ronin-vulns 0.1.5 → 0.2.0.rc1

data/lib/ronin/vulns/cli/web_vuln_command.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -19,9 +19,11 @@
 #
 
 require 'ronin/vulns/cli/command'
-require 'ronin/vulns/cli/logging'
+require 'ronin/vulns/cli/importable'
+require 'ronin/vulns/cli/printing'
 
 require 'ronin/support/network/http/cookie'
+require 'ronin/support/network/http/user_agents'
 
 require 'set'
 
@@ -33,8 +35,10 @@ module Ronin
       #
       class WebVulnCommand < Command
 
-        include Logging
+        include Printing
+        include Importable
 
+        option :import, desc: 'Imports discovered vulnerabilities into the database'
         option :first, short: '-F',
                        desc:  'Only find the first vulnerability for each URL' do
                          @scan_mode = :first
@@ -45,6 +49,34 @@ module Ronin
                        @scan_mode = :all
                      end
 
+        option :print_curl, desc: 'Also prints an example curl command for each vulnerability'
+
+        option :print_http, desc: 'Also prints an example HTTP request for each vulnerability'
+
+        option :request_method, short: '-M',
+                                value: {
+                                  type: {
+                                    'COPY'      => :copy,
+                                    'DELETE'    => :delete,
+                                    'GET'       => :get,
+                                    'HEAD'      => :head,
+                                    'LOCK'      => :lock,
+                                    'MKCOL'     => :mkcol,
+                                    'MOVE'      => :move,
+                                    'OPTIONS'   => :options,
+                                    'PATCH'     => :patch,
+                                    'POST'      => :post,
+                                    'PROPFIND'  => :propfind,
+                                    'PROPPATCH' => :proppatch,
+                                    'PUT'       => :put,
+                                    'TRACE'     => :trace,
+                                    'UNLOCK'    => :unlock
+                                  }
+                                },
+                                desc: 'The HTTP request method to use' do |verb|
+                                  self.request_method = verb
+                                end
+
         option :header, short: '-H',
                         value: {
                           type:  /[A-Za-z0-9-]+:\s*\w+/,
@@ -56,6 +88,25 @@ module Ronin
                           self.headers[name] = value
                         end
 
+        option :user_agent_string, short: '-U',
+                                   value: {
+                                     type:  String,
+                                     usage: 'STRING'
+                                   },
+                                   desc: 'Sets the User-Agent header' do |ua|
+                                     self.user_agent = ua
+                                   end
+
+        option :user_agent, short: '-u',
+                            value: {
+                              type: Support::Network::HTTP::UserAgents::ALIASES.transform_keys { |key|
+                                key.to_s.tr('_','-')
+                              }
+                            },
+                            desc: 'Sets the User-Agent to use' do |name|
+                              self.user_agent = name
+                            end
+
         option :cookie, short: '-C',
                         value: {
                           type: String,
@@ -148,6 +199,10 @@ module Ronin
                                    self.test_form_params << name
                                  end
 
+        option :test_all_form_params, desc: 'Tests all form param names' do
+          self.test_form_params = true
+        end
+
         option :input, short: '-i',
                        value: {
                          type:  String,
@@ -197,23 +252,68 @@ module Ronin
             exit(-1)
           end
 
-          vulns_discovered = false
+          db_connect if options[:import]
+
+          vulns = []
 
           if options[:input]
             File.open(options[:input]) do |file|
               file.each_line(chomp: true) do |url|
-                vulns_discovered ||= process_url(url)
+                process_url(url) do |vuln|
+                  vulns << vuln
+                end
               end
             end
           elsif !urls.empty?
             urls.each do |url|
-              vulns_discovered ||= process_url(url)
+              process_url(url) do |vuln|
+                vulns << vuln
+              end
             end
           end
 
-          unless vulns_discovered
-            puts colors.green("No vulnerabilities found")
-          end
+          puts unless vulns.empty?
+          print_vulns(vulns)
+        end
+
+        #
+        # Print a summary of all web vulnerabilities found.
+        #
+        # @param [Array<WebVuln>] vulns
+        #   The discovered web vulnerabilities.
+        #
+        # @param [Boolean] print_curl
+        #   Prints an example `curl` command to trigger the web vulnerability.
+        #
+        # @param [Boolean] print_http
+        #   Prints an example HTTP request to trigger the web vulnerability.
+        #
+        # @since 0.2.0
+        #
+        def print_vulns(vulns, print_curl: options[:print_curl],
+                               print_http: options[:print_http])
+          super(vulns, print_curl: print_curl,
+                       print_http: print_http)
+        end
+
+        #
+        # Prints detailed information about a discovered web vulnerability.
+        #
+        # @param [WebVuln] vuln
+        #   The web vulnerability to log.
+        #
+        # @param [Boolean] print_curl
+        #   Prints an example `curl` command to trigger the web vulnerability.
+        #
+        # @param [Boolean] print_http
+        #   Prints an example HTTP request to trigger the web vulnerability.
+        #
+        # @since 0.2.0
+        #
+        def print_vuln(vuln, print_curl: options[:print_curl],
+                             print_http: options[:print_http])
+          super(vuln, print_curl: print_curl,
+                      print_http: print_http)
         end
 
         #
@@ -222,8 +322,12 @@ module Ronin
         # @param [String] url
         #   A URL to scan.
         #
-        # @return [Boolean]
-        #   Indicates whether a vulnerability was discovered in the URL.
+        # @yield [vuln]
+        #   The given block will be passed each newly discovered web
+        #   vulnerability.
+        #
+        # @yieldparam [WebVuln] vuln
+        #   A newly discovered web vulnerability.
         #
         def process_url(url)
           unless url.start_with?('http://') || url.start_with?('https://')
@@ -231,23 +335,60 @@ module Ronin
             exit(-1)
           end
 
-          vuln_discovered = false
-
           if @scan_mode == :first
             if (first_vuln = test_url(url))
-              log_vuln(first_vuln)
-
-              vuln_discovered = true
+              process_vuln(first_vuln)
+              yield first_vuln
             end
           else
             scan_url(url) do |vuln|
-              log_vuln(vuln)
-
-              vuln_discovered = true
+              process_vuln(vuln)
+              yield vuln
             end
           end
+        end
 
-          return vuln_discovered
+        #
+        # Logs and optioanlly imports a new discovered web vulnerability.
+        #
+        # @param [WebVuln] vuln
+        #   The discovered web vulnerability.
+        #
+        # @since 0.2.0
+        #
+        def process_vuln(vuln)
+          log_vuln(vuln)
+          import_vuln(vuln) if options[:import]
+        end
+
+        #
+        # The HTTP request method to use.
+        #
+        # @return [:copy, :delete, :get, :head, :lock, :mkcol, :move,
+        #          :options, :patch, :post, :propfind, :proppatch, :put,
+        #          :trace, :unlock]
+        #
+        # @since 0.2.0
+        #
+        def request_method
+          @scan_kwargs[:request_method]
+        end
+
+        #
+        # Sets the HTTP request method to use.
+        #
+        # @param [:copy, :delete, :get, :head, :lock, :mkcol, :move,
+        #         :options, :patch, :post, :propfind, :proppatch, :put,
+        #         :trace, :unlock] new_request_method
+        #
+        # @return [:copy, :delete, :get, :head, :lock, :mkcol, :move,
+        #          :options, :patch, :post, :propfind, :proppatch, :put,
+        #          :trace, :unlock]
+        #
+        # @since 0.2.0
+        #
+        def request_method=(new_request_method)
+          @scan_kwargs[:request_method] = new_request_method
         end
 
         #
@@ -259,6 +400,49 @@ module Ronin
           @scan_kwargs[:headers] ||= {}
         end
 
+        #
+        # The optional HTTP `User-Agent` header to send.
+        #
+        # @return [String, :random, :chrome, :chrome_linux, :chrome_macos,
+        #          :chrome_windows, :chrome_iphone, :chrome_ipad,
+        #          :chrome_android, :firefox, :firefox_linux, :firefox_macos,
+        #          :firefox_windows, :firefox_iphone, :firefox_ipad,
+        #          :firefox_android, :safari, :safari_macos, :safari_iphone,
+        #          :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
+        #          :ipad, :android, nil]
+        #
+        # @since 0.2.0
+        #
+        def user_agent
+          @scan_kwargs[:user_agent]
+        end
+
+        #
+        # Sets the HTTP `User-Agent` header.
+        #
+        # @param [String, :random, :chrome, :chrome_linux, :chrome_macos,
+        #         :chrome_windows, :chrome_iphone, :chrome_ipad,
+        #         :chrome_android, :firefox, :firefox_linux, :firefox_macos,
+        #         :firefox_windows, :firefox_iphone, :firefox_ipad,
+        #         :firefox_android, :safari, :safari_macos, :safari_iphone,
+        #         :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
+        #         :ipad, :android] new_user_agent
+        #   The new `User-Agent` value to send.
+        #
+        # @return [String, :random, :chrome, :chrome_linux, :chrome_macos,
+        #          :chrome_windows, :chrome_iphone, :chrome_ipad,
+        #          :chrome_android, :firefox, :firefox_linux, :firefox_macos,
+        #          :firefox_windows, :firefox_iphone, :firefox_ipad,
+        #          :firefox_android, :safari, :safari_macos, :safari_iphone,
+        #          :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
+        #          :ipad, :android]
+        #
+        # @since 0.2.0
+        #
+        def user_agent=(new_user_agent)
+          @scan_kwargs[:user_agent] = new_user_agent
+        end
+
         #
         # The optional `Cookie` header to send.
         #
@@ -358,6 +542,18 @@ module Ronin
           @scan_kwargs[:form_params] ||= Set.new
         end
 
+        #
+        # Sets the form params to test.
+        #
+        # @param [Set<String>, true] new_form_params
+        #   The new form param names to test.
+        #
+        # @return [Set<String>, true]
+        #
+        def test_form_params=(new_form_params)
+          @scan_kwargs[:form_params] = new_form_params
+        end
+
         #
         # Scans a URL for web vulnerabilities.
         #

data/lib/ronin/vulns/cli.rb

@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -43,7 +43,8 @@ module Ronin
       command_name 'ronin-vulns'
       version Ronin::Vulns::VERSION
 
-      command_aliases['xss'] = 'reflected-xss'
+      command_aliases['xss']  = 'reflected-xss'
+      command_aliases['cmdi'] = 'command-injection'
 
     end
   end

data/lib/ronin/vulns/command_injection.rb

@@ -0,0 +1,267 @@
+# frozen_string_literal: true
+#
+# ronin-vulns - A Ruby library for blind vulnerability testing.
+#
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-vulns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-vulns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-vulns.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/vulns/web_vuln'
+
+require 'time'
+
+module Ronin
+  module Vulns
+    #
+    # Represents a Command Injection vulnerability.
+    #
+    # ## Features
+    #
+    # * Supports using `;`, `|`, `&`, and `\n` escape characters.
+    # * Supports escaping single and double-quoted strings.
+    # * Supports using `;`, `#`, and `\n` terminator characters.
+    #
+    # @since 0.2.0
+    #
+    class CommandInjection < WebVuln
+
+      # The character to use to escape a quoted string.
+      #
+      # @return [String, nil]
+      attr_reader :escape_quote
+
+      # The escape character or string to use to escape the command and execute
+      # another.
+      #
+      # @return [String]
+      attr_reader :escape_operator
+
+      # The terminator charactor to terminate the injected command with.
+      #
+      # @return [String, nil]
+      attr_reader :terminator
+
+      #
+      # Initializes the command injection vulnerability.
+      #
+      # @param [URI::HTTP, String] url
+      #   The URL to test or exploit.
+      #
+      # @param [String, nil] escape_quote
+      #   The optional character to use to escape a quoted string.
+      #
+      # @param [String] escape_operator
+      #   The escape character or string to use to escape the command
+      #   and execute another.
+      #
+      # @param [String, nil] terminator
+      #   The optional terminator character to terminate the injected command
+      #   with.
+      #
+      def initialize(url, escape_quote:    nil,
+                          escape_operator: nil,
+                          terminator:      nil,
+                          **kwargs)
+        super(url,**kwargs)
+
+        @escape_quote    = escape_quote
+        @escape_operator = escape_operator
+        @terminator      = terminator
+
+        @escape_string = build_escape_string
+      end
+
+      private
+
+      #
+      # Builds the command escape String.
+      #
+      # @return [String, nil]
+      #
+      def build_escape_string
+        if @escape_quote || @escape_operator
+          "#{original_value}#{@escape_quote}#{@escape_operator}"
+        end
+      end
+
+      public
+
+      #
+      # Scans the URL for command injections.
+      #
+      # Tests the URL and a specific query param, header name, cookie param, or
+      # form param for Command Injection by enumerating over various Command
+      # Injection escape syntaxes.
+      #
+      # @param [URI::HTTP] url
+      #   The URL to test.
+      #
+      # @param [Array<String, nil>, String, nil] escape_quote
+      #   The optional escape quote character(s) to test.
+      #
+      # @param [Array<String, nil>, String, nil] escape_operator
+      #   The optional escape operator character(s) to test.
+      #
+      # @param [Array<String, nil>, Stirng, nil] terminator
+      #   The optional command termination character(s) to test.
+      #
+      # @param [Ronin::Support::Network::HTTP, nil] http
+      #   An HTTP session to use for testing the URL.
+      #
+      # @param [Hash{Symbol => Object}] kwargs
+      #   Additional keyword arguments for {#initialize}.
+      #
+      # @option kwargs [Symbol, String, true, nil] :query_param
+      #   The query param name to test.
+      #
+      # @option kwargs [Symbol, String, nil] :header_name
+      #   The header name to test.
+      #
+      # @option kwargs [Symbol, String, true, nil] :cookie_param
+      #   The cookie param name to test.
+      #
+      # @option kwargs [Symbol, String, nil] :form_param
+      #   The form param name to test.
+      #
+      # @return [CommandInjection, nil]
+      #   The first discovered Command Injection vulnerability for the specific
+      #   query param, header name, cookie param, or form param.
+      #
+      # @api private
+      #
+      # @since 0.2.0
+      #
+      def self.test_param(url, escape_quote:    [nil, "'", '"', '`'],
+                               escape_operator: [';', '|', '&', "\n"],
+                               terminator:      [nil, ';', '#', "\n"],
+                               # keyword arguments for initialize
+                               http: , **kwargs)
+        Array(escape_quote).each do |escape_quote_char|
+          Array(escape_operator).each do |escape_operator_char|
+            Array(terminator).each do |terminator_char|
+              vuln = new(url, escape_quote:    escape_quote_char,
+                              escape_operator: escape_operator_char,
+                              terminator:      terminator_char,
+                              http:            http,
+                              **kwargs)
+
+              return vuln if vuln.vulnerable?
+            end
+          end
+        end
+
+        return nil
+      end
+
+      #
+      # Escapes the given SQL and turns it into a SQL injection.
+      #
+      # @param [#to_s] command
+      #   The command to escape.
+      #
+      # @return [String]
+      #   The escaped SQL expression.
+      #
+      def escape(command)
+        cmdi = "#{@escape_string}#{command}"
+
+        if @terminator
+          cmdi << @terminator
+        elsif (@escape_quote && cmdi.end_with?(@escape_quote))
+          cmdi.chop!
+        end
+
+        return cmdi
+      end
+
+      #
+      # Encodes the command injection payload.
+      #
+      # @see #escape
+      #
+      def encode_payload(sql)
+        escape(sql)
+      end
+
+      #
+      # Tests whether the URL is vulnerable to command injection.
+      #
+      # @return [Boolean]
+      #
+      def vulnerable?
+        test_command_output || test_sleep
+      end
+
+      # Regular expression to match the output of the `id` command.
+      ID_OUTPUT_REGEX = /uid=\d+\([^\)]+\) gid=\d+\([^\)]+\) groups=\d+\([^\)]+\)/
+
+      #
+      # Tests whether the URL is vulnerable to command injection, by executing
+      # the `id` command and the output is included in the response body.
+      #
+      # @return [Boolean]
+      #
+      # @api private
+      #
+      def test_command_output
+        response = exploit('id')
+
+        if response.body =~ ID_OUTPUT_REGEX
+          return true
+        end
+      end
+
+      #
+      # Tests whether the URL is vulnerable to command injection, by calling the
+      # sleep command to see if it takes longer for the response to be
+      # returned.
+      #
+      # @return [Boolean]
+      #
+      # @api private
+      #
+      def test_sleep
+        start_time = Time.now
+
+        exploit("sleep 5")
+
+        stop_time = Time.now
+        delta     = (stop_time - start_time)
+
+        # if the response took more than 5 seconds, our SQL sleep function
+        # probably worked.
+        return delta > 5.0
+      end
+
+      #
+      # Returns the type or kind of vulnerability.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an vulnerability class to a printable
+      #   type.
+      #
+      # @api private
+      #
+      # @abstract
+      #
+      def self.vuln_type
+        :command_injection
+      end
+
+    end
+  end
+end