From 08506b02c90cfa2985b0d044ee9842f90e1a37c0 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Sat, 15 Sep 2012 23:57:49 +0200
Subject: [PATCH] Theme enumeration working
---
 lib/wpscan/wp_theme.rb | 39 +++++++++++++++++++++-------
 spec/lib/wpscan/wp_theme_spec.rb | 4 +--
 wpscan.rb | 44 ++++++++++++++++++++++++++++++--
 3 files changed, 74 insertions(+), 13 deletions(-)
diff --git a/lib/wpscan/wp_theme.rb b/lib/wpscan/wp_theme.rb
index 2755aba5..c28a2c3a 100644
--- a/lib/wpscan/wp_theme.rb
+++ b/lib/wpscan/wp_theme.rb
@@ -19,15 +19,26 @@ require "#{WPSCAN_LIB_DIR}/vulnerable"
 class WpTheme < Vulnerable
+  include WpItem
   attr_reader :name, :style_url, :version
-  def initialize(name, options = {})
-    @name = name
-    @vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
-    @vulns_xpath = "//theme[@name='#{@name}']/vulnerability"
-    @style_url = options[:style_url]
-    @version = options[:version]
+  def initialize(options = {})
+    @base_url = options[:url]
+    @name = options[:name] || extract_name_from_url(get_url)
+    @path = options[:path]
+    @wp_content_dir = options[:wp_content_dir]
+    @vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
+    @vulns_xpath = "//theme[@name='#{@name}']/vulnerability"
+
+    @version = options[:version]
+    @style_url = options[:style_url]
+
+    raise("base_url not set") unless @base_url
+    raise("path not set") unless @path
+    raise("wp_content_dir not set") unless @wp_content_dir
+    raise("name not set") unless @name
+    raise("vulns_xml not set") unless @vulns_xml
   end
   def version
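Review bot: The five `raise("... not set") unless ...` guards in the new `initialize` reject only nil/false, so the empty strings that `find_from_css_link` and the woo-framework constructor pass for `:path` and `:wp_content_dir` satisfy them while carrying no value, and whatever `get_url` (from `WpItem`, not visible here) builds from them is presumably a bare or malformed location. If real values are required, test emptiness as well, e.g. `raise("path not set") if @path.nil? || @path.empty?`; if an empty string is a deliberate sentinel for themes located through their stylesheet URL, say so in a comment above the guards rather than letting the message claim a check it does not make. `@vulns_xpath` still interpolates `@name` unescaped, and the commit adds `extract_name_from_url(get_url)` as a new source for it; since the name can originate in the scanned site's HTML, a quote character would make the XPath malformed, so constraining it to a directory slug before use (e.g. `raise("invalid theme name") unless @name =~ /\A[\w.-]+\z/`) keeps the lookup well-formed. Note also that `extract_name_from_url(get_url)` runs before the `@base_url` guard, so a call with neither `:url` nor `:name` reaches `get_url` with `@base_url` nil instead of the intended error. The trailing `def version` opens a method whose body lies outside the hunk.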
@@ -64,11 +75,16 @@ class WpTheme < Vulnerable
   def self.find_from_css_link(target_uri)
     response = Browser.instance.get(target_uri.to_s, :follow_location => true, :max_redirects => 2)
-    if matches = %r{https?://[^"]+/themes/([^"]+)/style.css}i.match(response.body)
+    if matches = %r{https?://[^"']+/themes/([^"']+)/style.css}i.match(response.body)
       style_url = matches[0]
       theme_name = matches[1]
-      return new(theme_name, :style_url => style_url)
+      return new(:name => theme_name,
+                 :style_url => style_url,
+                 :url => style_url,
+                 :path => "",
+                 :wp_content_dir => ""
+      )
     end
   end
@@ -82,7 +98,12 @@ class WpTheme < Vulnerable
       woo_theme_version = matches[2]
       woo_framework_version = matches[3] # Not used at this time
-      return new(woo_theme_name, :version => woo_theme_version)
+      return new(:name => woo_theme_name,
+                 :version => woo_theme_version,
+                 :url => matches[0],
+                 :path => "",
+                 :wp_content_dir => ""
+      )
     end
   end
diff --git a/spec/lib/wpscan/wp_theme_spec.rb b/spec/lib/wpscan/wp_theme_spec.rb
index 2ea42b28..0e8e61a1 100644
--- a/spec/lib/wpscan/wp_theme_spec.rb
+++ b/spec/lib/wpscan/wp_theme_spec.rb
@@ -31,7 +31,7 @@ describe WpTheme do
   describe "#to_s" do
     it "should return the theme name and the version if there is one" do
-      wp_theme = WpTheme.new("bueno", :version => "1.2.3")
+      wp_theme = WpTheme.new(:name => "bueno", :version => "1.2.3")
       wp_theme.to_s.should === "bueno v1.2.3"
     end
@@ -41,7 +41,7 @@ describe WpTheme do
       stub_request(:get, style_url).to_return(:status => 200, :body => "")
-      wp_theme = WpTheme.new("hello-world", :style_url => style_url)
+      wp_theme = WpTheme.new(:name => "hello-world", :style_url => style_url)
       wp_theme.to_s.should === "hello-world"
     end
diff --git a/wpscan.rb b/wpscan.rb
index 0e9ac2d7..885dc52f 100755
--- a/wpscan.rb
+++ b/wpscan.rb
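Review bot: In the rewritten regex on the `if matches =` line of `find_from_css_link`, the name capture `([^"']+)` still admits `/`, so a stylesheet referenced as `.../themes/<theme>/css/style.css` yields a "theme name" with an embedded path segment that then flows into `@vulns_xpath` and the theme's URL; `([^"'/]+)` limits the capture to one directory component, and `style\.css` escapes the dot the pattern means literally. The `:path => ""` and `:wp_content_dir => ""` arguments (repeated in the woo-framework hunk that follows) exist only to get past the constructor's presence guards, which deserves a comment at the call site, e.g. `# located via its stylesheet URL: content dir and path are unknown`. Both `new(...)` calls sit inside methods whose remaining lines are outside their hunks.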
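Review bot: `WpTheme.new(:name => "bueno", :version => "1.2.3")` no longer satisfies the rewritten constructor, which raises `base_url not set` when `:url` is absent (and then `path not set` and `wp_content_dir not set`), so this example and the `hello-world` one in the next spec hunk raise before `to_s` is ever called. Unless the constructor is relaxed, the calls need the additional options, e.g. `WpTheme.new(:name => "bueno", :version => "1.2.3", :url => "http://example.com/", :path => "", :wp_content_dir => "")`, and the second example can pass its existing `style_url` as `:url`. A spec that exercises the new guards (a missing `:url` raising) would also document the contract the commit introduces.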
@@ -225,9 +225,49 @@ begin
     end
   end
-  #TODO: Enumerate Themes
+  # Enumerate installed themes
   if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes
-    puts "Need to implement theme enumerating"
+    puts
+    puts "[+] Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
+    puts
+
+    options = WpOptions.get_empty_options
+    options[:url] = wp_target.uri
+    options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes
+    options[:show_progress_bar] = true
+    options[:wp_content_dir] = wp_target.wp_content_dir
+    options[:error_404_hash] = wp_target.error_404_hash
+
+    themes = wp_target.themes_from_aggressive_detection(options)
+    unless themes.empty?
+      puts
+      puts
+      puts "[+] We found #{themes.size.to_s} themes:"
+
+      themes.each do |theme|
+        puts
+        puts " | Name: #{theme}" #this will also output the version number if detected
+        puts " | Location: #{theme.get_url}"
+        puts " | Directory listing enabled? #{theme.directory_listing? ? "Yes." : "No."}"
+
+        theme.vulnerabilities.each do |vulnerability|
+          puts " |"
+          puts " | [!] #{vulnerability.title}"
+          puts " | * Reference: #{vulnerability.reference}"
+
+          # This has been commented out as MSF are moving from
+          # XML-RPC to MessagePack.
+          # I need to get to grips with the new way of communicating
+          # with MSF and implement new code.
+
+          # check if vuln is exploitable
+          #Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
+        end
+      end
+    else
+      puts
+      puts "No themes found :("
+    end
   end
   if wpscan_options.enumerate_timthumbs
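Review bot: `#{themes.size.to_s}` on the `We found` line calls `to_s` on a value that string interpolation already stringifies; `#{themes.size}` is the idiom. The four-line "commented out as MSF are moving…" block together with the `#Exploit.new(...)` line is dead code being carried into a new feature; a single `# TODO: re-add exploitability check once the MSF RPC integration is rewritten` keeps the intent without preserving a stale call signature. The `No themes found :(` message also lacks the `[+]` prefix the other status lines in this hunk use, so it will not be picked up by anything that keys on those markers. The surrounding `begin` block starts before and ends after this hunk.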