Fixes #1322

2019-03-22 20:20:07 +00:00
parent 8b18204a69
commit 231f5157bf
8 changed files with 63 additions and 45 deletions
--- a/app/finders/interesting_findings/tmm_db_migrate.rb
+++ b/app/finders/interesting_findings/tmm_db_migrate.rb
@@ -7,7 +7,7 @@ module WPScan
        def aggressive(_opts = {})
          path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
          url  = target.url(path)
-          res  = Browser.get(url)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run

          return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i

--- a/app/finders/interesting_findings/upload_sql_dump.rb
+++ b/app/finders/interesting_findings/upload_sql_dump.rb
@@ -3,24 +3,25 @@ module WPScan
    module InterestingFindings
      # UploadSQLDump finder
      class UploadSQLDump < CMSScanner::Finders::Finder
-        SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze

        # @return [ InterestingFinding ]
        def aggressive(_opts = {})
-          url = dump_url
-          res = Browser.get(url)
+          head_res = browser.forge_request(dump_url, target.head_or_get_request_params).run

-          return unless res.code == 200 && res.body =~ SQL_PATTERN
+          return unless head_res.code == 200
+
+          return unless Browser.get(dump_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN

          WPScan::UploadSQLDump.new(
-            url,
+            dump_url,
            confidence: 100,
            found_by: DIRECT_ACCESS
          )
        end

        def dump_url
-          target.url('wp-content/uploads/dump.sql')
+          @dump_url ||= target.url('wp-content/uploads/dump.sql')
        end
      end
    end