Command line options and bugfixing

Christian Mehlmauer
2012-09-15 21:33:18 +02:00
parent c187f0096e
commit 81d40e58f6
5 changed files with 96 additions and 6 deletions


@@ -0,0 +1,47 @@
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
module WpThemes
def themes_from_aggressive_detection(options)
options[:file] = "#{DATA_DIR}/themes.txt"
options[:vulns_file] = "#{DATA_DIR}/theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:type] = "themes"
result = WpDetector.aggressive_detection(options)
result
end
private
def themes_from_passive_detection(wp_content_dir)
themes = []
temp = WpDetector.passive_detection(url(), "themes", wp_content_dir)
temp.each do |item|
themes << WpPlugin.new(
:base_url => item[:base_url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => wp_content_dir
)
end
themes
end
end
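Review bot: `themes_from_passive_detection` wraps each hit in `WpPlugin.new(`, which looks like a leftover from the plugin module this file mirrors. Passively detected themes would then be handled as plugins by whatever consumes the list, including any vulnerability lookup. The item should presumably be built with the class that `wp_target.theme` returns, if its constructor accepts the same keys. Separately, `options[:vulns_xpath]` interpolates `@name` straight into the XPath string; it is not visible here where `@name` is set once the module is mixed into `WpTarget`, and a name containing a single quote would break the expression, so that value is worth checking or escaping. A short comment on each method saying what `options` must contain and that it is modified in place would also help callers.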


@@ -26,6 +26,7 @@ class WpTarget
include WpUsernames include WpUsernames
include WpTimthumbs include WpTimthumbs
include WpPlugins include WpPlugins
include WpThemes
include BruteForce include BruteForce
@error_404_hash = nil @error_404_hash = nil
@@ -50,7 +51,8 @@ class WpTarget
url = @uri.merge("wp-login.php").to_s url = @uri.merge("wp-login.php").to_s
# Let's check if the login url is redirected (to https url for example) # Let's check if the login url is redirected (to https url for example)
if redirection == redirection(url) redirection = redirection(url)
if redirection
url = redirection url = redirection
end end
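Review bot: The redirect target replaces the login URL in the second hunk with no check that it still points at the host the user asked to scan. If `wp-login.php` redirects off-site, later login requests would presumably go to that other host. A guard such as `url = redirection if URI.parse(redirection).host == @uri.host` would keep the scan in scope, assuming `redirection(url)` returns an absolute URL string; printing a warning in the other case would make the skip visible. The new local `redirection` also shadows the `redirection(url)` method it is assigned from, so a name like `redirect_url` would read more clearly. The enclosing method starts and ends outside the hunk.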


@@ -36,9 +36,18 @@ def usage()
puts "-Do wordlist password brute force on the 'admin' username only ..." puts "-Do wordlist password brute force on the 'admin' username only ..."
puts "ruby #{script_name} --url www.example.com --wordlist darkc0de.lst --username admin" puts "ruby #{script_name} --url www.example.com --wordlist darkc0de.lst --username admin"
puts puts
puts "-Enumerate instaled plugins ..." puts "-Enumerate installed plugins ..."
puts "ruby #{script_name} --url www.example.com --enumerate p" puts "ruby #{script_name} --url www.example.com --enumerate p"
puts puts
puts "-Enumerate installed themes ..."
puts "ruby #{script_name} --url www.example.com --enumerate T"
puts
puts "-Enumerate users ..."
puts "ruby #{script_name} --url www.example.com --enumerate u"
puts
puts "-Enumerate installed timthumbs ..."
puts "ruby #{script_name} --url www.example.com --enumerate t"
puts
puts "-Use a HTTP proxy ..." puts "-Use a HTTP proxy ..."
puts "ruby #{script_name} --url www.example.com --proxy 127.0.0.1:8118" puts "ruby #{script_name} --url www.example.com --proxy 127.0.0.1:8118"
puts puts
@@ -72,6 +81,8 @@ def help()
puts " p plugins" puts " p plugins"
puts " p! only vulnerable plugins" puts " p! only vulnerable plugins"
puts " t timthumbs" puts " t timthumbs"
puts " T themes"
puts " T! only vulnerable themes"
puts " Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins" puts " Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins"
puts " If no option is supplied, the default is 'tup!'" puts " If no option is supplied, the default is 'tup!'"
puts puts
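Review bot: The context line in `help()` still reads `If no option is supplied, the default is 'tup!'`, while the same commit changes the parser default in `WpscanOptions` to `"Ttup!"`. The help text and the parser need to agree, so whichever default is kept should be shown here, e.g. `the default is 'Ttup!'`. The example on the line above (`'-e tp' will enumerate timthumbs and plugins`) could also mention that `T` and `t` are distinct, since the two options now differ only by case.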


@@ -21,6 +21,8 @@ class WpscanOptions
ACCESSOR_OPTIONS = [ ACCESSOR_OPTIONS = [
:enumerate_plugins, :enumerate_plugins,
:enumerate_only_vulnerable_plugins, :enumerate_only_vulnerable_plugins,
:enumerate_themes,
:enumerate_only_vulnerable_themes,
:enumerate_timthumbs, :enumerate_timthumbs,
:enumerate_usernames, :enumerate_usernames,
:enumerate_usernames_range, :enumerate_usernames_range,
@@ -88,6 +90,22 @@ class WpscanOptions
end end
end end
def enumerate_themes=(enumerate_themes)
if enumerate_themes === true and @enumerate_only_vulnerable_themes === true
raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
else
@enumerate_themes = enumerate_themes
end
end
def enumerate_only_vulnerable_themes=(enumerate_only_vulnerable_themes)
if enumerate_only_vulnerable_themes === true and @enumerate_plugins === true
raise "You can't enumerate themes and only vulnerable themes at the same time, please choose only one"
else
@enumerate_only_vulnerable_themes = enumerate_only_vulnerable_themes
end
end
def has_options? def has_options?
!to_h.empty? !to_h.empty?
end end
@@ -131,7 +149,7 @@ class WpscanOptions
) )
elsif cli_option === "--enumerate" # Special cases elsif cli_option === "--enumerate" # Special cases
# Default value if no argument is given # Default value if no argument is given
cli_value = "tup!" if cli_value.length == 0 cli_value = "Ttup!" if cli_value.length == 0
enumerate_options_from_string(cli_value) enumerate_options_from_string(cli_value)
else else
@@ -151,6 +169,10 @@ class WpscanOptions
@enumerate_timthumbs = true if value =~ /t/ @enumerate_timthumbs = true if value =~ /t/
self.enumerate_only_vulnerable_themes = true if value =~ /T!/
self.enumerate_themes = true if value =~ /T(?!!)/
if value =~ /u/ if value =~ /u/
@enumerate_usernames = true @enumerate_usernames = true
# Check for usernames range # Check for usernames range
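Review bot: The new `enumerate_only_vulnerable_themes=` setter tests `@enumerate_plugins === true` where it should test `@enumerate_themes`, apparently a copy-paste slip from the plugin setters. As written, a combination such as `-e pT!` would likely raise the "themes and only vulnerable themes" error even though no conflicting theme option was given, depending on the order in which the plugin flags are parsed, which is outside the hunk. The real conflict is also only caught by the other setter. The condition should be `if enumerate_only_vulnerable_themes === true and @enumerate_themes === true`. The `/T!/` and `/T(?!!)/` checks in the last hunk are correct for the new default `"Ttup!"`, but a one-line comment explaining the negative lookahead would help the next reader.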


@@ -53,7 +53,8 @@ begin
raise "The WordPress URL supplied '#{wp_target.uri}' seems to be down." raise "The WordPress URL supplied '#{wp_target.uri}' seems to be down."
end end
if redirection = wp_target.redirection redirection = wp_target.redirection
if redirection
if wpscan_options.follow_redirection if wpscan_options.follow_redirection
puts "Following redirection #{redirection}" puts "Following redirection #{redirection}"
puts puts
@@ -87,7 +88,8 @@ begin
puts "| Started on #{Time.now.asctime}" puts "| Started on #{Time.now.asctime}"
puts puts
if wp_theme == wp_target.theme wp_theme = wp_target.theme
if wp_theme
theme_version = wp_theme.version theme_version = wp_theme.version
puts "[!] The WordPress theme in use is #{wp_theme}" puts "[!] The WordPress theme in use is #{wp_theme}"
@@ -130,7 +132,8 @@ begin
puts puts
end end
if wp_version == wp_target.version wp_version = wp_target.version
if wp_version
puts "[!] WordPress version #{wp_version.number} identified from #{wp_version.discovery_method}" puts "[!] WordPress version #{wp_version.number} identified from #{wp_version.discovery_method}"
version_vulnerabilities = wp_version.vulnerabilities version_vulnerabilities = wp_version.vulnerabilities
@@ -221,6 +224,11 @@ begin
end end
end end
#TODO: Enumerate Themes
if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes
puts "Need to implement theme enumerating"
end
if wpscan_options.enumerate_timthumbs if wpscan_options.enumerate_timthumbs
puts puts
puts "[+] Enumerating timthumb files ..." puts "[+] Enumerating timthumb files ..."
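Review bot: The stub branch added before the timthumb block is now reached on every bare `--enumerate`, because the parser default in `WpscanOptions` was changed to `"Ttup!"` in this same commit. Default runs therefore print `Need to implement theme enumerating`, without the `[+]`/`[!]` prefix the rest of the output uses, and the new `WpThemes` methods are never called. Until this branch is wired to `themes_from_aggressive_detection`, leaving `T` out of the default would keep existing output unchanged; alternatively the message could be emitted as `puts "[!] Theme enumeration is not implemented yet"`. The enclosing `begin` block starts and ends outside the hunk.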