From 22006f40b840b5db841a737536b7b92c9fb6ea25 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Sat, 15 Sep 2012 23:28:00 +0200
Subject: [PATCH] bugfixing
---
 lib/wpscan/modules/wp_plugins.rb | 9 +++++----
 lib/wpscan/modules/wp_themes.rb | 9 +++++----
 lib/wpscan/wp_enumerator.rb | 23 ++++++++++++-----------
 lib/wpscan/wp_options.rb | 3 +++
 4 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/lib/wpscan/modules/wp_plugins.rb b/lib/wpscan/modules/wp_plugins.rb
index 3533439c..fcf5a9c3 100644
--- a/lib/wpscan/modules/wp_plugins.rb
+++ b/lib/wpscan/modules/wp_plugins.rb
@@ -22,10 +22,11 @@ module WpPlugins
 #
 # return array of WpPlugin
 def plugins_from_aggressive_detection(options)
- options[:file] = "#{DATA_DIR}/plugins.txt"
- options[:vulns_file] = "#{DATA_DIR}/plugin_vulns.xml"
- options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
- options[:type] = "plugins"
+ options[:file] = "#{DATA_DIR}/plugins.txt"
+ options[:vulns_file] = "#{DATA_DIR}/plugin_vulns.xml"
+ options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
+ options[:vulns_xpath_2] = "//plugin"
+ options[:type] = "plugins"
 result = WpDetector.aggressive_detection(options)
 result
 end
diff --git a/lib/wpscan/modules/wp_themes.rb b/lib/wpscan/modules/wp_themes.rb
index 957eb782..705b1d14 100644
--- a/lib/wpscan/modules/wp_themes.rb
+++ b/lib/wpscan/modules/wp_themes.rb
@@ -19,10 +19,11 @@ module WpThemes
 def themes_from_aggressive_detection(options)
- options[:file] = "#{DATA_DIR}/themes.txt"
- options[:vulns_file] = "#{DATA_DIR}/theme_vulns.xml"
- options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
- options[:type] = "themes"
+ options[:file] = "#{DATA_DIR}/themes.txt"
+ options[:vulns_file] = "#{DATA_DIR}/wp_theme_vulns.xml"
+ options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
+ options[:vulns_xpath_2] = "//theme"
+ options[:type] = "themes"
 result = WpDetector.aggressive_detection(options)
 result
 end
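Review bot: The new key `:vulns_xpath_2` in plugins_from_aggressive_detection does not say what its expression selects; judging by its use in WpEnumerator.generate_items it is the XPath that lists every item node, so a descriptive name such as `:items_xpath` would be clearer, and the same goes for the wp_themes.rb hunk and the WpOptions entries. Separately, `@name` is interpolated into `:vulns_xpath` between single quotes: whether `@name` is set on the including object is not visible here, and a name containing `'` would yield a malformed expression, so this is worth confirming. The module body continues outside the hunk.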
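Review bot: `options[:vulns_file]` now points at `wp_theme_vulns.xml`, but the diffstat lists only four .rb files, so no data file is renamed in this commit; if `#{DATA_DIR}/wp_theme_vulns.xml` does not already exist, the `File.open(vulns_file)` call in WpEnumerator.generate_items will raise Errno::ENOENT during theme enumeration. The plugin counterpart keeps the unprefixed `plugin_vulns.xml`, so the two names are also inconsistent. Please confirm the file name against the data directory.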
diff --git a/lib/wpscan/wp_enumerator.rb b/lib/wpscan/wp_enumerator.rb
index 30fcdd3b..76012457 100644
--- a/lib/wpscan/wp_enumerator.rb
+++ b/lib/wpscan/wp_enumerator.rb
@@ -76,8 +76,8 @@ class WpEnumerator
 def self.generate_items(options = {})
 only_vulnerable = options[:only_vulnerable_ones]
- plugins_file = options[:file] || "#{DATA_DIR}/plugins.txt"
- plugin_vulns_file = options[:vulns_file] || "#{DATA_DIR}/plugin_vulns.xml"
+ file = options[:file]
+ vulns_file = options[:vulns_file]
 wp_content_dir = options[:wp_content_dir]
 url = options[:url]
 type = options[:type]
@@ -85,27 +85,28 @@ class WpEnumerator
 if only_vulnerable == false
 # Open and parse the 'most popular' plugin list...
- File.open(plugins_file, 'r') do |file|
- file.readlines.collect do |line|
- targets_url << WpPlugin.new(:url => url, :path => line.strip, :wp_content_dir => wp_content_dir)
+ File.open(file, 'r') do |f|
+ f.readlines.collect do |line|
+ targets_url << WpPlugin.new(:url => url, :path => "#{type}/#{line.strip}", :wp_content_dir => wp_content_dir)
 end
 end
 end
- xml = Nokogiri::XML(File.open(plugin_vulns_file)) do |config|
+ xml = Nokogiri::XML(File.open(vulns_file)) do |config|
 config.noblanks
 end
 # We check if the plugin name from the plugin_vulns_file is already in targets, otherwise we add it
- xml.xpath("//plugin").each do |node|
- plugin_name = node.attribute('name').text
+ xml.xpath(options[:vulns_xpath_2]).each do |node|
+ item_name = node.attribute('name').text
- if targets_url.grep(%r{/#{plugin_name}/}).empty?
+ if targets_url.grep(%r{/#{item_name}/}).empty?
+ # TODO: Generic
 targets_url << WpPlugin.new(
 :url => url,
- :path => "#{type}/#{plugin_name}",
+ :path => "#{type}/#{item_name}",
 :wp_content_dir => wp_content_dir,
- :name => plugin_name
+ :name => item_name
 )
 end
 end
diff --git a/lib/wpscan/wp_options.rb b/lib/wpscan/wp_options.rb
index e956f880..edb3c123 100644
--- a/lib/wpscan/wp_options.rb
+++ b/lib/wpscan/wp_options.rb
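Review bot: With the `||` fallbacks removed, `file` and `vulns_file` are nil whenever a caller omits them, which includes the method's own default `options = {}`, and the later `File.open(file, 'r')` then fails with a TypeError that names neither option. Either fetch them strictly, `file = options.fetch(:file)` and `vulns_file = options.fetch(:vulns_file)`, or raise an explicit error here; `options[:vulns_xpath_2]` in the next hunk has the same problem. WpOptions has a check for these keys, but whether it runs before generate_items is not visible in this diff. The body of generate_items continues outside the hunk.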
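Review bot: `item_name` comes from the XML data file and is interpolated unescaped into `%r{/#{item_name}/}`, so a name containing regex metacharacters matches the wrong targets or raises RegexpError; `targets_url.grep(%r{/#{Regexp.escape(item_name)}/})` avoids that. Since `targets_url` holds WpPlugin objects rather than strings, the grep presumably never matches unless WpPlugin converts to a string, which would append every XML item a second time; this is worth confirming. The handle from `File.open(vulns_file)` is also never closed; reading with `File.read(vulns_file)` or using the block form of File.open would release it. `f.readlines.collect` is used only for its side effect, so `f.each_line` states the intent better.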
@@ -25,6 +25,7 @@
 # * +file+ - Filename with items to detect
 # * +vulns_file+ - XML file with vulnerabilities
 # * +vulns_xpath+ - XPath for vulnerability XML file
+# * +vulns_xpath_2+ - XPath for vulnerability XML file
 # * +wp_content_dir+ - Name of the wp-content directory
 # * +show_progress_bar+ - Show a progress bar during enumeration
 # * +error_404_hash+ - MD5 hash of a 404 page
@@ -37,6 +38,7 @@ class WpOptions
 :file => "",
 :vulns_file => "",
 :vulns_xpath => "",
+ :vulns_xpath_2 => "",
 :wp_content_dir => "",
 :show_progress_bar => true,
 :error_404_hash => "",
@@ -51,6 +53,7 @@ class WpOptions
 raise("file must be set") unless options[:file] != nil and options[:file].length > 0
 raise("vulns_file must be set") unless options[:vulns_file] != nil and options[:vulns_file].length > 0
 raise("vulns_xpath must be set") unless options[:vulns_xpath] != nil and options[:vulns_xpath].length > 0
+ raise("vulns_xpath_2 must be set") unless options[:vulns_xpath_2] != nil and options[:vulns_xpath_2].length > 0
 raise("wp_content_dir must be set") unless options[:wp_content_dir] != nil and options[:wp_content_dir].length > 0
 raise("show_progress_bar must be set") unless options[:show_progress_bar] != nil
 raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0
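Review bot: The added doc line describes `vulns_xpath_2` with exactly the same words as `vulns_xpath` on the line above, so a reader cannot tell the two options apart. Going by their use elsewhere in this patch, something like `# * +vulns_xpath+ - XPath selecting the vulnerabilities of one named item` and `# * +vulns_xpath_2+ - XPath selecting every item node in the vulnerability XML file (e.g. //plugin)` would document the difference.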
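Review bot: In the third hunk the new `raise("vulns_xpath_2 must be set")` makes the option mandatory, and the default added in the second hunk is `""`, so any caller that builds its options without this key now fails validation; only wp_plugins.rb and wp_themes.rb are updated in this patch, so other callers, if there are any, should be checked. The condition also mixes `!= nil` with the low-precedence `and`; `raise("vulns_xpath_2 must be set") if options[:vulns_xpath_2].to_s.empty?` expresses the same check. The enclosing method starts and ends outside the hunk.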