Merge remote-tracking branch 'origin/master' into layout-423

.travis.yml

@@ -5,3 +5,6 @@ rvm:
   - 2.0.0
   - 2.1.0
 script: bundle exec rspec --format documentation
+notifications:
+  email:
+    - wpscanteam@gmail.com

Gemfile

@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "typhoeus", ">=0.6.3"
+gem "typhoeus", "~>0.6.8"
 gem "nokogiri"
 gem "json"
 gem "terminal-table"

README

@@ -142,6 +142,10 @@ ryandewhurst at gmail
 
 --config-file | -c <config file> Use the specified config file
 
+--user-agent | -a <User-Agent> Use the specified User-Agent
+
+--random-agent | -r Use a random User-Agent
+
 --follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
 
 --wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
@@ -161,6 +165,14 @@ ryandewhurst at gmail
 
 --username | -U <username>  Only brute force the supplied username.
 
+--cache-ttl <cache-ttl>  Typhoeus cache TTL
+
+--request-timeout <request-timeout>  Request Timeout
+
+--connect-timeout <connect-timeout>  Connect Timeout
+
+--max-threads <max-threads>  Maximum Threads
+
 --help     | -h This help screen.
 
 --verbose  | -v Verbose output.

README.md

@@ -156,6 +156,10 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
     --config-file | -c <config file> Use the specified config file
 
+    --user-agent | -a <User-Agent> Use the specified User-Agent
+
+    --random-agent | -r Use a random User-Agent
+
     --follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
 
     --wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
@@ -175,6 +179,14 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
     --username | -U <username>  Only brute force the supplied username.
 
+    --cache-ttl <cache-ttl>  Typhoeus cache TTL
+
+    --request-timeout <request-timeout>  Request Timeout
+
+    --connect-timeout <connect-timeout>  Connect Timeout
+
+    --max-threads <max-threads>  Maximum Threads
+
     --help     | -h This help screen.
 
     --verbose  | -v Verbose output.

conf/browser.conf.json

@@ -1,65 +0,0 @@
-{
-  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
-  /* Modes :
-    static : will use the defined user_agent for each request
-    semi-static : will randomly choose a user agent into available_user_agents before each scan
-    random : each request will choose a random user agent in available_user_agents
-  */
-  "user_agent_mode": "static",
-
-  /* Uncomment the "proxy" line to use the proxy
-    SOCKS proxies (4, 4A, 5) are supported, ie : "proxy": "socks5://127.0.0.1:9000"
-    If you do not specify the protocol, http will be used
-  */
-  //"proxy": "127.0.0.1:3128",
-  //"proxy_auth": "username:password",
-
-  "cache_ttl": 600, // 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
-
-  "request_timeout": 2000, // 2s
-
-  "connect_timeout": 1000, // 1s
-
-  "max_threads": 20,
-
-  // Some user_agents can be found there http://techpatterns.com/downloads/firefox/useragentswitcher.xml (thx to Gianluca Brindisi)
-  "available_user_agents":
-  [
-    // Windows
-    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5",
-    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1",
-    "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)",
-    "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
-    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1",
-    "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0",
-    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1",
-    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
-    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
-    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)",
-    "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
-    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5",
-
-    // MAC
-    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13",
-    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15",
-    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
-    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3",
-    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
-    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1",
-    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
-
-    // Linux
-    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1",
-    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24",
-    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9",
-    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0",
-    "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0",
-    "Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00",
-    "Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0"
-  ]
-}

data/plugin_vulns.xml

@@ -4750,6 +4750,7 @@
         <exploitdb>4593</exploitdb>
       </references>
       <type>RFI</type>
+      <fixed_in>0.4.3</fixed_in>
     </vulnerability>
   </plugin>
 
@@ -6036,8 +6037,18 @@
 
   <plugin name="wp-slimstat">
     <vulnerability>
-      <title>wp-slimstat - XSS</title>
+      <title>WP SlimStat 3.5.5 - Overview URI Stored XSS</title>
       <references>
+        <osvdb>104428</osvdb>
+        <secunia>57305</secunia>
+      </references>
+      <type>XSS</type>
+      <fixed_in>3.5.6</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS</title>
+      <references>
+        <osvdb>89052</osvdb>
         <secunia>51721</secunia>
       </references>
       <type>XSS</type>
@@ -7036,6 +7047,7 @@
       <title>CommentLuv 2.92.3 - Cross Site Scripting Vulnerability</title>
       <references>
         <osvdb>89925</osvdb>
+        <cve>2013-1409</cve>
         <url>https://www.htbridge.com/advisory/HTB23138</url>
         <url>http://packetstormsecurity.com/files/120090/</url>
         <url>http://seclists.org/bugtraq/2013/Feb/30</url>
@@ -11035,7 +11047,10 @@
       <title>Contus Video Gallery - index.php playid Parameter SQL Injection</title>
       <references>
         <osvdb>93369</osvdb>
+        <cve>2013-3478</cve>
         <secunia>51344</secunia>
+        <url>http://www.securityfocus.com/bid/59845</url>
+        <url>http://xforce.iss.net/xforce/xfdb/84239</url>
       </references>
       <type>SQLI</type>
     </vulnerability>
@@ -11447,4 +11462,159 @@
     </vulnerability>
   </plugin>
 
+  <plugin name="LayerSlider">
+    <vulnerability>
+      <title>LayerSlider 4.6.1 - wp-admin/admin.php Style Editing CSRF</title>
+      <references>
+        <osvdb>104393</osvdb>
+        <secunia>57930</secunia>
+        <url>http://packetstormsecurity.com/files/125637/</url>
+      </references>
+      <type>CSRF</type>
+    </vulnerability>
+    <vulnerability>
+      <title>LayerSlider 4.6.1 - LayerSlider/editor.php skin Parameter Remote Path Traversal File Access</title>
+      <references>
+        <osvdb>104394</osvdb>
+        <url>http://packetstormsecurity.com/files/125637/</url>
+      </references>
+      <type>AUTHBYPASS</type>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="xcloner-backup-and-restore">
+    <vulnerability>
+      <title>XCloner 3.1.0 - Multiple Actions CSRF</title>
+      <references>
+        <osvdb>104402</osvdb>
+        <url>https://www.htbridge.com/advisory/HTB23206</url>
+      </references>
+      <type>CSRF</type>
+      <fixed_in>3.1.1</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="guiform">
+    <vulnerability>
+      <title>GuiForm 1.4.10 - class/class-ajax.php Entry Saving CSRF</title>
+      <references>
+        <osvdb>104399</osvdb>
+      </references>
+      <type>CSRF</type>
+      <fixed_in>1.5.0</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="clickdesk-live-support-chat-plugin">
+    <vulnerability>
+      <title>ClickDesk - Live Chat Widget Multiple Field XSS</title>
+      <references>
+        <osvdb>104037</osvdb>
+        <url>http://packetstormsecurity.com/files/125528/</url>
+        <url>http://www.securityfocus.com/bid/65971</url>
+      </references>
+      <type>XSS</type>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="duplicate-post">
+    <vulnerability>
+      <title>Duplicate Post 2.5 - duplicate-post-admin.php User Login Cookie Value SQL Injection</title>
+      <references>
+        <osvdb>104669</osvdb>
+      </references>
+      <type>SQLI</type>
+      <fixed_in>2.6</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>Duplicate Post 2.5 - options-general.php post Parameter Reflected XSS</title>
+      <references>
+        <osvdb>104670</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.6</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="mtouch-quiz">
+    <vulnerability>
+      <title>mTouch Quiz 3.0.6 - question.php quiz Parameter Reflected XSS</title>
+      <references>
+        <osvdb>104667</osvdb>
+        <url>http://www.securityfocus.com/bid/66306</url>
+      </references>
+      <type>XSS</type>
+      <fixed_in>3.0.7</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>mTouch Quiz 3.0.6 - question.php quiz Parameter SQL Injection</title>
+      <references>
+        <osvdb>104668</osvdb>
+        <url>http://www.securityfocus.com/bid/66306</url>
+      </references>
+      <type>SQLI</type>
+      <fixed_in>3.0.7</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="simple-retail-menus">
+    <vulnerability>
+      <title>Simple Retail Menus 4.0.1 - includes/actions.php targetmenu Parameter SQL Injection</title>
+      <references>
+        <osvdb>104680</osvdb>
+      </references>
+      <type>SQLI</type>
+      <fixed_in>4.1</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>Simple Retail Menus 4.0.1 - includes/mode-edit.php targetmenu Parameter SQL Injection</title>
+      <references>
+        <osvdb>104682</osvdb>
+      </references>
+      <type>SQLI</type>
+      <fixed_in>4.1</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="user-domain-whitelist">
+    <vulnerability>
+      <title>User Domain Whitelist 1.4 - user-domain-whitelist.php domain_whitelist Parameter Stored XSS</title>
+      <references>
+        <osvdb>104681</osvdb>
+      </references>
+      <type>XSS</type>
+    </vulnerability>
+    <vulnerability>
+      <title>User Domain Whitelist 1.4 -  user-domain-whitelist.php Domain Whitelisting Manipulation CSRF</title>
+      <references>
+        <osvdb>104683</osvdb>
+      </references>
+      <type>CSRF</type>
+      <fixed_in>1.5</fixed_in>
+    </vulnerability>
+  </plugin>
+
+  <plugin name="subscribe-to-comments-reloaded">
+    <vulnerability>
+      <title>Subscribe To Comments Reloaded 140204 - options/index.php manager_page Parameter Stored XSS Weakness</title>
+      <references>
+        <osvdb>104698</osvdb>
+        <secunia>57015</secunia>
+        <url>http://www.securityfocus.com/bid/66288</url>
+      </references>
+      <type>XSS</type>
+      <fixed_in>140219</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>Subscribe To Comments Reloaded 140204 - options/index.php Admin Settings Manipulation CSRF</title>
+      <references>
+        <osvdb>104699</osvdb>
+        <secunia>57015</secunia>
+        <url>http://www.securityfocus.com/bid/66288</url>
+      </references>
+      <type>CSRF</type>
+      <fixed_in>140219</fixed_in>
+    </vulnerability>
+  </plugin>
+
 </vulnerabilities>

data/user-agents.txt

@@ -0,0 +1,36 @@
+# Windows
+Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5
+Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
+Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27
+Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1
+Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)
+Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
+Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
+Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
+Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
+Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
+Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
+Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1
+Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
+Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
+Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)
+Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
+Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
+
+# MAC
+Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13
+Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
+Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
+Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
+Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3
+Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
+Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
+
+# Linux
+Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1
+Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24
+Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9
+Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0
+Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
+Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00
+Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0

example.conf.json

@@ -0,0 +1,18 @@
+{
+  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
+
+    /* Uncomment the "proxy" line to use the proxy
+        SOCKS proxies (4, 4A, 5) are supported, ie : "proxy": "socks5://127.0.0.1:9000"
+        If you do not specify the protocol, http will be used
+    */
+    //"proxy": "127.0.0.1:3128",
+    //"proxy_auth": "username:password",
+
+    "cache_ttl": 600, // 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
+
+    "request_timeout": 2000, // 2s
+
+    "connect_timeout": 1000, // 1s
+
+    "max_threads": 20
+}

lib/common/browser.rb

@@ -9,12 +9,10 @@ class Browser
   include Browser::Options
 
   OPTIONS = [
-    :available_user_agents,
     :basic_auth,
     :cache_ttl,
     :max_threads,
     :user_agent,
-    :user_agent_mode,
     :proxy,
     :proxy_auth,
     :request_timeout,
@@ -23,16 +21,20 @@ class Browser
 
   @@instance = nil
 
-  attr_reader :hydra, :config_file, :cache_dir
+  attr_reader :hydra, :cache_dir
 
   # @param [ Hash ] options
   #
   # @return [ Browser ]
   def initialize(options = {})
-    @config_file = options[:config_file] || CONF_DIR + '/browser.conf.json'
     @cache_dir   = options[:cache_dir]   || CACHE_DIR + '/browser'
 
-    load_config
+    # sets browser defaults
+    browser_defaults
+    # load config file
+    conf = options[:config_file]
+    load_config(conf) if conf
+    # overrides defaults with user supplied values (overwrite values from config)
     override_config(options)
 
     unless @hydra
@@ -61,6 +63,20 @@ class Browser
     @@instance = nil
   end
 
+  #
+  # sets browser default values
+  #
+  def browser_defaults
+    @max_threads = 20
+    # 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
+    @cache_ttl = 600
+    # 2s
+    @request_timeout = 2000
+    # 1s
+    @connect_timeout = 1000
+    @user_agent = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+  end
+
   #
   # If an option was set but is not in the new config_file
   # it's value is kept
@@ -69,21 +85,20 @@ class Browser
   #
   # @return [ void ]
   def load_config(config_file = nil)
-    @config_file = config_file || @config_file
 
-    if File.symlink?(@config_file)
+    if File.symlink?(config_file)
       raise '[ERROR] Config file is a symlink.'
     else
-      data = JSON.parse(File.read(@config_file))
+      data = JSON.parse(File.read(config_file))
     end
 
     OPTIONS.each do |option|
       option_name = option.to_s
-
       unless data[option_name].nil?
         self.send(:"#{option_name}=", data[option_name])
       end
     end
+
   end
 
   # @param [ String ] url
@@ -101,7 +116,7 @@ class Browser
     params = Browser.append_params_header_field(
       params,
       'User-Agent',
-      self.user_agent
+      @user_agent
     )
 
     if @proxy

lib/common/browser/options.rb

@@ -3,10 +3,8 @@
 class Browser
   module Options
 
-    USER_AGENT_MODES = %w{ static semi-static random }
+    attr_accessor :cache_ttl, :request_timeout, :connect_timeout
-
+    attr_reader   :basic_auth, :proxy, :proxy_auth
-    attr_accessor :available_user_agents, :cache_ttl, :request_timeout, :connect_timeout
-    attr_reader   :basic_auth, :user_agent_mode, :proxy, :proxy_auth
     attr_writer   :user_agent
 
     # Sets the Basic Authentification credentials
@@ -41,42 +39,6 @@ class Browser
       end
     end
 
-    # Sets the user_agent_mode, which can be one of the following:
-    #   static:      The UA is defined by the user, and will be the same in each requests
-    #   semi-static: The UA is randomly chosen at the first request, and will not change
-    #   random:      UA randomly chosen each request
-    #
-    # UA are from @available_user_agents
-    #
-    # @param [ String ] ua_mode
-    #
-    # @return [ void ]
-    def user_agent_mode=(ua_mode)
-      ua_mode ||= 'static'
-
-      if USER_AGENT_MODES.include?(ua_mode)
-        @user_agent_mode = ua_mode
-        # For semi-static user agent mode, the user agent has to
-        # be nil the first time (it will be set with the getter)
-        @user_agent = nil if ua_mode === 'semi-static'
-      else
-        raise "Unknow user agent mode : '#{ua_mode}'"
-      end
-    end
-
-    # @return [ String ] The user agent, according to the user_agent_mode
-    def user_agent
-      case @user_agent_mode
-      when 'semi-static'
-        unless @user_agent
-          @user_agent = @available_user_agents.sample
-        end
-      when 'random'
-        @user_agent = @available_user_agents.sample
-      end
-      @user_agent
-    end
-
     # Sets the proxy
     # Accepted format:
     #   [protocol://]host:post

lib/common/common_helper.rb

@@ -32,6 +32,7 @@ LOCAL_FILES_FILE    = DATA_DIR + '/local_vulnerable_files.xml'
 VULNS_XSD           = DATA_DIR + '/vuln.xsd'
 WP_VERSIONS_XSD     = DATA_DIR + '/wp_versions.xsd'
 LOCAL_FILES_XSD     = DATA_DIR + '/local_vulnerable_files.xsd'
+USER_AGENTS_FILE    = DATA_DIR + '/user-agents.txt'
 
 WPSCAN_VERSION       = '2.3'
 
@@ -199,3 +200,19 @@ def truncate(input, size, trailing = '...')
       trailing.length >= input.length or size-trailing.length-1 >= input.length
   return "#{input[0..size-trailing.length-1]}#{trailing}"
 end
+
+# Gets a random User-Agent
+#
+# @return [ String ] A random user-agent from data/user-agents.txt
+def get_random_user_agent
+  user_agents = []
+  f = File.open(USER_AGENTS_FILE, 'r')
+  f.each_line do |line|
+    # ignore comments
+    next if line.empty? or line =~ /^\s*(#|\/\/)/
+    user_agents << line.strip
+  end
+  f.close
+  # return ransom user-agent
+  user_agents.sample
+end

lib/common/models/vulnerability/urls.rb

@@ -14,7 +14,7 @@ class Vulnerability
     end
 
     def url_cve(cve)
-      "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
+      "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-#{cve}"
     end
 
     def url_osvdb(id)

lib/common/typhoeus_cache.rb

@@ -2,25 +2,14 @@
 
 require 'common/cache_file_store'
 
-# Implementaion of a cache_key (Typhoeus::Request#hash has too many options)
-module Typhoeus
-  class Request
-    module Cacheable
-      def cache_key
-        Digest::SHA2.hexdigest("#{url}-#{options[:body]}-#{options[:method]}")[0..32]
-      end
-    end
-  end
-end
-
 class TyphoeusCache < CacheFileStore
 
   def get(request)
-    read_entry(request.cache_key)
+    read_entry(request.hash.to_s)
   end
 
   def set(request, response)
-    write_entry(request.cache_key, response, request.cache_ttl)
+    write_entry(request.hash.to_s, response, request.cache_ttl)
   end
 
 end

lib/wpscan/wpscan_helper.rb

@@ -83,6 +83,8 @@ def help
   puts '--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied'
   puts '                                             You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)'
   puts '--config-file | -c <config file> Use the specified config file'
+  puts '--user-agent | -a <User-Agent> Use the specified User-Agent'
+  puts '--random-agent | -r Use a random User-Agent'
   puts '--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
   puts '--wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed'
   puts '--wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
@@ -93,6 +95,10 @@ def help
   puts '--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.'
   puts '--threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)'
   puts '--username | -U <username>  Only brute force the supplied username.'
+  puts '--cache-ttl <cache-ttl>  Typhoeus cache TTL'
+  puts '--request-timeout <request-timeout>  Request Timeout'
+  puts '--connect-timeout <connect-timeout>  Connect Timeout'
+  puts '--max-threads <max-threads>  Maximum Threads'
   puts '--help     | -h This help screen.'
   puts '--verbose  | -v Verbose output.'
   puts

lib/wpscan/wpscan_options.rb

@@ -30,7 +30,13 @@ class WpscanOptions
     :exclude_content_based,
     :basic_auth,
     :debug_output,
-    :version
+    :version,
+    :user_agent,
+    :random_agent,
+    :cache_ttl,
+    :request_timeout,
+    :connect_timeout,
+    :max_threads
   ]
 
   attr_accessor *ACCESSOR_OPTIONS
@@ -136,6 +142,10 @@ class WpscanOptions
     !to_h.empty?
   end
 
+  def random_agent=(useless)
+    @user_agent = get_random_user_agent
+  end
+
   # return Hash
   def to_h
     options = {}
@@ -227,6 +237,8 @@ class WpscanOptions
       ['--wordlist', '-w', GetoptLong::REQUIRED_ARGUMENT],
       ['--threads', '-t', GetoptLong::REQUIRED_ARGUMENT],
       ['--force', '-f', GetoptLong::NO_ARGUMENT],
+      ['--user-agent', '-a', GetoptLong::REQUIRED_ARGUMENT],
+      ['--random-agent', '-r', GetoptLong::NO_ARGUMENT],
       ['--help', '-h', GetoptLong::NO_ARGUMENT],
       ['--verbose', '-v', GetoptLong::NO_ARGUMENT],
       ['--proxy', GetoptLong::REQUIRED_ARGUMENT],
@@ -239,7 +251,11 @@ class WpscanOptions
       ['--exclude-content-based', GetoptLong::REQUIRED_ARGUMENT],
       ['--basic-auth', GetoptLong::REQUIRED_ARGUMENT],
       ['--debug-output', GetoptLong::NO_ARGUMENT],
-      ['--version', GetoptLong::NO_ARGUMENT]
+      ['--version', GetoptLong::NO_ARGUMENT],
+      ['--cache_ttl', GetoptLong::REQUIRED_ARGUMENT],
+      ['--request_timeout', GetoptLong::REQUIRED_ARGUMENT],
+      ['--connect_timeout', GetoptLong::REQUIRED_ARGUMENT],
+      ['--max_threads', GetoptLong::REQUIRED_ARGUMENT]
     )
   end
 

spec/lib/common/browser_spec.rb

@@ -6,9 +6,9 @@ describe Browser do
   it_behaves_like 'Browser::Actions'
   it_behaves_like 'Browser::Options'
 
-  CONFIG_FILE_WITHOUT_PROXY       = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json'
+  CONFIG_FILE_WITHOUT_PROXY       = SPEC_FIXTURES_CONF_DIR + '/browser.conf.json'
-  CONFIG_FILE_WITH_PROXY          = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf_proxy.json'
+  CONFIG_FILE_WITH_PROXY          = SPEC_FIXTURES_CONF_DIR + '/browser.conf_proxy.json'
-  #CONFIG_FILE_WITH_PROXY_AND_AUTH = SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf_proxy_auth.json'
+  #CONFIG_FILE_WITH_PROXY_AND_AUTH = SPEC_FIXTURES_CONF_DIR + '/browser.conf_proxy_auth.json'
 
   subject(:browser) {
     Browser.reset
@@ -16,14 +16,13 @@ describe Browser do
   }
   let(:options) { {} }
   let(:instance_vars_to_check) {
-    ['user_agent', 'user_agent_mode', 'available_user_agents', 'proxy',
+    ['proxy', 'max_threads', 'cache_ttl', 'request_timeout', 'connect_timeout']
-     'max_threads', 'cache_ttl', 'request_timeout', 'connect_timeout']
   }
   let(:json_config_without_proxy) { JSON.parse(File.read(CONFIG_FILE_WITHOUT_PROXY)) }
   let(:json_config_with_proxy)    { JSON.parse(File.read(CONFIG_FILE_WITH_PROXY)) }
 
   def check_instance_variables(browser, json_expected_vars)
-    json_expected_vars['max_threads'] ||= 1 # max_thread can not be nil
+    json_expected_vars['max_threads'] ||= 20 # max_thread can not be nil
 
     instance_vars_to_check.each do |variable_name|
       browser.send(:"#{variable_name}").should === json_expected_vars[variable_name]
@@ -39,12 +38,6 @@ describe Browser do
   describe '::instance' do
     after { check_instance_variables(browser, @json_expected_vars) }
 
-    context "when default config_file = #{CONFIG_FILE_WITHOUT_PROXY}" do
-      it 'will check the instance vars' do
-        @json_expected_vars = json_config_without_proxy
-      end
-    end
-
     context "when :config_file = #{CONFIG_FILE_WITH_PROXY}" do
       let(:options) { { config_file: CONFIG_FILE_WITH_PROXY } }
 
@@ -143,7 +136,7 @@ describe Browser do
     }
 
     after :each do
-      browser.stub(user_agent: 'SomeUA')
+      browser.user_agent = 'SomeUA'
       browser.cache_ttl = 250
 
       browser.merge_request_params(params).should == @expected

spec/lib/common/version_compare_spec.rb

@@ -31,6 +31,11 @@ describe 'VersionCompare' do
         @version1 = '0'
         @version2 = '1'
       end
+
+      it 'returns true' do
+        @version1 = '0.4.2b'
+        @version2 = '2.3.3'
+      end
     end
 
     context 'version checked is older' do

spec/lib/wpscan/web_site_spec.rb

@@ -12,7 +12,7 @@ describe 'WebSite' do
   before :all do
     Browser::reset
     Browser.instance(
-      config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
+      config_file: SPEC_FIXTURES_CONF_DIR + '/browser.conf.json',
       cache_ttl: 0
     )
   end

spec/lib/wpscan/wp_target_spec.rb

@@ -9,7 +9,7 @@ describe WpTarget do
   let(:login_url)     { wp_target.uri.merge('wp-login.php').to_s }
   let(:options)       {
     {
-      config_file:    SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
+      config_file:    SPEC_FIXTURES_CONF_DIR + '/browser.conf.json',
       cache_ttl:      0,
       wp_content_dir: 'wp-content',
       wp_plugins_dir: 'wp-content/plugins'

spec/samples/conf/browser.conf.json

@@ -0,0 +1,7 @@
+{
+    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
+    "cache_ttl": 600,
+    "request_timeout": 2000,
+    "connect_timeout": 1000,
+    "max_threads": 20
+}

spec/samples/conf/browser.conf_proxy.json

@@ -0,0 +1,7 @@
+{
+    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
+    "proxy": "127.0.0.1:3038",
+    "cache_ttl": 300,
+    "request_timeout": 2000,
+    "connect_timeout": 1000
+}

spec/samples/conf/browser.conf_proxy_auth.json

@@ -0,0 +1,8 @@
+{
+    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
+    "proxy": "127.0.0.1:3038",
+    "proxy_auth": "user:pass",
+    "cache_ttl": 300,
+    "request_timeout": 2000,
+    "connect_timeout": 1000
+}

spec/samples/conf/browser/browser.conf.json

@@ -1,8 +0,0 @@
-{
-  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0",
-  "user_agent_mode": "static",
-  "cache_ttl": 300,
-  "request_timeout": 2000,
-  "connect_timeout": 1000,
-  "max_threads": 5
-}

spec/samples/conf/browser/browser.conf_proxy.json

@@ -1,8 +0,0 @@
-{
-  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
-  "user_agent_mode": "static",
-  "proxy": "127.0.0.1:3038",
-  "cache_ttl": 300,
-  "request_timeout": 2000,
-  "connect_timeout": 1000
-}

spec/samples/conf/browser/browser.conf_proxy_auth.json

@@ -1,9 +0,0 @@
-{
-  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/11.0",
-  "user_agent_mode": "static",
-  "proxy": "127.0.0.1:3038",
-  "proxy_auth": "user:pass",
-  "cache_ttl": 300,
-  "request_timeout": 2000,
-  "connect_timeout": 1000
-}

spec/shared_examples/browser/options.rb

@@ -71,69 +71,6 @@ shared_examples 'Browser::Options' do
     end
   end
 
-  describe '#user_agent_mode= & #user_agent_mode' do
-    # Testing all valid modes
-    Browser::USER_AGENT_MODES.each do |user_agent_mode|
-      it "sets & returns #{user_agent_mode}" do
-        browser.user_agent_mode = user_agent_mode
-        browser.user_agent_mode.should === user_agent_mode
-      end
-    end
-
-    it 'sets the mode to "static" if nil is given' do
-      browser.user_agent_mode = nil
-      browser.user_agent_mode.should === 'static'
-    end
-
-    it 'raises an error if the mode is not valid' do
-      expect { browser.user_agent_mode = 'invalid-mode' }.to raise_error
-    end
-  end
-
-  describe '#user_agent= & #user_agent' do
-    let(:available_user_agents) { %w{ ua-1 ua-2 ua-3 ua-4 ua-6 ua-7 ua-8 ua-9 ua-10 ua-11 ua-12 ua-13 ua-14 ua-15 ua-16 ua-17 } }
-
-    context 'when static mode' do
-      it 'returns the same user agent' do
-        browser.user_agent      = 'fake UA'
-        browser.user_agent_mode = 'static'
-
-        (1..3).each do
-          browser.user_agent.should === 'fake UA'
-        end
-      end
-    end
-
-    context 'when semi-static mode' do
-      it 'chooses a random user_agent in the available_user_agents array and always return it' do
-        browser.available_user_agents = available_user_agents
-        browser.user_agent            = 'Firefox 11.0'
-        browser.user_agent_mode       = 'semi-static'
-
-        user_agent = browser.user_agent
-        user_agent.should_not === 'Firefox 11.0'
-        available_user_agents.include?(user_agent).should be_true
-
-        (1..3).each do
-          browser.user_agent.should === user_agent
-        end
-      end
-    end
-
-    context 'when random' do
-      it 'returns a random user agent each time' do
-        browser.available_user_agents = available_user_agents
-        browser.user_agent_mode       = 'random'
-
-        ua_1 = browser.user_agent
-        ua_2 = browser.user_agent
-        ua_3 = browser.user_agent
-
-        fail if ua_1 === ua_2 and ua_2 === ua_3
-      end
-    end
-  end
-
   describe 'proxy=' do
     let(:exception) { 'Invalid proxy format. Should be [protocol://]host:port.' }
 
@@ -185,7 +122,7 @@ shared_examples 'Browser::Options' do
         end
 
         context 'valid format' do
-           it 'sets the auth' do
+          it 'sets the auth' do
             @proxy_auth = 'username:passwd'
             @expected   = @proxy_auth
           end

spec/spec_helper.rb

@@ -15,7 +15,7 @@ SPEC_FIXTURES_CONF_DIR        = SPEC_FIXTURES_DIR + '/conf' # FIXME Remove it
 SPEC_FIXTURES_WP_VERSIONS_DIR = SPEC_FIXTURES_DIR + '/wp_versions'
 
 redefine_constant(:CACHE_DIR, SPEC_DIR + '/cache')
-redefine_constant(:CONF_DIR, SPEC_FIXTURES_DIR + '/conf/browser') # FIXME Remove the /browser
+redefine_constant(:CONF_DIR, SPEC_FIXTURES_DIR + '/conf')
 
 MODELS_FIXTURES = SPEC_FIXTURES_DIR + '/common/models'
 COLLECTIONS_FIXTURES = SPEC_FIXTURES_DIR + '/common/collections'