lib/ronin/exploits/lfi.rb
# frozen_string_literal: true
#
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# ronin-exploits is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ronin-exploits is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with ronin-exploits. If not, see <https://www.gnu.org/licenses/>.
#
require 'ronin/exploits/web_vuln'
require 'ronin/vulns/lfi'
module Ronin
module Exploits
#
# Represents a [Local File Inclusion (LFI)][LFI] exploit.
#
# [LFI]: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
#
# ## Example
#
#     require 'ronin/exploits/lfi'
#
#     module Ronin
#       module Exploits
#         class MyExploit < LFI
#
#           register 'my_exploit'
#
#           base_path '/path/to/page.php'
#           query_param 'template'
#           depth 7
#
#         end
#       end
#     end
#
# @api public
#
# @since 1.0.0
#
class LFI < WebVuln

  references [
    'https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion'
  ]

  param :os, Enum[:unix, :windows],
        default: :unix,
        desc:    'Which OS to target'

  param :filter_bypass,
        Enum[:null_byte, :double_escape, :base64, :rot13, :zlib],
        desc: 'Optional filter-bypass strategy to use'

  #
  # Class-level reader/writer for the directory traversal depth.
  #
  # Called with an argument, it stores that value on the class. Called
  # without one, it resolves the depth in this order: the value stored on
  # this class, then the superclass's depth (only when the superclass is
  # itself a subclass of {LFI}), then `Ronin::Vulns::LFI::DEFAULT_DEPTH`.
  #
  # @param [Integer, nil] new_depth
  #   The new directory traversal depth, or `nil` to read the current one.
  #
  # @return [Integer]
  #   The directory traversal depth in effect for this class.
  #
  # @example
  #   depth 7
  #
  def self.depth(new_depth=nil)
    if new_depth
      @depth = new_depth
    elsif @depth
      @depth
    elsif superclass < LFI
      # `<` is a strict subclass test, so a class whose superclass is LFI
      # itself skips this branch and uses the library default below.
      superclass.depth
    else
      Vulns::LFI::DEFAULT_DEPTH
    end
  end

  # The default is taken from the class-level `depth` at the moment this
  # line is evaluated, which is why it must follow `self.depth` above.
  #
  # NOTE(review): within this file `vuln` passes the instance method `depth`
  # (the class-level value) rather than `params[:depth]` -- confirm whether a
  # user-supplied `depth` param is meant to reach the vulnerability test.
  param :depth, Integer,
        default: depth,
        desc:    'The number of directories to escape up'

  #
  # Identifies the kind of exploit this class represents.
  #
  # @return [Symbol]
  #   Always `:lfi`.
  #
  # @note
  #   This is used internally to map an exploit class to a printable type.
  #
  # @api private
  #
  def self.exploit_type
    :lfi
  end

  #
  # The directory traversal depth used by this exploit instance.
  #
  # @return [Integer]
  #   Whatever the class-level {depth} resolves to.
  #
  # @see depth
  #
  def depth
    self.class.depth
  end

  #
  # The Local File Inclusion (LFI) vulnerability to exploit.
  #
  # The object is built on first access and cached in `@vuln`. The target OS
  # and filter-bypass strategy are read from `params`; the depth comes from
  # {#depth}. `url` and `web_vuln_kwargs` are not defined in this file
  # (presumably inherited from `WebVuln` -- verify against that class).
  #
  # @return [Ronin::Vulns::LFI]
  #
  def vuln
    return @vuln if @vuln

    @vuln = Vulns::LFI.new(
      url,
      os:            params[:os],
      depth:         depth,
      filter_bypass: params[:filter_bypass],
      **web_vuln_kwargs
    )
  end

end
end
end