From 130a2a44e8cdd8593e00551fd93571d029b9ed5b Mon Sep 17 00:00:00 2001 From: erwanlr Date: Tue, 26 Mar 2013 13:02:00 +0100 Subject: [PATCH 01/12] Fixes #150 BackupBuddy added --- lib/wpscan/wp_target.rb | 10 ++++++++++ main.rb | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb index 94b2c648..3c6b5593 100644 --- a/lib/wpscan/wp_target.rb +++ b/lib/wpscan/wp_target.rb @@ -155,6 +155,16 @@ class WpTarget < WebSite resp.code == 200 && resp.body[%r{by interconnect}i] end + # FIXME: a plugin which does not follow the wordpress plugin system + def backupbuddy_url + @uri.merge('importbuddy.php').to_s + end + + def has_backupbuddy? + response = Browser.instance.get(backupbuddy_url) + response.code == 200 && response.body[%r{BackupBuddy}i] + end + # Should check wp-login.php if registration is enabled or not def registration_enabled? resp = Browser.instance.get(registration_url) diff --git a/main.rb b/main.rb index 71d95256..1751fc45 100644 --- a/main.rb +++ b/main.rb @@ -170,6 +170,14 @@ def main puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}'") end + if wp_target.has_backupbuddy? + puts red("[!] BackupBuddy has been found") + puts ' |' + puts " | Location: #{wp_target.backupbuddy_url}" + puts ' | ' + red('* Reference: http://seclists.org/fulldisclosure/2013/Mar/206') + puts + end + if wp_target.is_multisite? puts green('[+]') + ' This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)' end From e3fbd07e41cbf0d62a27dc418a68021c66670a34 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Tue, 26 Mar 2013 17:30:02 +0100 Subject: [PATCH 02/12] Added mathjax-latex CSRF --- data/plugin_vulns.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 650f6ce0..cb6c48c9 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml 
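Review bot: `backupbuddy_url` builds the probe with `@uri.merge('importbuddy.php')`, and `URI#merge` resolves a relative reference by replacing the last path segment when the base does not end in `/` (a target of `http://host/blog` would be probed at `http://host/importbuddy.php`), so unless `@uri` is normalised with a trailing slash elsewhere this check misses nested installs; the sibling `registration_url` is outside the hunk, so the convention cannot be confirmed from here. `has_backupbuddy?` also returns the matched substring or `nil` rather than a boolean, mirroring the `by interconnect` check just above it; the `?` contract would be clearer as `response.code == 200 && !response.body[%r{BackupBuddy}i].nil?`. Since any 200 response whose body mentions the plugin name (a themed soft-404, for instance) is reported, a comment such as `# Heuristic: importbuddy.php is probed at the site root because BackupBuddy does not live under the plugins directory` would tell the next reader why this does not go through the normal plugin detection. Note that PATCH 07 in this series removes both methods again.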
@@ -4096,4 +4096,12 @@ + + + Mathjax Latex 1.1 CSRF Vulnerability + http://1337day.com/exploit/20566 + CSRF + + + From 99cd96f33cbda527eb6302d8aa976c5eb6ab50a5 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Tue, 26 Mar 2013 17:33:06 +0100 Subject: [PATCH 03/12] Added felici XSS --- data/theme_vulns.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/data/theme_vulns.xml b/data/theme_vulns.xml index 5c5bf661..48eb3eba 100644 --- a/data/theme_vulns.xml +++ b/data/theme_vulns.xml @@ -1221,7 +1221,7 @@ XSS - + Wordpress theme pinboard 1.0.6 XSS @@ -1264,4 +1264,12 @@ + + + felici XSS Vulnerability + http://1337day.com/exploit/20560 + XSS + + + From 1d5e7dccb76247b27b0f5b48764ed42e81bd591d Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Wed, 27 Mar 2013 12:42:32 +0100 Subject: [PATCH 04/12] Added WP-Banners-Lite XSS --- data/plugin_vulns.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index cb6c48c9..dc9380aa 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -4104,4 +4104,13 @@ + + + XSS vulnerability on WP-Banners-Lite + http://seclists.org/fulldisclosure/2013/Mar/209 + http://threatpost.com/en_us/blogs/xss-flaw-wordpress-plugin-allows-injection-malicious-code-032513 + XSS + + + From 2179dc50661eb900b1034c3996fceb726868cb8b Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Thu, 28 Mar 2013 14:10:44 +0100 Subject: [PATCH 05/12] fix issue 152 --- lib/common/browser.rb | 4 ++++ spec/lib/common/browser_spec.rb | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/common/browser.rb b/lib/common/browser.rb index eb44664b..e0468ec2 100644 --- a/lib/common/browser.rb +++ b/lib/common/browser.rb @@ -196,6 +196,10 @@ class Browser params = params.merge(cache_ttl: @cache_ttl) end + # Disable SSL-Certificate checks + params = params.merge(ssl_verifypeer: false) + params = params.merge(ssl_verifyhost: 0) + params end 
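Review bot: The two added merges at the end of the `@@ -196,6 +196,10 @@ class Browser` hunk (presumably `merge_request_params`, per the spec in the next file) unconditionally disable TLS certificate validation with `ssl_verifypeer: false` and `ssl_verifyhost: 0`, and because they run after the caller's params have been merged they also overwrite any `ssl_verifypeer: true` a caller passes, so verification cannot be re-enabled at all. An on-path attacker can then answer every request the scanner makes, which poisons all detections that key on response codes and bodies. Prefer an explicit opt-in that defaults to verification on, e.g. `params = params.merge(ssl_verifypeer: false, ssl_verifyhost: 0) if @disable_tls_checks` (name is a placeholder), with the comment `# TLS verification is disabled only when explicitly requested; needed for self-signed targets`. The spec change in `browser_spec.rb` then only pins the insecure default and should also cover the verified default; the enclosing method starts outside the hunk.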
diff --git a/spec/lib/common/browser_spec.rb b/spec/lib/common/browser_spec.rb index f66afee6..24fd65b0 100644 --- a/spec/lib/common/browser_spec.rb +++ b/spec/lib/common/browser_spec.rb @@ -278,7 +278,7 @@ describe Browser do describe '#merge_request_params' do let(:params) { {} } - let(:default_expectation) { { cache_ttl: 250, headers: { 'User-Agent' => 'SomeUA' } } } + let(:default_expectation) { { cache_ttl: 250, headers: { 'User-Agent' => 'SomeUA' }, ssl_verifypeer: false, ssl_verifyhost: 0 } } after :each do @browser.stub(user_agent: 'SomeUA') From e33dad84924ee2b3280d923ac8a611965c128e27 Mon Sep 17 00:00:00 2001 From: ethicalhack3r Date: Thu, 28 Mar 2013 15:35:53 +0100 Subject: [PATCH 06/12] Added classic theme XSS --- data/theme_vulns.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/data/theme_vulns.xml b/data/theme_vulns.xml index 48eb3eba..e3e99c83 100644 --- a/data/theme_vulns.xml +++ b/data/theme_vulns.xml @@ -1272,4 +1272,13 @@ + + + CVE-2007-4483: Classic v1.5 Theme PHP_SELF XSS + http://osvdb.org/38450 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-4483 + XSS + + + From 91f9a1e84f216473159b71496e3d50acd5842f5d Mon Sep 17 00:00:00 2001 From: erwanlr Date: Sat, 30 Mar 2013 23:11:59 +0100 Subject: [PATCH 07/12] Ref #150 Backupbuddy plugin vulns --- data/plugin_vulns.xml | 8 ++++++++ lib/wpscan/wp_target.rb | 10 ---------- main.rb | 8 -------- wpscan.rb | 2 +- 4 files changed, 9 insertions(+), 19 deletions(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index dc9380aa..cf1935fc 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -4113,4 +4113,12 @@ + + + Backupbuddy - sensitive data exposure in importbuddy.php + http://seclists.org/fulldisclosure/2013/Mar/206 + UNKNOWN + + + diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb index 3c6b5593..94b2c648 100644 --- a/lib/wpscan/wp_target.rb +++ b/lib/wpscan/wp_target.rb 
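Review bot: The new Backupbuddy entry in the `@@ -4113,4 +4113,12 @@` hunk of plugin_vulns.xml carries type `UNKNOWN` while its title already states the class ("sensitive data exposure in importbuddy.php"); if the scanner's type vocabulary has a disclosure category it should be used, otherwise a short XML comment explaining why `UNKNOWN` was chosen would stop the next maintainer from "fixing" it. The same commit removes the dedicated `importbuddy.php` probe from wp_target.rb and main.rb (next line), whose FIXME said this plugin does not follow the WordPress plugin system, so it should be confirmed that the data-driven path can actually detect BackupBuddy on a target; if it relies on the plugin living under the plugins directory, this change trades a working detection for an entry that never fires. The element names of the entry are not visible on this page, so the surrounding structure could not be checked.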
@@ -155,16 +155,6 @@ class WpTarget < WebSite resp.code == 200 && resp.body[%r{by interconnect}i] end - # FIXME: a plugin which does not follow the wordpress plugin system - def backupbuddy_url - @uri.merge('importbuddy.php').to_s - end - - def has_backupbuddy? - response = Browser.instance.get(backupbuddy_url) - response.code == 200 && response.body[%r{BackupBuddy}i] - end - # Should check wp-login.php if registration is enabled or not def registration_enabled? resp = Browser.instance.get(registration_url) diff --git a/main.rb b/main.rb index 1751fc45..71d95256 100644 --- a/main.rb +++ b/main.rb @@ -170,14 +170,6 @@ def main puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}'") end - if wp_target.has_backupbuddy? - puts red("[!] BackupBuddy has been found") - puts ' |' - puts " | Location: #{wp_target.backupbuddy_url}" - puts ' | ' + red('* Reference: http://seclists.org/fulldisclosure/2013/Mar/206') - puts - end - if wp_target.is_multisite? puts green('[+]') + ' This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)' end diff --git a/wpscan.rb b/wpscan.rb index 9b13bd07..d21e5726 100755 --- a/wpscan.rb +++ b/wpscan.rb @@ -24,4 +24,4 @@ $: << '.' require File.dirname(__FILE__) + '/lib/wpscan/wpscan_helper' require File.dirname(__FILE__) + '/main' -main() \ No newline at end of file +main() From 3af01e7ded0a51e44459e92dee2b5a92e715d0a7 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Sat, 30 Mar 2013 23:25:33 +0100 Subject: [PATCH 08/12] Fix #158. Add the solution to 'no such file to load -- rubygems' in the README --- README | 6 ++++++ README.md | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/README b/README index d0cf21ba..3741f5e1 100644 --- a/README +++ b/README 
@@ -105,6 +105,12 @@ ryandewhurst at gmail See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details + - no such file to load -- rubygems + Run update-alternatives --config ruby + And select your ruby version + + See https://github.com/wpscanteam/wpscan/issues/148 + ==WPSCAN ARGUMENTS== diff --git a/README.md b/README.md index bb6aeafe..eaf2043f 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,13 @@ Prerequisites: See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details + - no such file to load -- rubygems + ```update-alternatives --config ruby``` + + And select your ruby version + + See https://github.com/wpscanteam/wpscan/issues/148 + #### WPSCAN ARGUMENTS --update Update to the latest revision From 84574533efb68d71f1af66649b0f0c6cd906d4a1 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Sat, 30 Mar 2013 23:27:46 +0100 Subject: [PATCH 09/12] README.md format --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index eaf2043f..cc53af5f 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,7 @@ Prerequisites: See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details - no such file to load -- rubygems + ```update-alternatives --config ruby``` And select your ruby version From 794321d9255023d49901cafe9020dd6f4ad552ad Mon Sep 17 00:00:00 2001 From: erwanlr Date: Sun, 31 Mar 2013 15:13:58 +0200 Subject: [PATCH 10/12] Fix #155 wp-funeral-press XSS --- data/plugin_vulns.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index cf1935fc..9c62bb4f 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -4121,4 +4121,12 @@ + + + WP FuneralPress - Stored XSS in Guestbook + http://seclists.org/fulldisclosure/2013/Mar/282 + XSS + + + From 9207493f31e75613e8531be89970b55faf0447ba Mon Sep 17 00:00:00 2001 
From: erwanlr Date: Mon, 1 Apr 2013 22:46:02 +0200 Subject: [PATCH 11/12] Ref #150 Backbuddy reference added --- data/plugin_vulns.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 9c62bb4f..ed6f2177 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -4117,6 +4117,7 @@ Backupbuddy - sensitive data exposure in importbuddy.php http://seclists.org/fulldisclosure/2013/Mar/206 + http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html UNKNOWN From 31735c4ca7aee1b0bdcd08739bc25cebd079e80c Mon Sep 17 00:00:00 2001 From: erwanlr Date: Mon, 1 Apr 2013 22:50:55 +0200 Subject: [PATCH 12/12] ofc_upload_image.php Arbitrary File Upload Vulnerability --- data/plugin_vulns.xml | 48 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index ed6f2177..7594af2d 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -4130,4 +4130,52 @@ + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + + + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + + + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + + + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + + + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + + + + + ofc_upload_image.php Arbitrary File Upload Vulnerability + http://www.exploit-db.com/exploits/24492/ + UPLOAD + + +
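Review bot: The six entries added in the `@@ -4130,4 +4130,52 @@` hunk are identical in title, reference and type (`UPLOAD`) and differ only in the element this page's extraction dropped (presumably the plugin name), so nothing in the data records that they share one root cause, and a later correction to the reference has to be made six times. An XML comment above the group such as `<!-- ofc_upload_image.php: same vulnerable uploader bundled by each plugin below; keep the entries in sync -->` would make the duplication deliberate and visible. The plugin names themselves could not be verified from this page.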