From 4f142985a2870cbba97aeec15811245315960a00 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Sat, 6 Jul 2019 14:23:34 +0100 Subject: [PATCH] Fixes #1364 --- app/finders/plugin_version/readme.rb | 2 +- app/models/plugin.rb | 5 +++++ app/models/wp_item.rb | 7 ++++++- spec/app/models/plugin_spec.rb | 20 +++++++++++++++++++ spec/fixtures/db/dynamic_finders.yml | 17 ++++++++++++---- spec/fixtures/dynamic_finders/expected.yml | 9 +++++++++ .../query_parameter_passive_all.html | 6 ++++++ 7 files changed, 60 insertions(+), 6 deletions(-) diff --git a/app/finders/plugin_version/readme.rb b/app/finders/plugin_version/readme.rb index cddedb1b..dffd635f 100644 --- a/app/finders/plugin_version/readme.rb +++ b/app/finders/plugin_version/readme.rb @@ -11,7 +11,7 @@ module WPScan # The target(plugin)#readme_url can't be used directly here # as if the --detection-mode is passive, it will always return nil - Model::WpItem::READMES.each do |file| + target.potential_readme_filenames.each do |file| res = target.head_and_get(file) next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty? diff --git a/app/models/plugin.rb b/app/models/plugin.rb index 8363985e..27c132c9 100644 --- a/app/models/plugin.rb +++ b/app/models/plugin.rb @@ -28,6 +28,11 @@ module WPScan @version end + + # @return [ Array ] + def potential_readme_filenames + @potential_readme_filenames ||= [*(DB::DynamicFinders::Plugin.db_data.dig(slug, 'Readme', 'path') || super)] + end end end end diff --git a/app/models/wp_item.rb b/app/models/wp_item.rb index 8287d95e..c4dab331 100644 --- a/app/models/wp_item.rb +++ b/app/models/wp_item.rb @@ -9,6 +9,7 @@ module WPScan include CMSScanner::Target::Platform::PHP include CMSScanner::Target::Server::Generic + # Most common readme filenames, based on checking all public plugins and themes. READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data 
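Review bot: In `potential_readme_filenames` in app/models/plugin.rb the fallback to `super` only fires when the DB lookup returns nil; an empty list in the DB (`path: []`) is truthy in Ruby, so `[*[]]` yields `[]` and readme detection is silently skipped for that plugin instead of falling back to the common names. A defensive form is `paths = [*DB::DynamicFinders::Plugin.db_data.dig(slug, 'Readme', 'path')]` followed by `@potential_readme_filenames ||= paths.empty? ? super : paths`. Because these values are now read from data rather than a frozen constant and end up in `url(path)` / `head_and_get`, it is also worth rejecting anything that is not a plain filename (a `/`, `..` or `?` in the entry would redirect the probe elsewhere), unless the DB loader already validates that. I cannot tell from the hunk whether the finder loader treats a `Readme` entry without `class:` as a finder definition; the `customerlabs-actionrecorder: {}` expectation in the fixtures suggests it is ignored, but that deserves confirming. The `@return [ Array ]` tag would be more useful as `# @return [ Array<String> ] Readme filenames for this slug from the DB's Readme/path (string or array), falling back to WpItem::READMES`.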
@@ -117,7 +118,7 @@ module WPScan return @readme_url unless @readme_url.nil? - READMES.each do |path| + potential_readme_filenames.each do |path| t_url = url(path) return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200 @@ -126,6 +127,10 @@ module WPScan @readme_url = false end + def potential_readme_filenames + @potential_readme_filenames ||= READMES + end + # @param [ String ] path # @param [ Hash ] params The request params # diff --git a/spec/app/models/plugin_spec.rb b/spec/app/models/plugin_spec.rb index dc2313ed..8075d4a2 100644 --- a/spec/app/models/plugin_spec.rb +++ b/spec/app/models/plugin_spec.rb @@ -60,6 +60,26 @@ describe WPScan::Model::Plugin do end end + describe 'potential_readme_filenames' do + context 'when not set in the DF file' do + its(:potential_readme_filenames) { should eql described_class::READMES } + end + + context 'when set in the DF file' do + context 'as a string' do + let(:slug) { 'photoblocks-grid-gallery' } + + its(:potential_readme_filenames) { should eql %w[README.txt] } + end + + context 'as an array' do + let(:slug) { 'customerlabs-actionrecorder' } + + its(:potential_readme_filenames) { should eql %w[Readme.txt Readme.md] } + end + end + end + describe '#latest_version, #last_updated, #popular' do context 'when none' do let(:slug) { 'vulnerable-not-popular' } diff --git a/spec/fixtures/db/dynamic_finders.yml b/spec/fixtures/db/dynamic_finders.yml index 81c75045..cd5d6e4a 100644 --- a/spec/fixtures/db/dynamic_finders.yml +++ b/spec/fixtures/db/dynamic_finders.yml @@ -129,6 +129,8 @@ themes: version: true plugins: 10centmail-subscription-management-and-analytics: + Readme: + path: README.txt MetaTag: class: Xpath xpath: //meta[@name="tencentmail-plugin-version"]/@content 
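Review bot: The new public `potential_readme_filenames` in app/models/wp_item.rb has no YARD comment, although the surrounding methods document themselves with `# @param` / `# @return` tags and `Plugin` is expected to override it. Suggest `# @return [ Array<String> ] Readme filenames tried by #readme_url, most common first; subclasses may override to narrow the list per item`. The memoisation of a frozen constant through `@potential_readme_filenames ||=` is harmless but looks odd on its own; a short why-comment (presumably it exists so overrides can cache a computed list under the same ivar) would save the next reader a question.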
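Review bot: The `potential_readme_filenames` examples added to spec/app/models/plugin_spec.rb cover an absent entry, a string and an array, but not a `Readme` key without `path` or with an empty list; the former falls back to `READMES` because `dig` returns nil, whereas an empty list currently yields `[]`, and neither behaviour is pinned. A context such as `its(:potential_readme_filenames) { should eql described_class::READMES }` for a slug whose DB entry is `Readme: {}` would document the intended fallback. The 'when not set in the DF file' context relies on the outer `let(:slug)`, which lies outside the hunk.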
@@ -7129,6 +7131,11 @@ plugins: - public/css/customer-chat-for-facebook-public.css - public/js/customer-chat-for-facebook-public.js version: true + customerlabs-actionrecorder: + Readme: + path: + - Readme.txt + - Readme.md customify-sites: TranslationFile: class: BodyPattern @@ -18867,11 +18874,13 @@ plugins: - js/photoswipe.js version: true photoblocks-grid-gallery: - CorrectReadmePath: - class: BodyPattern + Readme: path: README.txt - pattern: !ruby/regexp /= (?\d+\.[\.\d]+) =/ - confidence: 80 + QueryParameter: + files: + - public/css/photoblocks-public.css + - public/js/anime.min.js + - public/js/photoblocks.public.js version: true photonic: QueryParameter: diff --git a/spec/fixtures/dynamic_finders/expected.yml b/spec/fixtures/dynamic_finders/expected.yml index b107eab9..4cd83bd0 100644 --- a/spec/fixtures/dynamic_finders/expected.yml +++ b/spec/fixtures/dynamic_finders/expected.yml @@ -8776,6 +8776,7 @@ plugins: - http://wp.lab/wp-content/plugins/customer-chat-for-facebook/public/css/customer-chat-for-facebook-public.css?ver=1.0.3.1 - http://wp.lab/wp-content/plugins/customer-chat-for-facebook/public/js/customer-chat-for-facebook-public.js?ver=1.0.3.1 confidence: 20 + customerlabs-actionrecorder: {} customify-sites: TranslationFile: number: 0.0.1 @@ -23332,6 +23333,14 @@ plugins: - 'http://wp.lab/wp-content/plugins/photoblocks-grid-gallery/README.txt, Match: ''= 1.1.40 =''' confidence: 80 + QueryParameter: + number: 1.1.41 + found_by: Query Parameter (Passive Detection) + interesting_entries: + - http://wp.lab/wp-content/plugins/photoblocks-grid-gallery/public/css/photoblocks-public.css?ver=1.1.41 + - http://wp.lab/wp-content/plugins/photoblocks-grid-gallery/public/js/anime.min.js?ver=1.1.41 + - http://wp.lab/wp-content/plugins/photoblocks-grid-gallery/public/js/photoblocks.public.js?ver=1.1.41 + confidence: 30 photonic: QueryParameter: number: '1.64' 
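Review bot: In spec/fixtures/dynamic_finders/expected.yml the context lines just above the added `QueryParameter` block for `photoblocks-grid-gallery` still expect a `README.txt, Match: '= 1.1.40 ='` entry at confidence 80, yet this patch removes the `CorrectReadmePath` BodyPattern finder that produced it from spec/fixtures/db/dynamic_finders.yml. If that expectation belongs to the removed finder it is stale and should go (or the spec should fail); if it is produced by the new `Readme` entry, the differing version numbers (1.1.40 from the readme, 1.1.41 from the query parameter) look like deliberate test data but are worth a one-line fixture comment. The hunk's first context line appears to be missing from this rendering, so I may not be seeing the full picture.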
diff --git a/spec/fixtures/dynamic_finders/plugin_version/query_parameter_passive_all.html b/spec/fixtures/dynamic_finders/plugin_version/query_parameter_passive_all.html index 66d6f90e..0aa90516 100644 --- a/spec/fixtures/dynamic_finders/plugin_version/query_parameter_passive_all.html +++ b/spec/fixtures/dynamic_finders/plugin_version/query_parameter_passive_all.html @@ -8570,6 +8570,12 @@ + + + + + +