From 5fbfa1453c9aeaacab0ddf4b17d56465b8f6d9b9 Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 7 Mar 2014 23:16:50 +0100 Subject: [PATCH 1/8] Layout changes with new colors --- lib/common/common_helper.rb | 14 +++++++++++++- wpscan.rb | 14 +++++++------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/lib/common/common_helper.rb b/lib/common/common_helper.rb index 6e1e532e..5854325d 100644 --- a/lib/common/common_helper.rb +++ b/lib/common/common_helper.rb @@ -96,7 +96,7 @@ def banner puts ' \\ /\\ / | | ____) | (__| (_| | | | |' puts ' \\/ \\/ |_| |_____/ \\___|\\__,_|_| |_|' puts - puts ' WordPress Security Scanner by the WPScan Team ' + puts bold(' WordPress Security Scanner by the WPScan Team ') # Alignment of the version (w & w/o the Revision) if REVISION puts " Version #{version}" @@ -113,6 +113,10 @@ def colorize(text, color_code) "\e[#{color_code}m#{text}\e[0m" end +def bold(text) + colorize(text, 1) +end + def red(text) colorize(text, 31) end @@ -121,6 +125,14 @@ def green(text) colorize(text, 32) end +def amber(text) + colorize(text, 33) +end + +def blue(text) + colorize(text, 34) +end + def xml(file) Nokogiri::XML(File.open(file)) do |config| config.noblanks diff --git a/wpscan.rb b/wpscan.rb index 2a999e5b..e43dbae7 100755 --- a/wpscan.rb +++ b/wpscan.rb @@ -38,8 +38,8 @@ def main end puts @updater.update() else - puts 'Svn / Git not installed, or wpscan has not been installed with one of them.' - puts 'Update aborted' + puts '[i] Svn / Git not installed, or wpscan has not been installed with one of them.' + puts "#{red('[!]')} Update aborted" end exit(0) end 
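Review bot: The new `bold`, `amber` and `blue` helpers (through the `colorize` they wrap) emit ANSI escape sequences unconditionally, so the codes land verbatim in any output that is redirected to a file or piped instead of shown on a terminal. One guard at the top of `colorize`, `return text unless $stdout.tty?`, would cover every colour helper without touching call sites; if a no-colour option exists elsewhere in the tool it should feed the same check. The helpers also carry no doc comment; a YARD pair such as `# @param text [String] text to wrap` and `# @return [String] text wrapped in ANSI SGR code 1 (bold)` on each, with a note that `amber` uses SGR 33 (the standard yellow foreground slot), would make the bare numeric codes self-explanatory.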
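Review bot: In the wpscan.rb hunk the `[i]` tag of the new "Svn / Git not installed" message is plain text while the `[!]` on the next line is wrapped in `red(...)` and the redirect message later in this commit wraps its `[i]` in `blue(...)`; the tags should get the same treatment so the colour scheme stays consistent, e.g. `puts "#{blue('[i]')} Svn / Git not installed, or wpscan has not been installed with one of them."`. `main` starts and ends outside this hunk.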
@@ -69,15 +69,15 @@ def main puts "Following redirection #{redirection}" puts else - puts "The remote host tried to redirect us to: #{redirection}" - print '[?] Do you want follow the redirection ? [y/n] ' + puts "#{blue('[i]')} The remote host tried to redirect to: #{redirection}" + print "[?] Do you want follow the redirection ? [y/n] " end if wpscan_options.follow_redirection or Readline.readline =~ /^y/i wpscan_options.url = redirection wp_target = WpTarget.new(redirection, wpscan_options.to_h) else - puts 'Scan aborted' + puts "#{red('[!]')} Scan aborted" exit(0) end end @@ -138,7 +138,7 @@ def main end wp_target.config_backup.each do |file_url| - puts red("[!] A wp-config.php backup file has been found in: '#{file_url}'") + puts "#{red('[!]')} A wp-config.php backup file has been found in: '#{file_url}'" end if wp_target.search_replace_db_2_exists? @@ -212,7 +212,7 @@ def main wp_plugins = WpPlugins.passive_detection(wp_target) if !wp_plugins.empty? - puts " | #{wp_plugins.size} plugins found:" + puts " | Plugins found: #{wp_plugins.size}" wp_plugins.output(wpscan_options.verbose) else From ec5d12c940e798f0cd801ff26120fdd73dc1aef6 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 8 Mar 2014 22:47:43 +0100 Subject: [PATCH 2/8] Changed layout and coloring --- lib/common/models/vulnerability/output.rb | 8 ++++---- lib/common/models/wp_item/output.rb | 12 ++++++------ lib/common/models/wp_theme/output.rb | 22 +++++++++++----------- lib/common/models/wp_version/output.rb | 4 ++-- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/lib/common/models/vulnerability/output.rb b/lib/common/models/vulnerability/output.rb index 94ff5503..6c0a7f35 100644 --- a/lib/common/models/vulnerability/output.rb +++ b/lib/common/models/vulnerability/output.rb 
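Review bot: The new info line interpolates `redirection`, a value the message itself says comes from the remote host, straight into terminal output, so a response carrying control or escape characters reaches the console unfiltered; the old line had the same exposure, but this rewrite is the place to strip non-printable characters first, e.g. `puts "#{blue('[i]')} The remote host tried to redirect to: #{redirection.to_s.gsub(/[^[:print:]]/, '')}"`. The prompt on the following line still reads "Do you want follow the redirection" (should be "want to follow"), and it was switched from single to double quotes although it contains no interpolation. `main` starts and ends outside these hunks.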
@@ -5,17 +5,17 @@ class Vulnerability # output the vulnerability def output(verbose = false) - puts ' |' - puts ' | ' + red("* Title: #{title}") + puts " |" + puts "#{red('[!]')} Title: #{title}" references.each do |key, urls| methodname = "url_#{key}" urls.each do |u| url = send(methodname, u) - puts ' | ' + red("* Reference: #{url}") if url + puts " | Reference: #{url}" if url end end if !fixed_in.empty? - puts " | * Fixed in: #{fixed_in}" + puts " | Fixed in: #{fixed_in}" end end end diff --git a/lib/common/models/wp_item/output.rb b/lib/common/models/wp_item/output.rb index c53ba09e..6cc888d7 100644 --- a/lib/common/models/wp_item/output.rb +++ b/lib/common/models/wp_item/output.rb @@ -6,13 +6,13 @@ class WpItem # @return [ Void ] def output(verbose = false) puts - puts " | Name: #{self}" #this will also output the version number if detected - puts " | Location: #{url}" + puts "#{green('[+]')} Name: #{self}" #this will also output the version number if detected + puts " | Location: #{url}" #puts " | WordPress: #{wordpress_url}" if wordpress_org_item? - puts " | Readme: #{readme_url}" if has_readme? - puts " | Changelog: #{changelog_url}" if has_changelog? - puts " | " + red('[!]') + " Directory listing is enabled: #{url}" if has_directory_listing? - puts " | " + red('[!]') + " An error_log file has been found: #{error_log_url}" if has_error_log? + puts " | Readme: #{readme_url}" if has_readme? + puts " | Changelog: #{changelog_url}" if has_changelog? + puts "#{red('[!]')} Directory listing is enabled: #{url}" if has_directory_listing? + puts "#{red('[!]')} An error_log file has been found: #{error_log_url}" if has_error_log? additional_output(verbose) if respond_to?(:additional_output) diff --git a/lib/common/models/wp_theme/output.rb b/lib/common/models/wp_theme/output.rb index fd3c6f25..eb1d7b9b 100644 --- a/lib/common/models/wp_theme/output.rb +++ b/lib/common/models/wp_theme/output.rb 
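Review bot: `Vulnerability#output` accepts `verbose` but never reads it in the body shown, so the parameter is either dead or kept for interface parity with `WpItem#output`; the `# output the vulnerability` comment should say which, e.g. `# @param verbose [Boolean] accepted for parity with WpItem#output; currently unused` plus `# @return [Void]`. The `if !fixed_in.empty?` guard kept as context reads better as `unless fixed_in.empty?`, and the reference loop's `send(methodname, u)` would be safer as `public_send(methodname, u)` so an unexpected reference key from the data file cannot reach a private method. The enclosing class is only partly visible in this hunk.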
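Review bot: In the wp_item/output.rb hunk the rewritten `Name:` line keeps the trailing comment `#this will also output the version number if detected` with no space after `#`; since the line is being rewritten anyway it would be cleaner as a line of its own above it, `# Interpolating self also prints the version number when one was detected`. The red `[!]` lines for directory listing and error_log drop the ` | ` prefix that the `Location`/`Readme`/`Changelog` lines keep, so the warnings no longer sit under the item they belong to; whether that is intended is not clear from the hunk. The enclosing `output` method continues past the hunk.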
@@ -5,18 +5,18 @@ class WpTheme # @return [ Void ] def additional_output(verbose = false) - puts " | Style URL: #{style_url}" - puts " | Theme Name: #@theme_name" if @theme_name - puts " | Theme URI: #@theme_uri" if @theme_uri theme_desc = verbose ? @theme_description : truncate(@theme_description, 100) - puts " | Description: #{theme_desc}" - puts " | Author: #@theme_author" if @theme_author - puts " | Author URI: #@theme_author_uri" if @theme_author_uri - puts " | Template: #@theme_template" if @theme_template and verbose - puts " | License: #@theme_license" if @theme_license and verbose - puts " | License URI: #@theme_license_uri" if @theme_license_uri and verbose - puts " | Tags: #@theme_tags" if @theme_tags and verbose - puts " | Text Domain: #@theme_text_domain" if @theme_text_domain and verbose + puts " | Style URL: #{style_url}" + puts " | Theme Name: #@theme_name" if @theme_name + puts " | Theme URI: #@theme_uri" if @theme_uri + puts " | Description: #{theme_desc}" + puts " | Author: #@theme_author" if @theme_author + puts " | Author URI: #@theme_author_uri" if @theme_author_uri + puts " | Template: #@theme_template" if @theme_template and verbose + puts " | License: #@theme_license" if @theme_license and verbose + puts " | License URI: #@theme_license_uri" if @theme_license_uri and verbose + puts " | Tags: #@theme_tags" if @theme_tags and verbose + puts " | Text Domain: #@theme_text_domain" if @theme_text_domain and verbose end end diff --git a/lib/common/models/wp_version/output.rb b/lib/common/models/wp_version/output.rb index 1fdb8625..5fa7f0d3 100644 --- a/lib/common/models/wp_version/output.rb +++ b/lib/common/models/wp_version/output.rb 
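Review bot: All eleven `puts` lines are rewritten on the new side yet keep two constructs the style guide flags, the bare `#@theme_name` interpolation shorthand and `and` in the modifier conditions. Since the lines are being retouched anyway, `puts " | Theme Name: #{@theme_name}" if @theme_name` and `puts " | Template: #{@theme_template}" if @theme_template && verbose` (and likewise for the others) would bring them in line with the `#{style_url}` form used on the first line. `additional_output` is fully visible here; `truncate` is defined elsewhere.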
@@ -5,12 +5,12 @@ class WpVersion < WpItem def output(verbose = false) puts - puts green('[+]') + " WordPress version #{self.number} identified from #{self.found_from}" + puts "#{green('[+]')} WordPress version #{self.number} identified from #{self.found_from}" vulnerabilities = self.vulnerabilities unless vulnerabilities.empty? - puts red('[!]') + " #{vulnerabilities.size} vulnerabilities identified from the version number" + puts "#{red('[!]')} #{vulnerabilities.size} vulnerabilities identified from the version number" vulnerabilities.output end From 1f13c47a4662de865bd3f095ec6d56651a70a7e9 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 16 Mar 2014 22:30:37 +0100 Subject: [PATCH 3/8] Update vuln db --- data/plugin_vulns.xml | 67 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 0dc69a0b..a9239524 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -6036,8 +6036,18 @@ - wp-slimstat - XSS + WP SlimStat 3.5.5 - Overview URI Stored XSS + 104428 + 57305 + + XSS + 3.5.6 + + + WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS + + 89052 51721 XSS @@ -11447,4 +11457,59 @@ + + + LayerSlider 4.6.1 - wp-admin/admin.php Style Editing CSRF + + 104393 + 57930 + http://packetstormsecurity.com/files/125637/ + + CSRF + + + LayerSlider 4.6.1 - LayerSlider/editor.php skin Parameter Remote Path Traversal File Access + + 104394 + http://packetstormsecurity.com/files/125637/ + + AUTHBYPASS + + + + + + XCloner 3.1.0 - Multiple Actions CSRF + + 104402 + https://www.htbridge.com/advisory/HTB23206 + + CSRF + 3.1.1 + + + + + + GuiForm 1.4.10 - class/class-ajax.php Entry Saving CSRF + + 104399 + + CSRF + 1.5.0 + + + + + + ClickDesk - Live Chat Widget Multiple Field XSS + + 104037 + http://packetstormsecurity.com/files/125528/ + http://www.securityfocus.com/bid/65971 + + XSS + + + 
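Review bot: The rewritten version line keeps the redundant explicit receiver in `#{self.number}` and `#{self.found_from}`; inside this instance method they read the same as `#{number}` and `#{found_from}`, so `puts "#{green('[+]')} WordPress version #{number} identified from #{found_from}"` is the idiomatic form. The `self.` on the `vulnerabilities = self.vulnerabilities` context line is different and must stay, because the local of the same name would otherwise shadow the method. `output` continues past the hunk.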
From 565eed99ef2d7a0e289cec379d947c9867f6c1de Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 16 Mar 2014 22:58:42 +0100 Subject: [PATCH 4/8] Undo last commit, wrong branch --- data/plugin_vulns.xml | 71 +++---------------------------------------- 1 file changed, 5 insertions(+), 66 deletions(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index a9239524..98f53778 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -6036,18 +6036,8 @@ - WP SlimStat 3.5.5 - Overview URI Stored XSS + wp-slimstat - XSS - 104428 - 57305 - - XSS - 3.5.6 - - - WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS - - 89052 51721 XSS @@ -7046,6 +7036,7 @@ CommentLuv 2.92.3 - Cross Site Scripting Vulnerability 89925 + 2013-1409 https://www.htbridge.com/advisory/HTB23138 http://packetstormsecurity.com/files/120090/ http://seclists.org/bugtraq/2013/Feb/30 @@ -11045,7 +11036,10 @@ Contus Video Gallery - index.php playid Parameter SQL Injection 93369 + 2013-3478 51344 + http://www.securityfocus.com/bid/59845 + http://xforce.iss.net/xforce/xfdb/84239 SQLI @@ -11457,59 +11451,4 @@ - - - LayerSlider 4.6.1 - wp-admin/admin.php Style Editing CSRF - - 104393 - 57930 - http://packetstormsecurity.com/files/125637/ - - CSRF - - - LayerSlider 4.6.1 - LayerSlider/editor.php skin Parameter Remote Path Traversal File Access - - 104394 - http://packetstormsecurity.com/files/125637/ - - AUTHBYPASS - - - - - - XCloner 3.1.0 - Multiple Actions CSRF - - 104402 - https://www.htbridge.com/advisory/HTB23206 - - CSRF - 3.1.1 - - - - - - GuiForm 1.4.10 - class/class-ajax.php Entry Saving CSRF - - 104399 - - CSRF - 1.5.0 - - - - - - ClickDesk - Live Chat Widget Multiple Field XSS - - 104037 - http://packetstormsecurity.com/files/125528/ - http://www.securityfocus.com/bid/65971 - - XSS - - - From 17dcc7ec801e054f4b80ea4e15c860387ff286da Mon Sep 17 00:00:00 2001 
From: Peter Date: Sun, 16 Mar 2014 23:16:40 +0100 Subject: [PATCH 5/8] Undo even more, wrong branch --- data/plugin_vulns.xml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 98f53778..0dc69a0b 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -7036,7 +7036,6 @@ CommentLuv 2.92.3 - Cross Site Scripting Vulnerability 89925 - 2013-1409 https://www.htbridge.com/advisory/HTB23138 http://packetstormsecurity.com/files/120090/ http://seclists.org/bugtraq/2013/Feb/30 @@ -11036,10 +11035,7 @@ Contus Video Gallery - index.php playid Parameter SQL Injection 93369 - 2013-3478 51344 - http://www.securityfocus.com/bid/59845 - http://xforce.iss.net/xforce/xfdb/84239 SQLI From e52e82fb78d9ebbb807fbd35c56c27c3f6957ce3 Mon Sep 17 00:00:00 2001 From: FireFart Date: Sat, 22 Mar 2014 18:12:47 +0100 Subject: [PATCH 6/8] formatting --- lib/common/models/vulnerability/output.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/common/models/vulnerability/output.rb b/lib/common/models/vulnerability/output.rb index 6c0a7f35..f8b3711a 100644 --- a/lib/common/models/vulnerability/output.rb +++ b/lib/common/models/vulnerability/output.rb @@ -5,17 +5,17 @@ class Vulnerability # output the vulnerability def output(verbose = false) - puts " |" + puts "" puts "#{red('[!]')} Title: #{title}" references.each do |key, urls| methodname = "url_#{key}" urls.each do |u| url = send(methodname, u) - puts " | Reference: #{url}" if url + puts " Reference: #{url}" if url end end if !fixed_in.empty? - puts " | Fixed in: #{fixed_in}" + puts " Fixed in: #{fixed_in}" end end end From 82ebb82a5fad76d52293d82970628fa53cf040c6 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 27 Apr 2014 15:40:12 +0200 Subject: [PATCH 7/8] Small change in code --- lib/common/models/vulnerability/output.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/common/models/vulnerability/output.rb b/lib/common/models/vulnerability/output.rb index f8b3711a..c80ca6e2 100644 --- a/lib/common/models/vulnerability/output.rb +++ b/lib/common/models/vulnerability/output.rb @@ -5,7 +5,7 @@ class Vulnerability # output the vulnerability def output(verbose = false) - puts "" + puts puts "#{red('[!]')} Title: #{title}" references.each do |key, urls| methodname = "url_#{key}" From 19e2772729bbe37b266cd1d9a51eaa045221a4bb Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 27 Apr 2014 15:49:15 +0200 Subject: [PATCH 8/8] Update wpscan.rb --- wpscan.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/wpscan.rb b/wpscan.rb index 0f33901f..098fe390 100755 --- a/wpscan.rb +++ b/wpscan.rb @@ -67,7 +67,6 @@ def main if wpscan_options.follow_redirection puts "Following redirection #{redirection}" else -<<<<<<< HEAD puts "#{blue('[i]')} The remote host tried to redirect to: #{redirection}" print "[?] Do you want follow the redirection ? [y/n] " end @@ -78,7 +77,6 @@ def main else puts "#{red('[!]')} Scan aborted" exit(0) -======= puts "The remote host redirects to: #{redirection}" puts '[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]' end @@ -93,7 +91,6 @@ def main exit(0) end end ->>>>>>> master end end
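Review bot: The three wpscan.rb hunks delete the `<<<<<<< HEAD`, `=======` and `>>>>>>> master` markers but keep the statements from both sides of the conflict, so the merge is not actually resolved: after `exit(0)` in the `Scan aborted` branch the master-side `puts "The remote host redirects to: ..."` and the `[Y]es [N]o [A]bort` prompt are unreachable, while the HEAD-side `[y/n]` prompt a few lines earlier is the one users see. The two prompts promise different inputs, and whether the `end` keywords still balance depends on the lines between the hunks that are not shown. The fix is to pick one side and remove the other side's lines rather than only the markers; if the master-side abort option is wanted, its prompt and the handling in the unshown lines need to replace the HEAD-side prompt and the `Readline.readline =~ /^y/i` check introduced in the first commit of this series. `main` begins and ends outside these hunks.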