ronin-vulns 0.1.0.beta1
- checksums.yaml +7 -0
- data/.document +5 -0
- data/.github/workflows/ruby.yml +31 -0
- data/.gitignore +13 -0
- data/.rspec +1 -0
- data/.ruby-version +1 -0
- data/.yardopts +1 -0
- data/COPYING.txt +165 -0
- data/ChangeLog.md +22 -0
- data/Gemfile +34 -0
- data/README.md +328 -0
- data/Rakefile +34 -0
- data/bin/ronin-vulns +19 -0
- data/data/rfi_test.asp +21 -0
- data/data/rfi_test.aspx +25 -0
- data/data/rfi_test.cfm +27 -0
- data/data/rfi_test.jsp +19 -0
- data/data/rfi_test.php +24 -0
- data/data/rfi_test.pl +25 -0
- data/gemspec.yml +41 -0
- data/lib/ronin/vulns/cli/command.rb +39 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +145 -0
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +119 -0
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +99 -0
- data/lib/ronin/vulns/cli/commands/rfi.rb +156 -0
- data/lib/ronin/vulns/cli/commands/scan.rb +316 -0
- data/lib/ronin/vulns/cli/commands/sqli.rb +133 -0
- data/lib/ronin/vulns/cli/commands/ssti.rb +126 -0
- data/lib/ronin/vulns/cli/logging.rb +78 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +347 -0
- data/lib/ronin/vulns/cli.rb +45 -0
- data/lib/ronin/vulns/lfi/test_file.rb +91 -0
- data/lib/ronin/vulns/lfi.rb +266 -0
- data/lib/ronin/vulns/open_redirect.rb +118 -0
- data/lib/ronin/vulns/reflected_xss/context.rb +224 -0
- data/lib/ronin/vulns/reflected_xss/test_string.rb +149 -0
- data/lib/ronin/vulns/reflected_xss.rb +184 -0
- data/lib/ronin/vulns/rfi.rb +224 -0
- data/lib/ronin/vulns/root.rb +28 -0
- data/lib/ronin/vulns/sqli/error_pattern.rb +89 -0
- data/lib/ronin/vulns/sqli.rb +397 -0
- data/lib/ronin/vulns/ssti/test_expression.rb +104 -0
- data/lib/ronin/vulns/ssti.rb +203 -0
- data/lib/ronin/vulns/url_scanner.rb +218 -0
- data/lib/ronin/vulns/version.rb +26 -0
- data/lib/ronin/vulns/vuln.rb +49 -0
- data/lib/ronin/vulns/web_vuln/http_request.rb +223 -0
- data/lib/ronin/vulns/web_vuln.rb +774 -0
- data/man/ronin-vulns-lfi.1 +107 -0
- data/man/ronin-vulns-lfi.1.md +80 -0
- data/man/ronin-vulns-open-redirect.1 +98 -0
- data/man/ronin-vulns-open-redirect.1.md +73 -0
- data/man/ronin-vulns-reflected-xss.1 +95 -0
- data/man/ronin-vulns-reflected-xss.1.md +71 -0
- data/man/ronin-vulns-rfi.1 +107 -0
- data/man/ronin-vulns-rfi.1.md +80 -0
- data/man/ronin-vulns-scan.1 +138 -0
- data/man/ronin-vulns-scan.1.md +103 -0
- data/man/ronin-vulns-sqli.1 +107 -0
- data/man/ronin-vulns-sqli.1.md +80 -0
- data/man/ronin-vulns-ssti.1 +99 -0
- data/man/ronin-vulns-ssti.1.md +74 -0
- data/ronin-vulns.gemspec +60 -0
- metadata +161 -0
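--- a/data/lib/ronin/vulns/cli/commands/ssti.rb
+++ b/data/lib/ronin/vulns/cli/commands/ssti.rb
@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/ssti'
+
+module Ronin
+module Vulns
+class CLI
+module Commands
+#
+# Scans URL(s) for Server Side Template Injection (SSTI)
+# vulnerabilities.
+#
+# ## Usage
+#
+# ronin-vulns ssti [options] {URL ... | --input FILE}
+#
+# ## Options
+#
+# --first Only find the first vulnerability for each URL
+# -A, --all Find all vulnerabilities for each URL
+# -H, --header "Name: value" Sets an additional header
+# -C, --cookie COOKIE Sets the raw Cookie header
+# -c, --cookie-param NAME=VALUE Sets an additional cookie param
+# -R, --referer URL Sets the Referer header
+# -F, --form-param NAME=VALUE Sets an additional form param
+# --test-query-param NAME Tests the URL query param name
+# --test-all-query-params Test all URL query param names
+# --test-header-name NAME Tests the HTTP Header name
+# --test-cookie-param NAME Tests the HTTP Cookie name
+# --test-all-cookie-params Test all Cookie param names
+# --test-form-param NAME Tests the form param name
+# -i, --input FILE Reads URLs from the list file
+# -T {X*Y | X/Z | X+Y | X-Y}, Optional numeric test to use
+# --test-expr
+# -h, --help Print help information
+#
+# ## Arguments
+#
+# [URL ...] The URL(s) to scan
+#
+class Ssti < WebVulnCommand
+
+usage '[options] {URL ... | --input FILE}'
+
+option :test_expr, short: '-T',
+value: {
+type: /\A\d+\s*[\*\/\+\-]\s*\d+\z/,
+usage: '{X*Y | X/Z | X+Y | X-Y}'
+},
+desc: 'Optional numeric test to use' do |expr|
+@test_expr = Vulns::SSTI::TestExpression.parse(expr)
+end
+
+description 'Scans URL(s) for Server Side Template Injection (SSTI) vulnerabilities'
+
+man_page 'ronin-vulns-ssti.1'
+
+# The expression to use to test for SSTI.
+#
+# @return [Vulns::SSTI::TestExpression, nil]
+attr_reader :test_expr
+
+#
+# Keyword arguments for `Vulns::SSTI.scan` and `Vulns::SSTI.test`.
+#
+# @return [Hash{Symbol => Object}]
+#
+def scan_kwargs
+kwargs = super()
+kwargs[:test_expr] = @test_expr if @test_expr
+return kwargs
+end
+
+#
+# Scans a URL for SSTI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered SSTI vulnerability.
+#
+# @yieldparam [Vulns::SSTI] vuln
+# A SSTI vulnerability discovered on the URL.
+#
+def scan_url(url,&block)
+Vulns::SSTI.scan(url,**scan_kwargs,&block)
+end
+
+#
+# Tests a URL for SSTI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [Vulns::SSTI, nil]
+# The first SSTI vulnerability discovered on the URL.
+#
+def test_url(url,&block)
+Vulns::SSTI.test(url,**scan_kwargs)
+end
+
+end
+end
+end
+end
+end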
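Review bot: `test_url(url,&block)` at line 118 declares a block parameter it never uses — the body calls `Vulns::SSTI.test(url,**scan_kwargs)` without it — and the abstract `WebVulnCommand#test_url(url)` it overrides takes none; drop it: `def test_url(url)`. The YARD text on lines 94 and 110 misspells "vulnerabilities" as "vulnerabiltiies". `scan_kwargs` could also drop the explicit `return kwargs` in favour of the implicit last expression, which is the usual Ruby style.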
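--- a/data/lib/ronin/vulns/cli/logging.rb
+++ b/data/lib/ronin/vulns/cli/logging.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/core/cli/logging'
+
+module Ronin
+module Vulns
+class CLI
+module Logging
+include Core::CLI::Logging
+
+# Known vulnerability types and their printable names.
+VULN_TYPES = {
+open_redirect: 'Open Redirect',
+reflected_xss: 'reflected XSS',
+
+lfi: 'LFI',
+rfi: 'RFI',
+sqli: 'SQLi',
+ssti: 'SSTI'
+}
+
+#
+# Returns the printable vulnerability type for the vulnerability object.
+#
+# @param [Vuln] vuln
+#
+# @return [String]
+#
+def vuln_type(vuln)
+VULN_TYPES.fetch(vuln.class.vuln_type,'vulnerability')
+end
+
+#
+# Prints a web vulnerability.
+#
+# @param [WebVuln] vuln
+# The web vulnerability to print.
+#
+def log_vuln(vuln)
+vuln_name = vuln_type(vuln)
+location = if vuln.query_param
+"query param #{vuln.query_param}"
+elsif vuln.header_name
+"Header #{vuln.header_name}"
+elsif vuln.cookie_param
+"Cookie param #{vuln.cookie_param}"
+elsif vuln.form_param
+"form param #{vuln.form_param}"
+end
+
+if location
+log_info "Found #{vuln_name} on #{vuln.url} via #{location}!"
+else
+log_info "Found #{vuln_name} on #{vuln.url}!"
+end
+end
+end
+end
+end
+end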
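Review bot: `VULN_TYPES` at line 30 is a mutable Hash constant; `# frozen_string_literal: true` freezes the value strings but not the Hash itself, so a later `VULN_TYPES[...] =` anywhere would silently change the name printed for every command. Close the literal with `}.freeze`. The names are also inconsistently capitalised (`'Open Redirect'` next to `'reflected XSS'`), which is visible in the `Found #{vuln_name} on ...` log line `log_vuln` emits.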
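--- a/data/lib/ronin/vulns/cli/web_vuln_command.rb
+++ b/data/lib/ronin/vulns/cli/web_vuln_command.rb
@@ -0,0 +1,347 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/command'
+require 'ronin/vulns/cli/logging'
+
+require 'ronin/support/network/http/cookie'
+
+require 'set'
+
+module Ronin
+module Vulns
+class CLI
+#
+# Base class for all web vulnerability commands.
+#
+class WebVulnCommand < Command
+
+include Logging
+
+option :first, short: '-F',
+desc: 'Only find the first vulnerability for each URL' do
+@scan_mode = :first
+end
+
+option :all, short: '-A',
+desc: 'Find all vulnerabilities for each URL' do
+@scan_mode = :all
+end
+
+option :header, short: '-H',
+value: {
+type: /[A-Za-z0-9-]+:\s*\w+/,
+usage: '"Name: value"'
+},
+desc: 'Sets an additional header' do |header|
+name, value = header.split(/:\s*/,2)
+
+@headers ||= {}
+@headers[name] = value
+end
+
+option :cookie, short: '-C',
+value: {
+type: String,
+usage: 'COOKIE'
+},
+desc: 'Sets the raw Cookie header' do |cookie|
+@raw_cookie = cookie
+end
+
+option :cookie_param, short: '-c',
+value: {
+type: /[^\s=]+=\w+/,
+usage: 'NAME=VALUE'
+},
+desc: 'Sets an additional cookie param' do |param|
+name, value = param.split('=',2)
+
+@cookie ||= Support::Network::HTTP::Cookie.new
+@cookie[name] = value
+end
+
+option :referer, short: '-R',
+value: {
+type: String,
+usage: 'URL',
+},
+desc: 'Sets the Referer header' do |referer|
+@referer = referer
+end
+
+option :form_param, short: '-F',
+value: {
+type: /[^\s=]+=\w+/,
+usage: 'NAME=VALUE'
+},
+desc: 'Sets an additional form param' do |param|
+name, value = param.split('=',2)
+
+@form_data ||= {}
+@form_data[name] = value
+end
+
+option :test_query_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the URL query param name' do |name|
+@test_query_params ||= Set.new
+@test_query_params << name
+end
+
+option :test_all_query_params, desc: 'Test all URL query param names' do
+@test_all_query_params = true
+end
+
+option :test_header_name, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the HTTP Header name' do |name|
+@test_header_names ||= Set.new
+@test_header_names << name
+end
+
+option :test_cookie_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the HTTP Cookie name' do |name|
+@test_cookie_params ||= Set.new
+@test_cookie_params << name
+end
+
+option :test_all_cookie_params, desc: 'Test all Cookie param names' do
+@test_all_cookie_params = true
+end
+
+option :test_form_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the form param name' do |name|
+@test_form_params ||= Set.new
+@test_form_params << name
+end
+
+option :input, short: '-i',
+value: {
+type: String,
+usage: 'FILE'
+},
+desc: 'Reads URLs from the list file'
+
+argument :url, required: false,
+repeats: true,
+desc: 'The URL(s) to scan'
+
+# The scan mode.
+#
+# @return [:first, :all]
+# * `:first` - Only find the first vulnerability for each URL.
+# * `:all` - Find all vulnerabilities for each URL.
+attr_reader :scan_mode
+
+# Additional headers.
+#
+# @return [Hash{String => String}, nil]
+attr_reader :headers
+
+# The raw `Cookie` header to send.
+#
+# @return [String, nil]
+attr_reader :raw_cookie
+
+# The optional `Cookie` header to send.
+#
+# @return [Ronin::Support::Network::HTTP::Cookie, nil]
+attr_reader :cookie
+
+# The optional `Referer` header to send.
+#
+# @return [String, nil]
+attr_reader :referer
+
+# Additional form params.
+#
+# @return [Hash{String => String}, nil]
+attr_reader :form_data
+
+# The URL query params to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_query_params
+
+# Indiciates whether to test all of the query params of the URL.
+#
+# @return [Boolean, nil]
+attr_reader :test_all_query_params
+
+# The HTTP Header names to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_header_names
+
+# The HTTP Cookie to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_cookie_params
+
+# Indiciates whether to test all `Cookie` params for the URL.
+#
+# @return [Boolean, nil]
+attr_reader :test_all_cookie_params
+
+# The form params to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_form_params
+
+#
+# Initializes the command.
+#
+# @param [Hash{Symbol => Object}] kwargs
+# Additional keyword arguments.
+#
+def initialize(**kwargs)
+super(**kwargs)
+
+@scan_mode = :first
+end
+
+#
+# Runs the command.
+#
+# @param [Array<String>] urls
+# The URL(s) to scan.
+#
+def run(*urls)
+if options[:input]
+File.open(options[:input]) do |file|
+file.each_line(chomp: true) do |url|
+process_url(url)
+end
+end
+elsif !urls.empty?
+urls.each do |url|
+process_url(url)
+end
+else
+print_error "must specify URL(s) or --input"
+exit(-1)
+end
+end
+
+#
+# Prcesses a URL.
+#
+# @param [String] url
+# A URL to scan.
+#
+def process_url(url)
+if @scan_mode == :first
+if (first_vuln = test_url(url))
+print_vuln(first_vuln)
+end
+else
+scan_url(url) do |vuln|
+print_vuln(vuln)
+end
+end
+end
+
+#
+# The keyword arguments for {WebVuln.scan}.
+#
+# @return [Hash{String => String}]
+# The keyword arguments.
+#
+def scan_kwargs
+kwargs = {}
+
+kwargs[:headers] = @headers if @headers
+
+if @raw_cookie
+kwargs[:cookie] = @raw_cookie
+elsif @cookie
+kwargs[:cookie] = @cookie
+end
+
+kwargs[:referer] = @referer if @referer
+kwargs[:form_data] = @form_data if @form_data
+
+if @test_query_params
+kwargs[:query_params] = @test_query_params
+elsif @test_all_query_params
+kwargs[:query_params] = true
+end
+
+kwargs[:header_names] = @test_header_names if @test_header_names
+
+if @test_cookie_params
+kwargs[:cookie_params] = @test_cookie_params
+elsif @test_all_cookie_params
+kwargs[:cookie_params] = true
+end
+
+kwargs[:form_params] = @test_form_params if @test_form_params
+
+return kwargs
+end
+
+#
+# Scans a URL for web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered web vulnerability.
+#
+# @yieldparam [WebVuln] vuln
+# A web vulnerability discovered on the URL.
+#
+# @abstract
+#
+def scan_url(url,&block)
+raise(NotImplementedError,"#{self.class}#scan_url was not defined")
+end
+
+#
+# Tests a URL for web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [WebVuln, nil] vuln
+# The first web vulnerability discovered on the URL.
+#
+# @abstract
+#
+def test_url(url)
+raise(NotImplementedError,"#{self.class}#test_url was not defined")
+end
+
+end
+end
+end
+end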
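Review bot: `option :first` at line 38 and `option :form_param` at line 90 both register `short: '-F'`, so one short flag shadows the other at parse time; the SSTI command's option listing in this same commit documents `--first` with no short flag and `-F, --form-param`, so the fix is to drop `short: '-F'` from `:first`. `process_url` (lines 263 and 267) calls `print_vuln`, but the `Logging` module included on line 36 defines `log_vuln`; unless `Command` (not in this view) provides `print_vuln`, the first discovered vulnerability raises `NoMethodError`. `run` also hands every line of the `--input` file to `process_url`, so a blank line becomes an empty URL; `next if url.empty?` before the call would skip it. Finally, the `@return [Hash{String => String}]` on `scan_kwargs` (line 275) should read `Hash{Symbol => Object}`, since the keys are symbols and the values include Sets and `true`.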
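--- a/data/lib/ronin/vulns/cli.rb
+++ b/data/lib/ronin/vulns/cli.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'command_kit/commands'
+require 'command_kit/commands/auto_load'
+
+module Ronin
+module Vulns
+#
+# The `ronin-vulns` command-line interface (CLI).
+#
+# @api private
+#
+class CLI
+
+include CommandKit::Commands
+include CommandKit::Commands::AutoLoad.new(
+dir: "#{__dir__}/cli/commands",
+namespace: "#{self}::Commands"
+)
+
+command_name 'ronin-vulns'
+
+command_aliases['xss'] = 'reflected-xss'
+
+end
+end
+end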
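--- a/data/lib/ronin/vulns/lfi/test_file.rb
+++ b/data/lib/ronin/vulns/lfi/test_file.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library to blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+module Ronin
+module Vulns
+class LFI < WebVuln
+#
+# Represents a single Local File Inclusion (LFI) test for a given file
+# path and a regexp that matches the file.
+#
+# @api private
+#
+class TestFile
+
+# The path of the file to attempt including.
+#
+# @return [String]
+attr_reader :path
+
+# The regexp to identify a successful Local File Inclusion (LFI)
+# of the {#path}.
+#
+# @return [Regexp]
+attr_reader :regexp
+
+#
+# Initializes the Local File Inclusion (LFI) test.
+#
+# @param [String] path
+# The path to attempt including.
+#
+# @param [Regexp] regexp
+# The regexp to identify a successful Local File Inclusion (LFI)
+# of the {#path}.
+#
+def initialize(path,regexp)
+@path = path
+@regexp = regexp
+end
+
+#
+# Tests whether the file was successfully included into the response
+# body.
+#
+# @param [String] response_body
+# The HTTP response body.
+#
+# @return [MatchData, nil]
+# The match data if the {#regexp} is found within the response body.
+#
+def match(response_body)
+response_body.match(@regexp)
+end
+
+#
+# Tests whether the file was successfully included into the response
+# body.
+#
+# @param [String] response_body
+# The HTTP response body.
+#
+# @return [Integer, nil]
+# Indicates whether the {#regexp} was found in the response body.
+#
+def =~(response_body)
+response_body =~ @regexp
+end
+
+end
+end
+end
+end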
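Review bot: The header comment on line 3 reads `# ronin-vulns - A Ruby library to blind vulnerability testing.` while every other file in this commit says `for blind vulnerability testing`, and line 5 carries `Copyright (c) 2022` where the others say `2007-2022`; align both with the rest of the commit. `match` and `=~` share an identical description on lines 61 and 75 even though one returns `MatchData` and the other the match offset; the second should say it returns the offset of the first match, which is what `@return [Integer, nil]` already implies.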