Class: Ronin::Exploits::WebVuln

Inherits:
Web
Includes:
Mixins::HasPayload
Defined in:
lib/ronin/exploits/web_vuln.rb

Overview

An Exploit class that represents a common web vulnerability (e.g. RFI, LFI, SQLI, XSS, etc.).

Since:

  • 1.0.0

Direct Known Subclasses

ClientSideWebVuln, LFI, RFI, SQLI, SSTI

Constant Summary

Constants included from Mixins::HTTP

Mixins::HTTP::HTTP_USER_AGENT_ALIASES

Instance Attribute Summary

Attributes included from Mixins::HasPayload

#payload

Class Method Summary

Instance Method Summary

Methods included from Mixins::HasPayload

included, #initialize, #perform_build, #perform_cleanup, #perform_launch, #perform_validate

Methods included from Mixins::HTTP

#http, #http_allowed_methods, #http_cookie, #http_copy, #http_delete, #http_get, #http_get_body, #http_get_cookies, #http_get_headers, #http_head, #http_headers, #http_lock, #http_mkcol, #http_move, #http_ok?, #http_options, #http_password, #http_patch, #http_post, #http_post_body, #http_post_headers, #http_powered_by_header, #http_propfind, #http_proppatch, #http_proxy, #http_put, #http_request, #http_response_body, #http_response_headers, #http_response_status, #http_server_header, #http_trace, #http_unlock, #http_user, #http_user_agent, included

Methods inherited from Exploit

#NotVulnerable, #Unknown, #Vulnerable, advisories, advisory, #build, #cleanup, disclosed?, disclosure_date, exploit, #exploit, exploit_type, #fail, #initialize, #launch, #perform_build, #perform_cleanup, #perform_launch, #perform_test, #perform_validate, quality, register, release_date, released?, software, software_versions, #validate

Class Method Details

.base_path(new_base_path = nil) ⇒ String

Gets or sets the base path for the web vulnerability.

Examples:

base_path '/path/to/page.php'

Parameters:

  • new_base_path (String, nil) (defaults to: nil)

    The optional new base path value to set.

Returns:

  • (String)

    The base path for the web vulnerability.

Raises:

  • (NotImplementedError)

    The exploit class did not set a base path.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 76

def self.base_path(new_base_path=nil)
  if new_base_path
    @base_path = new_base_path
  else
    @base_path ||= if superclass < WebVuln
                     superclass.base_path
                   else
                     raise(NotImplementedError,"#{self} did not set base_path")
                   end
  end
end

.cookie(new_cookie = nil) ⇒ String, ...

Gets or sets the exploit's default HTTP cookie data.

Examples:

cookie 'lang' => 'en', 'foo' => 'bar'

Parameters:

  • new_cookie (String, Hash{String => String}, nil) (defaults to: nil)

    The optional new default cookie values to set.

Returns:

  • (String, Hash{String => String}, nil)

    The default cookie values for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 210

def self.cookie(new_cookie=nil)
  if new_cookie
    @cookie = new_cookie
  else
    @cookie ||= if superclass < WebVuln
                  superclass.cookie
                end
  end
end

.cookie_param(new_cookie_param = nil) ⇒ String?

Gets or sets the HTTP cookie param to exploit.

Examples:

cookie_param 'foo'

Parameters:

  • new_cookie_param (String, nil) (defaults to: nil)

    The optional new cookie param value to set.

Returns:

  • (String, nil)

    The cookie param for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 144

def self.cookie_param(new_cookie_param=nil)
  if new_cookie_param
    @cookie_param = new_cookie_param
  else
    @cookie_param ||= if superclass < WebVuln
                        superclass.cookie_param
                      end
  end
end

.form_data(new_form_data = nil) ⇒ String, ...

Gets or sets the exploit's default form data.

Examples:

form_data 'foo' => 'a', 'bar' => 'b'

Parameters:

  • new_form_data (String, Hash, nil) (defaults to: nil)

    The optional new default form data values to set.

Returns:

  • (String, Hash, nil)

    The default form data values for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 232

def self.form_data(new_form_data=nil)
  if new_form_data
    @form_data = new_form_data
  else
    @form_data ||= if superclass < WebVuln
                     superclass.form_data
                   end
  end
end

.form_param(new_form_param = nil) ⇒ String?

Gets or sets the form param to exploit.

Examples:

form_param 'user'

Parameters:

  • new_form_param (String, nil) (defaults to: nil)

    The optional new form param value to set.

Returns:

  • (String, nil)

    The form param for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 166

def self.form_param(new_form_param=nil)
  if new_form_param
    @form_param = new_form_param
  else
    @form_param ||= if superclass < WebVuln
                      superclass.form_param
                    end
  end
end

.header_name(new_header_name = nil) ⇒ String?

Gets or sets the HTTP header name to exploit.

Examples:

header_name 'User-Agent'

Parameters:

  • new_header_name (String, nil) (defaults to: nil)

    The optional new header name value to set.

Returns:

  • (String, nil)

    The header name for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 122

def self.header_name(new_header_name=nil)
  if new_header_name
    @header_name = new_header_name
  else
    @header_name ||= if superclass < WebVuln
                       superclass.header_name
                     end
  end
end

.headers(new_headers = nil) ⇒ Hash{Symbol,String => String}?

Gets or sets the exploit's default headers.

Examples:

headers 'X-Foo' => 'foo', 'X-Bar' => 'bar'

Parameters:

  • new_headers (Hash{Symbol,String => String}, nil) (defaults to: nil)

    The optional new default headers values to set.

Returns:

  • (Hash{Symbol,String => String}, nil)

    The default headers for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 188

def self.headers(new_headers=nil)
  if new_headers
    @headers = new_headers
  else
    @headers ||= if superclass < WebVuln
                   superclass.headers
                 end
  end
end

.query_param(new_query_param = nil) ⇒ String?

Gets or sets the query param to exploit.

Examples:

query_param 'id'

Parameters:

  • new_query_param (String, nil) (defaults to: nil)

    The optional new query param value to set.

Returns:

  • (String, nil)

    The query param for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 100

def self.query_param(new_query_param=nil)
  if new_query_param
    @query_param = new_query_param
  else
    @query_param ||= if superclass < WebVuln
                       superclass.query_param
                     end
  end
end

.referer(new_referer = nil) ⇒ String?

Gets or sets the exploit's default Referer path.

Examples:

with a path:

referer '/previous/page.php'

with a fully qualified URL:

referer 'https://other.website.com/page.php'

Parameters:

  • new_referer (String, nil) (defaults to: nil)

    The optional new default Referer value to set. May be either a path or a fully qualified URL.

Returns:

  • (String, nil)

    The default Referer values for the web vulnerability.

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 258

def self.referer(new_referer=nil)
  if new_referer
    @referer = new_referer
  else
    @referer ||= if superclass < WebVuln
                   superclass.referer
                 end
  end
end

.request_method(new_request_method = nil) ⇒ :copy, ...

Gets or sets the HTTP request method to use.

Returns the previously set HTTP request method, or :get if none has been set.

Parameters:

  • new_request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock, nil) (defaults to: nil)

Returns:

  • (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 49

def self.request_method(new_request_method=nil)
  if new_request_method
    @request_method = new_request_method
  else
    @request_method ||= if superclass < WebVuln
                          superclass.request_method
                        else
                          :get
                        end
  end
end
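
The class-level settings above all resolve the same way: a value set on the class wins, otherwise the parent class is asked, and a non-nil result is memoized on the class that asked. The following is an added example, not code from ronin-exploits, showing that lookup order and what memoization does when a parent is changed later. `WebVulnModel` and `resolve_settings` are hypothetical names that copy the shape of `.base_path` and `.request_method`, and the paths are constructed values.

```ruby
# Hypothetical stand-in for the class documented on this page; not the gem's code.
class WebVulnModel
  # Required setting: raises when no class in the chain has set it.
  def self.base_path(new_base_path = nil)
    if new_base_path
      @base_path = new_base_path
    else
      @base_path ||= if superclass < WebVulnModel
                       superclass.base_path
                     else
                       raise(NotImplementedError, "#{self} did not set base_path")
                     end
    end
  end

  # Optional setting with a default of :get.
  def self.request_method(new_request_method = nil)
    if new_request_method
      @request_method = new_request_method
    else
      @request_method ||= (superclass < WebVulnModel ? superclass.request_method : :get)
    end
  end
end

# Builds a small class chain from constructed values and reports what each
# class resolves to, including a read after the parent has been changed.
def resolve_settings
  parent = Class.new(WebVulnModel) do
    base_path '/app/index.php'
    request_method :post
  end
  child = Class.new(parent)        # sets nothing itself
  bare  = Class.new(WebVulnModel)  # never sets base_path

  first_read = child.base_path     # asked of parent, then memoized on child
  parent.base_path '/app/v2.php'   # parent changed after the child's first read
  missing = begin
    bare.base_path
  rescue NotImplementedError
    :not_implemented
  end

  { child_method: child.request_method, bare_method: bare.request_method,
    first_read: first_read, child_after: child.base_path,
    fresh_child_after: Class.new(parent).base_path, bare_base_path: missing }
end

puts resolve_settings.inspect if $PROGRAM_NAME == __FILE__
```

`child_after` keeps `/app/index.php` because the child memoized the parent's value on its first read, while a subclass created afterwards sees `/app/v2.php`.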

Instance Method Details

#cookie ⇒ String, ...

Additional Cookie header to send with the exploit request.

Returns:

  • (String, Hash{String => String}, nil)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 299

def cookie
  self.class.cookie
end

#form_data ⇒ Hash, ...

The form data that may be sent in the body of the exploit request.

Returns:

  • (Hash, String, nil)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 310

def form_data
  self.class.form_data
end

#headers ⇒ Hash{Symbol,String => String}?

Additional HTTP header names and values to add to the exploit request.

Returns:

  • (Hash{Symbol,String => String}, nil)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 288

def headers
  self.class.headers
end

#referer ⇒ String?

The optional HTTP Referer header to send with the exploit request.

Returns:

  • (String, nil)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 321

def referer
  if (referer = self.class.referer)
    url_for(referer)
  end
end

#test ⇒ TestResult::Vulnerable, TestResult::NotVulnerable

Determines if the URL is vulnerable to the web vulnerability.

Returns:

  • (TestResult::Vulnerable, TestResult::NotVulnerable)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 369

def test
  if vuln.vulnerable?
    Vulnerable("The target URL is vulnerable")
  else
    NotVulnerable("The target URL is not vulnerable")
  end
end

#url ⇒ URI::HTTP

The target URL for the web vulnerability.

Returns:

  • (URI::HTTP)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 277

def url
  @url ||= url_for(self.class.base_path)
end

#vuln ⇒ Ronin::Vulns::WebVuln

This method is abstract.

Creates the Ronin::Vulns::WebVuln object based on the information defined in the exploit class and params.

Returns:

  • (Ronin::Vulns::WebVuln)

Raises:

  • (NotImplementedError)

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 359

def vuln
  raise(NotImplementedError,"#{self.class}##{__method__} was not implemented")
end

#web_vuln_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Common keyword arguments for Ronin::Vulns::Web#initialize.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 1.0.0



# File 'lib/ronin/exploits/web_vuln.rb', line 334

def web_vuln_kwargs
  {
    query_param:    self.class.query_param,
    header_name:    self.class.header_name,
    cookie_param:   self.class.cookie_param,
    form_param:     self.class.form_param,
    request_method: self.class.request_method,
    http:           http,
    user:           params[:http_user],
    password:       params[:http_password],
    headers:        headers,
    cookie:         cookie,
    form_data:      form_data,
    referer:        referer
  }
end