ronin-vulns 0.1.0.beta1
- checksums.yaml +7 -0
- data/.document +5 -0
- data/.github/workflows/ruby.yml +31 -0
- data/.gitignore +13 -0
- data/.rspec +1 -0
- data/.ruby-version +1 -0
- data/.yardopts +1 -0
- data/COPYING.txt +165 -0
- data/ChangeLog.md +22 -0
- data/Gemfile +34 -0
- data/README.md +328 -0
- data/Rakefile +34 -0
- data/bin/ronin-vulns +19 -0
- data/data/rfi_test.asp +21 -0
- data/data/rfi_test.aspx +25 -0
- data/data/rfi_test.cfm +27 -0
- data/data/rfi_test.jsp +19 -0
- data/data/rfi_test.php +24 -0
- data/data/rfi_test.pl +25 -0
- data/gemspec.yml +41 -0
- data/lib/ronin/vulns/cli/command.rb +39 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +145 -0
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +119 -0
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +99 -0
- data/lib/ronin/vulns/cli/commands/rfi.rb +156 -0
- data/lib/ronin/vulns/cli/commands/scan.rb +316 -0
- data/lib/ronin/vulns/cli/commands/sqli.rb +133 -0
- data/lib/ronin/vulns/cli/commands/ssti.rb +126 -0
- data/lib/ronin/vulns/cli/logging.rb +78 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +347 -0
- data/lib/ronin/vulns/cli.rb +45 -0
- data/lib/ronin/vulns/lfi/test_file.rb +91 -0
- data/lib/ronin/vulns/lfi.rb +266 -0
- data/lib/ronin/vulns/open_redirect.rb +118 -0
- data/lib/ronin/vulns/reflected_xss/context.rb +224 -0
- data/lib/ronin/vulns/reflected_xss/test_string.rb +149 -0
- data/lib/ronin/vulns/reflected_xss.rb +184 -0
- data/lib/ronin/vulns/rfi.rb +224 -0
- data/lib/ronin/vulns/root.rb +28 -0
- data/lib/ronin/vulns/sqli/error_pattern.rb +89 -0
- data/lib/ronin/vulns/sqli.rb +397 -0
- data/lib/ronin/vulns/ssti/test_expression.rb +104 -0
- data/lib/ronin/vulns/ssti.rb +203 -0
- data/lib/ronin/vulns/url_scanner.rb +218 -0
- data/lib/ronin/vulns/version.rb +26 -0
- data/lib/ronin/vulns/vuln.rb +49 -0
- data/lib/ronin/vulns/web_vuln/http_request.rb +223 -0
- data/lib/ronin/vulns/web_vuln.rb +774 -0
- data/man/ronin-vulns-lfi.1 +107 -0
- data/man/ronin-vulns-lfi.1.md +80 -0
- data/man/ronin-vulns-open-redirect.1 +98 -0
- data/man/ronin-vulns-open-redirect.1.md +73 -0
- data/man/ronin-vulns-reflected-xss.1 +95 -0
- data/man/ronin-vulns-reflected-xss.1.md +71 -0
- data/man/ronin-vulns-rfi.1 +107 -0
- data/man/ronin-vulns-rfi.1.md +80 -0
- data/man/ronin-vulns-scan.1 +138 -0
- data/man/ronin-vulns-scan.1.md +103 -0
- data/man/ronin-vulns-sqli.1 +107 -0
- data/man/ronin-vulns-sqli.1.md +80 -0
- data/man/ronin-vulns-ssti.1 +99 -0
- data/man/ronin-vulns-ssti.1.md +74 -0
- data/ronin-vulns.gemspec +60 -0
- metadata +161 -0
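--- /dev/null
+++ b/data/lib/ronin/vulns/cli/commands/rfi.rb
@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/rfi'
+
+module Ronin
+module Vulns
+class CLI
+module Commands
+#
+# Scans URL(s) for Remote File Inclusion (RFI) vulnerabilities.
+#
+# ## Usage
+#
+# ronin-vulns rfi [options] {URL ... | --input FILE}
+#
+# ## Options
+#
+# --first Only find the first vulnerability for each URL
+# -A, --all Find all vulnerabilities for each URL
+# -H, --header "Name: value" Sets an additional header
+# -C, --cookie COOKIE Sets the raw Cookie header
+# -c, --cookie-param NAME=VALUE Sets an additional cookie param
+# -R, --referer URL Sets the Referer header
+# -F, --form-param NAME=VALUE Sets an additional form param
+# --test-query-param NAME Tests the URL query param name
+# --test-all-query-params Test all URL query param names
+# --test-header-name NAME Tests the HTTP Header name
+# --test-cookie-param NAME Tests the HTTP Cookie name
+# --test-all-cookie-params Test all Cookie param names
+# --test-form-param NAME Tests the form param name
+# -i, --input FILE Reads URLs from the list file
+# -B double-encode|suffix-escape|null-byte,
+# --filter-bypass Optional filter-bypass strategy to use
+# -S asp|asp.net|coldfusion|jsp|php|perl,
+# --script-lang Explicitly specify the scripting language to test for
+# -T, --test-script-url URL Use an altnerative test script URL
+# -h, --help Print help information
+#
+# ## Arguments
+#
+# [URL ...] The URL(s) to scan
+#
+class Rfi < WebVulnCommand
+
+usage '[options] {URL ... | --input FILE}'
+
+option :filter_bypass, short: '-B',
+value: {
+type: {
+'double-encode' => :double_encode,
+'suffix-escape' => :suffix_escape,
+'null-byte' => :null_byte
+},
+},
+desc: 'Optional filter-bypass strategy to use'
+
+option :script_lang, short: '-S',
+value: {
+type: {
+'asp' => :asp,
+'asp.net' => :asp_net,
+'coldfusion' => :cold_fusion,
+'jsp' => :jsp,
+'php' => :php,
+'perl' => :perl
+}
+},
+desc: 'Explicitly specify the scripting language to test for'
+
+option :test_script_url, short: '-T',
+value: {
+type: String,
+usage: 'URL'
+},
+desc: 'Use an altnerative test script URL'
+
+description 'Scans URL(s) for Remote File Inclusion (RFI) vulnerabilities'
+
+man_page 'ronin-vulns-rfi.1'
+
+#
+# Keyword arguments for `Vulns::RFI.scan` and `Vulns::RFI.test`.
+#
+# @return [Hash{Symbol => Object}]
+#
+def scan_kwargs
+kwargs = super()
+
+if options[:filter_bypass]
+kwargs[:filter_bypass] = options[:filter_bypass]
+end
+
+if options[:script_lang]
+kwargs[:script_lang] = options[:script_lang]
+end
+
+if options[:test_script_url]
+kwargs[:test_script_url] = options[:test_script_url]
+end
+
+return kwargs
+end
+
+#
+# Scans a URL for RFI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered RFI vulnerability.
+#
+# @yieldparam [Vulns::RFI] vuln
+# A RFI vulnerability discovered on the URL.
+#
+def scan_url(url,&block)
+Vulns::RFI.scan(url,**scan_kwargs,&block)
+end
+
+#
+# Tests a URL for RFI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [Vulns::RFI, nil]
+# The first RFI vulnerability discovered on the URL.
+#
+def test_url(url,&block)
+Vulns::RFI.test(url,**scan_kwargs)
+end
+
+end
+end
+end
+end
+end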
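Review bot: `--test-script-url` is declared with a bare `value: { type: String, usage: 'URL' }` and `scan_kwargs` forwards it untouched as `test_script_url:`, so a malformed value or a non-HTTP scheme is only rejected, if at all, inside `Vulns::RFI`, which is not visible here; since this value is presumably what gets planted in the target's include parameter, validating it at the CLI boundary is cheap — give the option a parse block that does `uri = URI(url)` and raises `ArgumentError` unless `uri.is_a?(URI::HTTP)`. `test_url(url,&block)` declares `&block` but calls `Vulns::RFI.test(url,**scan_kwargs)` without it, so a caller's block is silently ignored; either drop the parameter (`def test_url(url)`) or forward it. The user-facing desc string `'Use an altnerative test script URL'` misspells "alternative", and the same typo is repeated in the class header comment.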
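--- /dev/null
+++ b/data/lib/ronin/vulns/cli/commands/scan.rb
@@ -0,0 +1,316 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/url_scanner'
+
+module Ronin
+module Vulns
+class CLI
+module Commands
+#
+# Scans URL(s) for web vulnerabilities.
+#
+# ## Usage
+#
+# ronin-vulns scan [options] {URL ... | --input FILE}
+#
+# ## Options
+#
+# --first Only find the first vulnerability for each URL
+# -A, --all Find all vulnerabilities for each URL
+# -H, --header "Name: value" Sets an additional header
+# -C, --cookie COOKIE Sets the raw Cookie header
+# -c, --cookie-param NAME=VALUE Sets an additional cookie param
+# -R, --referer URL Sets the Referer header
+# -F, --form-param NAME=VALUE Sets an additional form param
+# --test-query-param NAME Tests the URL query param name
+# --test-header-names NAME Tests the HTTP Header name
+# --test-cookie-params NAME Tests the HTTP Cookie name
+# --test-form-params NAME Tests the form param name
+# -i, --input FILE Reads URLs from the list file
+# --lfi-os unix|windows Sets the OS to test for
+# --lfi-depth COUNT Sets the directory depth to escape up
+# --lfi-filter-bypass null_byte|double_escape|base64|rot13|zlib
+# Sets the filter bypass strategy to use
+# --rfi-filter-bypass double-encode|suffix-escape|null-byte
+# Optional filter-bypass strategy to use
+# --rfi-script-lang asp|asp.net|coldfusion|jsp|php|perl
+# Explicitly specify the scripting language to test for
+# --rfi-test-script-url URL Use an altnerative test script URL
+# --sqli-escape-quote Escapes quotation marks
+# --sqli-escape-parens Escapes parenthesis
+# --sqli-terminate Terminates the SQL expression with a --
+# --ssti-test-expr {X*Y | X/Z | X+Y | X-Y}
+# Optional numeric test to use
+# --open-redirect-url URL Optional test URL to try to redirect to
+# -h, --help Print help information
+#
+# ## Arguments
+#
+# [URL ...] The URL(s) to scan
+#
+class Scan < WebVulnCommand
+
+usage '[options] {URL ... | --input FILE}'
+
+option :lfi_os, value: {
+type: [:unix, :windows]
+},
+desc: 'Sets the OS to test for'
+
+option :lfi_depth, value: {
+type: Integer,
+usage: 'COUNT'
+},
+desc: 'Sets the directory depth to escape up'
+
+option :lfi_filter_bypass, value: {
+type: [
+:null_byte,
+:double_escape,
+:base64,
+:rot13,
+:zlib
+]
+},
+desc: 'Sets the filter bypass strategy to use'
+
+option :rfi_filter_bypass, value: {
+type: {
+'double-encode' => :double_encode,
+'suffix-escape' => :suffix_escape,
+'null-byte' => :null_byte
+},
+},
+desc: 'Optional filter-bypass strategy to use'
+
+option :rfi_script_lang, value: {
+type: {
+'asp' => :asp,
+'asp.net' => :asp_net,
+'coldfusion' => :cold_fusion,
+'jsp' => :jsp,
+'php' => :php,
+'perl' => :perl
+}
+},
+desc: 'Explicitly specify the scripting language to test for'
+
+option :rfi_test_script_url, value: {
+type: String,
+usage: 'URL'
+},
+desc: 'Use an altnerative test script URL'
+
+option :sqli_escape_quote, desc: 'Escapes quotation marks'
+
+option :sqli_escape_parens, desc: 'Escapes parenthesis'
+
+option :sqli_terminate, desc: 'Terminates the SQL expression with a --'
+
+option :ssti_test_expr, value: {
+type: /\A\d+\s*[\*\/\+\-]\s*\d+\z/,
+usage: '{X*Y | X/Z | X+Y | X-Y}'
+},
+desc: 'Optional numeric test to use' do |expr|
+@ssti_test_expr = Vulns::SSTI::TestExpression.parse(expr)
+end
+
+option :open_redirect_url, value: {
+type: String,
+usage: 'URL'
+},
+desc: 'Optional test URL to try to redirect to'
+
+description 'Scans URL(s) for web vulnerabilities'
+
+man_page 'ronin-vulns-scan.1'
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `lfi:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def lfi_kwargs
+kwargs = {}
+
+kwargs[:os] = options[:lfi_os] if options[:lfi_os]
+kwargs[:depth] = options[:lfi_depth] if options[:lfi_depth]
+
+if options[:lfi_filter_bypass]
+kwargs[:filter_bypass] = options[:lfi_filter_bypass]
+end
+
+return kwargs
+end
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `rfi:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def rfi_kwargs
+kwargs = {}
+
+if options[:rfi_filter_bypass]
+kwargs[:filter_bypass] = options[:rfi_filter_bypass]
+end
+
+if options[:rfi_script_lang]
+kwargs[:script_lang] = options[:rfi_script_lang]
+end
+
+if options[:rfi_test_script_url]
+kwargs[:test_script_url] = options[:rfi_test_script_url]
+end
+
+return kwargs
+end
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `sqli:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def sqli_kwargs
+kwargs = {}
+
+if options[:sqli_escape_quote]
+kwargs[:escape_quote] = options[:sqli_escape_quote]
+end
+
+if options[:sqli_escape_parens]
+kwargs[:escape_parens] = options[:sqli_escape_parens]
+end
+
+if options[:sqli_terminate]
+kwargs[:terminate] = options[:sqli_terminate]
+end
+
+return kwargs
+end
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `ssti:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def ssti_kwargs
+kwargs = {}
+
+kwargs[:test_expr] = @ssti_test_expr if @ssti_test_expr
+
+return kwargs
+end
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `open_redirect:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def open_redirect_kwargs
+kwargs = {}
+
+if options[:open_redirect_url]
+kwargs[:test_url] = options[:open_redirect_url]
+end
+
+return kwargs
+end
+
+#
+# Keyword arguments which will be passed to {URLScanner.scan} or
+# {URLScanner.test} via the `reflected_xss:` keyword.
+#
+# @return [Hash{Symbol => Object}]
+#
+def reflected_xss_kwargs
+{}
+end
+
+#
+# Keyword arguments for `Vulns::URLScanner.scan` and
+# `Vulns::URLScanner.test`.
+#
+# @return [Hash{Symbol => Object}]
+#
+def scan_kwargs
+kwargs = super()
+
+kwargs[:lfi] = lfi_kwargs
+kwargs[:rfi] = rfi_kwargs
+kwargs[:sqli] = sqli_kwargs
+kwargs[:ssti] = ssti_kwargs
+kwargs[:open_redirect] = open_redirect_kwargs
+kwargs[:reflected_xss] = reflected_xss_kwargs
+
+return kwargs
+end
+
+#
+# Scans a URL for all web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered web vulnerability.
+#
+# @yieldparam [Vulns::LFI,
+# Vulns::RFI,
+# Vulns::SQLI,
+# Vulns::SSTI,
+# Vulns::OpenRedirect,
+# Vulns::ReflectedXSS] vuln
+# A LFI vulnerability discovered on the URL.
+#
+def scan_url(url,&block)
+Vulns::URLScanner.scan(url,**scan_kwargs,&block)
+end
+
+#
+# Tests a URL for any web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [Vulns::LFI,
+# Vulns::RFI,
+# Vulns::SQLI,
+# Vulns::SSTI,
+# Vulns::OpenRedirect,
+# Vulns::ReflectedXSS, nil]
+# The first web vulnerability discovered on the URL.
+#
+def test_url(url,&block)
+Vulns::URLScanner.test(url,**scan_kwargs)
+end
+
+end
+end
+end
+end
+end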
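Review bot: The two filter-bypass options in this one command spell their values differently: `--lfi-filter-bypass` is declared as a symbol array, so the user must type `null_byte` or `double_escape`, while `--rfi-filter-bypass` maps hyphenated strings (`null-byte`, `double-encode`) to symbols, and the class header documents both spellings side by side; declaring the LFI option as `type: { 'null-byte' => :null_byte, 'double-escape' => :double_escape, 'base64' => :base64, 'rot13' => :rot13, 'zlib' => :zlib }` keeps one convention. `--lfi-depth` accepts any `Integer`, including zero and negatives, and `lfi_kwargs` forwards it as `depth:` unchecked — a parse block that raises unless the value is positive would reject that at the boundary instead of somewhere inside `Vulns::LFI`. The header comment lists `--test-header-names`, `--test-cookie-params` and `--test-form-params` while the sibling `rfi` and `sqli` commands document the singular `--test-header-name`, `--test-cookie-param`, `--test-form-param`; unless `WebVulnCommand` (not visible here) defines both forms, one set of docs is wrong. The `--ssti-test-expr` regex admits a zero divisor (`1/0`) that `TestExpression.parse` may or may not reject — worth a check or a note. As in the sibling commands, `test_url(url,&block)` declares a block it never passes on.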
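--- /dev/null
+++ b/data/lib/ronin/vulns/cli/commands/sqli.rb
@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/sqli'
+
+module Ronin
+module Vulns
+class CLI
+module Commands
+#
+# Scans URL(s) for SQL injection (SQLi) vulnerabilities.
+#
+# ## Usage
+#
+# ronin-vulns sqli [options] {URL ... | --input FILE}
+#
+# ## Options
+#
+# --first Only find the first vulnerability for each URL
+# -A, --all Find all vulnerabilities for each URL
+# -H, --header "Name: value" Sets an additional header
+# -C, --cookie COOKIE Sets the raw Cookie header
+# -c, --cookie-param NAME=VALUE Sets an additional cookie param
+# -R, --referer URL Sets the Referer header
+# -F, --form-param NAME=VALUE Sets an additional form param
+# --test-query-param NAME Tests the URL query param name
+# --test-all-query-params Test all URL query param names
+# --test-header-name NAME Tests the HTTP Header name
+# --test-cookie-param NAME Tests the HTTP Cookie name
+# --test-all-cookie-params Test all Cookie param names
+# --test-form-param NAME Tests the form param name
+# -i, --input FILE Reads URLs from the list file
+# -Q, --escape-quote Escapes quotation marks
+# -P, --escape-parens Escapes parenthesis
+# -T, --terminate Terminates the SQL expression with a --
+# -h, --help Print help information
+#
+# ## Arguments
+#
+# [URL ...] The URL(s) to scan
+#
+class Sqli < WebVulnCommand
+
+usage '[options] {URL ... | --input FILE}'
+
+option :escape_quote, short: '-Q',
+desc: 'Escapes quotation marks'
+
+option :escape_parens, short: '-P',
+desc: 'Escapes parenthesis'
+
+option :terminate, short: '-T',
+desc: 'Terminates the SQL expression with a --'
+
+description 'Scans URL(s) for SQL injection (SQLi) vulnerabilities'
+
+man_page 'ronin-vulns-sqli.1'
+
+#
+# Keyword arguments for `Vulns::SQLI.scan` and `Vulns::SQLI.test`.
+#
+# @return [Hash{Symbol => Object}]
+#
+def scan_kwargs
+kwargs = super()
+
+if options[:escape_quote]
+kwargs[:escape_quote] = options[:escape_quote]
+end
+
+if options[:escape_parens]
+kwargs[:escape_parens] = options[:escape_parens]
+end
+
+if options[:terminate]
+kwargs[:terminate] = options[:terminate]
+end
+
+return kwargs
+end
+
+#
+# Scans a URL for SQLi vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered SQLi vulnerability.
+#
+# @yieldparam [Vulns::SQLI] vuln
+# A SQLi vulnerability discovered on the URL.
+#
+def scan_url(url,&block)
+Vulns::SQLI.scan(url,**scan_kwargs,&block)
+end
+
+#
+# Tests a URL for SQLi vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [Vulns::SQLI, nil]
+# The first SQLi vulnerability discovered on the URL.
+#
+def test_url(url,&block)
+Vulns::SQLI.test(url,**scan_kwargs)
+end
+
+end
+end
+end
+end
+end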
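Review bot: `-T` is bound to `--terminate` here while the `rfi` command in the same release binds `-T` to `--test-script-url`; reusing one short flag for unrelated options across sibling commands is a usability trap (the combined `scan` command sidesteps it by exposing only the long `--sqli-terminate`), so consider a distinct letter or dropping the short form. `test_url(url,&block)` declares `&block` and then calls `Vulns::SQLI.test(url,**scan_kwargs)` without it, so the parameter is dead — `def test_url(url)` is the honest signature. The three `if options[...]` guards in `scan_kwargs` have identical shape and could collapse to `%i[escape_quote escape_parens terminate].each { |k| kwargs[k] = options[k] if options[k] }`. The user-facing desc `'Escapes parenthesis'` should read `'Escapes parentheses'`, in the option and in the class header.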