Improves Password Attack against wp-login.php to avoid FP

2019-03-14 19:21:39 +00:00
parent e7925de5bc
commit 4f9822743c
3 changed files with 13 additions and 4 deletions
--- a/app/finders/passwords/wp_login.rb
+++ b/app/finders/passwords/wp_login.rb
@@ -10,7 +10,8 @@ module WPScan
        end

        def valid_credentials?(response)
-          response.code == 302
+          response.code == 302 &&
+            response.headers['Set-Cookie']&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
        end

        def errored_response?(response)
--- a/lib/wpscan/target/platform/wordpress.rb
+++ b/lib/wpscan/target/platform/wordpress.rb
@@ -84,7 +84,7 @@ module WPScan

          res = Browser.get_and_follow_location(@login_url)

-          @login_url = res.effective_url if in_scope?(res.effective_url)
+          @login_url = res.effective_url if res.effective_url =~ /wp\-login\.php\z/i && in_scope?(res.effective_url)

          @login_url
        end
--- a/spec/shared_examples/target/platform/wordpress.rb
+++ b/spec/shared_examples/target/platform/wordpress.rb
@@ -98,9 +98,17 @@ shared_examples WPScan::Target::Platform::WordPress do
      end

      context 'to an in scope URL' do
-        let(:effective_url) { target.url('wp-login.php').gsub('http', 'https') }
+        context 'when https version of the wp-login' do
+          let(:effective_url) { target.url('wp-login.php').gsub('http', 'https') }

-        its(:login_url) { should eql effective_url }
+          its(:login_url) { should eql effective_url }
+        end
+
+        context 'when something else' do
+          let(:effective_url) { target.url('something').gsub('http', 'https') }
+
+          its(:login_url) { should eql target.url('wp-login.php') }
+        end
      end

      context 'to an out of scope URL' do