ronin-vulns 0.1.5 → 0.2.0.rc1

Files changed (68) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +1 -0
  3. data/ChangeLog.md +43 -0
  4. data/Gemfile +14 -4
  5. data/README.md +7 -3
  6. data/Rakefile +9 -0
  7. data/data/completions/ronin-vulns +139 -0
  8. data/gemspec.yml +7 -1
  9. data/lib/ronin/vulns/cli/command.rb +1 -1
  10. data/lib/ronin/vulns/cli/commands/command_injection.rb +163 -0
  11. data/lib/ronin/vulns/cli/commands/completion.rb +63 -0
  12. data/lib/ronin/vulns/cli/commands/irb.rb +59 -0
  13. data/lib/ronin/vulns/cli/commands/lfi.rb +21 -9
  14. data/lib/ronin/vulns/cli/commands/open_redirect.rb +13 -1
  15. data/lib/ronin/vulns/cli/commands/reflected_xss.rb +13 -1
  16. data/lib/ronin/vulns/cli/commands/rfi.rb +13 -1
  17. data/lib/ronin/vulns/cli/commands/scan.rb +21 -9
  18. data/lib/ronin/vulns/cli/commands/sqli.rb +13 -1
  19. data/lib/ronin/vulns/cli/commands/ssti.rb +13 -1
  20. data/lib/ronin/vulns/cli/importable.rb +76 -0
  21. data/lib/ronin/vulns/cli/printing.rb +184 -0
  22. data/lib/ronin/vulns/cli/ruby_shell.rb +53 -0
  23. data/lib/ronin/vulns/cli/web_vuln_command.rb +216 -20
  24. data/lib/ronin/vulns/cli.rb +3 -2
  25. data/lib/ronin/vulns/command_injection.rb +267 -0
  26. data/lib/ronin/vulns/importer.rb +116 -0
  27. data/lib/ronin/vulns/lfi/test_file.rb +1 -1
  28. data/lib/ronin/vulns/lfi.rb +1 -1
  29. data/lib/ronin/vulns/open_redirect.rb +1 -1
  30. data/lib/ronin/vulns/reflected_xss/context.rb +1 -1
  31. data/lib/ronin/vulns/reflected_xss/test_string.rb +1 -1
  32. data/lib/ronin/vulns/reflected_xss.rb +1 -1
  33. data/lib/ronin/vulns/rfi.rb +64 -9
  34. data/lib/ronin/vulns/root.rb +1 -1
  35. data/lib/ronin/vulns/sqli/error_pattern.rb +1 -1
  36. data/lib/ronin/vulns/sqli.rb +36 -28
  37. data/lib/ronin/vulns/ssti/test_expression.rb +1 -1
  38. data/lib/ronin/vulns/ssti.rb +69 -53
  39. data/lib/ronin/vulns/url_scanner.rb +10 -1
  40. data/lib/ronin/vulns/version.rb +2 -2
  41. data/lib/ronin/vulns/vuln.rb +1 -1
  42. data/lib/ronin/vulns/web_vuln/http_request.rb +40 -1
  43. data/lib/ronin/vulns/web_vuln.rb +86 -16
  44. data/man/ronin-vulns-command-injection.1 +109 -0
  45. data/man/ronin-vulns-command-injection.1.md +112 -0
  46. data/man/ronin-vulns-completion.1 +76 -0
  47. data/man/ronin-vulns-completion.1.md +78 -0
  48. data/man/ronin-vulns-irb.1 +27 -0
  49. data/man/ronin-vulns-irb.1.md +26 -0
  50. data/man/ronin-vulns-lfi.1 +54 -51
  51. data/man/ronin-vulns-lfi.1.md +52 -20
  52. data/man/ronin-vulns-open-redirect.1 +51 -47
  53. data/man/ronin-vulns-open-redirect.1.md +50 -18
  54. data/man/ronin-vulns-reflected-xss.1 +50 -45
  55. data/man/ronin-vulns-reflected-xss.1.md +49 -17
  56. data/man/ronin-vulns-rfi.1 +54 -52
  57. data/man/ronin-vulns-rfi.1.md +52 -20
  58. data/man/ronin-vulns-scan.1 +68 -69
  59. data/man/ronin-vulns-scan.1.md +61 -29
  60. data/man/ronin-vulns-sqli.1 +54 -52
  61. data/man/ronin-vulns-sqli.1.md +52 -20
  62. data/man/ronin-vulns-ssti.1 +52 -48
  63. data/man/ronin-vulns-ssti.1.md +50 -18
  64. data/man/ronin-vulns.1 +73 -0
  65. data/man/ronin-vulns.1.md +69 -0
  66. data/scripts/setup +58 -0
  67. metadata +36 -5
  68. data/lib/ronin/vulns/cli/logging.rb +0 -81
@@ -0,0 +1,116 @@
1
+ # frozen_string_literal: true
2
+ #
3
+ # ronin-vulns - A Ruby library for blind vulnerability testing.
4
+ #
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
+ #
7
+ # ronin-vulns is free software: you can redistribute it and/or modify
8
+ # it under the terms of the GNU Lesser General Public License as published
9
+ # by the Free Software Foundation, either version 3 of the License, or
10
+ # (at your option) any later version.
11
+ #
12
+ # ronin-vulns is distributed in the hope that it will be useful,
13
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
14
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
+ # GNU Lesser General Public License for more details.
16
+ #
17
+ # You should have received a copy of the GNU Lesser General Public License
18
+ # along with ronin-vulns. If not, see <https://www.gnu.org/licenses/>.
19
+ #
20
+
21
+ require 'ronin/db'
22
+
23
+ module Ronin
24
+ module Vulns
25
+ #
26
+ # Handles importing discovered {WebVuln web vulnerability} objects into
27
+ # [ronin-db].
28
+ #
29
+ # [ronin-db]: https://github.com/ronin-rb/ronin-db#readme
30
+ #
31
+ # ## Examples
32
+ #
33
+ # require 'ronin/vulns/url_scanner'
34
+ # require 'ronin/vulns/importer'
35
+ #
36
+ # Ronin::Vulns::URLScanner.scan(url) do |vuln|
37
+ # Ronin::Vulns::Importer.import(vuln)
38
+ # end
39
+ #
40
+ # @since 0.2.0
41
+ #
42
+ module Importer
43
+ #
44
+ # Imports a web vulnerability into database.
45
+ #
46
+ # @param [WebVuln] vuln
47
+ # The web vulnerability to import.
48
+ #
49
+ # @yield [imported]
50
+ # If a block is given, it will be passed the imported database records.
51
+ #
52
+ # @yieldparam [Ronin::DB::WebVuln] imported
53
+ # The imported web vulnerability record.
54
+ #
55
+ # @return [Ronin::DB::WebVuln]
56
+ # The imported web vuln record.
57
+ #
58
+ def self.import(vuln)
59
+ imported_url = import_url(vuln.url)
60
+
61
+ attributes = {
62
+ url: imported_url,
63
+ type: vuln.class.vuln_type,
64
+
65
+ query_param: vuln.query_param,
66
+ header_name: vuln.header_name,
67
+ cookie_param: vuln.cookie_param,
68
+ form_param: vuln.form_param,
69
+ request_method: vuln.request_method
70
+ }
71
+
72
+ case vuln
73
+ when LFI
74
+ attributes[:lfi_os] = vuln.os
75
+ attributes[:lfi_depth] = vuln.depth
76
+ attributes[:lfi_filter_bypass] = vuln.filter_bypass
77
+ when RFI
78
+ attributes[:rfi_script_lang] = vuln.script_lang
79
+ attributes[:rfi_filter_bypass] = vuln.filter_bypass
80
+ when SQLI
81
+ attributes[:sqli_escape_quote] = vuln.escape_quote
82
+ attributes[:sqli_escape_parens] = vuln.escape_parens
83
+ attributes[:sqli_terminate] = vuln.terminate
84
+ when SSTI
85
+ attributes[:ssti_escape_type] = vuln.escape_type
86
+ when CommandInjection
87
+ attributes[:command_injection_escape_quote] = vuln.escape_quote
88
+ attributes[:command_injection_escape_operator] = vuln.escape_operator
89
+ attributes[:command_injection_terminator] = vuln.terminator
90
+ end
91
+
92
+ imported_vuln = DB::WebVuln.transaction do
93
+ DB::WebVuln.find_or_create_by(attributes)
94
+ end
95
+
96
+ yield imported_vuln if block_given?
97
+ return imported_vuln
98
+ end
99
+
100
+ #
101
+ # Imports a URL into the database.
102
+ #
103
+ # @param [URI, String] url
104
+ # The URL to import.
105
+ #
106
+ # @return [Ronin::DB::URL]
107
+ # The imported URL record.
108
+ #
109
+ def self.import_url(url)
110
+ DB::URL.transaction do
111
+ DB::URL.find_or_import(url)
112
+ end
113
+ end
114
+ end
115
+ end
116
+ end
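Review bot: The `case vuln` dispatch (`when LFI`, `when RFI`, `when SQLI`, `when SSTI`, `when CommandInjection`) references constants this file never loads — the only require is `require 'ronin/db'` — so `require 'ronin/vulns/importer'` on its own raises NameError at the first `when` unless the caller has already loaded those classes, as the doc example happens to do via `ronin/vulns/url_scanner`. Adding `require 'ronin/vulns/lfi'`, `ronin/vulns/rfi`, `ronin/vulns/sqli`, `ronin/vulns/ssti` and `ronin/vulns/command_injection` next to the `ronin/db` require makes the file self-contained. `import_url` and the `DB::WebVuln.find_or_create_by` call run in two separate transactions, so if creating the WebVuln row fails the URL row stays committed; wrapping both steps in a single `DB::WebVuln.transaction do ... end` keeps the import atomic. Note also that `find_or_create_by` is not race-safe against concurrent importers unless a unique index backs it — worth a comment if duplicates matter. The trailing `return imported_vuln` can be the implicit value of the method.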
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library to blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -47,11 +47,11 @@ module Ronin
47
47
 
48
48
  # Mapping of scripting languages to RFI test scripts.
49
49
  TEST_SCRIPT_URLS = {
50
+ php: "#{GITHUB_BASE_URL}/rfi_test.php",
50
51
  asp: "#{GITHUB_BASE_URL}/rfi_test.asp",
51
52
  asp_net: "#{GITHUB_BASE_URL}/rfi_test.aspx",
52
- cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
53
53
  jsp: "#{GITHUB_BASE_URL}/rfi_test.jsp",
54
- php: "#{GITHUB_BASE_URL}/rfi_test.php",
54
+ cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
55
55
  perl: "#{GITHUB_BASE_URL}/rfi_test.pl"
56
56
  }
57
57
 
@@ -59,6 +59,13 @@ module Ronin
59
59
  # script is executed.
60
60
  VULN_RESPONSE_STRING = "Security Alert: Remote File Inclusion Detected!"
61
61
 
62
+ # The scripting language that the URL is using.
63
+ #
64
+ # @return [:asp, :asp_net, :cold_fusion, :jsp, :php, :perl, nil]
65
+ #
66
+ # @since 0.2.0
67
+ attr_reader :script_lang
68
+
62
69
  # The filter bypass technique to use.
63
70
  #
64
71
  # @return [nil, :double_encode, :suffix_escape, :null_byte]
@@ -93,15 +100,18 @@ module Ronin
93
100
  # The URL of the RFI test script. If not specified, it will default to
94
101
  # {test_script_for}.
95
102
  #
96
- def initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs)
103
+ def initialize(url, script_lang: nil,
104
+ test_script_url: nil,
105
+ filter_bypass: nil,
106
+ **kwargs)
97
107
  super(url,**kwargs)
98
108
 
109
+ @script_lang = script_lang || self.class.infer_script_lang(@url)
110
+
99
111
  @test_script_url = if test_script_url
100
112
  test_script_url
101
- elsif script_lang
102
- self.class.test_script_url_for(script_lang)
103
- else
104
- self.class.test_script_for(@url)
113
+ elsif @script_lang
114
+ self.class.test_script_url_for(@script_lang)
105
115
  end
106
116
 
107
117
  @filter_bypass = filter_bypass
@@ -196,12 +206,57 @@ module Ronin
196
206
  # Specifies whether the URL and query parameter are vulnerable to RFI.
197
207
  #
198
208
  def vulnerable?
199
- response = exploit(@test_script_url)
209
+ if @test_script_url
210
+ test_a_test_script(@test_script_url)
211
+ else
212
+ test_each_test_script
213
+ end
214
+ end
215
+
216
+ #
217
+ # Determines if a specific test script URL can be remotely injected.
218
+ #
219
+ # @param [String] test_script_url
220
+ # The test script URL to attempt injecting.
221
+ #
222
+ # @return [Boolean]
223
+ # Indicates whether the test script was successfully executed or not.
224
+ #
225
+ # @api private
226
+ #
227
+ def test_a_test_script(test_script_url)
228
+ response = exploit(test_script_url)
200
229
  body = response.body
201
230
 
202
231
  return body.include?(VULN_RESPONSE_STRING)
203
232
  end
204
233
 
234
+ #
235
+ # Test each scripting language and RFI test payload in {TEST_SCRIPT_URLS}
236
+ # until one succeeds.
237
+ #
238
+ # @return [Boolean]
239
+ # Indicates whether one of the test script was successfully executed or
240
+ # not.
241
+ #
242
+ # @note
243
+ # If one of the test script URLs successfully executes, then
244
+ # {#script_lang} and {#test_script_url} will be updated accordingly.
245
+ #
246
+ # @api private
247
+ #
248
+ def test_each_test_script
249
+ TEST_SCRIPT_URLS.each do |script_lang,test_script_url|
250
+ if test_a_test_script(test_script_url)
251
+ @script_lang = script_lang
252
+ @test_script_url = test_script_url
253
+ return true
254
+ end
255
+ end
256
+
257
+ return false
258
+ end
259
+
205
260
  #
206
261
  # Returns the type or kind of vulnerability.
207
262
  #
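Review bot: `test_each_test_script` iterates `TEST_SCRIPT_URLS` in hash insertion order and returns on the first hit, so the reorder in the earlier hunk that moves `php:` to the top is a behavioural change, yet nothing records that the order is significant; add above the constant `# NOTE: order matters — {#test_each_test_script} tries these in order and stops at the first hit.`. Since every entry goes through `exploit`, the fallback path of `vulnerable?` (taken when `@test_script_url` is nil, i.e. the language could not be inferred or given) can issue up to one request per language for a single param — worth stating in the `vulnerable?` docs. `test_a_test_script` does `body = response.body` then `body.include?(...)`; if `exploit` returns a `Net::HTTPResponse`, `body` is nil for bodyless responses, so `body = response.body.to_s` is the safer form. The enclosing class continues outside this hunk.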
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -100,10 +100,12 @@ module Ronin
100
100
  public
101
101
 
102
102
  #
103
- # Scans the URL for SQL injections.
103
+ # Tests the URL and a specific query param, header name, cookie param, or
104
+ # form param for SQL injections by enumerating over various SQLi
105
+ # configurations.
104
106
  #
105
- # @param [URI::HTTP, String] url
106
- # The URL to test or exploit.
107
+ # @param [URI::HTTP] url
108
+ # The URL to test.
107
109
  #
108
110
  # @param [Array<Boolean>, Boolean] escape_quote
109
111
  # Controls whether to escape a quoted string value. If not specified,
@@ -123,40 +125,46 @@ module Ronin
123
125
  # @param [Hash{Symbol => Object}] kwargs
124
126
  # Additional keyword arguments for {WebVuln.scan}.
125
127
  #
126
- # @yield [sqli]
127
- # If a block is given it will be yielded each discovered SQL injection
128
- # vulnerability.
128
+ # @option kwargs [Symbol, String, nil] :query_param
129
+ # The query param name to test.
129
130
  #
130
- # @yieldparam [SQLI] sqli
131
- # A discovered SQL injection vulnerability in the URL.
131
+ # @option kwargs [Symbol, String, nil] :header_name
132
+ # The header name to test.
132
133
  #
133
- # @return [Array<SQLI>]
134
- # All discovered SQL injection vulnerabilities.
134
+ # @option kwargs [Symbol, String, true, nil] :cookie_param
135
+ # The cookie param name to test.
135
136
  #
136
- def self.scan(url, escape_quote: [false, true],
137
- escape_parens: [false, true],
138
- terminate: [false, true],
139
- # WebVuln.scan keyword arguments
140
- http: nil, **kwargs, &block)
141
- url = URI(url)
142
- http ||= Support::Network::HTTP.connect_uri(url)
143
-
144
- vulns = []
145
-
137
+ # @option kwargs [Symbol, String, nil] :form_param
138
+ # The form param name to test.
139
+ #
140
+ # @return [SQLI] sqli
141
+ # The first discovered SQLi vulnerability for the specific query param,
142
+ # header name, cookie param, or form param.
143
+ #
144
+ # @api private
145
+ #
146
+ # @since 0.2.0
147
+ #
148
+ def self.test_param(url, escape_quote: [false, true],
149
+ escape_parens: [false, true],
150
+ terminate: [false, true],
151
+ # keyword arguments for initialize
152
+ http: , **kwargs)
146
153
  Array(escape_quote).each do |escape_quote_value|
147
154
  Array(escape_parens).each do |escape_parens_value|
148
155
  Array(terminate).each do |terminate_value|
149
- vulns.concat(super(url, escape_quote: escape_quote_value,
150
- escape_parens: escape_parens_value,
151
- terminate: terminate_value,
152
- http: http,
153
- **kwargs,
154
- &block))
156
+ vuln = new(url, escape_quote: escape_quote_value,
157
+ escape_parens: escape_parens_value,
158
+ terminate: terminate_value,
159
+ http: http,
160
+ **kwargs)
161
+
162
+ return vuln if vuln.vulnerable?
155
163
  end
156
164
  end
157
165
  end
158
166
 
159
- return vulns
167
+ return nil
160
168
  end
161
169
 
162
170
  #
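Review bot: The `@return [SQLI] sqli` tag on `test_param` is wrong on two counts — the method ends with `return nil` when no configuration is vulnerable, and the trailing `sqli` is not a valid `@return` name — so it should read `# @return [SQLI, nil]`, matching the SSTI counterpart elsewhere in this diff. The required `http:` keyword has no doc entry; add `# @param [Ronin::Support::Network::HTTP] http` / `# The HTTP session to use for testing the URL.` as the SSTI `test_param` does. As a point of style, the three nested `Array(...).each` loops could collapse into `Array(escape_quote).product(Array(escape_parens), Array(terminate)).each do |escape_quote_value, escape_parens_value, terminate_value|`. The enclosing class continues outside this hunk.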
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -31,14 +31,22 @@ module Ronin
31
31
  # List of common Server Side Template Injection (SSTI) escapes.
32
32
  #
33
33
  # @api private
34
- ESCAPES = [
35
- nil, # does not escape the expression
36
- ->(expression) { "{{#{expression}}}" },
37
- ->(expression) { "${#{expression}}" },
38
- ->(expression) { "${{#{expression}}}" },
39
- ->(expression) { "\#{#{expression}}" },
40
- ->(expression) { "<%= #{expression} %>" }
41
- ]
34
+ ESCAPES = {
35
+ nil => nil, # does not escape the expression
36
+
37
+ double_curly_braces: ->(expression) { "{{#{expression}}}" },
38
+ dollar_curly_braces: ->(expression) { "${#{expression}}" },
39
+ dollar_double_curly_braces: ->(expression) { "${{#{expression}}}" },
40
+ pound_curly_braces: ->(expression) { "\#{#{expression}}" },
41
+ angle_brackets_percent: ->(expression) { "<%= #{expression} %>" }
42
+ }
43
+
44
+ # The type of SSTI escape used.
45
+ #
46
+ # @return [:double_curly_braces, :dollar_curly_braces, :dollar_double_curly_braces, :pound_curly_braces, :angle_brackets_percent, :custom, nil]
47
+ #
48
+ # @since 0.2.0
49
+ attr_reader :escape_type
42
50
 
43
51
  # How to escape the payload so that it's executed.
44
52
  #
@@ -58,21 +66,38 @@ module Ronin
58
66
  # @param [String, URI::HTTP] url
59
67
  # The URL to exploit.
60
68
  #
61
- # @param [Proc, nil] escape
69
+ # @param [:double_curly_braces, :dollar_curly_braces, :dollar_double_curly_braces, :pound_curly_braces, :angle_brackets_percent, :custom, Proc, nil] escape
62
70
  # How to escape a given payload. Either a proc that will accept a String
63
- # and return a String, or `nil` to indicate that the payload will not
64
- # be escaped.
71
+ # and return a String, a Symbol describing the template syntax to use,
72
+ # or `nil` to indicate that the payload will not be escaped.
65
73
  #
66
74
  # @param [TestExpression] test_expr
67
75
  # The test payload and expected result to check for when testing the URL
68
76
  # for SSTI.
69
77
  #
70
- def initialize(url, escape: nil,
78
+ # @raise [ArgumentError]
79
+ # An unknown `escape_type:` or `escape:` value was given, or no
80
+ # `test_expr:` was given.
81
+ #
82
+ def initialize(url, escape: nil,
71
83
  test_expr: self.class.random_test,
72
84
  **kwargs)
73
85
  super(url,**kwargs)
74
86
 
75
- @escape = escape
87
+ case escape
88
+ when Symbol
89
+ @escape_type = escape
90
+ @escape = ESCAPES.fetch(escape) do
91
+ raise(ArgumentError,"unknown template syntax: #{escape_type.inspect}")
92
+ end
93
+ when Proc
94
+ @escape_type = :custom
95
+ @escape = escape
96
+ when nil # no-op
97
+ else
98
+ raise(ArgumentError,"invalid escape type, must be a Symbol, Proc, or nil: #{escape.inspect}")
99
+ end
100
+
76
101
  @test_expr = test_expr
77
102
 
78
103
  unless @test_expr
@@ -97,62 +122,53 @@ module Ronin
97
122
  end
98
123
 
99
124
  #
100
- # Scans the URL for Server Side Template Injection (SSTI) vulnerabilities.
125
+ # Tests the URL and a specific query param, header name, cookie param, or
126
+ # form param for a Server Side Template Injection (SSTI) vulnerability
127
+ # by enumerating over various SSTI syntaxes.
101
128
  #
102
- # @param [URI::HTTP, String] url
103
- # The URL to scan.
129
+ # @param [URI::HTTP] url
130
+ # The URL to test.
104
131
  #
105
- # @param [Array<Proc>, Proc, nil] escape
132
+ # @param [Array<Symbol, Proc>, Symbol, Proc, nil] escape
106
133
  # The escape method to use. If `escape:` is not given, then all escapes
107
- # in {ESCAPES} will be tested..
134
+ # names in {ESCAPES} will be tested..
135
+ #
136
+ # @param [Ronin::Support::Network::HTTP] http
137
+ # The HTTP session to use for testing the URL.
108
138
  #
109
139
  # @param [Hash{Symbol => Object}] kwargs
110
140
  # Additional keyword arguments for {#initialize}.
111
141
  #
112
- # @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :query_params
113
- # The query param name(s) to test.
114
- #
115
- # @option kwargs [Array<Symbol, String>, Symbol, String, nil] :header_names
116
- # The header name(s) to test.
117
- #
118
- # @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :cookie_params
119
- # The cookie param name(s) to test.
120
- #
121
- # @option kwargs [Array<Symbol, String>, Symbol, String, nil] :form_params
122
- # The form param name(s) to test.
142
+ # @option kwargs [Symbol, String, true, nil] :query_param
143
+ # The query param name to test.
123
144
  #
124
- # @option kwargs [Ronin::Support::Network::HTTP, nil] :http
125
- # An HTTP session to use for testing the LFI.
145
+ # @option kwargs [Symbol, String, nil] :header_name
146
+ # The header name to test.
126
147
  #
127
- # @option kwargs [Hash{String => String}, nil] :headers
128
- # Additional headers to send with requests.
148
+ # @option kwargs [Symbol, String, true, nil] :cookie_param
149
+ # The cookie param name to test.
129
150
  #
130
- # @option kwargs [String, Ronin::Support::Network::HTTP::Cookie, nil] :cookie
131
- # Additional cookie params to send with requests.
151
+ # @option kwargs [Symbol, String, nil] :form_param
152
+ # The form param name to test.
132
153
  #
133
- # @option kwargs [String, nil] :referer
134
- # Optional `Referer` header to send with requests.
154
+ # @return [SSTI, nil]
155
+ # The first discovered web vulnerability for the specific query param,
156
+ # header name, cookie param, or form param.
135
157
  #
136
- # @option kwargs [Hash{String => String}, nil] :form_data
137
- # Additional form data to send with requests.
138
- #
139
- # @yield [vuln]
140
- # If a block is given it will be yielded each discovered vulnerability.
141
- #
142
- # @yieldparam [SSTI] vuln
143
- # A discovered SSTI vulnerability in the URL.
158
+ # @api private
144
159
  #
145
- # @return [Array<SSTI>]
146
- # All discovered SSTI vulnerabilities.
160
+ # @since 0.2.0
147
161
  #
148
- def self.scan(url, escape: ESCAPES, **kwargs,&block)
149
- vulns = []
162
+ def self.test_param(url, escape: ESCAPES.keys,
163
+ # initialize keyword arguments
164
+ http: , **kwargs)
165
+ Array(escape).each do |escape_value|
166
+ vuln = new(url, escape: escape_value, http: http, **kwargs)
150
167
 
151
- Array(escape).each do |escape_char|
152
- vulns.concat(super(url, escape: escape_char, **kwargs, &block))
168
+ return vuln if vuln.vulnerable?
153
169
  end
154
170
 
155
- return vulns
171
+ return nil
156
172
  end
157
173
 
158
174
  #
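Review bot: The new `@raise [ArgumentError]` doc on `initialize` refers to an `escape_type:` keyword, but the signature only accepts `escape:` (`escape_type` is the reader derived from it); change it to `# An unknown \`escape:\` Symbol or non-Symbol/Proc value was given, or no \`test_expr:\` was given.`. In the `fetch` fallback the message interpolates the reader (`escape_type.inspect`) although the value being rejected is `escape`; `raise(ArgumentError,"unknown template syntax: #{escape.inspect}")` says what it means. In the first SSTI hunk, `ESCAPES` is now a mutable constant whose key order is load-bearing — `test_param` defaults to `ESCAPES.keys` and tests them in order, `nil` (unescaped) first — so close it with `}.freeze` and add `# NOTE: order matters — {test_param} tries these keys in order.` above it. The enclosing class continues outside this hunk.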
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -24,6 +24,7 @@ require 'ronin/vulns/sqli'
24
24
  require 'ronin/vulns/ssti'
25
25
  require 'ronin/vulns/reflected_xss'
26
26
  require 'ronin/vulns/open_redirect'
27
+ require 'ronin/vulns/command_injection'
27
28
 
28
29
  module Ronin
29
30
  module Vulns
@@ -158,6 +159,9 @@ module Ronin
158
159
  # @option open_redirect [String] :test_url (OpenRedirect.random_test_url)
159
160
  # The desired redirect URL to test the URL with.
160
161
  #
162
+ # @param [Hash{Symbol => Object}, false] command_injection
163
+ # Additional options for {CommandInjection.scan}.
164
+ #
161
165
  # @yield [vuln]
162
166
  # If a block is given it will be yielded each discovered web
163
167
  # vulnerability.
@@ -174,6 +178,7 @@ module Ronin
174
178
  ssti: {},
175
179
  reflected_xss: {},
176
180
  open_redirect: {},
181
+ command_injection: {},
177
182
  **kwargs,
178
183
  &block)
179
184
  vulns = []
@@ -202,6 +207,10 @@ module Ronin
202
207
  vulns.concat(OpenRedirect.scan(url,**kwargs,**open_redirect,&block))
203
208
  end
204
209
 
210
+ if command_injection
211
+ vulns.concat(CommandInjection.scan(url,**kwargs,**command_injection,&block))
212
+ end
213
+
205
214
  return vulns
206
215
  end
207
216
 
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published
@@ -21,6 +21,6 @@
21
21
  module Ronin
22
22
  module Vulns
23
23
  # The ronin-vulns version
24
- VERSION = '0.1.5'
24
+ VERSION = '0.2.0.rc1'
25
25
  end
26
26
  end
@@ -2,7 +2,7 @@
2
2
  #
3
3
  # ronin-vulns - A Ruby library for blind vulnerability testing.
4
4
  #
5
- # Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
5
+ # Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
6
6
  #
7
7
  # ronin-vulns is free software: you can redistribute it and/or modify
8
8
  # it under the terms of the GNU Lesser General Public License as published