Don't fail silent.

2018-05-15 10:39:16 +01:00
parent 439900a1ea
commit 59368a72bd
3 changed files with 22 additions and 10 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -24,7 +24,7 @@ before_install:
  - "gem regenerate_binstubs"
  - "bundle --version"
 before_script:
-  - "unzip -o $TRAVIS_BUILD_DIR/data.zip -d $HOME"
+  - "unzip -o $TRAVIS_BUILD_DIR/data.zip -d $HOME/.wpscan/"
 script:
  - "bundle exec rspec"
 notifications:
--- a/lib/wpscan/wp_target/wp_api.rb
+++ b/lib/wpscan/wp_target/wp_api.rb
@@ -46,22 +46,25 @@ class WpTarget < WebSite
    def json_get_users(url)
      # Variables
      users = []
+      data = ""

      # Make the request
      response = Browser.get(url)

-      # Able to view the output?
-      return false if not valid_json?(response.body)
+      # If not HTTP 200, return false
+      return false if response.code != 200

-      # Read in JSON
-      data = JSON.parse(response.body)
+      # Able to view the output?
+      if valid_json?(response.body)
+        # Read in JSON
+        data = JSON.parse(response.body)
+      else
+        return false
+      end

      # If there is nothing there, return false
      return false if data.empty?

-      # If not HTTP 200, return false
-      return false if response.code != 200
-
      # Add to array
      data.each do |child|
        row = [ child['id'], child['name'], child['link'] ]
@@ -71,7 +74,7 @@ class WpTarget < WebSite
      # Sort and uniq
      users = users.sort.uniq

-      if users and users.size > 1
+      if users and users.size >= 1
        # Feedback
        grammar = grammar_s(users.size)
        puts warning("#{users.size} user#{grammar} exposed via API: #{json_users_url}")
@@ -80,6 +83,8 @@ class WpTarget < WebSite
        table = Terminal::Table.new(headings: ['ID', 'Name', 'URL'],
                                    rows: users)
        puts table
+      else
+        return false
      end
    end
  end
--- a/lib/wpscan/wp_target/wp_rss.rb
+++ b/lib/wpscan/wp_target/wp_rss.rb
@@ -33,6 +33,9 @@ class WpTarget < WebSite
      # Get output
      data = response.body

+      # If there is nothing there, return false
+      return false if data.empty?
+
      # Read in RSS/XML
      xml = Nokogiri::XML(data)

@@ -43,12 +46,14 @@ class WpTarget < WebSite
          users << [%r{.*}i.match(node).to_s]
        end
      rescue
+        puts critical("Missing Author field. Maybe non-standard WordPress RSS feed?")
+        return false
      end

      # Sort and uniq
      users = users.sort_by { |user| user.to_s.downcase }.uniq

-      if users and users.size > 1
+      if users and users.size >= 1
        # Feedback
        grammar = grammar_s(users.size)
        puts warning("Detected #{users.size} user#{grammar} from RSS feed:")
@@ -57,6 +62,8 @@ class WpTarget < WebSite
        table = Terminal::Table.new(headings: ['Name'],
                                    rows: users)
        puts table
+      else
+        return false
      end
    end
  end