Adds security-protection plugin detection - Fixes #747

2015-01-25 15:16:11 +01:00
parent 9361cf4b00
commit 585d22be46
3 changed files with 105 additions and 25 deletions
--- a/lib/wpscan/wp_target/wp_login_protection.rb
+++ b/lib/wpscan/wp_target/wp_login_protection.rb
@@ -99,5 +99,12 @@ class WpTarget < WebSite
      plugin_url('bluetrait-event-viewer')
    end

+    # https://wordpress.org/plugins/security-protection/
+    def has_security_protection_protection?
+      Nokogiri::HTML(Browser.get(login_url).body).css('script').each do |node|
+        return true if node['src'] =~ /security-protection.js/i
+      end
+      false
+    end
  end
 end
--- a/spec/samples/wpscan/wp_target/wp_login_protection/wp-login-security_protection.php
+++ b/spec/samples/wpscan/wp_target/wp_login_protection/wp-login-security_protection.php
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+  <!--[if IE 8]>
+    <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
+  <![endif]-->
+  <!--[if !(IE 8) ]><!-->
+    <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
+  <!--<![endif]-->
+  <head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+  <title>WordPress 4.1 &rsaquo; Log In</title>
+  <link rel='stylesheet' id='buttons-css'  href='http://wp.lab/wordpress-4.1/wp-includes/css/buttons.min.css?ver=4.1' type='text/css' media='all' />
+<link rel='stylesheet' id='open-sans-css'  href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&#038;subset=latin%2Clatin-ext&#038;ver=4.1' type='text/css' media='all' />
+<link rel='stylesheet' id='dashicons-css'  href='http://wp.lab/wordpress-4.1/wp-includes/css/dashicons.min.css?ver=4.1' type='text/css' media='all' />
+<link rel='stylesheet' id='login-css'  href='http://wp.lab/wordpress-4.1/wp-admin/css/login.min.css?ver=4.1' type='text/css' media='all' />
+<script type='text/javascript' src='http://wp.lab/wordpress-4.1/wp-includes/js/jquery/jquery.js?ver=1.11.1'></script>
+<script type='text/javascript' src='http://wp.lab/wordpress-4.1/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
+<script type='text/javascript' src='http://wp.lab/wordpress-4.1/wp-content/plugins/security-protection/js/security-protection.js?ver=4.1'></script>
+<meta name='robots' content='noindex,follow' />
+  </head>
+  <body class="login login-action-login wp-core-ui  locale-en-us">
+  <div id="login">
+    <h1><a href="https://wordpress.org/" title="Powered by WordPress" tabindex="-1">WordPress 4.1</a></h1>
+
+<form name="loginform" id="loginform" action="http://wp.lab/wordpress-4.1/wp-login.php" method="post">
+  <p>
+    <label for="user_login">Username<br />
+    <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
+  </p>
+  <p>
+    <label for="user_pass">Password<br />
+    <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
+  </p>
+
+<p class="secprot-form-group secprot-form-group-code"><label>Copy this code "<span>asd321</span>" and paste it into input: <br /><input type="text" name="secprot-code" class="input" value="2.1" /></label></p>
+
+<p class="secprot-form-group secprot-form-group-empty" style="display: none;"><label>Leave this field empty: <br /><input type="text" name="secprot-empty-email-url-website" class="input" value="" /></label></p>
+  <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> Remember Me</label></p>
+  <p class="submit">
+    <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
+    <input type="hidden" name="redirect_to" value="http://wp.lab/wordpress-4.1/wp-admin/" />
+    <input type="hidden" name="testcookie" value="1" />
+  </p>
+</form>
+
+<p id="nav">
+  <a href="http://wp.lab/wordpress-4.1/wp-login.php?action=lostpassword" title="Password Lost and Found">Lost your password?</a>
+</p>
+
+<script type="text/javascript">
+function wp_attempt_focus(){
+setTimeout( function(){ try{
+d = document.getElementById('user_login');
+d.focus();
+d.select();
+} catch(e){}
+}, 200);
+}
+
+wp_attempt_focus();
+if(typeof wpOnload=='function')wpOnload();
+</script>
+
+  <p id="backtoblog"><a href="http://wp.lab/wordpress-4.1/" title="Are you lost?">&larr; Back to WordPress 4.1</a></p>
+
+  </div>
+
+
+    <div class="clear"></div>
+  </body>
+  </html>
+
--- a/spec/shared_examples/wp_target/wp_login_protection.rb
+++ b/spec/shared_examples/wp_target/wp_login_protection.rb
@@ -11,15 +11,16 @@ shared_examples 'WpTarget::WpLoginProtection' do
  describe '#has_.*_protection?' do

    pattern = WpTarget::WpLoginProtection::LOGIN_PROTECTION_METHOD_PATTERN
-    fixtures = %w{
+    fixtures = %w(
      wp-login-clean.php wp-login-login_lockdown.php wp-login-login_lock.php
-      wp-login-better_wp_security.php wp-login-simple_login_lockdown.php wp-login-login_security_solution.php
-      wp-login-limit_login_attempts.php wp-login-bluetrait_event_viewer.php
-    }
+      wp-login-better_wp_security.php wp-login-simple_login_lockdown.php
+      wp-login-login_security_solution.php wp-login-limit_login_attempts.php
+      wp-login-bluetrait_event_viewer.php wp-login-security_protection.php
+    )

    # For plugins which are detected from the existence of their directory into wp-content/plugins/ (or one of their file)
    # and not from a regex into the login page
-    special_plugins = %w{better_wp_security simple_login_lockdown login_security_solution limit_login_attempts bluetrait_event_viewer}
+    special_plugins = %w(better_wp_security simple_login_lockdown login_security_solution limit_login_attempts bluetrait_event_viewer)

    after :each do
      stub_request_to_fixture(url: login_url, fixture: @fixture)
@@ -33,10 +34,10 @@ shared_examples 'WpTarget::WpLoginProtection' do
        stub_request(:get, wp_target.send(special_plugin_call_url_symbol).to_s).to_return(status: status_code)
      end

-      expect(wp_target.send(@symbol_to_call)).to be === @expected
+      expect(wp_target.send(@symbol_to_call)).to eql @expected
    end

-    self.protected_instance_methods.grep(pattern).each do |symbol_to_call|
+    protected_instance_methods.grep(pattern).each do |symbol_to_call|
      plugin_name_from_symbol = symbol_to_call[pattern, 1].gsub('_', '-')

      fixtures.each do |fixture|
@@ -45,7 +46,7 @@ shared_examples 'WpTarget::WpLoginProtection' do

        it "#{symbol_to_call} with #{fixture} returns #{expected}" do
          @plugin_name    = plugin_name_from_fixture
-          @fixture        = fixtures_dir + '/' + fixture
+          @fixture        = File.join(fixtures_dir, fixture)
          @symbol_to_call = symbol_to_call
          @expected       = expected
        end
@@ -53,36 +54,37 @@ shared_examples 'WpTarget::WpLoginProtection' do
    end
  end

-  # Factorise this with the code above ? :D
  describe '#login_protection_plugin' do
    after :each do
+      stub_request(:get, /.*/).to_return(status: 404)
      stub_request_to_fixture(url: login_url, fixture: @fixture)
-      stub_request(:get, wp_target.send(:better_wp_security_url).to_s).to_return(status: 404)
-      stub_request(:get, wp_target.send(:simple_login_lockdown_url).to_s).to_return(status: 404)
-      stub_request(:get, wp_target.send(:login_security_solution_url).to_s).to_return(status: 404)
-      stub_request(:get, wp_target.send(:limit_login_attempts_url).to_s).to_return(status: 404)
-      stub_request(:get, wp_target.send(:bluetrait_event_viewer_url).to_s).to_return(status: 404)

-      expect(wp_target.login_protection_plugin()).to eq @plugin_expected
-      expect(wp_target.has_login_protection?).to be === @has_protection_expected
+      expect(wp_target.login_protection_plugin).to eq @plugin_expected
+      expect(wp_target.has_login_protection?).to eql @protection_expected
    end

    it 'returns nil if no protection is present' do
-      @fixture                 = fixtures_dir + '/wp-login-clean.php'
-      @plugin_expected         = nil
-      @has_protection_expected = false
+      @fixture             = File.join(fixtures_dir, 'wp-login-clean.php')
+      @plugin_expected     = nil
+      @protection_expected = false
    end

    it 'returns a login-lockdown WpPlugin object' do
-      @fixture                 = fixtures_dir + '/wp-login-login_lockdown.php'
-      @plugin_expected         = WpPlugin.new(wp_target.uri, name: 'login-lockdown')
-      @has_protection_expected = true
+      @fixture             = File.join(fixtures_dir, 'wp-login-login_lockdown.php')
+      @plugin_expected     = WpPlugin.new(wp_target.uri, name: 'login-lockdown')
+      @protection_expected = true
    end

    it 'returns a login-lock WpPlugin object' do
-      @fixture                 = fixtures_dir + '/wp-login-login_lock.php'
-      @plugin_expected         = WpPlugin.new(wp_target.uri, name: 'login-lock')
-      @has_protection_expected = true
+      @fixture             = File.join(fixtures_dir, 'wp-login-login_lock.php')
+      @plugin_expected     = WpPlugin.new(wp_target.uri, name: 'login-lock')
+      @protection_expected = true
+    end
+
+    it 'returns a security-protection WpPlugin object' do
+      @fixture             = File.join(fixtures_dir, 'wp-login-security_protection.php')
+      @plugin_expected     = WpPlugin.new(wp_target.uri, name: 'security-protection')
+      @protection_expected = true
    end
  end