Class: Ronin::Web::CLI::Commands::Vulns Private

Inherits:
Ronin::Web::CLI::Command
Includes:
Core::CLI::Logging, Vulns::CLI::Importable, Vulns::CLI::Printing, SpiderOptions
Defined in:
lib/ronin/web/cli/commands/vulns.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Usage

ronin-web vulns [options] {--host HOST | --domain DOMAIN | --site URL}

Options

    --host HOST                  Spiders the specific HOST
    --domain DOMAIN              Spiders the whole domain
    --site URL                   Spiders the website, starting at the URL
    --open-timeout SECS          Sets the connection open timeout
    --read-timeout SECS          Sets the read timeout
    --ssl-timeout SECS           Sets the SSL connection timeout
    --continue-timeout SECS      Sets the continue timeout
    --keep-alive-timeout SECS    Sets the connection keep alive timeout
-P, --proxy PROXY                Sets the proxy to use.
-H, --header NAME: VALUE         Sets a default header
    --host-header NAME=VALUE     Sets a default header
-u chrome-linux|chrome-macos|chrome-windows|chrome-iphone|chrome-ipad|chrome-android|firefox-linux|firefox-macos|firefox-windows|firefox-iphone|firefox-ipad|firefox-android|safari-macos|safari-iphone|safari-ipad|edge,
    --user-agent                 The User-Agent to use
-U, --user-agent-string STRING   The User-Agent string to use
-R, --referer URL                Sets the Referer URL
    --delay SECS                 Sets the delay in seconds between each request
-l, --limit COUNT                Only spiders up to COUNT pages
-d, --max-depth DEPTH            Only spiders up to max depth
    --enqueue URL                Adds the URL to the queue
    --visited URL                Marks the URL as previously visited
    --strip-fragments            Enables/disables stripping the fragment component of every URL
    --strip-query                Enables/disables stripping the query component of every URL
    --visit-host HOST            Visit URLs with the matching host name
    --visit-hosts-like /REGEX/   Visit URLs with hostnames that match the REGEX
    --ignore-host HOST           Ignore the host name
    --ignore-hosts-like /REGEX/  Ignore the host names matching the REGEX
    --visit-port PORT            Visit URLs with the matching port number
    --visit-ports-like /REGEX/   Visit URLs with port numbers that match the REGEX
    --ignore-port PORT           Ignore the port number
    --ignore-ports-like /REGEX/  Ignore the port numbers matching the REGEXP
    --visit-link URL             Visit the URL
    --visit-links-like /REGEX/   Visit URLs that match the REGEX
    --ignore-link URL            Ignore the URL
    --ignore-links-like /REGEX/  Ignore URLs matching the REGEX
    --visit-ext FILE_EXT         Visit URLs with the matching file ext
    --visit-exts-like /REGEX/    Visit URLs with file exts that match the REGEX
    --ignore-ext FILE_EXT        Ignore the URLs with the file ext
    --ignore-exts-like /REGEX/   Ignore URLs with file exts matching the REGEX
-r, --robots                     Specifies whether to honor robots.txt
-v, --verbose                    Enables verbose output
    --lfi-os unix|windows        Sets the OS to test for
    --lfi-depth COUNT            Sets the directory depth to escape up
    --lfi-filter-bypass null-byte|double-escape|base64|rot13|zlib
                                 Sets the filter bypass strategy to use
    --rfi-filter-bypass double-encode|suffix-escape|null-byte
                                 Optional filter-bypass strategy to use
    --rfi-script-lang asp|asp.net|coldfusion|jsp|php|perl
                                 Explicitly specify the scripting language to test for
    --rfi-test-script-url URL    Use an alternative test script URL
    --sqli-escape-quote          Escapes quotation marks
    --sqli-escape-parens         Escapes parenthesis
    --sqli-terminate             Terminates the SQL expression with a --
    --ssti-test-expr {X*Y | X/Z | X+Y | X-Y}
                                 Optional numeric test to use
    --open-redirect-url URL      Optional test URL to try to redirect to

Since:

  • 2.0.0

Instance Attribute Summary

Attributes included from SpiderOptions

#agent_kwargs

URL Scanning Methods

Instance Method Summary

Methods included from SpiderOptions

#continue_timeout, #continue_timeout=, #delay, #delay=, #history, #host_headers, #ignore_exts, #ignore_hosts, #ignore_links, #ignore_ports, #ignore_schemes, included, #keep_alive_timeout, #keep_alive_timeout=, #limit, #limit=, #max_depth, #max_depth=, #new_agent, #open_timeout, #open_timeout=, #proxy, #proxy=, #queue, #read_timeout, #read_timeout=, #referer, #robots, #robots=, #ssl_timeout, #ssl_timeout=, #strip_fragments, #strip_fragments=, #strip_query, #strip_query=, #user_agent, #visit_exts, #visit_hosts, #visit_links, #visit_ports, #visit_schemes

Constructor Details

#initialize(**kwargs) ⇒ Vulns

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Initializes the ronin-web vulns command.

Parameters:

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 229

def initialize(**kwargs)
  super(**kwargs)

  @scan_mode   = :all
  @scan_kwargs = {}
end

Instance Attribute Details

#scan_kwargs ⇒ Hash{Symbol => Object} (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments for Ronin::Vulns::URLScanner.scan.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 221

def scan_kwargs
  @scan_kwargs
end

#scan_mode ⇒ :first, :all (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The scan mode

Returns:

  • (:first, :all)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 216

def scan_mode
  @scan_mode
end

Instance Method Details

#default_headers ⇒ Hash{String => String}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

The default headers to send with every request.

Returns:

  • (Hash{String => String})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 312

def default_headers
  @scan_kwargs[:headers] ||= super
end

#lfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the lfi: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 353

def lfi_kwargs
  @scan_kwargs[:lfi] ||= {}
end

#open_redirect_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the open_redirect: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 397

def open_redirect_kwargs
  @scan_kwargs[:open_redirect] ||= {}
end

#print_vulns(vulns, print_curl: options[:print_curl], print_http: options[:print_http]) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Prints detailed information about a discovered web vulnerability.

Parameters:

  • vulns (Array<Ronin::Vulns::WebVuln>)

    The web vulnerabilities to log.

  • print_curl (Boolean) (defaults to: options[:print_curl])

    Prints an example curl command to trigger the web vulnerability.

  • print_http (Boolean) (defaults to: options[:print_http])

    Prints an example HTTP request to trigger the web vulnerability.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 300

def print_vulns(vulns, print_curl: options[:print_curl],
                       print_http: options[:print_http])
  super(vulns, print_curl: print_curl, print_http: print_http)
end

#process_vuln(vuln) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Logs and optionally imports a newly discovered web vulnerability.

Parameters:

  • vuln (Ronin::Vulns::WebVuln)

    The discovered web vulnerability.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 283

def process_vuln(vuln)
  log_vuln(vuln)
  import_vuln(vuln) if options[:import]
end

#referer=(new_referer) ⇒ String?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Note:

Also sets the Referer header that will be used during web vulnerability scanning.

Sets the Referer header that will be sent with every request.

Parameters:

  • new_referer (String)

Returns:

  • (String, nil)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 338

def referer=(new_referer)
  @scan_kwargs[:referer] ||= super(new_referer)
end

#reflected_xss_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the reflected_xss: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 408

def reflected_xss_kwargs
  @scan_kwargs[:reflected_xss] ||= {}
end

#rfi_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the rfi: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 364

def rfi_kwargs
  @scan_kwargs[:rfi] ||= {}
end

#run ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Runs the ronin-web vulns command.

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 239

def run
  db_connect if options[:import]

  vulns = []

  begin
    new_agent do |agent|
      case @scan_mode
      when :first
        agent.every_url do |url|
          log_info "Testing #{url}"

          if (vuln = test_url(url))
            process_vuln(vuln)
            vulns << vuln

            agent.pause!
          end
        end
      when :all
        agent.every_url do |url|
          log_info "Testing #{url}"

          scan_url(url) do |vuln|
            process_vuln(vuln)
            vulns << vuln
          end
        end
      end
    end
  rescue Interrupt
    puts
  end

  puts unless vulns.empty?
  print_vulns(vulns)
end

#scan_url(url, **kwargs) {|vuln| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Scans the URL for web vulnerabilities, yielding each web vulnerability discovered in the URL.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Vulns::URLScanner.scan.

Yields:

  • (vuln)

    The given block will be yielded each discovered web vulnerability.

Yield Parameters:

  • vuln (Ronin::Vulns::LFI, Ronin::Vulns::RFI, Ronin::Vulns::SQLI, Ronin::Vulns::SSTI, Ronin::Vulns::ReflectedXSS, Ronin::Vulns::OpenRedirect)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 432

def scan_url(url,**kwargs,&block)
  Ronin::Vulns::URLScanner.scan(url,**kwargs,**@scan_kwargs,&block)
end

#sqli_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the sqli: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 375

def sqli_kwargs
  @scan_kwargs[:sqli] ||= {}
end

#ssti_kwargs ⇒ Hash{Symbol => Object}

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Keyword arguments which will be passed to Ronin::Vulns::URLScanner.scan or Ronin::Vulns::URLScanner.test via the ssti: keyword.

Returns:

  • (Hash{Symbol => Object})

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 386

def ssti_kwargs
  @scan_kwargs[:ssti] ||= {}
end

#test_url(url, **kwargs) ⇒ Ronin::Vulns::LFI, ...

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests the URL for web vulnerabilities and prints the first vulnerability.

The first discovered web vulnerability or nil if no vulnerabilities were discovered.

Parameters:

  • url (URI::HTTP, String)

    The URL to scan.

  • kwargs (Hash{Symbol => Object})

    Additional keyword arguments for Ronin::Vulns::URLScanner.test.

Returns:

  • (Ronin::Vulns::LFI, Ronin::Vulns::RFI, Ronin::Vulns::SQLI, Ronin::Vulns::SSTI, Ronin::Vulns::ReflectedXSS, Ronin::Vulns::OpenRedirect, nil)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 455

def test_url(url,**kwargs)
  Ronin::Vulns::URLScanner.test(url,**kwargs,**@scan_kwargs)
end
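An added standalone example (not ronin-web's own code) showing how the `*_kwargs` accessors, `scan_url`/`test_url` and the two scan modes of `run` above fit together: Ronin::Vulns::URLScanner is replaced by a recording stub, and option key names such as `:os`, `:escape_quote` and `:test_expr` are assumed rather than taken from the scanners.

```ruby
# Stand-in for Ronin::Vulns::URLScanner (an assumption, not the real class): it makes
# no requests; `findings` maps a URL to canned results, and every call's merged
# keyword arguments are recorded in `calls` so they can be inspected.
class StubScanner
  attr_reader :calls
  def initialize(findings = {})
    @findings, @calls = findings, []
  end
  def scan(url, **kwargs)               # yields every canned finding for the URL
    @calls << [:scan, url, kwargs]
    @findings.fetch(url, []).each { |v| yield v }
  end
  def test(url, **kwargs)               # returns the first finding, or nil
    @calls << [:test, url, kwargs]
    @findings.fetch(url, []).first
  end
end

# Simplified mirror of the command's per-scanner kwargs accessors and scan loop.
class ScanOptions
  attr_reader :scan_kwargs
  def initialize(scanner)
    @scanner, @scan_kwargs = scanner, {}
  end
  # Lazily creates the nested hash, so `opts.lfi_kwargs[:os] = :unix` populates
  # scan_kwargs[:lfi]. (Keys such as :os and :escape_quote are assumed names.)
  %i[lfi rfi sqli ssti reflected_xss open_redirect].each do |name|
    define_method(:"#{name}_kwargs") { @scan_kwargs[name] ||= {} }
  end
  # Same splat order as the command: @scan_kwargs is expanded last, so for a key
  # present in both, the accumulated CLI option overrides the per-call kwarg.
  def scan_url(url, **kwargs, &block)
    @scanner.scan(url, **kwargs, **@scan_kwargs, &block)
  end
  def test_url(url, **kwargs)
    @scanner.test(url, **kwargs, **@scan_kwargs)
  end
  # The two scan modes of `run`: :first stops at the first finding (the command
  # calls agent.pause! there); :all keeps crawling and collects every finding.
  def run_over(urls, mode: :all)
    found = []
    urls.each do |url|
      if mode == :all then scan_url(url) { |v| found << v }
      elsif (vuln = test_url(url)) then found << vuln; break
      end
    end
    found
  end
end
```

The point worth checking in a real run is the splat order: a per-URL `lfi:` override passed to `scan_url` is silently replaced by whatever `--lfi-os` put into `scan_kwargs[:lfi]`.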

#user_agent=(new_user_agent) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Sets the User-Agent header that will be sent with every request.

Parameters:

  • new_user_agent (String)

Returns:

  • (String)

Since:

  • 2.0.0



# File 'lib/ronin/web/cli/commands/vulns.rb', line 323

def user_agent=(new_user_agent)
  @scan_kwargs[:user_agent] ||= super(new_user_agent)
end