-) Check if userregistration is enabled

-) Check if blog is a multisite

lib/wpscan/wp_target.rb

@@ -137,11 +137,33 @@ class WpTarget
 
   # Should check wp-login.php if registration is enabled or not
   def registration_enabled?
-    # TODO
+    resp = Browser.instance.get(registration_url)
+    if resp.code == 302 and resp.headers_hash["location"] =~ /wp-login\.php\?registration=disabled/
+      enabled = false
+    else
+      enabled = true
+    end
+    enabled
   end
 
   def registration_url
-    # TODO
+    @uri.merge("wp-login.php?action=register")
   end
 
+  def is_multisite?
+    # when multisite, there is no redirection or a redirect to the site itself
+    # otherwise redirect to wp-login.php
+    url = @uri.merge("wp-signup.php")
+    resp = Browser.instance.get(url)
+    if resp.code == 302 and resp.headers_hash["location"] =~ /wp-login\.php\?action=register/
+      multisite = false
+    elsif resp.code == 302 and resp.headers_hash["location"] =~ /wp-signup\.php/
+      multisite = true
+    elsif resp.code == 200
+      multisite = true
+    else
+      multisite = false
+    end
+    multisite
+  end
 end

spec/lib/wpscan/wp_target_spec.rb

@@ -244,4 +244,43 @@ describe WpTarget do
       @wp_target.search_replace_db_2_exists?.should be_false
     end
   end
+
+  describe "#registration_url" do
+    it "should return the correct url" do
+      @wp_target.registration_url.to_s.should == "http://example.localhost/wp-login.php?action=register"
+    end
+  end
+
+  describe "#registration_enabled?" do
+    it "should return false" do
+      stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 302, :headers => { "Location" => "wp-login.php?registration=disabled" })
+      @wp_target.registration_enabled?.should be_false
+    end
+
+    it "should return true" do
+      stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 200)
+      @wp_target.registration_enabled?.should be_true
+    end
+  end
+
+  describe "#is_multisite?" do
+    before :each do
+      @url = @wp_target.uri.merge("wp-signup.php").to_s
+    end
+
+    it "should return false" do
+      stub_request(:any, @url).to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
+      @wp_target.is_multisite?.should be_false
+    end
+
+    it "should return true" do
+      stub_request(:any, @url).to_return(:status => 302, :headers => { "Location" => "http://example.localhost/wp-signup.php" })
+      @wp_target.is_multisite?.should be_true
+    end
+
+    it "should return true" do
+      stub_request(:any, @url).to_return(:status => 200)
+      @wp_target.is_multisite?.should be_true
+    end
+  end
 end

wpscan.rb

@@ -101,11 +101,11 @@ begin
   wp_theme = wp_target.theme
   if wp_theme
     # Theme version is handled in wp_item.to_s
-    puts green("[!]") + " The WordPress theme in use is #{wp_theme}"
+    puts green("[+]") + " The WordPress theme in use is #{wp_theme}"
 
     theme_vulnerabilities = wp_theme.vulnerabilities
     unless theme_vulnerabilities.empty?
-      puts red("[+]") + " We have identified #{theme_vulnerabilities.size} vulnerabilities for this theme :"
+      puts red("[!]") + " We have identified #{theme_vulnerabilities.size} vulnerabilities for this theme :"
       theme_vulnerabilities.each do |vulnerability|
         puts
         puts " | " + red("* Title: #{vulnerability.title}")
@@ -135,6 +135,14 @@ begin
     puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}'")
   end
 
+  if wp_target.is_multisite?
+    puts green("[+]") + " This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)"
+  end
+
+  if wp_target.registration_enabled?
+    puts green("[+]") + " Userregistration is enabled"
+  end
+
   if wp_target.has_malwares?
     malwares = wp_target.malwares
     puts red("[!]") + " #{malwares.size} malware(s) found :"