Fix #98 wpstools options to locally scan a wp installation for vulnerable files

2013-01-07 14:24:21 +01:00
parent db7416c5a6
commit 87d5d93030
6 changed files with 115 additions and 6 deletions
--- a/4
+++ b/4
@@ -169,12 +169,16 @@ Enumerate instaled plugins...
 --update  | -u   Update to the latest revision.
 --generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
 --gpl  Alias for --generate_plugin_list
+--check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells

 ==WPSTOOLS EXAMPLES==

 - Generate a new 'most popular' plugin list, up to 150 pages ...
 ruby wpstools.rb --generate_plugin_list 150

+- Locally scan a wordpress installation for vulnerable files or shells :
+ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/
+
 ===PROJECT HOME===

 www.wpscan.org
--- a/README.md
+++ b/README.md
@@ -187,6 +187,7 @@ Update WPScan...
    --update  | -u   Update to the latest revision.
    --generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
    --gpl  Alias for --generate_plugin_list
+    --check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells

 #### WPSTOOLS EXAMPLES

@@ -194,6 +195,10 @@ Generate a new 'most popular' plugin list, up to 150 pages...

 ```ruby wpstools.rb --generate_plugin_list 150```

+Locally scan a wordpress installation for vulnerable files or shells :
+```ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/```
+
+
 #### PROJECT HOME

 www.wpscan.org
--- a/data/local_vulnerable_files.xml
+++ b/data/local_vulnerable_files.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+WPScan - WordPress Security Scanner
+Copyright (C) 2011  Ryan Dewhurst AKA ethicalhack3r
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ryandewhurst at gmail
+
+  <hash sha1="">
+    <title></title>
+    <file></file>
+    <reference></reference>
+  </hash>
+
+-->
+
+<hashes>
+
+  <hash sha1="17c372678aafb3bc1a7b37320b5cc1d8af433527">
+    <title>XSS in swfupload.swf</title>
+    <file>swfupload.swf</file>
+    <reference>http://brindi.si/g/blog/vulnerable-swf-bundled-in-wordpress-plugins.html</reference>
+  </hash>
+
+</hashes>
+
--- a/lib/environment.rb
+++ b/lib/environment.rb
@@ -25,6 +25,7 @@ begin
  require 'resolv'
  require 'xmlrpc/client'
  require 'digest/md5'
+  require 'digest/sha1'
  require 'readline'
  require 'base64'
  require 'cgi'
--- a/lib/wpstools/wpstools_helper.rb
+++ b/lib/wpstools/wpstools_helper.rb
@@ -28,19 +28,22 @@ def usage()
  puts "Examples:"
  puts
  puts "- Generate a new 'most popular' plugin list, up to 150 pages ..."
-  puts "ruby " + script_name + " --generate_plugin_list 150"
+  puts "ruby #{script_name} --generate_plugin_list 150"
  puts
  puts "- Generate a new full plugin list"
-  puts "ruby " + script_name + " --generate_full_plugin_list"
+  puts "ruby #{script_name} --generate_full_plugin_list"
  puts
  puts "- Generate a new 'most popular' theme list, up to 150 pages ..."
-  puts "ruby " + script_name + " --generate_theme_list 150"
+  puts "ruby #{script_name} --generate_theme_list 150"
  puts
  puts "- Generate a new full theme list"
-  puts "ruby " + script_name + " --generate_full_theme_list"
+  puts "ruby #{script_name} --generate_full_theme_list"
  puts
  puts "- Generate all list"
-  puts "ruby " + script_name + " --generate_all"
+  puts "ruby #{script_name} --generate_all"
+  puts
+  puts "Locally scan a wordpress installation for vulnerable files or shells"
+  puts "ruby #{script_name} --check-local-vulnerable-files /var/www/wordpress/"
  puts
  puts "See README for further information."
  puts
@@ -63,5 +66,6 @@ def help()
  puts "--generate_all  Generate a new full plugins, full themes, popular plugins and popular themes list"
  puts "--ga  Alias for --generate_all"
  puts "--check-vuln-ref-urls | --cvru  Check all the vulnerabilities reference urls for 404"
+  puts "--check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells"
  puts
 end
--- a/wpstools.rb
+++ b/wpstools.rb
@@ -46,7 +46,9 @@ begin
      ["--ga", GetoptLong::OPTIONAL_ARGUMENT],            # Alias for --generate_all
      ["--update", "-u", GetoptLong::NO_ARGUMENT],
      ["--check-vuln-ref-urls", GetoptLong::NO_ARGUMENT],
-      ["--cvru", GetoptLong::NO_ARGUMENT]                 # Alias for --check-vuln-ref-urls
+      ["--cvru", GetoptLong::NO_ARGUMENT],                 # Alias for --check-vuln-ref-urls
+      ["--check-local-vulnerable-files", GetoptLong::REQUIRED_ARGUMENT],
+      ["--clvf", GetoptLong::REQUIRED_ARGUMENT]            # Alias for --check-local-vulnerable-files
  )

  options.each do |option, argument|
@@ -88,6 +90,9 @@ begin
        @generate_full_plugin_list = true
      when "--check-vuln-ref-urls", "--cvru"
        @check_vuln_ref_urls = true
+      when "--check-local-vulnerable-files", "--clvf"
+        @check_local_vulnerable_files = true
+        @dir_to_scan                  = argument
    end
  end

@@ -179,6 +184,57 @@ begin
    end
  end

+  if @check_local_vulnerable_files
+    if Dir::exist?(@dir_to_scan)
+      local_hashes   = {}
+      xml_file = DATA_DIR + "/local_vulnerable_files.xml"
+
+      print "[+] Generating local hashes ... "
+
+      Dir[File::join(@dir_to_scan, "**", "*.{js,php,swf}")].each do |filename|
+        sha1sum = Digest::SHA1.file(filename).hexdigest
+
+        if local_hashes.has_key?(sha1sum)
+          local_hashes[sha1sum] << filename
+        else
+          local_hashes[sha1sum] = [filename]
+        end
+      end
+
+      puts "done."
+
+      puts "[+] Checking for vulnerable files ..."
+
+      xml = Nokogiri::XML(File.open(xml_file)) do |config|
+        config.noblanks
+      end
+
+      xml.xpath("//hash").each do |node|
+        sha1sum = node.attribute("sha1").text
+
+        if local_hashes.has_key?(sha1sum)
+          local_filenames = local_hashes[sha1sum]
+          vuln_title      = node.search("title").text
+          vuln_filename   = node.search("file").text
+          vuln_refrence   = node.search("reference").text
+
+          puts "  #{vuln_filename} found :"
+          puts "  | Location(s):"
+          local_filenames.each do |file|
+            puts "  |  - #{file}"
+          end
+          puts "  | Title: #{vuln_title}"
+          puts "  | Refrence: #{vuln_refrence}"
+        end
+      end
+
+      puts "done."
+
+    else
+      puts "The supplied directory '#{@dir_to_scan}' does not exist"
+    end
+  end
+
 rescue => e
  puts "[ERROR] #{e.message}"
  puts "Trace :"