ronin-vulns 0.1.5 → 0.2.0.rc1
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/ChangeLog.md +43 -0
- data/Gemfile +14 -4
- data/README.md +7 -3
- data/Rakefile +9 -0
- data/data/completions/ronin-vulns +139 -0
- data/gemspec.yml +7 -1
- data/lib/ronin/vulns/cli/command.rb +1 -1
- data/lib/ronin/vulns/cli/commands/command_injection.rb +163 -0
- data/lib/ronin/vulns/cli/commands/completion.rb +63 -0
- data/lib/ronin/vulns/cli/commands/irb.rb +59 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +21 -9
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +13 -1
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +13 -1
- data/lib/ronin/vulns/cli/commands/rfi.rb +13 -1
- data/lib/ronin/vulns/cli/commands/scan.rb +21 -9
- data/lib/ronin/vulns/cli/commands/sqli.rb +13 -1
- data/lib/ronin/vulns/cli/commands/ssti.rb +13 -1
- data/lib/ronin/vulns/cli/importable.rb +76 -0
- data/lib/ronin/vulns/cli/printing.rb +184 -0
- data/lib/ronin/vulns/cli/ruby_shell.rb +53 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +216 -20
- data/lib/ronin/vulns/cli.rb +3 -2
- data/lib/ronin/vulns/command_injection.rb +267 -0
- data/lib/ronin/vulns/importer.rb +116 -0
- data/lib/ronin/vulns/lfi/test_file.rb +1 -1
- data/lib/ronin/vulns/lfi.rb +1 -1
- data/lib/ronin/vulns/open_redirect.rb +1 -1
- data/lib/ronin/vulns/reflected_xss/context.rb +1 -1
- data/lib/ronin/vulns/reflected_xss/test_string.rb +1 -1
- data/lib/ronin/vulns/reflected_xss.rb +1 -1
- data/lib/ronin/vulns/rfi.rb +64 -9
- data/lib/ronin/vulns/root.rb +1 -1
- data/lib/ronin/vulns/sqli/error_pattern.rb +1 -1
- data/lib/ronin/vulns/sqli.rb +36 -28
- data/lib/ronin/vulns/ssti/test_expression.rb +1 -1
- data/lib/ronin/vulns/ssti.rb +69 -53
- data/lib/ronin/vulns/url_scanner.rb +10 -1
- data/lib/ronin/vulns/version.rb +2 -2
- data/lib/ronin/vulns/vuln.rb +1 -1
- data/lib/ronin/vulns/web_vuln/http_request.rb +40 -1
- data/lib/ronin/vulns/web_vuln.rb +86 -16
- data/man/ronin-vulns-command-injection.1 +109 -0
- data/man/ronin-vulns-command-injection.1.md +112 -0
- data/man/ronin-vulns-completion.1 +76 -0
- data/man/ronin-vulns-completion.1.md +78 -0
- data/man/ronin-vulns-irb.1 +27 -0
- data/man/ronin-vulns-irb.1.md +26 -0
- data/man/ronin-vulns-lfi.1 +54 -51
- data/man/ronin-vulns-lfi.1.md +52 -20
- data/man/ronin-vulns-open-redirect.1 +51 -47
- data/man/ronin-vulns-open-redirect.1.md +50 -18
- data/man/ronin-vulns-reflected-xss.1 +50 -45
- data/man/ronin-vulns-reflected-xss.1.md +49 -17
- data/man/ronin-vulns-rfi.1 +54 -52
- data/man/ronin-vulns-rfi.1.md +52 -20
- data/man/ronin-vulns-scan.1 +68 -69
- data/man/ronin-vulns-scan.1.md +61 -29
- data/man/ronin-vulns-sqli.1 +54 -52
- data/man/ronin-vulns-sqli.1.md +52 -20
- data/man/ronin-vulns-ssti.1 +52 -48
- data/man/ronin-vulns-ssti.1.md +50 -18
- data/man/ronin-vulns.1 +73 -0
- data/man/ronin-vulns.1.md +69 -0
- data/scripts/setup +58 -0
- metadata +36 -5
- data/lib/ronin/vulns/cli/logging.rb +0 -81
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-vulns - A Ruby library for blind vulnerability testing.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2022-
|
5
|
+
# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-vulns is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -20,6 +20,7 @@
|
|
20
20
|
|
21
21
|
require 'ronin/vulns/vuln'
|
22
22
|
require 'ronin/support/network/http/cookie'
|
23
|
+
require 'ronin/support/network/http/user_agents'
|
23
24
|
|
24
25
|
require 'uri/query_params'
|
25
26
|
|
@@ -55,6 +56,19 @@ module Ronin
|
|
55
56
|
# @return [String, nil]
|
56
57
|
attr_reader :password
|
57
58
|
|
59
|
+
# The optional HTTP `User-Agent` header to send with each request.
|
60
|
+
#
|
61
|
+
# @return [String, :random, :chrome, :chrome_linux, :chrome_macos,
|
62
|
+
# :chrome_windows, :chrome_iphone, :chrome_ipad,
|
63
|
+
# :chrome_android, :firefox, :firefox_linux, :firefox_macos,
|
64
|
+
# :firefox_windows, :firefox_iphone, :firefox_ipad,
|
65
|
+
# :firefox_android, :safari, :safari_macos, :safari_iphone,
|
66
|
+
# :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
|
67
|
+
# :ipad, :android, nil]
|
68
|
+
#
|
69
|
+
# @since 0.2.0
|
70
|
+
attr_reader :user_agent
|
71
|
+
|
58
72
|
# The optional HTTP `Referer` header for the request.
|
59
73
|
#
|
60
74
|
# @return [String, nil]
|
@@ -103,6 +117,9 @@ module Ronin
|
|
103
117
|
# @param [Hash{Symbol,String => String}, nil] headers
|
104
118
|
# Additional HTTP header names and values to add to the request.
|
105
119
|
#
|
120
|
+
# @param [String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil] user_agent
|
121
|
+
# Optional `User-Agent` header to send with requests.
|
122
|
+
#
|
106
123
|
# @param [String, Hash{String => String}, nil] cookie
|
107
124
|
# Additional `Cookie` header for the request..
|
108
125
|
#
|
@@ -112,6 +129,7 @@ module Ronin
|
|
112
129
|
def initialize(url, request_method: :get,
|
113
130
|
user: nil,
|
114
131
|
password: nil,
|
132
|
+
user_agent: nil,
|
115
133
|
referer: nil,
|
116
134
|
query_params: nil,
|
117
135
|
headers: nil,
|
@@ -128,6 +146,7 @@ module Ronin
|
|
128
146
|
@request_method = request_method
|
129
147
|
@user = user
|
130
148
|
@password = password
|
149
|
+
@user_agent = user_agent
|
131
150
|
@referer = referer
|
132
151
|
|
133
152
|
@query_params = query_params
|
@@ -138,6 +157,21 @@ module Ronin
|
|
138
157
|
@form_data = form_data
|
139
158
|
end
|
140
159
|
|
160
|
+
#
|
161
|
+
# The `User-Agent` string for the request.
|
162
|
+
#
|
163
|
+
# @return [String, nil]
|
164
|
+
#
|
165
|
+
# @since 0.2.0
|
166
|
+
#
|
167
|
+
def user_agent_string
|
168
|
+
case @user_agent
|
169
|
+
when String, nil then @user_agent
|
170
|
+
else
|
171
|
+
Support::Network::HTTP::UserAgents[@user_agent]
|
172
|
+
end
|
173
|
+
end
|
174
|
+
|
141
175
|
#
|
142
176
|
# Converts the HTTP request to a `curl` command.
|
143
177
|
#
|
@@ -156,6 +190,10 @@ module Ronin
|
|
156
190
|
command << '--user' << escape.call("#{@user}:#{@password}")
|
157
191
|
end
|
158
192
|
|
193
|
+
if @user_agent
|
194
|
+
command << '--user-agent' << escape.call(user_agent_string)
|
195
|
+
end
|
196
|
+
|
159
197
|
if @referer
|
160
198
|
command << '--referer' << escape.call(@referer)
|
161
199
|
end
|
@@ -201,6 +239,7 @@ module Ronin
|
|
201
239
|
request << "Authorization: Basic #{basic_auth}"
|
202
240
|
end
|
203
241
|
|
242
|
+
request << "User-Agent: #{user_agent_string}" if @user_agent
|
204
243
|
request << "Referer: #{@referer}" if @referer
|
205
244
|
request << "Cookie: #{@cookie}" if (@cookie && !@cookie.empty?)
|
206
245
|
|
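Review bot: `user_agent_string` looks up `Support::Network::HTTP::UserAgents[@user_agent]` again on every call, so a symbolic value is resolved separately by the `--user-agent` line in the curl rendering and by the `"User-Agent: #{user_agent_string}"` line in the raw-request rendering. If `:random` returns a different string per lookup (not visible in this diff), the two printed examples can disagree with each other and with the header that was sent, which makes a reported finding harder to reproduce. Resolving once and caching would avoid that, e.g. `else @user_agent_string ||= Support::Network::HTTP::UserAgents[@user_agent]` in the `case`. The file header for this section is missing from the page (the +40/-1 count matches `web_vuln/http_request.rb` in the file list), and the curl and raw-request method bodies continue outside the hunks.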
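--- a/data/lib/ronin/vulns/web_vuln.rb
+++ b/data/lib/ronin/vulns/web_vuln.rb
@@ -2,7 +2,7 @@
 #
 # ronin-vulns - A Ruby library for blind vulnerability testing.
 #
-# Copyright (c) 2022-
+# Copyright (c) 2022-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-vulns is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -88,6 +88,19 @@ module Ronin
 # @return [Hash{Symbol,String => String}, nil]
 attr_reader :headers
 
+# The optional HTTP `User-Agent` header to send with each request.
+#
+# @return [String, :random, :chrome, :chrome_linux, :chrome_macos,
+# :chrome_windows, :chrome_iphone, :chrome_ipad,
+# :chrome_android, :firefox, :firefox_linux, :firefox_macos,
+# :firefox_windows, :firefox_iphone, :firefox_ipad,
+# :firefox_android, :safari, :safari_macos, :safari_iphone,
+# :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
+# :ipad, :android, nil]
+#
+# @since 0.2.0
+attr_reader :user_agent
+
 # Additional `Cookie` header. If a `Hash` is given, it will be converted
 # to a `String` using `Ronin::Support::Network::HTTP::Cookie`.
 #
@@ -139,6 +152,15 @@ module Ronin
 # @param [Hash{Symbol,String => String}, nil] headers
 # Additional HTTP header names and values to add to the request.
 #
+# @param [String, :random, :chrome, :chrome_linux, :chrome_macos,
+# :chrome_windows, :chrome_iphone, :chrome_ipad,
+# :chrome_android, :firefox, :firefox_linux, :firefox_macos,
+# :firefox_windows, :firefox_iphone, :firefox_ipad,
+# :firefox_android, :safari, :safari_macos, :safari_iphone,
+# :safari_ipad, :edge, :linux, :macos, :windows, :iphone,
+# :ipad, :android, nil] user_agent
+# The optional HTTP `User-Agent` header to send with each request.
+#
 # @param [Hash{String => String}, nil] cookie
 # Additional `Cookie` header. If a `Hash` is given, it will be
 # converted to a `String` using `Ronin::Support::Network::HTTP::Cookie`.
@@ -159,6 +181,7 @@ module Ronin
 user: nil,
 password: nil,
 headers: nil,
+user_agent: nil,
 cookie: nil,
 form_data: nil,
 referer: nil)
@@ -176,11 +199,51 @@ module Ronin
 @user = user
 @password = password
 @headers = headers
+@user_agent = user_agent
 @cookie = cookie
 @form_data = form_data
 @referer = referer
 end
 
+#
+# Internal method that tests combinations of configurations for a specific
+# query param, header name, cookie param, or form param.
+#
+# @param [URI::HTTP] url
+# The URL to test.
+#
+# @param [Ronin::Support::Network::HTTP, nil] http
+# An HTTP session to use for testing the URL.
+#
+# @param [Hash{Symbol => Object}] kwargs
+# Additional keyword arguments for {#initialize}.
+#
+# @option kwargs [Symbol, String, nil] :query_param
+# The query param name to test.
+#
+# @option kwargs [Symbol, String, nil] :header_name
+# The header name to test.
+#
+# @option kwargs [Symbol, String, true, nil] :cookie_param
+# The cookie param name to test.
+#
+# @option kwargs [Symbol, String, nil] :form_param
+# The form param name to test.
+#
+# @return [WebVuln, nil]
+# The first discovered web vulnerability for the specific query param,
+# header name, cookie param, or form param.
+#
+# @api private
+#
+# @since 0.2.0
+#
+def self.test_param(url, http: , **kwargs)
+vuln = new(url, http: http, **kwargs)
+
+return vuln if vuln.vulnerable?
+end
+
 #
 # Scans the query parameters of the URL.
 #
@@ -212,9 +275,7 @@ module Ronin
 vulns = []
 
 query_params.each do |param|
-vuln =
-
-if vuln.vulnerable?
+if (vuln = test_param(url, query_param: param, http: http, **kwargs))
 yield vuln if block_given?
 vulns << vuln
 end
@@ -252,9 +313,7 @@ module Ronin
 vulns = []
 
 header_names.each do |header_name|
-vuln =
-
-if vuln.vulnerable?
+if (vuln = test_param(url, header_name: header_name, http: http, **kwargs))
 yield vuln if block_given?
 vulns << vuln
 end
@@ -303,9 +362,7 @@ module Ronin
 vulns = []
 
 cookie_params.each do |cookie_param|
-vuln =
-
-if vuln.vulnerable?
+if (vuln = test_param(url, cookie_param: cookie_param, http: http, **kwargs))
 yield vuln if block_given?
 vulns << vuln
 end
@@ -336,16 +393,15 @@ module Ronin
 # @return [Array<Web>]
 # All discovered web vulnerabilities.
 #
-def self.scan_form_params(url,form_params, http: nil, **kwargs)
+def self.scan_form_params(url,form_params=nil, http: nil, form_data: {}, **kwargs)
 url = URI(url)
 http ||= Support::Network::HTTP.connect_uri(url)
 
-
+form_params ||= form_data.keys
+vulns = []
 
 form_params.each do |form_param|
-vuln =
-
-if vuln.vulnerable?
+if (vuln = test_param(url, form_param: form_param, form_data: form_data, http: http, **kwargs))
 yield vuln if block_given?
 vulns << vuln
 end
@@ -392,6 +448,9 @@ module Ronin
 # @option kwargs [Hash{String => String}, nil] :headers
 # Additional headers to send with requests.
 #
+# @option kwargs [String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil] :user_agent
+# Optional `User-Agent` header to send with requests.
+#
 # @option kwargs [Hash{String => String}, Ronin::Support::Network::HTTP::Cookie, nil] :cookie
 # Additional cookie params to send with requests.
 #
@@ -455,7 +514,12 @@ module Ronin
 
 if form_params
 vulns.concat(
-
+case form_params
+when true
+scan_form_params(url, http: http, **kwargs,&block)
+else
+scan_form_params(url,form_params, http: http, **kwargs,&block)
+end
 )
 end
 end
@@ -502,6 +566,9 @@ module Ronin
 # @option kwargs [Hash{String => String}, nil] :headers
 # Additional headers to send with requests.
 #
+# @option kwargs [String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil] :user_agent
+# Optional `User-Agent` header to send with requests.
+#
 # @option kwargs [Hash{String => String}, Ronin::Support::Network::HTTP::Cookie, nil] :cookie
 # Additional cookie params to send with requests.
 #
@@ -537,6 +604,7 @@ module Ronin
 @request_method, @url.path, user: @user,
 password: @password,
 query_params: @query_params,
+user_agent: @user_agent,
 cookie: @cookie,
 referer: @referer,
 headers: @headers,
@@ -738,6 +806,7 @@ module Ronin
 @url, request_method: @request_method,
 user: @user,
 password: @password,
+user_agent: @user_agent,
 referer: @referer,
 query_params: exploit_query_params(payload),
 cookie: exploit_cookie(payload),
@@ -761,6 +830,7 @@ module Ronin
 @url, request_method: @request_method,
 user: @user,
 password: @password,
+user_agent: @user_agent,
 referer: @referer,
 query_params: exploit_query_params(payload),
 cookie: exploit_cookie(payload),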
@@ -0,0 +1,109 @@
|
|
1
|
+
.\" Generated by kramdown-man 1.0.1
|
2
|
+
.\" https://github.com/postmodern/kramdown-man#readme
|
3
|
+
.TH ronin-vulns-command-injection 1 "May 2023" Ronin "User Manuals"
|
4
|
+
.SH NAME
|
5
|
+
.PP
|
6
|
+
ronin\-vulns\-command\-injection \- Scans URL(s) for Command Injection vulnerabilities
|
7
|
+
.SH SYNOPSIS
|
8
|
+
.PP
|
9
|
+
\fBronin\-vulns command\-injection\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB\-\-input\fR \fIFILE\fP\[rC]
|
10
|
+
.SH DESCRIPTION
|
11
|
+
.PP
|
12
|
+
Scans URL(s) for Command Injection vulnerabilities\. The URLs to scan
|
13
|
+
can be given as additional arguments or read from a file using the \fB\-\-input\fR
|
14
|
+
option\.
|
15
|
+
.SH ARGUMENTS
|
16
|
+
.TP
|
17
|
+
\fIURL\fP
|
18
|
+
A URL to scan\.
|
19
|
+
.SH OPTIONS
|
20
|
+
.TP
|
21
|
+
\fB\-\-db\fR \fINAME\fP
|
22
|
+
The database name to connect to\. Defaults to \fBdefault\fR if not given\.
|
23
|
+
.TP
|
24
|
+
\fB\-\-db\-uri\fR \fIURI\fP
|
25
|
+
The database URI to connect to
|
26
|
+
(ex: \fBpostgres:\[sl]\[sl]user:password\[at]host\[sl]db\fR)\.
|
27
|
+
.TP
|
28
|
+
\fB\-\-db\-file\fR \fIPATH\fP
|
29
|
+
The sqlite3 database file to use\.
|
30
|
+
.TP
|
31
|
+
\fB\-\-import\fR
|
32
|
+
Imports discovered vulnerabilities into the database\.
|
33
|
+
.TP
|
34
|
+
\fB\-\-first\fR
|
35
|
+
Only find the first vulnerability for each URL\.
|
36
|
+
.TP
|
37
|
+
\fB\-A\fR, \fB\-\-all\fR
|
38
|
+
Find all vulnerabilities for each URL\.
|
39
|
+
.TP
|
40
|
+
\fB\-\-print\-curl\fR
|
41
|
+
Also prints an example \fBcurl\fR command for each vulnerability\.
|
42
|
+
.TP
|
43
|
+
\fB\-\-print\-http\fR
|
44
|
+
Also prints an example HTTP request for each vulnerability\.
|
45
|
+
.TP
|
46
|
+
\fB\-M\fR, \fB\-\-request\-method\fR \fBCOPY\fR\[or]\fBDELETE\fR\[or]\fBGET\fR\[or]\fBHEAD\fR\[or]\fBLOCK\fR\[or]\fBMKCOL\fR\[or]\fBMOVE\fR\[or]\fBOPTIONS\fR\[or]\fBPATCH\fR\[or]\fBPOST\fR\[or]\fBPROPFIND\fR\[or]\fBPROPPATCH\fR\[or]\fBPUT\fR\[or]\fBTRACE\fR\[or]\fBUNLOCK\fR
|
47
|
+
Sets the HTTP request method to use\.
|
48
|
+
.TP
|
49
|
+
\fB\-H\fR, \fB\-\-header\fR \[lq]\fIName\fP: \fIvalue\fP\[rq]
|
50
|
+
Sets an additional header using the given \fIName\fP and \fIvalue\fP\.
|
51
|
+
.TP
|
52
|
+
\fB\-U\fR, \fB\-\-user\-agent\-string\fR \fISTRING\fP
|
53
|
+
Sets the \fBUser\-Agent\fR header string\.
|
54
|
+
.TP
|
55
|
+
\fB\-u\fR, \fB\-\-user\-agent\fR \fBchrome\-linux\fR\[or]\fBchrome\-macos\fR\[or]\fBchrome\-windows\fR\[or]\fBchrome\-iphone\fR\[or]\fBchrome\-ipad\fR\[or]\fBchrome\-android\fR\[or]\fBfirefox\-linux\fR\[or]\fBfirefox\-macos\fR\[or]\fBfirefox\-windows\fR\[or]\fBfirefox\-iphone\fR\[or]\fBfirefox\-ipad\fR\[or]\fBfirefox\-android\fR\[or]\fBsafari\-macos\fR\[or]\fBsafari\-iphone\fR\[or]\fBsafari\-ipad\fR\[or]\fBedge\fR
|
56
|
+
Sets the \fBUser\-Agent\fR header\.
|
57
|
+
.TP
|
58
|
+
\fB\-C\fR, \fB\-\-cookie\fR \fICOOKIE\fP
|
59
|
+
Sets the raw \fBCookie\fR header\.
|
60
|
+
.TP
|
61
|
+
\fB\-c\fR, \fB\-\-cookie\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
62
|
+
Sets an additional \fBCookie\fR param using the given \fINAME\fP and \fIVALUE\fP\.
|
63
|
+
.TP
|
64
|
+
\fB\-R\fR, \fB\-\-referer\fR \fIURL\fP
|
65
|
+
Sets the \fBReferer\fR header\.
|
66
|
+
.TP
|
67
|
+
\fB\-F\fR, \fB\-\-form\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
68
|
+
Sets an additional form param using the given \fINAME\fP and \fIVALUE\fP\.
|
69
|
+
.TP
|
70
|
+
\fB\-\-test\-query\-param\fR \fINAME\fP
|
71
|
+
Tests the URL query param name\.
|
72
|
+
.TP
|
73
|
+
\fB\-\-test\-all\-query\-params\fR
|
74
|
+
Test all URL query param names\.
|
75
|
+
.TP
|
76
|
+
\fB\-\-test\-header\-name\fR \fINAME\fP
|
77
|
+
Tests the HTTP Header name\.
|
78
|
+
.TP
|
79
|
+
\fB\-\-test\-cookie\-param\fR \fINAME\fP
|
80
|
+
Tests the HTTP Cookie name\.
|
81
|
+
.TP
|
82
|
+
\fB\-\-test\-all\-cookie\-params\fR
|
83
|
+
Test all Cookie param names\.
|
84
|
+
.TP
|
85
|
+
\fB\-\-test\-form\-param\fR \fINAME\fP
|
86
|
+
Tests the form param name\.
|
87
|
+
.TP
|
88
|
+
\fB\-i\fR, \fB\-\-input\fR \fIFILE\fP
|
89
|
+
Reads URLs from the given \fIFILE\fP\.
|
90
|
+
.TP
|
91
|
+
\fB\-Q\fR, \fB\-\-escape\-quote\fR \fICHAR\fP
|
92
|
+
The string quotation character to use to escape the command\.
|
93
|
+
.TP
|
94
|
+
\fB\-O\fR, \fB\-\-escape\-operator\fR \fICHAR\fP
|
95
|
+
The command operator character to use to escape the command\.
|
96
|
+
.TP
|
97
|
+
\fB\-T\fR, \fB\-\-terminator\fR \fICHAR\fP
|
98
|
+
The command termination character to use\.
|
99
|
+
.TP
|
100
|
+
\fB\-h\fR, \fB\-\-help\fR
|
101
|
+
Print help information\.
|
102
|
+
.SH AUTHOR
|
103
|
+
.PP
|
104
|
+
Postmodern
|
105
|
+
.MT postmodern\.mod3\[at]gmail\.com
|
106
|
+
.ME
|
107
|
+
.SH SEE ALSO
|
108
|
+
.PP
|
109
|
+
.BR ronin\-vulns\-scan (1)
|
@@ -0,0 +1,112 @@
|
|
1
|
+
# ronin-vulns-command-injection 1 "May 2023" Ronin "User Manuals"
|
2
|
+
|
3
|
+
## NAME
|
4
|
+
|
5
|
+
ronin-vulns-command-injection - Scans URL(s) for Command Injection vulnerabilities
|
6
|
+
|
7
|
+
## SYNOPSIS
|
8
|
+
|
9
|
+
`ronin-vulns command-injection` [*options*] {*URL* ... \| `--input` *FILE*}
|
10
|
+
|
11
|
+
## DESCRIPTION
|
12
|
+
|
13
|
+
Scans URL(s) for Command Injection vulnerabilities. The URLs to scan
|
14
|
+
can be given as additional arguments or read from a file using the `--input`
|
15
|
+
option.
|
16
|
+
|
17
|
+
## ARGUMENTS
|
18
|
+
|
19
|
+
*URL*
|
20
|
+
: A URL to scan.
|
21
|
+
|
22
|
+
## OPTIONS
|
23
|
+
|
24
|
+
`--db` *NAME*
|
25
|
+
: The database name to connect to. Defaults to `default` if not given.
|
26
|
+
|
27
|
+
`--db-uri` *URI*
|
28
|
+
: The database URI to connect to
|
29
|
+
(ex: `postgres://user:password@host/db`).
|
30
|
+
|
31
|
+
`--db-file` *PATH*
|
32
|
+
: The sqlite3 database file to use.
|
33
|
+
|
34
|
+
`--import`
|
35
|
+
: Imports discovered vulnerabilities into the database.
|
36
|
+
|
37
|
+
`--first`
|
38
|
+
: Only find the first vulnerability for each URL.
|
39
|
+
|
40
|
+
`-A`, `--all`
|
41
|
+
: Find all vulnerabilities for each URL.
|
42
|
+
|
43
|
+
`--print-curl`
|
44
|
+
: Also prints an example `curl` command for each vulnerability.
|
45
|
+
|
46
|
+
`--print-http`
|
47
|
+
: Also prints an example HTTP request for each vulnerability.
|
48
|
+
|
49
|
+
`-M`, `--request-method` `COPY`|`DELETE`|`GET`|`HEAD`|`LOCK`|`MKCOL`|`MOVE`|`OPTIONS`|`PATCH`|`POST`|`PROPFIND`|`PROPPATCH`|`PUT`|`TRACE`|`UNLOCK`
|
50
|
+
: Sets the HTTP request method to use.
|
51
|
+
|
52
|
+
`-H`, `--header` "*Name*: *value*"
|
53
|
+
: Sets an additional header using the given *Name* and *value*.
|
54
|
+
|
55
|
+
`-U`, `--user-agent-string` *STRING*
|
56
|
+
: Sets the `User-Agent` header string.
|
57
|
+
|
58
|
+
`-u`, `--user-agent` `chrome-linux`\|`chrome-macos`\|`chrome-windows`\|`chrome-iphone`\|`chrome-ipad`\|`chrome-android`\|`firefox-linux`\|`firefox-macos`\|`firefox-windows`\|`firefox-iphone`\|`firefox-ipad`\|`firefox-android`\|`safari-macos`\|`safari-iphone`\|`safari-ipad`\|`edge`
|
59
|
+
: Sets the `User-Agent` header.
|
60
|
+
|
61
|
+
`-C`, `--cookie` *COOKIE*
|
62
|
+
: Sets the raw `Cookie` header.
|
63
|
+
|
64
|
+
`-c`, `--cookie-param` *NAME*`=`*VALUE*
|
65
|
+
: Sets an additional `Cookie` param using the given *NAME* and *VALUE*.
|
66
|
+
|
67
|
+
`-R`, `--referer` *URL*
|
68
|
+
: Sets the `Referer` header.
|
69
|
+
|
70
|
+
`-F`, `--form-param` *NAME*`=`*VALUE*
|
71
|
+
: Sets an additional form param using the given *NAME* and *VALUE*.
|
72
|
+
|
73
|
+
`--test-query-param` *NAME*
|
74
|
+
: Tests the URL query param name.
|
75
|
+
|
76
|
+
`--test-all-query-params`
|
77
|
+
: Test all URL query param names.
|
78
|
+
|
79
|
+
`--test-header-name` *NAME*
|
80
|
+
: Tests the HTTP Header name.
|
81
|
+
|
82
|
+
`--test-cookie-param` *NAME*
|
83
|
+
: Tests the HTTP Cookie name.
|
84
|
+
|
85
|
+
`--test-all-cookie-params`
|
86
|
+
: Test all Cookie param names.
|
87
|
+
|
88
|
+
`--test-form-param` *NAME*
|
89
|
+
: Tests the form param name.
|
90
|
+
|
91
|
+
`-i`, `--input` *FILE*
|
92
|
+
: Reads URLs from the given *FILE*.
|
93
|
+
|
94
|
+
`-Q`, `--escape-quote` *CHAR*
|
95
|
+
: The string quotation character to use to escape the command.
|
96
|
+
|
97
|
+
`-O`, `--escape-operator` *CHAR*
|
98
|
+
: The command operator character to use to escape the command.
|
99
|
+
|
100
|
+
`-T`, `--terminator` *CHAR*
|
101
|
+
: The command termination character to use.
|
102
|
+
|
103
|
+
`-h`, `--help`
|
104
|
+
: Print help information.
|
105
|
+
|
106
|
+
## AUTHOR
|
107
|
+
|
108
|
+
Postmodern <postmodern.mod3@gmail.com>
|
109
|
+
|
110
|
+
## SEE ALSO
|
111
|
+
|
112
|
+
[ronin-vulns-scan](ronin-vulns-scan.1.md)
|
@@ -0,0 +1,76 @@
|
|
1
|
+
.\" Generated by kramdown-man 1.0.1
|
2
|
+
.\" https://github.com/postmodern/kramdown-man#readme
|
3
|
+
.TH ronin-vulns-completion 1 "2024-01-01" Ronin Vulns "User Manuals"
|
4
|
+
.SH NAME
|
5
|
+
.PP
|
6
|
+
ronin\-vulns\-completion \- Manages shell completion rules for \fBronin\-vulns\fR
|
7
|
+
.SH SYNOPSIS
|
8
|
+
.PP
|
9
|
+
\fBronin\-vulns completion\fR \[lB]\fIoptions\fP\[rB]
|
10
|
+
.SH DESCRIPTION
|
11
|
+
.PP
|
12
|
+
The \fBronin\-vulns completion\fR command can print, install, or uninstall shell
|
13
|
+
completion rules for the \fBronin\-vulns\fR command\.
|
14
|
+
.PP
|
15
|
+
Supports installing completion rules for Bash or Zsh shells\.
|
16
|
+
Completion rules for the Fish shell is currently not supported\.
|
17
|
+
.SS ZSH SUPPORT
|
18
|
+
.PP
|
19
|
+
Zsh users will have to add the following lines to their \fB\[ti]\[sl]\.zshrc\fR file in
|
20
|
+
order to enable Zsh\[cq]s Bash completion compatibility layer:
|
21
|
+
.PP
|
22
|
+
.RS 4
|
23
|
+
.EX
|
24
|
+
autoload \-Uz \[pl]X compinit && compinit
|
25
|
+
autoload \-Uz \[pl]X bashcompinit && bashcompinit
|
26
|
+
.EE
|
27
|
+
.RE
|
28
|
+
.SH OPTIONS
|
29
|
+
.TP
|
30
|
+
\fB\-\-print\fR
|
31
|
+
Prints the shell completion file\.
|
32
|
+
.TP
|
33
|
+
\fB\-\-install\fR
|
34
|
+
Installs the shell completion file\.
|
35
|
+
.TP
|
36
|
+
\fB\-\-uninstall\fR
|
37
|
+
Uninstalls the shell completion file\.
|
38
|
+
.TP
|
39
|
+
\fB\-h\fR, \fB\-\-help\fR
|
40
|
+
Prints help information\.
|
41
|
+
.SH ENVIRONMENT
|
42
|
+
.TP
|
43
|
+
\fIPREFIX\fP
|
44
|
+
Specifies the root prefix for the file system\.
|
45
|
+
.TP
|
46
|
+
\fIHOME\fP
|
47
|
+
Specifies the home directory of the user\. Ronin will search for the
|
48
|
+
\fB\[ti]\[sl]\.cache\[sl]ronin\-vulns\fR cache directory within the home directory\.
|
49
|
+
.TP
|
50
|
+
\fIXDG\[ru]DATA\[ru]HOME\fP
|
51
|
+
Specifies the data directory to use\. Defaults to \fB\[Do]HOME\[sl]\.local\[sl]share\fR\.
|
52
|
+
.SH FILES
|
53
|
+
.TP
|
54
|
+
\fB\[ti]\[sl]\.local\[sl]share\[sl]bash\-completion\[sl]completions\[sl]\fR
|
55
|
+
The user\-local installation directory for Bash completion files\.
|
56
|
+
.TP
|
57
|
+
\fB\[sl]usr\[sl]local\[sl]share\[sl]bash\-completion\[sl]completions\[sl]\fR
|
58
|
+
The system\-wide installation directory for Bash completions files\.
|
59
|
+
.TP
|
60
|
+
\fB\[sl]usr\[sl]local\[sl]share\[sl]zsh\[sl]site\-functions\[sl]\fR
|
61
|
+
The installation directory for Zsh completion files\.
|
62
|
+
.SH EXAMPLES
|
63
|
+
.TP
|
64
|
+
\fBronin\-vulns completion \-\-print\fR
|
65
|
+
Prints the shell completion rules instead of installing them\.
|
66
|
+
.TP
|
67
|
+
\fBronin\-vulns completion \-\-install\fR
|
68
|
+
Installs the shell completion rules for \fBronin\-vulns\fR\.
|
69
|
+
.TP
|
70
|
+
\fBronin\-vulns completion \-\-uninstall\fR
|
71
|
+
Uninstalls the shell completion rules for \fBronin\-vulns\fR\.
|
72
|
+
.SH AUTHOR
|
73
|
+
.PP
|
74
|
+
Postmodern
|
75
|
+
.MT postmodern\.mod3\[at]gmail\.com
|
76
|
+
.ME
|
@@ -0,0 +1,78 @@
|
|
1
|
+
# ronin-vulns-completion 1 "2024-01-01" Ronin Vulns "User Manuals"
|
2
|
+
|
3
|
+
## NAME
|
4
|
+
|
5
|
+
ronin-vulns-completion - Manages shell completion rules for `ronin-vulns`
|
6
|
+
|
7
|
+
## SYNOPSIS
|
8
|
+
|
9
|
+
`ronin-vulns completion` [*options*]
|
10
|
+
|
11
|
+
## DESCRIPTION
|
12
|
+
|
13
|
+
The `ronin-vulns completion` command can print, install, or uninstall shell
|
14
|
+
completion rules for the `ronin-vulns` command.
|
15
|
+
|
16
|
+
Supports installing completion rules for Bash or Zsh shells.
|
17
|
+
Completion rules for the Fish shell is currently not supported.
|
18
|
+
|
19
|
+
### ZSH SUPPORT
|
20
|
+
|
21
|
+
Zsh users will have to add the following lines to their `~/.zshrc` file in
|
22
|
+
order to enable Zsh's Bash completion compatibility layer:
|
23
|
+
|
24
|
+
autoload -Uz +X compinit && compinit
|
25
|
+
autoload -Uz +X bashcompinit && bashcompinit
|
26
|
+
|
27
|
+
## OPTIONS
|
28
|
+
|
29
|
+
`--print`
|
30
|
+
: Prints the shell completion file.
|
31
|
+
|
32
|
+
`--install`
|
33
|
+
: Installs the shell completion file.
|
34
|
+
|
35
|
+
`--uninstall`
|
36
|
+
: Uninstalls the shell completion file.
|
37
|
+
|
38
|
+
`-h`, `--help`
|
39
|
+
: Prints help information.
|
40
|
+
|
41
|
+
## ENVIRONMENT
|
42
|
+
|
43
|
+
*PREFIX*
|
44
|
+
: Specifies the root prefix for the file system.
|
45
|
+
|
46
|
+
*HOME*
|
47
|
+
: Specifies the home directory of the user. Ronin will search for the
|
48
|
+
`~/.cache/ronin-vulns` cache directory within the home directory.
|
49
|
+
|
50
|
+
*XDG_DATA_HOME*
|
51
|
+
: Specifies the data directory to use. Defaults to `$HOME/.local/share`.
|
52
|
+
|
53
|
+
## FILES
|
54
|
+
|
55
|
+
`~/.local/share/bash-completion/completions/`
|
56
|
+
: The user-local installation directory for Bash completion files.
|
57
|
+
|
58
|
+
`/usr/local/share/bash-completion/completions/`
|
59
|
+
: The system-wide installation directory for Bash completions files.
|
60
|
+
|
61
|
+
`/usr/local/share/zsh/site-functions/`
|
62
|
+
: The installation directory for Zsh completion files.
|
63
|
+
|
64
|
+
## EXAMPLES
|
65
|
+
|
66
|
+
`ronin-vulns completion --print`
|
67
|
+
: Prints the shell completion rules instead of installing them.
|
68
|
+
|
69
|
+
`ronin-vulns completion --install`
|
70
|
+
: Installs the shell completion rules for `ronin-vulns`.
|
71
|
+
|
72
|
+
`ronin-vulns completion --uninstall`
|
73
|
+
: Uninstalls the shell completion rules for `ronin-vulns`.
|
74
|
+
|
75
|
+
## AUTHOR
|
76
|
+
|
77
|
+
Postmodern <postmodern.mod3@gmail.com>
|
78
|
+
|