diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml
index c09b8228..724f0939 100644
--- a/data/plugin_vulns.xml
+++ b/data/plugin_vulns.xml
@@ -26,6 +26,9 @@ ryandewhurst at gmail
+
+
+
@@ -141,6 +144,7 @@ ryandewhurst at gmail
Google Document Embedder Arbitrary File Disclosure
http://www.exploit-db.com/exploits/23970/
http://ceriksen.com/2013/01/03/wordpress-google-document-embedder-arbitrary-file-disclosure/
+ exploit/unix/webapp/wp_google_document_embedder_exec
UNKNOWN
@@ -256,6 +260,7 @@ ryandewhurst at gmail
Advanced Custom Fields <= 3.5.1 Remote File Inclusion
http://packetstormsecurity.com/files/119221/wp_advanced_custom_fields_exec.rb.txt
+ exploit/unix/webapp/wp_advanced_custom_fields_exec
RFI
diff --git a/lib/common_helper.rb b/lib/common_helper.rb
index 28ee88e8..2e169cd5 100644
--- a/lib/common_helper.rb
+++ b/lib/common_helper.rb
@@ -139,3 +139,9 @@ end
def green(text)
colorize(text, 32)
end
+
+def get_metasploit_url(module_path)
+ # remove leading slash
+ module_path = module_path.sub(/^\//, "")
+ "http://www.metasploit.com/modules/#{module_path}"
+end
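Review bot: `module_path.sub(/^\//, "")` in the new `get_metasploit_url` anchors with `^`, which in Ruby matches at the start of any line, not the start of the string; a path that arrives with a leading newline or indentation from the XML text node would keep that whitespace and could lose a slash from a later line instead. Use the string anchor and normalise the input before interpolating it into the URL: `module_path = module_path.strip.sub(%r{\A/}, "")`. A short YARD header would also help readers, since the helper lives in a shared file: `# @param module_path [String] Metasploit module path as listed in the vulns XML` / `# @return [String] URL of that module on metasploit.com`.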
diff --git a/lib/wpscan/vulnerable.rb b/lib/wpscan/vulnerable.rb
index 0353bc0b..e23ef176 100644
--- a/lib/wpscan/vulnerable.rb
+++ b/lib/wpscan/vulnerable.rb
@@ -32,7 +32,8 @@ class Vulnerable
vulnerabilities << WpVulnerability.new(
node.search("title").text,
node.search("reference").map(&:text),
- node.search("type").text
+ node.search("type").text,
+ node.search("metasploit").map(&:text)
)
end
vulnerabilities
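Review bot: `node.search("metasploit").map(&:text)` passes each text node through verbatim, so any surrounding whitespace in the XML element ends up in the URL that `get_metasploit_url` later builds from it; the neighbouring `reference` elements are parsed the same way, so this is consistent, but the module path is the one value that is rewritten rather than printed as-is. `node.search("metasploit").map { |m| m.text.strip }` keeps the downstream input clean at no cost. Whether the data file ever wraps the path on its own line cannot be told from this hunk, and the enclosing method starts and ends outside it.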
diff --git a/lib/wpscan/wp_vulnerability.rb b/lib/wpscan/wp_vulnerability.rb
index adaa7fc7..d8666b76 100644
--- a/lib/wpscan/wp_vulnerability.rb
+++ b/lib/wpscan/wp_vulnerability.rb
@@ -17,11 +17,12 @@
#++
class WpVulnerability
- attr_accessor :title, :references, :type
+ attr_accessor :title, :references, :type, :metasploit_modules
- def initialize(title, references, type)
- @title = title
- @references = references
- @type = type
+ def initialize(title, references, type, metasploit_modules)
+ @title = title
+ @references = references
+ @type = type
+ @metasploit_modules = metasploit_modules
end
end
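Review bot: The new fourth positional parameter `metasploit_modules` is required, so any `WpVulnerability.new(title, references, type)` call other than the one updated in lib/wpscan/vulnerable.rb (specs, other parsers) now raises ArgumentError. A default keeps those callers working and guarantees the attribute is always enumerable for `output_vulnerabilities`: `def initialize(title, references, type, metasploit_modules = [])` together with `@metasploit_modules = metasploit_modules || []`. Since nothing visible writes the attribute after construction, `attr_reader` would express the intent better than `attr_accessor`, though the existing fields use the latter and matching them is defensible.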
diff --git a/wpscan.rb b/wpscan.rb
index ad171315..1ed907d9 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -21,6 +21,19 @@
$: << '.'
require File.dirname(__FILE__) +'/lib/wpscan/wpscan_helper'
+def output_vulnerabilities(vulns)
+ vulns.each do |vulnerability|
+ puts
+ puts " | " + red("* Title: #{vulnerability.title}")
+ vulnerability.references.each do |r|
+ puts " | " + red("* Reference: #{r}")
+ end
+ vulnerability.metasploit_modules.each do |m|
+ puts " | " + red("* Metasploit module: #{get_metasploit_url(m)}")
+ end
+ end
+end
+
banner()
begin
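Review bot: `output_vulnerabilities` has no header comment and its contract is not obvious from the call sites, which pass theme, version and plugin vulnerability lists alike; add `# Prints one " | " block per WpVulnerability: the title, each reference, and the metasploit.com URL (via get_metasploit_url) of each linked module.` The method also calls `vulnerability.metasploit_modules.each` unconditionally, so a WpVulnerability built without that list would raise NoMethodError at print time rather than in the parser; `Array(vulnerability.metasploit_modules).each do |m|` tolerates a nil without changing the output for the normal case. Note that this consolidation also changes the plugin and theme listings from the previous `[!] title` form to the `* Title:` form used for version vulnerabilities, which looks intentional but is worth a line in the commit message.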
@@ -119,13 +132,7 @@ begin
theme_vulnerabilities = wp_theme.vulnerabilities
unless theme_vulnerabilities.empty?
puts red("[!]") + " We have identified #{theme_vulnerabilities.size} vulnerabilities for this theme :"
- theme_vulnerabilities.each do |vulnerability|
- puts
- puts " | " + red("* Title: #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(theme_vulnerabilities)
puts
end
end
@@ -182,13 +189,7 @@ begin
unless version_vulnerabilities.empty?
puts
puts red("[!]") + " We have identified #{version_vulnerabilities.size} vulnerabilities from the version number :"
- version_vulnerabilities.each do |vulnerability|
- puts
- puts " | " + red("* Title: #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(version_vulnerabilities)
end
end
@@ -206,13 +207,7 @@ begin
puts " | Location: #{plugin.get_full_url}"
puts " | WordPress: #{plugin.wp_org_url}"
- plugin.vulnerabilities.each do |vulnerability|
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
- end
+ output_vulnerabilities(plugin.vulnerabilities)
end
else
puts "No plugins found :("
@@ -251,24 +246,7 @@ begin
puts " | Readme: #{plugin.readme_url}" if plugin.has_readme?
puts " | Changelog: #{plugin.changelog_url}" if plugin.has_changelog?
- plugin.vulnerabilities.each do |vulnerability|
- #vulnerability['vulnerability'][0]['uri'] == nil ? "" : uri = vulnerability['vulnerability'][0]['uri'] # uri
- #vulnerability['vulnerability'][0]['postdata'] == nil ? "" : postdata = CGI.unescapeHTML(vulnerability['vulnerability'][0]['postdata']) # postdata
-
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
-
- # This has been commented out as MSF are moving from
- # XML-RPC to MessagePack.
- # I need to get to grips with the new way of communicating
- # with MSF and implement new code.
-
- # check if vuln is exploitable
- #Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
- end
+ output_vulnerabilities(plugin.vulnerabilities)
if plugin.error_log?
puts " | " + red("[!]") + " A WordPress error_log file has been found : #{plugin.error_log_url}"
@@ -311,21 +289,7 @@ begin
puts " | Readme: #{theme.readme_url}" if theme.has_readme?
puts " | Changelog: #{theme.changelog_url}" if theme.has_changelog?
- theme.vulnerabilities.each do |vulnerability|
- puts " |"
- puts " | " + red("[!] #{vulnerability.title}")
- vulnerability.references.each do |r|
- puts " | " + red("* Reference: #{r}")
- end
-
- # This has been commented out as MSF are moving from
- # XML-RPC to MessagePack.
- # I need to get to grips with the new way of communicating
- # with MSF and implement new code.
-
- # check if vuln is exploitable
- #Exploit.new(url, type, uri, postdata.to_s, use_proxy, proxy_addr, proxy_port)
- end
+ output_vulnerabilities(theme.vulnerabilities)
end
else
puts