garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes #1322

Browse Source
This commit is contained in:
erwanlr
2019-03-22 20:20:07 +00:00
parent 8b18204a69
commit 231f5157bf
8 changed files with 63 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/finders/db_exports/known_locations.rb
View File

@@ -4,7 +4,9 @@ module WPScan
# DB Exports finder
# See https://github.com/wpscanteam/wpscan-v3/issues/62
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
# @param [ Hash ] opts
# @option opts [ String ] :list
@@ -15,14 +17,21 @@ module WPScan
found = []
enumerate(potential_urls(opts), opts) do |res|
next unless res.code == 200 && res.body =~ /INSERT INTO/
found << WPScan::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
end
found
end
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 200
return true if res.effective_url.end_with?('.zip') &&
res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
Browser.get(res.effective_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN ? true : false
end
# @param [ Hash ] opts
# @option opts [ String ] :list Mandatory
#

2
app/finders/interesting_findings/tmm_db_migrate.rb
View File

@@ -7,7 +7,7 @@ module WPScan
def aggressive(_opts = {})
path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
url = target.url(path)
res = Browser.get(url)
res = browser.forge_request(url, target.head_or_get_request_params).run
return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i

13
app/finders/interesting_findings/upload_sql_dump.rb
View File

@@ -3,24 +3,25 @@ module WPScan
module InterestingFindings
# UploadSQLDump finder
class UploadSQLDump < CMSScanner::Finders::Finder
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
# @return [ InterestingFinding ]
def aggressive(_opts = {})
url = dump_url
res = Browser.get(url)
head_res = browser.forge_request(dump_url, target.head_or_get_request_params).run
return unless res.code == 200 && res.body =~ SQL_PATTERN
return unless head_res.code == 200
return unless Browser.get(dump_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN
WPScan::UploadSQLDump.new(
url,
dump_url,
confidence: 100,
found_by: DIRECT_ACCESS
)
end
def dump_url
target.url('wp-content/uploads/dump.sql')
@dump_url ||= target.url('wp-content/uploads/dump.sql')
end
end
end

6
app/finders/timthumbs/known_locations.rb
View File

@@ -22,15 +22,13 @@ module WPScan
end
# @param [ Typhoeus::Response ] res
# @param [ Regexp,nil ] exclude_content
# @param [ Regexp, nil ] exclude_content
#
# @return [ Boolean ]
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 400
full_res = Browser.get(res.effective_url, cache_ttl: 0)
full_res.body =~ /no image specified/i ? true : false
Browser.get(res.effective_url).body =~ /no image specified/i ? true : false
end
# @param [ Hash ] opts

29
lib/wpscan/finders.rb
View File

@@ -39,9 +39,6 @@ module WPScan
#
# @yield [ Typhoeus::Response, String ]
def enumerate(urls, opts = {})
determine_request_params(urls, opts)
# determine_valid_response_codes(opts)
create_progress_bar(opts.merge(total: urls.size))
urls.each do |url, slug|
@@ -59,6 +56,11 @@ module WPScan
hydra.run
end
# @return [ Hash ]
def request_params
@request_params ||= target.head_or_get_request_params.merge(cache_ttl: 0)
end
# @param [ Typhoeus::Response ] res
# @param [ Regexp,nil ] exclude_content
#
@@ -71,7 +73,9 @@ module WPScan
# Perform a full get to check if homepage or custom 404
if res.code == 200
full_res = Browser.get(res.effective_url, cache_ttl: 0)
# The cache is not disabled to avoid additional request/s when checking
# for directory listing
full_res = Browser.get(res.effective_url)
return false if target.homepage_or_404?(full_res) ||
exclude_content && full_res.body.match(exclude_content)
@@ -81,23 +85,6 @@ module WPScan
end
# rubocop:enable Metrics/PerceivedComplexity
# @return [ Hash ]
def request_params
@request_params ||= { cache_ttl: 0 }
end
# @param [ Hash ] urls
# @param [ Hash ] opts
def determine_request_params(urls, _opts)
head_res = Browser.head(urls.first[0], cache_ttl: 0)
@request_params = if head_res.code == 405
{ method: :get, maxfilesize: 1, cache_ttl: 0 }
else
{ method: :head, cache_ttl: 0 }
end
end
# @return [ Array<Integer> ]
def valid_response_codes
@valid_response_codes ||= [200, 401, 403, 301]

9
lib/wpscan/target.rb
View File

@@ -5,6 +5,15 @@ module WPScan
class Target < CMSScanner::Target
include Platform::WordPress
# @return [ Hash ]
def head_or_get_request_params
@head_or_get_request_params ||= if Browser.head(url).code == 405
{ method: :get, maxfilesize: 1 }
else
{ method: :head }
end
end
# @return [ Boolean ]
def vulnerable?
[@wp_version, @main_theme, @plugins, @themes, @timthumbs].each do |e|

20
spec/app/finders/db_exports/known_locations_spec.rb
View File

@@ -25,10 +25,10 @@ describe WPScan::Finders::DbExports::KnownLocations do
describe '#aggressive' do
before do
expect(target).to receive(:sub_dir).at_least(1).and_return(false)
expect(target).to receive(:homepage_or_404?).at_least(1).and_return(false)
expect(target).to receive(:head_or_get_request_params).and_return(method: :head)
finder.potential_urls(opts).each_key do |url|
stub_request(:get, url).to_return(status: 404)
stub_request(:head, url).to_return(status: 404)
end
end
@@ -38,20 +38,28 @@ describe WPScan::Finders::DbExports::KnownLocations do
end
end
context 'when a zip returns a 200' do
xit
end
context 'when some files exist' do
let(:files) { %w[ex.sql backups/db_backup.sql] }
let(:found_files) { %w[ex.sql backups/db_backup.sql] }
let(:db_export) { File.read(fixtures.join('dump.sql')) }
before do
files.each do |file|
stub_request(:get, "#{url}#{file}").to_return(body: db_export)
found_files.each do |file|
stub_request(:head, "#{url}#{file}").to_return(status: 200)
stub_request(:get, "#{url}#{file}")
.with(headers: { 'Range' => 'bytes=0-3000' })
.to_return(body: db_export)
end
end
it 'returns the expected Array<DbExport>' do
expected = []
files.each do |file|
found_files.each do |file|
url = "#{target.url}#{file}"
expected << WPScan::DbExport.new(
url,

14
spec/app/finders/interesting_findings/upload_sql_dump_spec.rb
View File

@@ -6,13 +6,16 @@ describe WPScan::Finders::InterestingFindings::UploadSQLDump do
let(:wp_content) { 'wp-content' }
describe '#aggressive' do
before { expect(target).to receive(:content_dir).at_least(1).and_return(wp_content) }
before do
expect(target).to receive(:content_dir).at_least(1).and_return(wp_content)
expect(target).to receive(:head_or_get_request_params).and_return(method: :head)
end
after { expect(finder.aggressive).to eql @expected }
after { expect(finder.aggressive).to eql @expected }
context 'when not a 200' do
it 'returns nil' do
stub_request(:get, finder.dump_url).to_return(status: 404)
stub_request(:head, finder.dump_url).to_return(status: 404)
@expected = nil
end
@@ -20,8 +23,11 @@ describe WPScan::Finders::InterestingFindings::UploadSQLDump do
context 'when a 200' do
before do
stub_request(:head, finder.dump_url).to_return(status: 200)
stub_request(:get, finder.dump_url)
.to_return(status: 200, body: File.read(fixtures.join(fixture)))
.with(headers: { 'Range' => 'bytes=0-3000' })
.to_return(body: File.read(fixtures.join(fixture)))
end
context 'when the body does not match a SQL dump' do