garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Theme enumeration working

Browse Source
This commit is contained in:
Christian Mehlmauer
2012-09-15 23:57:49 +02:00
parent 0eaef9cd69
commit 08506b02c9
3 changed files with 74 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
lib/wpscan/wp_theme.rb
View File

@@ -19,15 +19,26 @@
require "#{WPSCAN_LIB_DIR}/vulnerable" require "#{WPSCAN_LIB_DIR}/vulnerable"
class WpTheme < Vulnerable class WpTheme < Vulnerable
include WpItem
attr_reader :name, :style_url, :version attr_reader :name, :style_url, :version
def initialize(name, options = {}) def initialize(options = {})
@name = name @base_url = options[:url]
@name = options[:name] || extract_name_from_url(get_url)
@path = options[:path]
@wp_content_dir = options[:wp_content_dir]
@vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml' @vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
@vulns_xpath = "//theme[@name='#{@name}']/vulnerability" @vulns_xpath = "//theme[@name='#{@name}']/vulnerability"
@style_url = options[:style_url]
@version = options[:version] @version = options[:version]
@style_url = options[:style_url]
raise("base_url not set") unless @base_url
raise("path not set") unless @path
raise("wp_content_dir not set") unless @wp_content_dir
raise("name not set") unless @name
raise("vulns_xml not set") unless @vulns_xml
end end
def version def version
@@ -64,11 +75,16 @@ class WpTheme < Vulnerable
def self.find_from_css_link(target_uri) def self.find_from_css_link(target_uri)
response = Browser.instance.get(target_uri.to_s, :follow_location => true, :max_redirects => 2) response = Browser.instance.get(target_uri.to_s, :follow_location => true, :max_redirects => 2)
if matches = %r{https?://[^"]+/themes/([^"]+)/style.css}i.match(response.body) if matches = %r{https?://[^"']+/themes/([^"']+)/style.css}i.match(response.body)
style_url = matches[0] style_url = matches[0]
theme_name = matches[1] theme_name = matches[1]
return new(theme_name, :style_url => style_url) return new(:name => theme_name,
:style_url => style_url,
:url => style_url,
:path => "",
:wp_content_dir => ""
)
end end
end end
@@ -82,7 +98,12 @@ class WpTheme < Vulnerable
woo_theme_version = matches[2] woo_theme_version = matches[2]
woo_framework_version = matches[3] # Not used at this time woo_framework_version = matches[3] # Not used at this time
return new(woo_theme_name, :version => woo_theme_version) return new(:name => woo_theme_name,
:version => woo_theme_version,
:url => matches[0],
:path => "",
:wp_content_dir => ""
)
end end
end end

4
spec/lib/wpscan/wp_theme_spec.rb
View File

@@ -31,7 +31,7 @@ describe WpTheme do
describe "#to_s" do describe "#to_s" do
it "should return the theme name and the version if there is one" do it "should return the theme name and the version if there is one" do
wp_theme = WpTheme.new("bueno", :version => "1.2.3") wp_theme = WpTheme.new(:name => "bueno", :version => "1.2.3")
wp_theme.to_s.should === "bueno v1.2.3" wp_theme.to_s.should === "bueno v1.2.3"
end end
@@ -41,7 +41,7 @@ describe WpTheme do
stub_request(:get, style_url).to_return(:status => 200, :body => "") stub_request(:get, style_url).to_return(:status => 200, :body => "")
wp_theme = WpTheme.new("hello-world", :style_url => style_url) wp_theme = WpTheme.new(:name => "hello-world", :style_url => style_url)
wp_theme.to_s.should === "hello-world" wp_theme.to_s.should === "hello-world"
end end

44
wpscan.rb
View File

@@ -225,9 +225,49 @@ begin
end end
end end
#TODO: Enumerate Themes # Enumerate installed themes
if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes
puts "Need to implement theme enumerating" puts
puts "[+] Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
puts
options = WpOptions.get_empty_options
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
themes = wp_target.themes_from_aggressive_detection(options)
unless themes.empty?
puts
puts
puts "[+] We found #{themes.size.to_s} themes:"
themes.each do |theme|
puts
puts " | Name: #{theme}" #this will also output the version number if detected
puts " | Location: #{theme.get_url}"
puts " | Directory listing enabled? #{theme.directory_listing? ? "Yes." : "No."}"
theme.vulnerabilities.each do |vulnerability|
puts " |"
puts " | [!] #{vulnerability.title}"
puts " | * Reference: #{vulnerability.reference}"
# This has been commented out as MSF are moving from
# XML-RPC to MessagePack.
# I need to get to grips with the new way of communicating
# with MSF and implement new code.
# check if vuln is exploitable
#Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
end
end
else
puts
puts "No themes found :("
end
end end
if wpscan_options.enumerate_timthumbs if wpscan_options.enumerate_timthumbs