ronin-vulns 0.1.5 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.ruby-version +1 -1
- data/ChangeLog.md +43 -0
- data/Gemfile +14 -4
- data/README.md +7 -3
- data/Rakefile +9 -0
- data/data/completions/ronin-vulns +139 -0
- data/gemspec.yml +7 -1
- data/lib/ronin/vulns/cli/command.rb +1 -1
- data/lib/ronin/vulns/cli/commands/command_injection.rb +163 -0
- data/lib/ronin/vulns/cli/commands/completion.rb +63 -0
- data/lib/ronin/vulns/cli/commands/irb.rb +59 -0
- data/lib/ronin/vulns/cli/commands/lfi.rb +21 -9
- data/lib/ronin/vulns/cli/commands/open_redirect.rb +13 -1
- data/lib/ronin/vulns/cli/commands/reflected_xss.rb +13 -1
- data/lib/ronin/vulns/cli/commands/rfi.rb +13 -1
- data/lib/ronin/vulns/cli/commands/scan.rb +21 -9
- data/lib/ronin/vulns/cli/commands/sqli.rb +13 -1
- data/lib/ronin/vulns/cli/commands/ssti.rb +13 -1
- data/lib/ronin/vulns/cli/importable.rb +76 -0
- data/lib/ronin/vulns/cli/printing.rb +184 -0
- data/lib/ronin/vulns/cli/ruby_shell.rb +53 -0
- data/lib/ronin/vulns/cli/web_vuln_command.rb +216 -20
- data/lib/ronin/vulns/cli.rb +5 -2
- data/lib/ronin/vulns/command_injection.rb +267 -0
- data/lib/ronin/vulns/importer.rb +116 -0
- data/lib/ronin/vulns/lfi/test_file.rb +1 -1
- data/lib/ronin/vulns/lfi.rb +1 -1
- data/lib/ronin/vulns/open_redirect.rb +1 -1
- data/lib/ronin/vulns/reflected_xss/context.rb +1 -1
- data/lib/ronin/vulns/reflected_xss/test_string.rb +1 -1
- data/lib/ronin/vulns/reflected_xss.rb +1 -1
- data/lib/ronin/vulns/rfi.rb +64 -9
- data/lib/ronin/vulns/root.rb +1 -1
- data/lib/ronin/vulns/sqli/error_pattern.rb +1 -1
- data/lib/ronin/vulns/sqli.rb +36 -28
- data/lib/ronin/vulns/ssti/test_expression.rb +1 -1
- data/lib/ronin/vulns/ssti.rb +69 -53
- data/lib/ronin/vulns/url_scanner.rb +10 -1
- data/lib/ronin/vulns/version.rb +2 -2
- data/lib/ronin/vulns/vuln.rb +1 -1
- data/lib/ronin/vulns/web_vuln/http_request.rb +40 -1
- data/lib/ronin/vulns/web_vuln.rb +86 -16
- data/man/ronin-vulns-command-injection.1 +109 -0
- data/man/ronin-vulns-command-injection.1.md +112 -0
- data/man/ronin-vulns-completion.1 +76 -0
- data/man/ronin-vulns-completion.1.md +78 -0
- data/man/ronin-vulns-irb.1 +27 -0
- data/man/ronin-vulns-irb.1.md +26 -0
- data/man/ronin-vulns-lfi.1 +54 -51
- data/man/ronin-vulns-lfi.1.md +52 -20
- data/man/ronin-vulns-open-redirect.1 +51 -47
- data/man/ronin-vulns-open-redirect.1.md +50 -18
- data/man/ronin-vulns-reflected-xss.1 +50 -45
- data/man/ronin-vulns-reflected-xss.1.md +49 -17
- data/man/ronin-vulns-rfi.1 +54 -52
- data/man/ronin-vulns-rfi.1.md +52 -20
- data/man/ronin-vulns-scan.1 +68 -69
- data/man/ronin-vulns-scan.1.md +61 -29
- data/man/ronin-vulns-sqli.1 +54 -52
- data/man/ronin-vulns-sqli.1.md +52 -20
- data/man/ronin-vulns-ssti.1 +52 -48
- data/man/ronin-vulns-ssti.1.md +50 -18
- data/man/ronin-vulns.1 +73 -0
- data/man/ronin-vulns.1.md +69 -0
- data/scripts/setup +58 -0
- metadata +37 -6
- data/lib/ronin/vulns/cli/logging.rb +0 -81
@@ -1,95 +1,100 @@
|
|
1
|
-
.\" Generated by kramdown-man 0.1
|
1
|
+
.\" Generated by kramdown-man 1.0.1
|
2
2
|
.\" https://github.com/postmodern/kramdown-man#readme
|
3
3
|
.TH ronin-vulns-reflected-xss 1 "May 2022" Ronin "User Manuals"
|
4
|
-
.
|
4
|
+
.SH NAME
|
5
|
+
.PP
|
6
|
+
ronin\-vulns\-reflected\-xss \- Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities
|
5
7
|
.SH SYNOPSIS
|
6
|
-
.LP
|
7
8
|
.PP
|
8
|
-
\fBronin
|
9
|
-
.LP
|
9
|
+
\fBronin\-vulns reflected\-xss\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB\-\-input\fR \fIFILE\fP\[rC]
|
10
10
|
.SH DESCRIPTION
|
11
|
-
.LP
|
12
11
|
.PP
|
13
12
|
Scans URL(s) for reflected Cross Site Scripting (XSS) vulnerabilities\. The URLs
|
14
13
|
to scan can be given as additional arguments or read from a file using the
|
15
|
-
\fB
|
16
|
-
.LP
|
14
|
+
\fB\-\-input\fR option\.
|
17
15
|
.SH ARGUMENTS
|
18
|
-
.LP
|
19
16
|
.TP
|
20
17
|
\fIURL\fP
|
21
18
|
A URL to scan\.
|
22
|
-
.LP
|
23
19
|
.SH OPTIONS
|
24
|
-
.LP
|
25
20
|
.TP
|
26
|
-
\fB
|
21
|
+
\fB\-\-db\fR \fINAME\fP
|
22
|
+
The database name to connect to\. Defaults to \fBdefault\fR if not given\.
|
23
|
+
.TP
|
24
|
+
\fB\-\-db\-uri\fR \fIURI\fP
|
25
|
+
The database URI to connect to
|
26
|
+
(ex: \fBpostgres:\[sl]\[sl]user:password\[at]host\[sl]db\fR)\.
|
27
|
+
.TP
|
28
|
+
\fB\-\-db\-file\fR \fIPATH\fP
|
29
|
+
The sqlite3 database file to use\.
|
30
|
+
.TP
|
31
|
+
\fB\-\-import\fR
|
32
|
+
Imports discovered vulnerabilities into the database\.
|
33
|
+
.TP
|
34
|
+
\fB\-\-first\fR
|
27
35
|
Only find the first vulnerability for each URL\.
|
28
|
-
.LP
|
29
36
|
.TP
|
30
|
-
\fB
|
37
|
+
\fB\-A\fR, \fB\-\-all\fR
|
31
38
|
Find all vulnerabilities for each URL\.
|
32
|
-
.LP
|
33
39
|
.TP
|
34
|
-
\fB
|
40
|
+
\fB\-\-print\-curl\fR
|
41
|
+
Also prints an example \fBcurl\fR command for each vulnerability\.
|
42
|
+
.TP
|
43
|
+
\fB\-\-print\-http\fR
|
44
|
+
Also prints an example HTTP request for each vulnerability\.
|
45
|
+
.TP
|
46
|
+
\fB\-M\fR, \fB\-\-request\-method\fR \fBCOPY\fR\[or]\fBDELETE\fR\[or]\fBGET\fR\[or]\fBHEAD\fR\[or]\fBLOCK\fR\[or]\fBMKCOL\fR\[or]\fBMOVE\fR\[or]\fBOPTIONS\fR\[or]\fBPATCH\fR\[or]\fBPOST\fR\[or]\fBPROPFIND\fR\[or]\fBPROPPATCH\fR\[or]\fBPUT\fR\[or]\fBTRACE\fR\[or]\fBUNLOCK\fR
|
47
|
+
Sets the HTTP request method to use\.
|
48
|
+
.TP
|
49
|
+
\fB\-H\fR, \fB\-\-header\fR \[lq]\fIName\fP: \fIvalue\fP\[rq]
|
35
50
|
Sets an additional header using the given \fIName\fP and \fIvalue\fP\.
|
36
|
-
.LP
|
37
51
|
.TP
|
38
|
-
\fB
|
52
|
+
\fB\-U\fR, \fB\-\-user\-agent\-string\fR \fISTRING\fP
|
53
|
+
Sets the \fBUser\-Agent\fR header string\.
|
54
|
+
.TP
|
55
|
+
\fB\-u\fR, \fB\-\-user\-agent\fR \fBchrome\-linux\fR\[or]\fBchrome\-macos\fR\[or]\fBchrome\-windows\fR\[or]\fBchrome\-iphone\fR\[or]\fBchrome\-ipad\fR\[or]\fBchrome\-android\fR\[or]\fBfirefox\-linux\fR\[or]\fBfirefox\-macos\fR\[or]\fBfirefox\-windows\fR\[or]\fBfirefox\-iphone\fR\[or]\fBfirefox\-ipad\fR\[or]\fBfirefox\-android\fR\[or]\fBsafari\-macos\fR\[or]\fBsafari\-iphone\fR\[or]\fBsafari\-ipad\fR\[or]\fBedge\fR
|
56
|
+
Sets the \fBUser\-Agent\fR header\.
|
57
|
+
.TP
|
58
|
+
\fB\-C\fR, \fB\-\-cookie\fR \fICOOKIE\fP
|
39
59
|
Sets the raw \fBCookie\fR header\.
|
40
|
-
.LP
|
41
60
|
.TP
|
42
|
-
\fB
|
61
|
+
\fB\-c\fR, \fB\-\-cookie\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
43
62
|
Sets an additional \fBCookie\fR param using the given \fINAME\fP and \fIVALUE\fP\.
|
44
|
-
.LP
|
45
63
|
.TP
|
46
|
-
\fB
|
64
|
+
\fB\-R\fR, \fB\-\-referer\fR \fIURL\fP
|
47
65
|
Sets the \fBReferer\fR header\.
|
48
|
-
.LP
|
49
66
|
.TP
|
50
|
-
\fB
|
67
|
+
\fB\-F\fR, \fB\-\-form\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
51
68
|
Sets an additional form param using the given \fINAME\fP and \fIVALUE\fP\.
|
52
|
-
.LP
|
53
69
|
.TP
|
54
|
-
\fB
|
70
|
+
\fB\-\-test\-query\-param\fR \fINAME\fP
|
55
71
|
Tests the URL query param name\.
|
56
|
-
.LP
|
57
72
|
.TP
|
58
|
-
\fB
|
73
|
+
\fB\-\-test\-all\-query\-params\fR
|
59
74
|
Test all URL query param names\.
|
60
|
-
.LP
|
61
75
|
.TP
|
62
|
-
\fB
|
76
|
+
\fB\-\-test\-header\-name\fR \fINAME\fP
|
63
77
|
Tests the HTTP Header name\.
|
64
|
-
.LP
|
65
78
|
.TP
|
66
|
-
\fB
|
79
|
+
\fB\-\-test\-cookie\-param\fR \fINAME\fP
|
67
80
|
Tests the HTTP Cookie name\.
|
68
|
-
.LP
|
69
81
|
.TP
|
70
|
-
\fB
|
82
|
+
\fB\-\-test\-all\-cookie\-params\fR
|
71
83
|
Test all Cookie param names\.
|
72
|
-
.LP
|
73
84
|
.TP
|
74
|
-
\fB
|
85
|
+
\fB\-\-test\-form\-param\fR \fINAME\fP
|
75
86
|
Tests the form param name\.
|
76
|
-
.LP
|
77
87
|
.TP
|
78
|
-
\fB
|
88
|
+
\fB\-i\fR, \fB\-\-input\fR \fIFILE\fP
|
79
89
|
Reads URLs from the given \fIFILE\fP\.
|
80
|
-
.LP
|
81
90
|
.TP
|
82
|
-
\fB
|
91
|
+
\fB\-h\fR, \fB\-\-help\fR
|
83
92
|
Print help information\.
|
84
|
-
.LP
|
85
93
|
.SH AUTHOR
|
86
|
-
.LP
|
87
94
|
.PP
|
88
95
|
Postmodern
|
89
96
|
.MT postmodern\.mod3\[at]gmail\.com
|
90
97
|
.ME
|
91
|
-
.LP
|
92
98
|
.SH SEE ALSO
|
93
|
-
.LP
|
94
99
|
.PP
|
95
|
-
ronin\-vulns\-scan(1)
|
100
|
+
.BR ronin\-vulns\-scan (1)
|
@@ -1,5 +1,9 @@
|
|
1
1
|
# ronin-vulns-reflected-xss 1 "May 2022" Ronin "User Manuals"
|
2
2
|
|
3
|
+
## NAME
|
4
|
+
|
5
|
+
ronin-vulns-reflected-xss - Scans URL(s) for Reflected Cross Site Scripting (XSS) vulnerabilities
|
6
|
+
|
3
7
|
## SYNOPSIS
|
4
8
|
|
5
9
|
`ronin-vulns reflected-xss` [*options*] {*URL* ... \| `--input` *FILE*}
|
@@ -13,54 +17,82 @@ to scan can be given as additional arguments or read from a file using the
|
|
13
17
|
## ARGUMENTS
|
14
18
|
|
15
19
|
*URL*
|
16
|
-
|
20
|
+
: A URL to scan.
|
17
21
|
|
18
22
|
## OPTIONS
|
19
23
|
|
24
|
+
`--db` *NAME*
|
25
|
+
: The database name to connect to. Defaults to `default` if not given.
|
26
|
+
|
27
|
+
`--db-uri` *URI*
|
28
|
+
: The database URI to connect to
|
29
|
+
(ex: `postgres://user:password@host/db`).
|
30
|
+
|
31
|
+
`--db-file` *PATH*
|
32
|
+
: The sqlite3 database file to use.
|
33
|
+
|
34
|
+
`--import`
|
35
|
+
: Imports discovered vulnerabilities into the database.
|
36
|
+
|
20
37
|
`--first`
|
21
|
-
|
38
|
+
: Only find the first vulnerability for each URL.
|
22
39
|
|
23
40
|
`-A`, `--all`
|
24
|
-
|
41
|
+
: Find all vulnerabilities for each URL.
|
42
|
+
|
43
|
+
`--print-curl`
|
44
|
+
: Also prints an example `curl` command for each vulnerability.
|
45
|
+
|
46
|
+
`--print-http`
|
47
|
+
: Also prints an example HTTP request for each vulnerability.
|
48
|
+
|
49
|
+
`-M`, `--request-method` `COPY`|`DELETE`|`GET`|`HEAD`|`LOCK`|`MKCOL`|`MOVE`|`OPTIONS`|`PATCH`|`POST`|`PROPFIND`|`PROPPATCH`|`PUT`|`TRACE`|`UNLOCK`
|
50
|
+
: Sets the HTTP request method to use.
|
25
51
|
|
26
52
|
`-H`, `--header` "*Name*: *value*"
|
27
|
-
|
53
|
+
: Sets an additional header using the given *Name* and *value*.
|
54
|
+
|
55
|
+
`-U`, `--user-agent-string` *STRING*
|
56
|
+
: Sets the `User-Agent` header string.
|
57
|
+
|
58
|
+
`-u`, `--user-agent` `chrome-linux`\|`chrome-macos`\|`chrome-windows`\|`chrome-iphone`\|`chrome-ipad`\|`chrome-android`\|`firefox-linux`\|`firefox-macos`\|`firefox-windows`\|`firefox-iphone`\|`firefox-ipad`\|`firefox-android`\|`safari-macos`\|`safari-iphone`\|`safari-ipad`\|`edge`
|
59
|
+
: Sets the `User-Agent` header.
|
28
60
|
|
29
61
|
`-C`, `--cookie` *COOKIE*
|
30
|
-
|
62
|
+
: Sets the raw `Cookie` header.
|
31
63
|
|
32
64
|
`-c`, `--cookie-param` *NAME*`=`*VALUE*
|
33
|
-
|
65
|
+
: Sets an additional `Cookie` param using the given *NAME* and *VALUE*.
|
34
66
|
|
35
67
|
`-R`, `--referer` *URL*
|
36
|
-
|
68
|
+
: Sets the `Referer` header.
|
37
69
|
|
38
70
|
`-F`, `--form-param` *NAME*`=`*VALUE*
|
39
|
-
|
71
|
+
: Sets an additional form param using the given *NAME* and *VALUE*.
|
40
72
|
|
41
73
|
`--test-query-param` *NAME*
|
42
|
-
|
74
|
+
: Tests the URL query param name.
|
43
75
|
|
44
76
|
`--test-all-query-params`
|
45
|
-
|
77
|
+
: Test all URL query param names.
|
46
78
|
|
47
79
|
`--test-header-name` *NAME*
|
48
|
-
|
80
|
+
: Tests the HTTP Header name.
|
49
81
|
|
50
82
|
`--test-cookie-param` *NAME*
|
51
|
-
|
83
|
+
: Tests the HTTP Cookie name.
|
52
84
|
|
53
85
|
`--test-all-cookie-params`
|
54
|
-
|
86
|
+
: Test all Cookie param names.
|
55
87
|
|
56
88
|
`--test-form-param` *NAME*
|
57
|
-
|
89
|
+
: Tests the form param name.
|
58
90
|
|
59
91
|
`-i`, `--input` *FILE*
|
60
|
-
|
92
|
+
: Reads URLs from the given *FILE*.
|
61
93
|
|
62
94
|
`-h`, `--help`
|
63
|
-
|
95
|
+
: Print help information.
|
64
96
|
|
65
97
|
## AUTHOR
|
66
98
|
|
@@ -68,4 +100,4 @@ Postmodern <postmodern.mod3@gmail.com>
|
|
68
100
|
|
69
101
|
## SEE ALSO
|
70
102
|
|
71
|
-
ronin-vulns-scan(1)
|
103
|
+
[ronin-vulns-scan](ronin-vulns-scan.1.md)
|
data/man/ronin-vulns-rfi.1
CHANGED
@@ -1,107 +1,109 @@
|
|
1
|
-
.\" Generated by kramdown-man 0.1
|
1
|
+
.\" Generated by kramdown-man 1.0.1
|
2
2
|
.\" https://github.com/postmodern/kramdown-man#readme
|
3
3
|
.TH ronin-vulns-rfi 1 "May 2022" Ronin "User Manuals"
|
4
|
-
.
|
4
|
+
.SH NAME
|
5
|
+
.PP
|
6
|
+
ronin\-vulns\-rfi \- Scans URL(s) for Remote File Inclusion (RFI) vulnerabilities
|
5
7
|
.SH SYNOPSIS
|
6
|
-
.LP
|
7
8
|
.PP
|
8
|
-
\fBronin
|
9
|
-
.LP
|
9
|
+
\fBronin\-vulns rfi\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB\-\-input\fR \fIFILE\fP\[rC]
|
10
10
|
.SH DESCRIPTION
|
11
|
-
.LP
|
12
11
|
.PP
|
13
12
|
Scans URL(s) for Remote File Inclusion (RFI) vulnerabilities\. The URLs to scan
|
14
|
-
can be given as additional arguments or read from a file using the \fB
|
13
|
+
can be given as additional arguments or read from a file using the \fB\-\-input\fR
|
15
14
|
option\.
|
16
|
-
.LP
|
17
15
|
.SH ARGUMENTS
|
18
|
-
.LP
|
19
16
|
.TP
|
20
17
|
\fIURL\fP
|
21
18
|
A URL to scan\.
|
22
|
-
.LP
|
23
19
|
.SH OPTIONS
|
24
|
-
.LP
|
25
20
|
.TP
|
26
|
-
\fB
|
21
|
+
\fB\-\-db\fR \fINAME\fP
|
22
|
+
The database name to connect to\. Defaults to \fBdefault\fR if not given\.
|
23
|
+
.TP
|
24
|
+
\fB\-\-db\-uri\fR \fIURI\fP
|
25
|
+
The database URI to connect to
|
26
|
+
(ex: \fBpostgres:\[sl]\[sl]user:password\[at]host\[sl]db\fR)\.
|
27
|
+
.TP
|
28
|
+
\fB\-\-db\-file\fR \fIPATH\fP
|
29
|
+
The sqlite3 database file to use\.
|
30
|
+
.TP
|
31
|
+
\fB\-\-import\fR
|
32
|
+
Imports discovered vulnerabilities into the database\.
|
33
|
+
.TP
|
34
|
+
\fB\-\-first\fR
|
27
35
|
Only find the first vulnerability for each URL\.
|
28
|
-
.LP
|
29
36
|
.TP
|
30
|
-
\fB
|
37
|
+
\fB\-A\fR, \fB\-\-all\fR
|
31
38
|
Find all vulnerabilities for each URL\.
|
32
|
-
.LP
|
33
39
|
.TP
|
34
|
-
\fB
|
40
|
+
\fB\-\-print\-curl\fR
|
41
|
+
Also prints an example \fBcurl\fR command for each vulnerability\.
|
42
|
+
.TP
|
43
|
+
\fB\-\-print\-http\fR
|
44
|
+
Also prints an example HTTP request for each vulnerability\.
|
45
|
+
.TP
|
46
|
+
\fB\-M\fR, \fB\-\-request\-method\fR \fBCOPY\fR\[or]\fBDELETE\fR\[or]\fBGET\fR\[or]\fBHEAD\fR\[or]\fBLOCK\fR\[or]\fBMKCOL\fR\[or]\fBMOVE\fR\[or]\fBOPTIONS\fR\[or]\fBPATCH\fR\[or]\fBPOST\fR\[or]\fBPROPFIND\fR\[or]\fBPROPPATCH\fR\[or]\fBPUT\fR\[or]\fBTRACE\fR\[or]\fBUNLOCK\fR
|
47
|
+
Sets the HTTP request method to use\.
|
48
|
+
.TP
|
49
|
+
\fB\-H\fR, \fB\-\-header\fR \[lq]\fIName\fP: \fIvalue\fP\[rq]
|
35
50
|
Sets an additional header using the given \fIName\fP and \fIvalue\fP\.
|
36
|
-
.LP
|
37
51
|
.TP
|
38
|
-
\fB
|
52
|
+
\fB\-U\fR, \fB\-\-user\-agent\-string\fR \fISTRING\fP
|
53
|
+
Sets the \fBUser\-Agent\fR header string\.
|
54
|
+
.TP
|
55
|
+
\fB\-u\fR, \fB\-\-user\-agent\fR \fBchrome\-linux\fR\[or]\fBchrome\-macos\fR\[or]\fBchrome\-windows\fR\[or]\fBchrome\-iphone\fR\[or]\fBchrome\-ipad\fR\[or]\fBchrome\-android\fR\[or]\fBfirefox\-linux\fR\[or]\fBfirefox\-macos\fR\[or]\fBfirefox\-windows\fR\[or]\fBfirefox\-iphone\fR\[or]\fBfirefox\-ipad\fR\[or]\fBfirefox\-android\fR\[or]\fBsafari\-macos\fR\[or]\fBsafari\-iphone\fR\[or]\fBsafari\-ipad\fR\[or]\fBedge\fR
|
56
|
+
Sets the \fBUser\-Agent\fR header\.
|
57
|
+
.TP
|
58
|
+
\fB\-C\fR, \fB\-\-cookie\fR \fICOOKIE\fP
|
39
59
|
Sets the raw \fBCookie\fR header\.
|
40
|
-
.LP
|
41
60
|
.TP
|
42
|
-
\fB
|
61
|
+
\fB\-c\fR, \fB\-\-cookie\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
43
62
|
Sets an additional \fBCookie\fR param using the given \fINAME\fP and \fIVALUE\fP\.
|
44
|
-
.LP
|
45
63
|
.TP
|
46
|
-
\fB
|
64
|
+
\fB\-R\fR, \fB\-\-referer\fR \fIURL\fP
|
47
65
|
Sets the \fBReferer\fR header\.
|
48
|
-
.LP
|
49
66
|
.TP
|
50
|
-
\fB
|
67
|
+
\fB\-F\fR, \fB\-\-form\-param\fR \fINAME\fP\fB\[eq]\fR\fIVALUE\fP
|
51
68
|
Sets an additional form param using the given \fINAME\fP and \fIVALUE\fP\.
|
52
|
-
.LP
|
53
69
|
.TP
|
54
|
-
\fB
|
70
|
+
\fB\-\-test\-query\-param\fR \fINAME\fP
|
55
71
|
Tests the URL query param name\.
|
56
|
-
.LP
|
57
72
|
.TP
|
58
|
-
\fB
|
73
|
+
\fB\-\-test\-all\-query\-params\fR
|
59
74
|
Test all URL query param names\.
|
60
|
-
.LP
|
61
75
|
.TP
|
62
|
-
\fB
|
76
|
+
\fB\-\-test\-header\-name\fR \fINAME\fP
|
63
77
|
Tests the HTTP Header name\.
|
64
|
-
.LP
|
65
78
|
.TP
|
66
|
-
\fB
|
79
|
+
\fB\-\-test\-cookie\-param\fR \fINAME\fP
|
67
80
|
Tests the HTTP Cookie name\.
|
68
|
-
.LP
|
69
81
|
.TP
|
70
|
-
\fB
|
82
|
+
\fB\-\-test\-all\-cookie\-params\fR
|
71
83
|
Test all Cookie param names\.
|
72
|
-
.LP
|
73
84
|
.TP
|
74
|
-
\fB
|
85
|
+
\fB\-\-test\-form\-param\fR \fINAME\fP
|
75
86
|
Tests the form param name\.
|
76
|
-
.LP
|
77
87
|
.TP
|
78
|
-
\fB
|
88
|
+
\fB\-i\fR, \fB\-\-input\fR \fIFILE\fP
|
79
89
|
Reads URLs from the given \fIFILE\fP\.
|
80
|
-
.LP
|
81
90
|
.TP
|
82
|
-
\fB
|
91
|
+
\fB\-B\fR, \fB\-\-filter\-bypass\fR \fBdouble\-encode\fR\[or]\fBsuffix\-escape\fR\[or]\fBnull\-byte\fR
|
83
92
|
Optional filter\-bypass strategy to use\.
|
84
|
-
.
|
85
|
-
|
86
|
-
\fB-S\fR, \fB--script-lang\fR \fBasp\|\fRasp\.net\fB\|\fRcoldfusion\fB\|\fRjsp\fB\|\fRphp\fB\|\fRperl\`
|
93
|
+
.TP
|
94
|
+
\fB\-S\fR, \fB\-\-script\-lang\fR \fBasp\e\[or]\fRasp\.net\fB\e\[or]\fRcoldfusion\fB\e\[or]\fRjsp\fB\e\[or]\fRphp\fB\e\[or]\fRperl\`
|
87
95
|
Explicitly specify the scripting language to test for\.
|
88
|
-
.LP
|
89
96
|
.TP
|
90
|
-
\fB
|
97
|
+
\fB\-T\fR, \fB\-\-test\-script\-url\fR \fIURL\fP
|
91
98
|
Use an alternative test script \fIURL\fP\.
|
92
|
-
.LP
|
93
99
|
.TP
|
94
|
-
\fB
|
100
|
+
\fB\-h\fR, \fB\-\-help\fR
|
95
101
|
Print help information\.
|
96
|
-
.LP
|
97
102
|
.SH AUTHOR
|
98
|
-
.LP
|
99
103
|
.PP
|
100
104
|
Postmodern
|
101
105
|
.MT postmodern\.mod3\[at]gmail\.com
|
102
106
|
.ME
|
103
|
-
.LP
|
104
107
|
.SH SEE ALSO
|
105
|
-
.LP
|
106
108
|
.PP
|
107
|
-
ronin\-vulns\-scan(1)
|
109
|
+
.BR ronin\-vulns\-scan (1)
|
data/man/ronin-vulns-rfi.1.md
CHANGED
@@ -1,5 +1,9 @@
|
|
1
1
|
# ronin-vulns-rfi 1 "May 2022" Ronin "User Manuals"
|
2
2
|
|
3
|
+
## NAME
|
4
|
+
|
5
|
+
ronin-vulns-rfi - Scans URL(s) for Remote File Inclusion (RFI) vulnerabilities
|
6
|
+
|
3
7
|
## SYNOPSIS
|
4
8
|
|
5
9
|
`ronin-vulns rfi` [*options*] {*URL* ... \| `--input` *FILE*}
|
@@ -13,63 +17,91 @@ option.
|
|
13
17
|
## ARGUMENTS
|
14
18
|
|
15
19
|
*URL*
|
16
|
-
|
20
|
+
: A URL to scan.
|
17
21
|
|
18
22
|
## OPTIONS
|
19
23
|
|
24
|
+
`--db` *NAME*
|
25
|
+
: The database name to connect to. Defaults to `default` if not given.
|
26
|
+
|
27
|
+
`--db-uri` *URI*
|
28
|
+
: The database URI to connect to
|
29
|
+
(ex: `postgres://user:password@host/db`).
|
30
|
+
|
31
|
+
`--db-file` *PATH*
|
32
|
+
: The sqlite3 database file to use.
|
33
|
+
|
34
|
+
`--import`
|
35
|
+
: Imports discovered vulnerabilities into the database.
|
36
|
+
|
20
37
|
`--first`
|
21
|
-
|
38
|
+
: Only find the first vulnerability for each URL.
|
22
39
|
|
23
40
|
`-A`, `--all`
|
24
|
-
|
41
|
+
: Find all vulnerabilities for each URL.
|
42
|
+
|
43
|
+
`--print-curl`
|
44
|
+
: Also prints an example `curl` command for each vulnerability.
|
45
|
+
|
46
|
+
`--print-http`
|
47
|
+
: Also prints an example HTTP request for each vulnerability.
|
48
|
+
|
49
|
+
`-M`, `--request-method` `COPY`|`DELETE`|`GET`|`HEAD`|`LOCK`|`MKCOL`|`MOVE`|`OPTIONS`|`PATCH`|`POST`|`PROPFIND`|`PROPPATCH`|`PUT`|`TRACE`|`UNLOCK`
|
50
|
+
: Sets the HTTP request method to use.
|
25
51
|
|
26
52
|
`-H`, `--header` "*Name*: *value*"
|
27
|
-
|
53
|
+
: Sets an additional header using the given *Name* and *value*.
|
54
|
+
|
55
|
+
`-U`, `--user-agent-string` *STRING*
|
56
|
+
: Sets the `User-Agent` header string.
|
57
|
+
|
58
|
+
`-u`, `--user-agent` `chrome-linux`\|`chrome-macos`\|`chrome-windows`\|`chrome-iphone`\|`chrome-ipad`\|`chrome-android`\|`firefox-linux`\|`firefox-macos`\|`firefox-windows`\|`firefox-iphone`\|`firefox-ipad`\|`firefox-android`\|`safari-macos`\|`safari-iphone`\|`safari-ipad`\|`edge`
|
59
|
+
: Sets the `User-Agent` header.
|
28
60
|
|
29
61
|
`-C`, `--cookie` *COOKIE*
|
30
|
-
|
62
|
+
: Sets the raw `Cookie` header.
|
31
63
|
|
32
64
|
`-c`, `--cookie-param` *NAME*`=`*VALUE*
|
33
|
-
|
65
|
+
: Sets an additional `Cookie` param using the given *NAME* and *VALUE*.
|
34
66
|
|
35
67
|
`-R`, `--referer` *URL*
|
36
|
-
|
68
|
+
: Sets the `Referer` header.
|
37
69
|
|
38
70
|
`-F`, `--form-param` *NAME*`=`*VALUE*
|
39
|
-
|
71
|
+
: Sets an additional form param using the given *NAME* and *VALUE*.
|
40
72
|
|
41
73
|
`--test-query-param` *NAME*
|
42
|
-
|
74
|
+
: Tests the URL query param name.
|
43
75
|
|
44
76
|
`--test-all-query-params`
|
45
|
-
|
77
|
+
: Test all URL query param names.
|
46
78
|
|
47
79
|
`--test-header-name` *NAME*
|
48
|
-
|
80
|
+
: Tests the HTTP Header name.
|
49
81
|
|
50
82
|
`--test-cookie-param` *NAME*
|
51
|
-
|
83
|
+
: Tests the HTTP Cookie name.
|
52
84
|
|
53
85
|
`--test-all-cookie-params`
|
54
|
-
|
86
|
+
: Test all Cookie param names.
|
55
87
|
|
56
88
|
`--test-form-param` *NAME*
|
57
|
-
|
89
|
+
: Tests the form param name.
|
58
90
|
|
59
91
|
`-i`, `--input` *FILE*
|
60
|
-
|
92
|
+
: Reads URLs from the given *FILE*.
|
61
93
|
|
62
94
|
`-B`, `--filter-bypass` `double-encode`\|`suffix-escape`\|`null-byte`
|
63
|
-
|
95
|
+
: Optional filter-bypass strategy to use.
|
64
96
|
|
65
97
|
`-S`, `--script-lang` `asp\|`asp.net`\|`coldfusion`\|`jsp`\|`php`\|`perl`
|
66
|
-
|
98
|
+
: Explicitly specify the scripting language to test for.
|
67
99
|
|
68
100
|
`-T`, `--test-script-url` *URL*
|
69
|
-
|
101
|
+
: Use an alternative test script *URL*.
|
70
102
|
|
71
103
|
`-h`, `--help`
|
72
|
-
|
104
|
+
: Print help information.
|
73
105
|
|
74
106
|
## AUTHOR
|
75
107
|
|
@@ -77,4 +109,4 @@ Postmodern <postmodern.mod3@gmail.com>
|
|
77
109
|
|
78
110
|
## SEE ALSO
|
79
111
|
|
80
|
-
ronin-vulns-scan(1)
|
112
|
+
[ronin-vulns-scan](ronin-vulns-scan.1.md)
|