garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WpVersion code factoring

Browse Source
This commit is contained in:
erwanlr
2013-03-11 15:59:38 +01:00
parent eadebd387a
commit 5f7ca09e55
2 changed files with 69 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
lib/wpscan/wp_version.rb
View File

@@ -39,7 +39,7 @@ class WpVersion < Vulnerable
# (find_from_meta_generator, find_from_rss_generator etc) # (find_from_meta_generator, find_from_rss_generator etc)
def self.find(target_uri, wp_content_dir) def self.find(target_uri, wp_content_dir)
options = { options = {
base_url: target_uri, base_uri: target_uri,
wp_content_dir: wp_content_dir wp_content_dir: wp_content_dir
} }
self.methods.grep(/find_from_/).each do |method_to_call| self.methods.grep(/find_from_/).each do |method_to_call|
@@ -54,34 +54,44 @@ class WpVersion < Vulnerable
protected protected
# Returns the first match in the body of the url
def self.scan_url_for_pattern(base_uri, pattern, path = nil)
url = path ? base_uri.merge(path).to_s : base_uri.to_s
response = Browser.instance.get_and_follow_location(url)
response.body[pattern, 1]
end
# Attempts to find the wordpress version from, # Attempts to find the wordpress version from,
# the generator meta tag in the html source. # the generator meta tag in the html source.
# #
# The meta tag can be removed however it seems, # The meta tag can be removed however it seems,
# that it is reinstated on upgrade. # that it is reinstated on upgrade.
def self.find_from_meta_generator(options) def self.find_from_meta_generator(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
response = Browser.instance.get_and_follow_location(target_uri.to_s) options[:base_uri],
%r{name="generator" content="wordpress #{WpVersion.version_pattern}"}i
response.body[%r{name="generator" content="wordpress #{WpVersion.version_pattern}"}i, 1] )
end end
# Attempts to find the WordPress version from, # Attempts to find the WordPress version from,
# the generator tag in the RSS feed source. # the generator tag in the RSS feed source.
def self.find_from_rss_generator(options) def self.find_from_rss_generator(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
response = Browser.instance.get_and_follow_location(target_uri.merge('feed/').to_s) options[:base_uri],
%r{<generator>http://wordpress.org/\?v=#{WpVersion.version_pattern}</generator>}i,
response.body[%r{<generator>http://wordpress.org/\?v=#{WpVersion.version_pattern}</generator>}i, 1] 'feed/'
)
end end
# Attempts to find WordPress version from, # Attempts to find WordPress version from,
# the generator tag in the RDF feed source. # the generator tag in the RDF feed source.
def self.find_from_rdf_generator(options) def self.find_from_rdf_generator(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
response = Browser.instance.get_and_follow_location(target_uri.merge('feed/rdf/').to_s) options[:base_uri],
%r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{WpVersion.version_pattern}" />}i,
response.body[%r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{WpVersion.version_pattern}" />}i, 1] 'feed/rdf/'
)
end end
# Attempts to find the WordPress version from, # Attempts to find the WordPress version from,
@@ -89,19 +99,21 @@ class WpVersion < Vulnerable
# #
# Have not been able to find an example of this - Ryan # Have not been able to find an example of this - Ryan
#def self.find_from_rss2_generator(options) #def self.find_from_rss2_generator(options)
# target_uri = options[:base_url] # WpVersion.scan_url_for_pattern(
# response = Browser.instance.get_and_follow_location(target_uri.merge('feed/rss/').to_s) # options[:base_uri],
# # %r{<generator>http://wordpress.org/?v=(#{WpVersion.version_pattern})</generator>}i,
# response.body[%r{<generator>http://wordpress.org/?v=(#{WpVersion.version_pattern})</generator>}i, 1] # 'feed/rss/'
# )
#end #end
# Attempts to find the WordPress version from, # Attempts to find the WordPress version from,
# the generator tag in the Atom source. # the generator tag in the Atom source.
def self.find_from_atom_generator(options) def self.find_from_atom_generator(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
response = Browser.instance.get_and_follow_location(target_uri.merge('feed/atom/').to_s) options[:base_uri],
%r{<generator uri="http://wordpress.org/" version="#{WpVersion.version_pattern}">WordPress</generator>}i,
response.body[%r{<generator uri="http://wordpress.org/" version="#{WpVersion.version_pattern}">WordPress</generator>}i, 1] 'feed/atom/'
)
end end
# Attempts to find the WordPress version from, # Attempts to find the WordPress version from,
@@ -109,10 +121,11 @@ class WpVersion < Vulnerable
# #
# Have not been able to find an example of this - Ryan # Have not been able to find an example of this - Ryan
#def self.find_from_comments_rss_generator(options) #def self.find_from_comments_rss_generator(options)
# target_uri = options[:base_url] # WpVersion.scan_url_for_pattern(
# response = Browser.instance.get_and_follow_location(target_uri.merge('comments/feed/').to_s) # options[:base_uri],
# # %r{<!-- generator="WordPress/#{WpVersion.version_pattern}" -->}i,
# response.body[%r{<!-- generator="WordPress/#{WpVersion.version_pattern}" -->}i, 1] # 'comments/feed/'
# )
#end #end
# Uses data/wp_versions.xml to try to identify a # Uses data/wp_versions.xml to try to identify a
@@ -123,20 +136,19 @@ class WpVersion < Vulnerable
# /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated) # /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated)
# #
def self.find_from_advanced_fingerprinting(options) def self.find_from_advanced_fingerprinting(options)
target_uri = options[:base_url] target_uri = options[:base_uri]
# needed for rpsec tests version_xml = options[:version_xml] || WP_VERSIONS_FILE # needed for rpsec
version_xml = options[:version_xml] || WP_VERSIONS_FILE wp_content = options[:wp_content_dir]
wp_plugins = "#{wp_content}/plugins"
xml = Nokogiri::XML(File.open(version_xml)) do |config| xml = Nokogiri::XML(File.open(version_xml)) do |config|
config.noblanks config.noblanks
end end
xml.xpath('//file').each do |node| xml.xpath('//file').each do |node|
wp_content = options[:wp_content_dir]
wp_plugins = "#{wp_content}/plugins"
file_url = target_uri.merge(node.attribute('src').text).to_s file_url = target_uri.merge(node.attribute('src').text).to_s
file_url = file_url.gsub(/\$wp-plugins\$/i, wp_plugins).gsub(/\$wp-content\$/i, wp_content) file_url = file_url.gsub(/\$wp-plugins\$/i, wp_plugins).gsub(/\$wp-content\$/i, wp_content)
response = Browser.instance.get(file_url) md5sum = Digest::MD5.hexdigest(Browser.instance.get(file_url).body)
md5sum = Digest::MD5.hexdigest(response.body)
node.search('hash').each do |hash| node.search('hash').each do |hash|
if hash.attribute('md5').text == md5sum if hash.attribute('md5').text == md5sum
@@ -144,27 +156,36 @@ class WpVersion < Vulnerable
end end
end end
end end
nil # Otherwise the data['file'] is returned (issue #107) nil
end end
# Attempts to find the WordPress version from the readme.html file. # Attempts to find the WordPress version from the readme.html file.
def self.find_from_readme(options) def self.find_from_readme(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
Browser.instance.get(target_uri.merge('readme.html').to_s).body[%r{<br />\sversion #{WpVersion.version_pattern}}i, 1] options[:base_uri],
%r{<br />\sversion #{WpVersion.version_pattern}}i,
'readme.html'
)
end end
# Attempts to find the WordPress version from the sitemap.xml file. # Attempts to find the WordPress version from the sitemap.xml file.
# #
# See: http://code.google.com/p/wpscan/issues/detail?id=109 # See: http://code.google.com/p/wpscan/issues/detail?id=109
def self.find_from_sitemap_generator(options) def self.find_from_sitemap_generator(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
Browser.instance.get(target_uri.merge('sitemap.xml').to_s).body[%r{generator="wordpress/#{WpVersion.version_pattern}"}i, 1] options[:base_uri],
%r{generator="wordpress/#{WpVersion.version_pattern}"}i,
'sitemap.xml'
)
end end
# Attempts to find the WordPress version from the p-links-opml.php file. # Attempts to find the WordPress version from the p-links-opml.php file.
def self.find_from_links_opml(options) def self.find_from_links_opml(options)
target_uri = options[:base_url] WpVersion.scan_url_for_pattern(
Browser.instance.get(target_uri.merge('wp-links-opml.php').to_s).body[%r{generator="wordpress/#{WpVersion.version_pattern}"}i, 1] options[:base_uri],
%r{generator="wordpress/#{WpVersion.version_pattern}"}i,
'wp-links-opml.php'
)
end end
# Used to check if the version is correct: must contain at least one dot. # Used to check if the version is correct: must contain at least one dot.

18
spec/lib/wpscan/wp_version_spec.rb
View File

@@ -31,7 +31,7 @@ describe WpVersion do
after :each do after :each do
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture) stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
WpVersion.find_from_meta_generator(base_url: @target_uri.to_s).should === @expected WpVersion.find_from_meta_generator(base_uri: @target_uri.to_s).should === @expected
end end
it 'should return nil if the meta-generator is not found' do it 'should return nil if the meta-generator is not found' do
@@ -66,7 +66,7 @@ describe WpVersion do
after :each do after :each do
@status_code ||= 200 @status_code ||= 200
stub_request_to_fixture(url: @target_uri.merge('feed/').to_s, status: @status_code, fixture: @fixture) stub_request_to_fixture(url: @target_uri.merge('feed/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_rss_generator(base_url: @target_uri).should === @expected WpVersion.find_from_rss_generator(base_uri: @target_uri).should === @expected
end end
it 'should return nil on a 404' do it 'should return nil on a 404' do
@@ -107,7 +107,7 @@ describe WpVersion do
after :each do after :each do
@status_code ||= 200 @status_code ||= 200
stub_request_to_fixture(url: @target_uri.merge('feed/rdf/').to_s, status: @status_code, fixture: @fixture) stub_request_to_fixture(url: @target_uri.merge('feed/rdf/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_rdf_generator(base_url: @target_uri).should === @expected WpVersion.find_from_rdf_generator(base_uri: @target_uri).should === @expected
end end
it 'should return nil on a 404' do it 'should return nil on a 404' do
@@ -148,7 +148,7 @@ describe WpVersion do
after :each do after :each do
@status_code ||= 200 @status_code ||= 200
stub_request_to_fixture(url: @target_uri.merge('feed/atom/').to_s, status: @status_code, fixture: @fixture) stub_request_to_fixture(url: @target_uri.merge('feed/atom/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_atom_generator(base_url: @target_uri).should === @expected WpVersion.find_from_atom_generator(base_uri: @target_uri).should === @expected
end end
it 'should return nil on a 404' do it 'should return nil on a 404' do
@@ -188,7 +188,7 @@ describe WpVersion do
stub_request(:get, @target_uri.merge('sitemap.xml').to_s). stub_request(:get, @target_uri.merge('sitemap.xml').to_s).
to_return(status: 200, body: @body) to_return(status: 200, body: @body)
WpVersion.find_from_sitemap_generator(base_url: @target_uri).should === @expected WpVersion.find_from_sitemap_generator(base_uri: @target_uri).should === @expected
end end
it 'should return nil if the generator is not found' do it 'should return nil if the generator is not found' do
@@ -214,7 +214,7 @@ describe WpVersion do
@status_code ||= 200 @status_code ||= 200
stub_request_to_fixture(url: @target_uri.merge('readme.html').to_s, status: @status_code, fixture: @fixture) stub_request_to_fixture(url: @target_uri.merge('readme.html').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_readme(base_url: @target_uri).should === @expected WpVersion.find_from_readme(base_uri: @target_uri).should === @expected
end end
it 'should return nil on a 404' do it 'should return nil on a 404' do
@@ -248,7 +248,7 @@ describe WpVersion do
fixture: "#{fixtures_dir}/3.2.1.js" fixture: "#{fixtures_dir}/3.2.1.js"
) )
version = WpVersion.find_from_advanced_fingerprinting( version = WpVersion.find_from_advanced_fingerprinting(
base_url: @target_uri, base_uri: @target_uri,
wp_content_dir: 'wp-content', wp_content_dir: 'wp-content',
version_xml: "#{fixtures_dir}/wp_versions.xml" version_xml: "#{fixtures_dir}/wp_versions.xml"
) )
@@ -264,7 +264,7 @@ describe WpVersion do
url: @target_uri.merge('wp-links-opml.php').to_s, url: @target_uri.merge('wp-links-opml.php').to_s,
fixture: "#{fixtures_dir}/wp-links-opml.xml" fixture: "#{fixtures_dir}/wp-links-opml.xml"
) )
version = WpVersion.find_from_links_opml(base_url: @target_uri) version = WpVersion.find_from_links_opml(base_uri: @target_uri)
version.should == '3.4.2' version.should == '3.4.2'
end end
@@ -273,7 +273,7 @@ describe WpVersion do
url: @target_uri.merge('wp-links-opml.php').to_s, url: @target_uri.merge('wp-links-opml.php').to_s,
fixture: "#{fixtures_dir}/wp-links-opml-nogenerator.xml" fixture: "#{fixtures_dir}/wp-links-opml-nogenerator.xml"
) )
version = WpVersion.find_from_links_opml(base_url: @target_uri) version = WpVersion.find_from_links_opml(base_uri: @target_uri)
version.should be_nil version.should be_nil
end end
end end