Class: Ronin::Vulns::RFI
Overview
Represents a Remote File Inclusion (RFI) vulnerability.
Constant Summary
- URL_EXTS =
The script extensions and their languages
    {
      '.asp'  => :asp,
      '.aspx' => :asp_net,
      '.cfm'  => :cold_fusion,
      '.cfml' => :cold_fusion,
      '.jsp'  => :jsp,
      '.php'  => :php,
      '.pl'   => :perl
    }
- GITHUB_BASE_URL =
The github.com base URL for all RFI test scripts.
    "https://raw.githubusercontent.com/ronin-rb/ronin-vulns/#{VERSION}/data"
- TEST_SCRIPT_URLS =
Mapping of scripting languages to RFI test scripts.
    {
      asp:         "#{GITHUB_BASE_URL}/rfi_test.asp",
      asp_net:     "#{GITHUB_BASE_URL}/rfi_test.aspx",
      cold_fusion: "#{GITHUB_BASE_URL}/rfi_test.cfm",
      jsp:         "#{GITHUB_BASE_URL}/rfi_test.jsp",
      php:         "#{GITHUB_BASE_URL}/rfi_test.php",
      perl:        "#{GITHUB_BASE_URL}/rfi_test.pl"
    }
- VULN_RESPONSE_STRING =
The string that will be returned if the Remote File Inclusion (RFI) script is executed.
    "Security Alert: Remote File Inclusion Detected!"
Instance Attribute Summary
- #filter_bypass ⇒ nil, ... (readonly)
The filter bypass technique to use.
- #test_script_url ⇒ URI::HTTP, String (readonly)
URL of the Remote File Inclusion (RFI) Test script.
Attributes inherited from WebVuln
#cookie, #cookie_param, #form_data, #form_param, #header_name, #headers, #http, #password, #query_param, #query_params, #referer, #request_method, #url, #user
Class Method Summary
- .infer_script_lang(url) ⇒ :asp, ...
Attempts to infer the programming language used for the web page at the given URL.
- .test_script_for(url) ⇒ String?
Selects the RFI test script for the scripting language used by the given URL.
- .test_script_url_for(script_lang) ⇒ String
Returns the test script URL for the given scripting language.
- .vuln_type ⇒ Symbol (abstract, private)
Returns the type or kind of vulnerability.
Instance Method Summary
- #encode_payload(url) ⇒ String
Optionally applies a filter bypass technique to the RFI URL.
- #initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs) ⇒ RFI (constructor)
Creates a new Remote File Inclusion (RFI) object.
- #vulnerable? ⇒ Boolean
Tests whether the URL and query parameter are vulnerable to Remote File Inclusion (RFI).
Methods inherited from WebVuln
#exploit, #exploit_cookie, #exploit_form_data, #exploit_headers, #exploit_query_params, #original_value, #random_value, #request, scan, scan_cookie_params, scan_form_params, scan_headers, scan_query_params, test, #to_curl, #to_http, #to_s
Constructor Details
#initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs) ⇒ RFI
Creates a new Remote File Inclusion (RFI) object.
    # File 'lib/ronin/vulns/rfi.rb', line 96

    def initialize(url, script_lang: nil, test_script_url: nil, filter_bypass: nil, **kwargs)
      super(url,**kwargs)

      @test_script_url = if test_script_url
                           test_script_url
                         elsif script_lang
                           self.class.test_script_url_for(script_lang)
                         else
                           self.class.test_script_for(@url)
                         end

      @filter_bypass = filter_bypass
    end
Instance Attribute Details
#filter_bypass ⇒ nil, ... (readonly)
The filter bypass technique to use.
    # File 'lib/ronin/vulns/rfi.rb', line 65

    def filter_bypass
      @filter_bypass
    end
#test_script_url ⇒ URI::HTTP, String (readonly)
URL of the Remote File Inclusion (RFI) Test script.
    # File 'lib/ronin/vulns/rfi.rb', line 70

    def test_script_url
      @test_script_url
    end
Class Method Details
.infer_script_lang(url) ⇒ :asp, ...
Attempts to infer the programming language used for the web page at the given URL.
    # File 'lib/ronin/vulns/rfi.rb', line 138

    def self.infer_script_lang(url)
      url = URI(url)

      return URL_EXTS[File.extname(url.path)]
    end
.test_script_for(url) ⇒ String?
Selects the RFI test script for the scripting language used by the given URL.
    # File 'lib/ronin/vulns/rfi.rb', line 155

    def self.test_script_for(url)
      if (lang = infer_script_lang(url))
        TEST_SCRIPT_URLS.fetch(lang)
      end
    end
.test_script_url_for(script_lang) ⇒ String
Returns the test script URL for the given scripting language.
    # File 'lib/ronin/vulns/rfi.rb', line 122

    def self.test_script_url_for(script_lang)
      TEST_SCRIPT_URLS.fetch(script_lang) do
        raise(ArgumentError,"unknown scripting language: #{script_lang.inspect}")
      end
    end
.vuln_type ⇒ Symbol
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
This is used internally to map a vulnerability class to a printable type.
Returns the type or kind of vulnerability.
    # File 'lib/ronin/vulns/rfi.rb', line 218

    def self.vuln_type
      :rfi
    end
Instance Method Details
#encode_payload(url) ⇒ String
Optionally applies a filter bypass technique to the RFI URL.
    # File 'lib/ronin/vulns/rfi.rb', line 171

    def encode_payload(url)
      url = url.to_s

      case @filter_bypass
      when :double_encode
        # Optionally double URI encodes the script URL
        url = URI::QueryParams.escape(url)
      when :suffix_escape
        # Optionally append a '#' character to escape any appended suffixes
        # (ex: `param + ".php"`).
        url = "#{url}#"
      when :null_byte
        # Optionally append a null-byte
        # NOTE: uri-query_params will automatically URI encode the null byte
        url = "#{url}\0"
      end

      return url
    end
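
Seen from the receiving side, each `filter_bypass` transform leaves a recognizable trace in a logged query string. The following is an added example, not part of ronin-vulns: `fully_decode`, `rfi_probe_findings` and the sample request targets are constructed for illustration, `VERSION` is a placeholder, and the payload is assumed to arrive percent-encoded in the query string.

```ruby
require 'uri'

# File names come from TEST_SCRIPT_URLS above; the version segment is wildcarded.
RONIN_TEST_SCRIPT = %r{raw\.githubusercontent\.com/ronin-rb/ronin-vulns/[^/]+/data/rfi_test\.(?:aspx?|cfm|jsp|php|pl)}
REMOTE_URL        = %r{\A(?:https?|ftp)://}i
MAX_DECODE_ROUNDS = 3

# Percent-decodes value until it stops changing. Returns [decoded, rounds].
def fully_decode(value)
  rounds = 0
  while rounds < MAX_DECODE_ROUNDS
    decoded = begin
      URI.decode_www_form_component(value)
    rescue ArgumentError # malformed %-sequence: stop decoding
      value
    end
    break if decoded == value

    value = decoded
    rounds += 1
  end
  [value.scrub, rounds]
end

# Returns one finding per query parameter whose decoded value is a remote URL.
def rfi_probe_findings(request_target)
  query = request_target.split('?', 2)[1]
  return [] unless query

  query.split('&').filter_map do |pair|
    name, raw = pair.split('=', 2)
    next unless raw

    value, rounds = fully_decode(raw)
    next unless value.match?(REMOTE_URL)

    traits = []
    traits << :double_encode if rounds >= 2          # needed a second decode
    traits << :null_byte if value.include?("\0")     # %00 in the request
    url = value.delete("\0")
    traits << :suffix_escape if url.end_with?('#')   # %23 appended
    traits << :ronin_test_script if url.match?(RONIN_TEST_SCRIPT)
    { param: name, url: url, traits: traits }
  end
end

# Constructed sample request targets (VERSION is a placeholder, not a real release).
SCRIPT = 'https%3A%2F%2Fraw.githubusercontent.com%2Fronin-rb%2Fronin-vulns%2FVERSION%2Fdata%2Frfi_test.php'
SAMPLES = ['/index.php?page=about', "/index.php?page=#{SCRIPT}", "/index.php?page=#{SCRIPT.gsub('%', '%25')}",
           "/index.php?page=#{SCRIPT}%23", "/index.php?id=1&page=#{SCRIPT}%00"].freeze
```

Calling `SAMPLES.map { |t| rfi_probe_findings(t) }` returns an empty list for the benign request and one finding for each of the others, tagged with the transform it carries.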
#vulnerable? ⇒ Boolean
Tests whether the URL and query parameter are vulnerable to Remote File Inclusion (RFI).
    # File 'lib/ronin/vulns/rfi.rb', line 198

    def vulnerable?
      response = exploit(@test_script_url)
      body     = response.body

      return body.include?(VULN_RESPONSE_STRING)
    end