garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Timthumb enumeration now working

Browse Source
This commit is contained in:
Christian Mehlmauer
2012-09-16 23:31:03 +02:00
parent cad84d38f4
commit 04414ebc69
7 changed files with 2513 additions and 2563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
lib/wpscan/modules/wp_timthumbs.rb
View File

@@ -21,76 +21,32 @@ module WpTimthumbs
# Used as cache : nil => timthumbs not checked, [] => no timthumbs, otherwise array of timthumbs url found
@wp_timthumbs = nil
def has_timthumbs?(options = {})
!timthumbs(options).empty?
def has_timthumbs?(theme_name, options = {})
!timthumbs(theme_name, options).empty?
end
# Available options :
# :theme_name
# :timthumbs_file
# :show_progress_bar - default false
#
# return array of string (url of timthumbs found), can be empty
def timthumbs(options = {})
def timthumbs(theme_name = nil, options = {})
if @wp_timthumbs.nil?
browser = Browser.instance
hydra = browser.hydra
found_timthumbs = []
request_count = 0
queue_count = 0
targets_url = timthumbs_targets_url(options)
show_progress_bar = options[:show_progress_bar] || false
options[:type] = "timthumbs"
options[:only_vulnerable_ones] = false
options[:file] = DATA_DIR + "/timthumbs.txt"
options[:vulns_file] = "xxx"
options[:vulns_xpath] = "xxx"
options[:vulns_xpath_2] = "xxx"
targets_url.each do |target_url|
request = browser.forge_request(target_url, :cache_timeout => 0)
request_count += 1
request.on_complete do |response|
print "\rChecking for " + targets_url.size.to_s + " total timthumb files... #{(request_count * 100) / targets_url.size}% complete." if show_progress_bar
if response.body =~ /no image specified/i
found_timthumbs << target_url
end
end
hydra.queue(request)
queue_count += 1
if queue_count == browser.max_threads
hydra.run
queue_count = 0
end
WpOptions.check_options(options)
if theme_name == nil
custom_items = nil
else
custom_items = targets_url_from_theme(theme_name, options)
end
hydra.run
@wp_timthumbs = found_timthumbs
@wp_timthumbs = WpEnumerator.enumerate(options, custom_items)
end
@wp_timthumbs
end
# Available options :
# :theme_name
# :timthumbs_file
#
# retrun array of string
def timthumbs_targets_url(options = {})
targets = options[:theme_name] ? targets_url_from_theme(options[:theme_name]) : []
timthumbs_file = WpTimthumbs.timthumbs_file(options[:timthumbs_file])
targets += File.open(timthumbs_file, 'r') {|file| file.readlines.collect{|line| @uri.merge(line.chomp).to_s}}
targets.uniq!
# randomize the array to *maybe* help in some crappy IDS/IPS/WAF evasion
targets.sort_by! { rand }
end
def self.timthumbs_file(timthumbs_file_path = nil)
timthumbs_file_path || DATA_DIR + "/timthumbs.txt"
end
protected
def targets_url_from_theme(theme_name)
def targets_url_from_theme(theme_name, options)
targets = []
theme_name = URI.escape(theme_name)
@@ -98,7 +54,12 @@ module WpTimthumbs
'timthumb.php', 'lib/timthumb.php', 'inc/timthumb.php', 'includes/timthumb.php',
'scripts/timthumb.php', 'tools/timthumb.php', 'functions/timthumb.php'
].each do |file|
targets << @uri.merge("wp-content/themes/#{theme_name}/#{file}").to_s
targets << {
:url => options[:url],
:path => "themes/#{theme_name}/#{file}",
:wp_content_dir => options[:wp_content_dir],
:name => options[:name]
}
end
targets
end

45
lib/wpscan/wp_enumerator.rb
View File

@@ -30,12 +30,18 @@ class WpEnumerator
# * +type+ - "plugins" or "themes", item to enumerate
# * +filename+ - filename in the data directory with paths
# * +show_progress_bar+ - Show a progress bar during enumeration
def self.enumerate(options = {})
def self.enumerate(options = {}, items = nil)
WpOptions.check_options(options)
targets = self.generate_items(options)
unless items == nil
items.each do |i|
targets << i
end
end
found = []
queue_count = 0
request_count = 0
@@ -44,7 +50,11 @@ class WpEnumerator
enumerate_size = targets.size
targets.each do |target|
url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}"
if options[:type] =~ /timthumbs/i
url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}"
else
url = "#{target[:url]}#{target[:wp_content_dir]}/#{options[:type]}/#{target[:path]}"
end
request = enum_browser.forge_request(url, :cache_timeout => 0, :follow_location => true)
request_count += 1
@@ -89,7 +99,7 @@ class WpEnumerator
f.readlines.collect do |line|
targets_url << {
:url => url,
:path => "#{type}/#{line.strip}",
:path => line.strip,
:wp_content_dir => wp_content_dir,
:name => File.dirname(line.strip)
}
@@ -97,21 +107,24 @@ class WpEnumerator
end
end
xml = Nokogiri::XML(File.open(vulns_file)) do |config|
config.noblanks
end
# Timthumbs have no XML file
unless type =~ /timthumbs/i
xml = Nokogiri::XML(File.open(vulns_file)) do |config|
config.noblanks
end
# We check if the plugin name from the plugin_vulns_file is already in targets, otherwise we add it
xml.xpath(options[:vulns_xpath_2]).each do |node|
item_name = node.attribute('name').text
# We check if the plugin name from the plugin_vulns_file is already in targets, otherwise we add it
xml.xpath(options[:vulns_xpath_2]).each do |node|
item_name = node.attribute('name').text
if targets_url.grep(%r{/#{item_name}/}).empty?
targets_url << {
:url => url,
:path => "#{type}/#{item_name}",
:wp_content_dir => wp_content_dir,
:name => item_name
}
if targets_url.grep(%r{/#{item_name}/}).empty?
targets_url << {
:url => url,
:path => "#{type}/#{item_name}",
:wp_content_dir => wp_content_dir,
:name => item_name
}
end
end
end

2
lib/wpscan/wp_options.rb
View File

@@ -59,7 +59,7 @@ class WpOptions
raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0
raise("type must be set") unless options[:type] != nil and options[:type].length > 0
unless options[:type] =~ /plugins/i or options[:type] =~ /themes/i
unless options[:type] =~ /plugins/i or options[:type] =~ /themes/i or options[:type] =~ /timthumbs/i
raise("Unknown type #{options[:type]}")
end
end