ronin-vulns 0.1.0.beta1

data/lib/ronin/vulns/reflected_xss/test_string.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+module Ronin
+  module Vulns
+    class ReflectedXSS < WebVuln
+      #
+      # A test string of characters to determine which special characters are
+      # escaped/filtered and which are passed through.
+      #
+      # @api private
+      #
+      class TestString
+
+        # The test string.
+        #
+        # @return [String]
+        attr_reader :string
+
+        # The test regexp to determine which special characters were
+        # escaped/filtered and which were passed through unescaped.
+        #
+        # @return [Regexp]
+        attr_reader :regexp
+
+        #
+        # Initializes the test string.
+        #
+        # @param [String] string
+        #   The test string.
+        #
+        # @param [Regexp] regexp
+        #   The test regexp to determine which special characters were
+        #   escaped/filtered and which were passed through unescaped.
+        #
+        def initialize(string,regexp)
+          @string = string
+          @regexp = regexp
+        end
+
+        # Special characters and their common escaped equivalents.
+        ESCAPED_CHARS = {
+          "'" => ['%27', '&#39;', "\\'"],
+          '"' => ['%22', '&quot;', "\\\""],
+          ' ' => ['+', '%20', '&nbsp;'],
+          '=' => ['%3D'],
+          '/' => ['%2F'],
+          '<' => ['%3C', '&lt;'],
+          '>' => ['%3E', '&gt;'],
+          '&' => ['%26', '&amp;'],
+        }
+
+        #
+        # Builds a test string from a mapping of characters and their HTML
+        # escaped equivalents.
+        #
+        # @param [String] chars
+        #   The characters for the test string.
+        #
+        # @return [TestString]
+        #   The built test string.
+        #
+        def self.build(chars)
+          string = String.new
+          regexp = String.new
+
+          chars.each_char do |char|
+            string << char
+
+            regexp << "(?:(#{Regexp.escape(char)})"
+
+            if (escaped_chars = ESCAPED_CHARS[char])
+              escaped_chars.each do |string|
+                regexp << "|#{Regexp.escape(string)}"
+              end
+            end
+
+            regexp << ')?'
+          end
+
+          return new(string,Regexp.new(regexp))
+        end
+
+        #
+        # Wraps the test string with a prefix and suffix.
+        #
+        # @param [String] prefix
+        #   The prefix string to prepend to the test string.
+        #
+        # @param [String] suffix
+        #   The suffix string to append to the test string.
+        #
+        # @return [TestString]
+        #   The new test string with the prefix and suffix.
+        #
+        def wrap(prefix,suffix)
+          self.class.new(
+            "#{prefix}#{@string}#{suffix}",
+            /#{Regexp.escape(prefix)}#{@regexp}#{Regexp.escape(suffix)}/
+          )
+        end
+
+        #
+        # Matches the response body against {#regexp}.
+        #
+        # @param [String] body
+        #   The response body to try matching.
+        #
+        # @return [MatchData, nil]
+        #   The match data or `nil` if the body did not match {#regexp}.
+        #
+        def match(body)
+          body.match(@regexp)
+        end
+
+        #
+        # Converts the test string to a String.
+        #
+        # @return [String]
+        #   The {#string}.
+        #
+        def to_s
+          @string
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/vulns/reflected_xss.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+require 'ronin/vulns/reflected_xss/test_string'
+require 'ronin/vulns/reflected_xss/context'
+
+require 'set'
+
+module Ronin
+  module Vulns
+    #
+    # Represents a (Reflected) Cross Site Scripting (XSS) vulnerability.
+    #
+    # ## Features
+    #
+    # * Tests a URL with just one HTTP request (per param).
+    # * Tests which HTML special characters are allowed.
+    # * Identifies the context, tag name, and/or attribute name of the XSS.
+    # * Determines viability of XSS based on the context.
+    # * Includes random data in the test values.
+    #
+    class ReflectedXSS < WebVuln
+
+      # The characters that are allowed and will not be escaped or filtered.
+      #
+      # @return [Set<String>, nil]
+      attr_reader :allowed_chars
+
+      # The context the XSS occurred in.
+      #
+      # @return [Context, nil]
+      attr_reader :context
+
+      #
+      # Tests the test string by sending an HTTP request with the test string
+      # embedded.
+      #
+      # @param [TestString] test_string
+      #
+      # @yield [body, match]
+      #   If the response was `text/html` and the test string appears (at least
+      #   partially) in the response body, the response body and match data will
+      #   be yielded.
+      #
+      # @yieldparam [String] body
+      #   The response body.
+      #
+      # @yieldparam [MatchData] match
+      #   The matched data for the test string.
+      #
+      # @api private
+      #
+      def test_string(test_string)
+        test_string = test_string.wrap(random_value,random_value)
+
+        response     = exploit("#{original_value}#{test_string}")
+        content_type = response.content_type
+        body         = response.body
+
+        if content_type && content_type.include?('text/html')
+          if (match = test_string.match(body))
+            yield body, match
+          end
+        end
+      end
+
+      #
+      # Tests whether characters in the test string will be escaped/filtered or
+      # passed through and updates {#allowed_chars}.
+      #
+      # @param [TestString] test_string
+      #   The test string to send.
+      #
+      # @yield [body, match]
+      #   If a block is given, it will be passed the response body and the 
+      #   regular expression match data, if the response contains the test
+      #   string.
+      #
+      # @yieldparam [String] body
+      #   The response body.
+      #
+      # @yieldparam [MatchData] match
+      #   The matched data for the test string.
+      #
+      # @api private
+      #
+      def test_chars(test_string)
+        test_string(test_string) do |body,match|
+          @allowed_chars ||= Set.new
+          @allowed_chars.merge(match.captures.compact)
+
+          yield body, match if block_given?
+        end
+      end
+
+      # HTML special characters to test.
+      HTML_TEST_STRING = TestString.build("'\"= /><")
+
+      #
+      # Tests which HTML characters are accepted or escaped/filtered.
+      #
+      # @yield [body, match]
+      #   If a block is given, it will be passed the response body and the 
+      #   regular expression match data, if the response contains the test
+      #   string.
+      #
+      # @yieldparam [String] body
+      #   The response body.
+      #
+      # @yieldparam [MatchData] match
+      #   The matched data for the test string.
+      #
+      # @api private
+      #
+      def test_html_chars(&block)
+        test_chars(HTML_TEST_STRING,&block)
+      end
+
+      #
+      # Tests whether the URL is vulnerable to (Reflected) Cross Site Scripting
+      # (XSS).
+      #
+      # @return [Boolean]
+      #   Indicates whether the URL is vulnerable to (Reflected) Cross Site
+      #   Scripting (XSS).
+      #
+      # @note
+      #   If the URL is vulnerable, {#allowed_chars} and {#context} will be set.
+      #
+      def vulnerable?
+        # test HTML special characters
+        test_html_chars do |body,match|
+          xss_index = match.begin(0)
+
+          # determine the contents which the XSS occurs
+          if (@context = Context.identify(body,xss_index))
+            # determine whether enough special HTML characters are allowed to
+            # escape the context which the XSS occurs.
+            return @context.viable?(@allowed_chars)
+          end
+        end
+
+        return false
+      end
+
+      #
+      # Returns the type or kind of vulnerability.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an vulnerability class to a printable
+      #   type.
+      #
+      # @api private
+      #
+      # @abstract
+      #
+      def self.vuln_type
+        :reflected_xss
+      end
+
+    end
+  end
+end

data/lib/ronin/vulns/rfi.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+require 'ronin/vulns/version'
+
+require 'ronin/support/network/http'
+require 'uri/query_params'
+
+module Ronin
+  module Vulns
+    #
+    # Represents a Remote File Inclusion (RFI) vulnerability.
+    #
+    class RFI < WebVuln
+
+      # The script extensions and their languages
+      URL_EXTS = {
+        '.asp'  => :asp,
+        '.aspx' => :asp_net,
+        '.cfm'  => :cold_fusion,
+        '.cfml' => :cold_fusion,
+        '.jsp'  => :jsp,
+        '.php'  => :php,
+        '.pl'   => :perl
+      }
+
+      # The github.com base URL for all RFI test scripts.
+      GITHUB_BASE_URL = "https://raw.githubusercontent.com/ronin-rb/ronin-vulns/#{VERSION}/data"
+
+      # Mapping of scripting languages to RFI test scripts.
+      TEST_SCRIPT_URLS = {
+        asp:         "#{GITHUB_BASE_URL}/rfi_test.asp",
+        asp_net:     "#{GITHUB_BASE_URL}/rfi_test.aspx",
+        cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
+        jsp:         "#{GITHUB_BASE_URL}/rfi_test.jsp",
+        php:         "#{GITHUB_BASE_URL}/rfi_test.php",
+        perl:        "#{GITHUB_BASE_URL}/rfi_test.pl"
+      }
+
+      # The string that will be returned if the Remote File Inclusion (RFI)
+      # script is executed.
+      VULN_RESPONSE_STRING = "Security Alert: Remote File Inclusion Detected!"
+
+      # The filter bypass technique to use.
+      #
+      # @return [nil, :double_encode, :suffix_escape, :null_byte]
+      attr_reader :filter_bypass
+
+      # URL of the Remote File Inclusion (RFI) Test script
+      # 
+      # @return [URI::HTTP, String]
+      attr_reader :test_script_url
+
+      #
+      # Creates a new Remote File Inclusion (RFI) object.
+      #
+      # @param [String, URI::HTTP] url
+      #   The URL to attempt to exploit.
+      #
+      # @param [:null_byte, :double_encode, nil] filter_bypass
+      #   Specifies which filter bypass technique to use.
+      #   * `:double_encode` - will cause the inclusion URL to be URI escaped
+      #     twice.
+      #   * `:suffix_escape` - escape any appended suffix (ex: `param + ".php"`)
+      #     by adding a URI fragment character (`#`) to the end of the RFI
+      #     script URL. The fragment component of the URI is not sent to the
+      #     web server.
+      #   * `:null_byte` - will cause the inclusion URL to be appended with a
+      #     `%00` character. **Note:* this technique only works on PHP < 5.3.
+      #
+      # @param [:asp, :asp_net, :cold_fusion, :jsp, :php, :perl, nil] script_lang
+      #   Explicitly specifies the scripting language that the URL uses.
+      #
+      # @param [String, URI::HTTP, nil] test_script_url
+      #   The URL of the RFI test script. If not specified, it will default to
+      #   {test_script_for}.
+      #
+      def initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs)
+        super(url,**kwargs)
+
+        @test_script_url = if test_script_url
+                             test_script_url
+                           elsif script_lang
+                             self.class.test_script_url_for(script_lang)
+                           else
+                             self.class.test_script_for(@url)
+                           end
+
+        @filter_bypass = filter_bypass
+      end
+
+      #
+      # Returns the test script URL for the given scripting language.
+      #
+      # @param [:asp, :asp_net, :cold_fusion, :jsp, :php, :perl] script_lang
+      #   The scripting language.
+      #
+      # @return [String]
+      #   The test script URL for the given scripting language.
+      #
+      # @raise [ArgumentError]
+      #   An unknown scripting language value was given.
+      #
+      def self.test_script_url_for(script_lang)
+        TEST_SCRIPT_URLS.fetch(script_lang) do
+          raise(ArgumentError,"unknown scripting language: #{script_lang.inspect}")
+        end
+      end
+
+      #
+      # Attempts to infer the programming language used for the web page at the
+      # given URL.
+      #
+      # @param [String, URI::HTTP] url
+      #   The URL to infer from.
+      #
+      # @return [:asp, :cold_fusion, :jsp, :php, :perl, nil]
+      #   The programming language inferred from the URL.
+      #
+      def self.infer_script_lang(url)
+        url = URI(url)
+
+        return URL_EXTS[File.extname(url.path)]
+      end
+
+      #
+      # Selects the RFI test script for the scripting language used by the given
+      # URL.
+      #
+      # @param [String, URI::HTTP] url
+      #   The URL to test.
+      #
+      # @return [String, nil]
+      #   The RFI test script URL or `nil` if the scripting language could not
+      #   be inferred from the URL.
+      #
+      def self.test_script_for(url)
+        if (lang = infer_script_lang(url))
+          TEST_SCRIPT_URLS.fetch(lang)
+        end
+      end
+
+      #
+      # Optionally applies a filter bypass technique to the RFI URL.
+      #
+      # @param [URI::HTTP, String] url
+      #   The RFI URL to optionall encode before it will be injected into a
+      #   HTTP request.
+      #
+      # @return [String]
+      #   The optionally encoded RFI URL.
+      #
+      def encode_payload(url)
+        url = url.to_s
+
+        case @filter_bypass
+        when :double_encode
+          # Optionally double URI encodes the script URL
+          url = URI::QueryParams.escape(url)
+        when :suffix_escape
+          # Optionally append a '#' character to escape any appended suffixes
+          # (ex: `param + ".php"`).
+          url = "#{url}#"
+        when :null_byte
+          # Optionally append a null-byte
+          # NOTE: uri-query_params will automatically URI encode the null byte
+          url = "#{url}\0"
+        end
+
+        return url
+      end
+
+      #
+      # Tests whether the URL and query parameter are vulnerable to Remote File
+      # Inclusion (RFI).
+      #
+      # @return [Boolean]
+      #   Specifies whether the URL and query parameter are vulnerable to RFI.
+      #
+      def vulnerable?
+        response = exploit(@test_script_url)
+        body     = response.body
+
+        return body.include?(VULN_RESPONSE_STRING)
+      end
+
+      #
+      # Returns the type or kind of vulnerability.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an vulnerability class to a printable
+      #   type.
+      #
+      # @api private
+      #
+      # @abstract
+      #
+      def self.vuln_type
+        :rfi
+      end
+
+    end
+  end
+end

data/lib/ronin/vulns/root.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Vulns
+    # Path to `ronin-vulns` root directory.
+    #
+    # @api private
+    ROOT = File.expand_path(File.join(__dir__,'..','..','..'))
+  end
+end

data/lib/ronin/vulns/sqli/error_pattern.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+module Ronin
+  module Vulns
+    class SQLI < WebVuln
+      #
+      # Represents a collection of patterns for SQL error messages for a
+      # particular database.
+      #
+      # @api private
+      #
+      class ErrorPattern
+
+        # The combined error message regexp.
+        #
+        # @return [Regexp]
+        attr_reader :regexp
+
+        #
+        # Initializes the error pattern.
+        #
+        # @param [Regexp] regexp
+        #   The combined of regular expression.
+        #
+        def initialize(regexp)
+          @regexp = regexp
+        end
+
+        #
+        # Creates an error pattern from multiple different regexps.
+        #
+        # @param [Array<Regexp>] regexps
+        #   The collection of regular expressions.
+        #
+        def self.[](*regexps)
+          new(Regexp.union(regexps))
+        end
+
+        #
+        # Tests whether the respones body contains a SQL error.
+        #
+        # @param [String] response_body
+        #   The HTTP response body.
+        #
+        # @return [MatchData, nil]
+        #   The match data if the {#regexp} is found within the response body.
+        #
+        def match(response_body)
+          @regexp.match(response_body)
+        end
+
+        #
+        # Tests whether the file was successfully included into the response
+        # body.
+        #
+        # @param [String] response_body
+        #   The HTTP response body.
+        #
+        # @return [Integer, nil]
+        #   Indicates whether the {#regexp} was found in the response body.
+        #
+        def =~(response_body)
+          response_body =~ @regexp
+        end
+
+      end
+    end
+  end
+end