Merge pull request #1595 from wpscanteam/dev

Dev

app/controllers/core.rb

@@ -8,13 +8,13 @@ module WPScan
       def cli_options
         [OptURL.new(['--url URL', 'The URL of the blog to scan'],
                     required_unless: %i[update help hh version], default_protocol: 'http')] +
-          super.drop(1) + # delete the --url from CMSScanner
+          super.drop(2) + # delete the --url and --force from CMSScanner
           [
             OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
                           choices: %w[apache iis nginx],
                           normalize: %i[downcase to_sym],
                           advanced: true),
-            OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress or returns a 403']),
             OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
           ]
       end

app/finders/interesting_findings.rb

@@ -6,6 +6,7 @@ require_relative 'interesting_findings/multisite'
 require_relative 'interesting_findings/debug_log'
 require_relative 'interesting_findings/backup_db'
 require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/php_disabled'
 require_relative 'interesting_findings/registration'
 require_relative 'interesting_findings/tmm_db_migrate'
 require_relative 'interesting_findings/upload_sql_dump'
@@ -26,7 +27,7 @@ module WPScan
           %w[
             Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
             Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-            UploadSQLDump EmergencyPwdResetScript WPCron
+            UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
           ].each do |f|
             finders << InterestingFindings.const_get(f).new(target)
           end

app/finders/interesting_findings/php_disabled.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

app/models/interesting_finding.rb

@@ -132,5 +132,19 @@ module WPScan
         }
       end
     end
+
+    class PHPDisabled < InterestingFinding
+      # @return [ String ]
+      def to_s
+        @to_s ||= 'PHP seems to be disabled'
+      end
+
+      # @return [ Hash ]
+      def references
+        @references ||= {
+          url: ['https://github.com/wpscanteam/wpscan/issues/1593']
+        }
+      end
+    end
   end
 end

spec/app/finders/interesting_findings/php_disabled_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::InterestingFindings::PHPDisabled do
+  subject(:finder) { described_class.new(target) }
+  let(:target)     { WPScan::Target.new(url).extend(CMSScanner::Target::Server::Apache) }
+  let(:url)        { 'http://ex.lo/' }
+  let(:fixtures)   { FINDERS_FIXTURES.join('interesting_findings', 'php_disabled') }
+  let(:file_path)  { 'wp-includes/version.php' }
+  let(:file_url)   { target.url(file_path) }
+
+  describe '#aggressive' do
+    before do
+      expect(target).to receive(:sub_dir).at_least(1).and_return(false)
+      expect(target).to receive(:head_or_get_params).and_return(method: :head)
+    end
+
+    context 'when not a 200' do
+      it 'return nil' do
+        stub_request(:head, file_url).to_return(status: 404)
+
+        expect(finder.aggressive).to eql nil
+      end
+    end
+
+    context 'when a 200' do
+      before do
+        stub_request(:head, file_url)
+        stub_request(:get, file_url).to_return(body: body)
+      end
+
+      context 'when the body does not match' do
+        let(:body) { '' }
+
+        its(:aggressive) { should be_nil }
+      end
+
+      context 'when the body matches' do
+        let(:body) { File.read(fixtures.join('version.php')) }
+
+        it 'returns the PHPDisabled' do
+          expect(finder.aggressive).to eql WPScan::Model::PHPDisabled.new(
+            file_url,
+            confidence: 100,
+            found_by: described_class::DIRECT_ACCESS
+          )
+        end
+      end
+    end
+  end
+end

spec/app/finders/interesting_findings_spec.rb

@@ -10,7 +10,7 @@ describe WPScan::Finders::InterestingFindings::Base do
       %w[
         Readme DebugLog FullPathDisclosure
         Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-        UploadSQLDump
+        UploadSQLDump PHPDisabled
       ]
     end
 

spec/fixtures/finders/interesting_findings/php_disabled/version.php

@@ -0,0 +1,44 @@
+<?php
+/**
+ * WordPress Version
+ *
+ * Contains version information for the current WordPress release.
+ *
+ * @package WordPress
+ * @since 1.1.0
+ */
+
+/**
+ * The WordPress version string.
+ *
+ * @global string $wp_version
+ */
+$wp_version = '5.6';
+
+/**
+ * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
+ *
+ * @global int $wp_db_version
+ */
+$wp_db_version = 49752;
+
+/**
+ * Holds the TinyMCE version.
+ *
+ * @global string $tinymce_version
+ */
+$tinymce_version = '49110-20201110';
+
+/**
+ * Holds the required PHP version.
+ *
+ * @global string $required_php_version
+ */
+$required_php_version = '5.6.20';
+
+/**
+ * Holds the required MySQL version.
+ *
+ * @global string $required_mysql_version
+ */
+$required_mysql_version = '5.0';

wpscan.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
   s.executables           = ['wpscan']
   s.require_paths         = ['lib']
 
-  s.add_dependency 'cms_scanner', '~> 0.12.2'
+  s.add_dependency 'cms_scanner', '~> 0.13.0'
 
   s.add_development_dependency 'bundler',             '>= 1.6'
   s.add_development_dependency 'memory_profiler',     '~> 1.0.0'