Add --test-all-form-params option
moozzi committed May 6, 2024
1 parent 4da9771 commit f6fcc95
Showing 11 changed files with 82 additions and 4 deletions.
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/lfi.rb
Expand Up @@ -47,6 +47,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -O, --os unix|windows Sets the OS to test for
# -D, --depth COUNT Sets the directory depth to escape up
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/open_redirect.rb
Expand Up @@ -47,6 +47,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -T, --test-url URL Optional test URL to try to redirect to
# -h, --help Print help information
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/reflected_xss.rb
Expand Up @@ -47,6 +47,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -h, --help Print help information
#
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/rfi.rb
Expand Up @@ -47,6 +47,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -B double-encode|suffix-escape|null-byte,
# --filter-bypass Optional filter-bypass strategy to use
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/scan.rb
Expand Up @@ -45,6 +45,7 @@ module Commands
# --test-header-names NAME Tests the HTTP Header name
# --test-cookie-params NAME Tests the HTTP Cookie name
# --test-form-params NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# --lfi-os unix|windows Sets the OS to test for
# --lfi-depth COUNT Sets the directory depth to escape up
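Review bot: The usage block here documents `--test-header-names NAME`, `--test-cookie-params NAME` and `--test-form-params NAME`, while every sibling command touched by this commit (lfi.rb, sqli.rb, ssti.rb, …) documents `--test-form-param NAME` plus a separate `--test-all-cookie-params`, and the shared WebVulnCommand handler appends one name at a time via `self.test_form_params << name`. If the scan command inherits those same option definitions — which the hunk alone cannot confirm — these three lines have drifted from the real flag names and the newly added `--test-all-form-params` line is the only accurate one of the four. I would change them to `--test-form-param NAME Tests the form param name` (and likewise `--test-header-name NAME`, `--test-cookie-param NAME`) and add the missing `--test-all-cookie-params Test all Cookie param names` entry so the help text matches what the parser accepts. The enclosing usage comment starts above the hunk.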
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/sqli.rb
Expand Up @@ -47,6 +47,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -Q, --escape-quote Escapes quotation marks
# -P, --escape-parens Escapes parenthesis
1 change: 1 addition & 0 deletions lib/ronin/vulns/cli/commands/ssti.rb
Expand Up @@ -48,6 +48,7 @@ module Commands
# --test-cookie-param NAME Tests the HTTP Cookie name
# --test-all-cookie-params Test all Cookie param names
# --test-form-param NAME Tests the form param name
# --test-all-form-params Test all form param names
# -i, --input FILE Reads URLs from the list file
# -T {X*Y | X/Z | X+Y | X-Y}, Optional numeric test to use
# --test-expr
16 changes: 16 additions & 0 deletions lib/ronin/vulns/cli/web_vuln_command.rb
Expand Up @@ -148,6 +148,10 @@ class WebVulnCommand < Command
self.test_form_params << name
end

option :test_all_form_params, desc: 'Tests all form param names' do
self.test_form_params = true
end

option :input, short: '-i',
value: {
type: String,
Expand Down Expand Up @@ -358,6 +362,18 @@ def test_form_params
@scan_kwargs[:form_params] ||= Set.new
end

#
# Sets the form params to test.
#
# @param [Set<String>, true] new_form_params
# The new form param names to test.
#
# @return [Set<String>, true]
#
def test_form_params=(new_form_params)
@scan_kwargs[:form_params] = new_form_params
end

#
# Scans a URL for web vulnerabilities.
#
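Review bot: The new `--test-all-form-params` handler stores `true` in `@scan_kwargs[:form_params]`, but the `--test-form-param NAME` handler just above it (its `option` line is outside the hunk) still does `self.test_form_params << name`, so `--test-all-form-params --test-form-param id` raises `NoMethodError: undefined method '<<' for true` out of the option parser, and the reverse order silently discards every named param. The two options need reconciling in the named handler, e.g. `next if self.test_form_params == true # --test-all-form-params already covers every name` before the `<<`, or by raising a clear option-conflict error so the user learns the flags are mutually exclusive. The `test_form_params=` writer is otherwise fine and its YARD `@param` already documents the `true` case; one nit is that the `desc:` string `'Tests all form param names'` differs from the `Test all form param names` wording added to every command's usage comment in this same commit, so one of the two should be aligned.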
14 changes: 10 additions & 4 deletions lib/ronin/vulns/web_vuln.rb
Expand Up @@ -336,14 +336,15 @@ def self.scan_cookie_params(url,cookie_params=nil, http: nil, **kwargs)
# @return [Array<Web>]
# All discovered web vulnerabilities.
#
def self.scan_form_params(url,form_params, http: nil, **kwargs)
def self.scan_form_params(url,form_params=nil, http: nil, form_data: {}, **kwargs)
url = URI(url)
http ||= Support::Network::HTTP.connect_uri(url)

vulns = []
form_params ||= form_data.keys
vulns = []

form_params.each do |form_param|
vuln = new(url, form_param: form_param, http: http, **kwargs)
vuln = new(url, form_param: form_param, http: http, form_data: form_data, **kwargs)

if vuln.vulnerable?
yield vuln if block_given?
Expand Down Expand Up @@ -455,7 +456,12 @@ def self.scan(url, query_params: nil,

if form_params
vulns.concat(
scan_form_params(url,form_params, http: http, **kwargs,&block)
case form_params
when true
scan_form_params(url, http: http, **kwargs,&block)
else
scan_form_params(url,form_params, http: http, **kwargs,&block)
end
)
end
end
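Review bot: With `form_params ||= form_data.keys` and the new `form_data: {}` default, calling `scan_form_params(url)` with no form data — which is exactly what the new `when true` branch in `scan` does when the caller omits `form_data:` — iterates over nothing and returns `[]`, so `form_params: true` without form data silently tests nothing instead of signalling the misuse. I would fail fast with `raise ArgumentError, "form_data: must be given when form_params is nil"` when `form_params.nil? && form_data.empty?`, or at minimum state this behaviour in the method docs. On docs: the `@param` list for `scan_form_params` sits above the first hunk so I cannot see whether it was updated, but it now needs `@param [Array<String>, nil] form_params` (nil meaning every key of `form_data`) and `@param [Hash] form_data`, and the `form_params:` entry of `scan`'s docs should mention the new `true` value. Both `scan_form_params` and `scan` extend beyond the hunks shown.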
9 changes: 9 additions & 0 deletions spec/cli/web_vuln_command_spec.rb
Expand Up @@ -631,6 +631,15 @@
end
end

context "when #test_all_form_params is set" do
let(:argv) { %w[--test-all-form-param] }
before { subject.option_parser.parse(argv) }

it "must set the :form_params key in the Hash to true" do
expect(subject.scan_kwargs[:form_params]).to be(true)
end
end

context "when #test_form_params is set" do
let(:form_param) { 'id' }

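Review bot: The argv in the new example is `--test-all-form-param` (singular) while the option defined in web_vuln_command.rb is `--test-all-form-params`; this presumably passes only because the underlying OptionParser accepts unambiguous abbreviations of long options, and it would start failing the moment another option beginning with `--test-all-form-param` is added. Change it to `let(:argv) { %w[--test-all-form-params] }` so the spec exercises the flag name users actually type. The enclosing `describe` block starts above the hunk.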
40 changes: 40 additions & 0 deletions spec/web_vuln_spec.rb
Expand Up @@ -528,6 +528,25 @@ def vulnerable?

subject.scan_form_params(url,form_params, form_data: form_data)
end

context "and a form_params value is not given" do
let(:form_params) { nil }
let(:form_data) do
{
'foo' => '1',
'bar' => '2',
'baz' => '3'
}
end

it "must send requests with each Cookie param overridden with the payload" do
stub_request(:get, url).with(body: "foo=#{payload}&bar=2&baz=3")
stub_request(:get, url).with(body: "foo=1&bar=#{payload}&baz=3")
stub_request(:get, url).with(body: "foo=1&bar=2&baz=#{payload}")

subject.scan_form_params(url,form_params, form_data: form_data)
end
end
end

context "when one of the responses indicates it's vulnerable" do
Expand Down Expand Up @@ -693,6 +712,27 @@ def vulnerable?
subject.scan(url, form_params: form_params, form_data: form_data)
end
end

context "and it's true" do
context "and a form_data: value is given" do
let(:form_params) { nil }
let(:form_data) do
{
'foo' => '1',
'bar' => '2',
'baz' => '3'
}
end

it "must send requests with each Cookie param overridden with the payload" do
stub_request(:get, url).with(body: "foo=#{payload}&bar=2&baz=3")
stub_request(:get, url).with(body: "foo=1&bar=#{payload}&baz=3")
stub_request(:get, url).with(body: "foo=1&bar=2&baz=#{payload}")

subject.scan(url, form_params: true, form_data: form_data)
end
end
end
end
end

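Review bot: In the second hunk `let(:form_params) { nil }` is never used — the example calls `subject.scan(url, form_params: true, form_data: form_data)` with a literal — and the context is titled "and it's true", so the `let` contradicts what is exercised; set `let(:form_params) { true }` and pass `form_params: form_params` so the context and the call agree. Both new examples are also described as `must send requests with each Cookie param overridden with the payload` although they exercise form params; change `Cookie param` to `form param` in both. As far as I can tell a WebMock `stub_request` that is never hit does not fail the example, so these examples (like the existing one above them) only prove that no unexpected request is sent; adding `expect(a_request(:get, url).with(body: "foo=#{payload}&bar=2&baz=3")).to have_been_made` (and the two sibling bodies) would actually assert the three requests. The enclosing `context` blocks begin above the hunk.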