ronin-vulns 0.1.2 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.document +0 -1
- data/ChangeLog.md +10 -0
- data/Gemfile +2 -2
- data/lib/ronin/vulns/reflected_xss/context.rb +20 -6
- data/lib/ronin/vulns/sqli.rb +25 -13
- data/lib/ronin/vulns/ssti.rb +11 -11
- data/lib/ronin/vulns/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b260c485d9272af5724bed43fc2959995463f8b78e276bf669d1bb98740e917c
|
|
4
|
+
data.tar.gz: de99077b9d9fe73bd167309af9c7c6d7688bd03a02d2af9bd2fc8eae133aa43a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1f4ce00d82035a11ade026eb6deee9be1244b499d692e47d4961be3cfc2a2dd9d8c609b6c11c5fab72e454f5ccc60adf9dd6ab7e4ceced5b0df9ea27fc18ec27
|
|
7
|
+
data.tar.gz: fb41c677b9eaf56c3cc3fabc028db365061ed98e745dfc3bf942238ebd6c2b642716a2e5dc7f010bb9fa2249112bf4ab66db715d35221783104a3702c694aeea
|
data/.document
CHANGED
data/ChangeLog.md
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
### 0.1.3 / 2023-07-07
|
|
2
|
+
|
|
3
|
+
* Fixed a bug in {Ronin::Vulns::SSTI.scan} where when called without `escape:`
|
|
4
|
+
it would not return all found vulnerabilities.
|
|
5
|
+
* Fixed a bug in {Ronin::Vulns::SQLI.scan} where repeat requests would be sent
|
|
6
|
+
even if `escape_quote:`, `escape_parens:`, or `terminate:` keyword arguments
|
|
7
|
+
are given.
|
|
8
|
+
* Improved {Ronin::Vulns::ReflectedXSS::Context} to detect when the XSS occurs
|
|
9
|
+
after or *inside of* an HTML comment.
|
|
10
|
+
|
|
1
11
|
### 0.1.2 / 2023-03-01
|
|
2
12
|
|
|
3
13
|
* Require `ronin-support` ~> 1.0, >= 1.0.1
|
data/Gemfile
CHANGED
|
@@ -10,9 +10,9 @@ gem 'jruby-openssl', '~> 0.7', platforms: :jruby
|
|
|
10
10
|
# branch: '0.4.0'
|
|
11
11
|
|
|
12
12
|
# Ronin dependencies
|
|
13
|
-
# gem 'ronin-support', '~> 1.0', github:
|
|
13
|
+
# gem 'ronin-support', '~> 1.0', github: 'ronin-rb/ronin-support',
|
|
14
14
|
# branch: 'main'
|
|
15
|
-
# gem 'ronin-core', '~> 0.1', github:
|
|
15
|
+
# gem 'ronin-core', '~> 0.1', github: 'ronin-rb/ronin-core',
|
|
16
16
|
# branch: 'main'
|
|
17
17
|
|
|
18
18
|
group :development do
|
|
@@ -30,7 +30,7 @@ module Ronin
|
|
|
30
30
|
|
|
31
31
|
# Where in the HTML the XSS occurs.
|
|
32
32
|
#
|
|
33
|
-
# @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body]
|
|
33
|
+
# @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment]
|
|
34
34
|
# The context which the XSS occurs in.
|
|
35
35
|
# * `:tag_body` occurred within a tag's body (ex: `<tag>XSS...</tag>`)
|
|
36
36
|
# * `:double_quoted_attr_value` - occurred in a double quoted
|
|
@@ -44,13 +44,14 @@ module Ronin
|
|
|
44
44
|
# * `:attr_list` - occurred in the attribute list
|
|
45
45
|
# (ex: `<tag XSS>...</tag>`)
|
|
46
46
|
# * `:tag_name` - occurred in the tag name (ex: `<tagXSS>...</tag>`)
|
|
47
|
+
# * `:comment` - occurred in a comment (ex: `<!-- XSS -->`)
|
|
47
48
|
#
|
|
48
49
|
# @api public
|
|
49
50
|
attr_reader :location
|
|
50
51
|
|
|
51
52
|
# The name of the parent tag which the XSS occurs in.
|
|
52
53
|
#
|
|
53
|
-
# @return [String]
|
|
54
|
+
# @return [String, nil]
|
|
54
55
|
#
|
|
55
56
|
# @api public
|
|
56
57
|
attr_reader :tag
|
|
@@ -65,9 +66,9 @@ module Ronin
|
|
|
65
66
|
#
|
|
66
67
|
# Initializes the context.
|
|
67
68
|
#
|
|
68
|
-
# @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body] location
|
|
69
|
+
# @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment] location
|
|
69
70
|
#
|
|
70
|
-
# @param [String] tag
|
|
71
|
+
# @param [String, nil] tag
|
|
71
72
|
#
|
|
72
73
|
# @param [String, nil] attr
|
|
73
74
|
#
|
|
@@ -100,6 +101,11 @@ module Ronin
|
|
|
100
101
|
# @api private
|
|
101
102
|
ATTR_LIST = /(?:\s+#{ATTR})*/
|
|
102
103
|
|
|
104
|
+
# HTML comment regexp.
|
|
105
|
+
#
|
|
106
|
+
# @api private
|
|
107
|
+
COMMENT = /<![^>]*>/
|
|
108
|
+
|
|
103
109
|
# HTML tag name regexp.
|
|
104
110
|
#
|
|
105
111
|
# @api private
|
|
@@ -108,7 +114,7 @@ module Ronin
|
|
|
108
114
|
# Regexp matching when an XSS occurs within a tag's inner HTML.
|
|
109
115
|
#
|
|
110
116
|
# @api private
|
|
111
|
-
IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)[^<>]*\z}
|
|
117
|
+
IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)([^<>]|#{COMMENT})*\z}
|
|
112
118
|
|
|
113
119
|
# Regexp matching when an XSS occurs within a double-quoted attribute
|
|
114
120
|
# value.
|
|
@@ -142,6 +148,11 @@ module Ronin
|
|
|
142
148
|
# @api private
|
|
143
149
|
IN_TAG_NAME = /<(#{TAG_NAME})\z/
|
|
144
150
|
|
|
151
|
+
# Regexp matching when an XSS occurs within a comment.
|
|
152
|
+
#
|
|
153
|
+
# @api private
|
|
154
|
+
IN_COMMENT = /<![^>]*\z/
|
|
155
|
+
|
|
145
156
|
#
|
|
146
157
|
# Determine the context of the XSS by checking the characters that come
|
|
147
158
|
# before the given index.
|
|
@@ -174,6 +185,8 @@ module Ronin
|
|
|
174
185
|
new(:attr_list, tag: match[1])
|
|
175
186
|
elsif (match = prefix.match(IN_TAG_NAME))
|
|
176
187
|
new(:tag_name, tag: match[1])
|
|
188
|
+
elsif prefix.match?(IN_COMMENT)
|
|
189
|
+
new(:comment)
|
|
177
190
|
end
|
|
178
191
|
end
|
|
179
192
|
|
|
@@ -193,7 +206,8 @@ module Ronin
|
|
|
193
206
|
attr_name: MINIMAL_REQUIRED_CHARS,
|
|
194
207
|
attr_list: MINIMAL_REQUIRED_CHARS,
|
|
195
208
|
tag_name: MINIMAL_REQUIRED_CHARS,
|
|
196
|
-
tag_body: MINIMAL_REQUIRED_CHARS
|
|
209
|
+
tag_body: MINIMAL_REQUIRED_CHARS,
|
|
210
|
+
comment: MINIMAL_REQUIRED_CHARS
|
|
197
211
|
}
|
|
198
212
|
|
|
199
213
|
#
|
data/lib/ronin/vulns/sqli.rb
CHANGED
|
@@ -105,6 +105,18 @@ module Ronin
|
|
|
105
105
|
# @param [URI::HTTP, String] url
|
|
106
106
|
# The URL to test or exploit.
|
|
107
107
|
#
|
|
108
|
+
# @param [Array<Boolean>, Boolean] escape_quote
|
|
109
|
+
# Controls whether to escape a quoted string value. If not specified,
|
|
110
|
+
# with and without quoted string escaping will be tested.
|
|
111
|
+
#
|
|
112
|
+
# @param [Array<Boolean>, Boolean] escape_parens
|
|
113
|
+
# Controls whether to escape parenthesis. If not specified, with and
|
|
114
|
+
# without parenthesis escaping will be tested.
|
|
115
|
+
#
|
|
116
|
+
# @param [Array<Boolean>, Boolean] terminate
|
|
117
|
+
# Controls whether to terminate the SQL statement with `--`.
|
|
118
|
+
# If not specified, with and without `--` terminate will be tested.
|
|
119
|
+
#
|
|
108
120
|
# @param [Ronin::Support::Network::HTTP, nil] http
|
|
109
121
|
# An HTTP session to use for testing the URL.
|
|
110
122
|
#
|
|
@@ -115,28 +127,28 @@ module Ronin
|
|
|
115
127
|
# If a block is given it will be yielded each discovered SQL injection
|
|
116
128
|
# vulnerability.
|
|
117
129
|
#
|
|
118
|
-
# @yieldparam [
|
|
130
|
+
# @yieldparam [SQLI] sqli
|
|
119
131
|
# A discovered SQL injection vulnerability in the URL.
|
|
120
132
|
#
|
|
121
|
-
# @return [Array<
|
|
133
|
+
# @return [Array<SQLI>]
|
|
122
134
|
# All discovered SQL injection vulnerabilities.
|
|
123
135
|
#
|
|
124
|
-
def self.scan(url,
|
|
136
|
+
def self.scan(url, escape_quote: [false, true],
|
|
137
|
+
escape_parens: [false, true],
|
|
138
|
+
terminate: [false, true],
|
|
139
|
+
# WebVuln.scan keyword arguments
|
|
140
|
+
http: nil, **kwargs, &block)
|
|
125
141
|
url = URI(url)
|
|
126
142
|
http ||= Support::Network::HTTP.connect_uri(url)
|
|
127
143
|
|
|
128
|
-
escape_quotes = [false, true]
|
|
129
|
-
escape_parens = [false, true]
|
|
130
|
-
terminations = [false, true]
|
|
131
|
-
|
|
132
144
|
vulns = []
|
|
133
145
|
|
|
134
|
-
|
|
135
|
-
escape_parens.each do |
|
|
136
|
-
|
|
137
|
-
vulns.concat(super(url, escape_quote:
|
|
138
|
-
escape_parens:
|
|
139
|
-
terminate:
|
|
146
|
+
Array(escape_quote).each do |escape_quote_value|
|
|
147
|
+
Array(escape_parens).each do |escape_parens_value|
|
|
148
|
+
Array(terminate).each do |terminate_value|
|
|
149
|
+
vulns.concat(super(url, escape_quote: escape_quote_value,
|
|
150
|
+
escape_parens: escape_parens_value,
|
|
151
|
+
terminate: terminate_value,
|
|
140
152
|
http: http,
|
|
141
153
|
**kwargs,
|
|
142
154
|
&block))
|
data/lib/ronin/vulns/ssti.rb
CHANGED
|
@@ -102,13 +102,13 @@ module Ronin
|
|
|
102
102
|
# @param [URI::HTTP, String] url
|
|
103
103
|
# The URL to scan.
|
|
104
104
|
#
|
|
105
|
-
# @param [
|
|
106
|
-
# Additional keyword arguments for {#initialize}.
|
|
107
|
-
#
|
|
108
|
-
# @option kwargs [Proc, nil] :escape
|
|
105
|
+
# @param [Array<Proc>, Proc, nil] escape
|
|
109
106
|
# The escape method to use. If `escape:` is not given, then all escapes
|
|
110
107
|
# in {ESCAPES} will be tested..
|
|
111
108
|
#
|
|
109
|
+
# @param [Hash{Symbol => Object}] kwargs
|
|
110
|
+
# Additional keyword arguments for {#initialize}.
|
|
111
|
+
#
|
|
112
112
|
# @option kwargs [Array<Symbol, String>, Symbol, String, true, nil] :query_params
|
|
113
113
|
# The query param name(s) to test.
|
|
114
114
|
#
|
|
@@ -145,14 +145,14 @@ module Ronin
|
|
|
145
145
|
# @return [Array<SSTI>]
|
|
146
146
|
# All discovered SSTI vulnerabilities.
|
|
147
147
|
#
|
|
148
|
-
def self.scan(url, **kwargs,&block)
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
super(url, escape: escape, **kwargs, &block)
|
|
154
|
-
end
|
|
148
|
+
def self.scan(url, escape: ESCAPES, **kwargs,&block)
|
|
149
|
+
vulns = []
|
|
150
|
+
|
|
151
|
+
Array(escape).each do |escape_char|
|
|
152
|
+
vulns.concat(super(url, escape: escape_char, **kwargs, &block))
|
|
155
153
|
end
|
|
154
|
+
|
|
155
|
+
return vulns
|
|
156
156
|
end
|
|
157
157
|
|
|
158
158
|
#
|
data/lib/ronin/vulns/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ronin-vulns
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Postmodern
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-07-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ronin-support
|