Merge remote-tracking branch 'origin/master' into layout-423

lib/common/browser.rb

@@ -9,12 +9,10 @@ class Browser
   include Browser::Options
 
   OPTIONS = [
-    :available_user_agents,
     :basic_auth,
     :cache_ttl,
     :max_threads,
     :user_agent,
-    :user_agent_mode,
     :proxy,
     :proxy_auth,
     :request_timeout,
@@ -23,16 +21,20 @@ class Browser
 
   @@instance = nil
 
-  attr_reader :hydra, :config_file, :cache_dir
+  attr_reader :hydra, :cache_dir
 
   # @param [ Hash ] options
   #
   # @return [ Browser ]
   def initialize(options = {})
-    @config_file = options[:config_file] || CONF_DIR + '/browser.conf.json'
     @cache_dir   = options[:cache_dir]   || CACHE_DIR + '/browser'
 
-    load_config
+    # sets browser defaults
+    browser_defaults
+    # load config file
+    conf = options[:config_file]
+    load_config(conf) if conf
+    # overrides defaults with user supplied values (overwrite values from config)
     override_config(options)
 
     unless @hydra
@@ -61,6 +63,20 @@ class Browser
     @@instance = nil
   end
 
+  #
+  # sets browser default values
+  #
+  def browser_defaults
+    @max_threads = 20
+    # 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
+    @cache_ttl = 600
+    # 2s
+    @request_timeout = 2000
+    # 1s
+    @connect_timeout = 1000
+    @user_agent = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+  end
+
   #
   # If an option was set but is not in the new config_file
   # it's value is kept
@@ -69,21 +85,20 @@ class Browser
   #
   # @return [ void ]
   def load_config(config_file = nil)
-    @config_file = config_file || @config_file
 
-    if File.symlink?(@config_file)
+    if File.symlink?(config_file)
       raise '[ERROR] Config file is a symlink.'
     else
-      data = JSON.parse(File.read(@config_file))
+      data = JSON.parse(File.read(config_file))
     end
 
     OPTIONS.each do |option|
       option_name = option.to_s
-
       unless data[option_name].nil?
         self.send(:"#{option_name}=", data[option_name])
       end
     end
+
   end
 
   # @param [ String ] url
@@ -101,7 +116,7 @@ class Browser
     params = Browser.append_params_header_field(
       params,
       'User-Agent',
-      self.user_agent
+      @user_agent
     )
 
     if @proxy

lib/common/browser/options.rb

@@ -3,10 +3,8 @@
 class Browser
   module Options
 
-    USER_AGENT_MODES = %w{ static semi-static random }
-
-    attr_accessor :available_user_agents, :cache_ttl, :request_timeout, :connect_timeout
-    attr_reader   :basic_auth, :user_agent_mode, :proxy, :proxy_auth
+    attr_accessor :cache_ttl, :request_timeout, :connect_timeout
+    attr_reader   :basic_auth, :proxy, :proxy_auth
     attr_writer   :user_agent
 
     # Sets the Basic Authentification credentials
@@ -41,42 +39,6 @@ class Browser
       end
     end
 
-    # Sets the user_agent_mode, which can be one of the following:
-    #   static:      The UA is defined by the user, and will be the same in each requests
-    #   semi-static: The UA is randomly chosen at the first request, and will not change
-    #   random:      UA randomly chosen each request
-    #
-    # UA are from @available_user_agents
-    #
-    # @param [ String ] ua_mode
-    #
-    # @return [ void ]
-    def user_agent_mode=(ua_mode)
-      ua_mode ||= 'static'
-
-      if USER_AGENT_MODES.include?(ua_mode)
-        @user_agent_mode = ua_mode
-        # For semi-static user agent mode, the user agent has to
-        # be nil the first time (it will be set with the getter)
-        @user_agent = nil if ua_mode === 'semi-static'
-      else
-        raise "Unknow user agent mode : '#{ua_mode}'"
-      end
-    end
-
-    # @return [ String ] The user agent, according to the user_agent_mode
-    def user_agent
-      case @user_agent_mode
-      when 'semi-static'
-        unless @user_agent
-          @user_agent = @available_user_agents.sample
-        end
-      when 'random'
-        @user_agent = @available_user_agents.sample
-      end
-      @user_agent
-    end
-
     # Sets the proxy
     # Accepted format:
     #   [protocol://]host:post

lib/common/common_helper.rb

@@ -32,6 +32,7 @@ LOCAL_FILES_FILE    = DATA_DIR + '/local_vulnerable_files.xml'
 VULNS_XSD           = DATA_DIR + '/vuln.xsd'
 WP_VERSIONS_XSD     = DATA_DIR + '/wp_versions.xsd'
 LOCAL_FILES_XSD     = DATA_DIR + '/local_vulnerable_files.xsd'
+USER_AGENTS_FILE    = DATA_DIR + '/user-agents.txt'
 
 WPSCAN_VERSION       = '2.3'
 
@@ -199,3 +200,19 @@ def truncate(input, size, trailing = '...')
       trailing.length >= input.length or size-trailing.length-1 >= input.length
   return "#{input[0..size-trailing.length-1]}#{trailing}"
 end
+
+# Gets a random User-Agent
+#
+# @return [ String ] A random user-agent from data/user-agents.txt
+def get_random_user_agent
+  user_agents = []
+  f = File.open(USER_AGENTS_FILE, 'r')
+  f.each_line do |line|
+    # ignore comments
+    next if line.empty? or line =~ /^\s*(#|\/\/)/
+    user_agents << line.strip
+  end
+  f.close
+  # return ransom user-agent
+  user_agents.sample
+end

lib/common/models/vulnerability/urls.rb

@@ -14,7 +14,7 @@ class Vulnerability
     end
 
     def url_cve(cve)
-      "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
+      "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-#{cve}"
     end
 
     def url_osvdb(id)
@@ -30,4 +30,4 @@ class Vulnerability
     end
 
   end
-end
+end

lib/common/typhoeus_cache.rb

@@ -2,25 +2,14 @@
 
 require 'common/cache_file_store'
 
-# Implementaion of a cache_key (Typhoeus::Request#hash has too many options)
-module Typhoeus
-  class Request
-    module Cacheable
-      def cache_key
-        Digest::SHA2.hexdigest("#{url}-#{options[:body]}-#{options[:method]}")[0..32]
-      end
-    end
-  end
-end
-
 class TyphoeusCache < CacheFileStore
 
   def get(request)
-    read_entry(request.cache_key)
+    read_entry(request.hash.to_s)
   end
 
   def set(request, response)
-    write_entry(request.cache_key, response, request.cache_ttl)
+    write_entry(request.hash.to_s, response, request.cache_ttl)
   end
 
 end

lib/wpscan/wpscan_helper.rb

@@ -83,6 +83,8 @@ def help
   puts '--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied'
   puts '                                             You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)'
   puts '--config-file | -c <config file> Use the specified config file'
+  puts '--user-agent | -a <User-Agent> Use the specified User-Agent'
+  puts '--random-agent | -r Use a random User-Agent'
   puts '--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
   puts '--wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed'
   puts '--wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
@@ -93,6 +95,10 @@ def help
   puts '--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.'
   puts '--threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)'
   puts '--username | -U <username>  Only brute force the supplied username.'
+  puts '--cache-ttl <cache-ttl>  Typhoeus cache TTL'
+  puts '--request-timeout <request-timeout>  Request Timeout'
+  puts '--connect-timeout <connect-timeout>  Connect Timeout'
+  puts '--max-threads <max-threads>  Maximum Threads'
   puts '--help     | -h This help screen.'
   puts '--verbose  | -v Verbose output.'
   puts

lib/wpscan/wpscan_options.rb

@@ -30,7 +30,13 @@ class WpscanOptions
     :exclude_content_based,
     :basic_auth,
     :debug_output,
-    :version
+    :version,
+    :user_agent,
+    :random_agent,
+    :cache_ttl,
+    :request_timeout,
+    :connect_timeout,
+    :max_threads
   ]
 
   attr_accessor *ACCESSOR_OPTIONS
@@ -136,6 +142,10 @@ class WpscanOptions
     !to_h.empty?
   end
 
+  def random_agent=(useless)
+    @user_agent = get_random_user_agent
+  end
+
   # return Hash
   def to_h
     options = {}
@@ -227,6 +237,8 @@ class WpscanOptions
       ['--wordlist', '-w', GetoptLong::REQUIRED_ARGUMENT],
       ['--threads', '-t', GetoptLong::REQUIRED_ARGUMENT],
       ['--force', '-f', GetoptLong::NO_ARGUMENT],
+      ['--user-agent', '-a', GetoptLong::REQUIRED_ARGUMENT],
+      ['--random-agent', '-r', GetoptLong::NO_ARGUMENT],
       ['--help', '-h', GetoptLong::NO_ARGUMENT],
       ['--verbose', '-v', GetoptLong::NO_ARGUMENT],
       ['--proxy', GetoptLong::REQUIRED_ARGUMENT],
@@ -239,7 +251,11 @@ class WpscanOptions
       ['--exclude-content-based', GetoptLong::REQUIRED_ARGUMENT],
       ['--basic-auth', GetoptLong::REQUIRED_ARGUMENT],
       ['--debug-output', GetoptLong::NO_ARGUMENT],
-      ['--version', GetoptLong::NO_ARGUMENT]
+      ['--version', GetoptLong::NO_ARGUMENT],
+      ['--cache_ttl', GetoptLong::REQUIRED_ARGUMENT],
+      ['--request_timeout', GetoptLong::REQUIRED_ARGUMENT],
+      ['--connect_timeout', GetoptLong::REQUIRED_ARGUMENT],
+      ['--max_threads', GetoptLong::REQUIRED_ARGUMENT]
     )
   end