diff --git a/Gemfile b/Gemfile index 356d38c1..1836763c 100644 --- a/Gemfile +++ b/Gemfile @@ -6,6 +6,7 @@ gem "ethon", "=0.5.10" gem "nokogiri" gem "json" gem "terminal-table" +gem "ruby-progressbar" group :development, :test do gem "webmock", ">=1.9.3" diff --git a/lib/common/collections/wp_items/detectable.rb b/lib/common/collections/wp_items/detectable.rb index f53353c6..5ec84dd7 100755 --- a/lib/common/collections/wp_items/detectable.rb +++ b/lib/common/collections/wp_items/detectable.rb @@ -14,17 +14,18 @@ class WpItems < Array # @return [ WpItems ] def aggressive_detection(wp_target, options = {}) queue_count = 0 - request_count = 0 browser = Browser.instance hydra = browser.hydra targets = targets_items(wp_target, options) - targets_size = targets.size - show_progression = options[:show_progression] || false exist_options = { error_404_hash: wp_target.error_404_hash, homepage_hash: wp_target.homepage_hash, exclude_content: options[:exclude_content] ? %r{#{options[:exclude_content]}} : nil } + progress_bar = ProgressBar.create(format: '%t %a <%B> (%c / %C) %P%% %e', + title: ' ', # Used to craete a left margin + length: 120, + total: targets.size) if options[:show_progression] # If we only want the vulnerable ones, the passive detection is ignored # Otherwise, a passive detection is performed, and results will be merged @@ -32,11 +33,9 @@ class WpItems < Array targets.each do |target_item| request = browser.forge_request(target_item.url, request_params) - request_count += 1 request.on_complete do |response| - - print "\rChecking for #{targets_size} total ... #{(request_count * 100) / targets_size}% complete." if show_progression + progress_bar.progress += 1 if options[:show_progression] if target_item.exists?(exist_options, response) if !results.include?(target_item) diff --git a/lib/common/models/wp_user/brute_forcable.rb b/lib/common/models/wp_user/brute_forcable.rb index 68c8c7c5..130f7af6 100644 --- a/lib/common/models/wp_user/brute_forcable.rb +++ b/lib/common/models/wp_user/brute_forcable.rb @@ -10,54 +10,54 @@ class WpUser < WpItem # # @return [ void ] def brute_force(wordlist, options = {}) - hydra = Browser.instance.hydra - passwords = BruteForcable.passwords_from_wordlist(wordlist) - number_of_passwords = passwords.size - login_url = @uri.merge('wp-login.php').to_s - queue_count = 0 - request_count = 0 + browser = Browser.instance + hydra = browser.hydra + passwords = BruteForcable.passwords_from_wordlist(wordlist) + login = self.login + login_url = @uri.merge('wp-login.php').to_s + queue_count = 0 + found = false + progress_bar = ProgressBar.create(format: '%t %a <%B> (%c / %C) %P%% %e', + title: " Brute Forcing '#{login}'", + length: 120, + total: passwords.size) if options[:show_progression] passwords.each do |password| - request_count += 1 - queue_count += 1 - login = self.login - request = Browser.instance.forge_request(login_url, - { - method: :post, - body: { log: login, pwd: password }, - cache_ttl: 0 - } + method: :post, + body: { log: login, pwd: password }, + cache_ttl: 0 ) request.on_complete do |response| + progress_bar.progress += 1 if options[:show_progression] && !found + puts "\n Trying Username : #{login} Password : #{password}" if options[:verbose] if valid_password?(response, password, options) self.password = password + found = true return # Used as break end end hydra.queue(request) - - print "\r Brute forcing user '#{login}' with #{number_of_passwords} passwords... #{(request_count * 100) / number_of_passwords}% complete." if options[:show_progression] + queue_count += 1 # it can take a long time to queue 2 million requests, # for that reason, we queue @threads, send @threads, queue @threads and so on. # hydra.run only returns when it has recieved all of its, # responses. This means that while we are waiting for @threads, # responses, we are waiting... - if queue_count >= Browser.instance.max_threads + if queue_count >= browser.max_threads hydra.run queue_count = 0 - puts "Sent #{Browser.instance.max_threads} requests ..." if options[:verbose] + puts "Sent #{browser.max_threads} requests ..." if options[:verbose] end end # run all of the remaining requests hydra.run - puts if options[:show_progression] end # @param [ Typhoeus::Response ] response @@ -69,22 +69,22 @@ class WpUser < WpItem # @return [ Boolean ] def valid_password?(response, password, options = {}) if response.code == 302 - puts "\n " + green('[SUCCESS]') + " Login : #{login} Password : #{password}\n" if options[:show_progression] + puts "\n " + green('[SUCCESS]') + " Login : #{login} Password : #{password}\n\n" if options[:show_progression] return true elsif response.body =~ /login_error/i - puts "\nIncorrect login and/or password." if options[:verbose] + puts "\n Incorrect login and/or password." if options[:verbose] elsif response.timed_out? - puts red('ERROR:') + ' Request timed out.' if options[:show_progression] + puts "\n " + red('ERROR:') + ' Request timed out.' if options[:show_progression] elsif response.code == 0 - puts red('ERROR:') + ' No response from remote server. WAF/IPS?' if options[:show_progression] + puts "\n " + red('ERROR:') + ' No response from remote server. WAF/IPS?' if options[:show_progression] elsif response.code.to_s =~ /^50/ - puts red('ERROR:') + ' Server error, try reducing the number of threads.' if options[:show_progression] + puts "\n " + red('ERROR:') + ' Server error, try reducing the number of threads.' if options[:show_progression] else - puts "\n" + red('ERROR:') + " We received an unknown response for #{password}..." if options[:show_progression] + puts "\n " + red('ERROR:') + " We received an unknown response for #{password}..." if options[:show_progression] # HACK to get the coverage :/ (otherwise some output is present in the rspec) - puts red("Code: #{response.code}") if options[:verbose] - puts red("Body: #{response.body}") if options[:verbose] + puts red(" Code: #{response.code}") if options[:verbose] + puts red(" Body: #{response.body}") if options[:verbose] puts if options[:verbose] end false diff --git a/lib/environment.rb b/lib/environment.rb index 054806f4..68a264c0 100644 --- a/lib/environment.rb +++ b/lib/environment.rb @@ -28,6 +28,7 @@ begin require 'json' require 'nokogiri' require 'terminal-table' + require 'ruby-progressbar' # Custom libs require 'common/browser' require 'common/custom_option_parser' diff --git a/wpscan.rb b/wpscan.rb index 26995739..53a10da1 100755 --- a/wpscan.rb +++ b/wpscan.rb @@ -192,14 +192,12 @@ def main only_vulnerable: wpscan_options.enumerate_only_vulnerable_plugins || false ) ) + puts if !wp_plugins.empty? - puts - puts puts green('[+]') + " We found #{wp_plugins.size} plugins:" wp_plugins.output else - puts puts 'No plugins found :(' end end @@ -216,15 +214,12 @@ def main only_vulnerable: wpscan_options.enumerate_only_vulnerable_themes || false ) ) - + puts if !wp_themes.empty? - puts - puts puts green('[+]') + " We found #{wp_themes.size} themes:" wp_themes.output else - puts puts 'No themes found :(' end end @@ -240,8 +235,8 @@ def main theme_name: wp_theme ? wp_theme.name : nil ) ) + puts if !wp_timthumbs.empty? - puts puts green('[+]') + " We found #{wp_timthumbs.size} timthumb file/s :" puts @@ -250,7 +245,6 @@ def main puts puts red(' * Reference: http://www.exploit-db.com/exploits/17602/') else - puts puts 'No timthumb files found :(' end end @@ -266,15 +260,13 @@ def main show_progression: false ) ) - + puts if wp_users.empty? - puts puts 'We did not enumerate any usernames :(' puts 'Try supplying your own username with the --username option' puts exit(1) else - puts puts green('[+]') + " We found the following #{wp_users.size} user/s :" wp_users.output(margin_left: ' ' * 4) @@ -298,11 +290,9 @@ def main bruteforce = false if Readline.readline !~ /^y/i end - + puts if bruteforce - puts puts green('[+]') + ' Starting the password brute forcer' - puts wp_users.brute_force(wpscan_options.wordlist, show_progression: true, @@ -310,7 +300,6 @@ def main puts wp_users.output(show_password: true, margin_left: ' ' * 2) else - puts puts 'Brute forcing aborted' end end