From 66cd3e08a0d97ad8a5868fdfe2772e9b1fe624d5 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Fri, 5 Sep 2014 18:25:46 +0200
Subject: [PATCH] Detect directory listing in upload folder
---
 lib/common/common_helper.rb | 7 +++++++
 lib/wpscan/wp_target.rb | 11 ++++++++++-
 wpscan.rb | 4 ++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/lib/common/common_helper.rb b/lib/common/common_helper.rb
index 38b4e0d7..4b286e67 100644
--- a/lib/common/common_helper.rb
+++ b/lib/common/common_helper.rb
@@ -232,3 +232,10 @@ def get_random_user_agent
 # return ransom user-agent
 user_agents.sample
 end
+
+# Directory listing enabled on url?
+#
+# @return [ Boolean ]
+def directory_listing_enabled?(url)
+ Browser.get(url.to_s).body[%r{Index of}] ? true : false
+end
diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index 17a0b9cb..a8b6a052 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -124,7 +124,12 @@ class WpTarget < WebSite
 # @return [ String ]
 def debug_log_url
- @uri.merge("#{wp_content_dir()}/debug.log").to_s
+ @uri.merge("#{wp_content_dir}/debug.log").to_s
+ end
+
+ # @return [ String ]
+ def upload_dir_url
+ @uri.merge("#{wp_content_dir}/uploads/").to_s
 end
 # Script for replacing strings in wordpress databases
@@ -141,4 +146,8 @@ class WpTarget < WebSite
 resp = Browser.get(search_replace_db_2_url)
 resp.code == 200 && resp.body[%r{by interconnect}i]
 end
+
+ def upload_directory_listing_enabled?
+ directory_listing_enabled?(upload_dir_url)
+ end
 end
diff --git a/wpscan.rb b/wpscan.rb
index 7284ad4d..02013e28 100755
--- a/wpscan.rb
+++ b/wpscan.rb
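Review bot: `directory_listing_enabled?` in lib/common/common_helper.rb reports a listing whenever the response body contains the text `Index of`, without looking at the status code, so a custom 403/404 page or any fallback page carrying those words would be flagged. The `search_replace_db_2` check visible as context in lib/wpscan/wp_target.rb already pairs its body match with `resp.code == 200`; doing the same here and anchoring on the page title, e.g. `resp = Browser.get(url.to_s)` followed by `resp.code == 200 && resp.body[%r{<title>Index of}i] ? true : false`, would cut false positives. This matters because the wpscan.rb hunk prints the result as a red `[!]` finding. The pattern presumably targets Apache/nginx-style autoindex pages, so a comment noting that other servers' listing formats are not recognised would help, and the doc block should gain a `@param url` line.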
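Review bot: `upload_dir_url` in the first lib/wpscan/wp_target.rb hunk assumes the uploads folder is always `#{wp_content_dir}/uploads/`, but WordPress lets a site relocate it (for example via the `UPLOADS` constant), so a clean result here does not show that uploaded files are unlisted. A comment on the method such as `# Default location only; a relocated uploads folder is not detected` would keep a silent result from being read as a negative. Only the top-level folder is requested, so year/month subfolders could presumably still be listable when the top level is covered by an index file. The new `upload_directory_listing_enabled?` in the next hunk of this file also lacks the `# @return [ Boolean ]` line its neighbours carry.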
@@ -183,6 +183,10 @@ def main
 puts "#{green('[+]')} XML-RPC Interface available under: #{wp_target.xml_rpc_url}"
 end
+ if wp_target.upload_directory_listing_enabled?
+ puts "#{red('[!]')} Upload directory has directory listing enabled: #{wp_target.upload_dir_url}"
+ end
+
 if wp_target.has_malwares?
 malwares = wp_target.malwares
 puts "#{red('[!]')} #{malwares.size} malware(s) found:"