@return [ String ] The user agent, according to the user_agent_mode
-
-
-
-
-
-# File lib/common/browser/options.rb, line 67
-defuser_agent
- case@user_agent_mode
- when'semi-static'
- unless@user_agent
- @user_agent = @available_user_agents.sample
- end
- when'random'
- @user_agent = @available_user_agents.sample
- end
- @user_agent
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- user_agent_mode=(ua_mode)
- click to toggle source
-
-
-
-
-
-
Sets the user_agent_mode, which
-can be one of the following:
-
-
static: The UA is defined by the user, and will be the same in each requests
-semi-static: The UA is randomly chosen at the first request, and will not change
-random: UA randomly chosen each request
-# File lib/common/browser/options.rb, line 53
-defuser_agent_mode=(ua_mode)
- ua_mode||='static'
-
- ifUSER_AGENT_MODES.include?(ua_mode)
- @user_agent_mode = ua_mode
- # For semi-static user agent mode, the user agent has to
- # be nil the first time (it will be set with the getter)
- @user_agent = nilifua_mode==='semi-static'
- else
- raise"Unknow user agent mode : '#{ua_mode}'"
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Protected Instance Methods
-
-
-
-
-
-
-
- invalid_proxy_auth_format()
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/browser/options.rb, line 135
-definvalid_proxy_auth_format
- 'Invalid proxy auth format, expected username:password or {proxy_username: username, proxy_password: password}'
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- override_config(options = {})
- click to toggle source
-
-
-
-
-
-
Override with the options if they are set @param [ Hash ] options
-
-
@return [ void ]
-
-
-
-
-
-# File lib/common/browser/options.rb, line 143
-defoverride_config(options = {})
- options.eachdo|option, value|
- ifvalue!=nilandOPTIONS.include?(option)
- self.send(:"#{option}=", value)
- end
- end
-end
The serializer must have the 2 methods .load and .dump
-
-
(Marshal and YAML have them)
-
-
YAML is Human Readable, contrary to Marshal which store in a binary format
-Marshal does not need any “require”
-
-
-
-
-
-# File lib/common/cache_file_store.rb, line 19
-definitialize(storage_path, serializer = Marshal)
- @storage_path = File.expand_path(storage_path)
- @serializer = serializer
-
- # File.directory? for ruby <= 1.9 otherwise,
- # it makes more sense to do Dir.exist? :/
- unlessFile.directory?(@storage_path)
- Dir.mkdir(@storage_path)
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Public Instance Methods
-
-
-
-
-
-
-
- clean()
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/cache_file_store.rb, line 30
-defclean
- Dir[File.join(@storage_path, '*')].eachdo|f|
- File.delete(f) unlessFile.symlink?(f)
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- get_entry_file_path(key)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/cache_file_store.rb, line 56
-defget_entry_file_path(key)
- File::join(@storage_path, key)
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- read_entry(key)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/cache_file_store.rb, line 36
-defread_entry(key)
- entry_file_path = get_entry_file_path(key)
-
- ifFile.exists?(entry_file_path)
- return@serializer.load(File.read(entry_file_path))
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- write_entry(key, data_to_store, cache_ttl)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/cache_file_store.rb, line 44
-defwrite_entry(key, data_to_store, cache_ttl)
- ifcache_ttl>0
- File.open(get_entry_file_path(key), 'w') do|f|
- begin
- f.write(@serializer.dump(data_to_store))
- rescue
- nil# spec fix for "can't dump hash with default proc" when stub_request with response headers
- end
- end
- end
-end
-# File lib/wpstools/plugins/checker/checker_plugin.rb, line 4
-definitialize
- super(author:'WPScanTeam - @erwanlr')
-
- register_options(
- ['--check-vuln-ref-urls', '--cvru', 'Check all the vulnerabilities reference urls for 404'],
- ['--check-local-vulnerable-files LOCAL_DIRECTORY', '--clvf', 'Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells']
- )
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Public Instance Methods
-
-
-
-
-
-
-
- check_local_vulnerable_files(dir_to_scan)
- click to toggle source
-
-# File lib/common/custom_option_parser.rb, line 14
-defadd(options)
- ifoptions.is_a?(Array)
- ifoptions[0].is_a?(Array)
- options.eachdo|option|
- add_option(option)
- end
- else
- add_option(options)
- end
- else
- raise"Options must be at least an Array, or an Array(Array). #{options.class} supplied"
- end
-end
This program is free software: you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by the Free
-Software Foundation, either version 3 of the License, or (at your option)
-any later version.
-
-
This program is distributed in the hope that it will be useful, but WITHOUT
-ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
-more details.
-
-
You should have received a copy of the GNU General Public License along
-with this program. If not, see <www.gnu.org/licenses/>.
-# File lib/wpstools/plugins/list_generator/list_generator_plugin.rb, line 4
-definitialize
- super(author:'WPScanTeam - @FireFart')
-
- register_options(
- ['--generate-plugin-list [NUMBER_OF_PAGES]', '--gpl', Integer, 'Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)'],
- ['--generate-full-plugin-list', '--gfpl', 'Generate a new full data/plugins.txt file'],
-
- ['--generate-theme-list [NUMBER_OF_PAGES]', '--gtl', Integer, 'Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 150)'],
- ['--generate-full-theme-list', '--gftl', 'Generate a new full data/themes.txt file'],
-
- ['--generate-all', '--ga', 'Generate a new full plugins, full themes, popular plugins and popular themes list']
- )
-end
- colorize(text, color_code)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/common_helper.rb, line 102
-defcolorize(text, color_code)
- "\e[#{color_code}m#{text}\e[0m"
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- get_equal_string_end(stringarray = [''])
- click to toggle source
-
-
-
-
-
-
Gets the string all elements in stringarray ends with
-
-
-
-
-
-# File lib/common/common_helper.rb, line 126
-defget_equal_string_end(stringarray = [''])
- already_found = ''
- looping = true
- counter = -1
- # remove nils (# Issue #232)
- stringarray = stringarray.compact
- ifstringarray.kind_of?Arrayandstringarray.length>1
- base = stringarray.first
- whilelooping
- character = base[counter, 1]
- stringarray.eachdo|s|
- ifs[counter, 1] !=character
- looping = false
- break
- end
- end
- iflooping==falseor (counter * -1) >base.length
- break
- end
- already_found = "#{character if character}#{already_found}"
- counter-=1
- end
- end
- already_found
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- green(text)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/common/common_helper.rb, line 110
-defgreen(text)
- colorize(text, 32)
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- help()
- click to toggle source
-
-
-
-
-
-
command help
-
-
-
-
-
-# File lib/wpscan/wpscan_helper.rb, line 59
-defhelp
- puts'Help :'
- puts
- puts'Some values are settable in conf/browser.conf.json :'
- puts' user-agent, proxy, proxy-auth, threads, cache timeout and request timeout'
- puts
- puts'--update Update to the latest revision'
- puts'--url | -u <target url> The WordPress URL/domain to scan.'
- puts'--force | -f Forces WPScan to not check if the remote site is running WordPress.'
- puts'--enumerate | -e [option(s)] Enumeration.'
- puts' option :'
- puts' u usernames from id 1 to 10'
- puts' u[10-20] usernames from id 10 to 20 (you must write [] chars)'
- puts' p plugins'
- puts' vp only vulnerable plugins'
- puts' ap all plugins (can take a long time)'
- puts' tt timthumbs'
- puts' t themes'
- puts' vt only vulnerable themes'
- puts' at all themes (can take a long time)'
- puts' Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins'
- puts' If no option is supplied, the default is "vt,tt,u,vp"'
- puts
- puts'--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied'
- puts' You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)'
- puts'--config-file | -c <config file> Use the specified config file'
- puts'--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
- puts'--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed'
- puts'--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
- puts'--proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json).'
- puts' HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used'
- puts'--proxy-auth <username:password> Supply the proxy login credentials (will override the one from conf/browser.conf.json).'
- puts'--basic-auth <username:password> Set the HTTP Basic authentication'
- puts'--wordlist | -w <wordlist> Supply a wordlist for the password bruter and do the brute.'
- puts'--threads | -t <number of threads> The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)'
- puts'--username | -U <username> Only brute force the supplied username.'
- puts'--help | -h This help screen.'
- puts'--verbose | -v Verbose output.'
- puts
-end
-# File lib/common/common_helper.rb, line 48
-defrequire_files_from_directory(absolute_dir_path, files_pattern = '*.rb')
- files = Dir[File.join(absolute_dir_path, files_pattern)]
-
- # Files in the root dir are loaded first, then thoses in the subdirectories
- files.sort_by { |file| [file.count("/"), file] }.eachdo|f|
- f = File.expand_path(f)
- #puts "require #{f}" # Used for debug
- requiref
- end
-end
-# File lib/common/plugins/plugin.rb, line 15
-defregister_options(*options)
- options.eachdo|option|
- unlessoption.is_a?(Array)
- raise"Each option must be an array, #{option.class} supplied"
- end
- end
- @registered_options = options
-end
-# File lib/common/plugins/plugins.rb, line 26
-defregister_plugin(plugin)
- ifplugin.is_a?(Plugin)
- self<<plugin
-
- # A plugin may not have options
- ifplugin_options = plugin.registered_options
- @option_parser.add(plugin_options)
- end
- else
- raise"The argument must be an instance of Plugin, #{plugin.class} supplied"
- end
-end
WPScan - WordPress Security Scanner Copyright (C) 2011-2013 The WPScan Team
-
-
This program is free software: you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by the Free
-Software Foundation, either version 3 of the License, or (at your option)
-any later version.
-
-
This program is distributed in the hope that it will be useful, but WITHOUT
-ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
-more details.
-
-
You should have received a copy of the GNU General Public License along
-with this program. If not, see <www.gnu.org/licenses/>.
-
-
ryandewhurst at gmail
-
-
INSTALL==
-
-
WPScan comes pre-installed on the following Linux distributions:
-
- * BackBox Linux
- * BackTrack Linux
- * Pentoo
- * SamuraiWTF
-
-Prerequisites:
-
- * Windows not supported
- * Ruby >= 1.9.2 - Recommended: 1.9.3
- * Curl >= 7.21 - Recommended: latest - FYI the 7.29 has a segfault
- * RubyGems - Recommended: latest
- * Git
-
--> Installing on Debian/Ubuntu:
-
- sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
- git clone https://github.com/wpscanteam/wpscan.git
- cd wpscan
- sudo gem install bundler && bundle install --without test development
-
--> Installing on Fedora:
-
- sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel
- git clone https://github.com/wpscanteam/wpscan.git
- cd wpscan
- sudo gem install bundler && bundle install --without test development
-
--> Installing on Archlinux:
-
- pacman -Syu ruby
- pacman -Syu libyaml
-
- git clone https://github.com/wpscanteam/wpscan.git
- cd wpscan
- sudo gem install bundler && bundle install --without test development
-
- gem install typhoeus
- gem install nokogiri
-
--> Installing on Mac OS X:
-
- git clone https://github.com/wpscanteam/wpscan.git
- cd wpscan
- sudo gem install bundler && bundle install --without test development
-
-
KNOWN ISSUES==
-
-
- Typhoeus segmentation fault:
- Update cURL to version => 7.21 (may have to install from source)
- See http://code.google.com/p/wpscan/issues/detail?id=81
-
-- Proxy not working:
- Update cURL to version => 7.21.7 (may have to install from source).
-
- Installation from sources :
- - Grab the sources from http://curl.haxx.se/download.html
- - Decompress the archive
- - Open the folder with the extracted files
- - Run ./configure
- - Run make
- - Run sudo make install
- - Run sudo ldconfig
-
-- cannot load such file -- readline:
- Run sudo aptitude install libreadline5-dev libncurses5-dev
-
- Then, open the directory of the readline gem (you have to locate it)
-
- cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
- ruby extconf.rb
- make
- make install
-
- See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
-
-- no such file to load -- rubygems
- Run update-alternatives --config ruby
- And select your ruby version
-
- See https://github.com/wpscanteam/wpscan/issues/148
-
-
WPSCAN ARGUMENTS==
-
-
–update Update to the latest revision
-
-
–url | -u <target url> The WordPress URL/domain to scan.
-
-
–force | -f Forces WPScan to not check if the remote site is running
-WordPress.
-
-
–enumerate | -e [option(s)] Enumeration.
-
-
option :
- u usernames from id 1 to 10
- u[10-20] usernames from id 10 to 20 (you must write [] chars)
- p plugins
- vp only vulnerable plugins
- ap all plugins (can take a long time)
- tt timthumbs
- t themes
- vp only vulnerable themes
- at all themes (can take a long time)
-Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
-If no option is supplied, the default is 'vt,tt,u,vp'
-
-
–exclude-content-based ‘<regexp or string>’ Used with the
-enumeration option, will exclude all occurrences based on the regexp or
-string supplied
-
-
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
-
-
–config-file | -c <config file> Use the specified config file
-
-
–follow-redirection If the target url has a redirection, it will be
-followed without asking if you wanted to do so or not
-
-
–wp-content-dir <wp content dir> WPScan try to find the content
-directory (ie wp-content) by scanning the index page, however you can
-specified it. Subdirectories are allowed
-
-
–wp-plugins-dir <wp plugins dir> Same thing than –wp-content-dir but
-for the plugins directory. If not supplied, WPScan will use
-wp-content-dir/plugins. Subdirectories are allowed
-
-
–proxy <[protocol://]host:port> Supply a proxy (will override the
-one from conf/browser.conf.json).
-
-
HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
-
-
–proxy-auth <username:password> Supply the proxy login credentials
-(will override the one from conf/browser.conf.json).
-
-
–basic-auth <username:password> Set the HTTP Basic authentication
-
-
–wordlist | -w <wordlist> Supply a wordlist for the password bruter
-and do the brute.
-
-
–threads | -t <number of threads> The number of threads to use when
-multi-threading requests. (will override the value from
-conf/browser.conf.json)
-
-
–username | -U <username> Only brute force the supplied username.
-
-
–help | -h This help screen.
-
-
–verbose | -v Verbose output.
-
-
WPSCAN EXAMPLES==
-
-
Do ‘non-intrusive’ checks…
-
-
ruby wpscan.rb --url www.example.com
-
-
Do wordlist password brute force on enumerated users using 50 threads…
–help | -h This help screen. –Verbose | -v Verbose output. –update
-| -u Update to the latest revision. –generate_plugin_list [number of
-pages] Generate a new data/plugins.txt file. (supply number of
-pages to parse, default : 150) –gpl Alias for –generate_plugin_list
-–check-local-vulnerable-files | –clvf <local directory> Perform a
-recursive scan in the <local directory> to find vulnerable files or
-shells
-
-
WPSTOOLS EXAMPLES==
-
-
Generate a new ‘most popular’ plugin list, up to 150 pages …
-# File lib/common/version_compare.rb, line 11
-defself.is_newer_or_same?(version1, version2)
- returntrueif (version1==version2)
- # Both versions must be set
- returnfalseunless (version1andversion2)
- returnfalseif (version1.empty?orversion2.empty?)
- begin
- returntrueif (Gem::Version.new(version1) <Gem::Version.new(version2))
- rescueArgumentError =>e
- # Example: ArgumentError: Malformed version number string a
- returnfalseife.message=~/Malformed version number string/
- raise
- end
- returnfalse
- end
@param [ String ] title The title of the vulnerability @param [ String ]
-type The type of the vulnerability @param [ Array
-] references References urls @param [ Array ] metasploit_modules
-Metasploit modules for the vulnerability @param [ String ] fixed_in Vuln fixed in
-Version X
@option options [ Hash ] :error_404_hash The hash of the error 404 page
-@option options [ Hash ] :homepage_hash The hash of the homepage @option
-options [ Hash ] :exclude_content A regexp with the pattern to exclude from
-the body of the response
-
-
@return [ Boolean ]
-
-
-
-
-
-# File lib/common/models/wp_item/existable.rb, line 30
-defexists_from_response?(response, options = {})
- if [200, 401, 403].include?(response.code)
- ifresponse.has_valid_hash?(options[:error_404_hash], options[:homepage_hash])
- ifoptions[:exclude_content]
- unlessresponse.body.match(options[:exclude_content])
- returntrue
- end
- else
- returntrue
- end
- end
- end
- false
-end
Discover any error_log files created by WordPress These are created by the
-WordPress error_log() function They are normally found in the /plugins/
-directory, however can also be found in their specific plugin dir. www.exploit-db.com/ghdb/3714/
- malware_pattern(url_regex)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wp_target/malwares.rb, line 43
-defself.malware_pattern(url_regex)
- # no need to escape regex here, because malware.txt contains regex
- %{<(?:script|iframe).* src=(?:"|')(#{url_regex}[^"']*)(?:"|')[^>]*>}
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- malwares_file(malwares_file_path)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wp_target/malwares.rb, line 39
-defself.malwares_file(malwares_file_path)
- malwares_file_path||DATA_DIR+'/malwares.txt'
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Public Instance Methods
-
-
-
-
-
-
-
- has_malwares?(malwares_file_path = nil)
- click to toggle source
-
-# File lib/wpscan/wp_target/wp_custom_directories.rb, line 6
-defwp_content_dir
- unless@wp_content_dir
- index_body = Browser.get(@uri.to_s).body
- uri_path = @uri.path# Only use the path because domain can be text or an IP
-
- ifindex_body[/\/wp-content\/(?:themes|plugins)\//] ||default_wp_content_dir_exists?
- @wp_content_dir = 'wp-content'
- else
- domains_excluded = '(?:www\.)?(facebook|twitter)\.com'
- @wp_content_dir = index_body[/(?:href|src)\s*=\s*(?:"|').+#{Regexp.escape(uri_path)}((?!#{domains_excluded})[^"']+)\/(?:themes|plugins)\/.*(?:"|')/, 1]
- end
- end
-
- @wp_content_dir
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- wp_plugins_dir()
- click to toggle source
-
-
-
-
-
-
@return [ String ] The wp-plugins directory
-
-
-
-
-
-# File lib/wpscan/wp_target/wp_custom_directories.rb, line 35
-defwp_plugins_dir
- unless@wp_plugins_dir
- @wp_plugins_dir = "#{wp_content_dir}/plugins"
- end
- @wp_plugins_dir
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- wp_plugins_dir_exists?()
- click to toggle source
-
-
-
-
-
-
@return [ Boolean ]
-
-
-
-
-
-# File lib/wpscan/wp_target/wp_custom_directories.rb, line 43
-defwp_plugins_dir_exists?
- Browser.get(@uri.merge(wp_plugins_dir).to_s).code!=404
-end
-# File lib/wpscan/wp_target/wp_registrable.rb, line 32
-defmultisite?
- unless@multisite
- # when multi site, there is no redirection or a redirect to the site itself
- # otherwise redirect to wp-login.php
- resp = Browser.get(@uri.merge('wp-signup.php').to_s)
-
- ifresp.code==302andresp.headers_hash['location'] =~/wp-login\.php\?action=register/
- @multisite = false
- elsifresp.code==302andresp.headers_hash['location'] =~/wp-signup\.php/
- @multisite = true
- elsifresp.code==200
- @multisite = true
- else
- @multisite = false
- end
- end
- @multisite
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- registration_enabled?()
- click to toggle source
-
-
-
-
-
-
Should check wp-login.php if registration is enabled or not
-
-
@return [ Boolean ]
-
-
-
-
-
-# File lib/wpscan/wp_target/wp_registrable.rb, line 8
-defregistration_enabled?
- resp = Browser.get(registration_url)
- # redirect only on non multi sites
- ifresp.code==302andresp.headers_hash['location'] =~/wp-login\.php\?registration=disabled/
- enabled = false
- # multi site registration form
- elsifresp.code==200andresp.body=~/<form id="setupform" method="post" action="[^"]*wp-signup\.php[^"]*">/
- enabled = true
- # normal registration form
- elsifresp.code==200andresp.body=~/<form name="registerform" id="registerform" action="[^"]*wp-login\.php[^"]*"/
- enabled = true
- # registration disabled
- else
- enabled = false
- end
- enabled
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- registration_url()
- click to toggle source
-
-
-
-
-
-
@return [ String ] The registration URL
-
-
-
-
-
-# File lib/wpscan/wp_target/wp_registrable.rb, line 27
-defregistration_url
- multisite??@uri.merge('wp-signup.php').to_s:@uri.merge('wp-login.php?action=register').to_s
-end
It can take a long time to queue 2 million requests, for that reason, we
-queue browser.max_threads, send browser.max_threads, queue
-browser.max_threads and so on.
-
-
hydra.run only returns when it has recieved all of its, responses. This
-means that while we are waiting for browser.max_threads, responses, we are
-waiting…
Uses data/wp_versions.xml to try to identify a wordpress version.
-
-
It does this by using client side file hashing
-
-
/!\ Warning : this method might return false positive if the file used for
-fingerprinting is part of a theme (they can be updated)
-
-
@param [ URI ] target_uri @param [ String ]
-wp_content_dir @param [ String ] wp_plugins_dir @param [ String ]
-versions_xml The path to the xml containing all versions
-
-
@return [ String ] The version number
-
-
-
-
-
-# File lib/common/models/wp_version/findable.rb, line 153
-deffind_from_advanced_fingerprinting(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
- xml = xml(versions_xml)
-
- # This wp_item will take care of encoding the path
- # and replace variables like $wp-content$ & $wp-plugins$
- wp_item = WpItem.new(target_uri,
- wp_content_dir:wp_content_dir,
- wp_plugins_dir:wp_plugins_dir)
-
- xml.xpath('//file').eachdo|node|
- wp_item.path = node.attribute('src').text
-
- response = Browser.get(wp_item.url)
- md5sum = Digest::MD5.hexdigest(response.body)
-
- node.search('hash').eachdo|hash|
- ifhash.attribute('md5').text==md5sum
- returnhash.search('version').text
- end
- end
- end
- nil
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- find_from_atom_generator(target_uri)
- click to toggle source
-
-
-
-
-
-
Attempts to find the WordPress version from, the generator tag in the Atom
-source.
-# File lib/common/models/wp_version/output.rb, line 5
-defoutput
- putsgreen('[+]') +" WordPress version #{self.number} identified from #{self.found_from}"
-
- vulnerabilities = self.vulnerabilities
-
- unlessvulnerabilities.empty?
- puts
- putsred('[!]') +" We have identified #{vulnerabilities.size} vulnerabilities from the version number :"
-
- vulnerabilities.output
- end
-end
- enumerate_all_plugins=(enumerate_all_plugins)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 92
-defenumerate_all_plugins=(enumerate_all_plugins)
- ifenumerate_all_plugins===trueand (@enumerate_plugins===trueor@enumerate_only_vulnerable_plugins===true)
- raise'Please choose only one plugin enumeration option'
- else
- @enumerate_all_plugins = enumerate_all_plugins
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_all_themes=(enumerate_all_themes)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 116
-defenumerate_all_themes=(enumerate_all_themes)
- ifenumerate_all_themes===trueand (@enumerate_themes===trueor@enumerate_only_vulnerable_themes===true)
- raise'Please choose only one theme enumeration option'
- else
- @enumerate_all_themes = enumerate_all_themes
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_only_vulnerable_plugins=(enumerate_only_vulnerable_plugins)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 84
-defenumerate_only_vulnerable_plugins=(enumerate_only_vulnerable_plugins)
- ifenumerate_only_vulnerable_plugins===trueand (@enumerate_all_plugins===trueor@enumerate_plugins===true)
- raise'Please choose only one plugin enumeration option'
- else
- @enumerate_only_vulnerable_plugins = enumerate_only_vulnerable_plugins
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 108
-defenumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
- ifenumerate_only_vulnerable_themes===trueand (@enumerate_all_themes===trueor@enumerate_themes===true)
- raise'Please choose only one theme enumeration option'
- else
- @enumerate_only_vulnerable_themes = enumerate_only_vulnerable_themes
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_options_from_string(value)
- click to toggle source
-
-
-
-
-
-
Will set enumerate_* from the string value IE : if value = vp =>
-:enumerate_only_vulnerable_plugins will be set to true multiple enumeration
-are possible : ‘u,p’ => :enumerate_usernames and :enumerate_plugins
-Special case for usernames, a range is possible : u will enumerate usernames from 1 to 10
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 188
-defenumerate_options_from_string(value)
- # Usage of self is mandatory because there are overridden setters
-
- value = value.split(',').map { |c|c.downcase }
-
- self.enumerate_only_vulnerable_plugins = trueifvalue.include?('vp')
-
- self.enumerate_plugins = trueifvalue.include?('p')
-
- self.enumerate_all_plugins = trueifvalue.include?('ap')
-
- @enumerate_timthumbs = trueifvalue.include?('tt')
-
- self.enumerate_only_vulnerable_themes = trueifvalue.include?('vt')
-
- self.enumerate_themes = trueifvalue.include?('t')
-
- self.enumerate_all_themes = trueifvalue.include?('at')
-
- value.grep(/^u/) do|username_enum_value|
- @enumerate_usernames = true
- # Check for usernames range
- matches = %{\[([\d]+)-([\d]+)\]}.match(username_enum_value)
- ifmatches
- @enumerate_usernames_range = (matches[1].to_i..matches[2].to_i)
- end
- end
-
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_plugins=(enumerate_plugins)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 76
-defenumerate_plugins=(enumerate_plugins)
- ifenumerate_plugins===trueand (@enumerate_all_plugins===trueor@enumerate_only_vulnerable_plugins===true)
- raise'Please choose only one plugin enumeration option'
- else
- @enumerate_plugins = enumerate_plugins
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- enumerate_themes=(enumerate_themes)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 100
-defenumerate_themes=(enumerate_themes)
- ifenumerate_themes===trueand (@enumerate_all_themes===trueor@enumerate_only_vulnerable_themes===true)
- raise'Please choose only one theme enumeration option'
- else
- @enumerate_themes = enumerate_themes
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- has_options?()
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 133
-defhas_options?
- !to_h.empty?
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- proxy=(proxy)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 60
-defproxy=(proxy)
- ifproxy.index(':') ==nil
- raise'Invalid proxy format. Should be host:port.'
- else
- @proxy = proxy
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- proxy_auth=(auth)
- click to toggle source
-
-
-
-
-
-
-
-
-
-
-
-# File lib/wpscan/wpscan_options.rb, line 68
-defproxy_auth=(auth)
- ifauth.index(':') ==nil
- raise'Invalid proxy auth format, username:password expected'
- else
- @proxy_auth = auth
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- set_option_from_cli(cli_option, cli_value)
- click to toggle source
-
![[+]](./images/find.png "show/hide quicksearch"){kind=small}
![[+]](../images/find.png "show/hide quicksearch"){kind=small}
![[+]](../../images/find.png "show/hide quicksearch"){kind=small}