Class: Ronin::Exploits::Web

Inherits:

HTTP

• Object
• Exploit
• Remote
• RemoteTCP
• HTTP
• Ronin::Exploits::Web

Defined in:

lib/ronin/exploits/web.rb

Overview

An Exploit class that represents exploits that run against Web services.

Direct Known Subclasses

LFI, RFI, SQLi

Constant Summary

Constants inherited from HTTP

HTTP::DEFAULT_PORT

Instance Attribute Summary

Attributes inherited from Exploit

#encoders, #helpers, #raw_payload, #restricted_chars, #target

Attributes included from Payloads::HasPayload

#payload

Class Method Summary

• .test(uri, options = {}) ⇒ Web

  Tests if the URI is vulnerable to the Web Exploit.

Instance Method Summary

• #exploit(payload, query_params = {}) ⇒ Net::HTTPResponse

  Performs a HTTP request to the exploit URL.

• #exploit_url(payload, query_params = {}) ⇒ URL::HTTP

  Creates an exploit URL.

• #http_request(options = {}) {|response| ... } ⇒ Net::HTTPResponse protected

  Performs an HTTP request.

• #normal_body ⇒ String

  Contains the normal response body for the URL.

• #normal_response ⇒ Net::HTTPResponse

  Contains the normal response for the URL.

• #url ⇒ URI::HTTP

  Builds the target URL based on the #http_host, #http_port, #url_prefix and #url_query_params parameters as well as the #url_path and #url_query properties.

• #url_query_param_value ⇒ String

  The value of the targeted query-param.

• #vulnerable? ⇒ Boolean^? abstract

  Determines if the URL is vulnerable.

Methods inherited from HTTP

#url_for

Methods inherited from RemoteTCP

#deploy!, #test!

Methods included from Model::HasDefaultPort

included

Methods inherited from Exploit

#advisory, advisory, #arch, #build!, #build_payload!, #deploy!, #encode_payload, #encode_payload!, #evacuate!, #exploit!, #helper, #initialize, #os, #payload=, #restrict, #software, #targeting, #targeting_arch, targeting_arch, #targeting_os, targeting_os, #targeting_software, targeting_software, #use_target!

Methods included from Tests

#is_restricted?, #test_arch!, #test_os!, #test_restricted!, #test_software!, #test_target!

Methods included from PostExploitation::Mixin

#fs, #post_exploitation, #process, #resources, #shell

Methods included from Payloads::HasPayload

#default_payload, #initialize, #method_missing, #payload_class, #respond_to?, #use_payload!, #use_payload_from!

Constructor Details

This class inherits a constructor from Ronin::Exploits::Exploit

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Ronin::Payloads::HasPayload

Class Method Details

.test(uri, options = {}) ⇒ Web

Tests if the URI is vulnerable to the Web Exploit.

# File 'lib/ronin/exploits/web.rb', line 74

def self.test(uri,options={})
  uri = URI(uri) unless uri.kind_of?(URI)

  uri.query_params.each do |name,value|
    exploit = new(options.merge(
      host:             uri.host,
      port:             uri.port,
      url_path:         uri.path,
      url_query:        uri.query,
      url_query_param:  URLQueryParamName.first_or_new(name: name)
    ))

    return exploit if exploit.vulnerable?
  end

  return nil
end

Instance Method Details

#exploit(payload, query_params = {}) ⇒ Net::HTTPResponse

Performs a HTTP request to the exploit URL.

# File 'lib/ronin/exploits/web.rb', line 176

def exploit(payload,query_params={})
  http_request(url: exploit_url(payload,query_params))
end

#exploit_url(payload, query_params = {}) ⇒ URL::HTTP

Creates an exploit URL.

# File 'lib/ronin/exploits/web.rb', line 153

def exploit_url(payload,query_params={})
  new_url = url
  new_url.query_params.merge!(query_params)

  if self.url_query_param
    new_url.query_params[self.url_query_param.name] = payload
  end

  return new_url
end

#http_request(options = {}) {|response| ... } ⇒ Net::HTTPResponse (protected)

Performs an HTTP request.

Options Hash (options):

• :method (Symbol) — default: self.http_method —

  The HTTP method to use for the request.

• :headers (Hash) — default: self.http_headers —

  Additional HTTP Headers to send with the request.

Yields:

• (response) —

  If a block is given, it will be passed the response received from the request.

Yield Parameters:

• response (Net::HTTPResponse) —

  The HTTP response object.

See Also:

• http://ronin-ruby.github.com/docs/ronin-support/Ronin/Network/Mixins/HTTP.html#http_request-instance_method

# File 'lib/ronin/exploits/web.rb', line 219

def http_request(options={},&block)
  options = {
    method:  self.http_method,
    headers: self.http_headers,
    path:    self.url_path,
    query:   self.url_query
  }.merge(options)

  return super(options,&block)
end

#normal_body ⇒ String

Contains the normal response body for the URL.

# File 'lib/ronin/exploits/web.rb', line 137

def normal_body
  normal_response.body
end

#normal_response ⇒ Net::HTTPResponse

Contains the normal response for the URL.

# File 'lib/ronin/exploits/web.rb', line 127

def normal_response
  @normal_response ||= http_request
end

#url ⇒ URI::HTTP

Builds the target URL based on the #http_host, #http_port, #url_prefix and #url_query_params parameters as well as the #url_path and #url_query properties.

See Also:

• HTTP#url_for

# File 'lib/ronin/exploits/web.rb', line 114

def url
  path_query  = self.url_path
  path_query += "?#{self.url_query}" if self.url_query

  return url_for(path_query,self.url_query_params)
end

#url_query_param_value ⇒ String

The value of the targeted query-param.

# File 'lib/ronin/exploits/web.rb', line 98

def url_query_param_value
  @url_query_param_value ||= (
    URI::QueryParams.parse(self.url_query)[self.url_query_param.name].to_s
  )
end

#vulnerable? ⇒ Boolean^?

This method is abstract.

Determines if the URL is vulnerable.

# File 'lib/ronin/exploits/web.rb', line 189

def vulnerable?
  nil
end