diff --git a/lib/ronin/vulns/cli/commands/lfi.rb b/lib/ronin/vulns/cli/commands/lfi.rb
index 44dd335..cdc8d02 100644
--- a/lib/ronin/vulns/cli/commands/lfi.rb
+++ b/lib/ronin/vulns/cli/commands/lfi.rb
@@ -58,6 +58,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -O, --os unix|windows Sets the OS to test for
 # -D, --depth COUNT Sets the directory depth to escape up
diff --git a/lib/ronin/vulns/cli/commands/open_redirect.rb b/lib/ronin/vulns/cli/commands/open_redirect.rb
index ba0cee6..93d9497 100644
--- a/lib/ronin/vulns/cli/commands/open_redirect.rb
+++ b/lib/ronin/vulns/cli/commands/open_redirect.rb
@@ -58,6 +58,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -T, --test-url URL Optional test URL to try to redirect to
 # -h, --help Print help information
diff --git a/lib/ronin/vulns/cli/commands/reflected_xss.rb b/lib/ronin/vulns/cli/commands/reflected_xss.rb
index 8dbae39..c610188 100644
--- a/lib/ronin/vulns/cli/commands/reflected_xss.rb
+++ b/lib/ronin/vulns/cli/commands/reflected_xss.rb
@@ -58,6 +58,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -h, --help Print help information
 #
diff --git a/lib/ronin/vulns/cli/commands/rfi.rb b/lib/ronin/vulns/cli/commands/rfi.rb
index 742fb56..37455a0 100644
--- a/lib/ronin/vulns/cli/commands/rfi.rb
+++ b/lib/ronin/vulns/cli/commands/rfi.rb
@@ -58,6 +58,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -B double-encode|suffix-escape|null-byte,
 # --filter-bypass Optional filter-bypass strategy to use
diff --git a/lib/ronin/vulns/cli/commands/scan.rb b/lib/ronin/vulns/cli/commands/scan.rb
index 77780c9..a5f7d84 100644
--- a/lib/ronin/vulns/cli/commands/scan.rb
+++ b/lib/ronin/vulns/cli/commands/scan.rb
@@ -56,6 +56,7 @@ module Commands
 # --test-header-names NAME Tests the HTTP Header name
 # --test-cookie-params NAME Tests the HTTP Cookie name
 # --test-form-params NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # --lfi-os unix|windows Sets the OS to test for
 # --lfi-depth COUNT Sets the directory depth to escape up
diff --git a/lib/ronin/vulns/cli/commands/sqli.rb b/lib/ronin/vulns/cli/commands/sqli.rb
index 3122b43..cc7123a 100644
--- a/lib/ronin/vulns/cli/commands/sqli.rb
+++ b/lib/ronin/vulns/cli/commands/sqli.rb
@@ -58,6 +58,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -Q, --escape-quote Escapes quotation marks
 # -P, --escape-parens Escapes parenthesis
diff --git a/lib/ronin/vulns/cli/commands/ssti.rb b/lib/ronin/vulns/cli/commands/ssti.rb
index 36ccdf9..28a857e 100644
--- a/lib/ronin/vulns/cli/commands/ssti.rb
+++ b/lib/ronin/vulns/cli/commands/ssti.rb
@@ -59,6 +59,7 @@ module Commands
 # --test-cookie-param NAME Tests the HTTP Cookie name
 # --test-all-cookie-params Test all Cookie param names
 # --test-form-param NAME Tests the form param name
+ # --test-all-form-params Test all form param names
 # -i, --input FILE Reads URLs from the list file
 # -T {X*Y | X/Z | X+Y | X-Y}, Optional numeric test to use
 # --test-expr
diff --git a/lib/ronin/vulns/cli/web_vuln_command.rb b/lib/ronin/vulns/cli/web_vuln_command.rb
index 7c9d973..e337e24 100644
--- a/lib/ronin/vulns/cli/web_vuln_command.rb
+++ b/lib/ronin/vulns/cli/web_vuln_command.rb
@@ -199,6 +199,10 @@ class WebVulnCommand < Command
 self.test_form_params << name
 end
+ option :test_all_form_params, desc: 'Tests all form param names' do
+ self.test_form_params = true
+ end
+
 option :input, short: '-i',
 value: {
 type: String,
@@ -538,6 +542,18 @@ def test_form_params
 @scan_kwargs[:form_params] ||= Set.new
 end
+ #
+ # Sets the form params to test.
+ #
+ # @param [Set, true] new_form_params
+ # The new form param names to test.
+ #
+ # @return [Set, true]
+ #
+ def test_form_params=(new_form_params)
+ @scan_kwargs[:form_params] = new_form_params
+ end
+
 #
 # Scans a URL for web vulnerabilities.
 #
diff --git a/lib/ronin/vulns/web_vuln.rb b/lib/ronin/vulns/web_vuln.rb
index edb7062..c0533b3 100644
--- a/lib/ronin/vulns/web_vuln.rb
+++ b/lib/ronin/vulns/web_vuln.rb
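Review bot: The new `--test-all-form-params` handler and the existing `--test-form-param` handler write the same `@scan_kwargs[:form_params]` slot with incompatible types, so the two flags are order-dependent: `--test-all-form-params --test-form-param id` reaches `self.test_form_params << name` with `true` as the receiver and raises NoMethodError, while the reverse order silently overwrites the populated Set with `true` and drops the named params. Either document the flags as mutually exclusive or make the named-param handler tolerate the "all" state, e.g. `next if @scan_kwargs[:form_params] == true` before the `<<`; that handler's `option` definition starts above the first hunk. The new `test_form_params=` setter in the second hunk accepts any value despite its `[Set, true]` contract, so a one-line guard or at least a comment that `true` means "every key of form_data" would help the next reader. Minor: the option `desc:` says "Tests all form param names" while every usage comment in this commit says "Test all form param names".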
@@ -393,14 +393,15 @@ def self.scan_cookie_params(url,cookie_params=nil, http: nil, **kwargs)
 # @return [Array]
 # All discovered web vulnerabilities.
 #
- def self.scan_form_params(url,form_params, http: nil, **kwargs)
+ def self.scan_form_params(url,form_params=nil, http: nil, form_data: {}, **kwargs)
 url = URI(url)
 http ||= Support::Network::HTTP.connect_uri(url)
- vulns = []
+ form_params ||= form_data.keys
+ vulns = []
 form_params.each do |form_param|
- if (vuln = test_param(url, form_param: form_param, http: http, **kwargs))
+ if (vuln = test_param(url, form_param: form_param, form_data: form_data, http: http, **kwargs))
 yield vuln if block_given?
 vulns << vuln
 end
@@ -513,7 +514,12 @@ def self.scan(url, query_params: nil,
 if form_params
 vulns.concat(
- scan_form_params(url,form_params, http: http, **kwargs,&block)
+ case form_params
+ when true
+ scan_form_params(url, http: http, **kwargs,&block)
+ else
+ scan_form_params(url,form_params, http: http, **kwargs,&block)
+ end
 )
 end
 end
diff --git a/spec/cli/web_vuln_command_spec.rb b/spec/cli/web_vuln_command_spec.rb
index 7d5b84c..fd711ba 100644
--- a/spec/cli/web_vuln_command_spec.rb
+++ b/spec/cli/web_vuln_command_spec.rb
@@ -964,6 +964,15 @@
 end
 end
+ context "when #test_all_form_params is set" do
+ let(:argv) { %w[--test-all-form-param] }
+ before { subject.option_parser.parse(argv) }
+
+ it "must set the :form_params key in the Hash to true" do
+ expect(subject.scan_kwargs[:form_params]).to be(true)
+ end
+ end
+
 context "when #test_form_params is set" do
 let(:form_param) { 'id' }
diff --git a/spec/web_vuln_spec.rb b/spec/web_vuln_spec.rb
index d073a32..7bdbca8 100644
--- a/spec/web_vuln_spec.rb
+++ b/spec/web_vuln_spec.rb
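Review bot: `scan_form_params` now accepts `nil` for `form_params` but not `true`, even though `true` is the value the CLI stores and `scan` dispatches on to mean "all"; calling `scan_form_params(url, true, form_data: data)` directly still fails on `true.each`. Normalising inside the method — `form_params = form_data.keys if form_params.nil? || form_params == true` — would make both entry points agree and let `scan` drop its new `case`. With an empty `form_data` the fallback yields no keys and the method returns `[]` without sending a request, which an operator could mistake for a clean result; a why-comment on the `||=` line such as `# nil means "every key of form_data"; an empty form_data therefore tests nothing` would at least make that explicit. The `@param form_params` documentation for this method sits above the hunk and presumably still describes it as required; it should mention the new default and the `form_data` keyword.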
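Review bot: The spec parses `%w[--test-all-form-param]` (singular) although the option added in web_vuln_command.rb is `--test-all-form-params`; it can only pass if the option parser accepts unambiguous prefixes, and it will break or match a different flag as soon as another option sharing that prefix is added. Spell the flag exactly as defined: `let(:argv) { %w[--test-all-form-params] }`. A second example passing `--test-all-form-params` together with `--test-form-param id` would also pin down how the two flags are meant to combine, which the command currently leaves to argument order.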
@@ -676,6 +676,25 @@ def vulnerable?
 subject.scan_form_params(url,form_params, form_data: form_data)
 end
+
+ context "and a form_params value is not given" do
+ let(:form_params) { nil }
+ let(:form_data) do
+ {
+ 'foo' => '1',
+ 'bar' => '2',
+ 'baz' => '3'
+ }
+ end
+
+ it "must send requests with each Cookie param overridden with the payload" do
+ stub_request(:get, url).with(body: "foo=#{payload}&bar=2&baz=3")
+ stub_request(:get, url).with(body: "foo=1&bar=#{payload}&baz=3")
+ stub_request(:get, url).with(body: "foo=1&bar=2&baz=#{payload}")
+
+ subject.scan_form_params(url,form_params, form_data: form_data)
+ end
+ end
 end
 context "when one of the responses indicates it's vulnerable" do
@@ -841,6 +860,27 @@ def vulnerable?
 subject.scan(url, form_params: form_params, form_data: form_data)
 end
 end
+
+ context "and it's true" do
+ context "and a form_data: value is given" do
+ let(:form_params) { nil }
+ let(:form_data) do
+ {
+ 'foo' => '1',
+ 'bar' => '2',
+ 'baz' => '3'
+ }
+ end
+
+ it "must send requests with each Cookie param overridden with the payload" do
+ stub_request(:get, url).with(body: "foo=#{payload}&bar=2&baz=3")
+ stub_request(:get, url).with(body: "foo=1&bar=#{payload}&baz=3")
+ stub_request(:get, url).with(body: "foo=1&bar=2&baz=#{payload}")
+
+ subject.scan(url, form_params: true, form_data: form_data)
+ end
+ end
+ end
 end
 end
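Review bot: Both new examples are titled "must send requests with each Cookie param overridden with the payload" although they exercise form params, a copy-paste from the cookie specs that will mislead whoever reads a failure; rename them to `it "must send requests with each form param overridden with the payload" do`. In the second hunk `let(:form_params) { nil }` is dead, since the example passes `form_params: true` literally, so either remove the `let` or make it `let(:form_params) { true }` and call `subject.scan(url, form_params: form_params, form_data: form_data)` like the sibling example above it. Neither hunk covers an empty `form_data`, the case where the new `form_params ||= form_data.keys` fallback makes `scan_form_params` return without sending anything; a `context "and form_data is empty"` asserting that no request is made would document that behaviour rather than leave it implicit.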