garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes hacks.rb conflict

Browse Source
This commit is contained in:
erwanlr
2013-04-16 14:19:30 +02:00
parent de1bc6a369 7143c7ffe9
commit 3f8bc5e01a
5 changed files with 40 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Gemfile
View File

@@ -6,6 +6,7 @@ gem "ethon", "=0.5.10"
gem "nokogiri"
gem "json"
gem "terminal-table"
gem "ruby-progressbar"
group :development, :test do
gem "webmock", ">=1.9.3"

11
lib/common/collections/wp_items/detectable.rb
View File

@@ -14,17 +14,18 @@ class WpItems < Array
# @return [ WpItems ]
def aggressive_detection(wp_target, options = {})
queue_count = 0
request_count = 0
browser = Browser.instance
hydra = browser.hydra
targets = targets_items(wp_target, options)
targets_size = targets.size
show_progression = options[:show_progression] || false
exist_options = {
error_404_hash: wp_target.error_404_hash,
homepage_hash: wp_target.homepage_hash,
exclude_content: options[:exclude_content] ? %r{#{options[:exclude_content]}} : nil
}
progress_bar = ProgressBar.create(format: '%t %a <%B> (%c / %C) %P%% %e',
title: ' ', # Used to craete a left margin
length: 120,
total: targets.size) if options[:show_progression]
# If we only want the vulnerable ones, the passive detection is ignored
# Otherwise, a passive detection is performed, and results will be merged
@@ -32,11 +33,9 @@ class WpItems < Array
targets.each do |target_item|
request = browser.forge_request(target_item.url, request_params)
request_count += 1
request.on_complete do |response|
print "\rChecking for #{targets_size} total ... #{(request_count * 100) / targets_size}% complete." if show_progression
progress_bar.progress += 1 if options[:show_progression]
if target_item.exists?(exist_options, response)
if !results.include?(target_item)

56
lib/common/models/wp_user/brute_forcable.rb
View File

@@ -10,54 +10,54 @@ class WpUser < WpItem
#
# @return [ void ]
def brute_force(wordlist, options = {})
hydra = Browser.instance.hydra
passwords = BruteForcable.passwords_from_wordlist(wordlist)
number_of_passwords = passwords.size
login_url = @uri.merge('wp-login.php').to_s
queue_count = 0
request_count = 0
browser = Browser.instance
hydra = browser.hydra
passwords = BruteForcable.passwords_from_wordlist(wordlist)
login = self.login
login_url = @uri.merge('wp-login.php').to_s
queue_count = 0
found = false
progress_bar = ProgressBar.create(format: '%t %a <%B> (%c / %C) %P%% %e',
title: " Brute Forcing '#{login}'",
length: 120,
total: passwords.size) if options[:show_progression]
passwords.each do |password|
request_count += 1
queue_count += 1
login = self.login
request = Browser.instance.forge_request(login_url,
{
method: :post,
body: { log: login, pwd: password },
cache_ttl: 0
}
method: :post,
body: { log: login, pwd: password },
cache_ttl: 0
)
request.on_complete do |response|
progress_bar.progress += 1 if options[:show_progression] && !found
puts "\n Trying Username : #{login} Password : #{password}" if options[:verbose]
if valid_password?(response, password, options)
self.password = password
found = true
return # Used as break
end
end
hydra.queue(request)
print "\r Brute forcing user '#{login}' with #{number_of_passwords} passwords... #{(request_count * 100) / number_of_passwords}% complete." if options[:show_progression]
queue_count += 1
# it can take a long time to queue 2 million requests,
# for that reason, we queue @threads, send @threads, queue @threads and so on.
# hydra.run only returns when it has recieved all of its,
# responses. This means that while we are waiting for @threads,
# responses, we are waiting...
if queue_count >= Browser.instance.max_threads
if queue_count >= browser.max_threads
hydra.run
queue_count = 0
puts "Sent #{Browser.instance.max_threads} requests ..." if options[:verbose]
puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
end
end
# run all of the remaining requests
hydra.run
puts if options[:show_progression]
end
# @param [ Typhoeus::Response ] response
@@ -69,22 +69,22 @@ class WpUser < WpItem
# @return [ Boolean ]
def valid_password?(response, password, options = {})
if response.code == 302
puts "\n " + green('[SUCCESS]') + " Login : #{login} Password : #{password}\n" if options[:show_progression]
puts "\n " + green('[SUCCESS]') + " Login : #{login} Password : #{password}\n\n" if options[:show_progression]
return true
elsif response.body =~ /login_error/i
puts "\nIncorrect login and/or password." if options[:verbose]
puts "\n Incorrect login and/or password." if options[:verbose]
elsif response.timed_out?
puts red('ERROR:') + ' Request timed out.' if options[:show_progression]
puts "\n " + red('ERROR:') + ' Request timed out.' if options[:show_progression]
elsif response.code == 0
puts red('ERROR:') + ' No response from remote server. WAF/IPS?' if options[:show_progression]
puts "\n " + red('ERROR:') + ' No response from remote server. WAF/IPS?' if options[:show_progression]
elsif response.code.to_s =~ /^50/
puts red('ERROR:') + ' Server error, try reducing the number of threads.' if options[:show_progression]
puts "\n " + red('ERROR:') + ' Server error, try reducing the number of threads.' if options[:show_progression]
else
puts "\n" + red('ERROR:') + " We received an unknown response for #{password}..." if options[:show_progression]
puts "\n " + red('ERROR:') + " We received an unknown response for #{password}..." if options[:show_progression]
# HACK to get the coverage :/ (otherwise some output is present in the rspec)
puts red("Code: #{response.code}") if options[:verbose]
puts red("Body: #{response.body}") if options[:verbose]
puts red(" Code: #{response.code}") if options[:verbose]
puts red(" Body: #{response.body}") if options[:verbose]
puts if options[:verbose]
end
false

1
lib/environment.rb
View File

@@ -28,6 +28,7 @@ begin
require 'json'
require 'nokogiri'
require 'terminal-table'
require 'ruby-progressbar'
# Custom libs
require 'common/browser'
require 'common/custom_option_parser'

21
wpscan.rb
View File

@@ -192,14 +192,12 @@ def main
only_vulnerable: wpscan_options.enumerate_only_vulnerable_plugins || false
)
)
puts
if !wp_plugins.empty?
puts
puts
puts green('[+]') + " We found #{wp_plugins.size} plugins:"
wp_plugins.output
else
puts
puts 'No plugins found :('
end
end
@@ -216,15 +214,12 @@ def main
only_vulnerable: wpscan_options.enumerate_only_vulnerable_themes || false
)
)
puts
if !wp_themes.empty?
puts
puts
puts green('[+]') + " We found #{wp_themes.size} themes:"
wp_themes.output
else
puts
puts 'No themes found :('
end
end
@@ -240,8 +235,8 @@ def main
theme_name: wp_theme ? wp_theme.name : nil
)
)
puts
if !wp_timthumbs.empty?
puts
puts green('[+]') + " We found #{wp_timthumbs.size} timthumb file/s :"
puts
@@ -250,7 +245,6 @@ def main
puts
puts red(' * Reference: http://www.exploit-db.com/exploits/17602/')
else
puts
puts 'No timthumb files found :('
end
end
@@ -266,15 +260,13 @@ def main
show_progression: false
)
)
puts
if wp_users.empty?
puts
puts 'We did not enumerate any usernames :('
puts 'Try supplying your own username with the --username option'
puts
exit(1)
else
puts
puts green('[+]') + " We found the following #{wp_users.size} user/s :"
wp_users.output(margin_left: ' ' * 4)
@@ -298,11 +290,9 @@ def main
bruteforce = false if Readline.readline !~ /^y/i
end
puts
if bruteforce
puts
puts green('[+]') + ' Starting the password brute forcer'
puts
wp_users.brute_force(wpscan_options.wordlist,
show_progression: true,
@@ -310,7 +300,6 @@ def main
puts
wp_users.output(show_password: true, margin_left: ' ' * 2)
else
puts
puts 'Brute forcing aborted'
end
end