garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Detection of the wordlist charset

Browse Source
This commit is contained in:
erwanlr
2013-04-13 18:42:33 +02:00
parent 5d327f5060
commit 704c6b1669
5 changed files with 45 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/common/hacks.rb
View File

@@ -70,3 +70,12 @@ def puts(o = '')
end end
super(o) super(o)
end end
class File
# @param [ String ] file_path
#
# @return [ String ] The charset of the file
def self.charset(file_path)
%x{file -i #{file_path}}[%r{charset=([^\n]+)\n}, 1]
end
end

7
lib/common/models/wp_user/brute_forcable.rb
View File

@@ -9,14 +9,15 @@ class WpUser < WpItem
# @return [ void ] # @return [ void ]
def brute_force(wordlist, options = {}) def brute_force(wordlist, options = {})
hydra = Browser.instance.hydra hydra = Browser.instance.hydra
wordlist_charset = File.charset(wordlist)
number_of_passwords = BruteForcable.lines_in_file(wordlist) number_of_passwords = BruteForcable.lines_in_file(wordlist)
login_url = @uri.merge('wp-login.php').to_s login_url = @uri.merge('wp-login.php').to_s
queue_count = 0 queue_count = 0
request_count = 0 request_count = 0
File.open(wordlist, 'r').each do |line| File.open(wordlist, "r:#{wordlist_charset}").each do |line|
line.strip! line.encode!('UTF-8').strip!
# ignore file comments, but will miss passwords if they start with a hash... # ignore file comments, but will miss passwords if they start with a hash...
next if line[0, 1] == '#' next if line[0, 1] == '#'
@@ -101,7 +102,7 @@ class WpUser < WpItem
# @return [ Integer ] # @return [ Integer ]
def self.lines_in_file(file_path) def self.lines_in_file(file_path)
lines = 0 lines = 0
File.open(file_path, 'r').each do |line| File.open(file_path, 'rb').each do |line|
lines += 1 if line.strip[0,1] != '#' lines += 1 if line.strip[0,1] != '#'
end end
lines lines

6
spec/samples/common/models/wp_user/brute_forcable/wordlist-iso-8859-1.txt Normal file
View File

@@ -0,0 +1,6 @@
password1
pa55w0rd
#comment
admin
root
kansei<EFBFBD><EFBFBD>

2
spec/samples/common/models/wp_user/brute_forcable/wordlist.txt → spec/samples/common/models/wp_user/brute_forcable/wordlist-utf-8.txt
View File

@@ -1,6 +1,6 @@
password1 password1
pa55w0rd pa55w0rd
# comment #comment
admin admin
root root
kansei£Ô kansei£Ô

26
spec/shared_examples/wp_user/brute_forcable.rb
View File

@@ -2,7 +2,7 @@
shared_examples 'WpUser::BruteForcable' do shared_examples 'WpUser::BruteForcable' do
let(:fixtures_dir) { MODELS_FIXTURES + '/wp_user/brute_forcable' } let(:fixtures_dir) { MODELS_FIXTURES + '/wp_user/brute_forcable' }
let(:wordlist) { fixtures_dir + '/wordlist.txt' } let(:wordlist) { fixtures_dir + '/wordlist-iso-8859-1.txt' }
let(:mod) { WpUser::BruteForcable } let(:mod) { WpUser::BruteForcable }
let(:login_url) { uri.merge('wp-login.php').to_s } let(:login_url) { uri.merge('wp-login.php').to_s }
@@ -72,11 +72,31 @@ shared_examples 'WpUser::BruteForcable' do
end end
end end
describe 'wordlist charset' do
let(:expected) { %w{password1 pa55w0rd #comment admin root kansei£Ô} }
%w{wordlist-iso-8859-1.txt wordlist-utf-8.txt}.each do |file|
it 'contains the expected lines' do
file = fixtures_dir + '/' + file
charset = File.charset(file)
lines = []
File.open(file, "r:#{charset}").each do |line|
lines << line.encode!('UTF-8').strip!
end
lines.should == expected
end
end
end
describe '#brute_force' do describe '#brute_force' do
let(:passwords) { let(:passwords) {
passwords = [] passwords = []
File.open(wordlist, 'r').each do |line| charset = File.charset(wordlist)
line.strip!
File.open(wordlist, "r:#{charset}").each do |line|
line.encode!('UTF-8').strip!
passwords << line unless line[0,1] == '#' passwords << line unless line[0,1] == '#'
end end
passwords passwords