Skip to content

Commit

Permalink
Add the ronin-web vulns command (issue #81).
Browse files Browse the repository at this point in the history
  • Loading branch information
@postmodern
postmodern committed Feb 14, 2024
1 parent 8bbe82c commit 0b66f08
Show file tree
Hide file tree
Showing 6 changed files with 354 additions and 0 deletions.
7 changes: 7 additions & 0 deletions Gemfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,13 @@ gem 'ronin-web-browser', '~> 0.1', github: 'ronin-rb/ronin-web-browser'
gem 'ronin-web-session_cookie', '~> 0.1', github: 'ronin-rb/ronin-web-session_cookie',
branch: 'main'

gem 'ronin-db', '~> 0.2', github: 'ronin-rb/ronin-db',
branch: '0.2.0'
gem 'ronin-db-activerecord', '~> 0.2', github: 'ronin-rb/ronin-db-activerecord',
branch: '0.2.0'
gem 'ronin-vulns', '~> 0.2', github: 'ronin-rb/ronin-vulns',
branch: '0.2.0'

group :development do
gem 'rake'
gem 'rubygems-tasks', '~> 0.1'
Expand Down
1 change: 1 addition & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,7 @@ puts doc.to_xml
* [ronin-web-user_agents] ~> 0.1
* [ronin-web-session_cookie] ~> 0.1
* [ronin-core] ~> 0.2
* [ronin-vulns] ~> 0.2

## Install

Expand Down
2 changes: 2 additions & 0 deletions gemspec.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ generated_files:
- man/ronin-web-session-cookie.1
- man/ronin-web-user-agent.1
- man/ronin-web-wordlist.1
- man/ronin-web-vulns.1

dependencies:
nokogiri: ~> 1.4
Expand All @@ -54,6 +55,7 @@ dependencies:
ronin-web-user_agents: ~> 0.1
ronin-web-session_cookie: ~> 0.1
ronin-core: ~> 0.2
ronin-vulns: ~> 0.2

development_dependencies:
bundler: ~> 2.0
160 changes: 160 additions & 0 deletions lib/ronin/web/cli/commands/vulns.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
# frozen_string_literal: true
#
# ronin-web - A collection of useful web helper methods and commands.
#
# Copyright (c) 2006-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# ronin-web is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ronin-web is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ronin-web. If not, see <https://www.gnu.org/licenses/>.
#

require 'ronin/web/cli/command'
require 'ronin/web/cli/spider_options'
require 'ronin/core/cli/logging'
require 'ronin/vulns/url_scanner'
require 'ronin/vulns/cli/logging'

module Ronin
module Web
class CLI
module Commands
#
# ## Usage
#
# ronin-web vulns [options] {--host HOST | --domain DOMAIN | --site URL}
#
# ## Options
#
# @since 1.1.0
#
class Vulns < Command

include Core::CLI::Logging
include Ronin::Vulns::CLI::Logging
include SpiderOptions

option :lfi_os, value: {
type: [:unix, :windows]
},
desc: 'Sets the OS to test for'

option :lfi_depth, value: {
type: Integer,
usage: 'COUNT'
},
desc: 'Sets the directory depth to escape up'

option :lfi_filter_bypass, value: {
type: [
:null_byte,
:double_escape,
:base64,
:rot13,
:zlib
]
},
desc: 'Sets the filter bypass strategy to use'

option :rfi_filter_bypass, value: {
type: {
'double-encode' => :double_encode,
'suffix-escape' => :suffix_escape,
'null-byte' => :null_byte
}
},
desc: 'Optional filter-bypass strategy to use'

option :rfi_script_lang, value: {
type: {
'asp' => :asp,
'asp.net' => :asp_net,
'coldfusion' => :cold_fusion,
'jsp' => :jsp,
'php' => :php,
'perl' => :perl
}
},
desc: 'Explicitly specify the scripting language to test for'

option :rfi_test_script_url, value: {
type: String,
usage: 'URL'
},
desc: 'Use an alternative test script URL'

option :sqli_escape_quote, desc: 'Escapes quotation marks'

option :sqli_escape_parens, desc: 'Escapes parenthesis'

option :sqli_terminate, desc: 'Terminates the SQL expression with a --'

option :ssti_test_expr, value: {
type: %r{\A\d+\s*[\*/\+\-]\s*\d+\z},
usage: '{X*Y | X/Z | X+Y | X-Y}'
},
desc: 'Optional numeric test to use' do |expr|
@ssti_test_expr = Ronin::Vulns::SSTI::TestExpression.parse(expr)
end

option :open_redirect_url, value: {
type: String,
usage: 'URL'
},
desc: 'Optional test URL to try to redirect to'

description "Spiders a website and scans every URL for web vulnerabilities"

man_page 'ronin-web-vulns.1'

#
# Runs the `ronin-web vulns` command.
#
def run
new_agent do |agent|
agent.every_url do |url|
test_url(url)
end
end
end

#
# Scans the URL for web vulnerabilities and prints every discovered
# web vulnerability.
#
# @param [URI::HTTP, String] url
# The URL to scan.
#
def scan_url(url)
Ronin::Vulns::URLScanner.scan(url) do |vuln|
log_vuln(vuln)
end
end

#
# Tests the URL for web vulnerabilities and prints the first
# vulnerability.
#
# @param [URI::HTTP, String] url
# The URL to scan.
#
def test_url(url)
if (vuln = Ronin::Vulns::URLScanner.test(url))
log_vuln(vuln)
end
end

end
end
end
end
end
177 changes: 177 additions & 0 deletions man/ronin-web-vulns.1.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,177 @@
# ronin-web-spider 1 "2022-01-01" Ronin Web "User Manuals"

## SYNOPSIS

`ronin-web spider` [*options*] {`--host` *HOST* \| `--domain` *DOMAIN* \| `--site` *URL*}

## DESCRIPTION

Spiders a website and tests every URL for web vulnerabilities.

## OPTIONS

`--host` *HOST*
Spiders the specific *HOST*.

`--domain` *DOMAIN*
Spiders the whole *DOMAIN*.

`--site` *URL*
Spiders the website, starting at the *URL*.

`--open-timeout` *SECS*
Sets the connection open timeout.

`--read-timeout` *SECS*
Sets the read timeout.

`--ssl-timeout` *SECS*
Sets the SSL connection timeout.

`--continue-timeout` *SECS*
Sets the continue timeout.

`--keep-alive-timeout` *SECS*
Sets the connection keep alive timeout.

`-P`, `--proxy` *PROXY*
Sets the proxy to use.

`-H`, `--header` "*NAME*: *VALUE*"
Sets a default header.

`--host-header` *NAME*=*VALUE*
Sets a default header.

`-u`, `--user-agent` chrome-linux|chrome-macos|chrome-windows|chrome-iphone|chrome-ipad|chrome-android|firefox-linux|firefox-macos|firefox-windows|firefox-iphone|firefox-ipad|firefox-android|safari-macos|safari-iphone|safari-ipad|edge
The `User-Agent` to use.

`-U`, `--user-agent-string` *STRING*
The raw `User-Agent` string to use.

`-R`, `--referer` *URL*
Sets the `Referer` URL.

`--delay` *SECS*
Sets the delay in seconds between each request.

`-l`, `--limit` *COUNT*
Only spiders up to *COUNT* pages.

`-d`, `--max-depth` *DEPTH*
Only spiders up to max depth.

`--enqueue` *URL*
Adds the URL to the queue.

`--visited` *URL*
Marks the URL as previously visited.

`--strip-fragments`
Enables/disables stripping the fragment component of every URL.

`--strip-query`
Enables/disables stripping the query component of every URL.

`--visit-host` *HOST*
Visit URLs with the matching host name.

`--visit-hosts-like` `/`*REGEX*`/`
Visit URLs with hostnames that match the *REGEX*.

`--ignore-host` *HOST*
Ignore the host name.

`--ignore-hosts-like` `/`*REGEX*`/`
Ignore the host names matching the *REGEX*.

`--visit-port` *PORT*
Visit URLs with the matching port number.

`--visit-ports-like` `/`*REGEX*`/`
Visit URLs with port numbers that match the *REGEX*.

`--ignore-port` *PORT*
Ignore the port number.

`--ignore-ports-like` `/`*REGEX*`/`
Ignore the port numbers matching the *REGEXP*.

`--visit-link` *URL*
Visit the *URL*.

`--visit-links-like` `/`*REGEX*`/`
Visit URLs that match the *REGEX*.

`--ignore-link` *URL*
Ignore the *URL*.

`--ignore-links-like` `/`*REGEX*`/`
Ignore URLs matching the *REGEX*.

`--visit-ext` *FILE_EXT*
Visit URLs with the matching file ext.

`--visit-exts-like` `/`*REGEX*`/`
Visit URLs with file exts that match the *REGEX*.

`--ignore-ext` *FILE_EXT*
Ignore the URLs with the file ext.

`--ignore-exts-like` `/`*REGEX*`/`
Ignore URLs with file exts matching the REGEX.

`-r`, `--robots`
Specifies whether to honor `robots.txt`.

`--lfi-os` `unix`\|`windows`
: Sets the OS to test for.

`--lfi-depth` *NUM*
: Sets the directory depth to escape up.

`--lfi-filter-bypass` `null_byte`\|`double_escape`\|`base64`\|`rot13`\|`zlib`
: Sets the filter bypass strategy to use.

`--rfi-filter-bypass` `double-encode`\|`suffix-escape`\|`null-byte`
: Optional filter-bypass strategy to use.

`--rfi-script-lang` `asp`\|`asp.net`\|`coldfusion`\|`jsp`\|`php`\|`perl`
: Explicitly specify the scripting language to test for.

`--rfi-test-script-url` *URL*
: Use an alternative test script URL.

`--sqli-escape-quote`
: Escapes quotation marks.

`--sqli-escape-parens`
: Escapes parenthesis.

`--sqli-terminate`
: Terminates the SQL expression with a `--`.

`--ssti-test-expr` {*X*\**Y* \| *X*/*Z* \| *X*+*Y* \| *X*-*Y*}
: Optional numeric test to use.

`--open-redirect-url` *URL*
: Optional test URL to try to redirect to.

`-h`, `--help`
Print help information.

## ENVIRONMENT

*HTTP_PROXY*
Sets the global HTTP proxy.

*RONIN_HTTP_PROXY*
Sets the HTTP proxy for Ronin.

## AUTHOR

Postmodern <postmodern.mod3@gmail.com>

## SEE ALSO

ronin-web-spider(1)
7 changes: 7 additions & 0 deletions spec/cli/commands/vulns_spec.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
require 'spec_helper'
require 'ronin/web/cli/commands/vulns'
require_relative 'man_page_example'

describe Ronin::Web::CLI::Commands::Vulns do
include_examples "man_page"
end

0 comments on commit 0b66f08

Please sign in to comment.