From 31d2ca06eb03a9ad50fed603cd27df6d786fa20e Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Mon, 26 Nov 2012 22:30:07 +0100
Subject: [PATCH] initial commit

---
lib/wpscan/modules/wp_plugins.rb | 5 ++--
lib/wpscan/modules/wp_themes.rb | 2 +-
lib/wpscan/wpscan_helper.rb | 2 ++
lib/wpscan/wpscan_options.rb | 36 ++++++++++++++++++++------
spec/lib/wpscan/wpscan_options_spec.rb | 8 +++--
wpscan.rb | 6 +++--
6 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/lib/wpscan/modules/wp_plugins.rb b/lib/wpscan/modules/wp_plugins.rb
index bad4c765..09576b02 100644
--- a/lib/wpscan/modules/wp_plugins.rb
+++ b/lib/wpscan/modules/wp_plugins.rb
@@ -22,8 +22,9 @@ module WpPlugins
 #
 # return array of WpPlugin
 def plugins_from_aggressive_detection(options)
- options[:file] = options[:file] || "#{DATA_DIR}/plugins.txt"
- options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/plugin_vulns.xml"
+ options[:file] = options[:file] || (options[:full] ? "#{DATA_DIR}/plugins_full.txt" : "#{DATA_DIR}/plugins.txt")
+ options[:vulns_file] = (options[:vulns_file] != nil and options[:vulns_file] != "") ?
+ options[:vulns_file] : DATA_DIR + "/plugin_vulns.xml"
 options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
 options[:vulns_xpath_2] = "//plugin"
 options[:type] = "plugins"
diff --git a/lib/wpscan/modules/wp_themes.rb b/lib/wpscan/modules/wp_themes.rb
index 78e93fd5..388a7b44 100644
--- a/lib/wpscan/modules/wp_themes.rb
+++ b/lib/wpscan/modules/wp_themes.rb
@@ -19,7 +19,7 @@ module WpThemes
 def themes_from_aggressive_detection(options)
- options[:file] = options[:file] || "#{DATA_DIR}/themes.txt"
+ options[:file] = options[:file] || (options[:full] ? "#{DATA_DIR}/themes_full.txt" : "#{DATA_DIR}/themes.txt")
 options[:vulns_file] = (options[:vulns_file] != nil and options[:vulns_file] != "") ? options[:vulns_file] : DATA_DIR + "/wp_theme_vulns.xml"
 options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
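Review bot: The new `options[:file]` line in plugins_from_aggressive_detection (and the matching one in themes_from_aggressive_detection in the next hunk) is written as `options[:file] = options[:file] || (...)`, which reads more naturally as `options[:file] ||= options[:full] ? "#{DATA_DIR}/plugins_full.txt" : "#{DATA_DIR}/plugins.txt"`. The rewritten `options[:vulns_file]` line is also a behaviour change rather than a restyle: an explicit empty string used to be kept as the vulns path (`""` is truthy in Ruby) and now falls back to the default, which is sensible but is not mentioned in the commit message. Since the line now mirrors the themes module, `options[:vulns_file] = DATA_DIR + "/plugin_vulns.xml" if options[:vulns_file].nil? || options[:vulns_file] == ""` would express the same rule without the `and`-inside-ternary construct that only works because of the surrounding parentheses. Both methods continue outside their hunks.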
diff --git a/lib/wpscan/wpscan_helper.rb b/lib/wpscan/wpscan_helper.rb
index d95557f0..42bf6513 100644
--- a/lib/wpscan/wpscan_helper.rb
+++ b/lib/wpscan/wpscan_helper.rb
@@ -85,9 +85,11 @@ def help()
 puts " u[10-20] usernames from id 10 to 20 (you must write [] chars)"
 puts " p plugins"
 puts " vp only vulnerable plugins"
+ puts " ap all plugins (can take a long time)"
 puts " tt timthumbs"
 puts " t themes"
 puts " vt only vulnerable themes"
+ puts " at all themes (can take a long time)"
 puts " Multiple values are allowed : '-e t,p' will enumerate timthumbs and plugins"
 puts " If no option is supplied, the default is 'vt,tt,u,vp'"
 puts
diff --git a/lib/wpscan/wpscan_options.rb b/lib/wpscan/wpscan_options.rb
index d993b4e1..569f55ac 100644
--- a/lib/wpscan/wpscan_options.rb
+++ b/lib/wpscan/wpscan_options.rb
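Review bot: The new `ap` and `at` legend lines in help() do not tell the user that they cannot be combined with `p`/`vp` and `t`/`vt`, which wpscan_options.rb in this same commit enforces by raising "Please choose only one plugin enumeration option" at parse time; `puts " ap all plugins (can take a long time, cannot be combined with p or vp)"` and the equivalent for `at` would make that failure predictable from the help text. The adjacent example `'-e t,p' will enumerate timthumbs and plugins` also disagrees with the legend, where `t` is themes and `tt` is timthumbs, and is worth correcting while this block is being touched. help() continues outside the hunk.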
@@ -86,37 +86,53 @@ class WpscanOptions
 end
 def enumerate_plugins=(enumerate_plugins)
- if enumerate_plugins === true and @enumerate_only_vulnerable_plugins === true
- raise "You can't enumerate plugins and only vulnerable plugins at the same time, please choose only one"
+ if enumerate_plugins === true and (@enumerate_all_plugins === true or @enumerate_only_vulnerable_plugins === true)
+ raise "Please choose only one plugin enumeration option"
 else
 @enumerate_plugins = enumerate_plugins
 end
 end
 def enumerate_only_vulnerable_plugins=(enumerate_only_vulnerable_plugins)
- if enumerate_only_vulnerable_plugins === true and @enumerate_plugins === true
- raise "You can't enumerate plugins and only vulnerable plugins at the same time, please choose only one"
+ if enumerate_only_vulnerable_plugins === true and (@enumerate_all_plugins === true or @enumerate_plugins === true)
+ raise "Please choose only one plugin enumeration option"
 else
 @enumerate_only_vulnerable_plugins = enumerate_only_vulnerable_plugins
 end
 end
+ def enumerate_all_plugins=(enumerate_all_plugins)
+ if enumerate_all_plugins === true and (@enumerate_plugins === true or @enumerate_only_vulnerable_plugins === true)
+ raise "Please choose only one plugin enumeration option"
+ else
+ @enumerate_all_plugins = enumerate_all_plugins
+ end
+ end
+
 def enumerate_themes=(enumerate_themes)
- if enumerate_themes === true and @enumerate_only_vulnerable_themes === true
- raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ if enumerate_themes === true and (@enumerate_all_themes === true or @enumerate_only_vulnerable_themes === true)
+ raise "Please choose only one theme enumeration option"
 else
 @enumerate_themes = enumerate_themes
 end
 end
 def enumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
- if enumerate_only_vulnerable_themes === true and @enumerate_themes === true
- raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ if enumerate_only_vulnerable_themes === true and (@enumerate_all_themes === true or @enumerate_themes === true)
+ raise "Please choose only one theme enumeration option"
 else
 @enumerate_only_vulnerable_themes = enumerate_only_vulnerable_themes
 end
 end
+ def enumerate_all_themes=(enumerate_all_themes)
+ if enumerate_all_themes === true and (@enumerate_themes === true or @enumerate_only_vulnerable_themes === true)
+ raise "Please choose only one theme enumeration option"
+ else
+ @enumerate_all_themes = enumerate_all_themes
+ end
+ end
+
 def has_options?
 !to_h.empty?
 end
@@ -181,12 +197,16 @@ class WpscanOptions
 self.enumerate_plugins = true if value.include?('p')
+ self.enumerate_all_plugins = true if value.include?('ap')
+
 @enumerate_timthumbs = true if value.include?('tt')
 self.enumerate_only_vulnerable_themes = true if value.include?('vt')
 self.enumerate_themes = true if value.include?('t')
+ self.enumerate_all_themes = true if value.include?('at')
+
 value.grep(/^u/) do |username_enum_value|
 @enumerate_usernames = true
 # Check for usernames range
diff --git a/spec/lib/wpscan/wpscan_options_spec.rb b/spec/lib/wpscan/wpscan_options_spec.rb
index 8c52a3c8..8428a02d 100644
--- a/spec/lib/wpscan/wpscan_options_spec.rb
+++ b/spec/lib/wpscan/wpscan_options_spec.rb
@@ -105,7 +105,7 @@ describe "WpscanOptions" do
 it "should raise an error" do
 @wpscan_options.enumerate_only_vulnerable_plugins = true
 expect { @wpscan_options.enumerate_plugins = true }.to raise_error(
- RuntimeError, "You can't enumerate plugins and only vulnerable plugins at the same time, please choose only one"
+ RuntimeError, "Please choose only one plugin enumeration option"
 )
 end
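Review bot: The hunk adds the writers `enumerate_all_plugins=` and `enumerate_all_themes=` but no readers, while wpscan.rb in this same commit calls `wpscan_options.enumerate_all_plugins` and `wpscan_options.enumerate_all_themes`; unless an `attr_reader` for both already exists above line 86 (outside this hunk), those calls raise NoMethodError, so please confirm the readers exist and that `to_h` (which has_options? relies on) picks up the two new instance variables. Stylistically the six setters are now the same eight lines with different names, and `=== true` on a boolean is just `== true`; a small private helper would keep the exclusion rule in one place, as sketched below. The class continues outside the hunk.
```ruby
# Raises unless none of the other flags for this enumeration kind is already set.
def check_single_enumeration_choice(kind, *other_flags)
  raise "Please choose only one #{kind} enumeration option" if other_flags.any? { |flag| flag === true }
end

def enumerate_all_plugins=(enumerate_all_plugins)
  check_single_enumeration_choice('plugin', @enumerate_plugins, @enumerate_only_vulnerable_plugins) if enumerate_all_plugins === true
  @enumerate_all_plugins = enumerate_all_plugins
end

# … unchanged: the other five setters, rewritten in the same shape …
```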
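Review bot: The new `value.include?('ap')` and `value.include?('at')` checks in the -e parser only behave as whole-token matches because `value` is an Array (the `value.grep(/^u/)` below implies it); if a caller ever passes the raw option string instead, `'ap'.include?('p')` is true, both `enumerate_plugins=` and `enumerate_all_plugins=` run, and the second raises. A one-line comment at the top of the block such as `# value is the list of -e tokens; include? must match whole tokens so that 'ap' does not also trigger 'p'` would record that assumption for the next reader. The enclosing method starts before and ends after the hunk.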
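Review bot: This spec hunk, together with the three that follow at @@ -121, @@ -137 and @@ -153, only updates the expected error messages; nothing exercises the new `enumerate_all_plugins=` and `enumerate_all_themes=` writers, so the exclusion between `ap` and `p`/`vp` (and `at` and `t`/`vt`) and the new `ap`/`at` tokens in the -e parser are left untested. Examples mirroring the existing ones, e.g. `@wpscan_options.enumerate_all_plugins = true` followed by `expect { @wpscan_options.enumerate_plugins = true }.to raise_error(RuntimeError, "Please choose only one plugin enumeration option")`, and the reverse order, would cover the new paths.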
@@ -121,7 +121,7 @@ describe "WpscanOptions" do
 it "should raise an error" do
 @wpscan_options.enumerate_only_vulnerable_themes = true
 expect { @wpscan_options.enumerate_themes = true }.to raise_error(
- RuntimeError, "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ RuntimeError, "Please choose only one theme enumeration option"
 )
 end
@@ -137,7 +137,7 @@ describe "WpscanOptions" do
 it "should raise an error" do
 @wpscan_options.enumerate_plugins = true
 expect { @wpscan_options.enumerate_only_vulnerable_plugins = true }.to raise_error(
- RuntimeError, "You can't enumerate plugins and only vulnerable plugins at the same time, please choose only one"
+ RuntimeError, "Please choose only one plugin enumeration option"
 )
 end
@@ -153,7 +153,7 @@ describe "WpscanOptions" do
 it "should raise an error" do
 @wpscan_options.enumerate_themes = true
 expect { @wpscan_options.enumerate_only_vulnerable_themes = true }.to raise_error(
- RuntimeError, "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ RuntimeError, "Please choose only one theme enumeration option"
 )
 end
diff --git a/wpscan.rb b/wpscan.rb
index a06f5d40..40171eb9 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -197,7 +197,7 @@ begin
 end
 # Enumerate the installed plugins
- if wpscan_options.enumerate_plugins or wpscan_options.enumerate_only_vulnerable_plugins
+ if wpscan_options.enumerate_plugins or wpscan_options.enumerate_only_vulnerable_plugins or wpscan_options.enumerate_all_plugins
 puts
 puts green("[+]") + " Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
 puts
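Review bot: The widened `if` now starts plugin enumeration for `enumerate_all_plugins`, but the progress line two lines below still only annotates the only-vulnerable case, so a run with `-e ap` prints the same header as `-e p` even though it walks the much larger plugins_full.txt list; the same applies to the themes condition at @@ -252. Something like `puts green("[+]") + " Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins}#{'(all plugins, this can take a long time)' if wpscan_options.enumerate_all_plugins} ..."` would tell the user which mode is running. The condition also chains with `or`, which is conventionally `||` in expression context. The enclosing begin block continues outside the hunk.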
@@ -209,6 +209,7 @@ begin
 options[:wp_content_dir] = wp_target.wp_content_dir
 options[:error_404_hash] = wp_target.error_404_hash
 options[:wp_plugins_dir] = wp_target.wp_plugins_dir
+ options[:full] = wpscan_options.enumerate_all_plugins
 plugins = wp_target.plugins_from_aggressive_detection(options)
 unless plugins.empty?
@@ -252,7 +253,7 @@ begin
 end
 # Enumerate installed themes
- if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes
+ if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes or wpscan_options.enumerate_all_themes
 puts
 puts green("[+]") + " Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
 puts
@@ -263,6 +264,7 @@ begin
 options[:show_progress_bar] = true
 options[:wp_content_dir] = wp_target.wp_content_dir
 options[:error_404_hash] = wp_target.error_404_hash
+ options[:full] = wpscan_options.enumerate_all_themes
 themes = wp_target.themes_from_aggressive_detection(options)
 unless themes.empty?