Merge branch 'master' of github.com:wpscanteam/wpscan

CHANGELOG.md

@@ -1,6 +1,27 @@
 # Changelog
 ## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.9.2...master)
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.9.3...master)
+
+## Version 2.9.3
+Released: 2017-07-19
+
+* Updated dependencies and required ruby version
+* Made some changes so wpscan works in ruby 2.4
+* Added a Gemfile.lock to lock all dependencies
+* You can now pass a wordlist from stdin via "--wordlist -"
+* Improved version detection regexes
+* Added an optional paramter to --log to specify a filename
+
+WPScan Database Statistics:
+* Total tracked wordpresses: 251
+* Total tracked plugins: 68818
+* Total tracked themes: 15132
+* Total vulnerable wordpresses: 243
+* Total vulnerable plugins: 1527
+* Total vulnerable themes: 280
+* Total wordpress vulnerabilities: 5263
+* Total plugin vulnerabilities: 2406
+* Total theme vulnerabilities: 349
 
 ## Version 2.9.2
 Released: 2016-11-15

README.md

@@ -122,6 +122,8 @@ Mount a local wordlist to the docker container and start a bruteforce attack for
 docker run -it --rm -v ~/wordlists:/wordlists wpscanteam/wpscan --url https://yourblog.com --wordlist /wordlists/crackstation.txt --username admin
 ```
 
+(This mounts the host directory `~/wordlists` to the container in the path `/wordlists`)
+
 Use logfile option
 ```
 # the file must exist prior to starting the container, otherwise docker will create a directory with the filename
@@ -129,8 +131,6 @@ touch ~/FILENAME
 docker run -it --rm -v ~/FILENAME:/wpscan/output.txt wpscanteam/wpscan --url https://yourblog.com --log /wpscan/output.txt
 ```
 
-(This mounts the host directory `~/wordlists` to the container in the path `/wordlists`)
-
 Published on https://hub.docker.com/r/wpscanteam/wpscan/
 
 # Manual install

lib/common/common_helper.rb

@@ -30,7 +30,7 @@ LAST_UPDATE_FILE  = File.join(DATA_DIR, '.last_update')
 
 MIN_RUBY_VERSION = '2.1.9'
 
-WPSCAN_VERSION = '2.9.2'
+WPSCAN_VERSION = '2.9.3'
 
 $LOAD_PATH.unshift(LIB_DIR)
 $LOAD_PATH.unshift(WPSCAN_LIB_DIR)

lib/wpscan/wp_target.rb

@@ -155,6 +155,21 @@ class WpTarget < WebSite
     resp.code == 200 && resp.body[%r{by interconnect}i]
   end
 
+  # Script used to recover locked out admin users
+  # http://yoast.com/emergency-wordpress-access/
+  # https://codex.wordpress.org/User:MichaelH/Orphaned_Plugins_needing_Adoption/Emergency
+  #
+  # @return [ String ]
+  def emergency_url
+    @uri.merge('emergency.php').to_s
+  end
+
+  # @return [ Boolean ]
+  def emergency_exists?
+    resp = Browser.get(emergency_url)
+    resp.code == 200 && resp.body[%r{password}i]
+  end
+
   def upload_directory_listing_enabled?
     directory_listing_enabled?(upload_dir_url)
   end

spec/lib/wpscan/wp_target_spec.rb

@@ -192,4 +192,27 @@ describe WpTarget do
     end
   end
 
+  describe '#emergency_url' do
+    it 'returns the correct url' do
+      expect(wp_target.emergency_url).to eq 'http://example.localhost/emergency.php'
+    end
+  end
+
+  describe '#emergency_exists?' do
+    it 'returns true' do
+      stub_request(:any, wp_target.emergency_url).to_return(status: 200, body: 'enter your password here')
+      expect(wp_target.emergency_exists?).to be_truthy
+    end
+
+    it 'returns false' do
+      stub_request(:any, wp_target.emergency_url).to_return(status: 500)
+      expect(wp_target.emergency_exists?).to be_falsey
+    end
+
+    it 'returns false' do
+      stub_request(:any, wp_target.emergency_url).to_return(status: 500, body: 'enter your password here')
+      expect(wp_target.emergency_exists?).to be_falsey
+    end
+  end
+
 end

wpscan.rb

@@ -226,6 +226,10 @@ def main
       puts critical("searchreplacedb2.php has been found in: '#{wp_target.search_replace_db_2_url}'")
     end
 
+    if wp_target.emergency_exists?
+      puts critical("emergency.php has been found in: '#{wp_target.emergency_url}'")
+    end
+
     wp_target.interesting_headers.each do |header|
       output = info('Interesting header: ')