Module: Ronin::Vulns::URLScanner

Defined in:

lib/ronin/vulns/url_scanner.rb

Overview

Top-level module which scans a URL for all web vulnerabilities.

Examples

require 'ronin/vulns/url_scanner'

Ronin::Vulns::URLScanner.scan(url) do |vuln|
  # ...
end

vuln = Ronin::Vulns::URLScanner.test(url)

Class Method Summary

• .scan(url, lfi: {}, rfi: {}, sqli: {}, ssti: {}, reflected_xss: {}, open_redirect: {}, command_injection: {}, **kwargs) {|vuln| ... } ⇒ Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>

  Scans a URL for web vulnerabilities.

• .test(url, **kwargs) ⇒ LFI, ...

  Tests the URL for a Web vulnerability and returns the first found vulnerability.

Class Method Details

.scan(url, lfi: {}, rfi: {}, sqli: {}, ssti: {}, reflected_xss: {}, open_redirect: {}, command_injection: {}, **kwargs) {|vuln| ... } ⇒ Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>

Scans a URL for web vulnerabilities.

The HTTP request mehtod for each request.

Parameters:

• url (URI::HTTP, String) —

  The URL to test or exploit.

• lfi (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• rfi (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• sqli (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• ssti (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• reflected_xss (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• open_redirect (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• command_injection (Hash{Symbol => Object}, false) (defaults to: {}) —

  Additional options for WebVuln.scan.

• kwargs (Hash) —

  a customizable set of options

Options Hash (lfi:):

• :os (:unix, :windows, nil) — default: :unix —

  Operating System to specifically target.

• :depth (Integer) — default: 6 —

  Number of directories to escape up.

• :filter_bypass (:null_byte, :double_escape, :base64, :rot13, :zlib, nil) —

  Specifies which filter bypass technique to use.

  • :null_byte - appends a%00` null byte to the escaped path. *Note: this technique only works on PHP < 5.3.
  • :double_escape - Double escapes the LFI#escape_path (ex: ....//....//).
  • :base64 - Base64 encodes the included local file.
  • :rot13 - ROT13 encodes the included local file.
  • :zlib - Zlib compresses and Base64 encodes the included local file.

Options Hash (rfi:):

• :filter_bypass (:null_byte, :double_encode, nil) —

  Specifies which filter bypass technique to use.

  • :double_encode - will cause the inclusion URL to be URI escaped twice.
  • :suffix_escape - escape any appended suffix (ex: param + ".php") by adding a URI fragment character (#) to the end of the RFI script URL. The fragment component of the URI is not sent to the web server.
  • :null_byte - will cause the inclusion URL to be appended with a %00 character. *Note: this technique only works on PHP < 5.3.
• :test_script_url (String, URI::HTTP, nil) —

  The URL of the RFI test script. If not specified, it will default to RFI.test_script_for.

Options Hash (sqli:):

• :escape_quote (Boolean) — default: false —

  Specifies whether to escape a quoted string value.

• :escape_parens (Boolean) — default: false —

  Specifies whether to escape parenthesis.

• :terminate (Boolean) — default: false —

  Specifies whether to terminate the SQL statement with --.

Options Hash (ssti:):

• :escape (Proc, nil) —

  How to escape a given payload. Either a proc that will accept a String and return a String, or nil to indicate that the payload will not be escaped.

• :test ((String, String)) —

  The test payload and expected result to check for when testing the URL for SSTI.

Options Hash (open_redirect:):

• :test_url (String) — default: OpenRedirect.random_test_url —

  The desired redirect URL to test the URL with.

Options Hash (**kwargs):

• :query_param (String, Symbol, nil) —

  The query param to test or exploit.

• :header_name (String, Symbol, nil) —

  The HTTP Header name to test or exploit.

• :cookie_param (String, Symbol, nil) —

  The Cookie: param name to test or exploit.

• :form_param (String, Symbol, nil) —

  The form param name to test or exploit.

• :http (Ronin::Support::Network::HTTP, nil) —

  An HTTP session to use for testing the URL.

• :request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock)
• :user (String, nil) —

  The user to authenticate as.

• :password (String, nil) —

  The password to authenticate with.

• :headers (Hash{Symbol,String => String}, nil) —

  Additional HTTP header names and values to add to the request.

• :cookie (String, Hash{String => String}, nil) —

  Additional Cookie header. If a Hash is given, it will be converted to a String using Ronin::Support::Network::HTTP::Cookie.

• :form_data (Hash, String, nil) —

  The form data that may be sent in the body of the request.

• :referer (String, nil) —

  The optional HTTP Referer header to send with each request.

Yields:

• (vuln) —

  If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

• vuln (LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect) —

  A discovered web vulnerability in the URL.

Returns:

• (Array<LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect>) —

  All discovered Web vulnerabilities.

# File 'lib/ronin/vulns/url_scanner.rb', line 175

def self.scan(url, lfi:  {},
                   rfi:  {},
                   sqli: {},
                   ssti: {},
                   reflected_xss: {},
                   open_redirect: {},
                   command_injection: {},
                   **kwargs,
                   &block)
  vulns = []

  if lfi
    vulns.concat(LFI.scan(url,**kwargs,**lfi,&block))
  end

  if rfi
    vulns.concat(RFI.scan(url,**kwargs,**rfi,&block))
  end

  if sqli
    vulns.concat(SQLI.scan(url,**kwargs,**sqli,&block))
  end

  if ssti
    vulns.concat(SSTI.scan(url,**kwargs,**ssti,&block))
  end

  if reflected_xss
    vulns.concat(ReflectedXSS.scan(url,**kwargs,**reflected_xss,&block))
  end

  if open_redirect
    vulns.concat(OpenRedirect.scan(url,**kwargs,**open_redirect,&block))
  end

  if command_injection
    vulns.concat(CommandInjection.scan(url,**kwargs,**command_injection,&block))
  end

  return vulns
end

.test(url, **kwargs) ⇒ LFI, ...

Tests the URL for a Web vulnerability and returns the first found vulnerability.

Parameters:

• url (URI::HTTP, String) —

  The URL to test.

• kwargs (Hash{Symbol => Object}) —

  Additional keyword arguments for scan.

Returns:

• (LFI, RFI, SQLI, SSTI, ReflectedXSS, OpenRedirect, nil) —

  The first discovered web vulnerability or nil if no vulnerabilities were discovered.

# File 'lib/ronin/vulns/url_scanner.rb', line 231

def self.test(url,**kwargs)
  scan(url,**kwargs) do |vuln|
    return vuln
  end

  return nil
end