garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into layout-423

Browse Source
This commit is contained in:
FireFart
2014-03-22 18:01:22 +01:00
parent 17dcc7ec80 a0f476fb24
commit 78cb3f8ee2
27 changed files with 362 additions and 239 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.travis.yml
View File

@@ -5,3 +5,6 @@ rvm:
- 2.0.0
- 2.1.0
script: bundle exec rspec --format documentation
notifications:
email:
- wpscanteam@gmail.com

2
Gemfile
View File

@@ -1,6 +1,6 @@
source "https://rubygems.org"
gem "typhoeus", ">=0.6.3"
gem "typhoeus", "~>0.6.8"
gem "nokogiri"
gem "json"
gem "terminal-table"

12
README
View File

@@ -142,6 +142,10 @@ ryandewhurst at gmail
--config-file | -c <config file> Use the specified config file
--user-agent | -a <User-Agent> Use the specified User-Agent
--random-agent | -r Use a random User-Agent
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
@@ -161,6 +165,14 @@ ryandewhurst at gmail
--username | -U <username> Only brute force the supplied username.
--cache-ttl <cache-ttl> Typhoeus cache TTL
--request-timeout <request-timeout> Request Timeout
--connect-timeout <connect-timeout> Connect Timeout
--max-threads <max-threads> Maximum Threads
--help | -h This help screen.
--verbose | -v Verbose output.

12
README.md
View File

@@ -156,6 +156,10 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
--config-file | -c <config file> Use the specified config file
--user-agent | -a <User-Agent> Use the specified User-Agent
--random-agent | -r Use a random User-Agent
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
@@ -175,6 +179,14 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
--username | -U <username> Only brute force the supplied username.
--cache-ttl <cache-ttl> Typhoeus cache TTL
--request-timeout <request-timeout> Request Timeout
--connect-timeout <connect-timeout> Connect Timeout
--max-threads <max-threads> Maximum Threads
--help | -h This help screen.
--verbose | -v Verbose output.

65
conf/browser.conf.json
View File

@@ -1,65 +0,0 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
/* Modes :
static : will use the defined user_agent for each request
semi-static : will randomly choose a user agent into available_user_agents before each scan
random : each request will choose a random user agent in available_user_agents
*/
"user_agent_mode": "static",
/* Uncomment the "proxy" line to use the proxy
SOCKS proxies (4, 4A, 5) are supported, ie : "proxy": "socks5://127.0.0.1:9000"
If you do not specify the protocol, http will be used
*/
//"proxy": "127.0.0.1:3128",
//"proxy_auth": "username:password",
"cache_ttl": 600, // 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
"request_timeout": 2000, // 2s
"connect_timeout": 1000, // 1s
"max_threads": 20,
// Some user_agents can be found there http://techpatterns.com/downloads/firefox/useragentswitcher.xml (thx to Gianluca Brindisi)
"available_user_agents":
[
// Windows
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5",
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)",
"Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1",
"Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1",
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)",
"Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5",
// MAC
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
// Linux
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0",
"Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0",
"Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00",
"Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0"
]
}

172
data/plugin_vulns.xml
View File

@@ -4750,6 +4750,7 @@
<exploitdb>4593</exploitdb>
</references>
<type>RFI</type>
<fixed_in>0.4.3</fixed_in>
</vulnerability>
</plugin>
@@ -6036,8 +6037,18 @@
<plugin name="wp-slimstat">
<vulnerability>
<title>wp-slimstat - XSS</title>
<title>WP SlimStat 3.5.5 - Overview URI Stored XSS</title>
<references>
<osvdb>104428</osvdb>
<secunia>57305</secunia>
</references>
<type>XSS</type>
<fixed_in>3.5.6</fixed_in>
</vulnerability>
<vulnerability>
<title>WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS</title>
<references>
<osvdb>89052</osvdb>
<secunia>51721</secunia>
</references>
<type>XSS</type>
@@ -7036,6 +7047,7 @@
<title>CommentLuv 2.92.3 - Cross Site Scripting Vulnerability</title>
<references>
<osvdb>89925</osvdb>
<cve>2013-1409</cve>
<url>https://www.htbridge.com/advisory/HTB23138</url>
<url>http://packetstormsecurity.com/files/120090/</url>
<url>http://seclists.org/bugtraq/2013/Feb/30</url>
@@ -11035,7 +11047,10 @@
<title>Contus Video Gallery - index.php playid Parameter SQL Injection</title>
<references>
<osvdb>93369</osvdb>
<cve>2013-3478</cve>
<secunia>51344</secunia>
<url>http://www.securityfocus.com/bid/59845</url>
<url>http://xforce.iss.net/xforce/xfdb/84239</url>
</references>
<type>SQLI</type>
</vulnerability>
@@ -11447,4 +11462,159 @@
</vulnerability>
</plugin>
<plugin name="LayerSlider">
<vulnerability>
<title>LayerSlider 4.6.1 - wp-admin/admin.php Style Editing CSRF</title>
<references>
<osvdb>104393</osvdb>
<secunia>57930</secunia>
<url>http://packetstormsecurity.com/files/125637/</url>
</references>
<type>CSRF</type>
</vulnerability>
<vulnerability>
<title>LayerSlider 4.6.1 - LayerSlider/editor.php skin Parameter Remote Path Traversal File Access</title>
<references>
<osvdb>104394</osvdb>
<url>http://packetstormsecurity.com/files/125637/</url>
</references>
<type>AUTHBYPASS</type>
</vulnerability>
</plugin>
<plugin name="xcloner-backup-and-restore">
<vulnerability>
<title>XCloner 3.1.0 - Multiple Actions CSRF</title>
<references>
<osvdb>104402</osvdb>
<url>https://www.htbridge.com/advisory/HTB23206</url>
</references>
<type>CSRF</type>
<fixed_in>3.1.1</fixed_in>
</vulnerability>
</plugin>
<plugin name="guiform">
<vulnerability>
<title>GuiForm 1.4.10 - class/class-ajax.php Entry Saving CSRF</title>
<references>
<osvdb>104399</osvdb>
</references>
<type>CSRF</type>
<fixed_in>1.5.0</fixed_in>
</vulnerability>
</plugin>
<plugin name="clickdesk-live-support-chat-plugin">
<vulnerability>
<title>ClickDesk - Live Chat Widget Multiple Field XSS</title>
<references>
<osvdb>104037</osvdb>
<url>http://packetstormsecurity.com/files/125528/</url>
<url>http://www.securityfocus.com/bid/65971</url>
</references>
<type>XSS</type>
</vulnerability>
</plugin>
<plugin name="duplicate-post">
<vulnerability>
<title>Duplicate Post 2.5 - duplicate-post-admin.php User Login Cookie Value SQL Injection</title>
<references>
<osvdb>104669</osvdb>
</references>
<type>SQLI</type>
<fixed_in>2.6</fixed_in>
</vulnerability>
<vulnerability>
<title>Duplicate Post 2.5 - options-general.php post Parameter Reflected XSS</title>
<references>
<osvdb>104670</osvdb>
</references>
<type>XSS</type>
<fixed_in>2.6</fixed_in>
</vulnerability>
</plugin>
<plugin name="mtouch-quiz">
<vulnerability>
<title>mTouch Quiz 3.0.6 - question.php quiz Parameter Reflected XSS</title>
<references>
<osvdb>104667</osvdb>
<url>http://www.securityfocus.com/bid/66306</url>
</references>
<type>XSS</type>
<fixed_in>3.0.7</fixed_in>
</vulnerability>
<vulnerability>
<title>mTouch Quiz 3.0.6 - question.php quiz Parameter SQL Injection</title>
<references>
<osvdb>104668</osvdb>
<url>http://www.securityfocus.com/bid/66306</url>
</references>
<type>SQLI</type>
<fixed_in>3.0.7</fixed_in>
</vulnerability>
</plugin>
<plugin name="simple-retail-menus">
<vulnerability>
<title>Simple Retail Menus 4.0.1 - includes/actions.php targetmenu Parameter SQL Injection</title>
<references>
<osvdb>104680</osvdb>
</references>
<type>SQLI</type>
<fixed_in>4.1</fixed_in>
</vulnerability>
<vulnerability>
<title>Simple Retail Menus 4.0.1 - includes/mode-edit.php targetmenu Parameter SQL Injection</title>
<references>
<osvdb>104682</osvdb>
</references>
<type>SQLI</type>
<fixed_in>4.1</fixed_in>
</vulnerability>
</plugin>
<plugin name="user-domain-whitelist">
<vulnerability>
<title>User Domain Whitelist 1.4 - user-domain-whitelist.php domain_whitelist Parameter Stored XSS</title>
<references>
<osvdb>104681</osvdb>
</references>
<type>XSS</type>
</vulnerability>
<vulnerability>
<title>User Domain Whitelist 1.4 - user-domain-whitelist.php Domain Whitelisting Manipulation CSRF</title>
<references>
<osvdb>104683</osvdb>
</references>
<type>CSRF</type>
<fixed_in>1.5</fixed_in>
</vulnerability>
</plugin>
<plugin name="subscribe-to-comments-reloaded">
<vulnerability>
<title>Subscribe To Comments Reloaded 140204 - options/index.php manager_page Parameter Stored XSS Weakness</title>
<references>
<osvdb>104698</osvdb>
<secunia>57015</secunia>
<url>http://www.securityfocus.com/bid/66288</url>
</references>
<type>XSS</type>
<fixed_in>140219</fixed_in>
</vulnerability>
<vulnerability>
<title>Subscribe To Comments Reloaded 140204 - options/index.php Admin Settings Manipulation CSRF</title>
<references>
<osvdb>104699</osvdb>
<secunia>57015</secunia>
<url>http://www.securityfocus.com/bid/66288</url>
</references>
<type>CSRF</type>
<fixed_in>140219</fixed_in>
</vulnerability>
</plugin>
</vulnerabilities>

36
data/user-agents.txt Normal file
View File

@@ -0,0 +1,36 @@
# Windows
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1
Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)
Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
# MAC
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
# Linux
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00
Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0

18
example.conf.json Normal file
View File

@@ -0,0 +1,18 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
/* Uncomment the "proxy" line to use the proxy
SOCKS proxies (4, 4A, 5) are supported, ie : "proxy": "socks5://127.0.0.1:9000"
If you do not specify the protocol, http will be used
*/
//"proxy": "127.0.0.1:3128",
//"proxy_auth": "username:password",
"cache_ttl": 600, // 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
"request_timeout": 2000, // 2s
"connect_timeout": 1000, // 1s
"max_threads": 20
}

35
lib/common/browser.rb
View File

@@ -9,12 +9,10 @@ class Browser
include Browser::Options
OPTIONS = [
:available_user_agents,
:basic_auth,
:cache_ttl,
:max_threads,
:user_agent,
:user_agent_mode,
:proxy,
:proxy_auth,
:request_timeout,
@@ -23,16 +21,20 @@ class Browser
@@instance = nil
attr_reader :hydra, :config_file, :cache_dir
attr_reader :hydra, :cache_dir
# @param [ Hash ] options
#
# @return [ Browser ]
def initialize(options = {})
@config_file = options[:config_file] || CONF_DIR + '/browser.conf.json'
@cache_dir = options[:cache_dir] || CACHE_DIR + '/browser'
load_config
# sets browser defaults
browser_defaults
# load config file
conf = options[:config_file]
load_config(conf) if conf
# overrides defaults with user supplied values (overwrite values from config)
override_config(options)
unless @hydra
@@ -61,6 +63,20 @@ class Browser
@@instance = nil
end
#
# sets browser default values
#
def browser_defaults
@max_threads = 20
# 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
@cache_ttl = 600
# 2s
@request_timeout = 2000
# 1s
@connect_timeout = 1000
@user_agent = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
end
#
# If an option was set but is not in the new config_file
# it's value is kept
@@ -69,21 +85,20 @@ class Browser
#
# @return [ void ]
def load_config(config_file = nil)
@config_file = config_file || @config_file
if File.symlink?(@config_file)
if File.symlink?(config_file)
raise '[ERROR] Config file is a symlink.'
else
data = JSON.parse(File.read(@config_file))
data = JSON.parse(File.read(config_file))
end
OPTIONS.each do |option|
option_name = option.to_s
unless data[option_name].nil?
self.send(:"#{option_name}=", data[option_name])
end
end
end
# @param [ String ] url
@@ -101,7 +116,7 @@ class Browser
params = Browser.append_params_header_field(
params,
'User-Agent',
self.user_agent
@user_agent
)
if @proxy

42
lib/common/browser/options.rb
View File

@@ -3,10 +3,8 @@
class Browser
module Options
USER_AGENT_MODES = %w{ static semi-static random }
attr_accessor :available_user_agents, :cache_ttl, :request_timeout, :connect_timeout
attr_reader :basic_auth, :user_agent_mode, :proxy, :proxy_auth
attr_accessor :cache_ttl, :request_timeout, :connect_timeout
attr_reader :basic_auth, :proxy, :proxy_auth
attr_writer :user_agent
# Sets the Basic Authentification credentials
@@ -41,42 +39,6 @@ class Browser
end
end
# Sets the user_agent_mode, which can be one of the following:
# static: The UA is defined by the user, and will be the same in each requests
# semi-static: The UA is randomly chosen at the first request, and will not change
# random: UA randomly chosen each request
#
# UA are from @available_user_agents
#
# @param [ String ] ua_mode
#
# @return [ void ]
def user_agent_mode=(ua_mode)
ua_mode ||= 'static'
if USER_AGENT_MODES.include?(ua_mode)
@user_agent_mode = ua_mode
# For semi-static user agent mode, the user agent has to
# be nil the first time (it will be set with the getter)
@user_agent = nil if ua_mode === 'semi-static'
else
raise "Unknow user agent mode : '#{ua_mode}'"
end
end
# @return [ String ] The user agent, according to the user_agent_mode
def user_agent
case @user_agent_mode
when 'semi-static'
unless @user_agent
@user_agent = @available_user_agents.sample
end
when 'random'
@user_agent = @available_user_agents.sample
end
@user_agent
end
# Sets the proxy
# Accepted format:
# [protocol://]host:post

17
lib/common/common_helper.rb
View File

@@ -32,6 +32,7 @@ LOCAL_FILES_FILE = DATA_DIR + '/local_vulnerable_files.xml'
VULNS_XSD = DATA_DIR + '/vuln.xsd'
WP_VERSIONS_XSD = DATA_DIR + '/wp_versions.xsd'
LOCAL_FILES_XSD = DATA_DIR + '/local_vulnerable_files.xsd'
USER_AGENTS_FILE = DATA_DIR + '/user-agents.txt'
WPSCAN_VERSION = '2.3'
@@ -199,3 +200,19 @@ def truncate(input, size, trailing = '...')
trailing.length >= input.length or size-trailing.length-1 >= input.length
return "#{input[0..size-trailing.length-1]}#{trailing}"
end
# Gets a random User-Agent
#
# @return [ String ] A random user-agent from data/user-agents.txt
def get_random_user_agent
user_agents = []
f = File.open(USER_AGENTS_FILE, 'r')
f.each_line do |line|
# ignore comments
next if line.empty? or line =~ /^\s*(#|\/\/)/
user_agents << line.strip
end
f.close
# return ransom user-agent
user_agents.sample
end

4
lib/common/models/vulnerability/urls.rb
View File

@@ -14,7 +14,7 @@ class Vulnerability
end
def url_cve(cve)
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-#{cve}"
end
def url_osvdb(id)
@@ -30,4 +30,4 @@ class Vulnerability
end
end
end
end

15
lib/common/typhoeus_cache.rb
View File

@@ -2,25 +2,14 @@
require 'common/cache_file_store'
# Implementaion of a cache_key (Typhoeus::Request#hash has too many options)
module Typhoeus
class Request
module Cacheable
def cache_key
Digest::SHA2.hexdigest("#{url}-#{options[:body]}-#{options[:method]}")[0..32]
end
end
end
end
class TyphoeusCache < CacheFileStore
def get(request)
read_entry(request.cache_key)
read_entry(request.hash.to_s)
end
def set(request, response)
write_entry(request.cache_key, response, request.cache_ttl)
write_entry(request.hash.to_s, response, request.cache_ttl)
end
end

6
lib/wpscan/wpscan_helper.rb
View File

@@ -83,6 +83,8 @@ def help
puts '--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied'
puts ' You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)'
puts '--config-file | -c <config file> Use the specified config file'
puts '--user-agent | -a <User-Agent> Use the specified User-Agent'
puts '--random-agent | -r Use a random User-Agent'
puts '--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
puts '--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed'
puts '--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
@@ -93,6 +95,10 @@ def help
puts '--wordlist | -w <wordlist> Supply a wordlist for the password bruter and do the brute.'
puts '--threads | -t <number of threads> The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)'
puts '--username | -U <username> Only brute force the supplied username.'
puts '--cache-ttl <cache-ttl> Typhoeus cache TTL'
puts '--request-timeout <request-timeout> Request Timeout'
puts '--connect-timeout <connect-timeout> Connect Timeout'
puts '--max-threads <max-threads> Maximum Threads'
puts '--help | -h This help screen.'
puts '--verbose | -v Verbose output.'
puts

20
lib/wpscan/wpscan_options.rb
View File

@@ -30,7 +30,13 @@ class WpscanOptions
:exclude_content_based,
:basic_auth,
:debug_output,
:version
:version,
:user_agent,
:random_agent,
:cache_ttl,
:request_timeout,
:connect_timeout,
:max_threads
]
attr_accessor *ACCESSOR_OPTIONS
@@ -136,6 +142,10 @@ class WpscanOptions
!to_h.empty?
end
def random_agent=(useless)
@user_agent = get_random_user_agent
end
# return Hash
def to_h
options = {}
@@ -227,6 +237,8 @@ class WpscanOptions
['--wordlist', '-w', GetoptLong::REQUIRED_ARGUMENT],
['--threads', '-t', GetoptLong::REQUIRED_ARGUMENT],
['--force', '-f', GetoptLong::NO_ARGUMENT],
['--user-agent', '-a', GetoptLong::REQUIRED_ARGUMENT],
['--random-agent', '-r', GetoptLong::NO_ARGUMENT],
['--help', '-h', GetoptLong::NO_ARGUMENT],
['--verbose', '-v', GetoptLong::NO_ARGUMENT],
['--proxy', GetoptLong::REQUIRED_ARGUMENT],
@@ -239,7 +251,11 @@ class WpscanOptions
['--exclude-content-based', GetoptLong::REQUIRED_ARGUMENT],
['--basic-auth', GetoptLong::REQUIRED_ARGUMENT],
['--debug-output', GetoptLong::NO_ARGUMENT],
['--version', GetoptLong::NO_ARGUMENT]
['--version', GetoptLong::NO_ARGUMENT],
['--cache_ttl', GetoptLong::REQUIRED_ARGUMENT],
['--request_timeout', GetoptLong::REQUIRED_ARGUMENT],
['--connect_timeout', GetoptLong::REQUIRED_ARGUMENT],
['--max_threads', GetoptLong::REQUIRED_ARGUMENT]
)
end

19
spec/lib/common/browser_spec.rb
View File

@@ -6,9 +6,9 @@ describe Browser do
it_behaves_like 'Browser::Actions'
it_behaves_like 'Browser::Options'
CONFIG_FILE_WITHOUT_PROXY = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json'
CONFIG_FILE_WITH_PROXY = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf_proxy.json'
#CONFIG_FILE_WITH_PROXY_AND_AUTH = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf_proxy_auth.json'
CONFIG_FILE_WITHOUT_PROXY = SPEC_FIXTURES_CONF_DIR + '/browser.conf.json'
CONFIG_FILE_WITH_PROXY = SPEC_FIXTURES_CONF_DIR + '/browser.conf_proxy.json'
#CONFIG_FILE_WITH_PROXY_AND_AUTH = SPEC_FIXTURES_CONF_DIR + '/browser.conf_proxy_auth.json'
subject(:browser) {
Browser.reset
@@ -16,14 +16,13 @@ describe Browser do
}
let(:options) { {} }
let(:instance_vars_to_check) {
['user_agent', 'user_agent_mode', 'available_user_agents', 'proxy',
'max_threads', 'cache_ttl', 'request_timeout', 'connect_timeout']
['proxy', 'max_threads', 'cache_ttl', 'request_timeout', 'connect_timeout']
}
let(:json_config_without_proxy) { JSON.parse(File.read(CONFIG_FILE_WITHOUT_PROXY)) }
let(:json_config_with_proxy) { JSON.parse(File.read(CONFIG_FILE_WITH_PROXY)) }
def check_instance_variables(browser, json_expected_vars)
json_expected_vars['max_threads'] ||= 1 # max_thread can not be nil
json_expected_vars['max_threads'] ||= 20 # max_thread can not be nil
instance_vars_to_check.each do |variable_name|
browser.send(:"#{variable_name}").should === json_expected_vars[variable_name]
@@ -39,12 +38,6 @@ describe Browser do
describe '::instance' do
after { check_instance_variables(browser, @json_expected_vars) }
context "when default config_file = #{CONFIG_FILE_WITHOUT_PROXY}" do
it 'will check the instance vars' do
@json_expected_vars = json_config_without_proxy
end
end
context "when :config_file = #{CONFIG_FILE_WITH_PROXY}" do
let(:options) { { config_file: CONFIG_FILE_WITH_PROXY } }
@@ -143,7 +136,7 @@ describe Browser do
}
after :each do
browser.stub(user_agent: 'SomeUA')
browser.user_agent = 'SomeUA'
browser.cache_ttl = 250
browser.merge_request_params(params).should == @expected

5
spec/lib/common/version_compare_spec.rb
View File

@@ -31,6 +31,11 @@ describe 'VersionCompare' do
@version1 = '0'
@version2 = '1'
end
it 'returns true' do
@version1 = '0.4.2b'
@version2 = '2.3.3'
end
end
context 'version checked is older' do

2
spec/lib/wpscan/web_site_spec.rb
View File

@@ -12,7 +12,7 @@ describe 'WebSite' do
before :all do
Browser::reset
Browser.instance(
config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
config_file: SPEC_FIXTURES_CONF_DIR + '/browser.conf.json',
cache_ttl: 0
)
end

2
spec/lib/wpscan/wp_target_spec.rb
View File

@@ -9,7 +9,7 @@ describe WpTarget do
let(:login_url) { wp_target.uri.merge('wp-login.php').to_s }
let(:options) {
{
config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
config_file: SPEC_FIXTURES_CONF_DIR + '/browser.conf.json',
cache_ttl: 0,
wp_content_dir: 'wp-content',
wp_plugins_dir: 'wp-content/plugins'

7
spec/samples/conf/browser.conf.json Normal file
View File

@@ -0,0 +1,7 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
"cache_ttl": 600,
"request_timeout": 2000,
"connect_timeout": 1000,
"max_threads": 20
}

7
spec/samples/conf/browser.conf_proxy.json Normal file
View File

@@ -0,0 +1,7 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
"proxy": "127.0.0.1:3038",
"cache_ttl": 300,
"request_timeout": 2000,
"connect_timeout": 1000
}

8
spec/samples/conf/browser.conf_proxy_auth.json Normal file
View File

@@ -0,0 +1,8 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
"proxy": "127.0.0.1:3038",
"proxy_auth": "user:pass",
"cache_ttl": 300,
"request_timeout": 2000,
"connect_timeout": 1000
}

8
spec/samples/conf/browser/browser.conf.json
View File

@@ -1,8 +0,0 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
"user_agent_mode": "static",
"cache_ttl": 300,
"request_timeout": 2000,
"connect_timeout": 1000,
"max_threads": 5
}

8
spec/samples/conf/browser/browser.conf_proxy.json
View File

@@ -1,8 +0,0 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
"user_agent_mode": "static",
"proxy": "127.0.0.1:3038",
"cache_ttl": 300,
"request_timeout": 2000,
"connect_timeout": 1000
}

9
spec/samples/conf/browser/browser.conf_proxy_auth.json
View File

@@ -1,9 +0,0 @@
{
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
"user_agent_mode": "static",
"proxy": "127.0.0.1:3038",
"proxy_auth": "user:pass",
"cache_ttl": 300,
"request_timeout": 2000,
"connect_timeout": 1000
}

65
spec/shared_examples/browser/options.rb
View File

@@ -71,69 +71,6 @@ shared_examples 'Browser::Options' do
end
end
describe '#user_agent_mode= & #user_agent_mode' do
# Testing all valid modes
Browser::USER_AGENT_MODES.each do |user_agent_mode|
it "sets & returns #{user_agent_mode}" do
browser.user_agent_mode = user_agent_mode
browser.user_agent_mode.should === user_agent_mode
end
end
it 'sets the mode to "static" if nil is given' do
browser.user_agent_mode = nil
browser.user_agent_mode.should === 'static'
end
it 'raises an error if the mode is not valid' do
expect { browser.user_agent_mode = 'invalid-mode' }.to raise_error
end
end
describe '#user_agent= & #user_agent' do
let(:available_user_agents) { %w{ ua-1 ua-2 ua-3 ua-4 ua-6 ua-7 ua-8 ua-9 ua-10 ua-11 ua-12 ua-13 ua-14 ua-15 ua-16 ua-17 } }
context 'when static mode' do
it 'returns the same user agent' do
browser.user_agent = 'fake UA'
browser.user_agent_mode = 'static'
(1..3).each do
browser.user_agent.should === 'fake UA'
end
end
end
context 'when semi-static mode' do
it 'chooses a random user_agent in the available_user_agents array and always return it' do
browser.available_user_agents = available_user_agents
browser.user_agent = 'Firefox 11.0'
browser.user_agent_mode = 'semi-static'
user_agent = browser.user_agent
user_agent.should_not === 'Firefox 11.0'
available_user_agents.include?(user_agent).should be_true
(1..3).each do
browser.user_agent.should === user_agent
end
end
end
context 'when random' do
it 'returns a random user agent each time' do
browser.available_user_agents = available_user_agents
browser.user_agent_mode = 'random'
ua_1 = browser.user_agent
ua_2 = browser.user_agent
ua_3 = browser.user_agent
fail if ua_1 === ua_2 and ua_2 === ua_3
end
end
end
describe 'proxy=' do
let(:exception) { 'Invalid proxy format. Should be [protocol://]host:port.' }
@@ -185,7 +122,7 @@ shared_examples 'Browser::Options' do
end
context 'valid format' do
it 'sets the auth' do
it 'sets the auth' do
@proxy_auth = 'username:passwd'
@expected = @proxy_auth
end

2
spec/spec_helper.rb
View File

@@ -15,7 +15,7 @@ SPEC_FIXTURES_CONF_DIR = SPEC_FIXTURES_DIR + '/conf' # FIXME Remove it
SPEC_FIXTURES_WP_VERSIONS_DIR = SPEC_FIXTURES_DIR + '/wp_versions'
redefine_constant(:CACHE_DIR, SPEC_DIR + '/cache')
redefine_constant(:CONF_DIR, SPEC_FIXTURES_DIR + '/conf/browser') # FIXME Remove the /browser
redefine_constant(:CONF_DIR, SPEC_FIXTURES_DIR + '/conf')
MODELS_FIXTURES = SPEC_FIXTURES_DIR + '/common/models'
COLLECTIONS_FIXTURES = SPEC_FIXTURES_DIR + '/common/collections'