ronin-vulns 0.1.0.beta1
- checksums.yaml +7 -0
- data/.document +5 -0
- data/.github/workflows/ruby.yml +31 -0
- data/.gitignore +13 -0
- data/.rspec +1 -0
- data/.ruby-version +1 -0
- data/.yardopts +1 -0
- data/COPYING.txt +165 -0
- data/ChangeLog.md +22 -0
- data/Gemfile +34 -0
- data/README.md +328 -0
- data/Rakefile +34 -0
- data/bin/ronin-vulns +19 -0
- data/data/rfi_test.asp +21 -0
- data/data/rfi_test.aspx +25 -0
- data/data/rfi_test.cfm +27 -0
- data/data/rfi_test.jsp +19 -0
- data/data/rfi_test.php +24 -0
- data/data/rfi_test.pl +25 -0
- data/gemspec.yml +41 -0
- data/lib/ronin/vulns/cli/command.rb +39 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +145 -0
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +119 -0
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +99 -0
- data/lib/ronin/vulns/cli/commands/rfi.rb +156 -0
- data/lib/ronin/vulns/cli/commands/scan.rb +316 -0
- data/lib/ronin/vulns/cli/commands/sqli.rb +133 -0
- data/lib/ronin/vulns/cli/commands/ssti.rb +126 -0
- data/lib/ronin/vulns/cli/logging.rb +78 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +347 -0
- data/lib/ronin/vulns/cli.rb +45 -0
- data/lib/ronin/vulns/lfi/test_file.rb +91 -0
- data/lib/ronin/vulns/lfi.rb +266 -0
- data/lib/ronin/vulns/open_redirect.rb +118 -0
- data/lib/ronin/vulns/reflected_xss/context.rb +224 -0
- data/lib/ronin/vulns/reflected_xss/test_string.rb +149 -0
- data/lib/ronin/vulns/reflected_xss.rb +184 -0
- data/lib/ronin/vulns/rfi.rb +224 -0
- data/lib/ronin/vulns/root.rb +28 -0
- data/lib/ronin/vulns/sqli/error_pattern.rb +89 -0
- data/lib/ronin/vulns/sqli.rb +397 -0
- data/lib/ronin/vulns/ssti/test_expression.rb +104 -0
- data/lib/ronin/vulns/ssti.rb +203 -0
- data/lib/ronin/vulns/url_scanner.rb +218 -0
- data/lib/ronin/vulns/version.rb +26 -0
- data/lib/ronin/vulns/vuln.rb +49 -0
- data/lib/ronin/vulns/web_vuln/http_request.rb +223 -0
- data/lib/ronin/vulns/web_vuln.rb +774 -0
- data/man/ronin-vulns-lfi.1 +107 -0
- data/man/ronin-vulns-lfi.1.md +80 -0
- data/man/ronin-vulns-open-redirect.1 +98 -0
- data/man/ronin-vulns-open-redirect.1.md +73 -0
- data/man/ronin-vulns-reflected-xss.1 +95 -0
- data/man/ronin-vulns-reflected-xss.1.md +71 -0
- data/man/ronin-vulns-rfi.1 +107 -0
- data/man/ronin-vulns-rfi.1.md +80 -0
- data/man/ronin-vulns-scan.1 +138 -0
- data/man/ronin-vulns-scan.1.md +103 -0
- data/man/ronin-vulns-sqli.1 +107 -0
- data/man/ronin-vulns-sqli.1.md +80 -0
- data/man/ronin-vulns-ssti.1 +99 -0
- data/man/ronin-vulns-ssti.1.md +74 -0
- data/ronin-vulns.gemspec +60 -0
- metadata +161 -0
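--- a/data/lib/ronin/vulns/cli/commands/ssti.rb
+++ b/data/lib/ronin/vulns/cli/commands/ssti.rb
@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/web_vuln_command'
+require 'ronin/vulns/ssti'
+
+module Ronin
+module Vulns
+class CLI
+module Commands
+#
+# Scans URL(s) for Server Side Template Injection (SSTI)
+# vulnerabilities.
+#
+# ## Usage
+#
+# ronin-vulns ssti [options] {URL ... | --input FILE}
+#
+# ## Options
+#
+# --first Only find the first vulnerability for each URL
+# -A, --all Find all vulnerabilities for each URL
+# -H, --header "Name: value" Sets an additional header
+# -C, --cookie COOKIE Sets the raw Cookie header
+# -c, --cookie-param NAME=VALUE Sets an additional cookie param
+# -R, --referer URL Sets the Referer header
+# -F, --form-param NAME=VALUE Sets an additional form param
+# --test-query-param NAME Tests the URL query param name
+# --test-all-query-params Test all URL query param names
+# --test-header-name NAME Tests the HTTP Header name
+# --test-cookie-param NAME Tests the HTTP Cookie name
+# --test-all-cookie-params Test all Cookie param names
+# --test-form-param NAME Tests the form param name
+# -i, --input FILE Reads URLs from the list file
+# -T {X*Y | X/Z | X+Y | X-Y}, Optional numeric test to use
+# --test-expr
+# -h, --help Print help information
+#
+# ## Arguments
+#
+# [URL ...] The URL(s) to scan
+#
+class Ssti < WebVulnCommand
+
+usage '[options] {URL ... | --input FILE}'
+
+option :test_expr, short: '-T',
+value: {
+type: /\A\d+\s*[\*\/\+\-]\s*\d+\z/,
+usage: '{X*Y | X/Z | X+Y | X-Y}'
+},
+desc: 'Optional numeric test to use' do |expr|
+@test_expr = Vulns::SSTI::TestExpression.parse(expr)
+end
+
+description 'Scans URL(s) for Server Side Template Injection (SSTI) vulnerabilities'
+
+man_page 'ronin-vulns-ssti.1'
+
+# The expression to use to test for SSTI.
+#
+# @return [Vulns::SSTI::TestExpression, nil]
+attr_reader :test_expr
+
+#
+# Keyword arguments for `Vulns::SSTI.scan` and `Vulns::SSTI.test`.
+#
+# @return [Hash{Symbol => Object}]
+#
+def scan_kwargs
+kwargs = super()
+kwargs[:test_expr] = @test_expr if @test_expr
+return kwargs
+end
+
+#
+# Scans a URL for SSTI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered SSTI vulnerability.
+#
+# @yieldparam [Vulns::SSTI] vuln
+# A SSTI vulnerability discovered on the URL.
+#
+def scan_url(url,&block)
+Vulns::SSTI.scan(url,**scan_kwargs,&block)
+end
+
+#
+# Tests a URL for SSTI vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [Vulns::SSTI, nil]
+# The first SSTI vulnerability discovered on the URL.
+#
+def test_url(url,&block)
+Vulns::SSTI.test(url,**scan_kwargs)
+end
+
+end
+end
+end
+end
+end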
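Review bot: `test_url(url,&block)` at line 118 declares a block parameter it never uses; the body calls `Vulns::SSTI.test(url,**scan_kwargs)` without it, and the abstract `test_url(url)` it overrides in WebVulnCommand takes no block, so the signature should be `def test_url(url)`. The usage text at lines 38 and 44 documents `--first` with no short flag and `-F` as `--form-param`, which is the interface to keep in mind when reading the parent's option declarations. `scan_kwargs` at line 87 ends with an explicit `return kwargs`; the rest of the file relies on implicit returns, so `kwargs` alone would match.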
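--- a/data/lib/ronin/vulns/cli/logging.rb
+++ b/data/lib/ronin/vulns/cli/logging.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/core/cli/logging'
+
+module Ronin
+module Vulns
+class CLI
+module Logging
+include Core::CLI::Logging
+
+# Known vulnerability types and their printable names.
+VULN_TYPES = {
+open_redirect: 'Open Redirect',
+reflected_xss: 'reflected XSS',
+
+lfi: 'LFI',
+rfi: 'RFI',
+sqli: 'SQLi',
+ssti: 'SSTI'
+}
+
+#
+# Returns the printable vulnerability type for the vulnerability object.
+#
+# @param [Vuln] vuln
+#
+# @return [String]
+#
+def vuln_type(vuln)
+VULN_TYPES.fetch(vuln.class.vuln_type,'vulnerability')
+end
+
+#
+# Prints a web vulnerability.
+#
+# @param [WebVuln] vuln
+# The web vulnerability to print.
+#
+def log_vuln(vuln)
+vuln_name = vuln_type(vuln)
+location = if vuln.query_param
+"query param #{vuln.query_param}"
+elsif vuln.header_name
+"Header #{vuln.header_name}"
+elsif vuln.cookie_param
+"Cookie param #{vuln.cookie_param}"
+elsif vuln.form_param
+"form param #{vuln.form_param}"
+end
+
+if location
+log_info "Found #{vuln_name} on #{vuln.url} via #{location}!"
+else
+log_info "Found #{vuln_name} on #{vuln.url}!"
+end
+end
+end
+end
+end
+end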
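Review bot: `VULN_TYPES` at line 30 is a mutable constant; the magic comment freezes the string values but not the Hash itself, so any includer of `Logging` can silently add or replace entries at runtime — close it with `}.freeze`. The `vuln_type` doc at line 43 gives `@param [Vuln] vuln` with no description; since the body looks up `vuln.class.vuln_type`, a line such as `# The vulnerability whose class-level vuln_type is looked up.` would tell the reader what the parameter must respond to. The printable names are inconsistently cased (`'Open Redirect'` vs `'reflected XSS'` at lines 31 and 32), which shows up verbatim in the `Found … on …` log lines.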
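--- a/data/lib/ronin/vulns/cli/web_vuln_command.rb
+++ b/data/lib/ronin/vulns/cli/web_vuln_command.rb
@@ -0,0 +1,347 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/cli/command'
+require 'ronin/vulns/cli/logging'
+
+require 'ronin/support/network/http/cookie'
+
+require 'set'
+
+module Ronin
+module Vulns
+class CLI
+#
+# Base class for all web vulnerability commands.
+#
+class WebVulnCommand < Command
+
+include Logging
+
+option :first, short: '-F',
+desc: 'Only find the first vulnerability for each URL' do
+@scan_mode = :first
+end
+
+option :all, short: '-A',
+desc: 'Find all vulnerabilities for each URL' do
+@scan_mode = :all
+end
+
+option :header, short: '-H',
+value: {
+type: /[A-Za-z0-9-]+:\s*\w+/,
+usage: '"Name: value"'
+},
+desc: 'Sets an additional header' do |header|
+name, value = header.split(/:\s*/,2)
+
+@headers ||= {}
+@headers[name] = value
+end
+
+option :cookie, short: '-C',
+value: {
+type: String,
+usage: 'COOKIE'
+},
+desc: 'Sets the raw Cookie header' do |cookie|
+@raw_cookie = cookie
+end
+
+option :cookie_param, short: '-c',
+value: {
+type: /[^\s=]+=\w+/,
+usage: 'NAME=VALUE'
+},
+desc: 'Sets an additional cookie param' do |param|
+name, value = param.split('=',2)
+
+@cookie ||= Support::Network::HTTP::Cookie.new
+@cookie[name] = value
+end
+
+option :referer, short: '-R',
+value: {
+type: String,
+usage: 'URL',
+},
+desc: 'Sets the Referer header' do |referer|
+@referer = referer
+end
+
+option :form_param, short: '-F',
+value: {
+type: /[^\s=]+=\w+/,
+usage: 'NAME=VALUE'
+},
+desc: 'Sets an additional form param' do |param|
+name, value = param.split('=',2)
+
+@form_data ||= {}
+@form_data[name] = value
+end
+
+option :test_query_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the URL query param name' do |name|
+@test_query_params ||= Set.new
+@test_query_params << name
+end
+
+option :test_all_query_params, desc: 'Test all URL query param names' do
+@test_all_query_params = true
+end
+
+option :test_header_name, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the HTTP Header name' do |name|
+@test_header_names ||= Set.new
+@test_header_names << name
+end
+
+option :test_cookie_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the HTTP Cookie name' do |name|
+@test_cookie_params ||= Set.new
+@test_cookie_params << name
+end
+
+option :test_all_cookie_params, desc: 'Test all Cookie param names' do
+@test_all_cookie_params = true
+end
+
+option :test_form_param, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Tests the form param name' do |name|
+@test_form_params ||= Set.new
+@test_form_params << name
+end
+
+option :input, short: '-i',
+value: {
+type: String,
+usage: 'FILE'
+},
+desc: 'Reads URLs from the list file'
+
+argument :url, required: false,
+repeats: true,
+desc: 'The URL(s) to scan'
+
+# The scan mode.
+#
+# @return [:first, :all]
+# * `:first` - Only find the first vulnerability for each URL.
+# * `:all` - Find all vulnerabilities for each URL.
+attr_reader :scan_mode
+
+# Additional headers.
+#
+# @return [Hash{String => String}, nil]
+attr_reader :headers
+
+# The raw `Cookie` header to send.
+#
+# @return [String, nil]
+attr_reader :raw_cookie
+
+# The optional `Cookie` header to send.
+#
+# @return [Ronin::Support::Network::HTTP::Cookie, nil]
+attr_reader :cookie
+
+# The optional `Referer` header to send.
+#
+# @return [String, nil]
+attr_reader :referer
+
+# Additional form params.
+#
+# @return [Hash{String => String}, nil]
+attr_reader :form_data
+
+# The URL query params to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_query_params
+
+# Indiciates whether to test all of the query params of the URL.
+#
+# @return [Boolean, nil]
+attr_reader :test_all_query_params
+
+# The HTTP Header names to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_header_names
+
+# The HTTP Cookie to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_cookie_params
+
+# Indiciates whether to test all `Cookie` params for the URL.
+#
+# @return [Boolean, nil]
+attr_reader :test_all_cookie_params
+
+# The form params to test.
+#
+# @return [Set<String>, nil]
+attr_reader :test_form_params
+
+#
+# Initializes the command.
+#
+# @param [Hash{Symbol => Object}] kwargs
+# Additional keyword arguments.
+#
+def initialize(**kwargs)
+super(**kwargs)
+
+@scan_mode = :first
+end
+
+#
+# Runs the command.
+#
+# @param [Array<String>] urls
+# The URL(s) to scan.
+#
+def run(*urls)
+if options[:input]
+File.open(options[:input]) do |file|
+file.each_line(chomp: true) do |url|
+process_url(url)
+end
+end
+elsif !urls.empty?
+urls.each do |url|
+process_url(url)
+end
+else
+print_error "must specify URL(s) or --input"
+exit(-1)
+end
+end
+
+#
+# Prcesses a URL.
+#
+# @param [String] url
+# A URL to scan.
+#
+def process_url(url)
+if @scan_mode == :first
+if (first_vuln = test_url(url))
+print_vuln(first_vuln)
+end
+else
+scan_url(url) do |vuln|
+print_vuln(vuln)
+end
+end
+end
+
+#
+# The keyword arguments for {WebVuln.scan}.
+#
+# @return [Hash{String => String}]
+# The keyword arguments.
+#
+def scan_kwargs
+kwargs = {}
+
+kwargs[:headers] = @headers if @headers
+
+if @raw_cookie
+kwargs[:cookie] = @raw_cookie
+elsif @cookie
+kwargs[:cookie] = @cookie
+end
+
+kwargs[:referer] = @referer if @referer
+kwargs[:form_data] = @form_data if @form_data
+
+if @test_query_params
+kwargs[:query_params] = @test_query_params
+elsif @test_all_query_params
+kwargs[:query_params] = true
+end
+
+kwargs[:header_names] = @test_header_names if @test_header_names
+
+if @test_cookie_params
+kwargs[:cookie_params] = @test_cookie_params
+elsif @test_all_cookie_params
+kwargs[:cookie_params] = true
+end
+
+kwargs[:form_params] = @test_form_params if @test_form_params
+
+return kwargs
+end
+
+#
+# Scans a URL for web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to scan.
+#
+# @yield [vuln]
+# The given block will be passed each discovered web vulnerability.
+#
+# @yieldparam [WebVuln] vuln
+# A web vulnerability discovered on the URL.
+#
+# @abstract
+#
+def scan_url(url,&block)
+raise(NotImplementedError,"#{self.class}#scan_url was not defined")
+end
+
+#
+# Tests a URL for web vulnerabiltiies.
+#
+# @param [String] url
+# The URL to test.
+#
+# @return [WebVuln, nil] vuln
+# The first web vulnerability discovered on the URL.
+#
+# @abstract
+#
+def test_url(url)
+raise(NotImplementedError,"#{self.class}#test_url was not defined")
+end
+
+end
+end
+end
+end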
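Review bot: `option :first, short: '-F'` at line 38 and `option :form_param, short: '-F'` at line 90 register the same short flag, so one of the two is shadowed (which one depends on how the option framework resolves duplicates); the usage text in ssti.rb lists `--first` with no short form and `-F` as `--form-param`, so dropping the short from the first declaration, `option :first, desc: 'Only find the first vulnerability for each URL' do`, matches the documented interface. `process_url` at lines 263 and 267 calls `print_vuln`, but the included `Logging` module on this page defines `log_vuln`; unless `Command` (cli/command.rb, not shown here) defines `print_vuln`, the first finding raises NoMethodError, and `log_vuln(first_vuln)` / `log_vuln(vuln)` is what the included module provides. The `scan_kwargs` doc at line 275 says `@return [Hash{String => String}]`, while every key the body sets is a Symbol and the values include Sets and `true`; `# @return [Hash{Symbol => Object}]` matches the body and the subclass doc in ssti.rb. `run` at line 240 hands every line of the `--input` file to `process_url`, blank lines included; a `next if url.empty?` before the call would avoid scanning an empty URL.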
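--- a/data/lib/ronin/vulns/cli.rb
+++ b/data/lib/ronin/vulns/cli.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'command_kit/commands'
+require 'command_kit/commands/auto_load'
+
+module Ronin
+module Vulns
+#
+# The `ronin-vulns` command-line interface (CLI).
+#
+# @api private
+#
+class CLI
+
+include CommandKit::Commands
+include CommandKit::Commands::AutoLoad.new(
+dir: "#{__dir__}/cli/commands",
+namespace: "#{self}::Commands"
+)
+
+command_name 'ronin-vulns'
+
+command_aliases['xss'] = 'reflected-xss'
+
+end
+end
+end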
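--- a/data/lib/ronin/vulns/lfi/test_file.rb
+++ b/data/lib/ronin/vulns/lfi/test_file.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library to blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+module Ronin
+module Vulns
+class LFI < WebVuln
+#
+# Represents a single Local File Inclusion (LFI) test for a given file
+# path and a regexp that matches the file.
+#
+# @api private
+#
+class TestFile
+
+# The path of the file to attempt including.
+#
+# @return [String]
+attr_reader :path
+
+# The regexp to identify a successful Local File Inclusion (LFI)
+# of the {#path}.
+#
+# @return [Regexp]
+attr_reader :regexp
+
+#
+# Initializes the Local File Inclusion (LFI) test.
+#
+# @param [String] path
+# The path to attempt including.
+#
+# @param [Regexp] regexp
+# The regexp to identify a successful Local File Inclusion (LFI)
+# of the {#path}.
+#
+def initialize(path,regexp)
+@path = path
+@regexp = regexp
+end
+
+#
+# Tests whether the file was successfully included into the response
+# body.
+#
+# @param [String] response_body
+# The HTTP response body.
+#
+# @return [MatchData, nil]
+# The match data if the {#regexp} is found within the response body.
+#
+def match(response_body)
+response_body.match(@regexp)
+end
+
+#
+# Tests whether the file was successfully included into the response
+# body.
+#
+# @param [String] response_body
+# The HTTP response body.
+#
+# @return [Integer, nil]
+# Indicates whether the {#regexp} was found in the response body.
+#
+def =~(response_body)
+response_body =~ @regexp
+end
+
+end
+end
+end
+end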
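Review bot: The license header at line 3 reads `A Ruby library to blind vulnerability testing` and line 5 gives `Copyright (c) 2022`, while every other file in this release uses `# ronin-vulns - A Ruby library for blind vulnerability testing.` and `2007-2022`; align this header with the rest of the gem. The `=~` doc at line 82 says "Indicates whether the {#regexp} was found", but the method returns the match offset or `nil`, so `# The index of the first match of {#regexp} within the response body, or nil.` describes the actual return. `match` and `=~` carry an identical summary at lines 61 and 75; the first could read `# Matches the {#regexp} against the response body.` so the two entries are distinguishable in generated docs.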