garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adds a custom temporary Enumerator for Plugins,Themes and Timthumbs

Browse Source
This commit is contained in:
erwanlr
2019-03-18 19:15:43 +00:00
parent 9a3db275f3
commit 4a427f1ff6
5 changed files with 128 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
app/finders/plugins/known_locations.rb
View File

@@ -3,7 +3,7 @@ module WPScan
module Plugins
# Known Locations Plugins Finder
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
# @param [ Hash ] opts
# @option opts [ String ] :list
@@ -12,11 +12,7 @@ module WPScan
def aggressive(opts = {})
found = []
enumerate(target_urls(opts), opts) do |res, slug|
# TODO: follow the location (from enumerate()) and remove the 301 here ?
# As a result, it might remove false positive due to redirection to the homepage
next unless [200, 401, 403, 301].include?(res.code)
enumerate(target_urls(opts), opts) do |_res, slug|
found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
@@ -30,10 +26,9 @@ module WPScan
def target_urls(opts = {})
slugs = opts[:list] || DB::Plugins.vulnerable_slugs
urls = {}
plugins_url = target.plugins_url
slugs.each do |slug|
urls["#{plugins_url}#{URI.encode(slug)}/"] = slug
urls[target.plugin_url(slug)] = slug
end
urls

15
app/finders/themes/known_locations.rb
View File

@@ -3,7 +3,7 @@ module WPScan
module Themes
# Known Locations Themes Finder
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
# @param [ Hash ] opts
# @option opts [ String ] :list
@@ -12,11 +12,7 @@ module WPScan
def aggressive(opts = {})
found = []
enumerate(target_urls(opts), opts) do |res, slug|
# TODO: follow the location (from enumerate()) and remove the 301 here ?
# As a result, it might remove false positive due to redirection to the homepage
next unless [200, 401, 403, 301].include?(res.code)
enumerate(target_urls(opts), opts) do |_res, slug|
found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
@@ -28,12 +24,11 @@ module WPScan
#
# @return [ Hash ]
def target_urls(opts = {})
slugs = opts[:list] || DB::Themes.vulnerable_slugs
urls = {}
themes_url = target.url('wp-content/themes/')
slugs = opts[:list] || DB::Themes.vulnerable_slugs
urls = {}
slugs.each do |slug|
urls["#{themes_url}#{URI.encode(slug)}/"] = slug
urls[target.theme_url(slug)] = slug
end
urls

18
app/finders/timthumbs/known_locations.rb
View File

@@ -2,8 +2,10 @@ module WPScan
module Finders
module Timthumbs
# Known Locations Timthumbs Finder
# Note: A vulnerable version, 2.8.13 can be found here:
# https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
# @param [ Hash ] opts
# @option opts [ String ] :list Mandatory
@@ -13,14 +15,24 @@ module WPScan
found = []
enumerate(target_urls(opts), opts) do |res|
next unless res.code == 400 && res.body =~ /no image specified/i
found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
end
found
end
# @param [ Typhoeus::Response ] res
# @param [ Regexp,nil ] exclude_content
#
# @return [ Boolean ]
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 400
full_res = Browser.get(res.effective_url, cache_ttl: 0)
full_res.body =~ /no image specified/i ? true : false
end
# @param [ Hash ] opts
# @option opts [ String ] :list Mandatory
#