garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

-) more rspec tests

Browse Source 
-) Bugfixing
This commit is contained in:
Christian Mehlmauer
2012-09-19 21:47:34 +02:00
parent 1684810431
commit 2a46dc3f40
17 changed files with 125 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/wpscan/modules/brute_force.rb
View File

@@ -45,9 +45,11 @@ module BruteForce
# the request object
request = Browser.instance.forge_request(login_url,
{
:method => :post,
:params => {:log => username, :pwd => password},
:cache_timeout => 0
}
)
# tell hydra what to do when the request completes

6
lib/wpscan/modules/web_site.rb
View File

@@ -24,16 +24,14 @@ module WebSite
wordpress = false
response = Browser.instance.get(login_url(),
:follow_location => true,
:max_redirects => 2
{ :follow_location => true, :max_redirects => 2 }
)
if response.body =~ %r{WordPress}i
wordpress = true
else
response = Browser.instance.get(xmlrpc_url(),
:follow_location => true,
:max_redirects => 2
{ :follow_location => true, :max_redirects => 2 }
)
if response.body =~ %r{XML-RPC server accepts POST requests only}i

10
lib/wpscan/modules/wp_plugins.rb
View File

@@ -22,8 +22,8 @@ module WpPlugins
#
# return array of WpPlugin
def plugins_from_aggressive_detection(options)
options[:file] = "#{DATA_DIR}/plugins.txt"
options[:vulns_file] = "#{DATA_DIR}/plugin_vulns.xml"
options[:file] = options[:file] || "#{DATA_DIR}/plugins.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/plugin_vulns.xml"
options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
options[:vulns_xpath_2] = "//plugin"
options[:type] = "plugins"
@@ -46,16 +46,16 @@ module WpPlugins
# <link rel='stylesheet' href='http://example.com/wp-content/plugins/wp-minify/..' type='text/css' media='screen'/>
# ...
# return array of WpPlugin
def plugins_from_passive_detection(wp_content_dir)
def plugins_from_passive_detection(options)
plugins = []
temp = WpDetector.passive_detection(url(), "plugins", wp_content_dir)
temp = WpDetector.passive_detection(options[:url], "plugins", options[:wp_content_dir])
temp.each do |item|
plugins << WpPlugin.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => wp_content_dir
:wp_content_dir => options[:wp_content_dir]
)
end
plugins.sort_by { |p| p.name }

10
lib/wpscan/modules/wp_themes.rb
View File

@@ -19,8 +19,8 @@
module WpThemes
def themes_from_aggressive_detection(options)
options[:file] = "#{DATA_DIR}/themes.txt"
options[:vulns_file] = "#{DATA_DIR}/wp_theme_vulns.xml"
options[:file] = options[:file] || "#{DATA_DIR}/themes.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/wp_theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:vulns_xpath_2] = "//theme"
options[:type] = "themes"
@@ -37,16 +37,16 @@ module WpThemes
themes.sort_by { |t| t.name }
end
def themes_from_passive_detection(wp_content_dir)
def themes_from_passive_detection(options)
themes = []
temp = WpDetector.passive_detection(url(), "themes", wp_content_dir)
temp = WpDetector.passive_detection(options[:url], "themes", options[:wp_content_dir])
temp.each do |item|
themes << WpTheme.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => wp_content_dir
:wp_content_dir => options[:wp_content_dir]
)
end
themes.sort_by { |t| t.name }

4
lib/wpscan/modules/wp_usernames.rb
View File

@@ -39,7 +39,7 @@ module WpUsernames
if response.code == 301 # username in location?
username = response.headers_hash['location'][%r{/author/([^/]+)/}i, 1]
# Get the real name from the redirect site
real_name = get_real_name_from_url(response.headers_hash['location'])
real_name = get_real_name_from_url(url)
elsif response.code == 200 # username in body?
username = response.body[%r{posts by (.*) feed}i, 1]
real_name = get_real_name_from_response(response)
@@ -62,7 +62,7 @@ module WpUsernames
end
def get_real_name_from_url(url)
resp = Browser.instance.get(url, :follow_location => true, :max_redirects => 2)
resp = Browser.instance.get(url, { :follow_location => true, :max_redirects => 2 })
real_name = nil
if resp.code == 200
real_name = extract_real_name_from_body(resp.body)

12
lib/wpscan/wp_enumerator.rb
View File

@@ -56,7 +56,7 @@ class WpEnumerator
end
url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}"
request = enum_browser.forge_request(url, :cache_timeout => 0, :follow_location => true)
request = enum_browser.forge_request(url, { :cache_timeout => 0, :follow_location => true })
request_count += 1
request.on_complete do |response|
@@ -116,23 +116,19 @@ class WpEnumerator
# We check if the plugin name from the plugin_vulns_file is already in targets, otherwise we add it
xml.xpath(options[:vulns_xpath_2]).each do |node|
item_name = node.attribute('name').text
if targets_url.grep(%r{/#{item_name}/}).empty?
name = node.attribute("name").text
targets_url << {
:url => url,
:path => item_name,
:path => name,
:wp_content_dir => wp_content_dir,
:name => item_name
:name => name
}
end
end
end
targets_url.flatten!
targets_url.uniq!
# randomize the plugins array to *maybe* help in some crappy IDS/IPS/WAF detection
targets_url.sort_by! { rand }
end
end

16
lib/wpscan/wp_item.rb
View File

@@ -83,9 +83,19 @@ class WpItem < Vulnerable
"#@name#{' v' + item_version.strip if item_version}"
end
# Object comparer
def ==(item)
item.name == @name
# Compare
def ==(other)
other.name == self.name
end
# Compare
def ===(other)
other.name == self.name
end
# Compare
def <=>(other)
other.name <=> self.name
end
# Url for readme.txt

16
lib/wpscan/wp_options.rb
View File

@@ -31,22 +31,6 @@
# * +error_404_hash+ - MD5 hash of a 404 page
# * +type+ - Type: plugins, themes
class WpOptions
def self.get_empty_options
options = {
:url => "",
:only_vulnerable_ones => false,
:file => "",
:vulns_file => "",
:vulns_xpath => "",
:vulns_xpath_2 => "",
:wp_content_dir => "",
:show_progress_bar => true,
:error_404_hash => "",
:type => ""
}
options
end
def self.check_options(options)
raise("url must be set") unless options[:url] != nil and options[:url].to_s.length > 0
raise("only_vulnerable_ones must be set") unless options[:only_vulnerable_ones] != nil

3
lib/wpscan/wp_plugin.rb
View File

@@ -20,6 +20,8 @@ class WpPlugin < WpItem
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/plugin_vulns.xml'
options[:vulns_xpath] = "//plugin[@name='#@name']/vulnerability"
options[:vulns_xpath_2] = "//plugin"
options[:type] = "plugins"
super(options)
end
@@ -36,5 +38,4 @@ class WpPlugin < WpItem
def error_log_url
get_url.merge("error_log").to_s
end
end

9
lib/wpscan/wp_target.rb
View File

@@ -117,4 +117,13 @@ class WpTarget
@uri.merge("#{wp_content_dir()}/debug.log").to_s
end
# Should check wp-login.php if registration is enabled or not
def registration_enabled?
# TODO
end
def registration_url
# TODO
end
end

4
lib/wpscan/wp_theme.rb
View File

@@ -24,7 +24,7 @@ class WpTheme < WpItem
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:vulns_xpath] = "//theme[@name='#@name']/vulnerability"
@version = options[:version]
@style_url = options[:style_url]
super(options)
@@ -56,7 +56,7 @@ class WpTheme < WpItem
# Discover the wordpress theme name by parsing the css link rel
def self.find_from_css_link(target_uri)
response = Browser.instance.get(target_uri.to_s, :follow_location => true, :max_redirects => 2)
response = Browser.instance.get(target_uri.to_s, { :follow_location => true, :max_redirects => 2 })
if matches = %r{https?://[^"']+/themes/([^"']+)/style.css}i.match(response.body)
style_url = matches[0]

4
lib/wpscan/wp_version.rb
View File

@@ -60,14 +60,14 @@ class WpVersion < Vulnerable
# that it is reinstated on upgrade.
def self.find_from_meta_generator(options)
target_uri = options[:url]
response = Browser.instance.get(target_uri.to_s, :follow_location => true, :max_redirects => 2)
response = Browser.instance.get(target_uri.to_s, { :follow_location => true, :max_redirects => 2 })
response.body[%r{name="generator" content="wordpress ([^"]+)"}i, 1]
end
def self.find_from_rss_generator(options)
target_uri = options[:url]
response = Browser.instance.get(target_uri.merge("feed/").to_s, :follow_location => true, :max_redirects => 2)
response = Browser.instance.get(target_uri.merge("feed/").to_s, { :follow_location => true, :max_redirects => 2 })
response.body[%r{<generator>http://wordpress.org/\?v=([^<]+)</generator>}i, 1]
end

86
spec/lib/wpscan/modules/wp_plugins_spec.rb
View File

@@ -22,19 +22,38 @@ shared_examples_for "WpPlugins" do
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_plugins'
@plugins_file = @fixtures_dir + "/plugins.txt"
@plugin_vulns_file = @fixtures_dir + "/plugin_vulns.xml"
@wp_url = "http://example.localhost/"
end
before :each do
@wp_url = "http://example.localhost"
@module = WpScanModuleSpec.new(@wp_url)
@module.error_404_hash = Digest::MD5.hexdigest("Error 404!")
@module.extend(WpPlugins)
@options = { :url => @wp_url,
:only_vulnerable_ones => true,
:only_vulnerable_ones => false,
:show_progress_bar => false,
:error_404_hash => @module.error_404_hash
:error_404_hash => Digest::MD5.hexdigest("Error 404!"),
:vulns_file => @plugin_vulns_file,
:file => @plugins_file,
:type => "plugins",
:wp_content_dir => "wp-content",
:vulns_xpath_2 => "//plugin"
}
File.exist?(@plugin_vulns_file).should == true
File.exist?(@plugins_file).should == true
target_hashes = WpEnumerator.generate_items(@options)
target_hashes.length.should > 0
@targets = []
target_hashes.each do |t|
@targets << WpPlugin.new(
:url => t[:url],
:path => "/plugins/#{t[:path]}",
:wp_content_dir => t[:wp_content_dir],
:name => t[:name])
end
@targets.length.should > 0
end
describe "#plugins_from_passive_detection" do
@@ -42,8 +61,7 @@ shared_examples_for "WpPlugins" do
it "should return an empty array" do
stub_request_to_fixture(:url => @module.url, :fixture => File.new(passive_detection_fixtures + '/no_plugins.htm'))
plugins = @module.plugins_from_passive_detection(@options)
plugins = @module.plugins_from_passive_detection(:url => @module.url, :wp_content_dir => "wp-content")
plugins.should be_empty
end
@@ -66,42 +84,31 @@ shared_examples_for "WpPlugins" do
:name => plugin_name)
end
plugins = @module.plugins_from_passive_detection(@options)
plugins = @module.plugins_from_passive_detection(:url => @module.url, :wp_content_dir => "wp-content")
plugins.should_not be_empty
plugins.sort.should === expected_plugins.sort
plugins.length.should == expected_plugins.length
plugins.sort.should == expected_plugins.sort
end
end
describe "#plugins_from_aggressive_detection" do
before :each do
@wp_url = "http://example.localhost"
@module = WpScanModuleSpec.new(@wp_url)
@module.error_404_hash = Digest::MD5.hexdigest("Error 404!")
@module.extend(WpPlugins)
@options = { :url => @wp_url,
:only_vulnerable_ones => true,
:show_progress_bar => false,
:error_404_hash => @module.error_404_hash,
:vulns_file => @plugin_vulns_file,
:file => @plugins_file
}
@targets_url = WpEnumerator.generate_items(@options)
stub_request(:get, @module.uri.to_s).to_return(:status => 200)
# Point all targets to a 404
@targets_url.each do |target|
stub_request(:get, "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}").to_return(:status => 404)
@targets.each do |target|
stub_request(:get, target.get_url.to_s).to_return(:status => 404)
# to_s calls readme_url
stub_request(:get, target.readme_url.to_s).to_return(:status => 404)
end
end
after :each do
@passive_detection_fixture = SPEC_FIXTURES_DIR + "/empty-file" unless @passive_detection_fixture
stub_request_to_fixture(:url => @wp_url, :fixture => @passive_detection_fixture)
@module.plugins_from_aggressive_detection(
:plugins_file => @plugins_file,
:plugin_vulns_file => @plugin_vulns_file
).sort.should === @expected_plugins.sort
stub_request_to_fixture(:url => "#{@module.uri}/".sub(/\/\/$/, "/") + "wp-content/plugins/", :fixture => @passive_detection_fixture)
detected = @module.plugins_from_aggressive_detection(@options)
detected.length.should == @expected_plugins.length
detected.sort.should == @expected_plugins.sort
end
it "should return an empty array" do
@@ -109,25 +116,24 @@ shared_examples_for "WpPlugins" do
end
it "should return an array with 3 WpPlugin (1 detected from passive method)" do
@expected_plugins = []
@targets_url.sample(2).each do |target_url|
@expected_plugins << WpPlugin.new(target_url)
stub_request(:get, target_url).to_return(:status => 200)
end
@passive_detection_fixture = @fixtures_dir + "/passive_detection/one_plugin.htm"
@expected_plugins << WpPlugin.new("http://example.localhost/wp-content/plugins/comment-info-tip/")
@expected_plugins = @targets.sample(2)
new_plugin = WpPlugin.new(:url => "http://example.localhost/",
:path => "/plugins/comment-info-tip/",
:name => "comment-info-tip")
stub_request(:get, new_plugin.readme_url.to_s).to_return(:status => 200)
@expected_plugins << new_plugin
end
# testing response codes
WpTarget.valid_response_codes.each do |valid_response_code|
it "should detect the plugin if the reponse.code is #{valid_response_code}" do
@expected_plugins = []
plugin_url = @targets_url.sample
@expected_plugins << WpPlugin.new(plugin_url)
stub_request(:get, plugin_url).to_return(:status => valid_response_code)
plugin_url = [@targets.sample(1)[0]]
plugin_url.should_not be_nil
plugin_url.length.should == 1
@expected_plugins = plugin_url
stub_request(:get, plugin_url[0].get_url.to_s).to_return(:status => valid_response_code)
end
end
end

4
spec/lib/wpscan/modules/wp_timthumbs_spec.rb
View File

@@ -19,13 +19,15 @@
shared_examples_for "WpTimthumbs" do
before :each do
@options = WpOptions.get_empty_options
@options = {}
@url = "http://example.localhost/"
@theme_name = "bueno"
@options[:url] = @url
@options[:wp_content_dir] = "wp-content"
@options[:name] = @theme_name
@options[:error_404_hash] = "xx"
@options[:show_progress_bar] = false
@options[:only_vulnerable_ones] = false
@module = WpScanModuleSpec.new(@url)
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + "/wp_timthumbs"
@timthumbs_file = @fixtures_dir + "/timthumbs.txt"

7
spec/lib/wpscan/modules/wp_usernames_spec.rb
View File

@@ -28,7 +28,7 @@ shared_examples_for "WpUsernames" do
describe "#author_url" do
it "should return the auhor url according to his id" do
@module.author_url(1).should === "#{@target_url}?author=1"
@module.author_url(1).should === "#@target_url?author=1"
end
end
@@ -49,7 +49,8 @@ shared_examples_for "WpUsernames" do
usernames = @module.usernames
usernames.should_not be_empty
usernames.should === ["Youhou"]
usernames.length.should == 1
usernames[0].should == "id: 3, name: Youhou"
end
it "should return an array with 1 username (from in the body response)" do
@@ -58,7 +59,7 @@ shared_examples_for "WpUsernames" do
usernames = @module.usernames(:range => (1..2))
usernames.should_not be_empty
usernames.should === ["admin"]
usernames.should === ["id: 2, name: admin, real name: admin | Wordpress 3.3.2"]
end
it "should return an array with 1 username (testing duplicates)" do

18
spec/lib/wpscan/wp_options_spec.rb
View File

@@ -19,25 +19,9 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpOptions do
describe "#get_empty_options" do
it "should initialize an empty options hash" do
options = WpOptions.get_empty_options
options[:url].should == ""
options[:only_vulnerable_ones].should == false
options[:file].should == ""
options[:vulns_file].should == ""
options[:vulns_xpath].should == ""
options[:vulns_xpath_2].should == ""
options[:wp_content_dir].should == ""
options[:show_progress_bar].should == true
options[:error_404_hash].should == ""
options[:type].should == ""
end
end
describe "#check_options" do
before :each do
@options = WpOptions.get_empty_options
@options = {}
@options[:url] = "url"
@options[:only_vulnerable_ones] = false
@options[:file] = "file"

8
wpscan.rb
View File

@@ -153,7 +153,7 @@ begin
puts
puts "[+] Enumerating plugins from passive detection ... "
plugins = wp_target.plugins_from_passive_detection(wp_target.wp_content_dir)
plugins = wp_target.plugins_from_passive_detection(:url => wp_target.uri, :wp_content_dir => wp_target.wp_content_dir)
unless plugins.empty?
puts "#{plugins.size} found :"
@@ -179,7 +179,7 @@ begin
puts "[+] Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
puts
options = WpOptions.get_empty_options
options = {}
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_plugins || false
options[:show_progress_bar] = true
@@ -233,7 +233,7 @@ begin
puts "[+] Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
puts
options = WpOptions.get_empty_options
options = {}
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes || false
options[:show_progress_bar] = true
@@ -279,7 +279,7 @@ begin
puts "[+] Enumerating timthumb files ..."
puts
options = WpOptions.get_empty_options
options = {}
options[:url] = wp_target.uri
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir