Created
January 1, 2025 13:23
-
-
Save Zapotek/36bfe6c842a4b8d68b8bb5c512e5d719 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'net/http' | |
| require 'sinatra' | |
| require 'scnr/introspector' | |
| class MyApp < Sinatra::Base | |
| use SCNR::Introspector, scope: { | |
| path_start_with: __FILE__ | |
| } | |
| def process_params( params ) | |
| params.values.join( ', ' ) | |
| end | |
| def run_cmd( cmd ) | |
| return if !cmd || cmd.empty? | |
| `#{cmd}` | |
| end | |
| def read_file( path ) | |
| IO.read( path ) | |
| end | |
| def ping( url ) | |
| uri = begin | |
| URI( url ) | |
| rescue | |
| nil | |
| end | |
| return if !uri | |
| begin | |
| return !!Net::HTTP.get( uri ) | |
| rescue | |
| end | |
| nil | |
| end | |
| get '/' do | |
| <<HTML | |
| <html> | |
| <body> | |
| <ul> | |
| <li><a href="/redirect">Redirect</a></li> | |
| <li><a href="/path-traversal">Path traversal</a></li> | |
| <li><a href="/external">External</a></li> | |
| <li><a href="/xss">XSS</a></li> | |
| <li><a href="/cmd">OS command injection</a></li> | |
| </ul> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| get '/redirect' do | |
| if (input = params[:input]) | |
| begin | |
| return redirect( input ) | |
| rescue | |
| end | |
| end | |
| <<-HTML | |
| <html> | |
| <body> | |
| <form> | |
| <input name="input" /> | |
| <input type="submit" value="Submit" /> | |
| </form> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| get '/path-traversal' do | |
| contents = nil | |
| if (input = params[:input]) | |
| begin | |
| contents = self.read_file( input ) | |
| rescue | |
| end | |
| end | |
| <<-HTML | |
| <html> | |
| <body> | |
| <form> | |
| <input name="input" /> | |
| <input type="submit" value="Submit" /> | |
| </form> | |
| <pre>#{contents}</pre> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| get '/external' do | |
| success = false | |
| if (input = params[:input]) | |
| success = ping( input ) | |
| end | |
| <<-HTML | |
| <html> | |
| <body> | |
| <form> | |
| <input name="input" /> | |
| <input type="submit" value="Submit" /> | |
| </form> | |
| <pre>#{success ? 'Done' : 'None'}</pre> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| get '/xss' do | |
| <<-HTML | |
| <html> | |
| <head> | |
| <script src="/xss/helpers.js"></script> | |
| <script> | |
| function handleResponse() { | |
| if( this.readyState != 4 || this.status != 200 ) { return } | |
| document.getElementById( "container" ).innerHTML = processHTML( this.responseText ); | |
| } | |
| function submit() { | |
| ajax = new XMLHttpRequest(); | |
| ajax.onreadystatechange = handleResponse; | |
| ajax.open( "GET", "/xss/ajax?vulnerable=" + document.getElementById("input").value, true ); | |
| ajax.send(); | |
| } | |
| </script> | |
| </head> | |
| <body> | |
| <div id="container"> | |
| <input id="input" /> | |
| <button onclick="submit()">Submit</button> | |
| </div> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| get '/xss/ajax' do | |
| <<-HTML | |
| <div id="ajax-container"> | |
| #{process_params( params )} | |
| </div> | |
| HTML | |
| end | |
| get '/xss/helpers.js' do | |
| content_type 'application/javascript' | |
| <<-JS | |
| function processHTML( html ) { | |
| return html; | |
| } | |
| JS | |
| end | |
| get '/cmd' do | |
| <<-HTML | |
| <html> | |
| <body> | |
| <form> | |
| <input name="input" /> | |
| <input type="submit" value="Submit" /> | |
| </form> | |
| <pre>#{run_cmd( params[:input] )}</pre> | |
| </body> | |
| </html> | |
| HTML | |
| end | |
| run! | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment