ronin-vulns 0.1.2 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.document +0 -1
- data/ChangeLog.md +10 -0
- data/Gemfile +2 -2
- data/lib/ronin/vulns/reflected_xss/context.rb +20 -6
- data/lib/ronin/vulns/sqli.rb +25 -13
- data/lib/ronin/vulns/ssti.rb +11 -11
- data/lib/ronin/vulns/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b260c485d9272af5724bed43fc2959995463f8b78e276bf669d1bb98740e917c
|
|
4
|
+
data.tar.gz: de99077b9d9fe73bd167309af9c7c6d7688bd03a02d2af9bd2fc8eae133aa43a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1f4ce00d82035a11ade026eb6deee9be1244b499d692e47d4961be3cfc2a2dd9d8c609b6c11c5fab72e454f5ccc60adf9dd6ab7e4ceced5b0df9ea27fc18ec27
|
|
7
|
+
data.tar.gz: fb41c677b9eaf56c3cc3fabc028db365061ed98e745dfc3bf942238ebd6c2b642716a2e5dc7f010bb9fa2249112bf4ab66db715d35221783104a3702c694aeea
|
data/.document
CHANGED
data/ChangeLog.md
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
### 0.1.3 / 2023-07-07
|
|
2
|
+
|
|
3
|
+
* Fixed a bug in {Ronin::Vulns::SSTI.scan} where when called without `escape:`
|
|
4
|
+
it would not return all found vulnerabilities.
|
|
5
|
+
* Fixed a bug in {Ronin::Vulns::SQLI.scan} where repeat requests would be sent
|
|
6
|
+
even if `escape_quote:`, `escape_parens:`, or `terminate:` keyword arguments
|
|
7
|
+
are given.
|
|
8
|
+
* Improved {Ronin::Vulns::ReflectedXSS::Context} to detect when the XSS occurs
|
|
9
|
+
after or *inside of* an HTML comment.
|
|
10
|
+
|
|
1
11
|
### 0.1.2 / 2023-03-01
|
|
2
12
|
|
|
3
13
|
* Require `ronin-support` ~> 1.0, >= 1.0.1
|
data/Gemfile
CHANGED
|
@@ -10,9 +10,9 @@ gem 'jruby-openssl', '~> 0.7', platforms: :jruby
|
|
|
10
10
|
# branch: '0.4.0'
|
|
11
11
|
|
|
12
12
|
# Ronin dependencies
|
|
13
|
-
# gem 'ronin-support', '~> 1.0', github:
|
|
13
|
+
# gem 'ronin-support', '~> 1.0', github: 'ronin-rb/ronin-support',
|
|
14
14
|
# branch: 'main'
|
|
15
|
-
# gem 'ronin-core', '~> 0.1', github:
|
|
15
|
+
# gem 'ronin-core', '~> 0.1', github: 'ronin-rb/ronin-core',
|
|
16
16
|
# branch: 'main'
|
|
17
17
|
|
|
18
18
|
group :development do
|
|
@@ -30,7 +30,7 @@ module Ronin
|
|
|
30
30
|
|
|
31
31
|
# Where in the HTML the XSS occurs.
|
|
32
32
|
#
|
|
33
|
-
# @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body]
|
|
33
|
+
# @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment]
|
|
34
34
|
# The context which the XSS occurs in.
|
|
35
35
|
# * `:tag_body` occurred within a tag's body (ex: `<tag>XSS...</tag>`)
|
|
36
36
|
# * `:double_quoted_attr_value` - occurred in a double quoted
|
|
@@ -44,13 +44,14 @@ module Ronin
|
|
|
44
44
|
# * `:attr_list` - occurred in the attribute list
|
|
45
45
|
# (ex: `<tag XSS>...</tag>`)
|
|
46
46
|
# * `:tag_name` - occurred in the tag name (ex: `<tagXSS>...</tag>`)
|
|
47
|
+
# * `:comment` - occurred in a comment (ex: `<!-- XSS -->`)
|
|
47
48
|
#
|
|
48
49
|
# @api public
|
|
49
50
|
attr_reader :location
|
|
50
51
|
|
|
51
52
|
# The name of the parent tag which the XSS occurs in.
|
|
52
53
|
#
|
|
53
|
-
# @return [String]
|
|
54
|
+
# @return [String, nil]
|
|
54
55
|
#
|
|
55
56
|
# @api public
|
|
56
57
|
attr_reader :tag
|
|
@@ -65,9 +66,9 @@ module Ronin
|
|
|
65
66
|
#
|
|
66
67
|
# Initializes the context.
|
|
67
68
|
#
|
|
68
|
-
# @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body] location
|
|
69
|
+
# @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment] location
|
|
69
70
|
#
|
|
70
|
-
# @param [String] tag
|
|
71
|
+
# @param [String, nil] tag
|
|
71
72
|
#
|
|
72
73
|
# @param [String, nil] attr
|
|
73
74
|
#
|
|
@@ -100,6 +101,11 @@ module Ronin
|
|
|
100
101
|
# @api private
|
|
101
102
|
ATTR_LIST = /(?:\s+#{ATTR})*/
|
|
102
103
|
|
|
104
|
+
# HTML comment regexp.
|
|
105
|
+
#
|
|
106
|
+
# @api private
|
|
107
|
+
COMMENT = /<![^>]*>/
|
|
108
|
+
|
|
103
109
|
# HTML tag name regexp.
|
|
104
110
|
#
|
|
105
111
|
# @api private
|
|
@@ -108,7 +114,7 @@ module Ronin
|
|
|
108
114
|
# Regexp matching when an XSS occurs within a tag's inner HTML.
|
|
109
115
|
#
|
|
110
116
|
# @api private
|
|
111
|
-
IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)[^<>]*\z}
|
|
117
|
+
IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)([^<>]|#{COMMENT})*\z}
|
|
112
118
|
|
|
113
119
|
# Regexp matching when an XSS occurs within a double-quoted attribute
|
|
114
120
|
# value.
|
|
@@ -142,6 +148,11 @@ module Ronin
|
|
|
142
148
|
# @api private
|
|
143
149
|
IN_TAG_NAME = /<(#{TAG_NAME})\z/
|
|
144
150
|
|
|
151
|
+
# Regexp matching when an XSS occurs within a comment.
|
|
152
|
+
#
|
|
153
|
+
# @api private
|
|
154
|
+
IN_COMMENT = /<![^>]*\z/
|
|
155
|
+
|
|
145
156
|
#
|
|
146
157
|
# Determine the context of the XSS by checking the characters that come
|
|
147
158
|
# before the given index.
|
|
@@ -174,6 +185,8 @@ module Ronin
|
|
|
174
185
|
new(:attr_list, tag: match[1])
|
|
175
186
|
elsif (match = prefix.match(IN_TAG_NAME))
|
|
176
187
|
new(:tag_name, tag: match[1])
|
|
188
|
+
elsif prefix.match?(IN_COMMENT)
|
|
189
|
+
new(:comment)
|
|
177
190
|
end
|
|
178
191
|
end
|
|
179
192
|
|
|
@@ -193,7 +206,8 @@ module Ronin
|
|
|
193
206
|
attr_name: MINIMAL_REQUIRED_CHARS,
|
|
194
207
|
attr_list: MINIMAL_REQUIRED_CHARS,
|
|
195
208
|
tag_name: MINIMAL_REQUIRED_CHARS,
|
|
196
|
-
tag_body: MINIMAL_REQUIRED_CHARS
|
|
209
|
+
tag_body: MINIMAL_REQUIRED_CHARS,
|
|
210
|
+
comment: MINIMAL_REQUIRED_CHARS
|
|
197
211
|
}
|
|
198
212
|
|
|
199
213
|
#
|
data/lib/ronin/vulns/sqli.rb
CHANGED
|
@@ -105,6 +105,18 @@ module Ronin
|
|
|
105
105
|
# @param [URI::HTTP, String] url
|
|
106
106
|
# The URL to test or exploit.
|
|
107
107
|
#
|
|
108
|
+
# @param [Array<Boolean>, Boolean] escape_quote
|
|
109
|
+
# Controls whether to escape a quoted string value. If not specified,
|
|
110
|
+
# with and without quoted string escaping will be tested.
|
|
111
|
+
#
|
|
112
|
+
# @param [Array<Boolean>, Boolean] escape_parens
|
|
113
|
+
# Controls whether to escape parenthesis. If not specified, with and
|
|
114
|
+
# without parenthesis escaping will be tested.
|
|
115
|
+
#
|
|
116
|
+
# @param [Array<Boolean>, Boolean] terminate
|
|
117
|
+
# Controls whether to terminate the SQL statement with `--`.
|
|
118
|
+
# If not specified, with and without `--` terminate will be tested.
|
|
119
|
+
#
|
|
108
120
|
# @param [Ronin::Support::Network::HTTP, nil] http
|
|
109
121
|
# An HTTP session to use for testing the URL.
|
|
110
122
|
#
|
|
@@ -115,28 +127,28 @@ module Ronin
|
|
|
115
127
|
# If a block is given it will be yielded each discovered SQL injection
|
|
116
128
|
# vulnerability.
|
|
117
129
|
#
|
|
118
|
-
# @yieldparam [
|
|
130
|
+
# @yieldparam [SQLI] sqli
|
|
119
131
|
# A discovered SQL injection vulnerability in the URL.
|
|
120
132
|
#
|
|
121
|
-
# @return [Array<
|
|
133
|
+
# @return [Array<SQLI>]
|
|
122
134
|
# All discovered SQL injection vulnerabilities.
|
|
123
135
|
#
|
|
124
|
-
def self.scan(url,
|
|
136
|
+
def self.scan(url, escape_quote: [false, true],
|
|
137
|
+
escape_parens: [false, true],
|
|
138
|
+
terminate: [false, true],
|
|
139
|
+
# WebVuln.scan keyword arguments
|
|
140
|
+
http: nil, **kwargs, &block)
|
|
125
141
|
url = URI(url)
|
|
126
142
|
http ||= Support::Network::HTTP.connect_uri(url)
|
|
127
143
|
|
|
128
|
-
escape_quotes = [false, true]
|
|
129
|
-
escape_parens = [false, true]
|
|
130
|
-
terminations = [false, true]
|
|
131
|
-
|
|
132
144
|
vulns = []
|
|
133
145
|
|
|
134
|
-
|
|
135
|
-
escape_parens.each do |
|
|
136
|
-
|
|
137
|
-
vulns.concat(super(url, escape_quote:
|
|
138
|
-
escape_parens:
|
|
139
|
-
terminate:
|
|
146
|
+
Array(escape_quote).each do |escape_quote_value|
|
|
147
|
+
Array(escape_parens).each do |escape_parens_value|
|
|
148
|
+
Array(terminate).each do |terminate_value|
|
|
149
|
+
vulns.concat(super(url, escape_quote: escape_quote_value,
|
|
150
|
+
escape_parens: escape_parens_value,
|
|
151
|
+
terminate: terminate_value,
|
|
140
152
|
http: http,
|
|
141
153
|
**kwargs,
|
|
142
154
|
&block))
|
data/lib/ronin/vulns/ssti.rb
CHANGED
|
@@ -102,13 +102,13 @@ module Ronin
|
|
|
102
102
|
# @param [URI::HTTP, String] url
|
|
103
103
|
# The URL to scan.
|
|
104
104
|
#
|
|
105
|
-
# @param [
|
|
106
|
-
# Additional keyword arguments for {#initialize}.
|
|
107
|
-
#
|
|
108
|
-
# @option kwargs [Proc, nil] :escape
|
|
105
|
+
# @param [Array<Proc>, Proc, nil] escape
|
|
109
106
|
# The escape method to use. If `escape:` is not given, then all escapes
|
|
110
107
|
# in {ESCAPES} will be tested..
|
|
111
108
|
#
|
|
109
|
+
# @param [Hash{Symbol => Object}] kwargs
|
|
110
|
+
# Additional keyword arguments for {#initialize}.
|
|
111
|
+
#
|
|
112
112
|
# @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :query_params
|
|
113
113
|
# The query param name(s) to test.
|
|
114
114
|
#
|
|
@@ -145,14 +145,14 @@ module Ronin
|
|
|
145
145
|
# @return [Array<SSTI>]
|
|
146
146
|
# All discovered SSTI vulnerabilities.
|
|
147
147
|
#
|
|
148
|
-
def self.scan(url, **kwargs,&block)
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
super(url, escape: escape, **kwargs, &block)
|
|
154
|
-
end
|
|
148
|
+
def self.scan(url, escape: ESCAPES, **kwargs,&block)
|
|
149
|
+
vulns = []
|
|
150
|
+
|
|
151
|
+
Array(escape).each do |escape_char|
|
|
152
|
+
vulns.concat(super(url, escape: escape_char, **kwargs, &block))
|
|
155
153
|
end
|
|
154
|
+
|
|
155
|
+
return vulns
|
|
156
156
|
end
|
|
157
157
|
|
|
158
158
|
#
|
data/lib/ronin/vulns/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ronin-vulns
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Postmodern
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-07-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ronin-support
|