From 0bfbfacc27fb9713219f6e698f74f2ceeb3a2b91 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Tue, 10 Mar 2020 20:31:42 +0100
Subject: [PATCH] Fixes #1465
---
 app/finders/passwords/xml_rpc.rb | 2 +-
 spec/app/finders/passwords/xml_rpc_spec.rb | 49 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 spec/app/finders/passwords/xml_rpc_spec.rb
diff --git a/app/finders/passwords/xml_rpc.rb b/app/finders/passwords/xml_rpc.rb
index ae7134e0..bddedbe7 100644
--- a/app/finders/passwords/xml_rpc.rb
+++ b/app/finders/passwords/xml_rpc.rb
@@ -16,7 +16,7 @@ module WPScan
 end
 def errored_response?(response)
- response.code != 200 && response.body !~ /login_error/i
+ response.code != 200 && response.body !~ /Incorrect username or password/i
 end
 end
 end
diff --git a/spec/app/finders/passwords/xml_rpc_spec.rb b/spec/app/finders/passwords/xml_rpc_spec.rb
new file mode 100644
index 00000000..c4ad84e1
--- /dev/null
+++ b/spec/app/finders/passwords/xml_rpc_spec.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::Passwords::XMLRPC do
+ subject(:finder) { described_class.new(target) }
+ let(:target) { WPScan::Model::XMLRPC.new(url) }
+ let(:url) { 'http://ex.lo/xmlrpc.php' }
+
+ RESPONSE_403_BODY = '
+
+
+
+
+
+ faultCode
+ 403
+
+
+ faultString
+ Incorrect username or password.
+
+
+
+
+ '
+
+ describe '#attack' do
+ context 'when no valid credentials' do
+ before do
+ stub_request(:post, url).to_return(status: status, body: RESPONSE_403_BODY)
+
+ finder.attack(users, %w[pwd])
+ end
+
+ let(:users) { %w[admin].map { |username| WPScan::Model::User.new(username) } }
+
+ context 'when status = 200' do
+ let(:status) { 200 }
+
+ its('progress_bar.log') { should be_empty }
+ end
+
+ context 'when status = 403' do
+ let(:status) { 403 }
+
+ its('progress_bar.log') { should be_empty }
+ end
+ end
+ end
+end
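Review bot: The new pattern in `errored_response?` (app/finders/passwords/xml_rpc.rb) is tied to the English fault string, so a non-200 reply from a site running another locale would still be classified as an error; as far as I know WordPress passes this message through its translation layer. Keying on the locale-independent fault code in the XML-RPC body would be steadier than the human-readable text. The exception also deserves a why-comment above the condition, e.g. `# A non-200 reply carrying the XML-RPC login fault is a rejected login, not a transport error`. The enclosing module and class open outside the hunk, so how callers use the result is not visible here.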
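Review bot: Both contexts in spec/app/finders/passwords/xml_rpc_spec.rb only assert that `progress_bar.log` stays empty, so the spec would still pass if `errored_response?` returned false for every response, and the 200 case never reaches the changed pattern at all. A counter-case with a non-200 status and a body that is not the login fault would pin the behaviour; that needs the stubbed body to become a `let`, as sketched below. The sketch assumes errored responses are written to `progress_bar.log`, which the existing examples imply but do not show. Separately, `RESPONSE_403_BODY` is assigned inside the `describe` block and so ends up as a top-level constant shared with every other spec; a `let` or a fixture file would keep it local.

```ruby
# inside context 'when no valid credentials'
let(:body) { RESPONSE_403_BODY }

before do
  stub_request(:post, url).to_return(status: status, body: body)
  # … unchanged: finder.attack(users, %w[pwd]) …
end

# … unchanged: users, 'when status = 200', 'when status = 403' …

context 'when status = 500 and the body is not the login fault' do
  let(:status) { 500 }
  let(:body) { 'Internal Server Error' }

  its('progress_bar.log') { should_not be_empty }
end
```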