Module: Ronin::Vulns::URLScanner

Defined in:: lib/ronin/vulns/url_scanner.rb

Overview

Top-level module which scans a URL for all web vulnerabilities.

Class Method Summary collapse

.scan(url, lfi: {}, rfi: {}, sqli: {}, ssti: {}, reflected_xss: {}, open_redirect: {}, **kwargs) {|vuln| ... } ⇒ Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>
Scans a URL for web vulnerabilities.
.test(url, **kwargs) ⇒ LFI, ...
Tests the URL for a Web vulnerability and returns the first found vulnerability.

Class Method Details

.scan(url, lfi: {}, rfi: {}, sqli: {}, ssti: {}, reflected_xss: {}, open_redirect: {}, **kwargs) {|vuln| ... } ⇒ `Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>`

Scans a URL for web vulnerabilities.

The HTTP request mehtod for each request.

Parameters:

url (URI::HTTP, String) —
The URL to test or exploit.
lfi (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for WebVuln.scan.
rfi (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for WebVuln.scan.
sqli (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for SQLI.scan.
ssti (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for SSTI.scan.
reflected_xss (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for WebVuln.scan.
open_redirect (Hash{Symbol => Object}, false) (defaults to: {}) —
Additional options for WebVuln.scan.
kwargs (Hash) —
a customizable set of options

Options Hash (lfi:):

:os (:unix, :windows, nil) — default: :unix —
Operating System to specifically target.
:depth (Integer) — default: 6 —
Number of directories to escape up.
:filter_bypass (:null_byte, :double_escape, :base64, :rot13, :zlib, nil) —
Specifies which filter bypass technique to use.
- :null_byte - appends a%00` null byte to the escaped path. *Note: this technique only works on PHP < 5.3.
- :double_escape - Double escapes the LFI#escape_path (ex: ....//....//).
- :base64 - Base64 encodes the included local file.
- :rot13 - ROT13 encodes the included local file.
- :zlib - Zlib compresses and Base64 encodes the included local file.

Options Hash (rfi:):

:filter_bypass (:null_byte, :double_encode, nil) —
Specifies which filter bypass technique to use.
- :double_encode - will cause the inclusion URL to be URI escaped twice.
- :suffix_escape - escape any appended suffix (ex: param + ".php") by adding a URI fragment character (#) to the end of the RFI script URL. The fragment component of the URI is not sent to the web server.
- :null_byte - will cause the inclusion URL to be appended with a %00 character. *Note: this technique only works on PHP < 5.3.
:test_script_url (String, URI::HTTP, nil) —
The URL of the RFI test script. If not specified, it will default to RFI.test_script_for.

Options Hash (sqli:):

:escape_quote (Boolean) — default: false —
Specifies whether to escape a quoted string value.
:escape_parens (Boolean) — default: false —
Specifies whether to escape parenthesis.
:terminate (Boolean) — default: false —
Specifies whether to terminate the SQL statement with --.

Options Hash (ssti:):

:escape (Proc, nil) —
How to escape a given payload. Either a proc that will accept a String and return a String, or nil to indicate that the payload will not be escaped.
:test ((String, String)) —
The test payload and expected result to check for when testing the URL for SSTI.

Options Hash (open_redirect:):

:test_url (String) — default: OpenRedirect.random_test_url —
The desired redirect URL to test the URL with.

Options Hash (**kwargs):

:query_param (String, Symbol, nil) —
The query param to test or exploit.
:header_name (String, Symbol, nil) —
The HTTP Header name to test or exploit.
:cookie_param (String, Symbol, nil) —
The Cookie: param name to test or exploit.
:form_param (String, Symbol, nil) —
The form param name to test or exploit.
:http (Ronin::Support::Network::HTTP, nil) —
An HTTP session to use for testing the URL.
:request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock)
:user (String, nil) —
The user to authenticate as.
:password (String, nil) —
The password to authenticate with.
:headers (Hash{Symbol,String => String}, nil) —
Additional HTTP header names and values to add to the request.
:cookie (String, Hash{String => String}, nil) —
Additional Cookie header. If a Hash is given, it will be converted to a String using Ronin::Support::Network::HTTP::Cookie.
:form_data (Hash, String, nil) —
The form data that may be sent in the body of the request.
:referer (String, nil) —
The optional HTTP Referer header to send with each request.

Yields:

(vuln) —
If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

vuln (LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect) —
A discovered web vulnerability in the URL.

Returns:

(Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>) —
All discovered Web vulnerabilities.

# File 'lib/ronin/vulns/url_scanner.rb', line 161

def self.scan(url, lfi:  {},
                   rfi:  {},
                   sqli: {},
                   ssti: {},
                   reflected_xss: {},
                   open_redirect: {},
                   **kwargs,
                   &block)
  vulns = []

  if lfi
    vulns.concat(LFI.scan(url,**kwargs,**lfi,&block))
  end

  if rfi
    vulns.concat(RFI.scan(url,**kwargs,**rfi,&block))
  end

  if sqli
    vulns.concat(SQLI.scan(url,**kwargs,**sqli,&block))
  end

  if ssti
    vulns.concat(SSTI.scan(url,**kwargs,**ssti,&block))
  end

  if reflected_xss
    vulns.concat(ReflectedXSS.scan(url,**kwargs,**reflected_xss,&block))
  end

  if open_redirect
    vulns.concat(OpenRedirect.scan(url,**kwargs,**open_redirect,&block))
  end

  return vulns
end

.test(url, **kwargs) ⇒ `LFI`, ...

Tests the URL for a Web vulnerability and returns the first found vulnerability.