From 6df2564d1a49c619e467853f5455a8e3ee61387a Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Thu, 18 Apr 2019 14:17:00 +0100
Subject: [PATCH] Improves Target#wordpress_hosted?

---
 lib/wpscan/errors/wordpress.rb                |   2 +-
 lib/wpscan/target/platform/wordpress.rb       |  13 +-
 .../wordpress/wordpress_hosted/matches.html   | 232 ++++++++++++++++++
 .../wordpress/wordpress_hosted/no_match.html  |   2 +
 .../target/platform/wordpress.rb              |  29 ++-
 5 files changed, 274 insertions(+), 4 deletions(-)
 create mode 100644 spec/fixtures/target/platform/wordpress/wordpress_hosted/matches.html
 create mode 100644 spec/fixtures/target/platform/wordpress/wordpress_hosted/no_match.html

diff --git a/lib/wpscan/errors/wordpress.rb b/lib/wpscan/errors/wordpress.rb
index 364524ad..a99b84a6 100644
--- a/lib/wpscan/errors/wordpress.rb
+++ b/lib/wpscan/errors/wordpress.rb
@@ -5,7 +5,7 @@ module WPScan
     # WordPress hosted (*.wordpress.com)
     class WordPressHosted < Standard
       def to_s
-        'Scanning *.wordpress.com hosted blogs is not supported.'
+        'The target appears to be hosted on WordPress.com. Scanning such site is not supported.'
       end
     end
 
diff --git a/lib/wpscan/target/platform/wordpress.rb b/lib/wpscan/target/platform/wordpress.rb
index 849e3e02..97d5f834 100644
--- a/lib/wpscan/target/platform/wordpress.rb
+++ b/lib/wpscan/target/platform/wordpress.rb
@@ -78,8 +78,19 @@ module WPScan
           multisite? ? url('wp-signup.php') : url('wp-login.php?action=register')
         end
 
+        # @return [ Boolean ] Whether or not the target is hosted on wordpress.com
         def wordpress_hosted?
-          /\.wordpress\.com$/i.match?(uri.host) ? true : false
+          return true if /\.wordpress\.com$/i.match?(uri.host)
+
+          unless content_dir(:passive)
+            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
+
+            urls_from_page(homepage_res) do |url|
+              return true if url.match?(pattern)
+            end
+          end
+
+          false
         end
 
         # @param [ String ] username
diff --git a/spec/fixtures/target/platform/wordpress/wordpress_hosted/matches.html b/spec/fixtures/target/platform/wordpress/wordpress_hosted/matches.html
new file mode 100644
index 00000000..bb91c4ca
--- /dev/null
+++ b/spec/fixtures/target/platform/wordpress/wordpress_hosted/matches.html
@@ -0,0 +1,232 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+
+<head profile="http://gmpg.org/xfn/11">
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+
+<title>WP Lab</title>
+
+<link rel="stylesheet" href="https://s2.wp.com/wp-content/themes/vip/lab/style.css" type="text/css" media="screen" />
+<link rel="pingback" href="http://ex.lo/xmlrpc.php" />
+
+
+    <script src='https://r-login.wordpress.com/remote-login.php?action=js&amp;host=ex.lo&amp;id=18579156&amp;t=1555586446&amp;back=http%3A%2F%2Fex.lo%2F' type="text/javascript"></script>
+    <script type="text/javascript">
+    /* <![CDATA[ */
+      if ( 'function' === typeof WPRemoteLogin ) {
+        document.cookie = "wordpress_test_cookie=test; path=/";
+        if ( document.cookie.match( /(;|^)\s*wordpress_test_cookie\=/ ) ) {
+          WPRemoteLogin();
+        }
+      }
+    /* ]]> */
+    </script>
+    <link rel='dns-prefetch' href='//s2.wp.com' />
+<link rel='dns-prefetch' href='//s0.wp.com' />
+<link rel='dns-prefetch' href='//s1.wp.com' />
+<link rel='dns-prefetch' href='//lab.wordpress.com' />
+<link rel="alternate" type="application/rss+xml" title="WP Lab &raquo; Feed" href="http://ex.lo/feed/" />
+<link rel="alternate" type="application/rss+xml" title="WP Lab &raquo; Comments Feed" href="http://ex.lo/comments/feed/" />
+  <script type="text/javascript">
+    /* <![CDATA[ */
+    function addLoadEvent(func) {
+      var oldonload = window.onload;
+      if (typeof window.onload != 'function') {
+        window.onload = func;
+      } else {
+        window.onload = function () {
+          oldonload();
+          func();
+        }
+      }
+    }
+    /* ]]> */
+  </script>
+      <script type="text/javascript">
+      window._wpemojiSettings = {"baseUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/72x72\/","ext":".png","svgUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/s2.wp.com\/wp-includes\/js\/wp-emoji-release.min.js?m=1550249335h&ver=5.2-beta3-45232"}};
+      !function(a,b,c){function d(a,b){var c=String.fromCharCode;l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,a),0,0);var d=k.toDataURL();l.clearRect(0,0,k.width,k.height),l.fillText(c.apply(this,b),0,0);var e=k.toDataURL();return d===e}function e(a){var b;if(!l||!l.fillText)return!1;switch(l.textBaseline="top",l.font="600 32px Arial",a){case"flag":return!(b=d([55356,56826,55356,56819],[55356,56826,8203,55356,56819]))&&(b=d([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]),!b);case"emoji":return b=d([55358,56760,9792,65039],[55358,56760,8203,9792,65039]),!b}return!1}function f(a){var c=b.createElement("script");c.src=a,c.defer=c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var g,h,i,j,k=b.createElement("canvas"),l=k.getContext&&k.getContext("2d");for(j=Array("flag","emoji"),c.supports={everything:!0,everythingExceptFlag:!0},i=0;i<j.length;i++)c.supports[j[i]]=e(j[i]),c.supports.everything=c.supports.everything&&c.supports[j[i]],"flag"!==j[i]&&(c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&c.supports[j[i]]);c.supports.everythingExceptFlag=c.supports.everythingExceptFlag&&!c.supports.flag,c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.everything||(h=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",h,!1),a.addEventListener("load",h,!1)):(a.attachEvent("onload",h),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),g=c.source||{},g.concatemoji?f(g.concatemoji):g.wpemoji&&g.twemoji&&(f(g.twemoji),f(g.wpemoji)))}(window,document,window._wpemojiSettings);
+    </script>
+    <style type="text/css">
+img.wp-smiley,
+img.emoji {
+  display: inline !important;
+  border: none !important;
+  box-shadow: none !important;
+  height: 1em !important;
+  width: 1em !important;
+  margin: 0 .07em !important;
+  vertical-align: -0.1em !important;
+  background: none !important;
+  padding: 0 !important;
+}
+</style>
+<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://lab.wordpress.com/xmlrpc.php?rsd" />
+<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://s1.wp.com/wp-includes/wlwmanifest.xml" />
+<meta name="generator" content="WordPress.com" />
+<link rel='shortlink' href='https://wp.me/1fXhO' />
+<link rel='openid.server' href='http://lab.wordpress.com/?openidserver=1' />
+<link rel='openid.delegate' href='http://lab.wordpress.com/' />
+<link rel="search" type="application/opensearchdescription+xml" href="http://ex.lo/osd.xml" title="WP Lab" />
+<link rel="search" type="application/opensearchdescription+xml" href="https://s1.wp.com/opensearch.xml" title="WordPress.com" />
+<script type="text/javascript">
+jQuery(function($){
+  $.fn.colorbox.settings.transition = "elastic";
+  $.fn.colorbox.settings.speed = 350;
+  $.fn.colorbox.settings.maxWidth = "false";
+  $.fn.colorbox.settings.maxHeight = "false";
+  $.fn.colorbox.settings.resize = true;
+  $.fn.colorbox.settings.opacity = 0.8;
+  $.fn.colorbox.settings.preloading = true;
+  $.fn.colorbox.settings.current = "Image {current} of {total}";
+  $.fn.colorbox.settings.previous = "previous";
+  $.fn.colorbox.settings.next = "next";
+  $.fn.colorbox.settings.close = "close";
+  $.fn.colorbox.settings.overlayClose = true;
+  $.fn.colorbox.settings.slideshow = false;
+  $.fn.colorbox.settings.slideshowAuto = true;
+  $.fn.colorbox.settings.slideshowSpeed = 2500;
+  $.fn.colorbox.settings.slideshowStart =  "start";
+  $.fn.colorbox.settings.slideshowStop = "stop";
+  $("a[rel*='lightbox']").colorbox();
+});
+</script>
+<link rel="stylesheet" type="text/css" href="https://s0.wp.com/wp-content/themes/vip/plugins/lightbox-plus//css/shadowed/colorbox.css" media="screen" />
+<!--[if IE]>
+     <link type="text/css" media="screen" rel="stylesheet" href="https://s0.wp.com/wp-content/themes/vip/plugins/lightbox-plus//css/shadowed/colorbox-ie.css" title="IE fixes" />
+<![endif]-->
+<meta name="application-name" content="WP Lab" /><meta name="msapplication-window" content="width=device-width;height=device-height" /><meta name="msapplication-task" content="name=Subscribe;action-uri=http://ex.lo/feed/;icon-uri=https://s1.wp.com/i/favicon.ico" /><style type="text/css" id="syntaxhighlighteranchor"></style>
+<link rel="shortcut icon" href="https://s2.wp.com/wp-content/themes/vip/lab/images/favicon.ico" type="image/vnd.microsoft.icon">
+<!--Script needed to render twitter follow button-->
+<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+
+<!--
+<script>
+function readCookie(name) {
+  var nameEQ = name + "=";
+  var ca = document.cookie.split(';');
+  for(var i=0;i < ca.length;i++) {
+    var c = ca[i];
+    while (c.charAt(0)==' ') c = c.substring(1,c.length);
+    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+  }
+  return null;
+}
+var splash = readCookie("seensplash");
+var isiPad = navigator.userAgent.match(/iPad/i) != null;
+if(splash == null && !isiPad && window.location.toString().indexOf("ex.lo") > -1)
+{
+  document.location.href="/intro/";
+}
+</script>
+-->
+
+<style type="text/css">
+.nav
+{
+  background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/bg2.png) repeat;
+}
+
+.post
+{
+  background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/int_border.png);
+}
+
+#double_container
+{
+  background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/copy_bg.png);
+}
+
+.main_container
+{
+  background:none; width:1050px; margin:0 auto;);
+}
+
+div.post_footer
+{
+  background:#ffffff url(https://s2.wp.com/wp-content/themes/vip/lab/images/post_sep.png) no-repeat;
+}
+
+div.widget_footer
+{
+  background:#ffffff url(https://s2.wp.com/wp-content/themes/vip/lab/images/post_sep.png);
+}
+
+div.break_footer
+{
+  background:#ffffff url(https://s2.wp.com/wp-content/themes/vip/lab/images/post_sep.png);
+}
+
+.pushbutton-wide
+{
+  background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/submit.gif);
+}
+#sidebar .pds-vote-button
+{
+  background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/submit.gif);
+}
+
+/* Nav Style */
+.cbNav { background:url('https://s2.wp.com/wp-content/themes/vip/lab/images/nav.png') 0 0 no-repeat; width:1005px; height:54px; z-index:20; position:absolute; left:1px; top:58px; }
+  .cbNav ul { border:0; margin:0;  list-style-type:none; }
+    .cbNav li { background:url('https://s2.wp.com/wp-content/themes/vip/lab/images/nav-sprite.png') 0 0 no-repeat; list-style-type:none; margin:0; padding:0; position:absolute; top:10px; height:28px; }
+    .cbNav li.bio { left:91px; width:56px; }
+    .cbNav li.video { left:177px; width:79px; }
+
+    .cbNav li.photos { left:277px; width:92px; }
+    .cbNav li.contests { left:395px; width:107px; }
+    .cbNav li.press { left:529px; width:75px; }
+    .cbNav li.contact { left:629px; width:103px; }
+
+    /*
+    .cbNav li.photos { display:none; }
+    .cbNav li.contests { left:270px; width:107px; }
+    .cbNav li.press { left:413px; width:75px; }
+    .cbNav li.contact { left:514px; width:103px; }
+    */
+
+      .cbNav li a,
+      .cbNav li a:hover { display:block; width:100%; height:100%; }
+      .cbNav li.bio { background-position:-92px -64px; }
+      .cbNav li.video { background-position:-178px -64px; }
+      .cbNav li.photos { background-position:-278px -64px; }
+      .cbNav li.contests { background-position:-396px -64px; }
+      .cbNav li.press { background-position:-530px -64px; }
+      .cbNav li.contact { background-position:-630px -64px; }
+      .cbNav li.bio:hover { background-position:-91px -10px; }
+      .cbNav li.video:hover { background-position:-177px -10px; }
+      .cbNav li.photos:hover { background-position:-277px -10px; }
+      .cbNav li.contests:hover { background-position:-395px -10px; }
+      .cbNav li.press:hover { background-position:-529px -10px; }
+      .cbNav li.contact:hover { background-position:-629px -10px; }
+        .cbNav li .subnav { background:url('https://s2.wp.com/wp-content/themes/vip/lab/images/nav_sub_bg.png') repeat-x; height:28px; display:none; position:absolute; bottom:-25px; left:0; }
+        .cbNav li:hover .subnav { display:block; }
+          .cbNav .subnavEnds { background:url('https://s2.wp.com/wp-content/themes/vip/lab/images/nav_sub_ends-sprite.png') 0 0 no-repeat; width:7px; height:28px; position:absolute; }
+            .cbNav .leftEnd { left:-7px; top:0; }
+            .cbNav .rightEnd { right:-7px; top:0; background-position:-7px 0; }
+            .cbNav .subnav a {background:none; display:inline; color:#fff; text-decoration:none; line-height:24px; padding:5px; font-family:calibri, sans-serif; font-size:13px;}
+            .cbNav .subnav a:hover {background:none; display:inline; color:#c90; text-decoration:underline; text-shadow:0.1em 0.1em #333; line-height:24px;  }
+  .cbNav form { position:absolute; top:9px; right:17px; float:right; width:227px; height:30px; }
+    .cbNav .cbSearch { float:left; width:188px; height:30px; line-height:30px; background:none; border:0; position:relative; left:4px; color:#909090; font-size:11px; font-weight:bold; }
+    .cbNav form .submit { background:url('http://i.cdn.turner.com/nba/nba/images/1.gif') 0 0 no-repeat; width:30px; height:30px; float:right; border:0; margin:0; padding:0; cursor:pointer; }
+
+
+</style>
+<script language="JavaScript">
+document.adoffset = 0;
+document.adPopupFile = '/cnn_adspaces/adsPopup2.html';
+</script>
+<script type="text/javascript" src="https://s2.wp.com/wp-content/themes/vip/lab/js/jquery-1.8.3.min.js"></script>
+<script type="text/javascript" src="https://s2.wp.com/wp-content/themes/vip/lab/js/jquery.vticker-min.js"></script>
+<script type="text/javascript" src="https://s2.wp.com/wp-content/themes/vip/lab/js/adspaces.js"></script>
+<script type="text/javascript" src="https://s2.wp.com/wp-content/themes/vip/lab/js/nbaOmEvent.js"></script>
+<script type="text/javascript" src="http://i.cdn.turner.com/ads/adfuel/ais/nba-ais.js"></script>
+
+<script language="JavaScript">
+$(document).ready(function() { $('#content').append($('#footer')); });
+</script>
+
+</head>
+<body class="home blog mp6 customizer-styles-applied" style="background:url(https://s2.wp.com/wp-content/themes/vip/lab/images/bg2.png);">
+<div class="main_container">
+</body>
+</html>
diff --git a/spec/fixtures/target/platform/wordpress/wordpress_hosted/no_match.html b/spec/fixtures/target/platform/wordpress/wordpress_hosted/no_match.html
new file mode 100644
index 00000000..2637a721
--- /dev/null
+++ b/spec/fixtures/target/platform/wordpress/wordpress_hosted/no_match.html
@@ -0,0 +1,2 @@
+<link rel="pingback" href="http://ex.lo/xmlrpc.php" />
+<link rel="stylesheet" href="https://a.cloudfront.net/wp-content/themes/vip/lab/style.css" type="text/css" media="screen" />
diff --git a/spec/shared_examples/target/platform/wordpress.rb b/spec/shared_examples/target/platform/wordpress.rb
index b827c40b..06a2c186 100644
--- a/spec/shared_examples/target/platform/wordpress.rb
+++ b/spec/shared_examples/target/platform/wordpress.rb
@@ -139,7 +139,9 @@ shared_examples WPScan::Target::Platform::WordPress do
   end
 
   describe '#wordpress_hosted?' do
-    its(:wordpress_hosted?) { should be false }
+    let(:fixtures) { super().join('wordpress_hosted') }
+
+    # its(:wordpress_hosted?) { should be false }
 
     context 'when the target host matches' do
       let(:url) { 'http://ex.wordpress.com' }
@@ -150,7 +152,30 @@ shared_examples WPScan::Target::Platform::WordPress do
     context 'when the target host doesn\'t matches' do
       let(:url) { 'http://ex-wordpress.com' }
 
-      its(:wordpress_hosted?) { should be false }
+      context 'when wp-content not detected' do
+        before do
+          expect(target).to receive(:content_dir).with(:passive).and_return(nil)
+          stub_request(:get, target.url).to_return(body: File.read(fixtures.join(fixture).to_s))
+        end
+
+        context 'when an URL matches a WP hosted' do
+          let(:fixture) { 'matches.html' }
+
+          its(:wordpress_hosted?) { should be true }
+        end
+
+        context 'when URLs don\'t match' do
+          let(:fixture) { 'no_match.html' }
+
+          its(:wordpress_hosted?) { should be false }
+        end
+      end
+
+      context 'when wp-content detected' do
+        before { expect(target).to receive(:content_dir).with(:passive).and_return('wp-content') }
+
+        its(:wordpress_hosted?) { should be false }
+      end
     end
   end