Class: Ronin::Vulns::WebVuln

Inherits:
Vuln
  • Object
show all
Defined in:
lib/ronin/vulns/web_vuln.rb,
lib/ronin/vulns/web_vuln/http_request.rb

Overview

The base class for all web vulnerabilities.

Direct Known Subclasses

CommandInjection, LFI, OpenRedirect, RFI, ReflectedXSS, SQLI, SSTI

Defined Under Namespace

Classes: HTTPRequest

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Vuln

vuln_type

Constructor Details

#initialize(url, query_param: nil, header_name: nil, cookie_param: nil, form_param: nil, http: nil, request_method: :get, user: nil, password: nil, headers: nil, user_agent: nil, cookie: nil, form_data: nil, referer: nil) ⇒ WebVuln

Initializes the web vulnerability.

The HTTP request mehtod for each request.

The optional HTTP User-Agent header to send with each request.

Parameters:

  • url (URI::HTTP, String)

    The URL to test or exploit.

  • query_param (String, Symbol, nil) (defaults to: nil)

    The query param to test or exploit.

  • header_name (String, Symbol, nil) (defaults to: nil)

    The HTTP Header name to test or exploit.

  • cookie_param (String, Symbol, nil) (defaults to: nil)

    The Cookie: param name to test or exploit.

  • form_param (String, Symbol, nil) (defaults to: nil)

    The form param name to test or exploit.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use for testing the URL.

  • request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock) (defaults to: :get)
  • user (String, nil) (defaults to: nil)

    The user to authenticate as.

  • password (String, nil) (defaults to: nil)

    The password to authenticate with.

  • headers (Hash{Symbol,String => String}, nil) (defaults to: nil)

    Additional HTTP header names and values to add to the request.

  • user_agent (String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil) (defaults to: nil)
  • cookie (Hash{String => String}, nil) (defaults to: nil)

    Additional Cookie header. If a Hash is given, it will be converted to a String using Ronin::Support::Network::HTTP::Cookie.

  • form_data (Hash, nil) (defaults to: nil)

    The form data that may be sent in the body of the request.

  • referer (String, nil) (defaults to: nil)

    The optional HTTP Referer header to send with each request.



174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
 
# File 'lib/ronin/vulns/web_vuln.rb', line 174

def initialize(url, query_param:    nil,
                    header_name:    nil,
                    cookie_param:   nil,
                    form_param:     nil,
                    # http keyword arguments
                    http:           nil,
                    request_method: :get,
                    user:           nil,
                    password:       nil,
                    headers:        nil,
                    user_agent:     nil,
                    cookie:         nil,
                    form_data:      nil,
                    referer:        nil)
  @url = URI(url)

  @query_param  = String(query_param)  if query_param
  @header_name  = String(header_name)  if header_name
  @cookie_param = String(cookie_param) if cookie_param
  @form_param   = String(form_param)   if form_param

  @http = http || Support::Network::HTTP.connect_uri(@url)

  @request_method = request_method
  @query_params   = @url.query_params
  @user           = user
  @password       = password
  @headers        = headers
  @user_agent     = user_agent
  @cookie         = cookie
  @form_data      = form_data
  @referer        = referer
end

Instance Attribute Details

Additional Cookie header. If a Hash is given, it will be converted to a String using Ronin::Support::Network::HTTP::Cookie.

Returns:

  • (Hash{String => String}, nil) 


108
109
110
 
# File 'lib/ronin/vulns/web_vuln.rb', line 108

def cookie
  @cookie
end

#cookie_paramString, ... (readonly)

The Cookie: param name to test or exploit.

Returns:

  • (String, Symbol, nil) 


52
53
54
 
# File 'lib/ronin/vulns/web_vuln.rb', line 52

def cookie_param
  @cookie_param
end

#form_dataHash? (readonly)

The form data that may be sent in the body of the request.

Returns:

  • (Hash, nil) 


113
114
115
 
# File 'lib/ronin/vulns/web_vuln.rb', line 113

def form_data
  @form_data
end

#form_paramString, ... (readonly)

The form param name to test or exploit.

Returns:

  • (String, Symbol, nil) 


57
58
59
 
# File 'lib/ronin/vulns/web_vuln.rb', line 57

def form_param
  @form_param
end

#header_nameString, ... (readonly)

The HTTP Header name to test or exploit.

Returns:

  • (String, Symbol, nil) 


47
48
49
 
# File 'lib/ronin/vulns/web_vuln.rb', line 47

def header_name
  @header_name
end

#headersHash{Symbol,String => String}? (readonly)

Additional HTTP header names and values to add to the request.

Returns:

  • (Hash{Symbol,String => String}, nil) 


89
90
91
 
# File 'lib/ronin/vulns/web_vuln.rb', line 89

def headers
  @headers
end

#httpRonin::Support::Network::HTTP? (readonly)

An HTTP session to use for testing the URL.

Returns:

  • (Ronin::Support::Network::HTTP, nil) 


62
63
64
 
# File 'lib/ronin/vulns/web_vuln.rb', line 62

def http
  @http
end

#passwordString? (readonly)

The password to authenticate with.

Returns:

  • (String, nil) 


84
85
86
 
# File 'lib/ronin/vulns/web_vuln.rb', line 84

def password
  @password
end

#query_paramString, ... (readonly)

The query param to test or exploit.

Returns:

  • (String, Symbol, nil) 


42
43
44
 
# File 'lib/ronin/vulns/web_vuln.rb', line 42

def query_param
  @query_param
end

#query_paramsHash{String,Symbol => String} (readonly)

The query params to send with each request.

Returns:

  • (Hash{String,Symbol => String}) 


74
75
76
 
# File 'lib/ronin/vulns/web_vuln.rb', line 74

def query_params
  @query_params
end

#refererString? (readonly)

The optional HTTP Referer header to send with each request.

Returns:

  • (String, nil) 


118
119
120
 
# File 'lib/ronin/vulns/web_vuln.rb', line 118

def referer
  @referer
end

#request_method:copy, ... (readonly)

The HTTP request method for each request.

Returns:

  • (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock) 


69
70
71
 
# File 'lib/ronin/vulns/web_vuln.rb', line 69

def request_method
  @request_method
end

#urlURI::HTTP (readonly)

The URL to test or exploit.

Returns:

  • (URI::HTTP) 


37
38
39
 
# File 'lib/ronin/vulns/web_vuln.rb', line 37

def url
  @url
end

#userString? (readonly)

The user to authenticate as.

Returns:

  • (String, nil) 


79
80
81
 
# File 'lib/ronin/vulns/web_vuln.rb', line 79

def user
  @user
end

#user_agentString, ... (readonly)

The optional HTTP User-Agent header to send with each request.

Returns:

  • (String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil)

Since:

  • 0.2.0



102
103
104
 
# File 'lib/ronin/vulns/web_vuln.rb', line 102

def user_agent
  @user_agent
end

Class Method Details

.scan(url, query_params: nil, header_names: nil, cookie_params: nil, form_params: nil, http: nil, **kwargs) {|vuln| ... } ⇒ Array<WebVuln>

Scans the URL for web vulnerabilities.

The HTTP request mehtod for each request.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • query_params (Array<Symbol, String>, true, nil) (defaults to: nil)

    The query param name(s) to test.

  • header_names (Array<Symbol, String>, nil) (defaults to: nil)

    The header name(s) to test.

  • cookie_params (Array<Symbol, String>, true, nil) (defaults to: nil)

    The cookie param name(s) to test.

  • form_params (Array<Symbol, String>, nil) (defaults to: nil)

    The form param name(s) to test.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use for testing the LFI.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for #initialize.

Options Hash (**kwargs):

  • :request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock)
  • :user (String, nil)

    The user to authenticate as.

  • :password (String, nil)

    The password to authenticate with.

  • :headers (Hash{String => String}, nil)

    Additional headers to send with requests.

  • :user_agent (String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil)

    Optional User-Agent header to send with requests.

  • :cookie (Hash{String => String}, Ronin::Support::Network::HTTP::Cookie, nil)

    Additional cookie params to send with requests.

  • :referer (String, nil)

    Optional Referer header to send with requests.

  • :form_data (Hash{String => String}, nil)

    Additional form data to send with requests.

Yields:

  • (vuln)

    If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (WebVuln)

    A discovered web vulnerability in the URL.

Returns:

  • (Array<WebVuln>)

    All discovered web vulnerabilities.



473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
 
# File 'lib/ronin/vulns/web_vuln.rb', line 473

def self.scan(url, query_params:  nil,
                   header_names:  nil,
                   cookie_params: nil,
                   form_params:   nil,
                   http:          nil,
                   **kwargs,
                   &block)
  url    = URI(url)
  http ||= Support::Network::HTTP.connect_uri(url)
  vulns  = []

  if (query_params.nil? && header_names.nil? && cookie_params.nil? && form_params.nil?)
    vulns.concat(scan_query_params(url, http: http, **kwargs,&block))
  else
    if query_params
      vulns.concat(
        case query_params
        when true
          scan_query_params(url, http: http, **kwargs,&block)
        else
          scan_query_params(url,query_params, http: http, **kwargs,&block)
        end
      )
    end

    if header_names
      vulns.concat(
        scan_headers(url,header_names, http: http, **kwargs,&block)
      )
    end

    if cookie_params
      vulns.concat(
        case cookie_params
        when true
          scan_cookie_params(url, http: http, **kwargs,&block)
        else
          scan_cookie_params(url,cookie_params, http: http, **kwargs,&block)
        end
      )
    end

    if form_params
      vulns.concat(
        case form_params
        when true
          scan_form_params(url, http: http, **kwargs,&block)
        else
          scan_form_params(url,form_params, http: http, **kwargs,&block)
        end
      )
    end
  end

  return vulns
end

.scan_cookie_params(url, cookie_params = nil, http: nil, **kwargs) {|vuln| ... } ⇒ Array<Web>

Scans the URL and the Cookie header params.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • cookie_params (Array<Symbol, String>, nil) (defaults to: nil)

    The cookie param name(s) to test. If not given, then the URL will be requested and the Set-Cookie params from the response will be tested instead.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use when testing for web vulnerabilities.

Yields:

  • (vuln)

    If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (Web)

    A discovered web vulnerability in the URL and one of the Cookie header params.

Returns:

  • (Array<Web>)

    All discovered web vulnerabilities.



350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
 
# File 'lib/ronin/vulns/web_vuln.rb', line 350

def self.scan_cookie_params(url,cookie_params=nil, http: nil, **kwargs)
  url    = URI(url)
  http ||= Support::Network::HTTP.connect_uri(url)

  unless cookie_params
    cookie_params = Set.new

    http.get_cookies(url.request_uri).each do |set_cookie|
      cookie_params.merge(set_cookie.params.keys)
    end
  end

  vulns = []

  cookie_params.each do |cookie_param|
    if (vuln = test_param(url, cookie_param: cookie_param, http: http, **kwargs))
      yield vuln if block_given?
      vulns << vuln
    end
  end

  return vulns
end

.scan_form_params(url, form_params = nil, http: nil, form_data: {}, **kwargs) {|vuln| ... } ⇒ Array<Web>

Scans the URL and the form params.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • form_params (Array<Symbol, String>, nil) (defaults to: nil)

    The form param name(s) to test.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use when testing for web vulnerabilities.

Yields:

  • (vuln)

    If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (Web)

    A discovered web vulnerability in the URL and one of the form params.

Returns:

  • (Array<Web>)

    All discovered web vulnerabilities.



396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
 
# File 'lib/ronin/vulns/web_vuln.rb', line 396

def self.scan_form_params(url,form_params=nil, http: nil, form_data: {}, **kwargs)
  url    = URI(url)
  http ||= Support::Network::HTTP.connect_uri(url)

  form_params ||= form_data.keys
  vulns         = []

  form_params.each do |form_param|
    if (vuln = test_param(url, form_param: form_param, form_data: form_data, http: http, **kwargs))
      yield vuln if block_given?
      vulns << vuln
    end
  end

  return vulns
end

.scan_headers(url, header_names, http: nil, **kwargs) {|vuln| ... } ⇒ Array<Web>

Scans the URL and request headers.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • header_names (Array<String, Symbol>)

    The header name(s) to test.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use when testing for web vulnerabilities.

Yields:

  • (vuln)

    If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (Web)

    A discovered web vulnerability in the URL and one of the header names.

Returns:

  • (Array<Web>)

    All discovered web vulnerabilities.



309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
 
# File 'lib/ronin/vulns/web_vuln.rb', line 309

def self.scan_headers(url,header_names, http: nil, **kwargs)
  url    = URI(url)
  http ||= Support::Network::HTTP.connect_uri(url)

  vulns = []

  header_names.each do |header_name|
    if (vuln = test_param(url, header_name: header_name, http: http, **kwargs))
      yield vuln if block_given?
      vulns << vuln
    end
  end

  return vulns
end

.scan_query_params(url, query_params = nil, http: nil, **kwargs) {|vuln| ... } ⇒ Array<Web>

Scans the query parameters of the URL.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • query_params (Array<Symbol, String>, nil) (defaults to: nil)

    The query param name(s) to test. If no query param(s) are given, then all query params in the URL will be scanned.

  • http (Ronin::Support::Network::HTTP, nil) (defaults to: nil)

    An HTTP session to use when testing for web vulnerabilities.

Yields:

  • (vuln)

    If a block is given it will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (Web)

    A discovered web vulnerability in the URL's query params.

Returns:

  • (Array<Web>)

    All discovered web vulnerabilities.



270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
 
# File 'lib/ronin/vulns/web_vuln.rb', line 270

def self.scan_query_params(url,query_params=nil, http: nil, **kwargs)
  url    = URI(url)
  http ||= Support::Network::HTTP.connect_uri(url)

  query_params ||= url.query_params.keys
  vulns          = []

  query_params.each do |param|
    if (vuln = test_param(url, query_param: param, http: http, **kwargs))
      yield vuln if block_given?
      vulns << vuln
    end
  end

  return vulns
end

.test(url, **kwargs) ⇒ WebVuln?

Tests the URL for a web vulnerability and returns the first found vulnerability.

The HTTP request mehtod for each request.

Parameters:

  • url (URI::HTTP, String)

    The URL to test.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for scan.

Options Hash (**kwargs):

  • :query_params (Array<Symbol, String>, true, nil)

    The query param name(s) to test.

  • :header_names (Array<Symbol, String>, nil)

    The header name(s) to test.

  • :cookie_params (Array<Symbol, String>, true, nil)

    The cookie param name(s) to test.

  • :form_params (Array<Symbol, String>, nil)

    The form param name(s) to test.

  • :http (Ronin::Support::Network::HTTP, nil)

    An HTTP session to use for testing the LFI.

  • :request_method (:copy, :delete, :get, :head, :lock, :mkcol, :move, :options, :patch, :post, :propfind, :proppatch, :put, :trace, :unlock)
  • :user (String, nil)

    The user to authenticate as.

  • :password (String, nil)

    The password to authenticate with.

  • :headers (Hash{String => String}, nil)

    Additional headers to send with requests.

  • :user_agent (String, :random, :chrome, :chrome_linux, :chrome_macos, :chrome_windows, :chrome_iphone, :chrome_ipad, :chrome_android, :firefox, :firefox_linux, :firefox_macos, :firefox_windows, :firefox_iphone, :firefox_ipad, :firefox_android, :safari, :safari_macos, :safari_iphone, :safari_ipad, :edge, :linux, :macos, :windows, :iphone, :ipad, :android, nil)

    Optional User-Agent header to send with requests.

  • :cookie (Hash{String => String}, Ronin::Support::Network::HTTP::Cookie, nil)

    Additional cookie params to send with requests.

  • :referer (String, nil)

    Optional Referer header to send with requests.

  • :form_data (Hash{String => String}, nil)

    Additional form data to send with requests.

Returns:

  • (WebVuln, nil)

    The first discovered web vulnerability or nil if no vulnerabilities were discovered.



585
586
587
588
589
590
591
 
# File 'lib/ronin/vulns/web_vuln.rb', line 585

def self.test(url,**kwargs)
  scan(url,**kwargs) do |vuln|
    return vuln
  end

  return nil
end

.test_param(url, http:, **kwargs) ⇒ WebVuln?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Internal method that tests combinations of configurations for a specific query param, header name, cookie param, or form param.

Parameters:

  • url (URI::HTTP)

    The URL to test.

  • http (Ronin::Support::Network::HTTP, nil)

    An HTTP session to use for testing the URL.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for #initialize.

Options Hash (**kwargs):

  • :query_param (Symbol, String, nil)

    The query param name to test.

  • :header_name (Symbol, String, nil)

    The header name to test.

  • :cookie_param (Symbol, String, true, nil)

    The cookie param name to test.

  • :form_param (Symbol, String, nil)

    The form param name to test.

Returns:

  • (WebVuln, nil)

    The first discovered web vulnerability for the specific query param, header name, cookie param, or form param.

Since:

  • 0.2.0



241
242
243
244
245
 
# File 'lib/ronin/vulns/web_vuln.rb', line 241

def self.test_param(url, http: , **kwargs)
  vuln = new(url, http: http, **kwargs)

  return vuln if vuln.vulnerable?
end

Instance Method Details

#encode_payload(payload) ⇒ String

Place holder method for applying additional encoding to the payload.

Parameters:

  • payload (#to_s)

    The payload to encode.

Returns:

  • (String)

    The encoded payload.



713
714
715
 
# File 'lib/ronin/vulns/web_vuln.rb', line 713

def encode_payload(payload)
  payload.to_s
end

#exploit(payload, **kwargs) ⇒ Net::HTTPResponse

Exploits the web vulnerability by sending an HTTP request.

Parameters:

  • payload (String)

    The payload for the web vulnerability.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Support::Network::HTTP#request.

Returns:

  • (Net::HTTPResponse) 


729
730
731
732
733
734
735
736
737
738
739
 
# File 'lib/ronin/vulns/web_vuln.rb', line 729

def exploit(payload,**kwargs)
  payload = encode_payload(payload)

  request(
    query_params: exploit_query_params(payload),
    cookie:       exploit_cookie(payload),
    headers:      exploit_headers(payload),
    form_data:    exploit_form_data(payload),
    **kwargs
  )
end

#exploit_cookie(payload) ⇒ Hash{String,Symbol => String}, ...

The exploit cookie params with the payload injected.

Parameters:

  • payload (#to_s)

    The payload to use for the exploit.

Returns:

  • (Hash{String,Symbol => String}, Ronin::Support::Network::HTTP::Cookie, nil)

    The #cookie with the payload injected. If #cookie_param is not set, then the unmodified #cookie will be returned.



670
671
672
673
674
675
676
677
678
679
680
 
# File 'lib/ronin/vulns/web_vuln.rb', line 670

def exploit_cookie(payload)
  if @cookie_param
    if @cookie
      @cookie.merge(@cookie_param.to_s => payload)
    else
      {@cookie_param.to_s => payload}
    end
  else
    @cookie
  end
end

#exploit_form_data(payload) ⇒ Hash{String,Symbol => String}?

The exploit form data with the payload injected.

Parameters:

  • payload (#to_s)

    The payload to use for the exploit.

Returns:

  • (Hash{String,Symbol => String}, nil)

    The #form_data with the payload injected. If #form_param is not set, then the unmodified #form_data will be returned.



692
693
694
695
696
697
698
699
700
701
702
 
# File 'lib/ronin/vulns/web_vuln.rb', line 692

def exploit_form_data(payload)
  if @form_param
    if @form_data
      @form_data.merge(@form_param.to_s => payload)
    else
      {@form_param.to_s => payload}
    end
  else
    @form_data
  end
end

#exploit_headers(payload) ⇒ Hash{String,Symbol => String}?

The exploit headers with the payload injected.

Parameters:

  • payload (#to_s)

    The payload to use for the exploit.

Returns:

  • (Hash{String,Symbol => String}, nil)

    The #headers with the payload injected. If #header_name is not set, then the unmodified #headers will be returned.



648
649
650
651
652
653
654
655
656
657
658
 
# File 'lib/ronin/vulns/web_vuln.rb', line 648

def exploit_headers(payload)
  if @header_name
    if @headers
      @headers.merge(@header_name.to_s => payload)
    else
      {@header_name.to_s => payload}
    end
  else
    @headers
  end
end

#exploit_query_params(payload) ⇒ Hash{String,Symbol => String}

The exploit query params with the payload injected.

Parameters:

  • payload (#to_s)

    The payload to use for the exploit.

Returns:



626
627
628
629
630
631
632
633
634
635
636
 
# File 'lib/ronin/vulns/web_vuln.rb', line 626

def exploit_query_params(payload)
  if @query_param
    if @query_params
      @query_params.merge(@query_param.to_s => payload)
    else
      {@query_param.to_s => payload}
    end
  else
    @query_params
  end
end

#original_valueString?

The original value of the vulnerable query param, header, cookie param, or form param.

Returns:

  • (String, nil) 


747
748
749
750
751
752
753
754
755
756
757
 
# File 'lib/ronin/vulns/web_vuln.rb', line 747

def original_value
  if @query_param
    @url.query_params[@query_param]
  elsif @header_name
    @headers[@header_name] if @headers
  elsif @cookie_param
    @cookie[@cookie_param] if @cookie
  elsif @form_param
    @form_data[@form_param] if @form_data
  end
end

#random_value(length = 4) ⇒ String

Returns a random value.

Parameters:

  • length (Integer) (defaults to: 4)

    The desired length of the String.

Returns:

  • (String)

    The random value.



768
769
770
 
# File 'lib/ronin/vulns/web_vuln.rb', line 768

def random_value(length=4)
  Chars::ALPHA.random_string(length)
end

#request(**kwargs) ⇒ Net::HTTPResponse

Performs a normal request for the URL to test.

Parameters:

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Support::Network::HTTP#request.

Returns:

  • (Net::HTTPResponse) 


602
603
604
605
606
607
608
609
610
611
612
613
614
 
# File 'lib/ronin/vulns/web_vuln.rb', line 602

def request(**kwargs)
  @http.request(
    @request_method, @url.path, user:         @user,
                                password:     @password,
                                query_params: @query_params,
                                user_agent:   @user_agent,
                                cookie:       @cookie,
                                referer:      @referer,
                                headers:      @headers,
                                form_data:    @form_data,
                                **kwargs
  )
end

#to_curl(payload = 'PAYLOAD') ⇒ String

Converts the HTTP request to a curl command.

Parameters:

  • payload (#to_s) (defaults to: 'PAYLOAD')

    The optional payload to include in the curl command.

Returns:

  • (String) 


802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
 
# File 'lib/ronin/vulns/web_vuln.rb', line 802

def to_curl(payload='PAYLOAD')
  payload = encode_payload(payload)

  HTTPRequest.new(
    @url, request_method: @request_method,
          user:           @user,
          password:       @password,
          user_agent:     @user_agent,
          referer:        @referer,
          query_params:   exploit_query_params(payload),
          cookie:         exploit_cookie(payload),
          headers:        exploit_headers(payload),
          form_data:      exploit_form_data(payload)
  ).to_curl
end

#to_http(payload = 'PAYLOAD') ⇒ String

Converts the HTTP request to a raw HTTP request.

Parameters:

  • payload (#to_s) (defaults to: 'PAYLOAD')

    The optional payload to include in the HTTP request.

Returns:

  • (String) 


826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
 
# File 'lib/ronin/vulns/web_vuln.rb', line 826

def to_http(payload='PAYLOAD')
  payload = encode_payload(payload)

  HTTPRequest.new(
    @url, request_method: @request_method,
          user:           @user,
          password:       @password,
          user_agent:     @user_agent,
          referer:        @referer,
          query_params:   exploit_query_params(payload),
          cookie:         exploit_cookie(payload),
          headers:        exploit_headers(payload),
          form_data:      exploit_form_data(payload)
  ).to_http
end

#to_sString

Converts the web vulnerability into a String.

Returns:

  • (String)

    The String form of #url.



790
791
792
 
# File 'lib/ronin/vulns/web_vuln.rb', line 790

def to_s
  @url.to_s
end

#vulnerable?Boolean

This method is abstract.

Determines if the #url is vulnerable.

Returns:

  • (Boolean)

    Indicates whether the URL is vulnerable.

Raises:

  • (NotImplementedError) 


780
781
782
 
# File 'lib/ronin/vulns/web_vuln.rb', line 780

def vulnerable?
  raise(NotImplementedError,"#{self.inspect} did not implement ##{__method__}")
end