Improves detection of wp-content folder

2019-04-17 15:51:56 +01:00
parent f4db2d65f1
commit 08c574aff8
7 changed files with 40 additions and 9 deletions
--- a/lib/wpscan/target/platform/wordpress/custom_directories.rb
+++ b/lib/wpscan/target/platform/wordpress/custom_directories.rb
@@ -17,14 +17,15 @@ module WPScan
        # @return [ String ] The wp-content directory
        def content_dir(detection_mode = :mixed)
          unless @content_dir
-            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
-            pattern     = %r{#{escaped_url}([\w\s\-\/]+)\/(?:themes|plugins|uploads|cache)\/}i
+            # #url_pattern is from CMSScanner::Target
+            pattern = %r{#{scope_url_pattern}([\w\s\-\/]+)\/(?:themes|plugins|uploads|cache)\/}i

            in_scope_urls(homepage_res) do |url|
              return @content_dir = Regexp.last_match[1] if url.match(pattern)
            end

-            xpath_pattern_from_page('//script[not(@src)]', pattern, homepage_res) do |match|
+            # Checks for the pattern in raw JS code, as well as @content attributes of meta tags
+            xpath_pattern_from_page('//script[not(@src)]|//meta/@content', pattern, homepage_res) do |match|
              return @content_dir = match[1]
            end

@@ -96,14 +97,13 @@ module WPScan
          themes_uri.join("#{URI.encode(slug)}/").to_s
        end

-        # TODO: Factorise the code and the content_dir one ?
        # @return [ String, False ] String of the sub_dir found, false otherwise
        # @note: nil can not be returned here, otherwise if there is no sub_dir
        #        the check would be done each time
        def sub_dir
          unless @sub_dir
-            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
-            pattern     = %r{#{escaped_url}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i
+            # escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
+            pattern = %r{#{url_pattern}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i

            in_scope_urls(homepage_res) do |url|
              return @sub_dir = Regexp.last_match[1] if url.match(pattern)
--- a/spec/fixtures/target/platform/wordpress/custom_directories/in_meta_content.html
+++ b/spec/fixtures/target/platform/wordpress/custom_directories/in_meta_content.html
@@ -0,0 +1,5 @@
+<link rel="canonical" href="https://ex.lo/" />
+
+<meta property="og:site_name" content="WP Lab" />
+<meta property="og:image" content="http://ex.lo/wp-content/uploads/logo.png" />
+<meta property="og:image:secure_url" content="https:/ex.lo/wp-content/uploads/logo.png" />
--- a/spec/fixtures/target/platform/wordpress/custom_directories/scope.html
+++ b/spec/fixtures/target/platform/wordpress/custom_directories/scope.html
@@ -0,0 +1,5 @@
+<link rel="canonical" href="https://ex.lo/" />
+
+<link rel='stylesheet' href='https://aaa.cloudfront.net/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css' type='text/css' media='all' />
+
+<link rel='stylesheet' href='https://aaa.cloudfront.net/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' />
--- a/spec/fixtures/target/platform/wordpress/custom_directories/scope_meta_content.html
+++ b/spec/fixtures/target/platform/wordpress/custom_directories/scope_meta_content.html
@@ -0,0 +1,5 @@
+<link rel="canonical" href="https://ex.lo/" />
+
+<meta property="og:site_name" content="WP Lab" />
+<meta property="og:image" content="https://aaa.cloudfront.net/wp-content/uploads/logo.png" />
+<meta property="og:image:secure_url" content="https://aaa.cloudfront.net/wp-content/uploads/logo.png" />
--- a/spec/lib/target_spec.rb
+++ b/spec/lib/target_spec.rb
@@ -1,8 +1,9 @@
 # frozen_string_literal: true

 describe WPScan::Target do
-  subject(:target) { described_class.new(url) }
+  subject(:target) { described_class.new(url, opts) }
  let(:url)        { 'http://ex.lo' }
+  let(:opts)       { {} }

  it_behaves_like WPScan::Target::Platform::WordPress

--- a/spec/shared_examples/target/platform/wordpress/custom_directories.rb
+++ b/spec/shared_examples/target/platform/wordpress/custom_directories.rb
@@ -7,7 +7,8 @@ shared_examples 'WordPress::CustomDirectories' do
    {
      default: 'wp-content', https: 'wp-content', custom_w_spaces: 'custom content spaces',
      relative_one: 'wp-content', relative_two: 'wp-content', cache: 'wp-content',
-      in_raw_js: 'wp-content', with_sub_dir: 'app', relative_two_sub_dir: 'cms/wp-content'
+      in_raw_js: 'wp-content', with_sub_dir: 'app', relative_two_sub_dir: 'cms/wp-content',
+      in_meta_content: 'wp-content'
    }.each do |file, expected|
      it "returns #{expected} for #{file}.html" do
        stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{file}.html")))
@@ -16,6 +17,20 @@ shared_examples 'WordPress::CustomDirectories' do
      end
    end

+    context 'when scope given' do
+      let(:opts) { super().merge(scope: ['*.cloudfront.net']) }
+
+      {
+        scope: 'wp-content', scope_meta_content: 'wp-content'
+      }.each do |file, expected|
+        it "returns #{expected} for #{file}.html" do
+          stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{file}.html")))
+
+          expect(target.content_dir).to eql expected
+        end
+      end
+    end
+
    context 'when not found via the homepage' do
      before { stub_request(:get, target.url).to_return(body: '') }

--- a/wpscan.gemspec
+++ b/wpscan.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
  s.executables           = ['wpscan']
  s.require_paths         = ['lib']

-  s.add_dependency 'cms_scanner', '~> 0.0.44.1'
+  s.add_dependency 'cms_scanner', '~> 0.0.44.2'

  s.add_development_dependency 'bundler',   '>= 1.6'
  s.add_development_dependency 'coveralls', '~> 0.8.0'