garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes non detection of plugins/themes from homepage in some cases

Browse Source
This commit is contained in:
erwanlr
2019-10-10 22:33:19 +01:00
parent a9062db57f
commit 40c2e9a54b
5 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/finders/wp_items/urls_in_homepage.rb
View File

@@ -15,7 +15,9 @@ module WPScan
target.in_scope_uris(target.homepage_res) do |uri| target.in_scope_uris(target.homepage_res) do |uri|
next unless uri.to_s =~ item_attribute_pattern(type) next unless uri.to_s =~ item_attribute_pattern(type)
found << Regexp.last_match[1] slug = Regexp.last_match[1]&.strip
found << slug unless slug&.empty?
end end
uniq ? found.uniq.sort : found.sort uniq ? found.uniq.sort : found.sort
@@ -42,7 +44,7 @@ module WPScan
# #
# @return [ Regexp ] # @return [ Regexp ]
def item_attribute_pattern(type) def item_attribute_pattern(type)
@item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i @item_attribute_pattern ||= %r{#{item_url_pattern(type)}([^/]+)/}i
end end
# @param [ String ] type # @param [ String ] type
@@ -59,7 +61,7 @@ module WPScan
item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
item_url = type == 'plugins' ? target.plugins_url : target.content_url item_url = type == 'plugins' ? target.plugins_url : target.content_url
url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i url = /#{item_url.gsub(/\A(?:https?)/i, 'https?').gsub('/', '\\\\\?\/')}/i
item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i

6
spec/app/finders/plugins/urls_in_homepage_spec.rb
View File

@@ -3,14 +3,16 @@
describe WPScan::Finders::Plugins::UrlsInHomepage do describe WPScan::Finders::Plugins::UrlsInHomepage do
subject(:finder) { described_class.new(target) } subject(:finder) { described_class.new(target) }
let(:target) { WPScan::Target.new(url) } let(:target) { WPScan::Target.new(url) }
let(:url) { 'http://wp.lab/' } let(:url) { 'https://wp.lab/' }
let(:fixtures) { FINDERS_FIXTURES.join('plugins', 'urls_in_homepage') } let(:fixtures) { FINDERS_FIXTURES.join('plugins', 'urls_in_homepage') }
before { target.scope << 'sub.lab' }
it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do
let(:type) { 'plugins' } let(:type) { 'plugins' }
let(:uniq_links) { true } let(:uniq_links) { true }
let(:uniq_codes) { true } let(:uniq_codes) { true }
let(:expected_from_links) { (1..4).map { |i| "dl-#{i}" } } let(:expected_from_links) { (1..5).map { |i| "dl-#{i}" } }
let(:expected_from_codes) { (1..6).map { |i| "dc-#{i}" } } let(:expected_from_codes) { (1..6).map { |i| "dc-#{i}" } }
end end

2
spec/app/finders/themes/urls_in_homepage_spec.rb
View File

@@ -6,6 +6,8 @@ describe WPScan::Finders::Themes::UrlsInHomepage do
let(:url) { 'http://wp.lab/' } let(:url) { 'http://wp.lab/' }
let(:fixtures) { FINDERS_FIXTURES.join('themes', 'urls_in_homepage') } let(:fixtures) { FINDERS_FIXTURES.join('themes', 'urls_in_homepage') }
# before { target.scope << 'sub.lab' }
it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do it_behaves_like 'App::Finders::WpItems::URLsInHomepage' do
let(:type) { 'themes' } let(:type) { 'themes' }
let(:uniq_links) { true } let(:uniq_links) { true }

8
spec/fixtures/finders/plugins/urls_in_homepage/found.html vendored
View File

@@ -8,7 +8,7 @@
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script> <script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
<!-- plugins that should be detected --> <!-- plugins that should be detected -->
<link rel='stylesheet' href='http://wp.lab/wp-content/plugins/dl-1/cache/7f81.css?m=12' type='text/css' media='screen'/> <link rel='stylesheet' href='https://wp.lab/wp-content/plugins/dl-1/cache/7f81.css?m=12' type='text/css' media='screen'/>
<link rel="stylesheet" href="/wp-content/plugins/dl-2/css/frontend.css?ver=3.9.2"/> <link rel="stylesheet" href="/wp-content/plugins/dl-2/css/frontend.css?ver=3.9.2"/>
<script type='text/javascript' src='http://wp.lab/wp-content/plugins/dl-3/s2member-o.php?ws=1'></script> <script type='text/javascript' src='http://wp.lab/wp-content/plugins/dl-3/s2member-o.php?ws=1'></script>
@@ -17,6 +17,12 @@
<!-- Duplicate, dl-4 should only be detected once --> <!-- Duplicate, dl-4 should only be detected once -->
<script type='text/javascript' src='/wp-content/plugins/dl-4/main2.js'></script> <script type='text/javascript' src='/wp-content/plugins/dl-4/main2.js'></script>
<!-- in scope domain -->
<link rel="stylesheet" href="http://sub.lab/wp-content/plugins/dl-5/css/"/>
<!-- Should not be detected -->
<link rel="stylesheet" href="https://wp.lab/wp-content/plugins//css/"/>
<link rel="stylesheet" href="http://sub.lab/wp-content/plugins/ /aa/"/>
<a href="http://wp.lab/wp-content/plugins/somefile.php">It should not be detected</a> <a href="http://wp.lab/wp-content/plugins/somefile.php">It should not be detected</a>
<style type="text/css"> <style type="text/css">

2
spec/fixtures/finders/themes/urls_in_homepage/found.html vendored
View File

@@ -1,6 +1,6 @@
<link rel='stylesheet' href='http://wp.lab/wp-content/themes/dl-1/style.css?ver=4.1.1' type='text/css' media='all'> <link rel='stylesheet' href='http://wp.lab/wp-content/themes/dl-1/style.css?ver=4.1.1' type='text/css' media='all'>
<img src="http://wp.lab/wp-content/themes/image.png" alt="Should not be detected" /> <img src="https://wp.lab/wp-content/themes/image.png" alt="Should not be detected" />
<style type="text/css"> <style type="text/css">
#fancybox-loading.fancybox-ie div { #fancybox-loading.fancybox-ie div {