Class: Ronin::Web::CLI::Commands::Vulns Private

Inherits:
Ronin::Web::CLI::Command
Includes:
Core::CLI::Logging, Vulns::CLI::Importable, Vulns::CLI::Printing, SpiderOptions
Defined in:
lib/ronin/web/cli/commands/vulns.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Usage

ronin-web vulns [options] {--host HOST | --domain DOMAIN | --site URL}

Options

    --host HOST                  Spiders the specific HOST
    --domain DOMAIN              Spiders the whole domain
    --site URL                   Spiders the website, starting at the URL
    --open-timeout SECS          Sets the connection open timeout
    --read-timeout SECS          Sets the read timeout
    --ssl-timeout SECS           Sets the SSL connection timeout
    --continue-timeout SECS      Sets the continue timeout
    --keep-alive-timeout SECS    Sets the connection keep alive timeout
-P, --proxy PROXY                Sets the proxy to use.
-H, --header NAME: VALUE         Sets a default header
    --host-header NAME=VALUE     Sets a default header
-u chrome-linux|chrome-macos|chrome-windows|chrome-iphone|chrome-ipad|chrome-android|firefox-linux|firefox-macos|firefox-windows|firefox-iphone|firefox-ipad|firefox-android|safari-macos|safari-iphone|safari-ipad|edge,
    --user-agent                 The User-Agent to use
-U, --user-agent-string STRING   The User-Agent string to use
-R, --referer URL                Sets the Referer URL
    --delay SECS                 Sets the delay in seconds between each request
-l, --limit COUNT                Only spiders up to COUNT pages
-d, --max-depth DEPTH            Only spiders up to max depth
    --enqueue URL                Adds the URL to the queue
    --visited URL                Marks the URL as previously visited
    --strip-fragments            Enables/disables stripping the fragment component of every URL
    --strip-query                Enables/disables stripping the query component of every URL
    --visit-host HOST            Visit URLs with the matching host name
    --visit-hosts-like /REGEX/   Visit URLs with hostnames that match the REGEX
    --ignore-host HOST           Ignore the host name
    --ignore-hosts-like /REGEX/  Ignore the host names matching the REGEX
    --visit-port PORT            Visit URLs with the matching port number
    --visit-ports-like /REGEX/   Visit URLs with port numbers that match the REGEX
    --ignore-port PORT           Ignore the port number
    --ignore-ports-like /REGEX/  Ignore the port numbers matching the REGEXP
    --visit-link URL             Visit the URL
    --visit-links-like /REGEX/   Visit URLs that match the REGEX
    --ignore-link URL            Ignore the URL
    --ignore-links-like /REGEX/  Ignore URLs matching the REGEX
    --visit-ext FILE_EXT         Visit URLs with the matching file ext
    --visit-exts-like /REGEX/    Visit URLs with file exts that match the REGEX
    --ignore-ext FILE_EXT        Ignore the URLs with the file ext
    --ignore-exts-like /REGEX/   Ignore URLs with file exts matching the REGEX
-r, --robots                     Specifies whether to honor robots.txt
-v, --verbose                    Enables verbose output
    --lfi-os unix|windows        Sets the OS to test for
    --lfi-depth COUNT            Sets the directory depth to escape up
    --lfi-filter-bypass null-byte|double-escape|base64|rot13|zlib
                                 Sets the filter bypass strategy to use
    --rfi-filter-bypass double-encode|suffix-escape|null-byte
                                 Optional filter-bypass strategy to use
    --rfi-script-lang asp|asp.net|coldfusion|jsp|php|perl
                                 Explicitly specify the scripting language to test for
    --rfi-test-script-url URL    Use an alternative test script URL
    --sqli-escape-quote          Escapes quotation marks
    --sqli-escape-parens         Escapes parenthesis
    --sqli-terminate             Terminates the SQL expression with a --
    --ssti-test-expr {X*Y | X/Z | X+Y | X-Y}
                                 Optional numeric test to use
    --open-redirect-url URL      Optional test URL to try to redirect to

Since:

  • 2.0.0

Instance Attribute Summary

Attributes included from SpiderOptions

#agent_kwargs

URL Scanning Methods

Instance Method Summary

Methods included from SpiderOptions

#continue_timeout, #continue_timeout=, #delay, #delay=, #history, #host_headers, #ignore_exts, #ignore_hosts, #ignore_links, #ignore_ports, #ignore_schemes, included, #keep_alive_timeout, #keep_alive_timeout=, #limit, #limit=, #max_depth, #max_depth=, #new_agent, #open_timeout, #open_timeout=, #proxy, #proxy=, #queue, #read_timeout, #read_timeout=, #referer, #robots, #robots=, #ssl_timeout, #ssl_timeout=, #strip_fragments, #strip_fragments=, #strip_query, #strip_query=, #user_agent, #visit_exts, #visit_hosts, #visit_links, #visit_ports, #visit_schemes

Constructor Details

#initialize(**kwargs) ⇒ Vulns

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Initializes the ronin-web vulns command.

Parameters:

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 230

def initialize(**kwargs)
  super(**kwargs)

  @scan_mode   = :all
  @scan_kwargs = {}
end

Instance Attribute Details

#scan_kwargs ⇒ Hash{Symbol => Object} (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments for Ronin::Vulns::URLScanner.scan.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 222

def scan_kwargs
  @scan_kwargs
end

#scan_mode ⇒ :first, :all (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The scan mode

Returns:

  • (:first, :all)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 217

def scan_mode
  @scan_mode
end

Instance Method Details

#default_headers ⇒ Hash{String => String}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The default headers to send with every request.

Returns:

  • (Hash{String => String})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 313

def default_headers
  @scan_kwargs[:headers] ||= super
end

#lfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the lfi: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 354

def lfi_kwargs
  @scan_kwargs[:lfi] ||= {}
end

#open_redirect_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the open_redirect: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 398

def open_redirect_kwargs
  @scan_kwargs[:open_redirect] ||= {}
end

#print_vulns(vulns, print_curl: options[:print_curl], print_http: options[:print_http]) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Prints detailed information about the discovered web vulnerabilities.

Parameters:

  • vulns (Array<Ronin::Vulns::WebVuln>)

    The web vulnerabilities to print.

  • print_curl (Boolean) (defaults to: options[:print_curl])

    Whether to print an example curl command that triggers each web vulnerability.

  • print_http (Boolean) (defaults to: options[:print_http])

    Whether to print an example HTTP request that triggers each web vulnerability.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 301

def print_vulns(vulns, print_curl: options[:print_curl],
                       print_http: options[:print_http])
  super(vulns, print_curl: print_curl, print_http: print_http)
end

#process_vuln(vuln) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Logs and optionally imports a newly discovered web vulnerability.

Parameters:

  • vuln (Ronin::Vulns::WebVuln)

    The discovered web vulnerability.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 284

def process_vuln(vuln)
  log_vuln(vuln)
  import_vuln(vuln) if options[:import]
end

#referer=(new_referer) ⇒ String?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Note:

Also sets the Referer header that will be used during web vulnerability scanning.

Sets the Referer header that will be sent with every request.

Parameters:

  • new_referer (String)

Returns:

  • (String, nil)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 339

def referer=(new_referer)
  @scan_kwargs[:referer] ||= super(new_referer)
end

#reflected_xss_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the reflected_xss: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 409

def reflected_xss_kwargs
  @scan_kwargs[:reflected_xss] ||= {}
end

#rfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the rfi: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 365

def rfi_kwargs
  @scan_kwargs[:rfi] ||= {}
end

#run ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Runs the ronin-web vulns command.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 240

def run
  db_connect if options[:import]

  vulns = []

  begin
    new_agent do |agent|
      case @scan_mode
      when :first
        agent.every_url do |url|
          log_info "Testing #{url}"

          if (vuln = test_url(url))
            process_vuln(vuln)
            vulns << vuln

            agent.pause!
          end
        end
      when :all
        agent.every_url do |url|
          log_info "Testing #{url}"

          scan_url(url) do |vuln|
            process_vuln(vuln)
            vulns << vuln
          end
        end
      end
    end
  rescue Interrupt
    puts
  end

  puts unless vulns.empty?
  print_vulns(vulns)
end

#scan_url(url, **kwargs) {|vuln| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Scans the URL for web vulnerabilities.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Vulns::URLScanner.scan.

Yields:

  • (vuln)

    The given block will be passed each discovered web vulnerability.

Yield Parameters:

  • vuln (Ronin::Vulns::LFI, Ronin::Vulns::RFI, Ronin::Vulns::SQLI, Ronin::Vulns::SSTI, Ronin::Vulns::ReflectedXSS, Ronin::Vulns::OpenRedirect)

    A discovered web vulnerability in the URL.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 433

def scan_url(url,**kwargs,&block)
  Ronin::Vulns::URLScanner.scan(url,**kwargs,**@scan_kwargs,&block)
end

#sqli_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the sqli: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 376

def sqli_kwargs
  @scan_kwargs[:sqli] ||= {}
end

#ssti_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the ssti: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 387

def ssti_kwargs
  @scan_kwargs[:ssti] ||= {}
end

#test_url(url, **kwargs) ⇒ Ronin::Vulns::LFI, ...

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests the URL for web vulnerabilities, stopping at the first vulnerability found.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Vulns::URLScanner.test.

Returns:

  • (Ronin::Vulns::LFI, Ronin::Vulns::RFI, Ronin::Vulns::SQLI, Ronin::Vulns::SSTI, Ronin::Vulns::ReflectedXSS, Ronin::Vulns::OpenRedirect, nil)

    The first discovered web vulnerability, or nil if no vulnerabilities were discovered.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 456

def test_url(url,**kwargs)
  Ronin::Vulns::URLScanner.test(url,**kwargs,**@scan_kwargs)
end
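As an added example (not code from ronin-web or ronin-vulns), the following stand-alone Ruby sketch reproduces the shape of the run, scan_url and test_url methods above with constructed stand-ins for the spidering agent and for Ronin::Vulns::URLScanner, so that the two scan modes and the keyword-argument merge order can be exercised offline. StubAgent, StubScanner, VulnsDriver, SAMPLE_URLS, run_mode, merged_kwargs and the suspicious_params: keyword are all assumptions made for this example and do not exist in the project.

```ruby
require 'uri'

# Constructed stand-in for the spidering agent used by new_agent: yields each
# queued URL and, like the real agent, stops iterating once pause! is called.
class StubAgent
  def initialize(urls)
    @urls   = urls.map { |u| URI(u) }
    @paused = false
  end

  def every_url
    @urls.each do |url|
      break if @paused
      yield url
    end
  end

  def pause!
    @paused = true
  end
end

# Constructed stand-in for Ronin::Vulns::URLScanner. It reports a "finding"
# (a string naming the URL and parameter) for every query parameter listed in
# suspicious_params:, and returns the kwargs it received so the merge order
# used by scan_url/test_url can be observed.
module StubScanner
  def self.scan(url, **kwargs)
    params = URI.decode_www_form(url.query.to_s).map(&:first)
    hits   = params & Array(kwargs[:suspicious_params])
    hits.each { |name| yield "#{url}: param #{name}" } if block_given?
    kwargs
  end

  def self.test(url, **kwargs)
    first = nil
    scan(url, **kwargs) { |vuln| first ||= vuln }
    first
  end
end

# Mirrors the shape of the page's run, scan_url and test_url methods.
class VulnsDriver
  def initialize(scan_mode: :all, **scan_kwargs)
    @scan_mode   = scan_mode
    @scan_kwargs = scan_kwargs
  end

  # Same splat order as the page: caller kwargs first, then @scan_kwargs, so a
  # key present in both takes the @scan_kwargs value.
  def scan_url(url, **kwargs, &block)
    StubScanner.scan(url, **kwargs, **@scan_kwargs, &block)
  end

  def test_url(url, **kwargs)
    StubScanner.test(url, **kwargs, **@scan_kwargs)
  end

  # :first pauses the spider at the first finding; :all collects every finding.
  def run(agent)
    vulns = []
    case @scan_mode
    when :first
      agent.every_url do |url|
        if (vuln = test_url(url))
          vulns << vuln
          agent.pause!
        end
      end
    when :all
      agent.every_url do |url|
        scan_url(url) { |vuln| vulns << vuln }
      end
    end
    vulns
  end
end

# Constructed sample crawl: two of the three URLs carry a flagged parameter.
SAMPLE_URLS = [
  'http://example.com/',
  'http://example.com/go?next=/home',
  'http://example.com/view?file=readme&next=/x'
].freeze

def run_mode(mode)
  VulnsDriver.new(scan_mode: mode, suspicious_params: %w[next file])
             .run(StubAgent.new(SAMPLE_URLS))
end

# The per-call suspicious_params: is overridden by the one held in @scan_kwargs.
def merged_kwargs
  VulnsDriver.new(suspicious_params: %w[next])
             .scan_url(URI('http://example.com/?q=1'), suspicious_params: %w[q])
end

if __FILE__ == $PROGRAM_NAME
  p run_mode(:first)   # one finding, then the spider is paused
  p run_mode(:all)     # three findings
  p merged_kwargs      # {:suspicious_params=>["next"]}
end
```

Running the file prints a single finding for :first (the agent is paused right after it, so the remaining URLs are never tested) and three findings for :all. The splat order is the point worth remembering when reading scan_url and test_url: because @scan_kwargs is expanded last, a value stored there (for example the referer or user_agent captured by the setters above) takes precedence over a value passed directly to either method under the same key.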

#user_agent=(new_user_agent) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Sets the User-Agent header that will be sent with every request.

Parameters:

  • new_user_agent (String)

Returns:

  • (String)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 324

def user_agent=(new_user_agent)
  @scan_kwargs[:user_agent] ||= super(new_user_agent)
end