ronin-vulns 0.1.4 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a034edd07851be44f796a03f47cc5583969734943d5ec23c0073e9dc92f62bd7
-  data.tar.gz: 223f844d4ead3779a13d981a6998c46a5cf7f445d5b95044ae30997f546642e5
+  metadata.gz: 782fb72c980f9466dd49b736e941d1d4bf092066bdb2894c776f7610bb0ee049
+  data.tar.gz: 732c6cf18098e86aa1d600e7607fb8110a903ea76391901977574faff167b550
 SHA512:
-  metadata.gz: 0db7e162bc9e7294be2d5a89660c3fd3b5892d4e2595b56704bcd8725bccb3041b38a8621c1daab77471236d2a17c1075bdf8ce7f4f233afee43d7277b6afc94
-  data.tar.gz: 9a5e1f7513231f294ca5f328f79921dc66c1072b301ccfbf3ac72844b75b492a0ccd76a171d507d82b002824522f79cf6d9e08e7bf99c7624e47375993064176
+  metadata.gz: a636b00ea3642dadf7ee2f1c1b4a498f5b8e107d46c7ed64aac115cb1788b395de343c5ac7683eef0b3556128e9466e8228782ae453d337cae46ef0c280369fa
+  data.tar.gz: e610ebe869ae47cc6ea5ab6c6cd548838da9873943f3d64317ff4682d36bfa172de79df5fff4a53a8d37936a83ada614d4fdc4c1d374eed08cb51a3f9ab421a0

data/.github/workflows/ruby.yml

@@ -12,11 +12,12 @@ jobs:
           - '3.0'
           - '3.1'
           - '3.2'
+          - '3.3'
           # - jruby
           - truffleruby
     name: Ruby ${{ matrix.ruby }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -35,7 +36,7 @@ jobs:
   rubocop:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/ChangeLog.md

@@ -1,3 +1,12 @@
+### 0.1.5 / 2024-06-19
+
+* Improve the accuracy of {Ronin::Vulns::OpenRedirect#vulnerable?} when
+  detecting open redirects in meta-refresh HTML tags.
+  * Match the test URL when it ends with `?...`, `&...`, or `&...`.
+  * Detect when the test URL has an additional string appended to it
+    (ex: `.html`). The appended string can easily be bypassed by adding a
+    `?`, `&`, or `#` character to the end of the test URL.
+
 ### 0.1.4 / 2023-09-19
 
 #### CLI

data/lib/ronin/vulns/open_redirect.rb

@@ -80,7 +80,7 @@ module Ronin
         when '301', '302', '303', '307', '308'
           if (locations = response.get_fields('Location'))
             escaped_test_url = Regexp.escape(@test_url)
-            regexp           = /\A#{escaped_test_url}(?:[\?&].+)?\z/
+            regexp           = /\A#{escaped_test_url}.*\z/
 
             locations.last =~ regexp
           end
@@ -95,10 +95,34 @@ module Ronin
                 http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
                 content\s*=\s*
                 (?:
-                 "\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|
-                 '\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|
-                 \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' )
-                )\s*
+                  # content="..."
+                  "\s*\d+\s*;\s*url\s*=\s*
+                  (?:
+                    # content="0; url='...'"
+                    '\s*#{escaped_test_url}[^'"]*' |
+                    # content="0; url=..."
+                    #{escaped_test_url}[^"]*
+                  )\s*" |
+                  # content='...'
+                  '\s*\d+\s*;\s*url\s*=\s*
+                  (?:
+                    # content='0; url="..."'
+                    "\s*#{escaped_test_url}[^"']*" |
+                    # content='0; url=...'
+                    #{escaped_test_url}[^']*
+                  )\s*' |
+                  # content=...
+                  \s*\d+;url=(?:
+                    # content=0;url="..."
+                    "\s*#{escaped_test_url}[^\s"]*" |
+                    # content=0;url='...'
+                    '\s*#{escaped_test_url}[^\s']*' |
+                    # content=0;url=...
+                    #{escaped_test_url}[^\s/>]*
+                  )
+                )
+                \s*
+                # /> or / >
                 (?:/\s*)?>
             }xi
 

data/lib/ronin/vulns/sqli.rb

@@ -296,7 +296,7 @@ module Ronin
       #
       def check_for_sql_errors(response)
         if response.code == '500'
-          ERROR_PATTERNS.each do |database,error_pattern|
+          ERROR_PATTERNS.each_value do |error_pattern|
             if error_pattern =~ response.body
               return true
             end

data/lib/ronin/vulns/url_scanner.rb

@@ -30,6 +30,16 @@ module Ronin
     #
     # Top-level module which scans a URL for all web vulnerabilities.
     #
+    # ## Examples
+    #
+    #     require 'ronin/vulns/url_scanner'
+    #
+    #     Ronin::Vulns::URLScanner.scan(url) do |vuln|
+    #       # ...
+    #     end
+    #
+    #     vuln = Ronin::Vulns::URLScanner.test(url)
+    #
     module URLScanner
       #
       # Scans a URL for web vulnerabilities.

data/lib/ronin/vulns/version.rb

@@ -21,6 +21,6 @@
 module Ronin
   module Vulns
     # The ronin-vulns version
-    VERSION = '0.1.4'
+    VERSION = '0.1.5'
   end
 end

data/man/ronin-vulns-lfi.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-lfi 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns lfi\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION

data/man/ronin-vulns-open-redirect.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-open-redirect 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns open-redirect\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION

data/man/ronin-vulns-reflected-xss.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-reflected-xss 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns reflected-xss\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION

data/man/ronin-vulns-rfi.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-rfi 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns rfi\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION
@@ -82,7 +82,7 @@ Reads URLs from the given \fIFILE\fP\.
 \fB-B\fR, \fB--filter-bypass\fR \fBdouble-encode\fR\[or]\fBsuffix-escape\fR\[or]\fBnull-byte\fR
 Optional filter\-bypass strategy to use\.
 .LP
-.HP
+.PP
 \fB-S\fR, \fB--script-lang\fR \fBasp\|\fRasp\.net\fB\|\fRcoldfusion\fB\|\fRjsp\fB\|\fRphp\fB\|\fRperl\`
 Explicitly specify the scripting language to test for\.
 .LP

data/man/ronin-vulns-scan.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-scan 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns scan\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION
@@ -113,7 +113,7 @@ Escapes parenthesis\.
 \fB--sqli-terminate\fR
 Terminates the SQL expression with a \fB--\fR\.
 .LP
-.HP
+.PP
 \fB--ssti-test-expr\fR \[lC]\fIX\fP*\fIY\fP \[or] \fIX\fP\[sl]\fIZ\fP \[or] \fIX\fP\[pl]\fIY\fP \[or] \fIX\fP\-\fIY\fP\[rC]
 Optional numeric test to use\.
 .LP

data/man/ronin-vulns-sqli.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-sqli 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns sqli\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION

data/man/ronin-vulns-ssti.1

@@ -1,10 +1,10 @@
-.\" Generated by kramdown-man 0.1.8
+.\" Generated by kramdown-man 0.1.9
 .\" https://github.com/postmodern/kramdown-man#readme
 .TH ronin-vulns-lfi 1 "May 2022" Ronin "User Manuals"
 .LP
 .SH SYNOPSIS
 .LP
-.HP
+.PP
 \fBronin-vulns lfi\fR \[lB]\fIoptions\fP\[rB] \[lC]\fIURL\fP \.\.\. \[or] \fB--input\fR \fIFILE\fP\[rC]
 .LP
 .SH DESCRIPTION
@@ -78,7 +78,7 @@ Tests the form param name\.
 \fB-i\fR, \fB--input\fR \fIFILE\fP
 Reads URLs from the given \fIFILE\fP\.
 .LP
-.HP
+.PP
 \fB-T\fR, \fB--test-expr\fR \[lC]\fIX*Y\fP \[or] \fIX\[sl]Z\fP \[or] \fIX\[pl]Y\fP \[or] \fIX\-Y\fP\[rC]
 Optional numeric test to use\.
 .LP

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ronin-vulns
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - Postmodern
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-19 00:00:00.000000000 Z
+date: 2024-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ronin-support
@@ -159,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Tests URLs for Local File Inclusion (LFI), Remove File Inclusion (RFI), SQL