ronin-vulns 0.1.0.beta1

Files changed (64) hide show
  1. checksums.yaml +7 -0
  2. data/.document +5 -0
  3. data/.github/workflows/ruby.yml +31 -0
  4. data/.gitignore +13 -0
  5. data/.rspec +1 -0
  6. data/.ruby-version +1 -0
  7. data/.yardopts +1 -0
  8. data/COPYING.txt +165 -0
  9. data/ChangeLog.md +22 -0
  10. data/Gemfile +34 -0
  11. data/README.md +328 -0
  12. data/Rakefile +34 -0
  13. data/bin/ronin-vulns +19 -0
  14. data/data/rfi_test.asp +21 -0
  15. data/data/rfi_test.aspx +25 -0
  16. data/data/rfi_test.cfm +27 -0
  17. data/data/rfi_test.jsp +19 -0
  18. data/data/rfi_test.php +24 -0
  19. data/data/rfi_test.pl +25 -0
  20. data/gemspec.yml +41 -0
  21. data/lib/ronin/vulns/cli/command.rb +39 -0
  22. data/lib/ronin/vulns/cli/commands/lfi.rb +145 -0
  23. data/lib/ronin/vulns/cli/commands/open_redirect.rb +119 -0
  24. data/lib/ronin/vulns/cli/commands/reflected_xss.rb +99 -0
  25. data/lib/ronin/vulns/cli/commands/rfi.rb +156 -0
  26. data/lib/ronin/vulns/cli/commands/scan.rb +316 -0
  27. data/lib/ronin/vulns/cli/commands/sqli.rb +133 -0
  28. data/lib/ronin/vulns/cli/commands/ssti.rb +126 -0
  29. data/lib/ronin/vulns/cli/logging.rb +78 -0
  30. data/lib/ronin/vulns/cli/web_vuln_command.rb +347 -0
  31. data/lib/ronin/vulns/cli.rb +45 -0
  32. data/lib/ronin/vulns/lfi/test_file.rb +91 -0
  33. data/lib/ronin/vulns/lfi.rb +266 -0
  34. data/lib/ronin/vulns/open_redirect.rb +118 -0
  35. data/lib/ronin/vulns/reflected_xss/context.rb +224 -0
  36. data/lib/ronin/vulns/reflected_xss/test_string.rb +149 -0
  37. data/lib/ronin/vulns/reflected_xss.rb +184 -0
  38. data/lib/ronin/vulns/rfi.rb +224 -0
  39. data/lib/ronin/vulns/root.rb +28 -0
  40. data/lib/ronin/vulns/sqli/error_pattern.rb +89 -0
  41. data/lib/ronin/vulns/sqli.rb +397 -0
  42. data/lib/ronin/vulns/ssti/test_expression.rb +104 -0
  43. data/lib/ronin/vulns/ssti.rb +203 -0
  44. data/lib/ronin/vulns/url_scanner.rb +218 -0
  45. data/lib/ronin/vulns/version.rb +26 -0
  46. data/lib/ronin/vulns/vuln.rb +49 -0
  47. data/lib/ronin/vulns/web_vuln/http_request.rb +223 -0
  48. data/lib/ronin/vulns/web_vuln.rb +774 -0
  49. data/man/ronin-vulns-lfi.1 +107 -0
  50. data/man/ronin-vulns-lfi.1.md +80 -0
  51. data/man/ronin-vulns-open-redirect.1 +98 -0
  52. data/man/ronin-vulns-open-redirect.1.md +73 -0
  53. data/man/ronin-vulns-reflected-xss.1 +95 -0
  54. data/man/ronin-vulns-reflected-xss.1.md +71 -0
  55. data/man/ronin-vulns-rfi.1 +107 -0
  56. data/man/ronin-vulns-rfi.1.md +80 -0
  57. data/man/ronin-vulns-scan.1 +138 -0
  58. data/man/ronin-vulns-scan.1.md +103 -0
  59. data/man/ronin-vulns-sqli.1 +107 -0
  60. data/man/ronin-vulns-sqli.1.md +80 -0
  61. data/man/ronin-vulns-ssti.1 +99 -0
  62. data/man/ronin-vulns-ssti.1.md +74 -0
  63. data/ronin-vulns.gemspec +60 -0
  64. metadata +161 -0
@@ -0,0 +1,126 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library for blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'ronin/vulns/cli/web_vuln_command'
22
+ require 'ronin/vulns/ssti'
23
+
24
+ module Ronin
25
+ module Vulns
26
+ class CLI
27
+ module Commands
28
+ #
29
+ # Scans URL(s) for Server Side Template Injection (SSTI)
30
+ # vulnerabilities.
31
+ #
32
+ # ## Usage
33
+ #
34
+ # ronin-vulns ssti [options] {URL ... | --input FILE}
35
+ #
36
+ # ## Options
37
+ #
38
+ # --first Only find the first vulnerability for each URL
39
+ # -A, --all Find all vulnerabilities for each URL
40
+ # -H, --header "Name: value" Sets an additional header
41
+ # -C, --cookie COOKIE Sets the raw Cookie header
42
+ # -c, --cookie-param NAME=VALUE Sets an additional cookie param
43
+ # -R, --referer URL Sets the Referer header
44
+ # -F, --form-param NAME=VALUE Sets an additional form param
45
+ # --test-query-param NAME Tests the URL query param name
46
+ # --test-all-query-params Test all URL query param names
47
+ # --test-header-name NAME Tests the HTTP Header name
48
+ # --test-cookie-param NAME Tests the HTTP Cookie name
49
+ # --test-all-cookie-params Test all Cookie param names
50
+ # --test-form-param NAME Tests the form param name
51
+ # -i, --input FILE Reads URLs from the list file
52
+ # -T {X*Y | X/Z | X+Y | X-Y}, Optional numeric test to use
53
+ # --test-expr
54
+ # -h, --help Print help information
55
+ #
56
+ # ## Arguments
57
+ #
58
+ # [URL ...] The URL(s) to scan
59
+ #
60
+ class Ssti < WebVulnCommand
61
+
62
+ usage '[options] {URL ... | --input FILE}'
63
+
64
+ option :test_expr, short: '-T',
65
+ value: {
66
+ type: /\A\d+\s*[\*\/\+\-]\s*\d+\z/,
67
+ usage: '{X*Y | X/Z | X+Y | X-Y}'
68
+ },
69
+ desc: 'Optional numeric test to use' do |expr|
70
+ @test_expr = Vulns::SSTI::TestExpression.parse(expr)
71
+ end
72
+
73
+ description 'Scans URL(s) for Server Side Template Injection (SSTI) vulnerabilities'
74
+
75
+ man_page 'ronin-vulns-ssti.1'
76
+
77
+ # The expression to use to test for SSTI.
78
+ #
79
+ # @return [Vulns::SSTI::TestExpression, nil]
80
+ attr_reader :test_expr
81
+
82
+ #
83
+ # Keyword arguments for `Vulns::SSTI.scan` and `Vulns::SSTI.test`.
84
+ #
85
+ # @return [Hash{Symbol => Object}]
86
+ #
87
+ def scan_kwargs
88
+ kwargs = super()
89
+ kwargs[:test_expr] = @test_expr if @test_expr
90
+ return kwargs
91
+ end
92
+
93
+ #
94
+ # Scans a URL for SSTI vulnerabiltiies.
95
+ #
96
+ # @param [String] url
97
+ # The URL to scan.
98
+ #
99
+ # @yield [vuln]
100
+ # The given block will be passed each discovered SSTI vulnerability.
101
+ #
102
+ # @yieldparam [Vulns::SSTI] vuln
103
+ # A SSTI vulnerability discovered on the URL.
104
+ #
105
+ def scan_url(url,&block)
106
+ Vulns::SSTI.scan(url,**scan_kwargs,&block)
107
+ end
108
+
109
+ #
110
+ # Tests a URL for SSTI vulnerabiltiies.
111
+ #
112
+ # @param [String] url
113
+ # The URL to test.
114
+ #
115
+ # @return [Vulns::SSTI, nil]
116
+ # The first SSTI vulnerability discovered on the URL.
117
+ #
118
+ def test_url(url,&block)
119
+ Vulns::SSTI.test(url,**scan_kwargs)
120
+ end
121
+
122
+ end
123
+ end
124
+ end
125
+ end
126
+ end
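Review bot: `test_url(url,&block)` near the end of the Ssti class accepts a block it never uses: the call `Vulns::SSTI.test(url,**scan_kwargs)` does not forward it, and the base-class signature shown elsewhere on this page is `test_url(url)`. Declaring the override as `def test_url(url)` keeps it consistent with WebVulnCommand and avoids suggesting that a block is honoured. The doc comments above `scan_url` and `test_url` misspell "vulnerabilities" as "vulnerabiltiies". Separately, the `--test-expr` pattern accepts a zero divisor such as `X/0`; how `TestExpression.parse` treats that is not visible here and is worth confirming.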
@@ -0,0 +1,78 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library for blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'ronin/core/cli/logging'
22
+
23
+ module Ronin
24
+ module Vulns
25
+ class CLI
26
+ module Logging
27
+ include Core::CLI::Logging
28
+
29
+ # Known vulnerability types and their printable names.
30
+ VULN_TYPES = {
31
+ open_redirect: 'Open Redirect',
32
+ reflected_xss: 'reflected XSS',
33
+
34
+ lfi: 'LFI',
35
+ rfi: 'RFI',
36
+ sqli: 'SQLi',
37
+ ssti: 'SSTI'
38
+ }
39
+
40
+ #
41
+ # Returns the printable vulnerability type for the vulnerability object.
42
+ #
43
+ # @param [Vuln] vuln
44
+ #
45
+ # @return [String]
46
+ #
47
+ def vuln_type(vuln)
48
+ VULN_TYPES.fetch(vuln.class.vuln_type,'vulnerability')
49
+ end
50
+
51
+ #
52
+ # Prints a web vulnerability.
53
+ #
54
+ # @param [WebVuln] vuln
55
+ # The web vulnerability to print.
56
+ #
57
+ def log_vuln(vuln)
58
+ vuln_name = vuln_type(vuln)
59
+ location = if vuln.query_param
60
+ "query param #{vuln.query_param}"
61
+ elsif vuln.header_name
62
+ "Header #{vuln.header_name}"
63
+ elsif vuln.cookie_param
64
+ "Cookie param #{vuln.cookie_param}"
65
+ elsif vuln.form_param
66
+ "form param #{vuln.form_param}"
67
+ end
68
+
69
+ if location
70
+ log_info "Found #{vuln_name} on #{vuln.url} via #{location}!"
71
+ else
72
+ log_info "Found #{vuln_name} on #{vuln.url}!"
73
+ end
74
+ end
75
+ end
76
+ end
77
+ end
78
+ end
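Review bot: `VULN_TYPES` is left as a mutable Hash, so any code that includes this module can alter the printable names at runtime; `# frozen_string_literal: true` freezes the string values but not the hash, so closing the literal with `}.freeze` would make the constant read-only. In `log_vuln`, `vuln.url` and the parameter names are interpolated into the log line as-is; when URLs are read from a list file, non-printable characters in them would presumably reach the terminal, so escaping them before logging (for example with `inspect`) is worth considering. The `@param [Vuln] vuln` tag on `vuln_type` has no description line.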
@@ -0,0 +1,347 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library for blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'ronin/vulns/cli/command'
22
+ require 'ronin/vulns/cli/logging'
23
+
24
+ require 'ronin/support/network/http/cookie'
25
+
26
+ require 'set'
27
+
28
+ module Ronin
29
+ module Vulns
30
+ class CLI
31
+ #
32
+ # Base class for all web vulnerability commands.
33
+ #
34
+ class WebVulnCommand < Command
35
+
36
+ include Logging
37
+
38
+ option :first, short: '-F',
39
+ desc: 'Only find the first vulnerability for each URL' do
40
+ @scan_mode = :first
41
+ end
42
+
43
+ option :all, short: '-A',
44
+ desc: 'Find all vulnerabilities for each URL' do
45
+ @scan_mode = :all
46
+ end
47
+
48
+ option :header, short: '-H',
49
+ value: {
50
+ type: /[A-Za-z0-9-]+:\s*\w+/,
51
+ usage: '"Name: value"'
52
+ },
53
+ desc: 'Sets an additional header' do |header|
54
+ name, value = header.split(/:\s*/,2)
55
+
56
+ @headers ||= {}
57
+ @headers[name] = value
58
+ end
59
+
60
+ option :cookie, short: '-C',
61
+ value: {
62
+ type: String,
63
+ usage: 'COOKIE'
64
+ },
65
+ desc: 'Sets the raw Cookie header' do |cookie|
66
+ @raw_cookie = cookie
67
+ end
68
+
69
+ option :cookie_param, short: '-c',
70
+ value: {
71
+ type: /[^\s=]+=\w+/,
72
+ usage: 'NAME=VALUE'
73
+ },
74
+ desc: 'Sets an additional cookie param' do |param|
75
+ name, value = param.split('=',2)
76
+
77
+ @cookie ||= Support::Network::HTTP::Cookie.new
78
+ @cookie[name] = value
79
+ end
80
+
81
+ option :referer, short: '-R',
82
+ value: {
83
+ type: String,
84
+ usage: 'URL',
85
+ },
86
+ desc: 'Sets the Referer header' do |referer|
87
+ @referer = referer
88
+ end
89
+
90
+ option :form_param, short: '-F',
91
+ value: {
92
+ type: /[^\s=]+=\w+/,
93
+ usage: 'NAME=VALUE'
94
+ },
95
+ desc: 'Sets an additional form param' do |param|
96
+ name, value = param.split('=',2)
97
+
98
+ @form_data ||= {}
99
+ @form_data[name] = value
100
+ end
101
+
102
+ option :test_query_param, value: {
103
+ type: String,
104
+ usage: 'NAME'
105
+ },
106
+ desc: 'Tests the URL query param name' do |name|
107
+ @test_query_params ||= Set.new
108
+ @test_query_params << name
109
+ end
110
+
111
+ option :test_all_query_params, desc: 'Test all URL query param names' do
112
+ @test_all_query_params = true
113
+ end
114
+
115
+ option :test_header_name, value: {
116
+ type: String,
117
+ usage: 'NAME'
118
+ },
119
+ desc: 'Tests the HTTP Header name' do |name|
120
+ @test_header_names ||= Set.new
121
+ @test_header_names << name
122
+ end
123
+
124
+ option :test_cookie_param, value: {
125
+ type: String,
126
+ usage: 'NAME'
127
+ },
128
+ desc: 'Tests the HTTP Cookie name' do |name|
129
+ @test_cookie_params ||= Set.new
130
+ @test_cookie_params << name
131
+ end
132
+
133
+ option :test_all_cookie_params, desc: 'Test all Cookie param names' do
134
+ @test_all_cookie_params = true
135
+ end
136
+
137
+ option :test_form_param, value: {
138
+ type: String,
139
+ usage: 'NAME'
140
+ },
141
+ desc: 'Tests the form param name' do |name|
142
+ @test_form_params ||= Set.new
143
+ @test_form_params << name
144
+ end
145
+
146
+ option :input, short: '-i',
147
+ value: {
148
+ type: String,
149
+ usage: 'FILE'
150
+ },
151
+ desc: 'Reads URLs from the list file'
152
+
153
+ argument :url, required: false,
154
+ repeats: true,
155
+ desc: 'The URL(s) to scan'
156
+
157
+ # The scan mode.
158
+ #
159
+ # @return [:first, :all]
160
+ # * `:first` - Only find the first vulnerability for each URL.
161
+ # * `:all` - Find all vulnerabilities for each URL.
162
+ attr_reader :scan_mode
163
+
164
+ # Additional headers.
165
+ #
166
+ # @return [Hash{String => String}, nil]
167
+ attr_reader :headers
168
+
169
+ # The raw `Cookie` header to send.
170
+ #
171
+ # @return [String, nil]
172
+ attr_reader :raw_cookie
173
+
174
+ # The optional `Cookie` header to send.
175
+ #
176
+ # @return [Ronin::Support::Network::HTTP::Cookie, nil]
177
+ attr_reader :cookie
178
+
179
+ # The optional `Referer` header to send.
180
+ #
181
+ # @return [String, nil]
182
+ attr_reader :referer
183
+
184
+ # Additional form params.
185
+ #
186
+ # @return [Hash{String => String}, nil]
187
+ attr_reader :form_data
188
+
189
+ # The URL query params to test.
190
+ #
191
+ # @return [Set<String>, nil]
192
+ attr_reader :test_query_params
193
+
194
+ # Indiciates whether to test all of the query params of the URL.
195
+ #
196
+ # @return [Boolean, nil]
197
+ attr_reader :test_all_query_params
198
+
199
+ # The HTTP Header names to test.
200
+ #
201
+ # @return [Set<String>, nil]
202
+ attr_reader :test_header_names
203
+
204
+ # The HTTP Cookie to test.
205
+ #
206
+ # @return [Set<String>, nil]
207
+ attr_reader :test_cookie_params
208
+
209
+ # Indiciates whether to test all `Cookie` params for the URL.
210
+ #
211
+ # @return [Boolean, nil]
212
+ attr_reader :test_all_cookie_params
213
+
214
+ # The form params to test.
215
+ #
216
+ # @return [Set<String>, nil]
217
+ attr_reader :test_form_params
218
+
219
+ #
220
+ # Initializes the command.
221
+ #
222
+ # @param [Hash{Symbol => Object}] kwargs
223
+ # Additional keyword arguments.
224
+ #
225
+ def initialize(**kwargs)
226
+ super(**kwargs)
227
+
228
+ @scan_mode = :first
229
+ end
230
+
231
+ #
232
+ # Runs the command.
233
+ #
234
+ # @param [Array<String>] urls
235
+ # The URL(s) to scan.
236
+ #
237
+ def run(*urls)
238
+ if options[:input]
239
+ File.open(options[:input]) do |file|
240
+ file.each_line(chomp: true) do |url|
241
+ process_url(url)
242
+ end
243
+ end
244
+ elsif !urls.empty?
245
+ urls.each do |url|
246
+ process_url(url)
247
+ end
248
+ else
249
+ print_error "must specify URL(s) or --input"
250
+ exit(-1)
251
+ end
252
+ end
253
+
254
+ #
255
+ # Prcesses a URL.
256
+ #
257
+ # @param [String] url
258
+ # A URL to scan.
259
+ #
260
+ def process_url(url)
261
+ if @scan_mode == :first
262
+ if (first_vuln = test_url(url))
263
+ print_vuln(first_vuln)
264
+ end
265
+ else
266
+ scan_url(url) do |vuln|
267
+ print_vuln(vuln)
268
+ end
269
+ end
270
+ end
271
+
272
+ #
273
+ # The keyword arguments for {WebVuln.scan}.
274
+ #
275
+ # @return [Hash{String => String}]
276
+ # The keyword arguments.
277
+ #
278
+ def scan_kwargs
279
+ kwargs = {}
280
+
281
+ kwargs[:headers] = @headers if @headers
282
+
283
+ if @raw_cookie
284
+ kwargs[:cookie] = @raw_cookie
285
+ elsif @cookie
286
+ kwargs[:cookie] = @cookie
287
+ end
288
+
289
+ kwargs[:referer] = @referer if @referer
290
+ kwargs[:form_data] = @form_data if @form_data
291
+
292
+ if @test_query_params
293
+ kwargs[:query_params] = @test_query_params
294
+ elsif @test_all_query_params
295
+ kwargs[:query_params] = true
296
+ end
297
+
298
+ kwargs[:header_names] = @test_header_names if @test_header_names
299
+
300
+ if @test_cookie_params
301
+ kwargs[:cookie_params] = @test_cookie_params
302
+ elsif @test_all_cookie_params
303
+ kwargs[:cookie_params] = true
304
+ end
305
+
306
+ kwargs[:form_params] = @test_form_params if @test_form_params
307
+
308
+ return kwargs
309
+ end
310
+
311
+ #
312
+ # Scans a URL for web vulnerabiltiies.
313
+ #
314
+ # @param [String] url
315
+ # The URL to scan.
316
+ #
317
+ # @yield [vuln]
318
+ # The given block will be passed each discovered web vulnerability.
319
+ #
320
+ # @yieldparam [WebVuln] vuln
321
+ # A web vulnerability discovered on the URL.
322
+ #
323
+ # @abstract
324
+ #
325
+ def scan_url(url,&block)
326
+ raise(NotImplementedError,"#{self.class}#scan_url was not defined")
327
+ end
328
+
329
+ #
330
+ # Tests a URL for web vulnerabiltiies.
331
+ #
332
+ # @param [String] url
333
+ # The URL to test.
334
+ #
335
+ # @return [WebVuln, nil] vuln
336
+ # The first web vulnerability discovered on the URL.
337
+ #
338
+ # @abstract
339
+ #
340
+ def test_url(url)
341
+ raise(NotImplementedError,"#{self.class}#test_url was not defined")
342
+ end
343
+
344
+ end
345
+ end
346
+ end
347
+ end
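Review bot: Both `option :first` and `option :form_param` declare `short: '-F'`, so the same short flag is claimed by a switch that takes no value and by one that requires `NAME=VALUE`; the usage text in the Ssti command on this page lists `--first` without a short flag, which suggests `short: '-F'` should be dropped from `:first`. The value patterns for `--header`, `--cookie-param` and `--form-param` (`/[A-Za-z0-9-]+:\s*\w+/` and `/[^\s=]+=\w+/`) are unanchored, unlike the `\A…\z` pattern used for `--test-expr`, so unless the option parser anchors them itself any argument that merely contains a match is accepted, including values with embedded line breaks that would end up in request headers; anchoring with `\A` and `\z` and widening `\w+` to the characters a value may legitimately hold would make the check match the usage string. `process_url` calls `print_vuln`, while the Logging module included here defines `log_vuln`; if `Command` does not supply `print_vuln`, the first finding raises NoMethodError. The `@return [Hash{String => String}]` tag on `scan_kwargs` does not match the Symbol keys the method builds.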
@@ -0,0 +1,45 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library for blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'command_kit/commands'
22
+ require 'command_kit/commands/auto_load'
23
+
24
+ module Ronin
25
+ module Vulns
26
+ #
27
+ # The `ronin-vulns` command-line interface (CLI).
28
+ #
29
+ # @api private
30
+ #
31
+ class CLI
32
+
33
+ include CommandKit::Commands
34
+ include CommandKit::Commands::AutoLoad.new(
35
+ dir: "#{__dir__}/cli/commands",
36
+ namespace: "#{self}::Commands"
37
+ )
38
+
39
+ command_name 'ronin-vulns'
40
+
41
+ command_aliases['xss'] = 'reflected-xss'
42
+
43
+ end
44
+ end
45
+ end
@@ -0,0 +1,91 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library to blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'ronin/vulns/web_vuln'
22
+
23
+ module Ronin
24
+ module Vulns
25
+ class LFI < WebVuln
26
+ #
27
+ # Represents a single Local File Inclusion (LFI) test for a given file
28
+ # path and a regexp that matches the file.
29
+ #
30
+ # @api private
31
+ #
32
+ class TestFile
33
+
34
+ # The path of the file to attempt including.
35
+ #
36
+ # @return [String]
37
+ attr_reader :path
38
+
39
+ # The regexp to identify a successful Local File Inclusion (LFI)
40
+ # of the {#path}.
41
+ #
42
+ # @return [Regexp]
43
+ attr_reader :regexp
44
+
45
+ #
46
+ # Initializes the Local File Inclusion (LFI) test.
47
+ #
48
+ # @param [String] path
49
+ # The path to attempt including.
50
+ #
51
+ # @param [Regexp] regexp
52
+ # The regexp to identify a successful Local File Inclusion (LFI)
53
+ # of the {#path}.
54
+ #
55
+ def initialize(path,regexp)
56
+ @path = path
57
+ @regexp = regexp
58
+ end
59
+
60
+ #
61
+ # Tests whether the file was successfully included into the response
62
+ # body.
63
+ #
64
+ # @param [String] response_body
65
+ # The HTTP response body.
66
+ #
67
+ # @return [MatchData, nil]
68
+ # The match data if the {#regexp} is found within the response body.
69
+ #
70
+ def match(response_body)
71
+ response_body.match(@regexp)
72
+ end
73
+
74
+ #
75
+ # Tests whether the file was successfully included into the response
76
+ # body.
77
+ #
78
+ # @param [String] response_body
79
+ # The HTTP response body.
80
+ #
81
+ # @return [Integer, nil]
82
+ # Indicates whether the {#regexp} was found in the response body.
83
+ #
84
+ def =~(response_body)
85
+ response_body =~ @regexp
86
+ end
87
+
88
+ end
89
+ end
90
+ end
91
+ end
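Review bot: `match` and `=~` call methods on `response_body`, so a nil body raises NoMethodError instead of reporting no match; whether callers always pass a String is not visible in this file. Putting the regexp on the left, `@regexp.match(response_body)` and `@regexp =~ response_body`, returns nil for a nil body and gives the same result for String input. The header comment on line 3 reads "A Ruby library to blind vulnerability testing", where the other files on this page say "for".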