strReverse("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS"));
+response.write("</div>");
+%>

data/data/rfi_test.aspx

@@ -0,0 +1,25 @@
+<style type="text/css">
+#rfi-security-alert {
+  position: relative;
+  margin: 25vh 25vw 25vh 25vw;
+  padding: 5em;
+  color: black;
+  background-color: white;
+  border: 4em solid red;
+  z-index: 10000;
+}
+#rfi-security-alert p {
+  text-align: center;
+  font-weight: bold;
+  font-size: 4em;
+}
+</style>
+@{
+    string reversed_security_alert = "!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS";
+    char[] security_alert_chars = reversed_security_alert.ToCharArray();
+    Array.Reverse(security_alert_chars);
+    string security_alert = new string(security_alert_chars);
+}
+<div id="rfi-security-alert">
+  <p>@security_alert</p>
+</div>

data/data/rfi_test.cfm

@@ -0,0 +1,27 @@
+<cfoutput>
+<style type="text/css">
+##rfi-security-alert {
+  position: relative;
+  margin: 25vh 25vw 25vh 25vw;
+  padding: 5em;
+  color: black;
+  background-color: white;
+  border: 4em solid red;
+  z-index: 10000;
+}
+##rfi-security-alert p {
+  text-align: center;
+  font-weight: bold;
+  font-size: 4em;
+}
+</style>
+<div id="rfi-security-alert">
+  <p>
+</cfoutput>
+<cfscript>
+writeOutput(reverse("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS"));
+</cfscript>
+<cfoutput>
+  </p>
+</div>
+</cfoutput>

data/data/rfi_test.jsp

@@ -0,0 +1,19 @@
+<%= "<style type=\"text/css\">" %>
+<%= "#rfi-security-alert {" %>
+<%= "  position: relative;" %>
+<%= "  margin: 25vh 25vw 25vh 25vw;" %>
+<%= "  padding: 5em;" %>
+<%= "  color: black;" %>
+<%= "  background-color: white;" %>
+<%= "  border: 4em solid red;" %>
+<%= "  z-index: 10000;" %>
+<%= "}" %>
+<%= "#rfi-security-alert p {" %>
+<%= "  text-align: center;" %>
+<%= "  font-weight: bold;" %>
+<%= "  font-size: 4em;" %>
+<%= "}" %>
+<%= "</style>" %>
+<%= "<div id=\"rfi-security-alert\">" %>
+<%= "  <p>" + new StringBuffer("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS").reverse() + "</p>" %>
+<%= "</div>" %>

data/data/rfi_test.php

@@ -0,0 +1,24 @@
+<?php
+echo <<<EOS
+<style type="text/css">
+#rfi-security-alert {
+  position: relative;
+  margin: 25vh 25vw 25vh 25vw;
+  padding: 5em;
+  color: black;
+  background-color: white;
+  border: 4em solid red;
+  z-index: 10000;
+}
+#rfi-security-alert p {
+  text-align: center;
+  font-weight: bold;
+  font-size: 4em;
+}
+</style>
+EOS . PHP_EOL;
+
+echo "<div id=\"rfi-security-alert\">" . PHP_EOL;
+echo "  <p>" . strrev("!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS") . "</p>" . PHP_EOL;
+echo "</div>" . PHP_EOL;
+?>

data/data/rfi_test.pl

@@ -0,0 +1,25 @@
+print <<'EOS';
+<style type="text/css">
+#rfi-security-alert {
+  position: relative;
+  margin: 25vh 25vw 25vh 25vw;
+  padding: 5em;
+  color: black;
+  background-color: white;
+  border: 4em solid red;
+  z-index: 10000;
+}
+#rfi-security-alert p {
+  text-align: center;
+  font-weight: bold;
+  font-size: 4em;
+}
+</style>
+EOS
+
+my $reversed_security_alert = "!detceteD )IFR( noisulcnI eliF etomeR :trelA ytiruceS";
+my $security_alert = reverse($reversed_security_alert);
+
+print "<div id=\"rfi-security-alert\">", "\n";
+print "  <p>", $security_alert, "</p>\n";
+print "</div>", "\n";

data/gemspec.yml

@@ -0,0 +1,41 @@
+name: ronin-vulns
+summary:
+  Tests URLs for Local File Inclusion (LFI), Remove File Inclusion (RFI),
+  SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template
+  Injection (SSTI), and Open Redirects.
+description: |
+  ronin-vulns is a Ruby library for blind vulnerability testing.
+  It currently supports testing for Local File Inclusion (LFI),
+  Remote File Inclusion (RFI), SQL injection (SQLi), reflective Cross Site
+  Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
+
+license: LGPL-3.0
+authors: Postmodern
+email: postmodern.mod3@gmail.com
+homepage: https://ronin-rb.dev/
+has_yard: true
+
+metadata:
+  documentation_uri: https://rubydoc.info/gems/ronin-vulns
+  source_code_uri:   https://github.com/ronin-rb/ronin-vulns
+  bug_tracker_uri:   https://github.com/ronin-rb/ronin-vulns/issues
+  changelog_uri:     https://github.com/ronin-rb/ronin-vulns/blob/master/ChangeLog.md
+  rubygems_mfa_required: 'true'
+
+required_ruby_version: ">= 3.0.0"
+
+generated_files:
+  - man/ronin-vulns-lfi.1
+  - man/ronin-vulns-rfi.1
+  - man/ronin-vulns-sqli.1
+  - man/ronin-vulns-ssti.1
+  - man/ronin-vulns-open-redirect.1
+  - man/ronin-vulns-reflected-xss.1
+  - man/ronin-vulns-scan.1
+
+dependencies:
+  ronin-support: ~> 1.0.0.beta1
+  ronin-core: ~> 0.1.0.beta1
+
+development_dependencies:
+  bundler: ~> 2.0

data/lib/ronin/vulns/cli/command.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/root'
+require 'ronin/core/cli/command'
+
+module Ronin
+  module Vulns
+    class CLI
+      #
+      # Base class for all `ronin-vulns` commands.
+      #
+      class Command < Core::CLI::Command
+
+        man_dir File.join(ROOT,'man')
+
+        bug_report_url 'https://github.com/ronin-rb/ronin-vulns/issues/new'
+
+      end
+    end
+  end
+end

data/lib/ronin/vulns/cli/commands/lfi.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/lfi'
+
+module Ronin
+  module Vulns
+    class CLI
+      module Commands
+        #
+        # Scans URL(s) for Local File Inclusion (LFI) vulnerabilities
+        #
+        # ## Usage
+        #
+        #     ronin-vulns lfi [options] {URL ... | --input FILE}
+        #
+        # ## Options
+        #
+        #         --first                      Only find the first vulnerability for each URL
+        #     -A, --all                        Find all vulnerabilities for each URL
+        #     -H, --header "Name: value"       Sets an additional header
+        #     -C, --cookie COOKIE              Sets the raw Cookie header
+        #     -c, --cookie-param NAME=VALUE    Sets an additional cookie param
+        #     -R, --referer URL                Sets the Referer header
+        #     -F, --form-param NAME=VALUE      Sets an additional form param
+        #         --test-query-param NAME      Tests the URL query param name
+        #         --test-all-query-params      Test all URL query param names
+        #         --test-header-name NAME      Tests the HTTP Header name
+        #         --test-cookie-param NAME     Tests the HTTP Cookie name
+        #         --test-all-cookie-params     Test all Cookie param names
+        #         --test-form-param NAME       Tests the form param name
+        #     -i, --input FILE                 Reads URLs from the list file
+        #     -O, --os unix|windows            Sets the OS to test for
+        #     -D, --depth COUNT                Sets the directory depth to escape up
+        #     -B null_byte|double_escape|base64|rot13|zlib,
+        #         --filter-bypass              Sets the filter bypass strategy to use
+        #     -h, --help                       Print help information
+        #
+        # ## Arguments
+        #
+        #     [URL ...]                        The URL(s) to scan
+        #
+        class Lfi < WebVulnCommand
+
+          usage '[options] {URL ... | --input FILE}'
+
+          option :os, short: '-O',
+                      value: {
+                        type: [:unix, :windows]
+                      },
+                      desc: 'Sets the OS to test for'
+
+          option :depth, short: '-D',
+                         value: {
+                           type:  Integer,
+                           usage: 'COUNT'
+                         },
+                         desc: 'Sets the directory depth to escape up'
+
+          option :filter_bypass, short: '-B',
+                                 value: {
+                                   type: [
+                                     :null_byte,
+                                     :double_escape,
+                                     :base64,
+                                     :rot13,
+                                     :zlib
+                                   ]
+                                 },
+                                 desc: 'Sets the filter bypass strategy to use'
+
+          description 'Scans URL(s) for Local File Inclusion (LFI) vulnerabilities'
+
+          man_page 'ronin-vulns-lfi.1'
+
+          #
+          # Keyword arguments for `Vulns::LFI.scan` and `Vulns::LFI.test`.
+          #
+          # @return [Hash{Symbol => Object}]
+          #
+          def scan_kwargs
+            kwargs = super()
+
+            kwargs[:os]    = options[:os]    if options[:os]
+            kwargs[:depth] = options[:depth] if options[:depth]
+
+            if options[:filter_bypass]
+              kwargs[:filter_bypass] = options[:filter_bypass]
+            end
+
+            return kwargs
+          end
+
+          #
+          # Scans a URL for LFI vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to scan.
+          #
+          # @yield [vuln]
+          #   The given block will be passed each discovered LFI vulnerability.
+          #
+          # @yieldparam [Vulns::LFI] vuln
+          #   A LFI vulnerability discovered on the URL.
+          #
+          def scan_url(url,&block)
+            Vulns::LFI.scan(url,**scan_kwargs,&block)
+          end
+
+          #
+          # Tests a URL for LFI vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to test.
+          #
+          # @return [Vulns::LFI, nil]
+          #   The first LFI vulnerability discovered on the URL.
+          #
+          def test_url(url,&block)
+            Vulns::LFI.test(url,**scan_kwargs)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/vulns/cli/commands/open_redirect.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/open_redirect'
+
+module Ronin
+  module Vulns
+    class CLI
+      module Commands
+        #
+        # Scans URL(s) for Open Redirect vulnerabilities.
+        #
+        # ## Usage
+        #
+        #     ronin-vulns open-redirect [options] {URL ... | --input FILE}
+        #
+        # ## Options
+        #
+        #         --first                      Only find the first vulnerability for each URL
+        #     -A, --all                        Find all vulnerabilities for each URL
+        #     -H, --header "Name: value"       Sets an additional header
+        #     -C, --cookie COOKIE              Sets the raw Cookie header
+        #     -c, --cookie-param NAME=VALUE    Sets an additional cookie param
+        #     -R, --referer URL                Sets the Referer header
+        #     -F, --form-param NAME=VALUE      Sets an additional form param
+        #         --test-query-param NAME      Tests the URL query param name
+        #         --test-all-query-params      Test all URL query param names
+        #         --test-header-name NAME      Tests the HTTP Header name
+        #         --test-cookie-param NAME     Tests the HTTP Cookie name
+        #         --test-all-cookie-params     Test all Cookie param names
+        #         --test-form-param NAME       Tests the form param name
+        #     -i, --input FILE                 Reads URLs from the list file
+        #     -T, --test-url URL               Optional test URL to try to redirect to
+        #     -h, --help                       Print help information
+        #
+        # ## Arguments
+        #
+        #     [URL ...]                        The URL(s) to scan
+        #
+        class OpenRedirect < WebVulnCommand
+
+          usage '[options] {URL ... | --input FILE}'
+
+          option :test_url, short: '-T',
+                            value: {
+                              type:  String,
+                              usage: 'URL'
+                            },
+                            desc: 'Optional test URL to try to redirect to'
+
+          description 'Scans URL(s) for Open Redirect vulnerabilities'
+
+          man_page 'ronin-vulns-open-redirect.1'
+
+          #
+          # Keyword arguments for `Vulns::OpenRedirect.scan` and
+          # `Vulns::OpenRedirect.test`.
+          #
+          # @return [Hash{Symbol => Object}]
+          #
+          def scan_kwargs
+            kwargs = super()
+            kwargs[:test_url] = options[:test_url] if options[:test_url]
+            return kwargs
+          end
+
+          #
+          # Scans a URL for Open Redirect vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to scan.
+          #
+          # @yield [vuln]
+          #   The given block will be passed each discovered OpenRedirect
+          #   vulnerability.
+          #
+          # @yieldparam [Vulns::OpenRedirect] vuln
+          #   A OpenRedirect vulnerability discovered on the URL.
+          #
+          def scan_url(url,&block)
+            Vulns::OpenRedirect.scan(url,**scan_kwargs,&block)
+          end
+
+          #
+          # Tests a URL for Open Redirect vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to test.
+          #
+          # @return [Vulns::OpenRedirect, nil]
+          #   The first Open Redirect vulnerability discovered on the URL.
+          #
+          def test_url(url,&block)
+            Vulns::OpenRedirect.test(url,**scan_kwargs)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/vulns/cli/commands/reflected_xss.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/reflected_xss'
+
+module Ronin
+  module Vulns
+    class CLI
+      module Commands
+        #
+        # Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities.
+        #
+        # ## Usage
+        #
+        #     ronin-vulns reflected-xss [options] {URL ... | --input FILE}
+        #
+        # ## Options
+        #
+        #         --first                      Only find the first vulnerability for each URL
+        #     -A, --all                        Find all vulnerabilities for each URL
+        #     -H, --header "Name: value"       Sets an additional header
+        #     -C, --cookie COOKIE              Sets the raw Cookie header
+        #     -c, --cookie-param NAME=VALUE    Sets an additional cookie param
+        #     -R, --referer URL                Sets the Referer header
+        #     -F, --form-param NAME=VALUE      Sets an additional form param
+        #         --test-query-param NAME      Tests the URL query param name
+        #         --test-all-query-params      Test all URL query param names
+        #         --test-header-name NAME      Tests the HTTP Header name
+        #         --test-cookie-param NAME     Tests the HTTP Cookie name
+        #         --test-all-cookie-params     Test all Cookie param names
+        #         --test-form-param NAME       Tests the form param name
+        #     -i, --input FILE                 Reads URLs from the list file
+        #     -h, --help                       Print help information
+        #
+        # ## Arguments
+        #
+        #     [URL ...]                        The URL(s) to scan
+        #
+        class ReflectedXss < WebVulnCommand
+
+          usage '[options] {URL ... | --input FILE}'
+
+          description 'Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities'
+
+          man_page 'ronin-vulns-reflected-xss.1'
+
+          #
+          # Scans a URL for Reflected XSS vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to scan.
+          #
+          # @yield [vuln]
+          #   The given block will be passed each discovered Reflected XSS
+          #   vulnerability.
+          #
+          # @yieldparam [Vulns::ReflectedXSS] vuln
+          #   A Reflected XSS vulnerability discovered on the URL.
+          #
+          def scan_url(url,&block)
+            Vulns::ReflectedXSS.scan(url,**scan_kwargs,&block)
+          end
+
+          #
+          # Tests a URL for Reflected XSS vulnerabiltiies.
+          #
+          # @param [String] url
+          #   The URL to test.
+          #
+          # @return [Vulns::ReflectedXSS, nil]
+          #   The first Reflected XSS vulnerability discovered on the URL.
+          #
+          def test_url(url,&block)
+            Vulns::ReflectedXSS.test(url,**scan_kwargs)
+          end
+
+        end
+      end
+    end
+  end
+end