garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Timthumb enumeration now working

Browse Source
This commit is contained in:
Christian Mehlmauer
2012-09-16 23:31:03 +02:00
parent cad84d38f4
commit 04414ebc69
7 changed files with 2513 additions and 2563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4891
data/timthumbs.txt
View File

File diff suppressed because it is too large Load Diff

83
lib/wpscan/modules/wp_timthumbs.rb
View File

@@ -21,76 +21,32 @@ module WpTimthumbs
# Used as cache : nil => timthumbs not checked, [] => no timthumbs, otherwise array of timthumbs url found # Used as cache : nil => timthumbs not checked, [] => no timthumbs, otherwise array of timthumbs url found
@wp_timthumbs = nil @wp_timthumbs = nil
def has_timthumbs?(options = {}) def has_timthumbs?(theme_name, options = {})
!timthumbs(options).empty? !timthumbs(theme_name, options).empty?
end end
# Available options : def timthumbs(theme_name = nil, options = {})
# :theme_name
# :timthumbs_file
# :show_progress_bar - default false
#
# return array of string (url of timthumbs found), can be empty
def timthumbs(options = {})
if @wp_timthumbs.nil? if @wp_timthumbs.nil?
browser = Browser.instance options[:type] = "timthumbs"
hydra = browser.hydra options[:only_vulnerable_ones] = false
found_timthumbs = [] options[:file] = DATA_DIR + "/timthumbs.txt"
request_count = 0 options[:vulns_file] = "xxx"
queue_count = 0 options[:vulns_xpath] = "xxx"
targets_url = timthumbs_targets_url(options) options[:vulns_xpath_2] = "xxx"
show_progress_bar = options[:show_progress_bar] || false
targets_url.each do |target_url| WpOptions.check_options(options)
request = browser.forge_request(target_url, :cache_timeout => 0) if theme_name == nil
request_count += 1 custom_items = nil
else
request.on_complete do |response| custom_items = targets_url_from_theme(theme_name, options)
print "\rChecking for " + targets_url.size.to_s + " total timthumb files... #{(request_count * 100) / targets_url.size}% complete." if show_progress_bar
if response.body =~ /no image specified/i
found_timthumbs << target_url
end end
end @wp_timthumbs = WpEnumerator.enumerate(options, custom_items)
hydra.queue(request)
queue_count += 1
if queue_count == browser.max_threads
hydra.run
queue_count = 0
end
end
hydra.run
@wp_timthumbs = found_timthumbs
end end
@wp_timthumbs @wp_timthumbs
end end
# Available options :
# :theme_name
# :timthumbs_file
#
# retrun array of string
def timthumbs_targets_url(options = {})
targets = options[:theme_name] ? targets_url_from_theme(options[:theme_name]) : []
timthumbs_file = WpTimthumbs.timthumbs_file(options[:timthumbs_file])
targets += File.open(timthumbs_file, 'r') {|file| file.readlines.collect{|line| @uri.merge(line.chomp).to_s}}
targets.uniq!
# randomize the array to *maybe* help in some crappy IDS/IPS/WAF evasion
targets.sort_by! { rand }
end
def self.timthumbs_file(timthumbs_file_path = nil)
timthumbs_file_path || DATA_DIR + "/timthumbs.txt"
end
protected protected
def targets_url_from_theme(theme_name) def targets_url_from_theme(theme_name, options)
targets = [] targets = []
theme_name = URI.escape(theme_name) theme_name = URI.escape(theme_name)
@@ -98,7 +54,12 @@ module WpTimthumbs
'timthumb.php', 'lib/timthumb.php', 'inc/timthumb.php', 'includes/timthumb.php', 'timthumb.php', 'lib/timthumb.php', 'inc/timthumb.php', 'includes/timthumb.php',
'scripts/timthumb.php', 'tools/timthumb.php', 'functions/timthumb.php' 'scripts/timthumb.php', 'tools/timthumb.php', 'functions/timthumb.php'
].each do |file| ].each do |file|
targets << @uri.merge("wp-content/themes/#{theme_name}/#{file}").to_s targets << {
:url => options[:url],
:path => "themes/#{theme_name}/#{file}",
:wp_content_dir => options[:wp_content_dir],
:name => options[:name]
}
end end
targets targets
end end

17
lib/wpscan/wp_enumerator.rb
View File

@@ -30,12 +30,18 @@ class WpEnumerator
# * +type+ - "plugins" or "themes", item to enumerate # * +type+ - "plugins" or "themes", item to enumerate
# * +filename+ - filename in the data directory with paths # * +filename+ - filename in the data directory with paths
# * +show_progress_bar+ - Show a progress bar during enumeration # * +show_progress_bar+ - Show a progress bar during enumeration
def self.enumerate(options = {}) def self.enumerate(options = {}, items = nil)
WpOptions.check_options(options) WpOptions.check_options(options)
targets = self.generate_items(options) targets = self.generate_items(options)
unless items == nil
items.each do |i|
targets << i
end
end
found = [] found = []
queue_count = 0 queue_count = 0
request_count = 0 request_count = 0
@@ -44,7 +50,11 @@ class WpEnumerator
enumerate_size = targets.size enumerate_size = targets.size
targets.each do |target| targets.each do |target|
if options[:type] =~ /timthumbs/i
url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}" url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}"
else
url = "#{target[:url]}#{target[:wp_content_dir]}/#{options[:type]}/#{target[:path]}"
end
request = enum_browser.forge_request(url, :cache_timeout => 0, :follow_location => true) request = enum_browser.forge_request(url, :cache_timeout => 0, :follow_location => true)
request_count += 1 request_count += 1
@@ -89,7 +99,7 @@ class WpEnumerator
f.readlines.collect do |line| f.readlines.collect do |line|
targets_url << { targets_url << {
:url => url, :url => url,
:path => "#{type}/#{line.strip}", :path => line.strip,
:wp_content_dir => wp_content_dir, :wp_content_dir => wp_content_dir,
:name => File.dirname(line.strip) :name => File.dirname(line.strip)
} }
@@ -97,6 +107,8 @@ class WpEnumerator
end end
end end
# Timthumbs have no XML file
unless type =~ /timthumbs/i
xml = Nokogiri::XML(File.open(vulns_file)) do |config| xml = Nokogiri::XML(File.open(vulns_file)) do |config|
config.noblanks config.noblanks
end end
@@ -114,6 +126,7 @@ class WpEnumerator
} }
end end
end end
end
targets_url.flatten! targets_url.flatten!
targets_url.uniq! targets_url.uniq!

2
lib/wpscan/wp_options.rb
View File

@@ -59,7 +59,7 @@ class WpOptions
raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0 raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0
raise("type must be set") unless options[:type] != nil and options[:type].length > 0 raise("type must be set") unless options[:type] != nil and options[:type].length > 0
unless options[:type] =~ /plugins/i or options[:type] =~ /themes/i unless options[:type] =~ /plugins/i or options[:type] =~ /themes/i or options[:type] =~ /timthumbs/i
raise("Unknown type #{options[:type]}") raise("Unknown type #{options[:type]}")
end end
end end

30
spec/lib/browser_spec.rb
View File

@@ -216,36 +216,6 @@ describe Browser do
end end
end end
describe "#replace_variables_in_url" do
after :each do
@browser.variables_to_replace_in_url = @variables if @variables
@browser.send(:replace_variables_in_url, @url).should === @expected
end
it "should not replace anything (empty variables_to_replace_in_url)" do
@url = "http://target.tld/wp-content/file.txt"
@expected = @url
end
it "should not replace anything (not match found)" do
@variables = {"%nothing%" => "hello"}
@url = "http://target.tld/nothing/file.txt"
@expected = @url
end
it "should replace %wp-content% by 'custom-content'" do
@variables = {"%wp-content%" => "custom-content"}
@url = "http://target.tld/%wp-content%/some-file.txt"
@expected = "http://target.tld/custom-content/some-file.txt"
end
it "should replace %wp-content% by 'custom-content' and %plugins% by 'wp_plugins'" do
@variables = {"%wp-content%" => "custom-content", "%plugins%" => "wp_plugins"}
@url = "http://target.tld/%wp-content%/hello/%plugins%"
@expected = "http://target.tld/custom-content/hello/wp_plugins"
end
end
# TODO # TODO
describe "#forge_request" do describe "#forge_request" do

12
spec/lib/wpscan/wp_theme_spec.rb
View File

@@ -31,7 +31,7 @@ describe WpTheme do
describe "#to_s" do describe "#to_s" do
it "should return the theme name and the version if there is one" do it "should return the theme name and the version if there is one" do
wp_theme = WpTheme.new(:name => "bueno", :version => "1.2.3") wp_theme = WpTheme.new(:name => "bueno", :version => "1.2.3", :url => "", :path => "", :wp_content_dir => "")
wp_theme.to_s.should === "bueno v1.2.3" wp_theme.to_s.should === "bueno v1.2.3"
end end
@@ -41,7 +41,7 @@ describe WpTheme do
stub_request(:get, style_url).to_return(:status => 200, :body => "") stub_request(:get, style_url).to_return(:status => 200, :body => "")
wp_theme = WpTheme.new(:name => "hello-world", :style_url => style_url) wp_theme = WpTheme.new(:name => "hello-world", :style_url => style_url, :url => "", :path => "", :wp_content_dir => "")
wp_theme.to_s.should === "hello-world" wp_theme.to_s.should === "hello-world"
end end
@@ -99,12 +99,12 @@ describe WpTheme do
it "should return a WpTheme object with .name 'Editorial' and .version '1.3.5'" do it "should return a WpTheme object with .name 'Editorial' and .version '1.3.5'" do
@fixture = fixtures_dir + "/editorial-1.3.5.html" @fixture = fixtures_dir + "/editorial-1.3.5.html"
@expected_theme = WpTheme.new("Editorial", :version => "1.3.5") @expected_theme = WpTheme.new(:name => "Editorial", :version => "1.3.5", :url => "", :path => "", :wp_content_dir => "")
end end
it "should return a WpTheme object with .name 'Merchant'" do it "should return a WpTheme object with .name 'Merchant'" do
@fixture = fixtures_dir + "/merchant-no-version.html" @fixture = fixtures_dir + "/merchant-no-version.html"
@expected_theme = WpTheme.new("Merchant") @expected_theme = WpTheme.new(:name => "Merchant", :url => "", :path => "", :wp_content_dir => "")
end end
end end
@@ -148,7 +148,7 @@ describe WpTheme do
if @fixture if @fixture
stub_request_to_fixture(:url => theme_style_url, :fixture => @fixture) stub_request_to_fixture(:url => theme_style_url, :fixture => @fixture)
wp_theme = WpTheme.new('spec-theme', :style_url => theme_style_url) wp_theme = WpTheme.new(:name => 'spec-theme', :style_url => theme_style_url, :url => "", :path => "", :wp_content_dir => "")
wp_theme.version.should === @expected wp_theme.version.should === @expected
end end
@@ -160,7 +160,7 @@ describe WpTheme do
end end
it "should return nil if the style_url is nil" do it "should return nil if the style_url is nil" do
WpTheme.new("hello-world").version.should be_nil WpTheme.new(:name => "hello-world", :url => "", :path => "", :wp_content_dir => "").version.should be_nil
end end
it "should return 1.3" do it "should return 1.3" do

13
wpscan.rb
View File

@@ -279,15 +279,22 @@ begin
puts "[+] Enumerating timthumb files ..." puts "[+] Enumerating timthumb files ..."
puts puts
if wp_target.has_timthumbs?(:theme_name => wp_theme ? wp_theme.name : nil, :show_progress_bar => true) options = WpOptions.get_empty_options
options[:url] = wp_target.uri
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
theme_name = wp_theme ? wp_theme.name : nil
if wp_target.has_timthumbs?(theme_name, options)
timthumbs = wp_target.timthumbs timthumbs = wp_target.timthumbs
puts puts
puts "[+] We found #{timthumbs.size.to_s} timthumb file/s :" puts "[+] We found #{timthumbs.size.to_s} timthumb file/s :"
puts puts
timthumbs.each do |file_url| timthumbs.each do |t|
puts " | [!] #{file_url}" puts " | [!] #{t[:url]}#{t[:wp_content_dir]}/#{t[:path]}"
end end
puts puts
puts " * Reference: http://www.exploit-db.com/exploits/17602/" puts " * Reference: http://www.exploit-db.com/exploits/17602/"