From 81d40e58f6bb0d2d08fc9b341ba6cd96ad0f2fb3 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 15 Sep 2012 21:33:18 +0200 Subject: [PATCH] Command line options and bugfixing --- lib/wpscan/modules/wp_themes.rb | 47 +++++++++++++++++++++++++++++++++ lib/wpscan/wp_target.rb | 4 ++- lib/wpscan/wpscan_helper.rb | 13 ++++++++- lib/wpscan/wpscan_options.rb | 24 ++++++++++++++++- wpscan.rb | 14 +++++++--- 5 files changed, 96 insertions(+), 6 deletions(-) create mode 100644 lib/wpscan/modules/wp_themes.rb diff --git a/lib/wpscan/modules/wp_themes.rb b/lib/wpscan/modules/wp_themes.rb new file mode 100644 index 00000000..957eb782 --- /dev/null +++ b/lib/wpscan/modules/wp_themes.rb 
@@ -0,0 +1,47 @@
+#--
+# WPScan - WordPress Security Scanner
+# Copyright (C) 2012
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#++
+
+module WpThemes
+
+ def themes_from_aggressive_detection(options)
+ options[:file] = "#{DATA_DIR}/themes.txt"
+ options[:vulns_file] = "#{DATA_DIR}/theme_vulns.xml"
+ options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
+ options[:type] = "themes"
+ result = WpDetector.aggressive_detection(options)
+ result
+ end
+
+ private
+
+ def themes_from_passive_detection(wp_content_dir)
+ themes = []
+ temp = WpDetector.passive_detection(url(), "themes", wp_content_dir)
+
+ temp.each do |item|
+ themes << WpPlugin.new(
+ :base_url => item[:base_url],
+ :name => item[:name],
+ :path => item[:path],
+ :wp_content_dir => wp_content_dir
+ )
+ end
+ themes
+ end
+
+end
diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index d68c94c1..89af3f91 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -26,6 +26,7 @@ class WpTarget
 include WpUsernames
 include WpTimthumbs
 include WpPlugins
+ include WpThemes
 include BruteForce
 
 @error_404_hash = nil
@@ -50,7 +51,8 @@ class WpTarget
 url = @uri.merge("wp-login.php").to_s
 
 # Let's check if the login url is redirected (to https url for example)
- if redirection == redirection(url)
+ redirection = redirection(url)
+ if redirection
 url = redirection
 end
 
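Review bot: `themes_from_passive_detection` wraps every detected theme in `WpPlugin.new(...)`, so callers receive plugin objects for themes; wpscan.rb already treats `wp_target.theme` as an object with a `version` method, so a theme class appears to exist and is presumably what belongs here (`themes << WpTheme.new(` — confirm the class name against lib/wpscan). `themes_from_aggressive_detection` also overwrites four keys of the caller's `options` hash in place rather than working on a copy, e.g. `opts = options.merge(:file => "#{DATA_DIR}/themes.txt", :vulns_file => "#{DATA_DIR}/theme_vulns.xml", ...)`, and the trailing `result = ...; result` can simply be the call. The XPath `//theme[@name='#{@name}']/vulnerability` interpolates `@name` unquoted, so a single quote in a name breaks the query, and since this module is mixed into `WpTarget` it is not obvious from here that `@name` is set on that object at all — worth a comment stating where the name is expected to come from.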
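Review bot: `redirection = redirection(url)` introduces a local with the same name as the method it calls; Ruby accepts it because the call carries parentheses, but every later bare `redirection` in this method now reads the local, which is easy to misread and to break on a later edit. A distinct name, `login_redirection = redirection(url)` / `url = login_redirection if login_redirection`, avoids that. Separately, whatever the Location header names is adopted as the login URL with no check that its host matches `@uri`, so if the target redirects off-site, the brute-force requests (and the credentials in them) would be sent to that other host; a host comparison or at least a printed warning would be prudent. The enclosing method starts before and ends after this hunk.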
diff --git a/lib/wpscan/wpscan_helper.rb b/lib/wpscan/wpscan_helper.rb
index e3d29d8b..4e55dfed 100644
--- a/lib/wpscan/wpscan_helper.rb
+++ b/lib/wpscan/wpscan_helper.rb
@@ -36,9 +36,18 @@ def usage()
 puts "-Do wordlist password brute force on the 'admin' username only ..."
 puts "ruby #{script_name} --url www.example.com --wordlist darkc0de.lst --username admin"
 puts
- puts "-Enumerate instaled plugins ..."
+ puts "-Enumerate installed plugins ..."
 puts "ruby #{script_name} --url www.example.com --enumerate p"
 puts
+ puts "-Enumerate installed themes ..."
+ puts "ruby #{script_name} --url www.example.com --enumerate T"
+ puts
+ puts "-Enumerate users ..."
+ puts "ruby #{script_name} --url www.example.com --enumerate u"
+ puts
+ puts "-Enumerate installed timthumbs ..."
+ puts "ruby #{script_name} --url www.example.com --enumerate t"
+ puts
 puts "-Use a HTTP proxy ..."
 puts "ruby #{script_name} --url www.example.com --proxy 127.0.0.1:8118"
 puts
@@ -72,6 +81,8 @@ def help()
 puts " p plugins"
 puts " p! only vulnerable plugins"
 puts " t timthumbs"
+ puts " T themes"
+ puts " T! only vulnerable themes"
 puts " Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins"
 puts " If no option is supplied, the default is 'tup!'"
 puts
diff --git a/lib/wpscan/wpscan_options.rb b/lib/wpscan/wpscan_options.rb
index 15a344ff..d09cd1d4 100644
--- a/lib/wpscan/wpscan_options.rb
+++ b/lib/wpscan/wpscan_options.rb
@@ -21,6 +21,8 @@ class WpscanOptions
 ACCESSOR_OPTIONS = [
 :enumerate_plugins,
 :enumerate_only_vulnerable_plugins,
+ :enumerate_themes,
+ :enumerate_only_vulnerable_themes,
 :enumerate_timthumbs,
 :enumerate_usernames,
 :enumerate_usernames_range,
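Review bot: The help line two rows below the new `T` / `T!` entries still states that the default is `'tup!'`, while this same commit changes the default in wpscan_options.rb to `"Ttup!"`; it should read `puts " If no option is supplied, the default is 'Ttup!'"`. Since `T` (themes) and `t` (timthumbs) now differ only in case, a short clarification in the `T themes` line, e.g. `puts " T themes (upper case; lower case t is timthumbs)"`, would spare users a confusing flag mix-up.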
@@ -88,6 +90,22 @@ class WpscanOptions
 end
 end
 
+ def enumerate_themes=(enumerate_themes)
+ if enumerate_themes === true and @enumerate_only_vulnerable_themes === true
+ raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ else
+ @enumerate_themes = enumerate_themes
+ end
+ end
+
+ def enumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
+ if enumerate_only_vulnerable_themes === true and @enumerate_plugins === true
+ raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+ else
+ @enumerate_only_vulnerable_themes = enumerate_only_vulnerable_themes
+ end
+ end
+
 def has_options?
 !to_h.empty?
 end
@@ -131,7 +149,7 @@ class WpscanOptions
 )
 elsif cli_option === "--enumerate" # Special cases
 # Default value if no argument is given
- cli_value = "tup!" if cli_value.length == 0
+ cli_value = "Ttup!" if cli_value.length == 0
 
 enumerate_options_from_string(cli_value)
 else
@@ -151,6 +169,10 @@ class WpscanOptions
 @enumerate_timthumbs = true if value =~ /t/
+ self.enumerate_only_vulnerable_themes = true if value =~ /T!/
+
+ self.enumerate_themes = true if value =~ /T(?!!)/
+
 if value =~ /u/
 @enumerate_usernames = true
 # Check for usernames range
diff --git a/wpscan.rb b/wpscan.rb
index aac4028a..f42a0ece 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -53,7 +53,8 @@ begin
 raise "The WordPress URL supplied '#{wp_target.uri}' seems to be down."
 end
 
- if redirection = wp_target.redirection
+ redirection = wp_target.redirection
+ if redirection
 if wpscan_options.follow_redirection
 puts "Following redirection #{redirection}"
 puts
@@ -87,7 +88,8 @@ begin
 puts "| Started on #{Time.now.asctime}"
 puts
 
- if wp_theme == wp_target.theme
+ wp_theme = wp_target.theme
+ if wp_theme
 theme_version = wp_theme.version
 puts "[!] The WordPress theme in use is #{wp_theme}"
 
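Review bot: `enumerate_only_vulnerable_themes=` tests `@enumerate_plugins === true`, which looks like a copy-paste slip from the plugin setter: the exclusion it enforces, and the error message it raises, are about themes, so the condition should be `if enumerate_only_vulnerable_themes === true and @enumerate_themes === true`. As written, a request that enables plugins and `T!` together is rejected with a message about themes, while the real `T` + `T!` clash is only caught because `enumerate_themes=` happens to run second in `enumerate_options_from_string`. Stylistically, `&&` rather than `and` and a plain truthiness test (`if enumerate_only_vulnerable_themes && @enumerate_themes`) would be idiomatic, given the visible callers only ever pass `true`.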
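Review bot: Making `"Ttup!"` the default `--enumerate` value switches theme enumeration on for every default scan, but in this same commit the wpscan.rb branch for `enumerate_themes` is a stub that only prints `Need to implement theme enumerating`, and help() still advertises `'tup!'` as the default. Either keep `cli_value = "tup!" if cli_value.length == 0` until the theme path is wired to `themes_from_aggressive_detection`, or update the help text together with this change so the documented and actual defaults agree.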
@@ -130,7 +132,8 @@ begin
 puts
 end
 
- if wp_version == wp_target.version
+ wp_version = wp_target.version
+ if wp_version
 puts "[!] WordPress version #{wp_version.number} identified from #{wp_version.discovery_method}"
 version_vulnerabilities = wp_version.vulnerabilities
 
@@ -221,6 +224,11 @@ begin
 end
 end
 
+ #TODO: Enumerate Themes
+ if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes
+ puts "Need to implement theme enumerating"
+ end
+
 if wpscan_options.enumerate_timthumbs
 puts
 puts "[+] Enumerating timthumb files ..."
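Review bot: The theme branch is only a placeholder, `puts "Need to implement theme enumerating"`, yet the default `--enumerate` value introduced in wpscan_options.rb by this commit includes `T`, so every default run will print this message. If the feature is not ready, the default should not select it; if it is meant to ship, the block should call the new `WpThemes#themes_from_aggressive_detection` and report results in the same shape as the timthumb block that follows. Also prefer `||` over `or` in the condition, matching the style guide. The surrounding `begin` block starts before and ends after this hunk.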