Adds a custom temporary Enumerator for Plugins,Themes and Timthumbs
This commit is contained in:
erwanlr
@@ -3,7 +3,7 @@ module WPScan
|
||||
module Plugins
|
||||
# Known Locations Plugins Finder
|
||||
class KnownLocations < CMSScanner::Finders::Finder
|
||||
include CMSScanner::Finders::Finder::Enumerator
|
||||
include Finders::Finder::Enumerator
|
||||
|
||||
# @param [ Hash ] opts
|
||||
# @option opts [ String ] :list
|
||||
@@ -12,11 +12,7 @@ module WPScan
|
||||
def aggressive(opts = {})
|
||||
found = []
|
||||
|
||||
enumerate(target_urls(opts), opts) do |res, slug|
|
||||
# TODO: follow the location (from enumerate()) and remove the 301 here ?
|
||||
# As a result, it might remove false positive due to redirection to the homepage
|
||||
next unless [200, 401, 403, 301].include?(res.code)
|
||||
|
||||
enumerate(target_urls(opts), opts) do |_res, slug|
|
||||
found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
|
||||
end
|
||||
|
||||
@@ -30,10 +26,9 @@ module WPScan
|
||||
def target_urls(opts = {})
|
||||
slugs = opts[:list] || DB::Plugins.vulnerable_slugs
|
||||
urls = {}
|
||||
plugins_url = target.plugins_url
|
||||
|
||||
slugs.each do |slug|
|
||||
urls["#{plugins_url}#{URI.encode(slug)}/"] = slug
|
||||
urls[target.plugin_url(slug)] = slug
|
||||
end
|
||||
|
||||
urls
|
||||
|
||||
@@ -3,7 +3,7 @@ module WPScan
|
||||
module Themes
|
||||
# Known Locations Themes Finder
|
||||
class KnownLocations < CMSScanner::Finders::Finder
|
||||
include CMSScanner::Finders::Finder::Enumerator
|
||||
include Finders::Finder::Enumerator
|
||||
|
||||
# @param [ Hash ] opts
|
||||
# @option opts [ String ] :list
|
||||
@@ -12,11 +12,7 @@ module WPScan
|
||||
def aggressive(opts = {})
|
||||
found = []
|
||||
|
||||
enumerate(target_urls(opts), opts) do |res, slug|
|
||||
# TODO: follow the location (from enumerate()) and remove the 301 here ?
|
||||
# As a result, it might remove false positive due to redirection to the homepage
|
||||
next unless [200, 401, 403, 301].include?(res.code)
|
||||
|
||||
enumerate(target_urls(opts), opts) do |_res, slug|
|
||||
found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
|
||||
end
|
||||
|
||||
@@ -28,12 +24,11 @@ module WPScan
|
||||
#
|
||||
# @return [ Hash ]
|
||||
def target_urls(opts = {})
|
||||
slugs = opts[:list] || DB::Themes.vulnerable_slugs
|
||||
urls = {}
|
||||
themes_url = target.url('wp-content/themes/')
|
||||
slugs = opts[:list] || DB::Themes.vulnerable_slugs
|
||||
urls = {}
|
||||
|
||||
slugs.each do |slug|
|
||||
urls["#{themes_url}#{URI.encode(slug)}/"] = slug
|
||||
urls[target.theme_url(slug)] = slug
|
||||
end
|
||||
|
||||
urls
|
||||
|
||||
@@ -2,8 +2,10 @@ module WPScan
|
||||
module Finders
|
||||
module Timthumbs
|
||||
# Known Locations Timthumbs Finder
|
||||
# Note: A vulnerable version, 2.8.13 can be found here:
|
||||
# https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
|
||||
class KnownLocations < CMSScanner::Finders::Finder
|
||||
include CMSScanner::Finders::Finder::Enumerator
|
||||
include Finders::Finder::Enumerator
|
||||
|
||||
# @param [ Hash ] opts
|
||||
# @option opts [ String ] :list Mandatory
|
||||
@@ -13,14 +15,24 @@ module WPScan
|
||||
found = []
|
||||
|
||||
enumerate(target_urls(opts), opts) do |res|
|
||||
next unless res.code == 400 && res.body =~ /no image specified/i
|
||||
|
||||
found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
|
||||
end
|
||||
|
||||
found
|
||||
end
|
||||
|
||||
# @param [ Typhoeus::Response ] res
|
||||
# @param [ Regexp,nil ] exclude_content
|
||||
#
|
||||
# @return [ Boolean ]
|
||||
def valid_response?(res, _exclude_content = nil)
|
||||
return false unless res.code == 400
|
||||
|
||||
full_res = Browser.get(res.effective_url, cache_ttl: 0)
|
||||
|
||||
full_res.body =~ /no image specified/i ? true : false
|
||||
end
|
||||
|
||||
# @param [ Hash ] opts
|
||||
# @option opts [ String ] :list Mandatory
|
||||
#
|
||||
|
||||
@@ -24,3 +24,94 @@ module WPScan
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Better version of the CMSScanner Enumerator for plugins, themes and timthumbs,
|
||||
# put here as temporary until implemented in it (and considering other finders using it, such as
|
||||
# the config backups etc)
|
||||
module WPScan
|
||||
module Finders
|
||||
class Finder
|
||||
module Enumerator
|
||||
# @param [ Hash ] The target urls
|
||||
# @param [ Hash ] opts
|
||||
# @option opts [ Boolean ] :show_progression Wether or not to display the progress bar
|
||||
# @option opts [ Regexp ] :exclude_content
|
||||
#
|
||||
# @yield [ Typhoeus::Response, String ]
|
||||
def enumerate(urls, opts = {})
|
||||
determine_request_params(urls, opts)
|
||||
# determine_valid_response_codes(opts)
|
||||
|
||||
create_progress_bar(opts.merge(total: urls.size))
|
||||
|
||||
urls.each do |url, slug|
|
||||
request = browser.forge_request(url, request_params)
|
||||
|
||||
request.on_complete do |res|
|
||||
progress_bar.increment
|
||||
|
||||
yield res, slug if valid_response?(res, opts[:exclude_content])
|
||||
end
|
||||
|
||||
hydra.queue(request)
|
||||
end
|
||||
|
||||
hydra.run
|
||||
end
|
||||
|
||||
# @param [ Typhoeus::Response ] res
|
||||
# @param [ Regexp,nil ] exclude_content
|
||||
#
|
||||
# @return [ Boolean ]
|
||||
# rubocop:disable Metrics/PerceivedComplexity
|
||||
def valid_response?(res, exclude_content = nil)
|
||||
return false unless valid_response_codes.include?(res.code)
|
||||
|
||||
return false if exclude_content && res.response_headers&.match(exclude_content)
|
||||
|
||||
# Perform a full get to check if homepage or custom 404
|
||||
if res.code == 200
|
||||
full_res = Browser.get(res.effective_url, cache_ttl: 0)
|
||||
|
||||
return false if target.homepage_or_404?(full_res) ||
|
||||
exclude_content && full_res.body.match(exclude_content)
|
||||
end
|
||||
|
||||
true
|
||||
end
|
||||
# rubocop:enable Metrics/PerceivedComplexity
|
||||
|
||||
# @return [ Hash ]
|
||||
def request_params
|
||||
@request_params ||= { cache_ttl: 0 }
|
||||
end
|
||||
|
||||
# @param [ Hash ] urls
|
||||
# @param [ Hash ] opts
|
||||
def determine_request_params(urls, _opts)
|
||||
head_res = Browser.head(urls.first[0], cache_ttl: 0)
|
||||
|
||||
@request_params = if head_res.code == 405
|
||||
{ method: :get, maxfilesize: 1, cache_ttl: 0 }
|
||||
else
|
||||
{ method: :head, cache_ttl: 0 }
|
||||
end
|
||||
end
|
||||
|
||||
# @return [ Array<Integer> ]
|
||||
def valid_response_codes
|
||||
@valid_response_codes ||= [200, 401, 403, 301]
|
||||
end
|
||||
|
||||
# Idea here would be to check the opts[:found] which
|
||||
# contains items (such as plugins) found via other techniques,
|
||||
# and see their responses to refine the #response_codes
|
||||
def determine_valid_response_codes(opts)
|
||||
return if opts[:found].empty?
|
||||
|
||||
# TODO
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -54,6 +54,13 @@ module WPScan
|
||||
plugins_uri.to_s
|
||||
end
|
||||
|
||||
# @param [ String ] slug
|
||||
#
|
||||
# @return [ String ]
|
||||
def plugin_url(slug)
|
||||
plugins_uri.join("#{URI.encode(slug)}/").to_s
|
||||
end
|
||||
|
||||
# @return [ String ]
|
||||
def themes_dir
|
||||
@themes_dir ||= "#{content_dir}/themes"
|
||||
@@ -69,6 +76,13 @@ module WPScan
|
||||
themes_uri.to_s
|
||||
end
|
||||
|
||||
# @param [ String ] slug
|
||||
#
|
||||
# @return [ String ]
|
||||
def theme_url(slug)
|
||||
themes_uri.join("#{URI.encode(slug)}/").to_s
|
||||
end
|
||||
|
||||
# TODO: Factorise the code and the content_dir one ?
|
||||
# @return [ String, False ] String of the sub_dir found, false otherwise
|
||||
# @note: nil can not be returned here, otherwise if there is no sub_dir
|
||||
|
||||
Reference in New Issue
Block a user