Added the ronin-db web-vulns command (issue #56).
postmodern committed Feb 3, 2024
1 parent 4a9421d commit e044d89
Showing 5 changed files with 771 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -68,6 +68,7 @@ Commands:
software
street-addresses
urls
web-vulns
```

List available Databases:
1 change: 1 addition & 0 deletions gemspec.yml
@@ -47,6 +47,7 @@ generated_files:
- man/ronin-db-software.1
- man/ronin-db-street-addresses.1
- man/ronin-db-urls.1
- man/ronin-db-web-vulns.1

required_ruby_version: ">= 3.0.0"

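--- a/lib/ronin/db/cli/commands/web_vulns.rb
+++ b/lib/ronin/db/cli/commands/web_vulns.rb
@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+#
+# ronin-db - A common database library for managing and querying security data.
+#
+# Copyright (c) 2006-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-db is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-db is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-db. If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/db/cli/model_command'
+
+module Ronin
+module DB
+class CLI
+module Commands
+#
+# Manages all PhoneNumbers in the database.
+#
+# ## Usage
+#
+# ronin-db phone-numbers [options]
+#
+# ## Options
+#
+# --db NAME The database to connect to (Default: default)
+# --db-uri URI The database URI to connect to
+# --db-file PATH The sqlite3 database file to use
+# -v, --verbose Enables verbose output
+# -t lfi|rfi|sqli|ssti|open-redirect|reflected-xss|command-injection,
+# --with-type Searches for all web vulns of the given type
+# -H, --for-host HOST Searches for web vulns effecting the host
+# -d, --for-domain DOMAIN Searches for web vulns effecting the domain
+# -p, --for-path PATH Searches for web vulns effecting the given path
+# -q, --with-query-param NAME Searches for web vulns effecting the query param name
+# --with-header-name NAME Searches for web vulns effecting the HTTP header name
+# -c, --with-cookie-param NAME Searches for web vulns effecting the cookie param name
+# -f, --with-form-param NAME Searches for web vulns effecting the form param name
+# -M HTTP_METHOD, Searches for all web vulns with the HTTP request method
+# --with-request-method
+# -h, --help Print help information
+#
+# @since 0.2.0
+#
+class WebVulns < ModelCommand
+
+command_name 'web-vulns'
+
+model_file 'ronin/db/web_vuln'
+model_name 'WebVuln'
+
+option :with_type, short: '-t',
+value: {
+type: {
+lfi: 'lfi',
+rfi: 'rfi',
+sqli: 'sqli',
+ssti: 'ssti',
+
+:"open-redirect" => 'open_redirect',
+:"reflected-xss" => 'reflected_xss',
+:"command-injection" => 'command_injection'
+}
+},
+desc: 'Searches for all web vulns of the given type' do |type|
+@query_method_calls << [:with_type, type]
+end
+
+option :for_host, short: '-H',
+value: {
+type: String,
+usage: 'HOST'
+},
+desc: 'Searches for web vulns effecting the host' do |host|
+@query_method_calls << [:for_host, host]
+end
+
+option :for_domain, short: '-d',
+value: {
+type: String,
+usage: 'DOMAIN'
+},
+desc: 'Searches for web vulns effecting the domain' do |domain|
+@query_method_calls << [:for_domain, domain]
+end
+
+option :for_path, short: '-p',
+value: {
+type: String,
+usage: 'PATH'
+},
+desc: 'Searches for web vulns effecting the given path' do |path|
+@query_method_calls << [:for_path, path]
+end
+
+option :with_query_param, short: '-q',
+value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Searches for web vulns effecting the query param name' do |name|
+@query_method_calls << [:with_query_param, name]
+end
+
+option :with_header_name, value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Searches for web vulns effecting the HTTP header name' do |name|
+@query_method_calls << [:with_header_name, name]
+end
+
+option :with_cookie_param, short: '-c',
+value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Searches for web vulns effecting the cookie param name' do |name|
+@query_method_calls << [:with_cookie_param, name]
+end
+
+option :with_form_param, short: '-f',
+value: {
+type: String,
+usage: 'NAME'
+},
+desc: 'Searches for web vulns effecting the form param name' do |name|
+@query_method_calls << [:with_form_param, name]
+end
+
+option :with_request_method, short: '-M',
+value: {
+type: {
+'COPY' => :copy,
+'DELETE' => :delete,
+'GET' => :get,
+'HEAD' => :head,
+'LOCK' => :lock,
+'MKCOL' => :mkcol,
+'MOVE' => :move,
+'OPTIONS' => :options,
+'PATCH' => :patch,
+'POST' => :post,
+'PROPFIND' => :propfind,
+'PROPPATCH' => :proppatch,
+'PUT' => :put,
+'TRACE' => :trace,
+'UNLOCK' => :unlock
+},
+usage: 'HTTP_METHOD'
+},
+desc: 'Searches for all web vulns with the HTTP request method' do |http_method|
+@query_method_calls << [:with_request_method, http_method]
+end
+
+description 'Queries and manages WebVulns'
+
+man_page 'ronin-db-web-vulns.1'
+
+# Mapping of web vulnerability types and their printable names.
+TYPE_NAMES = {
+'lfi' => 'LFI',
+'rfi' => 'RFI',
+'sqli' => 'SQLi',
+'ssti' => 'SSTI',
+
+'open_redirect' => 'Open Redirect',
+'reflected_xss' => 'Reflected XSS',
+'command_injection' => 'Command Injection'
+}
+
+#
+# Returns the printable vulnerability type for the vulnerability.
+#
+# @param [Ronin::DB::WebVuln] web_vuln
+#
+# @return [String]
+#
+def web_vuln_type(web_vuln)
+TYPE_NAMES.fetch(web_vuln.type) do
+raise(NotImplementedError,"unknown web vulnerability type: #{web_vuln.type.inspect}")
+end
+end
+
+#
+# Determines the location of the web vulnerability.
+#
+# @param [Ronin::DB::WebVuln] web_vuln
+#
+# @return [String, nil]
+#
+def web_vuln_location(web_vuln)
+if web_vuln.query_param
+"query param '#{web_vuln.query_param}'"
+elsif web_vuln.header_name
+"Header '#{web_vuln.header_name}'"
+elsif web_vuln.cookie_param
+"Cookie param '#{web_vuln.cookie_param}'"
+elsif web_vuln.form_param
+"form param '#{web_vuln.form_param}'"
+end
+end
+
+#
+# Prints a web vulnerability record from the database.
+#
+# @param [Ronin::DB::WebVuln] web_vuln
+# The web vulnerability record to print.
+#
+def print_record(web_vuln)
+type = web_vuln_type(web_vuln)
+location = web_vuln_location(web_vuln)
+
+if location
+puts "#{type} on #{web_vuln.url} via #{location}"
+else
+puts "#{type} on #{web_vuln.url}"
+end
+end
+
+end
+end
+end
+end
+end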
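Review bot: `web_vuln_type` raises `NotImplementedError` for any `type` missing from `TYPE_NAMES`, and because that class descends from `ScriptError` rather than `StandardError`, a plain `rescue` in a caller will not catch it, so one unrecognized row would abort the whole listing from `print_record`. Whether the model can hold a type this command does not know is not visible on this page; if it can, falling back to the stored value keeps the output usable: `TYPE_NAMES.fetch(web_vuln.type) { web_vuln.type.to_s }`. Separately, the class comment still reads `Manages all PhoneNumbers in the database.` and `ronin-db phone-numbers [options]`, which should describe web vulns and `ronin-db web-vulns [options]`. The man page SYNOPSIS added in the same commit has the same leftover, `ronin-db urls`.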
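--- a/man/ronin-db-web-vulns.1.md
+++ b/man/ronin-db-web-vulns.1.md
@@ -0,0 +1,85 @@
+# ronin-db-web-vulns 1 "2024-01-01" Ronin DB "User Manuals"
+
+## NAME
+
+ronin-db-web-vulns - Manages Web Vulns in the database
+
+## SYNOPSIS
+
+`ronin-db urls` [*options*]
+
+## DESCRIPTION
+
+Manages and queries discovered Web Vulnerabilities in the database.
+
+## OPTIONS
+
+`--db` *NAME*
+: The database to connect to. Defaults to `default` if not given.
+
+`--db-uri` *URI*
+: The explicit database URI to connect to.
+
+* **sqlite3**: `sqlite3:relative/path.db` or `sqlite3:///absolute/path.db`
+* **mysql**: `mysql://user:password@host/database`
+* **postgres**: `postgres://user:password@host/database`
+
+`--db-file` *PATH*
+: The sqlite3 database file to use.
+
+`-v`, `--verbose`
+: Enable verbose output.
+
+`-t`, `--with-type` `lfi`\|`rfi`\|`sqli`\|`ssti`\|`open-redirect`\|`reflected-xss`\|`command-injection`
+: Searches for all web vulnerabilities of the given type.
+
+`-H`, `--for-host` *HOST*
+: Searches for web vulnerabilities effecting the host.
+
+`-d`, `--for-domain` *DOMAIN*
+: Searches for web vulnerabilities effecting the domain.
+
+`-p`, `--for-path` *PATH*
+: Searches for web vulnerabilities effecting the given URL's path.
+
+`-q`, `--with-query-param` *NAME*
+: Searches for web vulnerabilities effecting the query param name.
+
+`--with-header-name` *NAME*
+: Searches for web vulnerabilities effecting the HTTP header name.
+
+`-c`, `--with-cookie-param` *NAME*
+: Searches for web vulnerabilities effecting the cookie param name.
+
+`-f`, `--with-form-param` *NAME*
+: Searches for web vulnerabilities effecting the form param name.
+
+`-M`, `--with-request-method` *HTTP_METHOD*
+: Searches for all web vulnerabilities with the HTTP request method.
+
+`-h`, `--help`
+: Print help information.
+
+## ENVIRONMENT
+
+*HOME*
+: Alternate location for the user's home directory.
+
+*XDG_CONFIG_HOME*
+: Alternate location for the `~/.config` directory.
+
+*XDG_DATA_HOME*
+: Alternate location for the `~/.local/share` directory.
+
+## FILES
+
+`~/.local/share/ronin-db/database.sqlite3`
+: The default sqlite3 database file.
+
+`~/.config/ronin-db/database.yml`
+: Optional database configuration.
+
+## AUTHOR
+
+Postmodern <[email protected]>
+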