From d3e0ff1e66158c6f428513d9f1f4289096825ec8 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Thu, 11 Oct 2018 17:03:31 +0100 Subject: [PATCH 1/4] Adds simple and full help options --- Rakefile | 6 ++-- app/controllers/core.rb | 8 ++--- app/controllers/enumeration/cli_options.rb | 35 ++++++++++++---------- app/controllers/main_theme.rb | 3 +- app/controllers/wp_version.rb | 5 ++-- wpscan.gemspec | 2 +- 6 files changed, 30 insertions(+), 29 deletions(-) diff --git a/Rakefile b/Rakefile index 21348df2..96b4a1df 100644 --- a/Rakefile +++ b/Rakefile @@ -12,9 +12,9 @@ rescue LoadError end begin - require 'rspec/core/rake_task' - RSpec::Core::RakeTask.new(:spec) - exec << :spec + #require 'rspec/core/rake_task' + #RSpec::Core::RakeTask.new(:spec) + #exec << :spec rescue LoadError end diff --git a/app/controllers/core.rb b/app/controllers/core.rb index 0b66f2dc..d2c6ab79 100644 --- a/app/controllers/core.rb +++ b/app/controllers/core.rb @@ -5,15 +5,15 @@ module WPScan # @return [ Array ] def cli_options [OptURL.new(['--url URL', 'The URL of the blog to scan'], - required_unless: %i[update help version], default_protocol: 'http')] + + required_unless: %i[update help hh version], default_protocol: 'http')] + super.drop(1) + # delete the --url from CMSScanner [ OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'], choices: %w[apache iis nginx], - normalize: %i[downcase to_sym]), + normalize: %i[downcase to_sym], + advanced: true), OptBoolean.new(['--force', 'Do not check if the target is running WordPress']), - OptBoolean.new(['--[no-]update', 'Wether or not to update the Database'], - required_unless: %i[url help version]) + OptBoolean.new(['--[no-]update', 'Whether or not to update the Database']) ] end diff --git a/app/controllers/enumeration/cli_options.rb b/app/controllers/enumeration/cli_options.rb index 3a974b67..a3491b41 100644 --- a/app/controllers/enumeration/cli_options.rb +++ b/app/controllers/enumeration/cli_options.rb 
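Review bot: Commenting out the three rspec lines in the Rakefile hunk disables the spec run on build, which is unrelated to the help-option subject of this commit and leaves the `advanced:` and `hh` changes introduced here unverified at this revision. Patch 3/4 of the same series restores exactly those three lines, so squashing the two would keep the history clean; if skipping specs was deliberate for an intermediate state, a one-line comment saying why (e.g. `# temporarily disabled, see patch 3/4`) would make that clear to whoever bisects later.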
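Review bot: The new `hh` symbol in `required_unless: %i[update help hh version]` is opaque to a reader of core.rb; nothing in this file says which option it refers to (presumably the full-help flag that the cms_scanner bump in this same commit provides, alongside the `advanced:` keyword used below). Suggest a trailing comment on that line such as `# :hh is the full help option from CMSScanner` and the same in spec/app/controllers/core_spec.rb, which asserts this array in patch 4/4. Dropping `required_unless` from `--[no-]update` looks safe as far as this hunk shows, since the `--url` constraint already forces one of the two to be given; cli_options continues outside the hunk.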
@@ -13,7 +13,7 @@ module WPScan def cli_enum_choices [ OptMultiChoices.new( - ['--enumerate [OPTS]', '-e', 'Enumeration Process'], + ['-e', '--enumerate [OPTS]', 'Enumeration Process'], choices: { vp: OptBoolean.new(['--vulnerable-plugins']), ap: OptBoolean.new(['--all-plugins']), @@ -45,7 +45,7 @@ module WPScan # @return [ Array ] def cli_plugins_opts [ - OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate']), + OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate'], advanced: true), OptChoice.new( ['--plugins-detection MODE', 'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'], @@ -54,7 +54,8 @@ module WPScan OptBoolean.new( ['--plugins-version-all', 'Check all the plugins version locations according to the choosen mode (--detection-mode, ' \ - '--plugins-detection and --plugins-version-detection)'] + '--plugins-detection and --plugins-version-detection)'], + advanced: true ), OptChoice.new( ['--plugins-version-detection MODE', 
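Review bot: The @@ -45 hunk marks only `--plugins-list` as advanced, while the `--plugins-detection` OptChoice right below it keeps its `choices:` line outside the hunk and so apparently does not receive `advanced: true`; the themes counterpart in the @@ -68 hunk marks both `--themes-list` and `--themes-detection`, and the timthumbs, config-backups, db-exports, medias, users, main-theme and wp-version hunks all mark their detection-mode options too. Confirm whether keeping the plugins detection options in the simple help is intentional (plugins being the common case), otherwise add `advanced: true` to `--plugins-detection` and `--plugins-version-detection` for symmetry. While the `--plugins-version-all` and `--themes-version-all` description strings are being re-terminated, the `choosen` typo in both could be corrected to `chosen`. Each cli_*_opts method continues outside its hunk.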
@@ -68,22 +69,23 @@ module WPScan # @return [ Array ] def cli_themes_opts [ - OptSmartList.new(['--themes-list LIST', 'List of themes to enumerate']), + OptSmartList.new(['--themes-list LIST', 'List of themes to enumerate'], advanced: true), OptChoice.new( ['--themes-detection MODE', 'Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ), OptBoolean.new( ['--themes-version-all', 'Check all the themes version locations according to the choosen mode (--detection-mode, ' \ - '--themes-detection and --themes-version-detection)'] + '--themes-detection and --themes-version-detection)'], + advanced: true ), OptChoice.new( ['--themes-version-detection MODE', 'Use the supplied mode to check themes versions instead of the --detection-mode ' \ 'or --themes-detection modes.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end @@ -93,12 +95,12 @@ module WPScan [ OptFilePath.new( ['--timthumbs-list FILE-PATH', 'List of timthumbs\' location to use'], - exists: true, default: File.join(DB_DIR, 'timthumbs-v3.txt') + exists: true, default: File.join(DB_DIR, 'timthumbs-v3.txt'), advanced: true ), OptChoice.new( ['--timthumbs-detection MODE', 'Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end 
@@ -108,12 +110,12 @@ module WPScan [ OptFilePath.new( ['--config-backups-list FILE-PATH', 'List of config backups\' filenames to use'], - exists: true, default: File.join(DB_DIR, 'config_backups.txt') + exists: true, default: File.join(DB_DIR, 'config_backups.txt'), advanced: true ), OptChoice.new( ['--config-backups-detection MODE', 'Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end @@ -123,12 +125,12 @@ module WPScan [ OptFilePath.new( ['--db-exports-list FILE-PATH', 'List of DB exports\' paths to use'], - exists: true, default: File.join(DB_DIR, 'db_exports.txt') + exists: true, default: File.join(DB_DIR, 'db_exports.txt'), advanced: true ), OptChoice.new( ['--db-exports-detection MODE', 'Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end @@ -139,7 +141,7 @@ module WPScan OptChoice.new( ['--medias-detection MODE', 'Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end 
@@ -149,12 +151,13 @@ module WPScan [ OptSmartList.new( ['--users-list LIST', - 'List of users to check during the users enumeration from the Login Error Messages'] + 'List of users to check during the users enumeration from the Login Error Messages'], + advanced: true ), OptChoice.new( ['--users-detection MODE', 'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end diff --git a/app/controllers/main_theme.rb b/app/controllers/main_theme.rb index 22b616d3..11f3c576 100644 --- a/app/controllers/main_theme.rb +++ b/app/controllers/main_theme.rb @@ -7,8 +7,7 @@ module WPScan OptChoice.new( ['--main-theme-detection MODE', 'Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], - normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end diff --git a/app/controllers/wp_version.rb b/app/controllers/wp_version.rb index 0b1ffa5c..5ea409c7 100644 --- a/app/controllers/wp_version.rb +++ b/app/controllers/wp_version.rb @@ -4,13 +4,12 @@ module WPScan class WpVersion < CMSScanner::Controller::Base def cli_options [ - OptBoolean.new(['--wp-version-all', 'Check all the version locations']), + OptBoolean.new(['--wp-version-all', 'Check all the version locations'], advanced: true), OptChoice.new( ['--wp-version-detection MODE', 'Use the supplied mode for the WordPress version detection, ' \ 'instead of the global (--detection-mode) mode.'], - choices: %w[mixed passive aggressive], - normalize: :to_sym + choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true ) ] end diff --git a/wpscan.gemspec b/wpscan.gemspec index 7341f90d..96b35a68 100644 --- a/wpscan.gemspec +++ b/wpscan.gemspec 
@@ -21,7 +21,7 @@ Gem::Specification.new do |s| s.executables = ['wpscan'] s.require_paths = ['lib'] - s.add_dependency 'cms_scanner', '~> 0.0.40.1' + s.add_dependency 'cms_scanner', '~> 0.0.40.2' # Already required by CMSScanner, so version restrictions loosen s.add_dependency 'activesupport', '~> 5.2' From d89fcbb68acabfd1a51ef7f01a42a9d42e8a2733 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Thu, 18 Oct 2018 16:14:02 +0100 Subject: [PATCH 2/4] Ref #1225 - Adds notes related to Medias enumeration --- app/controllers/enumeration/cli_options.rb | 5 ++++- app/controllers/enumeration/enum_methods.rb | 5 ++++- app/finders/medias/attachment_brute_forcing.rb | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/app/controllers/enumeration/cli_options.rb b/app/controllers/enumeration/cli_options.rb index a3491b41..ee6b8d5b 100644 --- a/app/controllers/enumeration/cli_options.rb +++ b/app/controllers/enumeration/cli_options.rb @@ -25,7 +25,10 @@ module WPScan cb: OptBoolean.new(['--config-backups']), dbe: OptBoolean.new(['--db-exports']), u: OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'), - m: OptIntegerRange.new(['--medias', 'Media IDs range. e.g m1-15'], value_if_empty: '1-100') + m: OptIntegerRange.new(['--medias', + 'Media IDs range. e.g m1-15', + 'Note: Permalink setting must be set to "Plain" for those to be detected'], + value_if_empty: '1-100') }, value_if_empty: 'vp,vt,tt,cb,dbe,u,m', incompatible: [%i[vp ap p], %i[vt at t]], diff --git a/app/controllers/enumeration/enum_methods.rb b/app/controllers/enumeration/enum_methods.rb index 9447bcb9..2b5758d6 100644 --- a/app/controllers/enumeration/enum_methods.rb +++ b/app/controllers/enumeration/enum_methods.rb 
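Review bot: In the @@ -25 hunk the rewritten `--medias` description reads `e.g m1-15` while the sibling `--users` line reads `e.g: u1-5`; since the line is being split anyway, align the two, e.g. `'Media IDs range. e.g: m1-15',`. The added Permalink note is repeated verbatim in app/controllers/enumeration/enum_methods.rb later in this series, so holding it in a single frozen constant that both places interpolate would stop the wording from drifting. The gemspec hunk above is a version bump only.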
@@ -146,7 +146,10 @@ module WPScan def enum_medias opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias]) - output('@info', msg: 'Enumerating Medias') if user_interaction? + if user_interaction? + output('@info', msg: 'Enumerating Medias (Permalink setting must be set to "Plain" for those to be detected)') + end + output('medias', medias: target.medias(opts)) end diff --git a/app/finders/medias/attachment_brute_forcing.rb b/app/finders/medias/attachment_brute_forcing.rb index 0657fd16..eefa4a07 100644 --- a/app/finders/medias/attachment_brute_forcing.rb +++ b/app/finders/medias/attachment_brute_forcing.rb @@ -1,7 +1,7 @@ module WPScan module Finders module Medias - # Medias Finder + # Medias Finder, see https://github.com/wpscanteam/wpscan/issues/172 class AttachmentBruteForcing < CMSScanner::Finders::Finder include CMSScanner::Finders::Finder::Enumerator From 998951e629d06430e0b6fd697d0607415a11d818 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Thu, 18 Oct 2018 16:15:36 +0100 Subject: [PATCH 3/4] Re-enables rspec on build --- Rakefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Rakefile b/Rakefile index 96b4a1df..21348df2 100644 --- a/Rakefile +++ b/Rakefile @@ -12,9 +12,9 @@ rescue LoadError end begin - #require 'rspec/core/rake_task' - #RSpec::Core::RakeTask.new(:spec) - #exec << :spec + require 'rspec/core/rake_task' + RSpec::Core::RakeTask.new(:spec) + exec << :spec rescue LoadError end From 48dab903138b7a78691b591315061641522ec5a8 Mon Sep 17 00:00:00 2001 
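Review bot: The new `if user_interaction?` block in enum_medias repeats the Permalink wording from cli_options.rb inside one long single-line string, which is presumably why the modifier form was dropped. Extracting the note into a frozen constant shared with cli_options, e.g. `MEDIAS_NOTE = 'Permalink setting must be set to "Plain" for those to be detected'.freeze`, and writing `output('@info', msg: "Enumerating Medias (#{MEDIAS_NOTE})") if user_interaction?` keeps the one-line form and a single source of truth. enum_medias continues outside the hunk; the attachment_brute_forcing.rb and Rakefile hunks on this line are a comment change and a revert.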
From: erwanlr Date: Sat, 20 Oct 2018 12:37:46 +0100 Subject: [PATCH 4/4] Displays the release date of the detected WP version --- app/models/wp_version.rb | 5 +++++ app/views/cli/wp_version/version.erb | 2 +- app/views/json/wp_version/version.erb | 1 + spec/app/controllers/core_spec.rb | 2 +- spec/app/models/wp_version_spec.rb | 6 ++++++ spec/fixtures/db/wordpresses.json | 5 +++++ spec/output/wp_version/confirmed_multiples.cli_no_colour | 2 +- spec/output/wp_version/confirmed_multiples.json | 1 + spec/output/wp_version/confirmed_one.cli_no_colour | 2 +- spec/output/wp_version/confirmed_one.json | 1 + spec/output/wp_version/not_confirmed_entries.cli_no_colour | 2 +- spec/output/wp_version/not_confirmed_entries.json | 1 + .../wp_version/not_confirmed_no_entries.cli_no_colour | 2 +- spec/output/wp_version/not_confirmed_no_entries.json | 1 + spec/output/wp_version/with_vulns.cli_no_colour | 2 +- spec/output/wp_version/with_vulns.json | 1 + 16 files changed, 29 insertions(+), 7 deletions(-) diff --git a/app/models/wp_version.rb b/app/models/wp_version.rb index 0f2ccaa0..0a817aff 100644 --- a/app/models/wp_version.rb +++ b/app/models/wp_version.rb @@ -50,5 +50,10 @@ module WPScan @vulnerabilities end + + # @return [ String ] + def release_date + @release_date ||= db_data['release_date'] + end end end diff --git a/app/views/cli/wp_version/version.erb b/app/views/cli/wp_version/version.erb index a2cc0893..b5397788 100644 --- a/app/views/cli/wp_version/version.erb +++ b/app/views/cli/wp_version/version.erb @@ -1,5 +1,5 @@ <% if @version -%> -<%= info_icon %> WordPress version <%= @version.number %> identified. +<%= info_icon %> WordPress version <%= @version.number %> identified (Released on <%= @version.release_date %>). <%= render('@finding', item: @version) -%> <% else -%> <%= notice_icon %> The WordPress version could not be detected. diff --git a/app/views/json/wp_version/version.erb b/app/views/json/wp_version/version.erb index 1066c23c..babf139e 100644 
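Review bot: `release_date` is documented as `@return [ String ]` but returns whatever `db_data['release_date']` yields, so a version whose DB entry lacks that key comes back nil (and `||=` then re-reads db_data on every call for it). The CLI template in the app/views/cli/wp_version/version.erb hunk interpolates it unguarded, so such a version would print `identified (Released on ).`; the JSON view is fine because `nil.to_json` is `null`. Suggest `# @return [ String, nil ]` here and guarding the CLI line, e.g. `<%= info_icon %> WordPress version <%= @version.number %> identified<%= " (Released on #{@version.release_date})" if @version.release_date %>.`. The enclosing WpVersion class and `db_data` are outside the hunk, so whether an unknown version even reaches this method is not visible here.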
--- a/app/views/json/wp_version/version.erb +++ b/app/views/json/wp_version/version.erb @@ -1,6 +1,7 @@ <% if @version -%> "version": { "number": <%= @version.number.to_json %>, + "release_date": <%= @version.release_date.to_json %>, <%= render('@finding', item: @version) -%> }, <% else -%> diff --git a/spec/app/controllers/core_spec.rb b/spec/app/controllers/core_spec.rb index 475485bd..7172b023 100644 --- a/spec/app/controllers/core_spec.rb +++ b/spec/app/controllers/core_spec.rb @@ -22,7 +22,7 @@ describe WPScan::Controller::Core do # Ensures the :url is the first one and is correctly setup expect(cli_options.first.to_sym).to eql :url - expect(cli_options.first.required_unless).to match_array %i[update help version] + expect(cli_options.first.required_unless).to match_array %i[update help hh version] end end diff --git a/spec/app/models/wp_version_spec.rb b/spec/app/models/wp_version_spec.rb index 6e010908..1c4cbeb6 100644 --- a/spec/app/models/wp_version_spec.rb +++ b/spec/app/models/wp_version_spec.rb @@ -86,4 +86,10 @@ describe WPScan::WpVersion do end end end + + describe '#release_date' do + subject(:version) { described_class.new('3.8.1') } + + its(:release_date) { should eql '2014-01-23' } + end end diff --git a/spec/fixtures/db/wordpresses.json b/spec/fixtures/db/wordpresses.json index 8d6c3914..197d471e 100644 --- a/spec/fixtures/db/wordpresses.json +++ b/spec/fixtures/db/wordpresses.json @@ -1,5 +1,9 @@ { + "4.0": { + "release_date" : "2014-09-04" + }, "3.8.1": { + "release_date" : "2014-01-23", "vulnerabilities" : [ { "created_at" : "2014-08-01T10:58:19.000Z", @@ -25,6 +29,7 @@ ] }, "3.8": { + "release_date" : "2013-12-12", "vulnerabilities" : [ { "references": { diff --git a/spec/output/wp_version/confirmed_multiples.cli_no_colour b/spec/output/wp_version/confirmed_multiples.cli_no_colour index a364a6ac..75eb1e2b 100644 --- a/spec/output/wp_version/confirmed_multiples.cli_no_colour +++ b/spec/output/wp_version/confirmed_multiples.cli_no_colour 
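Review bot: The new `#release_date` example in spec/app/models/wp_version_spec.rb only covers a version that has a `release_date` in the fixture; there is no example for the nil path, whether that is a DB entry without the key or a version absent from the DB (which of those applies depends on `db_data`, outside the hunk). Adding a second example asserting `its(:release_date) { should be_nil }` for such a version would pin the behaviour the CLI and JSON views now depend on. The core_spec and fixture JSON hunks on this line mirror the earlier changes and need no separate comment.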
@@ -1,4 +1,4 @@ -[+] WordPress version 4.0 identified. +[+] WordPress version 4.0 identified (Released on 2014-09-04). | Detected By: rspec | Confirmed By: | Confirmed 1 diff --git a/spec/output/wp_version/confirmed_multiples.json b/spec/output/wp_version/confirmed_multiples.json index 0971855f..bd47879a 100644 --- a/spec/output/wp_version/confirmed_multiples.json +++ b/spec/output/wp_version/confirmed_multiples.json @@ -1,6 +1,7 @@ { "version": { "number": "4.0", + "release_date": "2014-09-04", "found_by": "rspec", "confidence": 0, "interesting_entries": [ diff --git a/spec/output/wp_version/confirmed_one.cli_no_colour b/spec/output/wp_version/confirmed_one.cli_no_colour index 3b8e23f2..75c89109 100644 --- a/spec/output/wp_version/confirmed_one.cli_no_colour +++ b/spec/output/wp_version/confirmed_one.cli_no_colour @@ -1,4 +1,4 @@ -[+] WordPress version 4.0 identified. +[+] WordPress version 4.0 identified (Released on 2014-09-04). | Detected By: rspec | Confirmed By: Confirmed 1 | - IE1 diff --git a/spec/output/wp_version/confirmed_one.json b/spec/output/wp_version/confirmed_one.json index 8156a6fa..5d748206 100644 --- a/spec/output/wp_version/confirmed_one.json +++ b/spec/output/wp_version/confirmed_one.json @@ -1,6 +1,7 @@ { "version": { "number": "4.0", + "release_date": "2014-09-04", "found_by": "rspec", "confidence": 0, "interesting_entries": [ diff --git a/spec/output/wp_version/not_confirmed_entries.cli_no_colour b/spec/output/wp_version/not_confirmed_entries.cli_no_colour index 28f6559e..6cf39f33 100644 --- a/spec/output/wp_version/not_confirmed_entries.cli_no_colour +++ b/spec/output/wp_version/not_confirmed_entries.cli_no_colour @@ -1,4 +1,4 @@ -[+] WordPress version 4.0 identified. +[+] WordPress version 4.0 identified (Released on 2014-09-04). | Detected By: rspec | - IE1 | - IE2 diff --git a/spec/output/wp_version/not_confirmed_entries.json b/spec/output/wp_version/not_confirmed_entries.json index bf29a95f..204d071f 100644 
--- a/spec/output/wp_version/not_confirmed_entries.json +++ b/spec/output/wp_version/not_confirmed_entries.json @@ -1,6 +1,7 @@ { "version": { "number": "4.0", + "release_date": "2014-09-04", "found_by": "rspec", "confidence": 0, "interesting_entries": [ diff --git a/spec/output/wp_version/not_confirmed_no_entries.cli_no_colour b/spec/output/wp_version/not_confirmed_no_entries.cli_no_colour index 53baf371..fd5340cb 100644 --- a/spec/output/wp_version/not_confirmed_no_entries.cli_no_colour +++ b/spec/output/wp_version/not_confirmed_no_entries.cli_no_colour @@ -1,3 +1,3 @@ -[+] WordPress version 4.0 identified. +[+] WordPress version 4.0 identified (Released on 2014-09-04). | Detected By: rspec diff --git a/spec/output/wp_version/not_confirmed_no_entries.json b/spec/output/wp_version/not_confirmed_no_entries.json index 25276fa4..a7e10916 100644 --- a/spec/output/wp_version/not_confirmed_no_entries.json +++ b/spec/output/wp_version/not_confirmed_no_entries.json @@ -1,6 +1,7 @@ { "version": { "number": "4.0", + "release_date": "2014-09-04", "found_by": "rspec", "confidence": 0, "interesting_entries": [ diff --git a/spec/output/wp_version/with_vulns.cli_no_colour b/spec/output/wp_version/with_vulns.cli_no_colour index f8a73300..8c55466c 100644 --- a/spec/output/wp_version/with_vulns.cli_no_colour +++ b/spec/output/wp_version/with_vulns.cli_no_colour @@ -1,4 +1,4 @@ -[+] WordPress version 3.8.1 identified. +[+] WordPress version 3.8.1 identified (Released on 2014-01-23). | Detected By: rspec | | [!] 2 vulnerabilities identified: diff --git a/spec/output/wp_version/with_vulns.json b/spec/output/wp_version/with_vulns.json index c77bc2a7..2b720834 100644 --- a/spec/output/wp_version/with_vulns.json +++ b/spec/output/wp_version/with_vulns.json @@ -1,6 +1,7 @@ { "version": { "number": "3.8.1", + "release_date": "2014-01-23", "found_by": "rspec", "confidence": 0, "interesting_entries": [