Class: Ronin::Vulns::CLI::Commands::Scan Private

Inherits:

WebVulnCommand

• Object
• Core::CLI::Command
• Ronin::Vulns::CLI::Command
• WebVulnCommand
• Ronin::Vulns::CLI::Commands::Scan

Defined in:

lib/ronin/vulns/cli/commands/scan.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Scans URL(s) for web vulnerabilities.

Usage

ronin-vulns scan [options] {URL ... | --input FILE}

Options

    --first                      Only find the first vulnerability for each URL
-A, --all                        Find all vulnerabilities for each URL
-H, --header "Name: value"       Sets an additional header
-C, --cookie COOKIE              Sets the raw Cookie header
-c, --cookie-param NAME=VALUE    Sets an additional cookie param
-R, --referer URL                Sets the Referer header
-F, --form-param NAME=VALUE      Sets an additional form param
    --test-query-param NAME      Tests the URL query param name
    --test-header-names NAME     Tests the HTTP Header name
    --test-cookie-params NAME    Tests the HTTP Cookie name
    --test-form-params NAME      Tests the form param name
-i, --input FILE                 Reads URLs from the list file
    --lfi-os unix|windows        Sets the OS to test for
    --lfi-depth COUNT            Sets the directory depth to escape up
    --lfi-filter-bypass null_byte|double_escape|base64|rot13|zlib
                                 Sets the filter bypass strategy to use
    --rfi-filter-bypass double-encode|suffix-escape|null-byte
                                 Optional filter-bypass strategy to use
    --rfi-script-lang asp|asp.net|coldfusion|jsp|php|perl
                                 Explicitly specify the scripting language to test for
    --rfi-test-script-url URL    Use an alternative test script URL
    --sqli-escape-quote          Escapes quotation marks
    --sqli-escape-parens         Escapes parenthesis
    --sqli-terminate             Terminates the SQL expression with a --
    --ssti-test-expr {X*Y | X/Z | X+Y | X-Y}
                                 Optional numeric test to use
    --open-redirect-url URL      Optional test URL to try to redirect to
-h, --help                       Print help information

Arguments

[URL ...]                        The URL(s) to scan

Constant Summary

Constants included from Logging

Logging::VULN_TYPES

Instance Attribute Summary

Attributes inherited from WebVulnCommand

#scan_kwargs, #scan_mode

Instance Method Summary

• #lfi_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the lfi: keyword.

• #open_redirect_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the open_redirect: keyword.

• #reflected_xss_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the reflected_xss: keyword.

• #rfi_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the rfi: keyword.

• #scan_url(url) {|vuln| ... } ⇒ Object private

  Scans a URL for all web vulnerabilities.

• #sqli_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the sqli: keyword.

• #ssti_kwargs ⇒ Hash{Symbol => Object} private

  Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the ssti: keyword.

• #test_url(url, &block) ⇒ Vulns::LFI, ... private

  Tests a URL for any web vulnerabilities.

Methods inherited from WebVulnCommand

#cookie, #form_data, #headers, #initialize, #process_url, #referer, #referer=, #run, #test_cookie_params, #test_cookie_params=, #test_form_params, #test_header_names, #test_query_params, #test_query_params=

Methods included from Logging

#log_vuln, #vuln_type

Constructor Details

This class inherits a constructor from Ronin::Vulns::CLI::WebVulnCommand

Instance Method Details

#lfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the lfi: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 173

def lfi_kwargs
  scan_kwargs[:lfi] ||= {}
end

#open_redirect_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the open_redirect: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 213

def open_redirect_kwargs
  scan_kwargs[:open_redirect] ||= {}
end

#reflected_xss_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the reflected_xss: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 223

def reflected_xss_kwargs
  scan_kwargs[:reflected_xss] ||= {}
end

#rfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the rfi: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 183

def rfi_kwargs
  scan_kwargs[:rfi] ||= {}
end

#scan_url(url) {|vuln| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Scans a URL for all web vulnerabilities.

A LFI vulnerability discovered on the URL.

Parameters:

• url (String) —

  The URL to scan.

Yields:

• (vuln) —

  The given block will be passed each discovered web vulnerability.

Yield Parameters:

• vuln (Vulns::LFI, Vulns::RFI, Vulns::SQLI, Vulns::SSTI, Vulns::OpenRedirect, Vulns::ReflectedXSS)

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 244

def scan_url(url,&block)
  Vulns::URLScanner.scan(url,**scan_kwargs,&block)
end

#sqli_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the sqli: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 193

def sqli_kwargs
  scan_kwargs[:sqli] ||= {}
end

#ssti_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to URLScanner.scan or URLScanner.test via the ssti: keyword.

Returns:

• (Hash{Symbol => Object})

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 203

def ssti_kwargs
  scan_kwargs[:ssti] ||= {}
end

#test_url(url, &block) ⇒ Vulns::LFI, ...

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests a URL for any web vulnerabilities.

The first web vulnerability discovered on the URL.

Parameters:

• url (String) —

  The URL to test.

Returns:

• (Vulns::LFI, Vulns::RFI, Vulns::SQLI, Vulns::SSTI, Vulns::OpenRedirect, Vulns::ReflectedXSS, nil)

# File 'lib/ronin/vulns/cli/commands/scan.rb', line 262

def test_url(url,&block)
  Vulns::URLScanner.test(url,**scan_kwargs)
end