WpItems, WpPlugins, WpThemes specs

erwanlr
2013-03-29 22:27:43 +01:00
parent 565bfceb49
commit 68876bffb9
34 changed files with 456 additions and 390 deletions


@@ -6,5 +6,4 @@ require 'common/collections/wp_items/output'
class WpItems < Array
extend WpItems::Detectable
include WpItems::Output
end


@@ -1,17 +1,20 @@
# encoding: UTF-8
class WpItems < Array
module Detectable
# The default request parameters
def request_params; { cache_ttl: 0, followlocation: true } end
attr_reader :vulns_file, :item_xpath
# options:
# option name - default - description
# show_progress - false - Output a progress bar
# only_vulnerable - nil - Only check for vulnerable items
# exclude_content - nil -
# @param [ Wptarget ] wp_target
# @param [ options ] options
# @options
#
# @return [ WpItems ]
def aggressive_detection(wp_target, options = {})
queue_count = 0
request_count = 0
@@ -59,6 +62,9 @@ class WpItems < Array
results # can't just return results.sort because the #sort returns an array, and we want a WpItems
end
# @param [ WpTarget ] wp_target
#
# @return [ WpItems ]
def passive_detection(wp_target, options = {})
results = new
item_class = self.item_class
@@ -67,7 +73,7 @@ class WpItems < Array
item_options = {
wp_content_dir: wp_target.wp_content_dir,
wp_plugins_dir: wp_target.wp_plugins_dir,
vulns_file: vulns_file
vulns_file: self.vulns_file
}
regex1 = %r{(?:[^=:]+)\s?(?:=|:)\s?(?:"|')[^"']+\\?/}
@@ -86,6 +92,16 @@ class WpItems < Array
protected
# The default request parameters
#
# @return [ Hash ]
def request_params; { cache_ttl: 0, followlocation: true } end
# @param [ WpTarget ] wp_target
# @param [ String ] vulns_file
# @param [ options ] options
#
# @return [ Array<WpItem> ]
def targets_items(wp_target, options = {})
item_class = self.item_class
vulns_file = self.vulns_file
@@ -104,6 +120,11 @@ class WpItems < Array
targets.sort_by { rand }
end
# @param [ WpTarget ] wp_target
# @param [ Class ] item_class
# @param [ String ] vulns_file
#
# @return [ Array<WpItem> ]
def vulnerable_targets_items(wp_target, item_class, vulns_file)
targets = []
xml = xml(vulns_file)
@@ -119,6 +140,12 @@ class WpItems < Array
targets
end
# @param [ Class ] klass
# @param [ String ] name
# @param [ WpTarget ] wp_target
# @option [ String ] vulns_file
#
# @return [ WpItem ]
def create_item(klass, name, wp_target, vulns_file = nil)
klass.new(
wp_target.uri,
@@ -129,6 +156,12 @@ class WpItems < Array
)
end
# @param [ String ] file
# @param [ WpTarget ] wp_target
# @param [ Class ] item_class
# @param [ String ] vulns_file
#
# @return [ WpItem ]
def targets_items_from_file(file, wp_target, item_class, vulns_file)
targets = []
@@ -145,7 +178,7 @@ class WpItems < Array
targets
end
# return class
# @return [ Class ]
def item_class
Object.const_get(self.to_s.gsub(/.$/, ''))
end
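Review bot: Several of the YARD comments added in this file do not match the methods they sit on. `targets_items(wp_target, options = {})` documents a `vulns_file` parameter that the signature does not take, and `targets_items_from_file` is tagged `@return [ WpItem ]` although the visible lines initialise and return the `targets` array, so it should read `# @return [ Array<WpItem> ]` like its siblings. On `create_item` the optional positional argument is tagged `@option`, where `# @param [ String ] vulns_file` is the fitting tag. On `aggressive_detection`, `[ Wptarget ]` should be `[ WpTarget ]`, `# @param [ options ] options` should be `# @param [ Hash ] options`, the bare `# @options` line is not a YARD tag, and `exclude_content` has no description. Most of these method bodies lie outside the hunks, so the return types should be checked against the full file.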


@@ -3,13 +3,12 @@
class WpPlugins < WpItems
module Detectable
# @return [ String ]
def vulns_file
unless @vulns_file
@vulns_file = PLUGINS_VULNS_FILE
end
@vulns_file
PLUGINS_VULNS_FILE
end
# @return [ String ]
def item_xpath
'//plugin'
end


@@ -3,13 +3,12 @@
class WpThemes < WpItems
module Detectable
# @return [ String ]
def vulns_file
unless @vulns_file
@vulns_file = THEMES_VULNS_FILE
end
@vulns_file
THEMES_VULNS_FILE
end
# @return [ String ]
def item_xpath
'//theme'
end


@@ -5,7 +5,7 @@ class WpTimthumbs < WpItems
# No passive detection
# @return [ WpTimthumbs ]
def passive_detection(wp_target, topns = {})
def passive_detection(wp_target, options = {})
new
end


@@ -53,6 +53,7 @@ LOCAL_FILES_XSD = DATA_DIR + '/local_vulnerable_files.xsd'
WPSCAN_VERSION = '2.1'
$LOAD_PATH.unshift(LIB_DIR)
$LOAD_PATH.unshift(WPSCAN_LIB_DIR)
$LOAD_PATH.unshift(MODELS_LIB_DIR)
require 'environment'


@@ -17,6 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
require 'web_site'
require 'modules/wp_readme'
require 'modules/wp_full_path_disclosure'
require 'modules/wp_config_backup'
require 'modules/wp_login_protection'
require 'modules/malwares'
require 'modules/brute_force'
class WpTarget < WebSite
include WpReadme
include WpFullPathDisclosure


@@ -0,0 +1,29 @@
#encoding: UTF-8
require 'spec_helper'
describe WpItems do
it_behaves_like 'WpItems::Detectable' do
subject(:wp_items) { WpItems }
let(:item_class) { WpItem }
let(:fixtures_dir) { COLLECTIONS_FIXTURES + '/wp_items/detectable' }
let(:expected) do
{
request_params: { cache_ttl: 0, followlocation: true },
targets_items_from_file: [ WpItem.new(uri, name: 'item1'),
WpItem.new(uri, name:'item-2'),
WpItem.new(uri, name: 'mr-smith')],
vulnerable_targets_items: [ WpItem.new(uri, name: 'mr-smith'),
WpItem.new(uri, name: 'neo')],
passive_detection: WpItems.new << WpItem.new(uri, name: 'js-source') <<
WpItem.new(uri, name: 'escaped-url') <<
WpItem.new(uri, name: 'link-tag') <<
WpItem.new(uri, name: 'script-tag') <<
WpItem.new(uri, name: 'style-tag')
}
end
end
end


@@ -0,0 +1,30 @@
#encoding: UTF-8
require 'spec_helper'
describe WpPlugins do
it_behaves_like 'WpItems::Detectable' do
subject(:wp_plugins) { WpPlugins }
let(:item_class) { WpPlugin }
let(:fixtures_dir) { COLLECTIONS_FIXTURES + '/wp_plugins/detectable' }
let(:expected) do
{
request_params: { cache_ttl: 0, followlocation: true },
vulns_file: PLUGINS_VULNS_FILE,
targets_items_from_file: [ WpPlugin.new(uri, name: 'plugin1'),
WpPlugin.new(uri, name:'plugin-2'),
WpPlugin.new(uri, name: 'mr-smith')],
vulnerable_targets_items: [ WpPlugin.new(uri, name: 'mr-smith'),
WpPlugin.new(uri, name: 'neo')],
passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'js-source') <<
WpPlugin.new(uri, name: 'escaped-url') <<
WpPlugin.new(uri, name: 'link-tag') <<
WpPlugin.new(uri, name: 'script-tag') <<
WpPlugin.new(uri, name: 'style-tag')
}
end
end
end


@@ -0,0 +1,28 @@
#encoding: UTF-8
require 'spec_helper'
describe WpThemes do
it_behaves_like 'WpItems::Detectable' do
subject(:wp_themes) { WpThemes }
let(:item_class) { WpTheme }
let(:fixtures_dir) { COLLECTIONS_FIXTURES + '/wp_themes/detectable' }
let(:expected) do
{
request_params: { cache_ttl: 0, followlocation: true },
vulns_file: THEMES_VULNS_FILE,
targets_items_from_file: [ WpTheme.new(uri, name: '3colours'),
WpTheme.new(uri, name:'42k'),
WpTheme.new(uri, name: 'a-ri')],
vulnerable_targets_items: [ WpTheme.new(uri, name: 'shopperpress'),
WpTheme.new(uri, name: 'webfolio')],
passive_detection: WpThemes.new << WpTheme.new(uri, name: 'theme1') <<
WpTheme.new(uri, name: 'theme 2') <<
WpTheme.new(uri, name: 'theme-3')
}
end
end
end


@@ -0,0 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="fr-FR">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta property="fb:page_id" content="18968879441564"/>
<title>Example.com</title>
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<link rel='stylesheet' href='http://example.com/wp-content/items/link-tag/cache/7f8155a5485bc445ed0adb136722b.css?m=1224763007' type='text/css' media='screen'/>
<script type="text/javascript">
var TB_pluginPath = 'http://www.welovebug.com/wp-content/items/js-source';
var TB_config = {
'widget_show_photos':true,
'widget_show_source':true,
'widget_show_header':true,
'general_link_screen_names':true,
'general_link_hash_tags':true,
'general_link_urls':true,
'widget_check_sources':true,
'widget_show_user':true
}
</script>
<style type="text/css">
#fancybox-loading.fancybox-ie div { background: transparent; filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='http://example.com/wp-content/items/style-tag/fancybox/fancy_loading.png', sizingMethod='scale'); }
</style>
<script type='text/javascript' src='http://example.com/wp-content/items/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
</head>
<body>
<div class="top">
<div class="header">
<h1 class="logo">
Blablabla the following plugin should not match : /wp-content/items/this-plugin-should-not-match/sub.css
</h1>
</div>
</div>
</body>
<script type='text/javascript'>
/* <![CDATA[ */
var pollsL10n = {"ajax_url":"http:\/\/example.com\/wp-content\/items\/escaped-url\/wp-polls.php","text_wait":"Your last request is still being processed. Please wait a while ...","text_valid":"Please choose a valid poll answer.","text_multiple":"Maximum number of choices allowed: ","show_loading":"1","show_fading":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
<!-- a duplicate one -->
<script type='text/javascript' src='http://example.com/wp-content/items/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
</html>


@@ -0,0 +1,3 @@
item1
item-2
mr-smith


@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- the vulnerability node is not needed there -->
<vulnerabilities>
<item name="mr-smith"/>
<not-valid name='I should not appear in the results'/>
<item name="neo"/>
</vulnerabilities>


@@ -7,15 +7,10 @@
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<link rel='stylesheet' href='http://example.com/wp-content/plugins/wp-minify/cache/7f8155a5485bc445ed0adb136722b.css?m=1224763007' type='text/css' media='screen'/>
<link rel='stylesheet' href='http://example.com/wp-content/plugins/link-tag/cache/7f8155a5485bc445ed0adb136722b.css?m=1224763007' type='text/css' media='screen'/>
<!-- Start Comment Info Tip Plugin -->
<link type="text/css" rel="stylesheet" href="http://example.com/wp-content/plugins/comment-info-tip/comment-info-tip.css" />
<!-- End Comment Info Tip Plugin -->
<!-- #121 : http://code.google.com/p/wpscan/issues/detail?id=121 -->
<script type="text/javascript">
var TB_pluginPath = 'http://www.welovebug.com/wp-content/plugins/tweet-blender';
var TB_pluginPath = 'http://www.welovebug.com/wp-content/plugins/js-source';
var TB_config = {
'widget_show_photos':true,
'widget_show_source':true,
@@ -27,13 +22,12 @@
'widget_show_user':true
}
</script>
<!-- /#121 -->
<style type="text/css">
#fancybox-loading.fancybox-ie div { background: transparent; filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='http://example.com/wp-content/plugins/optinpop/fancybox/fancy_loading.png', sizingMethod='scale'); }
#fancybox-loading.fancybox-ie div { background: transparent; filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='http://example.com/wp-content/plugins/style-tag/fancybox/fancy_loading.png', sizingMethod='scale'); }
</style>
<script type='text/javascript' src='http://example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
<script type='text/javascript' src='http://example.com/wp-content/plugins/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
</head>
<body>
<div class="top">
@@ -47,12 +41,11 @@
<script type='text/javascript'>
/* <![CDATA[ */
var pollsL10n = {"ajax_url":"http:\/\/example.com\/wp-content\/plugins\/wp-polls\/wp-polls.php","text_wait":"Your last request is still being processed. Please wait a while ...","text_valid":"Please choose a valid poll answer.","text_multiple":"Maximum number of choices allowed: ","show_loading":"1","show_fading":"1"};
var pollsL10n = {"ajax_url":"http:\/\/example.com\/wp-content\/plugins\/escaped-url\/wp-polls.php","text_wait":"Your last request is still being processed. Please wait a while ...","text_valid":"Please choose a valid poll answer.","text_multiple":"Maximum number of choices allowed: ","show_loading":"1","show_fading":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
<script type="text/javascript" src="http://example.com/wp-content/plugins/commentluv/js/commentluv.js?ver=3.3.1"></script>
<!-- a duplicate one -->
<script type='text/javascript' src='http://example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
<script type='text/javascript' src='http://example.com/wp-content/plugins/script-tag/s2member-o.php?ws_plugin__s2member_js_w_globals=1'></script>
</html>


@@ -0,0 +1,3 @@
plugin1
plugin-2
mr-smith


@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- the vulnerability node is not needed there -->
<vulnerabilities>
<plugin name="mr-smith"/>
<not-valid name='I should not appear in the results'/>
<plugin name="neo"/>
</vulnerabilities>


@@ -9,8 +9,8 @@
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme1/style.css" />
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme2/javascript.js" />
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme3/test.png" />
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme 2/javascript.js" />
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/themes/theme-3/test.png" />
</head>
<body>


@@ -0,0 +1,3 @@
3colours
42k
a-ri


@@ -0,0 +1,5 @@
<themes>
<theme name="shopperpress"/>
<not-valid name="wise"/>
<theme name="webfolio"/>
</themes>


@@ -1,21 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="fr-FR">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta property="fb:page_id" content="18968879441564"/>
<title>Example.com</title>
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
</head>
<body>
<div class="top">
<div class="header">
<h1 class="logo">
Blablabla
</h1>
</div>
</div>
</body>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
</html>


@@ -1,26 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="fr-FR">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta property="fb:page_id" content="18968879441564"/>
<title>Example.com</title>
<link rel="alternate" type="application/rss+xml" title="Example RSS Feed" href="http://example.com/feed"/>
<link rel="alternate" type="application/atom+xml" title="Example Atom Feed" href="http://example.com/feed/atom"/>
<link rel="pingback" href="http://example.com/xmlrpc.php"/>
<!-- Start Comment Info Tip Plugin -->
<link type="text/css" rel="stylesheet" href="http://example.localhost/wp-content/plugins/comment-info-tip/comment-info-tip.css" />
<!-- End Comment Info Tip Plugin -->
</head>
<body>
<div class="top">
<div class="header">
<h1 class="logo">
Blablabla
</h1>
</div>
</div>
</body>
<script type='text/javascript' src='http://platform.twitter.com/widgets.js?ver=1.0.0'></script>
</html>


@@ -1,18 +0,0 @@
<?xml version="1.0"?>
<vulnerabilities>
<plugin name="media-library">
<vulnerability>
<title>Wordpress Media Library Categories plugin&lt;= 1.0.6 SQL Injection Vulnerability</title>
<reference>http://www.exploit-db.com/exploits/17628/</reference>
<type>SQLI</type>
</vulnerability>
</plugin>
<plugin name="deans">
<vulnerability>
<title>Wordpress FCKeditor Deans With Pwwangs Code Plugin &lt;= 1.0.0 Remote Shell Upload</title>
<reference>http://packetstormsecurity.org/files/111319/</reference>
<type>RFI</type>
</vulnerability>
</plugin>
</vulnerabilities>


@@ -1,5 +0,0 @@
display-widgets/display-widgets.php
regenerate-thumbnails/readme.txt
formidable/formidable.php
exclude-pages/exclude_pages.php
regenerate-thumbnails/readme.txt


@@ -1,9 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
</body>
</html>


@@ -1,179 +0,0 @@
<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="UTF-8" />
<title>ddd</title>
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel="stylesheet" type="text/css" media="all" href="http://10.211.55.8/wordpress/wp-content/themes/custom-twentyten/style.css" />
<link rel="pingback" href="http://10.211.55.8/wordpress/xmlrpc.php" />
<meta name='robots' content='noindex,nofollow' />
<link rel="alternate" type="application/rss+xml" title="test &raquo; Feed" href="http://10.211.55.8/wordpress/?feed=rss2" />
<link rel="alternate" type="application/rss+xml" title="test &raquo; Comments Feed" href="http://10.211.55.8/wordpress/?feed=comments-rss2" />
<!-- AL2FB CSS -->
<style type="text/css" media="screen">
.al2fb_widget_comments { }
.al2fb_widget_comments li { }
.al2fb_widget_picture { width: 32px; height: 32px; }
.al2fb_widget_name { }
.al2fb_widget_comment { }
.al2fb_widget_date { font-size: smaller; }
</style>
<link rel='stylesheet' id='al2fb_style-css' href='http://10.211.55.8/wordpress/wp-content/plugins/add-link-to-facebook/add-link-to-facebook.css?ver=3.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='events-manager-css' href='http://10.211.55.8/wordpress/wp-content/plugins/events-manager/includes/css/events_manager.css?ver=3.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='NextGEN-css' href='http://10.211.55.8/wordpress/wp-content/plugins/nextgen-gallery/css/nggallery.css?ver=1.0.0' type='text/css' media='screen' />
<link rel='stylesheet' id='shutter-css' href='http://10.211.55.8/wordpress/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.css?ver=1.3.4' type='text/css' media='screen' />
<link rel='stylesheet' id='contact-form-7-css' href='http://10.211.55.8/wordpress/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='cntctfrmStylesheet-css' href='http://10.211.55.8/wordpress/wp-content/plugins/contact-form-plugin/css/style.css?ver=3.3.1' type='text/css' media='all' />
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/jquery.js?ver=1.7.1'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.core.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.widget.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.position.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.mouse.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.sortable.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.datepicker.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.autocomplete.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.resizable.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.draggable.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.button.min.js?ver=1.8.16'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-includes/js/jquery/ui/jquery.ui.dialog.min.js?ver=1.8.16'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var EM = {"ajaxurl":"http:\/\/10.211.55.8\/wordpress\/wp-admin\/admin-ajax.php","bookingajaxurl":"http:\/\/10.211.55.8\/wordpress\/wp-admin\/admin-ajax.php","locationajaxurl":"http:\/\/10.211.55.8\/wordpress\/wp-admin\/admin-ajax.php?action=locations_search","firstDay":"1","locale":"en","dateFormat":"dd\/mm\/yy","bookingInProgress":"Please wait while the booking is being submitted.","ui_css":"http:\/\/10.211.55.8\/wordpress\/wp-content\/plugins\/events-manager\/includes\/css\/ui-lightness.css","show24hours":"","is_ssl":"","tickets_save":"Save Ticket","bookings_export_save":"Export Bookings","bookings_settings_save":"Save Settings","booking_delete":"Are you sure you want to delete?","bb_full":"Sold Out","bb_book":"Book Now","bb_booking":"Booking...","bb_booked":"Booking Submitted","bb_error":"Booking Error. Try again?","bb_cancel":"Cancel","bb_canceling":"Canceling...","bb_cancelled":"Cancelled","bb_cancel_error":"Cancellation Error. Try again?","txt_search":"Search","txt_searching":"Searching...","txt_loading":"Loading..."};
/* ]]> */
</script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/events-manager/includes/js/events-manager.js?ver=3.3.1'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var shutterSettings = {"msgLoading":"L O A D I N G","msgClose":"Click to Close","imageCount":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js?ver=1.3.3'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/nextgen-gallery/js/jquery.cycle.all.min.js?ver=2.9995'></script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.06'></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://10.211.55.8/wordpress/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://10.211.55.8/wordpress/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 3.3.1" />
<!-- All in One SEO Pack 1.6.15 by Michael Torbert of Semper Fi Web Design[78,119] -->
<meta name="description" content="ddddd" />
<meta name="keywords" content="dd" />
<link rel="canonical" href="http://10.211.55.8/wordpress/" />
<!-- /all in one seo pack -->
<!-- <meta name="NextGEN" version="1.9.6" /> -->
<script charset="utf-8" type="text/javascript">var switchTo5x=true;</script><script charset="utf-8" type="text/javascript" src="http://w.sharethis.com/button/buttons.js"></script><script type="text/javascript">stLight.options({publisher:'wp.d54da82c-32aa-4efc-ab15-d4e2ed4f0b4d'});var st_type='wordpress3.3.1';</script></head>
<body class="home blog">
<div id="wrapper" class="hfeed">
<div id="header">
<div id="masthead">
<div id="branding" role="banner">
<h1 id="site-title">
<span>
<a href="http://10.211.55.8/wordpress/" title="test" rel="home">test</a>
</span>
</h1>
<div id="site-description">Just another WordPress site</div>
<img src="http://10.211.55.8/wordpress/wp-content/themes/custom-twentyten/images/headers/path.jpg" width="940" height="198" alt="" />
</div><!-- #branding -->
<div id="access" role="navigation">
<div class="skip-link screen-reader-text"><a href="#content" title="Skip to content">Skip to content</a></div>
<div class="menu"><ul><li class="current_page_item"><a href="http://10.211.55.8/wordpress/" title="Home">Home</a></li><li class="page_item page-item-11"><a href="http://10.211.55.8/wordpress/?page_id=11">Events</a><ul class='children'><li class="page_item page-item-13"><a href="http://10.211.55.8/wordpress/?page_id=13">Categories</a></li><li class="page_item page-item-12"><a href="http://10.211.55.8/wordpress/?page_id=12">Locations</a></li><li class="page_item page-item-14"><a href="http://10.211.55.8/wordpress/?page_id=14">My Bookings</a></li></ul></li><li class="page_item page-item-2"><a href="http://10.211.55.8/wordpress/?page_id=2">Sample Page</a></li></ul></div>
</div><!-- #access -->
</div><!-- #masthead -->
</div><!-- #header -->
<div id="main">
<div id="container">
<div id="content" role="main">
<div id="post-1" class="post-1 post type-post status-publish format-standard hentry category-uncategorized">
<h2 class="entry-title"><a href="http://10.211.55.8/wordpress/?p=1" title="Permalink to Hello world!" rel="bookmark">Hello world!</a></h2>
<div class="entry-meta">
<span class="meta-prep meta-prep-author">Posted on</span> <a href="http://10.211.55.8/wordpress/?p=1" title="8:41 pm" rel="bookmark"><span class="entry-date">September 15, 2012</span></a> <span class="meta-sep">by</span> <span class="author vcard"><a class="url fn n" href="http://10.211.55.8/wordpress/?author=1" title="View all posts by admin">admin</a></span> </div><!-- .entry-meta -->
<div class="entry-content">
<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>
<p><span class='st_facebook_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Facebook'></span><span class='st_twitter_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Twitter'></span><span class='st_email_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Email'></span><span class='st_sharethis_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='ShareThis'></span><span class='st_fblike_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Facebook Like'></span><span class='st_plusone_buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Google +1'></span><span class='st_pinterest _buttons' st_title='Hello world!' st_url='http://10.211.55.8/wordpress/?p=1' displayText='Pinterest'></span></p> </div><!-- .entry-content -->
<div class="entry-utility">
<span class="cat-links">
<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> <a href="http://10.211.55.8/wordpress/?cat=1" title="View all posts in Uncategorized" rel="category">Uncategorized</a> </span>
<span class="meta-sep">|</span>
<span class="comments-link"><a href="http://10.211.55.8/wordpress/?p=1#comments" title="Comment on Hello world!">1 Comment</a></span>
</div><!-- .entry-utility -->
</div><!-- #post-## -->
</div><!-- #content -->
</div><!-- #container -->
<div id="primary" class="widget-area" role="complementary">
<ul class="xoxo">
<li id="search-2" class="widget-container widget_search"><form role="search" method="get" id="searchform" action="http://10.211.55.8/wordpress/" >
<div><label class="screen-reader-text" for="s">Search for:</label>
<input type="text" value="" name="s" id="s" />
<input type="submit" id="searchsubmit" value="Search" />
</div>
</form></li> <li id="recent-posts-2" class="widget-container widget_recent_entries"> <h3 class="widget-title">Recent Posts</h3> <ul>
<li><a href="http://10.211.55.8/wordpress/?p=1" title="Hello world!">Hello world!</a></li>
</ul>
</li><li id="recent-comments-2" class="widget-container widget_recent_comments"><h3 class="widget-title">Recent Comments</h3><ul id="recentcomments"><li class="recentcomments"><a href='http://wordpress.org/' rel='external nofollow' class='url'>Mr WordPress</a> on <a href="http://10.211.55.8/wordpress/?p=1#comment-1">Hello world!</a></li></ul></li><li id="archives-2" class="widget-container widget_archive"><h3 class="widget-title">Archives</h3> <ul>
<li><a href='http://10.211.55.8/wordpress/?m=201209' title='September 2012'>September 2012</a></li>
</ul>
</li><li id="categories-2" class="widget-container widget_categories"><h3 class="widget-title">Categories</h3> <ul>
<li class="cat-item cat-item-1"><a href="http://10.211.55.8/wordpress/?cat=1" title="View all posts filed under Uncategorized">Uncategorized</a>
</li>
</ul>
</li><li id="meta-2" class="widget-container widget_meta"><h3 class="widget-title">Meta</h3> <ul>
<li><a href="http://10.211.55.8/wordpress/wp-login.php">Log in</a></li>
<li><a href="http://10.211.55.8/wordpress/?feed=rss2" title="Syndicate this site using RSS 2.0">Entries <abbr title="Really Simple Syndication">RSS</abbr></a></li>
<li><a href="http://10.211.55.8/wordpress/?feed=comments-rss2" title="The latest comments to all posts in RSS">Comments <abbr title="Really Simple Syndication">RSS</abbr></a></li>
<li><a href="http://wordpress.org/" title="Powered by WordPress, state-of-the-art semantic personal publishing platform.">WordPress.org</a></li>
</ul>
</li> </ul>
</div><!-- #primary .widget-area -->
</div><!-- #main -->
<div id="footer" role="contentinfo">
<div id="colophon">
<div id="site-info">
<a href="http://10.211.55.8/wordpress/" title="test" rel="home">
test </a>
</div><!-- #site-info -->
<div id="site-generator">
<a href="http://wordpress.org/" title="Semantic Personal Publishing Platform" rel="generator">Proudly powered by WordPress.</a>
</div><!-- #site-generator -->
</div><!-- #colophon -->
</div><!-- #footer -->
</div><!-- #wrapper -->
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/contact-form-7/includes/js/jquery.form.js?ver=3.14'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var _wpcf7 = {"loaderUrl":"http:\/\/10.211.55.8\/wordpress\/wp-content\/plugins\/contact-form-7\/images\/ajax-loader.gif","sending":"Sending ..."};
/* ]]> */
</script>
<script type='text/javascript' src='http://10.211.55.8/wordpress/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.2.1'></script>
</body>
</html>


@@ -1,25 +0,0 @@
<themes>
<theme name="shopperpress">
<vulnerability>
<title>ShopperPress WordPress Theme 2.7 Cross Site Scripting</title>
<reference>http://packetstormsecurity.org/files/115630/</reference>
<type>XSS</type>
</vulnerability>
</theme>
<theme name="wise">
<vulnerability>
<title>Site5 Wordpress Themes Email Spoofing</title>
<reference>http://packetstormsecurity.org/files/114750/</reference>
<type>UNKNOWN</type>
</vulnerability>
</theme>
<theme name="webfolio">
<vulnerability>
<title>Site5 Wordpress Themes Email Spoofing</title>
<reference>http://packetstormsecurity.org/files/114750/</reference>
<type>UNKNOWN</type>
</vulnerability>
</theme>
</themes>


@@ -1,10 +0,0 @@
zenpro/404.php
zeta-zip/404.php
zfirst/404.php
zgrey/404.php
zindi-ii/404.php
zindi/404.php
zombie-apocalypse/404.php
zsofa/404.php
zwei-seiten/404.php
twentyten/404.php


@@ -1,4 +0,0 @@
plugin1
plugin2
plugin3
plugin4

View File

@@ -1,27 +0,0 @@
<?xml version="1.0"?>
<vulnerabilities>
<plugin name="spec-plugin">
<vulnerability>
<title>WPScan Spec</title>
<reference>http://secu.org/files/111319/</reference>
<type>XSS</type>
</vulnerability>
<vulnerability>
<title>Spec SQL Injection</title>
<reference>http://secu.org/files/1245/</reference>
<type>SQLI</type>
</vulnerability>
</plugin>
<plugin name="simple-login-lockdown">
<vulnerability>
<title>Simple Login Lockdown XSS</title>
<reference>http://secu.org/files/1234/</reference>
<type>XSS</type>
</vulnerability>
</plugin>
</vulnerabilities>


@@ -1,5 +0,0 @@
theme1
theme2
theme3
theme4
theme5

View File

@@ -1,22 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<vulnerabilities>
<theme name="onepagewebsite">
<vulnerability>
<title>onepagewebsite Full Path Disclosure vulnerability</title>
<reference>http://1337day.com/exploit/20027</reference>
<type>FPD</type>
</vulnerability>
<vulnerability>
<title>onepagewebsite Full Path Disclosure vulnerability</title>
<reference>http://1337day.com/exploit/20027</reference>
<type>FPD</type>
</vulnerability>
</theme>
<theme name="vithy">
<vulnerability>
<title>vithy Full Path Disclosure vulnerability</title>
<reference>http://1337day.com/exploit/20040</reference>
<type>FPD</type>
</vulnerability>
</theme>
</vulnerabilities>


@@ -1,9 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at lamp Port 80</address>
</body></html>


@@ -0,0 +1,227 @@
# encoding: UTF-8
require WPSCAN_LIB_DIR + '/wp_target'
shared_examples 'WpItems::Detectable' do
let(:vulns_file) { fixtures_dir + '/vulns.xml' }
let(:targets_items_file) { fixtures_dir + '/targets.txt' }
let(:wp_content_dir) { 'wp-content' }
let(:wp_plugins_dir) { wp_content_dir + '/plugins' }
let(:wp_target) { WpTarget.new(url, wp_content_dir: wp_content_dir, wp_plugins_dir: wp_plugins_dir) }
let(:url) { 'http://example.com/' }
let(:uri) { URI.parse(url) }
let(:empty_file) { SPEC_FIXTURES_DIR + '/empty-file' }
before do
if class_vulns_file = subject.vulns_file
class_vulns_file.should == expected[:vulns_file]
end
subject.stub(:vulns_file).and_return(vulns_file)
unless subject.item_xpath
subject.stub(:item_xpath).and_return('//item')
end
end
describe '::request_params' do
it 'returns the default params' do
subject.send(:request_params).should == expected[:request_params]
end
end
describe '::item_class' do
it 'returns the correct item class' do
klass = subject.send(:item_class)
klass.should be_a Class
klass.should == item_class
end
end
describe '::targets_items_from_file' do
after do
results = subject.send(:targets_items_from_file, file, wp_target, item_class, vulns_file)
results.map { |i| i.name }.should == @expected.map { |i| i.name }
unless results.empty?
results.each do |item|
item.should be_a item_class
end
end
end
context 'when an empty file' do
let(:file) { empty_file }
it 'returns an empty Array' do
@expected = []
end
end
context 'when a file' do
let(:file) { targets_items_file }
it 'returns the expected Array of WpItem' do
@expected = expected[:targets_items_from_file]
end
end
end
describe '::vulnerable_targets_items' do
after do
results = subject.send(:vulnerable_targets_items, wp_target, item_class, vulns_file)
results.map { |i| i.name }.should == @expected.map { |i| i.name }
unless results.empty?
results.each do |item|
item.should be_a item_class
end
end
end
context 'when an empty file' do
let(:vulns_file) { empty_file }
it 'returns an empty Array' do
@expected = []
end
end
context 'when a file' do
it 'returns the expected Array of WpItem' do
@expected = expected[:vulnerable_targets_items]
end
end
end
describe '::targets_items' do
let(:options) { {} }
after do
if @expected
results = subject.send(:targets_items, wp_target, options)
results.map { |i| i.name }.sort.should == @expected.map { |i| i.name }.sort
end
end
context 'when :only_vulnerable' do
let(:options) { { only_vulnerable: true } }
it 'returns the expected Array of WpItem' do
@expected = expected[:vulnerable_targets_items]
end
end
context 'when not :only_vulnerable' do
context 'when no :file' do
it 'raises an error' do
expect { subject.send(:targets_items, wp_target, options) }.to raise_error('A file must be supplied')
end
end
context 'when :file' do
let(:options) { { file: targets_items_file } }
it 'returns the expected Array of WpItem' do
@expected = (expected[:targets_items_from_file] + expected[:vulnerable_targets_items]).uniq {|t| t.name }
end
end
end
end
describe '::passive_detection' do
after do
stub_request_to_fixture(url: wp_target.url, fixture: @fixture)
result = subject.passive_detection(wp_target)
result.should be_a subject
result.map { |i| i.name }.should == @expected.map { |i| i.name }.sort
end
context 'when the page is empty' do
it 'return an empty WpItems' do
@fixture = empty_file
@expected = subject.new
end
end
context 'when items are present' do
it 'returns the excpected items' do
@fixture = fixtures_dir + '/passive_detection.html'
@expected = expected[:passive_detection]
end
end
end
describe '::aggressive_detection' do
def stub_targets_dont_exist(targets)
targets.each { |t| t.stub(:exists?).and_return(false) }
end
let(:options) { {} }
after do
stub_request(:get, /.*/).to_return(status: 404)
result = subject.aggressive_detection(wp_target, options)
result.should be_a subject
result.map { |i| i.name }.should == @expected.map { |i| i.name }.sort
end
context 'when :only_vulnerable' do
let(:options) { { only_vulnerable: true } }
let(:targets) { expected[:vulnerable_targets_items] }
it 'only checks vulnerable targets' do
target = targets.sample
@expected = subject.new << target
stub_targets_dont_exist(targets)
target.stub(:exists?).and_return(true)
subject.should_receive(:targets_items).and_return(targets)
end
context 'when all targets dont exist' do
it 'returns an empty WpItems' do
stub_targets_dont_exist(targets)
subject.should_receive(:targets_items).and_return(targets)
@expected = subject.new
end
end
end
context 'when no :only_vulnerable' do
let(:targets) { (expected[:vulnerable_targets_items] + expected[:targets_items_from_file]).uniq { |t| t.name } }
it 'checks all targets, and merge the results with passive_detection' do
target = targets.sample
@expected = expected[:passive_detection] << target
stub_targets_dont_exist(targets)
target.stub(:exists?).and_return(true)
subject.should_receive(:targets_items).and_return(targets)
subject.should_receive(:passive_detection).and_return(expected[:passive_detection])
end
context 'when all targets dont exist' do
it 'returns the result from passive_detection' do
@expected = expected[:passive_detection]
stub_targets_dont_exist(targets)
subject.should_receive(:targets_items).and_return(targets)
subject.should_receive(:passive_detection).and_return(@expected)
end
end
end
end
end
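Review bot: In the `::aggressive_detection` example 'checks all targets, and merge the results with passive_detection', `@expected = expected[:passive_detection] << target` appends to the fixture collection in place, and the same `expected[:passive_detection]` is then handed to the `passive_detection` stub. If `expected` is a memoized `let` in the including spec (it is defined outside this file, so this is inferred), the stubbed passive result already contains the sampled target, and the example would still pass if the aggressive check never reported it. Building the expectation on a copy keeps the two apart: `@expected = expected[:passive_detection].dup << target`. A short comment above the `after` hooks, such as `# assertions run here; the examples only set @fixture / @expected`, would also make it clear where the checks actually happen.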


@@ -35,6 +35,7 @@ SPEC_FIXTURES_CONF_DIR = SPEC_FIXTURES_DIR + '/conf'
SPEC_FIXTURES_WP_VERSIONS_DIR = SPEC_FIXTURES_DIR + '/wp_versions'
MODELS_FIXTURES = SPEC_FIXTURES_DIR + '/common/models'
COLLECTIONS_FIXTURES = SPEC_FIXTURES_DIR + '/common/collections'
# Load all the shared examples
require_files_from_directory(SHARED_EXAMPLES_DIR)