garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:wpscanteam/wpscan

Browse Source
This commit is contained in:
Christian Mehlmauer
2016-02-17 23:30:45 +01:00
parent 26ab95d822 cea01d8aa0
commit 33f8aaf1dc
6 changed files with 50 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/common/browser.rb
View File

@@ -153,8 +153,8 @@ class Browser
params.merge!(maxredirs: 3) unless params.key?(:maxredirs)
# Disable SSL-Certificate checks
params.merge!(ssl_verifypeer: false)
params.merge!(ssl_verifyhost: 0)
params.merge!(ssl_verifypeer: false) unless params.key?(:ssl_verifypeer)
params.merge!(ssl_verifyhost: 0) unless params.key?(:ssl_verifyhost)
params.merge!(cookiejar: @cache_dir + '/cookie-jar')
params.merge!(cookiefile: @cache_dir + '/cookie-jar')

2
lib/common/cache_file_store.rb
View File

@@ -51,7 +51,7 @@ class CacheFileStore
end
def write_entry(key, data_to_store, cache_ttl)
if cache_ttl > 0
if cache_ttl && cache_ttl > 0
File.open(get_entry_file_path(key), 'w') do |f|
begin
f.write(@serializer.dump(data_to_store))

2
lib/common/db_updater.rb
View File

@@ -28,7 +28,7 @@ class DbUpdater
# @return [ String ] The raw file URL associated with the given filename
def remote_file_url(filename)
"https://wpvulndb.com/data/#{filename}"
"https://data.wpscan.org/#{filename}"
end
# @return [ String ] The checksum of the associated remote filename

23
lib/common/models/wp_user/brute_forcable.rb
View File

@@ -3,6 +3,8 @@
class WpUser < WpItem
module BruteForcable
attr_reader :progress_bar
# Brute force the user with the wordlist supplied
#
# It can take a long time to queue 2 million requests,
@@ -25,7 +27,8 @@ class WpUser < WpItem
hydra = browser.hydra
queue_count = 0
found = false
progress_bar = self.progress_bar(count_file_lines(wordlist)+1, options)
create_progress_bar(count_file_lines(wordlist)+1, options)
File.open(wordlist).each do |password|
password.chomp!
@@ -42,7 +45,7 @@ class WpUser < WpItem
request.on_complete do |response|
progress_bar.progress += 1 if options[:show_progression] && !found
puts "\n Trying Username : #{login} Password : #{password}" if options[:verbose]
progress_bar.log(" Trying Username: #{login} Password: #{password}") if options[:verbose]
if valid_password?(response, password, redirect_url, options)
found = true
@@ -57,7 +60,7 @@ class WpUser < WpItem
if queue_count >= browser.max_threads
hydra.run
queue_count = 0
puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
progress_bar.log(" Sent #{browser.max_threads} request/s ...") if options[:verbose]
end
end
@@ -71,9 +74,9 @@ class WpUser < WpItem
#
# @return [ ProgressBar ]
# :nocov:
def progress_bar(passwords_size, options)
def create_progress_bar(passwords_size, options)
if options[:show_progression]
ProgressBar.create(
@progress_bar = ProgressBar.create(
format: '%t %a <%B> (%c / %C) %P%% %e',
title: " Brute Forcing '#{login}'",
total: passwords_size
@@ -107,20 +110,20 @@ class WpUser < WpItem
progression = "#{info('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
valid = true
elsif response.body =~ /login_error/i
verbose = "\n Incorrect login and/or password."
verbose = "Incorrect login and/or password."
elsif response.timed_out?
progression = critical('ERROR: Request timed out.')
elsif response.code == 0
progression = critical("ERROR: No response from remote server. WAF/IPS? (#{response.return_message})")
elsif response.code.to_s =~ /^50/
progression = critical('ERROR: Server error, try reducing the number of threads.')
progression = critical('ERROR: Server error, try reducing the number of threads or use the --throttle option.')
else
progression = critical("ERROR: We received an unknown response for #{password}...")
verbose = critical(" Code: #{response.code}\n Body: #{response.body}\n")
verbose = critical(" Code: #{response.code}\n Body: #{response.body}\n")
end
puts "\n " + progression if progression && options[:show_progression]
puts verbose if verbose && options[:verbose]
progress_bar.log(" #{progression}") if progression && options[:show_progression]
progress_bar.log(" #{verbose}") if verbose && options[:verbose]
valid || false
end

55
lib/common/models/wp_version/findable.rb
View File

@@ -114,34 +114,6 @@ class WpVersion < WpItem
)
end
def find_from_stylesheets_numbers(target_uri)
wp_versions = WpVersion.all
found = {}
pattern = /\bver=([0-9\.]+)/i
Nokogiri::HTML(Browser.get(target_uri.to_s).body).css('link,script').each do |tag|
%w(href src).each do |attribute|
attr_value = tag.attribute(attribute).to_s
next if attr_value.nil? || attr_value.empty?
uri = Addressable::URI.parse(attr_value)
next unless uri.query && uri.query.match(pattern)
version = Regexp.last_match[1].to_s
found[version] ||= 0
found[version] += 1
end
end
found.delete_if { |v, _| !wp_versions.include?(v) }
best_guess = found.sort_by(&:last).last
# best_guess[0]: version number, [1] numbers of occurences
best_guess && best_guess[1] > 1 ? best_guess[0] : nil
end
# Uses data/wp_versions.xml to try to identify a
# wordpress version.
#
@@ -218,5 +190,32 @@ class WpVersion < WpItem
)
end
def find_from_stylesheets_numbers(target_uri)
wp_versions = WpVersion.all
found = {}
pattern = /\bver=([0-9\.]+)/i
Nokogiri::HTML(Browser.get(target_uri.to_s).body).css('link,script').each do |tag|
%w(href src).each do |attribute|
attr_value = tag.attribute(attribute).to_s
next if attr_value.nil? || attr_value.empty?
uri = Addressable::URI.parse(attr_value)
next unless uri.query && uri.query.match(pattern)
version = Regexp.last_match[1].to_s
found[version] ||= 0
found[version] += 1
end
end
found.delete_if { |v, _| !wp_versions.include?(v) }
best_guess = found.sort_by(&:last).last
# best_guess[0]: version number, [1] numbers of occurences
best_guess && best_guess[1] > 1 ? best_guess[0] : nil
end
end
end

12
spec/lib/common/collections/wp_timthumbs/detectable_spec.rb
View File

@@ -26,10 +26,10 @@ describe 'WpTimthumbs::Detectable' do
def expected_targets_from_theme(theme_name)
expected = []
%w{
%w(
timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
scripts/timthumb.php tools/timthumb.php functions/timthumb.php
}.each do |file|
).each do |file|
path = "$wp-content$/themes/#{theme_name}/#{file}"
expected << WpTimthumb.new(uri, path: path)
end
@@ -46,7 +46,7 @@ describe 'WpTimthumbs::Detectable' do
after do
targets = subject.send(:targets_items_from_file, file, wp_target)
expect(targets.map { |t| t.url }).to eq @expected.map { |t| t.url }
expect(targets.map(&:url)).to eq @expected.map(&:url)
end
context 'when an empty file' do
@@ -71,7 +71,7 @@ describe 'WpTimthumbs::Detectable' do
theme = 'hello-world'
targets = subject.send(:theme_timthumbs, theme, wp_target)
expect(targets.map { |t| t.url }).to eq expected_targets_from_theme(theme).map { |t| t.url }
expect(targets.map(&:url)).to eq expected_targets_from_theme(theme).map(&:url)
end
end
@@ -81,7 +81,7 @@ describe 'WpTimthumbs::Detectable' do
after do
targets = subject.send(:targets_items, wp_target, options)
targets.map { |t| t.url }.should =~ @expected.sort.map { |t| t.url }
expect(targets.map(&:url)).to match_array(@expected.map(&:url))
end
context 'when no :theme_name' do
@@ -101,7 +101,7 @@ describe 'WpTimthumbs::Detectable' do
end
context 'when :theme_name' do
let(:theme) { 'theme-name'}
let(:theme) { 'theme-name' }
context 'when no :file' do
let(:options) { { theme_name: theme } }