Code Factoring

lib/common/collections/wp_users/brute_forcable.rb

@@ -3,8 +3,19 @@
 class WpUsers < WpItems
   module BruteForcable
 
+    # Brute force each wp_user
+    #
+    # To avoid loading the wordlist each time in the wp_user instance
+    # It's loaded here, and given to the wp_user
+    #
+    # @param [ String, Array<String> ] wordlist
+    # @param [ Hash ] options See WpUser::BruteForcable#brute_force
+    #
+    # @return [ void ]
     def brute_force(wordlist, options = {})
-      self.each { |wp_user| wp_user.brute_force(wordlist, options) }
+      passwords = WpUser::BruteForcable.passwords_from_wordlist(wordlist)
+
+      self.each { |wp_user| wp_user.brute_force(passwords, options) }
     end
 
   end

lib/common/models/wp_user/brute_forcable.rb

@@ -3,28 +3,24 @@
 class WpUser < WpItem
   module BruteForcable
 
-    # @param [ String ] wordlist The wordlist path
+    # @param [ String, Array<String> ] wordlist The wordlist path
     # @param [ Hash ] options
+    # @option options [ Boolean ] :verbose
+    # @option options [ Boolean ] :show_progression
     #
     # @return [ void ]
     def brute_force(wordlist, options = {})
       hydra               = Browser.instance.hydra
-      wordlist_charset    = File.charset(wordlist)
-      number_of_passwords = BruteForcable.lines_in_file(wordlist)
+      passwords           = BruteForcable.passwords_from_wordlist(wordlist)
+      number_of_passwords = passwords.size
       login_url           = @uri.merge('wp-login.php').to_s
-
       queue_count         = 0
       request_count       = 0
 
-      File.open(wordlist, "r:#{wordlist_charset}").each do |line|
-        line.encode!('UTF-8').strip!
-        # ignore file comments, but will miss passwords if they start with a hash...
-        next if line[0, 1] == '#'
-
+      passwords.each do |password|
         request_count += 1
         queue_count   += 1
         login          = self.login
-        password       = line
 
         request = Browser.instance.forge_request(login_url,
           {
@@ -67,6 +63,8 @@ class WpUser < WpItem
     # @param [ Typhoeus::Response ] response
     # @param [ String ] password
     # @param [ Hash ] options
+    # @option options [ Boolean ] :verbose
+    # @option options [ Boolean ] :show_progression
     #
     # @return [ Boolean ]
     def valid_password?(response, password, options = {})
@@ -92,21 +90,35 @@ class WpUser < WpItem
       false
     end
 
-    # Counts the number of lines in the wordlist
-    # It can take a couple of minutes on large
-    # wordlists, although bareable.
+    # Load the passwords from the wordlist, which can be a file path or
+    # an array or passwords
     #
-    # Each line which starts with # is ignored
+    # File comments are ignored, but will miss passwords if they start with a hash...
     #
-    # @param [ String ] file_path
+    # @param [ String, Array<String> ] wordlist
     #
-    # @return [ Integer ]
-    def self.lines_in_file(file_path)
-      lines = 0
-      File.open(file_path, 'rb').each do |line|
-        lines += 1 if line.strip[0,1] != '#'
+    # @return [ Array<String> ]
+    def self.passwords_from_wordlist(wordlist)
+      if wordlist.is_a?(String)
+        passwords = []
+        charset   = File.charset(wordlist).upcase
+        opt       = "r:#{charset}"
+        # To remove warning when charset = UTF-8
+        # Ignoring internal encoding UTF-8: it is identical to external encoding utf-8
+        opt      += ':UTF-8' if charset != 'UTF-8'
+
+        File.open(wordlist, opt).each do |line|
+          next if line[0,1] == '#'
+
+          passwords << line.strip
+        end
+      elsif wordlist.is_a?(Array)
+        passwords = wordlist
+      else
+        raise 'Invalid wordlist, expected String or Array'
       end
-      lines
+
+      passwords
     end
 
   end

spec/shared_examples/wp_user/brute_forcable.rb

@@ -1,22 +1,63 @@
 # encoding: UTF-8
 
 shared_examples 'WpUser::BruteForcable' do
-  let(:fixtures_dir) { MODELS_FIXTURES + '/wp_user/brute_forcable' }
-  let(:wordlist)     { fixtures_dir + '/wordlist-iso-8859-1.txt' }
-  let(:mod)          { WpUser::BruteForcable }
-  let(:login_url)    { uri.merge('wp-login.php').to_s }
+  let(:fixtures_dir)  { MODELS_FIXTURES + '/wp_user/brute_forcable' }
+  let(:wordlist_iso)  { fixtures_dir + '/wordlist-iso-8859-1.txt' }
+  let(:wordlist_utf8) { fixtures_dir + '/wordlist-utf-8.txt' }
+  let(:mod)           { WpUser::BruteForcable }
+  let(:login_url)     { uri.merge('wp-login.php').to_s }
 
   before { Browser.instance.max_threads = 1 }
 
-  describe '::lines_in_file' do
-    it 'returns 5 (1 line is a comment)' do
-      lines = mod.lines_in_file(wordlist)
-      lines.should == 5
+  describe '::passwords_from_wordlist' do
+    let(:expected)  { %w{password1 pa55w0rd admin root kansei£Ô} }
+    let(:exception) { 'Invalid wordlist, expected String or Array' }
+
+    after do
+      if @expected
+        mod.passwords_from_wordlist(wordlist).should == @expected
+      else
+        expect { mod.passwords_from_wordlist(wordlist) }.to raise_error(@exception)
+      end
+    end
+
+    context 'when the wordlist is a file' do
+      context 'when encoded with ISO-8859-1' do
+        let(:wordlist) { wordlist_iso }
+
+        it 'returns the expected passwords' do
+          @expected = expected
+        end
+      end
+
+      context 'when encoded with UTF-8' do
+        let(:wordlist) { wordlist_utf8 }
+
+        it 'returns the expected passwords' do
+          @expected = expected
+        end
+      end
+    end
+
+    context 'when the wordlist is an Array<String>' do
+      let(:wordlist) { %w{hello pwet yolo} }
+
+      it 'returns it' do
+        @expected = wordlist
+      end
+    end
+
+    context 'when the wordlist is invalid' do
+      let(:wordlist) { 200 }
+
+      it 'raises an error' do
+        @exception = exception
+      end
     end
   end
 
   describe '#valid_password?' do
-    let(:response) { Typhoeus::Response.new(resp_options) }
+    let(:response)     { Typhoeus::Response.new(resp_options) }
     let(:resp_options) { {} }
 
     after do
@@ -72,40 +113,13 @@ shared_examples 'WpUser::BruteForcable' do
     end
   end
 
-  describe 'wordlist charset' do
-    let(:expected) { %w{password1 pa55w0rd #comment admin root kansei£Ô} }
-
-    %w{wordlist-iso-8859-1.txt wordlist-utf-8.txt}.each do |file|
-      it 'contains the expected lines' do
-        file    = fixtures_dir + '/' + file
-        charset = File.charset(file)
-
-        lines = []
-        File.open(file, "r:#{charset}").each do |line|
-          lines << line.encode!('UTF-8').strip!
-        end
-
-        lines.should == expected
-      end
-    end
-  end
-
   describe '#brute_force' do
-    let(:passwords) {
-      passwords = []
-      charset   = File.charset(wordlist)
-
-      File.open(wordlist, "r:#{charset}").each do |line|
-        line.encode!('UTF-8').strip!
-        passwords << line unless line[0,1] == '#'
-      end
-      passwords
-    }
-    let(:login) { 'someuser' }
+    let(:passwords) { %w{pass1 pass2 yolo kansei£Ô} }
+    let(:login)     { 'someuser' }
 
     after do
       wp_user.login = login
-      wp_user.brute_force(wordlist)
+      wp_user.brute_force(passwords)
       wp_user.password.should == @expected
     end
 

spec/shared_examples/wp_users/brute_forcable.rb

@@ -5,16 +5,19 @@ shared_examples 'WpUsers::BruteForcable' do
   describe '#brute_force' do
     let(:range)           { (1..10) }
     let(:wordlist)        { 'somefile.txt'}
+    let(:passwords)       { %w{password 123456 0000} }
     let(:brute_force_opt) { {} }
 
     it 'calls #brute_force on each wp_user' do
       range.each do |id|
         wp_user = WpUser.new(uri, id: id)
-        wp_user.should_receive(:brute_force).with(wordlist, brute_force_opt)
+        wp_user.should_receive(:brute_force).with(passwords, brute_force_opt)
 
         wp_users << wp_user
       end
 
+      WpUser::BruteForcable.stub(:passwords_from_wordlist).with(wordlist).and_return(passwords)
+
       wp_users.brute_force(wordlist, brute_force_opt)
     end
   end