Fix for xmlrpc false positive. Issue #260.

lib/wpscan/web_site.rb

@@ -26,36 +26,19 @@ class WebSite
   end
 
   def has_xml_rpc?
-    !xml_rpc_url.nil?
+    response = Browser.get_and_follow_location(xml_rpc_url)
+    response.body =~ %r{XML-RPC server accepts POST requests only}i    
   end
 
   # See http://www.hixie.ch/specs/pingback/pingback-1.0#TOC2.3
   def xml_rpc_url
     unless @xmlrpc_url
-      @xmlrpc_url = xml_rpc_url_from_headers() || xml_rpc_url_from_body()
+      @xmlrpc_url = @uri.merge('xmlrpc.php').to_s
     end
+
     @xmlrpc_url
   end
 
-  def xml_rpc_url_from_headers
-    headers    = Browser.get(@uri.to_s).headers_hash
-    xmlrpc_url = nil
-
-    unless headers.nil?
-      pingback_url = headers['X-Pingback']
-      unless pingback_url.nil? || pingback_url.empty?
-        xmlrpc_url = pingback_url
-      end
-    end
-    xmlrpc_url
-  end
-
-  def xml_rpc_url_from_body
-    body = Browser.get(@uri.to_s).body
-
-    body[%r{<link rel="pingback" href="([^"]+)" ?\/?>}, 1]
-  end
-
   # See if the remote url returns 30x redirect
   # This method is recursive
   # Return a string with the redirection or nil

lib/wpscan/wp_target.rb

@@ -43,9 +43,8 @@ class WpTarget < WebSite
     if response.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i
       wordpress = true
     else
-      response = Browser.get_and_follow_location(xml_rpc_url)
 
-      if response.body =~ %r{XML-RPC server accepts POST requests only}i
+      if has_xml_rpc?
         wordpress = true
       else
         response = Browser.get_and_follow_location(login_url)