# # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and # payload crafting functionality. # # Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com) # # ronin-exploits is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published # by the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # ronin-exploits is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License # along with ronin-exploits. If not, see . # require 'ronin/exploits/web_vuln' require 'ronin/vulns/lfi' module Ronin module Exploits # # Represents a [Local File Inclusion (LFI)][LFI] exploit. # # [LFI]: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion # # ## Example # # require 'ronin/exploits/lfi' # # module Ronin # module Exploits # class MyExploit < LFI # # register 'my_exploit' # # base_path '/path/to/page.php' # query_param 'template' # depth 7 # # end # end # end # # @api public # # @since 1.0.0 # class LFI < WebVuln references [ 'https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion' ] param :os, Enum[:unix, :windows], default: :unix, desc: 'Which OS to target' param :filter_bypass, Enum[ :null_byte, :double_escape, :base64, :rot13, :zlib ], desc: 'Optional filter-bypass strategy to use' # # Gets or sets the directory traversal depth for the LFI vulnerability. # # @param [Integer, nil] new_depth # The optional new directory trasversal depth to set. # # @return [Integer] # The LFI vulnerability's directory traverse depth. # Defaults to `Ronin::Vulns::LFI::DEFAULT_DEPTH`. # # @example # depth 7 # def self.depth(new_depth=nil) if new_depth @depth = new_depth else @depth || if superclass < LFI superclass.depth else Vulns::LFI::DEFAULT_DEPTH end end end param :depth, Integer, default: depth, desc: 'The number of directories to escape up' # # Returns the type or kind of exploit. # # @return [Symbol] # # @note # This is used internally to map an exploit class to a printable type. # # @api private # def self.exploit_type :lfi end # # The directory traversal depth for the LFI exploit. # # @return [Integer] # # @see depth # def depth self.class.depth end # # The Local File Inclusion (LFI) vulnerability to exploit. # # @return [Ronin::Vulns::LFI] # def vuln @vuln ||= Vulns::LFI.new( url, os: params[:os], depth: depth, filter_bypass: params[:filter_bypass], **web_vuln_kwargs ) end end end end