Command line options and bugfixing

lib/wpscan/modules/wp_themes.rb

@@ -0,0 +1,47 @@
+#--
+# WPScan - WordPress Security Scanner
+# Copyright (C) 2012
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+module WpThemes
+
+  def themes_from_aggressive_detection(options)
+    options[:file]        = "#{DATA_DIR}/themes.txt"
+    options[:vulns_file]  = "#{DATA_DIR}/theme_vulns.xml"
+    options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
+    options[:type]        = "themes"
+    result = WpDetector.aggressive_detection(options)
+    result
+  end
+
+  private
+
+  def themes_from_passive_detection(wp_content_dir)
+    themes = []
+    temp = WpDetector.passive_detection(url(), "themes", wp_content_dir)
+
+    temp.each do |item|
+      themes << WpPlugin.new(
+          :base_url       => item[:base_url],
+          :name           => item[:name],
+          :path           => item[:path],
+          :wp_content_dir => wp_content_dir
+      )
+    end
+    themes
+  end
+
+end

lib/wpscan/wp_target.rb

@@ -26,6 +26,7 @@ class WpTarget
   include WpUsernames
   include WpTimthumbs
   include WpPlugins
+  include WpThemes
   include BruteForce
 
   @error_404_hash = nil
@@ -50,7 +51,8 @@ class WpTarget
     url = @uri.merge("wp-login.php").to_s
 
     # Let's check if the login url is redirected (to https url for example)
-    if redirection == redirection(url)
+    redirection = redirection(url)
+    if redirection
       url = redirection
     end
 

lib/wpscan/wpscan_helper.rb

@@ -36,9 +36,18 @@ def usage()
   puts "-Do wordlist password brute force on the 'admin' username only ..."
   puts "ruby #{script_name} --url www.example.com --wordlist darkc0de.lst --username admin"
   puts
-  puts "-Enumerate instaled plugins ..."
+  puts "-Enumerate installed plugins ..."
   puts "ruby #{script_name} --url www.example.com --enumerate p"
   puts
+  puts "-Enumerate installed themes ..."
+  puts "ruby #{script_name} --url www.example.com --enumerate T"
+  puts
+  puts "-Enumerate users ..."
+  puts "ruby #{script_name} --url www.example.com --enumerate u"
+  puts
+  puts "-Enumerate installed timthumbs ..."
+  puts "ruby #{script_name} --url www.example.com --enumerate t"
+  puts
   puts "-Use a HTTP proxy ..."
   puts "ruby #{script_name} --url www.example.com --proxy 127.0.0.1:8118"
   puts
@@ -72,6 +81,8 @@ def help()
   puts "    p        plugins"
   puts "    p!       only vulnerable plugins"
   puts "    t        timthumbs"
+  puts "    T        themes"
+  puts "    T!       only vulnerable themes"
   puts "  Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins"
   puts "  If no option is supplied, the default is 'tup!'"
   puts

lib/wpscan/wpscan_options.rb

@@ -21,6 +21,8 @@ class WpscanOptions
   ACCESSOR_OPTIONS = [
     :enumerate_plugins,
     :enumerate_only_vulnerable_plugins,
+    :enumerate_themes,
+    :enumerate_only_vulnerable_themes,
     :enumerate_timthumbs,
     :enumerate_usernames,
     :enumerate_usernames_range,
@@ -88,6 +90,22 @@ class WpscanOptions
     end
   end
 
+  def enumerate_themes=(enumerate_themes)
+    if enumerate_themes === true and @enumerate_only_vulnerable_themes === true
+      raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+    else
+      @enumerate_themes = enumerate_themes
+    end
+  end
+
+  def enumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
+    if enumerate_only_vulnerable_themes === true and @enumerate_plugins === true
+      raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
+    else
+      @enumerate_only_vulnerable_themes = enumerate_only_vulnerable_themes
+    end
+  end
+
   def has_options?
     !to_h.empty?
   end
@@ -131,7 +149,7 @@ class WpscanOptions
       )
     elsif cli_option === "--enumerate" # Special cases
       # Default value if no argument is given
-      cli_value = "tup!" if cli_value.length == 0
+      cli_value = "Ttup!" if cli_value.length == 0
 
       enumerate_options_from_string(cli_value)
     else
@@ -151,6 +169,10 @@ class WpscanOptions
 
     @enumerate_timthumbs = true if value =~ /t/
 
+    self.enumerate_only_vulnerable_themes = true if value =~ /T!/
+
+    self.enumerate_themes = true if value =~ /T(?!!)/
+
     if value =~ /u/
       @enumerate_usernames = true
       # Check for usernames range