garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improves the Plugins & Themes passive detection, fixes #674

Browse Source
This commit is contained in:
erwanlr
2014-09-01 18:28:09 +02:00
parent 94fdddb056
commit 03618f38b5
6 changed files with 119 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
spec/lib/common/collections/wp_items_spec.rb
View File

@@ -18,12 +18,21 @@ describe WpItems do
vulnerable_targets_items: [ WpItem.new(uri, name: 'mr-smith'),
WpItem.new(uri, name: 'neo')],
passive_detection: WpItems.new << WpItem.new(uri, name: 'js-source') <<
WpItem.new(uri, name: 'escaped-url') <<
WpItem.new(uri, name: 'link-tag') <<
WpItem.new(uri, name: 'script-tag') <<
WpItem.new(uri, name: 'style-tag') <<
WpItem.new(uri, name: 'style-tag-import')
# Any better way to do this ? :x
passive_detection: WpItems.new << WpItem.new(uri, name: 'detect-me-1') <<
WpItem.new(uri, name: 'detect-me-2') <<
WpItem.new(uri, name: 'detect-me-3') <<
WpItem.new(uri, name: 'detect-me-4') <<
WpItem.new(uri, name: 'detect-me-5') <<
WpItem.new(uri, name: 'detect-me-6') <<
WpItem.new(uri, name: 'detect-me-7') <<
WpItem.new(uri, name: 'detect-me-8') <<
WpItem.new(uri, name: 'detect-me-9') <<
WpItem.new(uri, name: 'detect-me-10') <<
WpItem.new(uri, name: 'detect-me-11') <<
WpItem.new(uri, name: 'detect-me-12') <<
WpItem.new(uri, name: 'detect-me-13') <<
WpItem.new(uri, name: 'detect-me-14')
}
end
end

3
spec/lib/common/collections/wp_plugins_spec.rb
View File

@@ -19,8 +19,7 @@ describe WpPlugins do
vulnerable_targets_items: [ WpPlugin.new(uri, name: 'mr-smith'),
WpPlugin.new(uri, name: 'neo')],
passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'js-source') <<
WpPlugin.new(uri, name: 'escaped-url') <<
passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'escaped-url') <<
WpPlugin.new(uri, name: 'link-tag') <<
WpPlugin.new(uri, name: 'script-tag') <<
WpPlugin.new(uri, name: 'style-tag') <<

107
spec/samples/common/collections/wp_items/detectable/passive_detection.html
View File

@@ -1,65 +1,60 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="fr-FR">
<!-- This file is malformed to make sure Nokogiri can process it -->
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta property="fb:page_id" content="18968879441564"/>
<title>Example.com</title>
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<link rel='stylesheet'
href='http://example.com/wp-content/items/link-tag/cache/7f8155a5485bc445ed0adb136722b.css?m=1224763007'
type='text/css' media='screen'/>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta property="fb:page_id" content="18968879441564"/>
<title>example.com</title>
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
<script type="text/javascript">
var TB_pluginPath = 'http://www.welovebug.com/wp-content/items/js-source';
var TB_config = {
'widget_show_photos': true,
'widget_show_source': true,
'widget_show_header': true,
'general_link_screen_names': true,
'general_link_hash_tags': true,
'general_link_urls': true,
'widget_check_sources': true,
'widget_show_user': true
}
</script>
<!-- Items that should be detected -->
<link rel='stylesheet' href='http://example.com/wp-content/items/detect-me-1/cache/7f81.css?m=12' type='text/css' media='screen'/>
<link rel="stylesheet" href="/wp-content/items/detect-me-2/css/frontend.css?ver=3.9.2"/>
<style type="text/css">
#fancybox-loading.fancybox-ie div {
background: transparent;
filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='http://example.com/wp-content/items/style-tag/fancybox/fancy_loading.png', sizingMethod='scale');
}
</style>
<script type='text/javascript' src='http://example.com/wp-content/items/detect-me-3/s2member-o.php?ws=1'></script>
<script type='text/javascript'
src='http://example.com/wp-content/items/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
<script type='text/javascript' src='/wp-content/items/detect-me-4/main.js'></script>
<!-- Duplicate, detect-me-4 should only be detected once -->
<script type='text/javascript' src='/wp-content/items/detect-me-4/main.js'></script>
<style type="text/css" media="all">
/* <![CDATA[ */
@import url("https://example.com/wp-content/items/style-tag-import/css/plugin.css?ver=1.9.4");
@import url("https://example.com/wp-content/items/style-tag-import/css/datatables.css?ver=1.9.4");
/* ]]> */
</style>
</head>
<body>
<div class="top">
<div class="header">
<h1 class="logo">
Blablabla the following plugin should not match : /wp-content/items/this-plugin-should-not-match/sub.css
</h1>
</div>
</div>
</body>
<script type='text/javascript' src='//wp-content/items/detect-me-5/main.js'></script>
<script type='text/javascript'>
<!--[if lt IE 9]>
<script src="http://example.com/wp-content/items/detect-me-6/assets/js/vendor/html5shiv.js"></script>
<![endif]-->
<style type="text/css">
#fancybox-loading.fancybox-ie div {
background: transparent;
filter: AlphaImageLoader(src='http://example.com/wp-content/items/detect-me-7/fancybox/fancy_loading.png', sizingMethod='scale');
}
</style>
<style type="text/css" media="all">
/* <![CDATA[ */
var pollsL10n = {"ajax_url": "http:\/\/example.com\/wp-content\/items\/escaped-url\/wp-polls.php", "text_wait": "Your last request is still being processed. Please wait a while ...", "text_valid": "Please choose a valid poll answer.", "text_multiple": "Maximum number of choices allowed: ", "show_loading": "1", "show_fading": "1"};
@import url("https://example.com/wp-content/items/detect-me-8/css/plugin.css?ver=1.9.4");
@import url('/wp-content/items/detect-me-9/css/datatables.css?ver=1.9.4');
@import url(/wp-content/items/detect-me-10/css/datatables.css?ver=1.9.4);
@import url(//wp-content/items/detect-me-11/css/datatables.css?ver=1.9.4);
/* ]]> */
</script>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
</style>
<!-- a duplicate one -->
<script type='text/javascript'
src='http://example.com/wp-content/items/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
</html>
<script type='text/javascript'>
/* <![CDATA[ */
var poll1 = {"ajax_url": "http:\/\/example.com\/wp-content\/items\/detect-me-12\/wp-polls.php", "text_wait": "Please wait a while ..."};
var poll2 = {"ajax_url": "\/wp-content\/items\/detect-me-13\/wp-polls.php", "text_wait": "Please wait a while ..."};
var poll3 = {"ajax_url": "\/\/wp-content\/items\/detect-me-14\/wp-polls.php", "text_wait": "Please wait a while ..."};
/* ]]> */
</script>
<!-- Items that should not be detected -->
http://example.com/wp-content/items/this-should-not-match/sub.css
href="http://example.com/wp-content/items/this-should-not-match/sub.css"
/wp-content/items/this-should-not-match/sub.css
//wp-content/items/this-should-not-match/sub.css
src='/wp-content/items/this-should-not-match/sub.css'
<script type="text/javascript">
var TB_pluginPath = 'http://www.welovebug.com/wp-content/items/js-source';
var TB_config = { 'widget_show_photos': true }
</script>

6
spec/samples/common/collections/wp_themes/detectable/passive_detection.html
View File

@@ -8,9 +8,9 @@
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme1/style.css"/>
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme 2/javascript.js"/>
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme-3/test.png"/>
<link type="text/css" rel="stylesheet" href="http://example.com/wp-content/themes/theme1/style.css"/>
<link type="text/css" rel="stylesheet" href="http://example.com/wp-content/themes/theme 2/javascript.js"/>
<link type="text/css" rel="stylesheet" href="http://example.com/wp-content/themes/theme-3/test.png"/>
<style type="text/css" media="all">
/* <![CDATA[ */