Class: Ronin::Exploits::Web

Inherits:
HTTP
Defined in:
lib/ronin/exploits/web.rb

Overview

An Exploit class that represents exploits that run against Web services.

Direct Known Subclasses

LFI, RFI, SQLi

Constant Summary

Constants inherited from HTTP

HTTP::DEFAULT_PORT

Instance Attribute Summary

Attributes inherited from Exploit

#encoders, #helpers, #raw_payload, #restricted_chars, #target

Attributes included from Payloads::HasPayload

#payload

Class Method Summary

Instance Method Summary

Methods inherited from HTTP

#url_for

Methods inherited from RemoteTCP

#deploy!, #test!

Methods included from Model::HasDefaultPort

included

Methods inherited from Exploit

#advisory, advisory, #arch, #build!, #build_payload!, #deploy!, #encode_payload, #encode_payload!, #evacuate!, #exploit!, #helper, #initialize, #os, #payload=, #restrict, #software, #targeting, #targeting_arch, targeting_arch, #targeting_os, targeting_os, #targeting_software, targeting_software, #use_target!

Methods included from Tests

#is_restricted?, #test_arch!, #test_os!, #test_restricted!, #test_software!, #test_target!

Methods included from PostExploitation::Mixin

#fs, #post_exploitation, #process, #resources, #shell

Methods included from Payloads::HasPayload

#default_payload, #initialize, #method_missing, #payload_class, #respond_to?, #use_payload!, #use_payload_from!

Constructor Details

This class inherits a constructor from Ronin::Exploits::Exploit

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Ronin::Payloads::HasPayload

Class Method Details

.test(uri, options = {}) ⇒ Web

Tests if the URI is vulnerable to the Web Exploit.

Parameters:

  • uri (URI::HTTP, String)

    The URL to test.

  • options (Hash) (defaults to: {})

    Additional options for Exploit#initialize.

Returns:

  • (Web)

    The first successful Web Exploit.


# File 'lib/ronin/exploits/web.rb', line 74

def self.test(uri,options={})
  uri = URI(uri) unless uri.kind_of?(URI)

  uri.query_params.each do |name,value|
    exploit = new(options.merge(
      host:             uri.host,
      port:             uri.port,
      url_path:         uri.path,
      url_query:        uri.query,
      url_query_param:  URLQueryParamName.first_or_new(name: name)
    ))

    return exploit if exploit.vulnerable?
  end

  return nil
end

Instance Method Details

#exploit(payload, query_params = {}) ⇒ Net::HTTPResponse

Performs an HTTP request to the exploit URL.

Parameters:

  • payload (#to_s)

    The payload to inject into the URL.

  • query_params (Hash) (defaults to: {})

    Additional query parameters for the URL.

Returns:

  • (Net::HTTPResponse)

    The HTTP response from the exploit.


# File 'lib/ronin/exploits/web.rb', line 176

def exploit(payload,query_params={})
  http_request(url: exploit_url(payload,query_params))
end

#exploit_url(payload, query_params = {}) ⇒ URI::HTTP

Creates an exploit URL.

Parameters:

  • payload (#to_s)

    The payload to inject into the URL.

  • query_params (Hash) (defaults to: {})

    Additional query parameters for the URL.

Returns:

  • (URI::HTTP)

    The URL which will trigger the exploit.


# File 'lib/ronin/exploits/web.rb', line 153

def exploit_url(payload,query_params={})
  new_url = url
  new_url.query_params.merge!(query_params)

  if self.url_query_param
    new_url.query_params[self.url_query_param.name] = payload
  end

  return new_url
end

#http_request(options = {}) {|response| ... } ⇒ Net::HTTPResponse (protected)

Performs an HTTP request.

Parameters:

  • options (Hash) (defaults to: {})

    Additional http_request options.

Options Hash (options):

  • :method (Symbol) — default: self.http_method

    The HTTP method to use for the request.

  • :headers (Hash) — default: self.http_headers

    Additional HTTP Headers to send with the request.

Yields:

  • (response)

    If a block is given, it will be passed the response received from the request.

Yield Parameters:

  • response (Net::HTTPResponse)

    The HTTP response object.

Returns:

  • (Net::HTTPResponse)

    The response of the HTTP request.

# File 'lib/ronin/exploits/web.rb', line 219

def http_request(options={},&block)
  options = {
    method:  self.http_method,
    headers: self.http_headers,
    path:    self.url_path,
    query:   self.url_query
  }.merge(options)

  return super(options,&block)
end

#normal_body ⇒ String

Contains the normal response body for the URL.

Returns:

  • (String)

    The normal response body.


# File 'lib/ronin/exploits/web.rb', line 137

def normal_body
  normal_response.body
end

#normal_response ⇒ Net::HTTPResponse

Contains the normal response for the URL.

Returns:

  • (Net::HTTPResponse)

    The normal HTTP response.


# File 'lib/ronin/exploits/web.rb', line 127

def normal_response
  @normal_response ||= http_request
end

#url ⇒ URI::HTTP

Builds the target URL based on the #http_host, #http_port, #url_prefix and #url_query_params parameters as well as the #url_path and #url_query properties.

Returns:

  • (URI::HTTP)

    The HTTP URI object.

# File 'lib/ronin/exploits/web.rb', line 114

def url
  path_query  = self.url_path
  path_query += "?#{self.url_query}" if self.url_query

  return url_for(path_query,self.url_query_params)
end

#url_query_param_value ⇒ String

The value of the targeted query-param.

Returns:

  • (String)

    The value.


# File 'lib/ronin/exploits/web.rb', line 98

def url_query_param_value
  @url_query_param_value ||= (
    URI::QueryParams.parse(self.url_query)[self.url_query_param.name].to_s
  )
end

#vulnerable? ⇒ Boolean?

This method is abstract.

Determines if the URL is vulnerable.

Returns:

  • (Boolean, nil)

    Specifies whether the URL is vulnerable to the exploit. Returns nil when it is unclear if the URL can be exploited.


# File 'lib/ronin/exploits/web.rb', line 189

def vulnerable?
  nil
end
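
The per-parameter loop in .test and the three-valued return of #vulnerable? interact in a way worth seeing: a nil ("unclear") result is treated the same as false, and a URL with no query parameters is never checked at all. The following is an added example, not Ronin's code; it uses only Ruby's standard library, makes no HTTP requests, and the names query_param_names, first_flagged, verdicts and the sample data are hypothetical.

```ruby
require 'uri'

# Query parameter names of a URL, in order, without duplicates.
def query_param_names(url)
  URI.decode_www_form(URI(url).query.to_s).map(&:first).uniq
end

# Mirrors the control flow of Web.test: return the first parameter whose
# check is truthy, otherwise nil. A nil ("unclear") check is silently dropped.
def first_flagged(url)
  query_param_names(url).each do |name|
    return name if yield(name)
  end
  nil
end

# Reporting variant that keeps all three outcomes for every parameter, so
# "not vulnerable" and "could not tell" stay distinguishable in a report.
def verdicts(url)
  query_param_names(url).to_h do |name|
    result = yield(name)
    [name, result.nil? ? :unclear : (result ? :vulnerable : :not_vulnerable)]
  end
end

# Constructed sample: canned check results standing in for #vulnerable?.
SAMPLE_URL     = 'http://app.example/view?id=1&page=about&lang=en'
SAMPLE_RESULTS = { 'id' => false, 'page' => nil, 'lang' => nil }
CHECK          = ->(name) { SAMPLE_RESULTS[name] }

if $PROGRAM_NAME == __FILE__
  p first_flagged(SAMPLE_URL, &CHECK)           # nil, although two checks were unclear
  p verdicts(SAMPLE_URL, &CHECK)                # keeps the :unclear entries
  p verdicts('http://app.example/view', &CHECK) # {} - nothing was checked
end
```

A nil from a .test-style loop therefore means "nothing was flagged", not "every parameter was confirmed safe"; an assessment report should record unclear and unchecked inputs separately.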