From 898e8d454645b0eee8221a0d87ed86947c646f95 Mon Sep 17 00:00:00 2001 
From: erwanlr Date: Tue, 19 Mar 2019 21:07:53 +0000 Subject: [PATCH] Moves Models into their own namespace - Ref #1315 --- app/controllers/core.rb | 2 +- app/controllers/password_attack.rb | 4 +- app/finders/config_backups/known_filenames.rb | 4 +- app/finders/db_exports/known_locations.rb | 4 +- app/finders/interesting_findings/backup_db.rb | 2 +- app/finders/interesting_findings/debug_log.rb | 2 +- .../duplicator_installer_log.rb | 2 +- .../emergency_pwd_reset_script.rb | 2 +- .../full_path_disclosure.rb | 2 +- .../interesting_findings/mu_plugins.rb | 4 +- app/finders/interesting_findings/multisite.rb | 2 +- app/finders/interesting_findings/readme.rb | 2 +- .../interesting_findings/registration.rb | 2 +- .../interesting_findings/tmm_db_migrate.rb | 2 +- .../upload_directory_listing.rb | 2 +- .../interesting_findings/upload_sql_dump.rb | 2 +- app/finders/interesting_findings/wp_cron.rb | 2 +- app/finders/main_theme/css_style.rb | 2 +- app/finders/main_theme/urls_in_homepage.rb | 2 +- .../woo_framework_meta_generator.rb | 2 +- .../medias/attachment_brute_forcing.rb | 2 +- app/finders/passwords/xml_rpc_multicall.rb | 4 +- app/finders/plugin_version.rb | 4 +- app/finders/plugin_version/readme.rb | 4 +- app/finders/plugins/body_pattern.rb | 2 +- app/finders/plugins/comment.rb | 2 +- app/finders/plugins/config_parser.rb | 2 +- app/finders/plugins/header_pattern.rb | 2 +- app/finders/plugins/javascript_var.rb | 2 +- app/finders/plugins/known_locations.rb | 2 +- app/finders/plugins/urls_in_homepage.rb | 2 +- app/finders/plugins/xpath.rb | 2 +- app/finders/theme_version.rb | 4 +- app/finders/theme_version/style.rb | 2 +- .../woo_framework_meta_generator.rb | 2 +- app/finders/themes/known_locations.rb | 2 +- app/finders/themes/urls_in_homepage.rb | 2 +- app/finders/timthumb_version.rb | 2 +- app/finders/timthumb_version/bad_request.rb | 2 +- app/finders/timthumbs/known_locations.rb | 2 +- app/finders/users/author_id_brute_forcing.rb | 2 +- app/finders/users/author_posts.rb 
| 2 +- app/finders/users/login_error_messages.rb | 2 +- app/finders/users/oembed_api.rb | 8 +- app/finders/users/rss_generator.rb | 2 +- app/finders/users/wp_json_api.rb | 10 +- app/finders/users/yoast_seo_author_sitemap.rb | 8 +- app/finders/wp_version/readme.rb | 4 +- .../wp_version/unique_fingerprinting.rb | 2 +- app/models.rb | 6 + app/models/config_backup.rb | 6 +- app/models/db_export.rb | 6 +- app/models/interesting_finding.rb | 66 ++--- app/models/media.rb | 6 +- app/models/plugin.rb | 36 +-- app/models/theme.rb | 174 ++++++------ app/models/timthumb.rb | 110 ++++---- app/models/wp_item.rb | 266 +++++++++--------- app/models/wp_version.rb | 94 ++++--- app/models/xml_rpc.rb | 30 +- .../finders/dynamic_finder/version/finder.rb | 4 +- .../finders/dynamic_finder/wp_items/finder.rb | 4 +- .../finders/dynamic_finder/wp_version.rb | 4 +- .../finder/wp_version/smart_url_checker.rb | 2 +- lib/wpscan/target.rb | 2 +- spec/app/controllers/core_spec.rb | 4 +- spec/app/controllers/password_attack_spec.rb | 24 +- spec/app/controllers/wp_version_spec.rb | 10 +- .../config_backups/known_filenames_spec.rb | 2 +- .../db_exports/known_locations_spec.rb | 2 +- .../interesting_findings/backup_db_spec.rb | 2 +- .../interesting_findings/debug_log_spec.rb | 2 +- .../duplicator_installer_log_spec.rb | 2 +- .../full_path_disclosure_spec.rb | 2 +- .../interesting_findings/readme_spec.rb | 2 +- .../upload_sql_dump_spec.rb | 2 +- .../interesting_findings/wp_cron_spec.rb | 2 +- spec/app/finders/main_theme/css_style_spec.rb | 4 +- .../main_theme/urls_in_homepage_spec.rb | 2 +- .../woo_framework_meta_generator_spec.rb | 2 +- .../app/finders/plugin_version/readme_spec.rb | 6 +- spec/app/finders/plugin_version_spec.rb | 2 +- spec/app/finders/plugins/body_pattern_spec.rb | 2 +- spec/app/finders/plugins/comment_spec.rb | 2 +- .../app/finders/plugins/config_parser_spec.rb | 2 +- .../finders/plugins/header_pattern_spec.rb | 2 +- .../finders/plugins/javascript_var_spec.rb | 2 +- 
spec/app/finders/plugins/xpath_spec.rb | 2 +- spec/app/finders/theme_version/style_spec.rb | 4 +- .../woo_framework_meta_generator_spec.rb | 4 +- spec/app/finders/theme_version_spec.rb | 2 +- .../timthumb_version/bad_request_spec.rb | 4 +- spec/app/finders/timthumb_version_spec.rb | 2 +- spec/app/finders/users/rss_generator_spec.rb | 16 +- .../finders/wp_version/atom_generator_spec.rb | 8 +- spec/app/finders/wp_version/readme_spec.rb | 2 +- spec/app/models/interesting_finding_spec.rb | 2 +- spec/app/models/media_spec.rb | 2 +- spec/app/models/plugin_spec.rb | 25 +- spec/app/models/theme_spec.rb | 2 +- spec/app/models/timthumb_spec.rb | 4 +- spec/app/models/wp_item_spec.rb | 2 +- spec/app/models/wp_version_spec.rb | 2 +- spec/app/models/xml_rpc_spec.rb | 2 +- .../dynamic_finder/plugin_version_spec.rb | 6 +- .../finders/dynamic_finder/wp_version_spec.rb | 4 +- spec/lib/target_spec.rb | 16 +- .../views/enumeration/config_backups.rb | 2 +- .../views/enumeration/db_exports.rb | 2 +- .../views/enumeration/medias.rb | 2 +- .../views/enumeration/plugins.rb | 2 +- .../views/enumeration/themes.rb | 2 +- .../views/enumeration/timthumbs.rb | 4 +- .../views/enumeration/users.rb | 2 +- spec/shared_examples/views/main_theme.rb | 8 +- spec/shared_examples/views/wp_version.rb | 4 +- 116 files changed, 613 insertions(+), 560 deletions(-) diff --git a/app/controllers/core.rb b/app/controllers/core.rb index b8864170..a4927e0c 100644 --- a/app/controllers/core.rb +++ b/app/controllers/core.rb @@ -95,7 +95,7 @@ module WPScan mod = CMSScanner::Target::Server.const_get(server) target.extend mod - WPScan::WpItem.include mod + Model::WpItem.include mod server end diff --git a/app/controllers/password_attack.rb b/app/controllers/password_attack.rb index 691f13fd..f7890a3f 100644 --- a/app/controllers/password_attack.rb +++ b/app/controllers/password_attack.rb 
@@ -52,7 +52,7 @@ module WPScan @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection end - # @return [ WPScan::XMLRPC ] + # @return [ Model::XMLRPC ] def xmlrpc @xmlrpc ||= target.xmlrpc end @@ -95,7 +95,7 @@ module WPScan return target.users unless parsed_options[:usernames] parsed_options[:usernames].reduce([]) do |acc, elem| - acc << CMSScanner::User.new(elem.chomp) + acc << Model::User.new(elem.chomp) end end diff --git a/app/finders/config_backups/known_filenames.rb b/app/finders/config_backups/known_filenames.rb index 6dc9f38f..54319441 100644 --- a/app/finders/config_backups/known_filenames.rb +++ b/app/finders/config_backups/known_filenames.rb @@ -17,7 +17,9 @@ module WPScan # Might need to improve that next unless res.body =~ /define/i && res.body !~ /<\s?html/i - found << WPScan::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) + found << Model::ConfigBackup.new(res.request.url, + found_by: DIRECT_ACCESS, + confidence: 100) end found diff --git a/app/finders/db_exports/known_locations.rb b/app/finders/db_exports/known_locations.rb index 24f26227..8809bb53 100644 --- a/app/finders/db_exports/known_locations.rb +++ b/app/finders/db_exports/known_locations.rb @@ -17,7 +17,9 @@ module WPScan enumerate(potential_urls(opts), opts) do |res| next unless res.code == 200 && res.body =~ /INSERT INTO/ - found << WPScan::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) + found << Model::DbExport.new(res.request.url, + found_by: DIRECT_ACCESS, + confidence: 100) end found diff --git a/app/finders/interesting_findings/backup_db.rb b/app/finders/interesting_findings/backup_db.rb index b48872b3..5b6e6fb6 100644 --- a/app/finders/interesting_findings/backup_db.rb +++ b/app/finders/interesting_findings/backup_db.rb 
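Review bot: The username list in the second password_attack.rb hunk is still built with `reduce([])` and `acc <<`, which is a hand-written `map`. `parsed_options[:usernames].map { |elem| Model::User.new(elem.chomp) }` does the same in one line without the accumulator. The same accumulate-into-array shape appears on the new side of app/finders/plugin_version/readme.rb and app/finders/users/author_posts.rb. The enclosing method starts above the hunk, so this covers only the visible lines.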
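Review bot: In app/finders/config_backups/known_filenames.rb the finding is still reported with `confidence: 100`, although the guard above it only requires the body to match `/define/i` and not look like HTML. The existing comment already says this needs improving. Any plain-text or JSON response containing that word would be reported as a configuration backup, so either lower the confidence or tighten the match to a WordPress constant, for example `next unless res.body =~ /define\s*\(\s*['"]DB_(NAME|USER|PASSWORD)['"]/i && res.body !~ /<\s?html/i`. Whether the status code is filtered depends on `enumerate`, which is outside the hunk.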
@@ -11,7 +11,7 @@ module WPScan return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res) - WPScan::BackupDB.new( + Model::BackupDB.new( url, confidence: 70, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/debug_log.rb b/app/finders/interesting_findings/debug_log.rb index 52d74cca..aa581500 100644 --- a/app/finders/interesting_findings/debug_log.rb +++ b/app/finders/interesting_findings/debug_log.rb @@ -9,7 +9,7 @@ module WPScan return unless target.debug_log?(path) - WPScan::DebugLog.new( + Model::DebugLog.new( target.url(path), confidence: 100, found_by: DIRECT_ACCESS, references: { url: 'https://codex.wordpress.org/Debugging_in_WordPress' } diff --git a/app/finders/interesting_findings/duplicator_installer_log.rb b/app/finders/interesting_findings/duplicator_installer_log.rb index c80fce6b..e96966bf 100644 --- a/app/finders/interesting_findings/duplicator_installer_log.rb +++ b/app/finders/interesting_findings/duplicator_installer_log.rb @@ -10,7 +10,7 @@ module WPScan return unless res.body =~ /DUPLICATOR INSTALL-LOG/ - WPScan::DuplicatorInstallerLog.new( + Model::DuplicatorInstallerLog.new( url, confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/emergency_pwd_reset_script.rb b/app/finders/interesting_findings/emergency_pwd_reset_script.rb index f0bd95db..0f36b273 100644 --- a/app/finders/interesting_findings/emergency_pwd_reset_script.rb +++ b/app/finders/interesting_findings/emergency_pwd_reset_script.rb @@ -10,7 +10,7 @@ module WPScan return unless res.code == 200 && !target.homepage_or_404?(res) - WPScan::EmergencyPwdResetScript.new( + Model::EmergencyPwdResetScript.new( url, confidence: res.body =~ /password/i ? 100 : 40, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/full_path_disclosure.rb b/app/finders/interesting_findings/full_path_disclosure.rb index f3dcfac5..4c4463df 100644 --- a/app/finders/interesting_findings/full_path_disclosure.rb 
+++ b/app/finders/interesting_findings/full_path_disclosure.rb @@ -10,7 +10,7 @@ module WPScan return if fpd_entries.empty? - WPScan::FullPathDisclosure.new( + Model::FullPathDisclosure.new( target.url(path), confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/mu_plugins.rb b/app/finders/interesting_findings/mu_plugins.rb index 97ee038f..f4e2da4e 100644 --- a/app/finders/interesting_findings/mu_plugins.rb +++ b/app/finders/interesting_findings/mu_plugins.rb @@ -12,7 +12,7 @@ module WPScan url = target.url('wp-content/mu-plugins/') - return WPScan::MuPlugins.new( + return Model::MuPlugins.new( url, confidence: 70, found_by: 'URLs In Homepage (Passive Detection)', @@ -35,7 +35,7 @@ module WPScan target.mu_plugins = true - WPScan::MuPlugins.new( + Model::MuPlugins.new( url, confidence: 80, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/multisite.rb b/app/finders/interesting_findings/multisite.rb index 1cae370f..0c2d02f6 100644 --- a/app/finders/interesting_findings/multisite.rb +++ b/app/finders/interesting_findings/multisite.rb @@ -15,7 +15,7 @@ module WPScan target.multisite = true - WPScan::Multisite.new( + Model::Multisite.new( url, confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/readme.rb b/app/finders/interesting_findings/readme.rb index db187b1f..c742ed3b 100644 --- a/app/finders/interesting_findings/readme.rb +++ b/app/finders/interesting_findings/readme.rb @@ -10,7 +10,7 @@ module WPScan res = Browser.get(url) if res.code == 200 && res.body =~ /wordpress/i - return WPScan::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS) + return Model::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS) end end nil diff --git a/app/finders/interesting_findings/registration.rb b/app/finders/interesting_findings/registration.rb index d8400349..df9c206f 100644 --- a/app/finders/interesting_findings/registration.rb 
+++ b/app/finders/interesting_findings/registration.rb @@ -18,7 +18,7 @@ module WPScan target.registration_enabled = true - WPScan::Registration.new( + Model::Registration.new( res.effective_url, confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/tmm_db_migrate.rb b/app/finders/interesting_findings/tmm_db_migrate.rb index d388f6e0..fa649f2b 100644 --- a/app/finders/interesting_findings/tmm_db_migrate.rb +++ b/app/finders/interesting_findings/tmm_db_migrate.rb @@ -11,7 +11,7 @@ module WPScan return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i - WPScan::TmmDbMigrate.new( + Model::TmmDbMigrate.new( url, confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/upload_directory_listing.rb b/app/finders/interesting_findings/upload_directory_listing.rb index 3942ec9a..8fbfce37 100644 --- a/app/finders/interesting_findings/upload_directory_listing.rb +++ b/app/finders/interesting_findings/upload_directory_listing.rb @@ -11,7 +11,7 @@ module WPScan url = target.url(path) - WPScan::UploadDirectoryListing.new( + Model::UploadDirectoryListing.new( url, confidence: 100, found_by: DIRECT_ACCESS, diff --git a/app/finders/interesting_findings/upload_sql_dump.rb b/app/finders/interesting_findings/upload_sql_dump.rb index 9d45398f..b7a9dd84 100644 --- a/app/finders/interesting_findings/upload_sql_dump.rb +++ b/app/finders/interesting_findings/upload_sql_dump.rb @@ -12,7 +12,7 @@ module WPScan return unless res.code == 200 && res.body =~ SQL_PATTERN - WPScan::UploadSQLDump.new( + Model::UploadSQLDump.new( url, confidence: 100, found_by: DIRECT_ACCESS diff --git a/app/finders/interesting_findings/wp_cron.rb b/app/finders/interesting_findings/wp_cron.rb index 4c69c488..1e2ef342 100644 --- a/app/finders/interesting_findings/wp_cron.rb +++ b/app/finders/interesting_findings/wp_cron.rb 
@@ -9,7 +9,7 @@ module WPScan return unless res.code == 200 - WPScan::WPCron.new( + Model::WPCron.new( wp_cron_url, confidence: 60, found_by: DIRECT_ACCESS, diff --git a/app/finders/main_theme/css_style.rb b/app/finders/main_theme/css_style.rb index a50456cf..f4329e68 100644 --- a/app/finders/main_theme/css_style.rb +++ b/app/finders/main_theme/css_style.rb @@ -6,7 +6,7 @@ module WPScan include Finders::WpItems::URLsInHomepage def create_theme(slug, style_url, opts) - WPScan::Theme.new( + Model::Theme.new( slug, target, opts.merge(found_by: found_by, confidence: 70, style_url: style_url) diff --git a/app/finders/main_theme/urls_in_homepage.rb b/app/finders/main_theme/urls_in_homepage.rb index 645dddba..86a5b264 100644 --- a/app/finders/main_theme/urls_in_homepage.rb +++ b/app/finders/main_theme/urls_in_homepage.rb @@ -14,7 +14,7 @@ module WPScan slugs = items_from_links('themes', false) + items_from_codes('themes', false) slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences| - found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences)) + found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences)) end found diff --git a/app/finders/main_theme/woo_framework_meta_generator.rb b/app/finders/main_theme/woo_framework_meta_generator.rb index b4ffee6f..81586c18 100644 --- a/app/finders/main_theme/woo_framework_meta_generator.rb +++ b/app/finders/main_theme/woo_framework_meta_generator.rb @@ -10,7 +10,7 @@ module WPScan def passive(opts = {}) return unless target.homepage_res.body =~ PATTERN - WPScan::Theme.new( + Model::Theme.new( Regexp.last_match[1], target, opts.merge(found_by: found_by, confidence: 80) diff --git a/app/finders/medias/attachment_brute_forcing.rb b/app/finders/medias/attachment_brute_forcing.rb index eefa4a07..6c19edb3 100644 --- a/app/finders/medias/attachment_brute_forcing.rb +++ b/app/finders/medias/attachment_brute_forcing.rb 
@@ -15,7 +15,7 @@ module WPScan enumerate(target_urls(opts), opts) do |res| next unless res.code == 200 - found << WPScan::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100)) + found << Model::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100)) end found diff --git a/app/finders/passwords/xml_rpc_multicall.rb b/app/finders/passwords/xml_rpc_multicall.rb index af47ac0d..c1536204 100644 --- a/app/finders/passwords/xml_rpc_multicall.rb +++ b/app/finders/passwords/xml_rpc_multicall.rb @@ -20,13 +20,13 @@ module WPScan target.multi_call(methods).run end - # @param [ Array ] users + # @param [ Array ] users # @param [ Array ] passwords # @param [ Hash ] opts # @option opts [ Boolean ] :show_progression # @option opts [ Integer ] :multicall_max_passwords # - # @yield [ CMSScanner::User ] When a valid combination is found + # @yield [ Model::User ] When a valid combination is found # # TODO: Make rubocop happy about metrics etc # diff --git a/app/finders/plugin_version.rb b/app/finders/plugin_version.rb index 4618658f..274c3135 100644 --- a/app/finders/plugin_version.rb +++ b/app/finders/plugin_version.rb @@ -7,7 +7,7 @@ module WPScan class Base include CMSScanner::Finders::UniqueFinder - # @param [ WPScan::Plugin ] plugin + # @param [ Model::Plugin ] plugin def initialize(plugin) finders << PluginVersion::Readme.new(plugin) @@ -16,7 +16,7 @@ module WPScan # Load the finders associated with the plugin # - # @param [ WPScan::Plugin ] plugin + # @param [ Model::Plugin ] plugin def load_specific_finders(plugin) module_name = plugin.classify diff --git a/app/finders/plugin_version/readme.rb b/app/finders/plugin_version/readme.rb index d584b01e..b9db2b62 100644 --- a/app/finders/plugin_version/readme.rb +++ b/app/finders/plugin_version/readme.rb 
@@ -7,14 +7,14 @@ module WPScan def aggressive(_opts = {}) found_by_msg = 'Readme - %s (Aggressive Detection)' - WPScan::WpItem::READMES.each do |file| + Model::WpItem::READMES.each do |file| url = target.url(file) res = Browser.get(url) next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty? return numbers.reduce([]) do |a, e| - a << WPScan::Version.new( + a << Model::Version.new( e[0], found_by: format(found_by_msg, e[1]), confidence: e[2], diff --git a/app/finders/plugins/body_pattern.rb b/app/finders/plugins/body_pattern.rb index 5815cbef..edbe5d99 100644 --- a/app/finders/plugins/body_pattern.rb +++ b/app/finders/plugins/body_pattern.rb @@ -15,7 +15,7 @@ module WPScan def process_response(opts, response, slug, klass, config) return unless response.body =~ config['pattern'] - Plugin.new( + Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/plugins/comment.rb b/app/finders/plugins/comment.rb index 8a48e1fb..fbe9444e 100644 --- a/app/finders/plugins/comment.rb +++ b/app/finders/plugins/comment.rb @@ -18,7 +18,7 @@ module WPScan next unless comment =~ config['pattern'] - return Plugin.new( + return Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/plugins/config_parser.rb b/app/finders/plugins/config_parser.rb index 7163ea9b..6a7e8d4c 100644 --- a/app/finders/plugins/config_parser.rb +++ b/app/finders/plugins/config_parser.rb @@ -19,7 +19,7 @@ module WPScan # when checking for plugins # - Plugin.new( + Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/plugins/header_pattern.rb b/app/finders/plugins/header_pattern.rb index f9467193..6b90a0ae 100644 --- a/app/finders/plugins/header_pattern.rb +++ b/app/finders/plugins/header_pattern.rb 
@@ -18,7 +18,7 @@ module WPScan configs.each do |klass, config| next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern'] - found << Plugin.new( + found << Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/plugins/javascript_var.rb b/app/finders/plugins/javascript_var.rb index 3a5c65c4..83caefbc 100644 --- a/app/finders/plugins/javascript_var.rb +++ b/app/finders/plugins/javascript_var.rb @@ -16,7 +16,7 @@ module WPScan response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node| next if config['pattern'] && !node.text.match(config['pattern']) - return Plugin.new( + return Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/plugins/known_locations.rb b/app/finders/plugins/known_locations.rb index 3968c60d..63cfc347 100644 --- a/app/finders/plugins/known_locations.rb +++ b/app/finders/plugins/known_locations.rb @@ -13,7 +13,7 @@ module WPScan found = [] enumerate(target_urls(opts), opts) do |_res, slug| - found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) + found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end found diff --git a/app/finders/plugins/urls_in_homepage.rb b/app/finders/plugins/urls_in_homepage.rb index 7a5df959..0b0e2d9a 100644 --- a/app/finders/plugins/urls_in_homepage.rb +++ b/app/finders/plugins/urls_in_homepage.rb @@ -14,7 +14,7 @@ module WPScan found = [] (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug| - found << Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) + found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end found diff --git a/app/finders/plugins/xpath.rb b/app/finders/plugins/xpath.rb index 63db05fd..76cb80fb 100644 
--- a/app/finders/plugins/xpath.rb +++ b/app/finders/plugins/xpath.rb @@ -16,7 +16,7 @@ module WPScan response.html.xpath(config['xpath']).each do |node| next if config['pattern'] && !node.text.match(config['pattern']) - return Plugin.new( + return Model::Plugin.new( slug, target, opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE) diff --git a/app/finders/theme_version.rb b/app/finders/theme_version.rb index b25ed77b..ef126688 100644 --- a/app/finders/theme_version.rb +++ b/app/finders/theme_version.rb @@ -8,7 +8,7 @@ module WPScan class Base include CMSScanner::Finders::UniqueFinder - # @param [ WPScan::Theme ] theme + # @param [ Model::Theme ] theme def initialize(theme) finders << ThemeVersion::Style.new(theme) << @@ -19,7 +19,7 @@ module WPScan # Load the finders associated with the theme # - # @param [ WPScan::Theme ] theme + # @param [ Model::Theme ] theme def load_specific_finders(theme) module_name = theme.classify diff --git a/app/finders/theme_version/style.rb b/app/finders/theme_version/style.rb index d4a59198..55015369 100644 --- a/app/finders/theme_version/style.rb +++ b/app/finders/theme_version/style.rb @@ -30,7 +30,7 @@ module WPScan def style_version return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i - WPScan::Version.new( + Model::Version.new( Regexp.last_match[1], found_by: found_by, confidence: 80, diff --git a/app/finders/theme_version/woo_framework_meta_generator.rb b/app/finders/theme_version/woo_framework_meta_generator.rb index bbafc5c8..75124c5d 100644 --- a/app/finders/theme_version/woo_framework_meta_generator.rb +++ b/app/finders/theme_version/woo_framework_meta_generator.rb @@ -11,7 +11,7 @@ module WPScan return unless Regexp.last_match[1] == target.slug - WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80) + Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80) end end end 
diff --git a/app/finders/themes/known_locations.rb b/app/finders/themes/known_locations.rb index ddd86a8a..11bd4549 100644 --- a/app/finders/themes/known_locations.rb +++ b/app/finders/themes/known_locations.rb @@ -13,7 +13,7 @@ module WPScan found = [] enumerate(target_urls(opts), opts) do |_res, slug| - found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) + found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end found diff --git a/app/finders/themes/urls_in_homepage.rb b/app/finders/themes/urls_in_homepage.rb index 15b9ad14..7354b713 100644 --- a/app/finders/themes/urls_in_homepage.rb +++ b/app/finders/themes/urls_in_homepage.rb @@ -12,7 +12,7 @@ module WPScan found = [] (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug| - found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) + found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end found diff --git a/app/finders/timthumb_version.rb b/app/finders/timthumb_version.rb index fcc43c80..9571a1ee 100644 --- a/app/finders/timthumb_version.rb +++ b/app/finders/timthumb_version.rb @@ -7,7 +7,7 @@ module WPScan class Base include CMSScanner::Finders::UniqueFinder - # @param [ WPScan::Timthumb ] target + # @param [ Model::Timthumb ] target def initialize(target) finders << TimthumbVersion::BadRequest.new(target) end diff --git a/app/finders/timthumb_version/bad_request.rb b/app/finders/timthumb_version/bad_request.rb index d3882f8f..b0e81de3 100644 --- a/app/finders/timthumb_version/bad_request.rb +++ b/app/finders/timthumb_version/bad_request.rb @@ -8,7 +8,7 @@ module WPScan def aggressive(_opts = {}) return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/ - WPScan::Version.new( + Model::Version.new( Regexp.last_match[2], found_by: 'Bad Request (Aggressive Detection)', confidence: 90, 
diff --git a/app/finders/timthumbs/known_locations.rb b/app/finders/timthumbs/known_locations.rb index e6923436..5935a30c 100644 --- a/app/finders/timthumbs/known_locations.rb +++ b/app/finders/timthumbs/known_locations.rb @@ -15,7 +15,7 @@ module WPScan found = [] enumerate(target_urls(opts), opts) do |res| - found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100)) + found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100)) end found diff --git a/app/finders/users/author_id_brute_forcing.rb b/app/finders/users/author_id_brute_forcing.rb index 6ea40266..20cb0789 100644 --- a/app/finders/users/author_id_brute_forcing.rb +++ b/app/finders/users/author_id_brute_forcing.rb @@ -18,7 +18,7 @@ module WPScan next unless username - found << CMSScanner::User.new( + found << Model::User.new( username, id: id, found_by: format(found_by_msg, found_by), diff --git a/app/finders/users/author_posts.rb b/app/finders/users/author_posts.rb index 2db1e258..fb427e21 100644 --- a/app/finders/users/author_posts.rb +++ b/app/finders/users/author_posts.rb @@ -10,7 +10,7 @@ module WPScan found_by_msg = 'Author Posts - %s (Passive Detection)' usernames(opts).reduce([]) do |a, e| - a << CMSScanner::User.new( + a << Model::User.new( e[0], found_by: format(found_by_msg, e[1]), confidence: e[2] diff --git a/app/finders/users/login_error_messages.rb b/app/finders/users/login_error_messages.rb index ad6075e7..148dee3f 100644 --- a/app/finders/users/login_error_messages.rb +++ b/app/finders/users/login_error_messages.rb @@ -24,7 +24,7 @@ module WPScan next unless error =~ /The password you entered for the username|Incorrect Password/i - found << CMSScanner::User.new(username, found_by: found_by, confidence: 100) + found << Model::User.new(username, found_by: found_by, confidence: 100) end found diff --git a/app/finders/users/oembed_api.rb b/app/finders/users/oembed_api.rb index 0e3a7d0a..13011158 100644 
--- a/app/finders/users/oembed_api.rb +++ b/app/finders/users/oembed_api.rb @@ -21,10 +21,10 @@ module WPScan return [] unless details - [CMSScanner::User.new(details[0], - found_by: format(found_by_msg, details[1]), - confidence: details[2], - interesting_entries: [api_url])] + [Model::User.new(details[0], + found_by: format(found_by_msg, details[1]), + confidence: details[2], + interesting_entries: [api_url])] rescue JSON::ParserError [] end diff --git a/app/finders/users/rss_generator.rb b/app/finders/users/rss_generator.rb index dc936ddc..97175bbf 100644 --- a/app/finders/users/rss_generator.rb +++ b/app/finders/users/rss_generator.rb @@ -30,7 +30,7 @@ module WPScan end potential_usernames.uniq.each do |potential_username| - found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50) + found << Model::User.new(potential_username, found_by: found_by, confidence: 50) end break diff --git a/app/finders/users/wp_json_api.rb b/app/finders/users/wp_json_api.rb index 91b0ea85..b78f038c 100644 --- a/app/finders/users/wp_json_api.rb +++ b/app/finders/users/wp_json_api.rb @@ -41,11 +41,11 @@ module WPScan found = [] JSON.parse(response.body)&.each do |user| - found << CMSScanner::User.new(user['slug'], - id: user['id'], - found_by: found_by, - confidence: 100, - interesting_entries: [response.effective_url]) + found << Model::User.new(user['slug'], + id: user['id'], + found_by: found_by, + confidence: 100, + interesting_entries: [response.effective_url]) end found diff --git a/app/finders/users/yoast_seo_author_sitemap.rb b/app/finders/users/yoast_seo_author_sitemap.rb index 857aa879..3bd2ac9f 100644 --- a/app/finders/users/yoast_seo_author_sitemap.rb +++ b/app/finders/users/yoast_seo_author_sitemap.rb 
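Review bot: In app/finders/users/wp_json_api.rb the loop `JSON.parse(response.body)&.each do |user|` reads `user['slug']` and `user['id']` without checking what the target returned. If the response is a JSON object rather than an array (an API error body, for instance), `each` yields key/value pairs and `user['slug']` raises TypeError. A scalar JSON value has no `each` at all. Since the body is controlled by the scanned site, validate the shape first, e.g. `users = JSON.parse(response.body)` followed by `return found unless users.is_a?(Array)`, and skip elements that are not hashes. Whether JSON::ParserError is rescued cannot be seen here, because the method starts and ends outside the hunk.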
@@ -15,10 +15,10 @@ module WPScan next unless username && !username.strip.empty? - found << CMSScanner::User.new(username, - found_by: found_by, - confidence: 100, - interesting_entries: [sitemap_url]) + found << Model::User.new(username, + found_by: found_by, + confidence: 100, + interesting_entries: [sitemap_url]) end found diff --git a/app/finders/wp_version/readme.rb b/app/finders/wp_version/readme.rb index 80b25d97..26c62474 100644 --- a/app/finders/wp_version/readme.rb +++ b/app/finders/wp_version/readme.rb @@ -13,9 +13,9 @@ module WPScan number = Regexp.last_match(1) - return unless WPScan::WpVersion.valid?(number) + return unless Model::WpVersion.valid?(number) - WPScan::WpVersion.new( + Model::WpVersion.new( number, found_by: 'Readme (Aggressive Detection)', # Since WP 4.7, the Readme only contains the major version (ie 4.7, 4.8 etc) diff --git a/app/finders/wp_version/unique_fingerprinting.rb b/app/finders/wp_version/unique_fingerprinting.rb index ca43aa55..72c12aee 100644 --- a/app/finders/wp_version/unique_fingerprinting.rb +++ b/app/finders/wp_version/unique_fingerprinting.rb @@ -11,7 +11,7 @@ module WPScan hydra.abort progress_bar.finish - return WPScan::WpVersion.new( + return Model::WpVersion.new( version_number, found_by: 'Unique Fingerprinting (Aggressive Detection)', confidence: 100, diff --git a/app/models.rb b/app/models.rb index 02e7c1f0..4e8c008e 100644 --- a/app/models.rb +++ b/app/models.rb @@ -1,3 +1,9 @@ +module WPScan + module Model + include CMSScanner::Model + end +end + require_relative 'models/interesting_finding' require_relative 'models/wp_version' require_relative 'models/xml_rpc' diff --git a/app/models/config_backup.rb b/app/models/config_backup.rb index 0c42fefc..e40161a3 100644 --- a/app/models/config_backup.rb +++ b/app/models/config_backup.rb @@ -1,5 +1,7 @@ module WPScan - # Config Backup - class ConfigBackup < InterestingFinding + module Model + # Config Backup + class ConfigBackup < InterestingFinding + end end end 
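Review bot: The new `module Model` in app/models.rb carries no comment explaining that `include CMSScanner::Model` is what the rest of this patch depends on. References such as `Model::User` and `Model::Version` have no file under app/models in the diffstat, so they apparently resolve through that include. A short header such as `# Namespace for WPScan models; CMSScanner::Model is included so its classes (User, Version, ...) resolve as Model::X` would make that visible. The patch also requires a cms_scanner release that defines `CMSScanner::Model` (interesting_finding.rb now subclasses `CMSScanner::Model::InterestingFinding`), yet the diffstat shows no gemspec or Gemfile change. Confirm the minimum cms_scanner version is raised elsewhere, otherwise an install with an older version fails at load with NameError.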
diff --git a/app/models/db_export.rb b/app/models/db_export.rb index bab236ca..bde67da3 100644 --- a/app/models/db_export.rb +++ b/app/models/db_export.rb @@ -1,5 +1,7 @@ module WPScan - # DB Export - class DbExport < InterestingFinding + module Model + # DB Export + class DbExport < InterestingFinding + end end end diff --git a/app/models/interesting_finding.rb b/app/models/interesting_finding.rb index e6cb8496..848e8f72 100644 --- a/app/models/interesting_finding.rb +++ b/app/models/interesting_finding.rb 
@@ -1,48 +1,50 @@ module WPScan - # Custom class to include the WPScan::References module - class InterestingFinding < CMSScanner::InterestingFinding - include References - end + module Model + # Custom class to include the WPScan::References module + class InterestingFinding < CMSScanner::Model::InterestingFinding + include References + end - # - # Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent) - # - class BackupDB < InterestingFinding - end + # + # Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent) + # + class BackupDB < InterestingFinding + end - class DebugLog < InterestingFinding - end + class DebugLog < InterestingFinding + end - class DuplicatorInstallerLog < InterestingFinding - end + class DuplicatorInstallerLog < InterestingFinding + end - class EmergencyPwdResetScript < InterestingFinding - end + class EmergencyPwdResetScript < InterestingFinding + end - class FullPathDisclosure < InterestingFinding - end + class FullPathDisclosure < InterestingFinding + end - class MuPlugins < InterestingFinding - end + class MuPlugins < InterestingFinding + end - class Multisite < InterestingFinding - end + class Multisite < InterestingFinding + end - class Readme < InterestingFinding - end + class Readme < InterestingFinding + end - class Registration < InterestingFinding - end + class Registration < InterestingFinding + end - class TmmDbMigrate < InterestingFinding - end + class TmmDbMigrate < InterestingFinding + end - class UploadDirectoryListing < InterestingFinding - end + class UploadDirectoryListing < InterestingFinding + end - class UploadSQLDump < InterestingFinding - end + class UploadSQLDump < InterestingFinding + end - class WPCron < InterestingFinding + class WPCron < InterestingFinding + end end end diff --git a/app/models/media.rb b/app/models/media.rb index c55bb69b..ef91ca4f 100644 --- a/app/models/media.rb +++ b/app/models/media.rb 
@@ -1,5 +1,7 @@ module WPScan - # Media - class Media < InterestingFinding + module Model + # Media + class Media < InterestingFinding + end end end diff --git a/app/models/plugin.rb b/app/models/plugin.rb index 7692282f..1d7a16f6 100644 --- a/app/models/plugin.rb +++ b/app/models/plugin.rb @@ -1,25 +1,27 @@ module WPScan - # WordPress Plugin - class Plugin < WpItem - # See WpItem - def initialize(slug, blog, opts = {}) - super(slug, blog, opts) + module Model + # WordPress Plugin + class Plugin < WpItem + # See WpItem + def initialize(slug, blog, opts = {}) + super(slug, blog, opts) - @uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/")) - end + @uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/")) + end - # @return [ JSON ] - def db_data - DB::Plugin.db_data(slug) - end + # @return [ JSON ] + def db_data + DB::Plugin.db_data(slug) + end - # @param [ Hash ] opts - # - # @return [ WPScan::Version, false ] - def version(opts = {}) - @version = Finders::PluginVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? + # @param [ Hash ] opts + # + # @return [ Model::Version, false ] + def version(opts = {}) + @version = Finders::PluginVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? - @version + @version + end end end end diff --git a/app/models/theme.rb b/app/models/theme.rb index cbc8326d..06e88783 100644 --- a/app/models/theme.rb +++ b/app/models/theme.rb 
@@ -1,99 +1,101 @@ module WPScan - # WordPress Theme - class Theme < WpItem - attr_reader :style_url, :style_name, :style_uri, :author, :author_uri, :template, :description, - :license, :license_uri, :tags, :text_domain + module Model + # WordPress Theme + class Theme < WpItem + attr_reader :style_url, :style_name, :style_uri, :author, :author_uri, :template, :description, + :license, :license_uri, :tags, :text_domain - # See WpItem - def initialize(slug, blog, opts = {}) - super(slug, blog, opts) + # See WpItem + def initialize(slug, blog, opts = {}) + super(slug, blog, opts) - @uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/")) - @style_url = opts[:style_url] || url('style.css') + @uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/")) + @style_url = opts[:style_url] || url('style.css') - parse_style - end - - # @return [ JSON ] - def db_data - DB::Theme.db_data(slug) - end - - # @param [ Hash ] opts - # - # @return [ WPScan::Version, false ] - def version(opts = {}) - @version = Finders::ThemeVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? 
- - @version - end - - # @return [ Theme ] - def parent_theme - return unless template - return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i - - opts = detection_opts.merge( - style_url: url(Regexp.last_match[1]), - found_by: 'Parent Themes (Passive Detection)', - confidence: 100 - ).merge(version_detection: version_detection_opts) - - self.class.new(template, blog, opts) - end - - # @param [ Integer ] depth - # - # @retun [ Array ] - def parent_themes(depth = 3) - theme = self - found = [] - - (1..depth).each do |_| - parent = theme.parent_theme - - break unless parent - - found << parent - theme = parent + parse_style end - found - end - - def style_body - @style_body ||= Browser.get(style_url).body - end - - def parse_style - { - style_name: 'Theme Name', - style_uri: 'Theme URI', - author: 'Author', - author_uri: 'Author URI', - template: 'Template', - description: 'Description', - license: 'License', - license_uri: 'License URI', - tags: 'Tags', - text_domain: 'Text Domain' - }.each do |attribute, tag| - instance_variable_set(:"@#{attribute}", parse_style_tag(style_body, tag)) + # @return [ JSON ] + def db_data + DB::Theme.db_data(slug) end - end - # @param [ String ] bofy - # @param [ String ] tag - # - # @return [ String ] - def parse_style_tag(body, tag) - value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1] + # @param [ Hash ] opts + # + # @return [ Model::Version, false ] + def version(opts = {}) + @version = Finders::ThemeVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? - value && !value.strip.empty? ? 
value.strip : nil - end + @version + end - def ==(other) - super(other) && style_url == other.style_url + # @return [ Theme ] + def parent_theme + return unless template + return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i + + opts = detection_opts.merge( + style_url: url(Regexp.last_match[1]), + found_by: 'Parent Themes (Passive Detection)', + confidence: 100 + ).merge(version_detection: version_detection_opts) + + self.class.new(template, blog, opts) + end + + # @param [ Integer ] depth + # + # @retun [ Array ] + def parent_themes(depth = 3) + theme = self + found = [] + + (1..depth).each do |_| + parent = theme.parent_theme + + break unless parent + + found << parent + theme = parent + end + + found + end + + def style_body + @style_body ||= Browser.get(style_url).body + end + + def parse_style + { + style_name: 'Theme Name', + style_uri: 'Theme URI', + author: 'Author', + author_uri: 'Author URI', + template: 'Template', + description: 'Description', + license: 'License', + license_uri: 'License URI', + tags: 'Tags', + text_domain: 'Text Domain' + }.each do |attribute, tag| + instance_variable_set(:"@#{attribute}", parse_style_tag(style_body, tag)) + end + end + + # @param [ String ] bofy + # @param [ String ] tag + # + # @return [ String ] + def parse_style_tag(body, tag) + value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1] + + value && !value.strip.empty? ? value.strip : nil + end + + def ==(other) + super(other) && style_url == other.style_url + end end end end diff --git a/app/models/timthumb.rb b/app/models/timthumb.rb index b0b62561..566c2e89 100644 --- a/app/models/timthumb.rb +++ b/app/models/timthumb.rb 
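Review bot: `parent_theme` takes the parent's `style_url` from the `@import url(...)` captured out of the scanned site's own style.css and passes it through `url(...)` with no check that the result stays on the target. `WpItem#url` joins that value onto `@uri`, so an absolute URL in the import would presumably replace the base, and `style_body` would then fetch a host picked by the remote stylesheet rather than one the operator put in scope. A guard before `self.class.new` would close this, e.g. `parent_style = url(Regexp.last_match[1])` followed by `return unless blog.in_scope?(parent_style)` (assuming the target exposes `in_scope?` alongside the `in_scope_urls` helper that WpItem delegates to). The `@retun` and `bofy` tags in the doc comments of `parent_themes` and `parse_style_tag` are typos for `@return` and `body`.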
@@ -1,71 +1,73 @@ module WPScan - # Timthumb - class Timthumb < InterestingFinding - include Vulnerable + module Model + # Timthumb + class Timthumb < InterestingFinding + include Vulnerable - attr_reader :version_detection_opts + attr_reader :version_detection_opts - # @param [ String ] url - # @param [ Hash ] opts - # @option opts [ Symbol ] :mode The mode to use to detect the version - def initialize(url, opts = {}) - super(url, opts) + # @param [ String ] url + # @param [ Hash ] opts + # @option opts [ Symbol ] :mode The mode to use to detect the version + def initialize(url, opts = {}) + super(url, opts) - @version_detection_opts = opts[:version_detection] || {} - end + @version_detection_opts = opts[:version_detection] || {} + end - # @param [ Hash ] opts - # - # @return [ WPScan::Version, false ] - def version(opts = {}) - @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? + # @param [ Hash ] opts + # + # @return [ Model::Version, false ] + def version(opts = {}) + @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil? - @version - end + @version + end - # @return [ Array ] - def vulnerabilities - vulns = [] + # @return [ Array ] + def vulnerabilities + vulns = [] - vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled? - vulns << rce_132_vuln if version == false || version < '1.33' + vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled? 
+ vulns << rce_132_vuln if version == false || version < '1.33' - vulns - end + vulns + end - # @return [ Vulnerability ] The RCE in the <= 1.32 - def rce_132_vuln - Vulnerability.new( - 'Timthumb <= 1.32 Remote Code Execution', - { exploitdb: ['17602'] }, - 'RCE', - '1.33' - ) - end + # @return [ Vulnerability ] The RCE in the <= 1.32 + def rce_132_vuln + Vulnerability.new( + 'Timthumb <= 1.32 Remote Code Execution', + { exploitdb: ['17602'] }, + 'RCE', + '1.33' + ) + end - # @return [ Vulnerability ] The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13 - def rce_webshot_vuln - Vulnerability.new( - 'Timthumb <= 2.8.13 WebShot Remote Code Execution', - { - url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'], - cve: '2014-4663' - }, - 'RCE', - '2.8.14' - ) - end + # @return [ Vulnerability ] The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13 + def rce_webshot_vuln + Vulnerability.new( + 'Timthumb <= 2.8.13 WebShot Remote Code Execution', + { + url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'], + cve: '2014-4663' + }, + 'RCE', + '2.8.14' + ) + end - # @return [ Boolean ] - def webshot_enabled? - res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" }) + # @return [ Boolean ] + def webshot_enabled? + res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" }) - res.body =~ /WEBSHOT_ENABLED == true/ ? false : true - end + res.body =~ /WEBSHOT_ENABLED == true/ ? false : true + end - # @return [ Array ] The default allowed domains (between the 2.0 and 2.8.13) - def default_allowed_domains - %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org] + # @return [ Array ] The default allowed domains (between the 2.0 and 2.8.13) + def default_allowed_domains + %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org] + end end end end 
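Review bot: `webshot_enabled?` returns true for every response whose body lacks `WEBSHOT_ENABLED == true`, so an error page, a blocked request or an empty body from a failed connection is reported as WebShot being enabled. The regex presumably matches the message the script prints when the feature is off, which makes the ternary read as inverted; a comment such as `# the script only prints this text when WebShot is disabled` would help, and the method should tell a failed request apart from a real answer before concluding anything. In `vulnerabilities`, `&&` binds tighter than `||`, so with an unknown version the WebShot finding is added without calling `webshot_enabled?`; if that is intended, write it as `version == false || (version > '1.35' && version < '2.8.14' && webshot_enabled?)`.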
diff --git a/app/models/wp_item.rb b/app/models/wp_item.rb
index 6ca2bb37..f8d73032 100644
--- a/app/models/wp_item.rb
+++ b/app/models/wp_item.rb
@@ -1,158 +1,160 @@ module WPScan - # WpItem (superclass of Plugin & Theme) - class WpItem - include Vulnerable - include Finders::Finding - include CMSScanner::Target::Platform::PHP - include CMSScanner::Target::Server::Generic + module Model + # WpItem (superclass of Plugin & Theme) + class WpItem + include Vulnerable + include Finders::Finding + include CMSScanner::Target::Platform::PHP + include CMSScanner::Target::Server::Generic - READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze - CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze + READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze + CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze - attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data + attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data - delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog + delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog - # @param [ String ] slug The plugin/theme slug - # @param [ Target ] blog The targeted blog - # @param [ Hash ] opts - # @option opts [ Symbol ] :mode The detection mode to use - # @option opts [ Hash ] :version_detection The options to use when looking for the version - # @option opts [ String ] :url The URL of the item - def initialize(slug, blog, opts = {}) - @slug = URI.decode(slug) - @blog = blog - @uri = Addressable::URI.parse(opts[:url]) if opts[:url] + # @param [ String ] slug The plugin/theme slug + # @param [ Target ] blog The targeted blog + # @param [ Hash ] opts + # @option opts [ Symbol ] :mode The detection mode to use + # @option opts [ Hash ] :version_detection The options to use when looking for the version + # @option opts [ String ] :url The URL of the item + def initialize(slug, blog, opts = {}) + @slug = URI.decode(slug) + @blog = blog + @uri = Addressable::URI.parse(opts[:url]) if opts[:url] - @detection_opts = 
{ mode: opts[:mode] } - @version_detection_opts = opts[:version_detection] || {} + @detection_opts = { mode: opts[:mode] } + @version_detection_opts = opts[:version_detection] || {} - parse_finding_options(opts) - end - - # @return [ Array ] - def vulnerabilities - return @vulnerabilities if @vulnerabilities - - @vulnerabilities = [] - - [*db_data['vulnerabilities']].each do |json_vuln| - vulnerability = Vulnerability.load_from_json(json_vuln) - @vulnerabilities << vulnerability if vulnerable_to?(vulnerability) + parse_finding_options(opts) end - @vulnerabilities - end + # @return [ Array ] + def vulnerabilities + return @vulnerabilities if @vulnerabilities - # Checks if the wp_item is vulnerable to a specific vulnerability - # - # @param [ Vulnerability ] vuln Vulnerability to check the item against - # - # @return [ Boolean ] - def vulnerable_to?(vuln) - return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty? + @vulnerabilities = [] - version < vuln.fixed_in - end - - # @return [ String ] - def latest_version - @latest_version ||= db_data['latest_version'] ? WPScan::Version.new(db_data['latest_version']) : nil - end - - # Not used anywhere ATM - # @return [ Boolean ] - def popular? - @popular ||= db_data['popular'] - end - - # @return [ String ] - def last_updated - @last_updated ||= db_data['last_updated'] - end - - # @return [ Boolean ] - def outdated? 
- @outdated ||= if version && latest_version - version < latest_version - else - false - end - end - - # URI.encode is preferered over Addressable::URI.encode as it will encode - # leading # character: - # URI.encode('#t#') => %23t%23 - # Addressable::URI.encode('#t#') => #t%23 - # - # @param [ String ] path Optional path to merge with the uri - # - # @return [ String ] - def url(path = nil) - return unless @uri - return @uri.to_s unless path - - @uri.join(URI.encode(path)).to_s - end - - # @return [ Boolean ] - def ==(other) - self.class == other.class && slug == other.slug - end - - def to_s - slug - end - - # @return [ Symbol ] The Class symbol associated to the item - def classify - @classify ||= classify_slug(slug) - end - - # @return [ String ] The readme url if found - def readme_url - return if detection_opts[:mode] == :passive - - if @readme_url.nil? - READMES.each do |path| - return @readme_url = url(path) if Browser.get(url(path)).code == 200 + [*db_data['vulnerabilities']].each do |json_vuln| + vulnerability = Vulnerability.load_from_json(json_vuln) + @vulnerabilities << vulnerability if vulnerable_to?(vulnerability) end + + @vulnerabilities end - @readme_url - end + # Checks if the wp_item is vulnerable to a specific vulnerability + # + # @param [ Vulnerability ] vuln Vulnerability to check the item against + # + # @return [ Boolean ] + def vulnerable_to?(vuln) + return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty? - # @return [ String, false ] The changelog urr if found - def changelog_url - return if detection_opts[:mode] == :passive + version < vuln.fixed_in + end - if @changelog_url.nil? - CHANGELOGS.each do |path| - return @changelog_url = url(path) if Browser.get(url(path)).code == 200 + # @return [ String ] + def latest_version + @latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil + end + + # Not used anywhere ATM + # @return [ Boolean ] + def popular? 
+ @popular ||= db_data['popular'] + end + + # @return [ String ] + def last_updated + @last_updated ||= db_data['last_updated'] + end + + # @return [ Boolean ] + def outdated? + @outdated ||= if version && latest_version + version < latest_version + else + false + end + end + + # URI.encode is preferered over Addressable::URI.encode as it will encode + # leading # character: + # URI.encode('#t#') => %23t%23 + # Addressable::URI.encode('#t#') => #t%23 + # + # @param [ String ] path Optional path to merge with the uri + # + # @return [ String ] + def url(path = nil) + return unless @uri + return @uri.to_s unless path + + @uri.join(URI.encode(path)).to_s + end + + # @return [ Boolean ] + def ==(other) + self.class == other.class && slug == other.slug + end + + def to_s + slug + end + + # @return [ Symbol ] The Class symbol associated to the item + def classify + @classify ||= classify_slug(slug) + end + + # @return [ String ] The readme url if found + def readme_url + return if detection_opts[:mode] == :passive + + if @readme_url.nil? + READMES.each do |path| + return @readme_url = url(path) if Browser.get(url(path)).code == 200 + end end + + @readme_url end - @changelog_url - end + # @return [ String, false ] The changelog urr if found + def changelog_url + return if detection_opts[:mode] == :passive - # @param [ String ] path - # @param [ Hash ] params The request params - # - # @return [ Boolean ] - def directory_listing?(path = nil, params = {}) - return if detection_opts[:mode] == :passive + if @changelog_url.nil? 
+ CHANGELOGS.each do |path| + return @changelog_url = url(path) if Browser.get(url(path)).code == 200 + end + end - super(path, params) - end + @changelog_url + end - # @param [ String ] path - # @param [ Hash ] params The request params - # - # @return [ Boolean ] - def error_log?(path = 'error_log', params = {}) - return if detection_opts[:mode] == :passive + # @param [ String ] path + # @param [ Hash ] params The request params + # + # @return [ Boolean ] + def directory_listing?(path = nil, params = {}) + return if detection_opts[:mode] == :passive - super(path, params) + super(path, params) + end + + # @param [ String ] path + # @param [ Hash ] params The request params + # + # @return [ Boolean ] + def error_log?(path = 'error_log', params = {}) + return if detection_opts[:mode] == :passive + + super(path, params) + end end end end diff --git a/app/models/wp_version.rb b/app/models/wp_version.rb index 956dee6e..ba8ae63c 100644 --- a/app/models/wp_version.rb +++ b/app/models/wp_version.rb 
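Review bot: `readme_url` and `changelog_url` never cache a negative result: when no candidate answers 200 the instance variable stays nil, so each later call repeats the whole `READMES` / `CHANGELOGS` request loop against the target (unless the browser layer caches responses, which this hunk does not show). Setting `@readme_url = false` and `@changelog_url = false` after the respective `each` loop would stop that and would match the `[ String, false ]` return type that `changelog_url` already documents. Separately, `URI.decode` in `initialize` and `URI.encode` in `url` are obsolete stdlib methods that were removed in Ruby 3.0, so both calls will need a replacement that keeps the leading-`#` behaviour described in the comment above `url`.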
@@ -1,64 +1,66 @@ module WPScan - # WP Version - class WpVersion < CMSScanner::Version - include Vulnerable + module Model + # WP Version + class WpVersion < CMSScanner::Model::Version + include Vulnerable - def initialize(number, opts = {}) - raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s) + def initialize(number, opts = {}) + raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s) - super(number, opts) - end + super(number, opts) + end - # @param [ String ] number - # - # @return [ Boolean ] true if the number is a valid WP version, false otherwise - def self.valid?(number) - all.include?(number) - end + # @param [ String ] number + # + # @return [ Boolean ] true if the number is a valid WP version, false otherwise + def self.valid?(number) + all.include?(number) + end - # @return [ Array ] All the version numbers - def self.all - return @all_numbers if @all_numbers + # @return [ Array ] All the version numbers + def self.all + return @all_numbers if @all_numbers - @all_numbers = [] + @all_numbers = [] - DB::Fingerprints.wp_fingerprints.each_value do |fp| - fp.each_value do |versions| - versions.each do |version| - @all_numbers << version unless @all_numbers.include?(version) + DB::Fingerprints.wp_fingerprints.each_value do |fp| + fp.each_value do |versions| + versions.each do |version| + @all_numbers << version unless @all_numbers.include?(version) + end end end + + @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) } end - @all_numbers.sort! 
{ |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) } - end - - # @return [ JSON ] - def db_data - DB::Version.db_data(number) - end - - # @return [ Array ] - def vulnerabilities - return @vulnerabilities if @vulnerabilities - - @vulnerabilities = [] - - [*db_data['vulnerabilities']].each do |json_vuln| - @vulnerabilities << Vulnerability.load_from_json(json_vuln) + # @return [ JSON ] + def db_data + DB::Version.db_data(number) end - @vulnerabilities - end + # @return [ Array ] + def vulnerabilities + return @vulnerabilities if @vulnerabilities - # @return [ String ] - def release_date - @release_date ||= db_data['release_date'] || 'Unknown' - end + @vulnerabilities = [] - # @return [ String ] - def status - @status ||= db_data['status'] || 'Unknown' + [*db_data['vulnerabilities']].each do |json_vuln| + @vulnerabilities << Vulnerability.load_from_json(json_vuln) + end + + @vulnerabilities + end + + # @return [ String ] + def release_date + @release_date ||= db_data['release_date'] || 'Unknown' + end + + # @return [ String ] + def status + @status ||= db_data['status'] || 'Unknown' + end end end end diff --git a/app/models/xml_rpc.rb b/app/models/xml_rpc.rb index e6fa4936..97d2cdfc 100644 --- a/app/models/xml_rpc.rb +++ b/app/models/xml_rpc.rb 
@@ -1,19 +1,21 @@ module WPScan - # Override of the CMSScanner::XMLRPC to include the references - class XMLRPC < CMSScanner::XMLRPC - include References # To be able to use the :wpvulndb reference if needed + module Model + # Override of the CMSScanner::XMLRPC to include the references + class XMLRPC < CMSScanner::Model::XMLRPC + include References # To be able to use the :wpvulndb reference if needed - # @return [ Hash ] - def references - { - url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'], - metasploit: [ - 'auxiliary/scanner/http/wordpress_ghost_scanner', - 'auxiliary/dos/http/wordpress_xmlrpc_dos', - 'auxiliary/scanner/http/wordpress_xmlrpc_login', - 'auxiliary/scanner/http/wordpress_pingback_access' - ] - } + # @return [ Hash ] + def references + { + url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'], + metasploit: [ + 'auxiliary/scanner/http/wordpress_ghost_scanner', + 'auxiliary/dos/http/wordpress_xmlrpc_dos', + 'auxiliary/scanner/http/wordpress_xmlrpc_login', + 'auxiliary/scanner/http/wordpress_pingback_access' + ] + } + end end end end diff --git a/lib/wpscan/finders/dynamic_finder/version/finder.rb b/lib/wpscan/finders/dynamic_finder/version/finder.rb index 577dc260..49cc25d4 100644 --- a/lib/wpscan/finders/dynamic_finder/version/finder.rb +++ b/lib/wpscan/finders/dynamic_finder/version/finder.rb @@ -9,9 +9,9 @@ module WPScan # @param [ String ] number # @param [ Hash ] finding_opts - # @return [ WPScan::Version ] + # @return [ Model::Version ] def create_version(number, finding_opts) - WPScan::Version.new(number, version_finding_opts(finding_opts)) + Model::Version.new(number, version_finding_opts(finding_opts)) end # @param [ Hash ] opts diff --git a/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb b/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb index b0fef208..f846e636 100644 --- a/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +++ b/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb 
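Review bot: The class comment in app/models/xml_rpc.rb still says `Override of the CMSScanner::XMLRPC` although the superclass on the next line is now `CMSScanner::Model::XMLRPC`; it should read `# Override of CMSScanner::Model::XMLRPC to include the references`. The same drift shows in the lib/wpscan/target.rb hunk, where `xmlrpc` is still documented as `@return [ XMLRPC, nil ]` while the body now selects `Model::XMLRPC`.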
@@ -31,7 +31,7 @@ module WPScan configs.each do |klass, config| item = process_response(opts, target.homepage_res, slug, klass, config) - found << item if item.is_a?(WpItem) + found << item if item.is_a?(Model::WpItem) end end @@ -70,7 +70,7 @@ module WPScan item = process_response(opts, response, slug, klass, config) - found << item if item.is_a?(WpItem) + found << item if item.is_a?(Model::WpItem) end end diff --git a/lib/wpscan/finders/dynamic_finder/wp_version.rb b/lib/wpscan/finders/dynamic_finder/wp_version.rb index 8f1eee30..2af671df 100644 --- a/lib/wpscan/finders/dynamic_finder/wp_version.rb +++ b/lib/wpscan/finders/dynamic_finder/wp_version.rb @@ -4,9 +4,9 @@ module WPScan module WpVersion module Finder def create_version(number, finding_opts) - return unless WPScan::WpVersion.valid?(number) + return unless Model::WpVersion.valid?(number) - WPScan::WpVersion.new(number, version_finding_opts(finding_opts)) + Model::WpVersion.new(number, version_finding_opts(finding_opts)) end end diff --git a/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb b/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb index a10ecaca..054c689c 100644 --- a/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +++ b/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb @@ -7,7 +7,7 @@ module WPScan include CMSScanner::Finders::Finder::SmartURLChecker def create_version(number, opts = {}) - WPScan::WpVersion.new( + Model::WpVersion.new( number, found_by: opts[:found_by] || found_by, confidence: opts[:confidence] || 80, diff --git a/lib/wpscan/target.rb b/lib/wpscan/target.rb index 4adea28a..52422623 100644 --- a/lib/wpscan/target.rb +++ b/lib/wpscan/target.rb @@ -21,7 +21,7 @@ module WPScan # @return [ XMLRPC, nil ] def xmlrpc - @xmlrpc ||= interesting_findings&.select { |f| f.is_a?(WPScan::XMLRPC) }&.first + @xmlrpc ||= interesting_findings&.select { |f| f.is_a?(Model::XMLRPC) }&.first end # @param [ Hash ] opts 
diff --git a/spec/app/controllers/core_spec.rb b/spec/app/controllers/core_spec.rb index e086124c..abb910bd 100644 --- a/spec/app/controllers/core_spec.rb +++ b/spec/app/controllers/core_spec.rb @@ -29,13 +29,13 @@ describe WPScan::Controller::Core do expect(core.target).to receive(:server).and_return(@stubbed_server) expect(core.load_server_module).to eql @expected - [core.target, WPScan::WpItem.new(target_url, core.target)].each do |instance| + [core.target, WPScan::Model::WpItem.new(target_url, core.target)].each do |instance| expect(instance).to respond_to(:directory_listing?) expect(instance).to respond_to(:directory_listing_entries) # The below doesn't work, the module would have to be removed from the class # TODO: find a way to test this - # expect(instance.server).to eql @expected if instance.is_a? WPScan::WpItem + # expect(instance.server).to eql @expected if instance.is_a? WPScan::Model::WpItem end end diff --git a/spec/app/controllers/password_attack_spec.rb b/spec/app/controllers/password_attack_spec.rb index 1eb7a68b..b2b524e0 100644 --- a/spec/app/controllers/password_attack_spec.rb +++ b/spec/app/controllers/password_attack_spec.rb @@ -32,7 +32,7 @@ describe WPScan::Controller::PasswordAttack do it 'returns an array with the users' do expected = %w[admin editor].reduce([]) do |a, e| - a << CMSScanner::User.new(e) + a << WPScan::Model::User.new(e) end expect(controller.users).to eql expected @@ -90,7 +90,9 @@ describe WPScan::Controller::PasswordAttack do context 'when xmlrpc detected on target' do before do - expect(controller.target).to receive(:xmlrpc).and_return(WPScan::XMLRPC.new("#{target_url}/xmlrpc.php")) + expect(controller.target) + .to receive(:xmlrpc) + .and_return(WPScan::Model::XMLRPC.new("#{target_url}/xmlrpc.php")) end context 'when single xmlrpc' do 
@@ -98,7 +100,7 @@ describe WPScan::Controller::PasswordAttack do it 'returns the correct object' do expect(controller.attacker).to be_a WPScan::Finders::Passwords::XMLRPC - expect(controller.attacker.target).to be_a WPScan::XMLRPC + expect(controller.attacker.target).to be_a WPScan::Model::XMLRPC end end @@ -107,7 +109,7 @@ describe WPScan::Controller::PasswordAttack do it 'returns the correct object' do expect(controller.attacker).to be_a WPScan::Finders::Passwords::XMLRPCMulticall - expect(controller.attacker.target).to be_a WPScan::XMLRPC + expect(controller.attacker.target).to be_a WPScan::Model::XMLRPC end end end @@ -127,7 +129,7 @@ describe WPScan::Controller::PasswordAttack do end context 'when xmlrpc not enabled' do - let(:xmlrpc) { WPScan::XMLRPC.new("#{target_url}/xmlrpc.php") } + let(:xmlrpc) { WPScan::Model::XMLRPC.new("#{target_url}/xmlrpc.php") } it 'returns the WpLogin' do expect(xmlrpc).to receive(:enabled?).and_return(false) @@ -138,7 +140,7 @@ describe WPScan::Controller::PasswordAttack do end context 'when xmlrpc enabled' do - let(:xmlrpc) { WPScan::XMLRPC.new("#{target_url}/xmlrpc.php") } + let(:xmlrpc) { WPScan::Model::XMLRPC.new("#{target_url}/xmlrpc.php") } before { expect(xmlrpc).to receive(:enabled?).and_return(true) } @@ -159,7 +161,7 @@ describe WPScan::Controller::PasswordAttack do expect(controller.target).to receive(:wp_version).and_return(false) expect(controller.attacker).to be_a WPScan::Finders::Passwords::XMLRPC - expect(controller.attacker.target).to be_a WPScan::XMLRPC + expect(controller.attacker.target).to be_a WPScan::Model::XMLRPC end end 
@@ -167,20 +169,20 @@ describe WPScan::Controller::PasswordAttack do before { expect(controller.target).to receive(:wp_version).and_return(wp_version) } context 'when WP < 4.4' do - let(:wp_version) { WPScan::WpVersion.new('3.8.1') } + let(:wp_version) { WPScan::Model::WpVersion.new('3.8.1') } it 'returns the XMLRPCMulticall' do expect(controller.attacker).to be_a WPScan::Finders::Passwords::XMLRPCMulticall - expect(controller.attacker.target).to be_a WPScan::XMLRPC + expect(controller.attacker.target).to be_a WPScan::Model::XMLRPC end end context 'when WP >= 4.4' do - let(:wp_version) { WPScan::WpVersion.new('4.4') } + let(:wp_version) { WPScan::Model::WpVersion.new('4.4') } it 'returns the XMLRPC' do expect(controller.attacker).to be_a WPScan::Finders::Passwords::XMLRPC - expect(controller.attacker.target).to be_a WPScan::XMLRPC + expect(controller.attacker.target).to be_a WPScan::Model::XMLRPC end end end diff --git a/spec/app/controllers/wp_version_spec.rb b/spec/app/controllers/wp_version_spec.rb index 2a92af7b..1d9d0ccc 100644 --- a/spec/app/controllers/wp_version_spec.rb +++ b/spec/app/controllers/wp_version_spec.rb @@ -56,7 +56,7 @@ describe WPScan::Controller::WpVersion do context "when --detection-mode #{mode}" do let(:cli_args) { "#{super()} --detection-mode #{mode}" } - [WPScan::WpVersion.new('4.0')].each do |version| + [WPScan::Model::WpVersion.new('4.0')].each do |version| context "when version = #{version}" do let(:stubbed) { version } 
@@ -68,16 +68,16 @@ describe WPScan::Controller::WpVersion do context 'when --wp-version-all supplied' do let(:cli_args) { "#{super()} --wp-version-all" } - let(:stubbed) { WPScan::WpVersion.new('3.9.1') } + let(:stubbed) { WPScan::Model::WpVersion.new('3.9.1') } - it_calls_the_formatter_with_the_correct_parameter(WPScan::WpVersion.new('3.9.1')) + it_calls_the_formatter_with_the_correct_parameter(WPScan::Model::WpVersion.new('3.9.1')) end context 'when --wp-version-detection mode supplied' do let(:cli_args) { "#{super()} --detection-mode mixed --wp-version-detection passive" } - let(:stubbed) { WPScan::WpVersion.new('4.4') } + let(:stubbed) { WPScan::Model::WpVersion.new('4.4') } - it_calls_the_formatter_with_the_correct_parameter(WPScan::WpVersion.new('4.4')) + it_calls_the_formatter_with_the_correct_parameter(WPScan::Model::WpVersion.new('4.4')) end end end diff --git a/spec/app/finders/config_backups/known_filenames_spec.rb b/spec/app/finders/config_backups/known_filenames_spec.rb index ba8c97a7..c96d53f4 100644 --- a/spec/app/finders/config_backups/known_filenames_spec.rb +++ b/spec/app/finders/config_backups/known_filenames_spec.rb @@ -36,7 +36,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do files.each do |file| url = "#{target.url}#{file}" - expected << WPScan::ConfigBackup.new( + expected << WPScan::Model::ConfigBackup.new( url, confidence: 100, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/db_exports/known_locations_spec.rb b/spec/app/finders/db_exports/known_locations_spec.rb index bd58713e..b6475a23 100644 --- a/spec/app/finders/db_exports/known_locations_spec.rb +++ b/spec/app/finders/db_exports/known_locations_spec.rb @@ -53,7 +53,7 @@ describe WPScan::Finders::DbExports::KnownLocations do files.each do |file| url = "#{target.url}#{file}" - expected << WPScan::DbExport.new( + expected << WPScan::Model::DbExport.new( url, confidence: 100, found_by: described_class::DIRECT_ACCESS 
diff --git a/spec/app/finders/interesting_findings/backup_db_spec.rb b/spec/app/finders/interesting_findings/backup_db_spec.rb index a12a4cdf..988b5b0c 100644 --- a/spec/app/finders/interesting_findings/backup_db_spec.rb +++ b/spec/app/finders/interesting_findings/backup_db_spec.rb @@ -35,7 +35,7 @@ describe WPScan::Finders::InterestingFindings::BackupDB do after do found = finder.aggressive - expect(found).to eql WPScan::BackupDB.new( + expect(found).to eql WPScan::Model::BackupDB.new( dir_url, confidence: 70, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/interesting_findings/debug_log_spec.rb b/spec/app/finders/interesting_findings/debug_log_spec.rb index 46173051..8568b937 100644 --- a/spec/app/finders/interesting_findings/debug_log_spec.rb +++ b/spec/app/finders/interesting_findings/debug_log_spec.rb @@ -21,7 +21,7 @@ describe WPScan::Finders::InterestingFindings::DebugLog do let(:body) { File.read(fixtures.join('debug.log')) } it 'returns the InterestingFinding' do - expect(finder.aggressive).to eql WPScan::DebugLog.new( + expect(finder.aggressive).to eql WPScan::Model::DebugLog.new( log_url, confidence: 100, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/interesting_findings/duplicator_installer_log_spec.rb b/spec/app/finders/interesting_findings/duplicator_installer_log_spec.rb index 102eeaa4..d7c8e744 100644 --- a/spec/app/finders/interesting_findings/duplicator_installer_log_spec.rb +++ b/spec/app/finders/interesting_findings/duplicator_installer_log_spec.rb @@ -22,7 +22,7 @@ describe WPScan::Finders::InterestingFindings::DuplicatorInstallerLog do let(:body) { File.read(fixtures.join(filename)) } it 'returns the InterestingFinding' do - expect(finder.aggressive).to eql WPScan::DuplicatorInstallerLog.new( + expect(finder.aggressive).to eql WPScan::Model::DuplicatorInstallerLog.new( log_url, confidence: 100, found_by: described_class::DIRECT_ACCESS 
diff --git a/spec/app/finders/interesting_findings/full_path_disclosure_spec.rb b/spec/app/finders/interesting_findings/full_path_disclosure_spec.rb index 68a7fa5d..cb7520cc 100644 --- a/spec/app/finders/interesting_findings/full_path_disclosure_spec.rb +++ b/spec/app/finders/interesting_findings/full_path_disclosure_spec.rb @@ -23,7 +23,7 @@ describe WPScan::Finders::InterestingFindings::FullPathDisclosure do it 'returns the InterestingFinding' do found = finder.aggressive - expect(found).to eql WPScan::FullPathDisclosure.new( + expect(found).to eql WPScan::Model::FullPathDisclosure.new( file_url, confidence: 100, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/interesting_findings/readme_spec.rb b/spec/app/finders/interesting_findings/readme_spec.rb index 89d51ee6..27924f6f 100644 --- a/spec/app/finders/interesting_findings/readme_spec.rb +++ b/spec/app/finders/interesting_findings/readme_spec.rb @@ -25,7 +25,7 @@ describe WPScan::Finders::InterestingFindings::Readme do before { stub_request(:get, target.url(file)).to_return(body: readme) } it 'returns the expected InterestingFinding' do - expected = WPScan::Readme.new( + expected = WPScan::Model::Readme.new( target.url(file), confidence: 100, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/interesting_findings/upload_sql_dump_spec.rb b/spec/app/finders/interesting_findings/upload_sql_dump_spec.rb index c8881604..c12a5a4c 100644 --- a/spec/app/finders/interesting_findings/upload_sql_dump_spec.rb +++ b/spec/app/finders/interesting_findings/upload_sql_dump_spec.rb @@ -36,7 +36,7 @@ describe WPScan::Finders::InterestingFindings::UploadSQLDump do let(:fixture) { 'dump.sql' } it 'returns the interesting findings' do - @expected = WPScan::UploadSQLDump.new( + @expected = WPScan::Model::UploadSQLDump.new( finder.dump_url, confidence: 100, found_by: described_class::DIRECT_ACCESS 
diff --git a/spec/app/finders/interesting_findings/wp_cron_spec.rb b/spec/app/finders/interesting_findings/wp_cron_spec.rb index cd59778f..460a1719 100644 --- a/spec/app/finders/interesting_findings/wp_cron_spec.rb +++ b/spec/app/finders/interesting_findings/wp_cron_spec.rb @@ -13,7 +13,7 @@ describe WPScan::Finders::InterestingFindings::WPCron do let(:status) { 200 } it 'returns the InterestingFinding' do - expect(finder.aggressive).to eql WPScan::WPCron.new( + expect(finder.aggressive).to eql WPScan::Model::WPCron.new( finder.wp_cron_url, confidence: 60, found_by: described_class::DIRECT_ACCESS diff --git a/spec/app/finders/main_theme/css_style_spec.rb b/spec/app/finders/main_theme/css_style_spec.rb index 12601c9f..5ac2694e 100644 --- a/spec/app/finders/main_theme/css_style_spec.rb +++ b/spec/app/finders/main_theme/css_style_spec.rb @@ -28,7 +28,7 @@ describe WPScan::Finders::MainTheme::CssStyle do let(:fixture) { 'link_href.html' } it 'returns the expected theme' do - @expected = WPScan::Theme.new( + @expected = WPScan::Model::Theme.new( 'twentyfifteen', target, found_by: 'Css Style (Passive Detection)', @@ -42,7 +42,7 @@ describe WPScan::Finders::MainTheme::CssStyle do let(:fixture) { 'style_code.html' } it 'returns the expected theme' do - @expected = WPScan::Theme.new( + @expected = WPScan::Model::Theme.new( 'custom', target, found_by: 'Css Style (Passive Detection)', diff --git a/spec/app/finders/main_theme/urls_in_homepage_spec.rb b/spec/app/finders/main_theme/urls_in_homepage_spec.rb index 0ec833b3..576cd36a 100644 --- a/spec/app/finders/main_theme/urls_in_homepage_spec.rb +++ b/spec/app/finders/main_theme/urls_in_homepage_spec.rb 
@@ -22,7 +22,7 @@ describe WPScan::Finders::MainTheme::UrlsInHomepage do @expected = [] { 'twentyfifteen' => 6, 'yolo' => 4, 'test' => 2 }.each do |slug, confidence| - @expected << WPScan::Theme.new( + @expected << WPScan::Model::Theme.new( slug, target, found_by: 'Urls In Homepage (Passive Detection)', confidence: confidence ) end diff --git a/spec/app/finders/main_theme/woo_framework_meta_generator_spec.rb b/spec/app/finders/main_theme/woo_framework_meta_generator_spec.rb index 0b9bceeb..9397a72b 100644 --- a/spec/app/finders/main_theme/woo_framework_meta_generator_spec.rb +++ b/spec/app/finders/main_theme/woo_framework_meta_generator_spec.rb @@ -26,7 +26,7 @@ describe WPScan::Finders::MainTheme::WooFrameworkMetaGenerator do it 'returns the expected theme' do @file = 'woo_generator.html' - @expected = WPScan::Theme.new( + @expected = WPScan::Model::Theme.new( 'Merchant', target, found_by: 'Woo Framework Meta Generator (Passive Detection)', confidence: 80 diff --git a/spec/app/finders/plugin_version/readme_spec.rb b/spec/app/finders/plugin_version/readme_spec.rb index 02f81ece..c35f9565 100644 --- a/spec/app/finders/plugin_version/readme_spec.rb +++ b/spec/app/finders/plugin_version/readme_spec.rb @@ -1,11 +1,11 @@ describe WPScan::Finders::PluginVersion::Readme do subject(:finder) { described_class.new(plugin) } - let(:plugin) { WPScan::Plugin.new('spec', target) } + let(:plugin) { WPScan::Model::Plugin.new('spec', target) } let(:target) { WPScan::Target.new('http://wp.lab/') } let(:fixtures) { FINDERS_FIXTURES.join('plugin_version', 'readme') } def version(number, found_by, confidence) - WPScan::Version.new( + WPScan::Model::Version.new( number, found_by: format('Readme - %s (Aggressive Detection)', found_by), confidence: confidence, 
@@ -31,7 +31,7 @@ describe WPScan::Finders::PluginVersion::Readme do expect(finder.aggressive).to eql @expected end - let(:readme_url) { plugin.url(WPScan::WpItem::READMES.sample) } + let(:readme_url) { plugin.url(WPScan::Model::WpItem::READMES.sample) } context 'when no version' do it 'returns nil' do diff --git a/spec/app/finders/plugin_version_spec.rb b/spec/app/finders/plugin_version_spec.rb index 0e8b63e2..6cf45548 100644 --- a/spec/app/finders/plugin_version_spec.rb +++ b/spec/app/finders/plugin_version_spec.rb @@ -3,7 +3,7 @@ describe WPScan::Finders::PluginVersion::Base do subject(:plugin_version) { described_class.new(plugin) } - let(:plugin) { WPScan::Plugin.new(slug, target) } + let(:plugin) { WPScan::Model::Plugin.new(slug, target) } let(:target) { WPScan::Target.new('http://wp.lab/') } let(:default_finders) { %w[Readme] } diff --git a/spec/app/finders/plugins/body_pattern_spec.rb b/spec/app/finders/plugins/body_pattern_spec.rb index d0c14928..396ee7d7 100644 --- a/spec/app/finders/plugins/body_pattern_spec.rb +++ b/spec/app/finders/plugins/body_pattern_spec.rb @@ -6,6 +6,6 @@ describe WPScan::Finders::Plugins::BodyPattern do let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } let(:expected_all) { df_expected_all['plugins'] } - let(:item_class) { WPScan::Plugin } + let(:item_class) { WPScan::Model::Plugin } end end diff --git a/spec/app/finders/plugins/comment_spec.rb b/spec/app/finders/plugins/comment_spec.rb index 0fdc2465..ec64d135 100644 --- a/spec/app/finders/plugins/comment_spec.rb +++ b/spec/app/finders/plugins/comment_spec.rb @@ -6,6 +6,6 @@ describe WPScan::Finders::Plugins::Comment do let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } let(:expected_all) { df_expected_all['plugins'] } - let(:item_class) { WPScan::Plugin } + let(:item_class) { WPScan::Model::Plugin } end end diff --git a/spec/app/finders/plugins/config_parser_spec.rb b/spec/app/finders/plugins/config_parser_spec.rb index 09a19281..956c98af 100644 
--- a/spec/app/finders/plugins/config_parser_spec.rb +++ b/spec/app/finders/plugins/config_parser_spec.rb @@ -8,6 +8,6 @@ describe WPScan::Finders::Plugins::ConfigParser do # let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } # # let(:expected_all) { df_expected_all['plugins'] } - # let(:item_class) { WPScan::Plugin } + # let(:item_class) { WPScan::Model::Plugin } # end end diff --git a/spec/app/finders/plugins/header_pattern_spec.rb b/spec/app/finders/plugins/header_pattern_spec.rb index cfadb343..51dd483f 100644 --- a/spec/app/finders/plugins/header_pattern_spec.rb +++ b/spec/app/finders/plugins/header_pattern_spec.rb @@ -5,7 +5,7 @@ describe WPScan::Finders::Plugins::HeaderPattern do let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } def plugin(slug) - WPScan::Plugin.new(slug, target) + WPScan::Model::Plugin.new(slug, target) end describe '#passive' do diff --git a/spec/app/finders/plugins/javascript_var_spec.rb b/spec/app/finders/plugins/javascript_var_spec.rb index db7f1681..30963627 100644 --- a/spec/app/finders/plugins/javascript_var_spec.rb +++ b/spec/app/finders/plugins/javascript_var_spec.rb @@ -6,6 +6,6 @@ describe WPScan::Finders::Plugins::JavascriptVar do let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } let(:expected_all) { df_expected_all['plugins'] } - let(:item_class) { WPScan::Plugin } + let(:item_class) { WPScan::Model::Plugin } end end diff --git a/spec/app/finders/plugins/xpath_spec.rb b/spec/app/finders/plugins/xpath_spec.rb index 9e1e0325..80a2037a 100644 --- a/spec/app/finders/plugins/xpath_spec.rb +++ b/spec/app/finders/plugins/xpath_spec.rb @@ -6,6 +6,6 @@ describe WPScan::Finders::Plugins::Xpath do let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') } let(:expected_all) { df_expected_all['plugins'] } - let(:item_class) { WPScan::Plugin } + let(:item_class) { WPScan::Model::Plugin } end end 
diff --git a/spec/app/finders/theme_version/style_spec.rb b/spec/app/finders/theme_version/style_spec.rb index d1248a50..349a8fed 100644 --- a/spec/app/finders/theme_version/style_spec.rb +++ b/spec/app/finders/theme_version/style_spec.rb @@ -1,6 +1,6 @@ describe WPScan::Finders::ThemeVersion::Style do subject(:finder) { described_class.new(theme) } - let(:theme) { WPScan::Theme.new('spec', target) } + let(:theme) { WPScan::Model::Theme.new('spec', target) } let(:target) { WPScan::Target.new('http://wp.lab/') } let(:fixtures) { FINDERS_FIXTURES.join('theme_version', 'style') } @@ -81,7 +81,7 @@ describe WPScan::Finders::ThemeVersion::Style do it 'returns the expected version' do expected = if expected_version - WPScan::Version.new( + WPScan::Model::Version.new( expected_version, confidence: 80, interesting_entries: ["#{theme.style_url}, Version: #{expected_version}"] diff --git a/spec/app/finders/theme_version/woo_framework_meta_generator_spec.rb b/spec/app/finders/theme_version/woo_framework_meta_generator_spec.rb index 914ade33..7fe7e63c 100644 --- a/spec/app/finders/theme_version/woo_framework_meta_generator_spec.rb +++ b/spec/app/finders/theme_version/woo_framework_meta_generator_spec.rb @@ -1,6 +1,6 @@ describe WPScan::Finders::ThemeVersion::WooFrameworkMetaGenerator do subject(:finder) { described_class.new(theme) } - let(:theme) { WPScan::Theme.new(slug, target) } + let(:theme) { WPScan::Model::Theme.new(slug, target) } let(:target) { WPScan::Target.new('http://wp.lab/') } let(:fixtures) { FINDERS_FIXTURES.join('theme_version', 'woo_framework_meta_generator') } @@ -28,7 +28,7 @@ describe WPScan::Finders::ThemeVersion::WooFrameworkMetaGenerator do let(:slug) { 'Editorial' } it 'return the expected version' do - @expected = WPScan::Version.new( + @expected = WPScan::Model::Version.new( '1.3.5', found_by: 'Woo Framework Meta Generator (Passive Detection)', confidence: 80 
diff --git a/spec/app/finders/theme_version_spec.rb b/spec/app/finders/theme_version_spec.rb
index ef4d98ba..823266ac 100644
--- a/spec/app/finders/theme_version_spec.rb
+++ b/spec/app/finders/theme_version_spec.rb
@@ -1,6 +1,6 @@
 describe WPScan::Finders::ThemeVersion::Base do
 subject(:theme_version) { described_class.new(theme) }
- let(:theme) { WPScan::Plugin.new(slug, target) }
+ let(:theme) { WPScan::Model::Plugin.new(slug, target) }
 let(:target) { WPScan::Target.new('http://wp.lab/') }
 let(:slug) { 'spec' }
 let(:default_finders) { %w[Style WooFrameworkMetaGenerator] }
diff --git a/spec/app/finders/timthumb_version/bad_request_spec.rb b/spec/app/finders/timthumb_version/bad_request_spec.rb
index 7920a7fa..3e2e15ee 100644
--- a/spec/app/finders/timthumb_version/bad_request_spec.rb
+++ b/spec/app/finders/timthumb_version/bad_request_spec.rb
@@ -1,6 +1,6 @@
 describe WPScan::Finders::TimthumbVersion::BadRequest do
 subject(:finder) { described_class.new(target) }
- let(:target) { WPScan::Timthumb.new(url) }
+ let(:target) { WPScan::Model::Timthumb.new(url) }
 let(:url) { 'http://ex.lo/timthumb.php' }
 let(:fixtures) { FINDERS_FIXTURES.join('timthumb_version', 'bad_request') }
@@ -20,7 +20,7 @@ describe WPScan::Finders::TimthumbVersion::BadRequest do
 let(:file) { '2.8.14.php' }
 it 'returns the expected version' do
- @expected = WPScan::Version.new(
+ @expected = WPScan::Model::Version.new(
 '2.8.14', confidence: 90, found_by: 'Bad Request (Aggressive Detection)',
diff --git a/spec/app/finders/timthumb_version_spec.rb b/spec/app/finders/timthumb_version_spec.rb
index 3f342111..cfd7cff5 100644
--- a/spec/app/finders/timthumb_version_spec.rb
+++ b/spec/app/finders/timthumb_version_spec.rb
@@ -1,6 +1,6 @@
 describe WPScan::Finders::TimthumbVersion::Base do
 subject(:timthumb_version) { described_class.new(target) }
- let(:target) { WPScan::Timthumb.new(url) }
+ let(:target) { WPScan::Model::Timthumb.new(url) }
 let(:url) { 'http://ex.lo/timthumb.php' }
 describe '#finders' do
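Review bot: In `spec/app/finders/theme_version_spec.rb` the renamed `let(:theme)` still builds a plugin, so the `WPScan::Finders::ThemeVersion::Base` spec never runs against a theme model. The rename was a natural point to correct it to `let(:theme) { WPScan::Model::Theme.new(slug, target) }`. If the plugin is deliberate, for example to avoid setup that the theme constructor needs, a one-line comment such as `# a Plugin is enough here, only #finders is checked` would stop the next reader from treating it as a copy-paste slip. Neither model class is defined in this part of the patch, so the difference between them is inferred from the names only.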
diff --git a/spec/app/finders/users/rss_generator_spec.rb b/spec/app/finders/users/rss_generator_spec.rb index 60664f02..5caaa4e5 100644 --- a/spec/app/finders/users/rss_generator_spec.rb +++ b/spec/app/finders/users/rss_generator_spec.rb @@ -24,12 +24,12 @@ describe WPScan::Finders::Users::RSSGenerator do stub_request(:get, target.url('feed/rss2/')) expect(finder.aggressive).to eql [ - CMSScanner::User.new( + WPScan::Model::User.new( 'admin', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' ), - CMSScanner::User.new( + WPScan::Model::User.new( 'Aa Dias-Gildes', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' @@ -45,12 +45,12 @@ describe WPScan::Finders::Users::RSSGenerator do stub_request(:get, target.url('feed/')).to_return(body: rss_fixture) expect(finder.passive).to eql [ - CMSScanner::User.new( + WPScan::Model::User.new( 'admin', confidence: 50, found_by: 'Rss Generator (Passive Detection)' ), - CMSScanner::User.new( + WPScan::Model::User.new( 'Aa Dias-Gildes', confidence: 50, found_by: 'Rss Generator (Passive Detection)' @@ -63,12 +63,12 @@ describe WPScan::Finders::Users::RSSGenerator do stub_request(:get, target.url('comments/feed/')).to_return(body: rss_fixture) expect(finder.aggressive(mode: :mixed)).to eql [ - CMSScanner::User.new( + WPScan::Model::User.new( 'admin', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' ), - CMSScanner::User.new( + WPScan::Model::User.new( 'Aa Dias-Gildes', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' @@ -82,12 +82,12 @@ describe WPScan::Finders::Users::RSSGenerator do stub_request(:get, target.url('feed/')).to_return(body: rss_fixture) expect(finder.aggressive).to eql [ - CMSScanner::User.new( + WPScan::Model::User.new( 'admin', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' ), - CMSScanner::User.new( + WPScan::Model::User.new( 'Aa Dias-Gildes', confidence: 50, found_by: 'Rss Generator (Aggressive Detection)' 
diff --git a/spec/app/finders/wp_version/atom_generator_spec.rb b/spec/app/finders/wp_version/atom_generator_spec.rb index 09c161b5..5c33234f 100644 --- a/spec/app/finders/wp_version/atom_generator_spec.rb +++ b/spec/app/finders/wp_version/atom_generator_spec.rb @@ -22,7 +22,7 @@ describe WPScan::Finders::WpVersion::AtomGenerator do stub_request(:get, target.url('?feed=atom')) expect(finder.aggressive).to eql [ - WPScan::WpVersion.new( + WPScan::Model::WpVersion.new( '4.0', confidence: 80, found_by: 'Atom Generator (Aggressive Detection)', @@ -42,7 +42,7 @@ describe WPScan::Finders::WpVersion::AtomGenerator do stub_request(:get, target.url('?feed=atom')).to_return(body: atom_fixture) expect(finder.passive).to eql [ - WPScan::WpVersion.new( + WPScan::Model::WpVersion.new( '4.0', confidence: 80, found_by: 'Atom Generator (Passive Detection)', @@ -59,7 +59,7 @@ describe WPScan::Finders::WpVersion::AtomGenerator do stub_request(:get, target.url('feed/atom/')).to_return(body: atom_fixture) expect(finder.aggressive(mode: :mixed)).to eql [ - WPScan::WpVersion.new( + WPScan::Model::WpVersion.new( '4.0', confidence: 80, found_by: 'Atom Generator (Aggressive Detection)', @@ -78,7 +78,7 @@ describe WPScan::Finders::WpVersion::AtomGenerator do stub_request(:get, target.url('?feed=atom')) expect(finder.aggressive).to eql [ - WPScan::WpVersion.new( + WPScan::Model::WpVersion.new( '4.0', confidence: 80, found_by: 'Atom Generator (Aggressive Detection)', diff --git a/spec/app/finders/wp_version/readme_spec.rb b/spec/app/finders/wp_version/readme_spec.rb index 89b006ed..eff86c26 100644 --- a/spec/app/finders/wp_version/readme_spec.rb +++ b/spec/app/finders/wp_version/readme_spec.rb @@ -33,7 +33,7 @@ describe WPScan::Finders::WpVersion::Readme do let(:file) { '4.0.html' } it 'returns the expected version' do - @expected = WPScan::WpVersion.new( + @expected = WPScan::Model::WpVersion.new( '4.0', confidence: 90, found_by: 'Readme (Aggressive Detection)', 
diff --git a/spec/app/models/interesting_finding_spec.rb b/spec/app/models/interesting_finding_spec.rb index 9d1247ba..4afd239a 100644 --- a/spec/app/models/interesting_finding_spec.rb +++ b/spec/app/models/interesting_finding_spec.rb @@ -1,4 +1,4 @@ -describe WPScan::InterestingFinding do +describe WPScan::Model::InterestingFinding do it_behaves_like WPScan::References do subject(:finding) { described_class.new('http://e.org/file.php', opts) } let(:opts) { { references: references } } diff --git a/spec/app/models/media_spec.rb b/spec/app/models/media_spec.rb index c5f111f4..252a97c3 100644 --- a/spec/app/models/media_spec.rb +++ b/spec/app/models/media_spec.rb @@ -1,4 +1,4 @@ -describe WPScan::Media do +describe WPScan::Model::Media do subject(:media) { described_class.new(url) } let(:url) { 'http://e.oeg/?attachment_id=2' } diff --git a/spec/app/models/plugin_spec.rb b/spec/app/models/plugin_spec.rb index 149b065d..a95fc56a 100644 --- a/spec/app/models/plugin_spec.rb +++ b/spec/app/models/plugin_spec.rb @@ -1,4 +1,4 @@ -describe WPScan::Plugin do +describe WPScan::Model::Plugin do subject(:plugin) { described_class.new(slug, blog, opts) } let(:slug) { 'spec' } let(:blog) { WPScan::Target.new('http://wp.lab/') } @@ -70,7 +70,7 @@ describe WPScan::Plugin do context 'when values' do let(:slug) { 'no-vulns-popular' } - its(:latest_version) { should eql WPScan::Version.new('2.0') } + its(:latest_version) { should eql WPScan::Model::Version.new('2.0') } its(:last_updated) { should eql '2015-05-16T00:00:00.000Z' } its(:popular?) { should be true } end @@ -87,7 +87,12 @@ describe WPScan::Plugin do end context 'when version' do - before { expect(plugin).to receive(:version).at_least(1).and_return(WPScan::Version.new(version_number)) } + before do + expect(plugin) + .to receive(:version) + .at_least(1) + .and_return(WPScan::Model::Version.new(version_number)) + end context 'when version < last_version' do let(:version_number) { '1.2' } 
@@ -113,7 +118,12 @@ describe WPScan::Plugin do end context 'when version' do - before { expect(plugin).to receive(:version).at_least(1).and_return(WPScan::Version.new('1.0')) } + before do + expect(plugin) + .to receive(:version) + .at_least(1) + .and_return(WPScan::Model::Version.new('1.0')) + end its(:outdated?) { should eql false } end @@ -166,7 +176,12 @@ describe WPScan::Plugin do end context 'when plugin version' do - before { expect(plugin).to receive(:version).at_least(1).and_return(WPScan::Version.new(number)) } + before do + expect(plugin) + .to receive(:version) + .at_least(1) + .and_return(WPScan::Model::Version.new(number)) + end context 'when < to a fixed_in' do let(:number) { '5.0' } diff --git a/spec/app/models/theme_spec.rb b/spec/app/models/theme_spec.rb index bd67cfc8..c648ac57 100644 --- a/spec/app/models/theme_spec.rb +++ b/spec/app/models/theme_spec.rb @@ -1,4 +1,4 @@ -describe WPScan::Theme do +describe WPScan::Model::Theme do subject(:theme) { described_class.new(slug, blog, opts) } let(:slug) { 'spec' } let(:blog) { WPScan::Target.new('http://wp.lab/') } diff --git a/spec/app/models/timthumb_spec.rb b/spec/app/models/timthumb_spec.rb index abed5483..e1f3ba90 100644 --- a/spec/app/models/timthumb_spec.rb +++ b/spec/app/models/timthumb_spec.rb @@ -1,4 +1,4 @@ -describe WPScan::Timthumb do +describe WPScan::Model::Timthumb do subject(:timthumb) { described_class.new(url, opts) } let(:url) { 'http://wp.lab/wp-content/timthumb.php' } let(:fixtures) { FIXTURES.join('models', 'timthumb') } @@ -86,7 +86,7 @@ describe WPScan::Timthumb do end context 'when version' do - let(:version) { WPScan::Version.new(version_number) } + let(:version) { WPScan::Model::Version.new(version_number) } context 'when version >= 2.8.14' do let(:version_number) { '2.8.14' } diff --git a/spec/app/models/wp_item_spec.rb b/spec/app/models/wp_item_spec.rb index 32d6c136..8566eee0 100644 --- a/spec/app/models/wp_item_spec.rb +++ b/spec/app/models/wp_item_spec.rb 
@@ -1,4 +1,4 @@
-describe WPScan::WpItem do
+describe WPScan::Model::WpItem do
 subject(:wp_item) { described_class.new(slug, blog, opts) }
 let(:slug) { 'test_item' }
 let(:blog) { WPScan::Target.new(url) }
diff --git a/spec/app/models/wp_version_spec.rb b/spec/app/models/wp_version_spec.rb
index 4260df87..ffcabca2 100644
--- a/spec/app/models/wp_version_spec.rb
+++ b/spec/app/models/wp_version_spec.rb
@@ -1,4 +1,4 @@
-describe WPScan::WpVersion do
+describe WPScan::Model::WpVersion do
 describe '#new' do
 context 'when invalid number' do
 it 'raises an error' do
diff --git a/spec/app/models/xml_rpc_spec.rb b/spec/app/models/xml_rpc_spec.rb
index 93680958..460db1c4 100644
--- a/spec/app/models/xml_rpc_spec.rb
+++ b/spec/app/models/xml_rpc_spec.rb
@@ -1,4 +1,4 @@
-describe WPScan::XMLRPC do
+describe WPScan::Model::XMLRPC do
 subject(:xml_rpc) { described_class.new('http//e.org/xmlrpc.php') }
 describe '#references' do
diff --git a/spec/lib/finders/dynamic_finder/plugin_version_spec.rb b/spec/lib/finders/dynamic_finder/plugin_version_spec.rb
index 4311d2d0..90976910 100644
--- a/spec/lib/finders/dynamic_finder/plugin_version_spec.rb
+++ b/spec/lib/finders/dynamic_finder/plugin_version_spec.rb
@@ -30,7 +30,7 @@ WPScan::DB::DynamicFinders::Plugin.versions_finders_configs.each do |slug, confi
 # If someone find a fix for that, please share!
 describe df_tested_class_constant('PluginVersion', finder_class, slug), slow: true do
 subject(:finder) { described_class.new(plugin) }
- let(:plugin) { WPScan::Plugin.new(slug, target) }
+ let(:plugin) { WPScan::Model::Plugin.new(slug, target) }
 let(:target) { WPScan::Target.new('http://wp.lab/') }
 let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('plugin_version') }
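Review bot: The subject in `spec/app/models/xml_rpc_spec.rb` is built from `'http//e.org/xmlrpc.php'`, which lacks the colon after the scheme, so the model under test is constructed from a string that is not an absolute URL. This is a context line the rename leaves untouched. Unless the malformed value is deliberate, it should read `described_class.new('http://e.org/xmlrpc.php')`. The rest of the describe block lies outside the hunk, so whether any example depends on the current value cannot be checked from here.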
@@ -75,7 +75,7 @@ WPScan::DB::DynamicFinders::Plugin.versions_finders_configs.each do |slug, confi found.each_with_index do |version, index| expected_version = expected.at(index) - expect(version).to be_a WPScan::Version + expect(version).to be_a WPScan::Model::Version expect(version.number).to eql expected_version['number'].to_s expect(version.found_by).to eql expected_version['found_by'] expect(version.interesting_entries).to match_array expected_version['interesting_entries'] @@ -117,7 +117,7 @@ WPScan::DB::DynamicFinders::Plugin.versions_finders_configs.each do |slug, confi found.each_with_index do |version, index| expected_version = expected.at(index) - expect(version).to be_a WPScan::Version + expect(version).to be_a WPScan::Model::Version expect(version.number).to eql expected_version['number'].to_s expect(version.found_by).to eql expected_version['found_by'] expect(version.interesting_entries).to match_array expected_version['interesting_entries'] diff --git a/spec/lib/finders/dynamic_finder/wp_version_spec.rb b/spec/lib/finders/dynamic_finder/wp_version_spec.rb index 55ea1e38..8dbbbffa 100644 --- a/spec/lib/finders/dynamic_finder/wp_version_spec.rb +++ b/spec/lib/finders/dynamic_finder/wp_version_spec.rb @@ -48,7 +48,7 @@ WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.each do |finder_c found.each_with_index do |version, index| expected_version = expected.at(index) - expect(version).to be_a WPScan::WpVersion + expect(version).to be_a WPScan::Model::WpVersion expect(version.number).to eql expected_version['number'].to_s expect(version.found_by).to eql expected_version['found_by'] expect(version.interesting_entries).to match_array expected_version['interesting_entries'] 
@@ -83,7 +83,7 @@ WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.each do |finder_c
 found.each_with_index do |version, index|
 expected_version = expected.at(index)
- expect(version).to be_a WPScan::WpVersion
+ expect(version).to be_a WPScan::Model::WpVersion
 expect(version.number).to eql expected_version['number'].to_s
 expect(version.found_by).to eql expected_version['found_by']
 expect(version.interesting_entries).to match_array expected_version['interesting_entries']
diff --git a/spec/lib/target_spec.rb b/spec/lib/target_spec.rb
index c90e61e0..07c91e3a 100644
--- a/spec/lib/target_spec.rb
+++ b/spec/lib/target_spec.rb
@@ -18,14 +18,14 @@ describe WPScan::Target do
 end
 context 'when interesting_findings' do
- let(:interesting_findings) { ['aa', CMSScanner::RobotsTxt.new(target.url)] }
+ let(:interesting_findings) { ['aa', CMSScanner::Model::RobotsTxt.new(target.url)] }
 context 'when no XMLRPC' do
 its(:xmlrpc) { should be_nil }
 end
 context 'when XMLRPC' do
- let(:xmlrpc) { WPScan::XMLRPC.new(target.url('xmlrpc.php')) }
+ let(:xmlrpc) { WPScan::Model::XMLRPC.new(target.url('xmlrpc.php')) }
 let(:interesting_findings) { super() << xmlrpc }
 its(:xmlrpc) { should eq xmlrpc }
@@ -81,13 +81,13 @@ describe WPScan::Target do
 context 'when wp_version found' do
 context 'when not vulnerable' do
- before { target.instance_variable_set(:@wp_version, WPScan::WpVersion.new('4.4')) }
+ before { target.instance_variable_set(:@wp_version, WPScan::Model::WpVersion.new('4.4')) }
 it { should_not be_vulnerable }
 end
 context 'when vulnerable' do
- before { target.instance_variable_set(:@wp_version, WPScan::WpVersion.new('3.8.1')) }
+ before { target.instance_variable_set(:@wp_version, WPScan::Model::WpVersion.new('3.8.1')) }
 it { should be_vulnerable }
 end
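Review bot: In the `@@ -18,14 +18,14 @@` hunk of `spec/lib/target_spec.rb` the fixture now references `CMSScanner::Model::RobotsTxt`, a constant owned by the cms_scanner gem rather than by this repository. On an installed cms_scanner release that predates its own `Model` namespace the spec would fail with a NameError, so the gem's minimum version constraint should be raised in the same commit as this rename. The gemspec is not part of this section of the patch, so the constraint may already have been updated.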
@@ -95,7 +95,7 @@ describe WPScan::Target do context 'when config_backups' do before do - target.instance_variable_set(:@config_backups, [WPScan::ConfigBackup.new(target.url('/a-file-url'))]) + target.instance_variable_set(:@config_backups, [WPScan::Model::ConfigBackup.new(target.url('/a-file-url'))]) end it { should be_vulnerable } @@ -103,7 +103,7 @@ describe WPScan::Target do context 'when db_exports' do before do - target.instance_variable_set(:@db_exports, [WPScan::DbExport.new(target.url('/wordpress.sql'))]) + target.instance_variable_set(:@db_exports, [WPScan::Model::DbExport.new(target.url('/wordpress.sql'))]) end it { should be_vulnerable } @@ -111,7 +111,9 @@ describe WPScan::Target do context 'when users' do before do - target.instance_variable_set(:@users, [CMSScanner::User.new('u1'), CMSScanner::User.new('u2')]) + target.instance_variable_set(:@users, + [WPScan::Model::User.new('u1'), + WPScan::Model::User.new('u2')]) end context 'when no passwords' do diff --git a/spec/shared_examples/views/enumeration/config_backups.rb b/spec/shared_examples/views/enumeration/config_backups.rb index e81aaf74..0204685d 100644 --- a/spec/shared_examples/views/enumeration/config_backups.rb +++ b/spec/shared_examples/views/enumeration/config_backups.rb @@ -1,6 +1,6 @@ shared_examples 'App::Views::Enumeration::ConfigBackups' do let(:view) { 'config_backups' } - let(:config_backup) { WPScan::ConfigBackup } + let(:config_backup) { WPScan::Model::ConfigBackup } describe 'config_backups' do context 'when no backups found' do diff --git a/spec/shared_examples/views/enumeration/db_exports.rb b/spec/shared_examples/views/enumeration/db_exports.rb index 3310df9b..1d79c806 100644 --- a/spec/shared_examples/views/enumeration/db_exports.rb +++ b/spec/shared_examples/views/enumeration/db_exports.rb 
@@ -1,6 +1,6 @@
 shared_examples 'App::Views::Enumeration::DbExports' do
 let(:view) { 'db_exports' }
- let(:db_export) { WPScan::DbExport }
+ let(:db_export) { WPScan::Model::DbExport }
 describe 'db_exports' do
 context 'when no file found' do
diff --git a/spec/shared_examples/views/enumeration/medias.rb b/spec/shared_examples/views/enumeration/medias.rb
index e4581039..ee481465 100644
--- a/spec/shared_examples/views/enumeration/medias.rb
+++ b/spec/shared_examples/views/enumeration/medias.rb
@@ -1,6 +1,6 @@
 shared_examples 'App::Views::Enumeration::Medias' do
 let(:view) { 'medias' }
- let(:media) { WPScan::Media }
+ let(:media) { WPScan::Model::Media }
 describe 'medias' do
 context 'when no medias found' do
diff --git a/spec/shared_examples/views/enumeration/plugins.rb b/spec/shared_examples/views/enumeration/plugins.rb
index 4215b9e1..07963c00 100644
--- a/spec/shared_examples/views/enumeration/plugins.rb
+++ b/spec/shared_examples/views/enumeration/plugins.rb
@@ -1,6 +1,6 @@
 shared_examples 'App::Views::Enumeration::Plugins' do
 let(:view) { 'plugins' }
- let(:plugin) { WPScan::Plugin }
+ let(:plugin) { WPScan::Model::Plugin }
 describe 'plugins' do
 context 'when no plugins found' do
diff --git a/spec/shared_examples/views/enumeration/themes.rb b/spec/shared_examples/views/enumeration/themes.rb
index 89841a47..8c32e900 100644
--- a/spec/shared_examples/views/enumeration/themes.rb
+++ b/spec/shared_examples/views/enumeration/themes.rb
@@ -1,6 +1,6 @@
 shared_examples 'App::Views::Enumeration::Themes' do
 let(:view) { 'themes' }
- let(:plugin) { WPScan::Theme }
+ let(:plugin) { WPScan::Model::Theme }
 describe 'themes' do
 context 'when no themes found' do
diff --git a/spec/shared_examples/views/enumeration/timthumbs.rb b/spec/shared_examples/views/enumeration/timthumbs.rb
index e9868ae2..1a5f6629 100644
--- a/spec/shared_examples/views/enumeration/timthumbs.rb
+++ b/spec/shared_examples/views/enumeration/timthumbs.rb
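Review bot: In `spec/shared_examples/views/enumeration/themes.rb` the theme class is still bound to a helper named `plugin` (`let(:plugin) { WPScan::Model::Theme }`), which reads like a leftover copy from the plugins examples. Renaming it to `let(:theme) { WPScan::Model::Theme }` would make the examples self-describing. Every reference further down in the shared examples, outside this hunk, would need the same rename, so check those before changing it.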
@@ -1,7 +1,7 @@
 shared_examples 'App::Views::Enumeration::Timthumbs' do
 let(:view) { 'timthumbs' }
- let(:timthumb) { WPScan::Timthumb }
- let(:version) { WPScan::Version.new('2.8.14', found_by: 'Bad Request') }
+ let(:timthumb) { WPScan::Model::Timthumb }
+ let(:version) { WPScan::Model::Version.new('2.8.14', found_by: 'Bad Request') }
 describe 'timthumbs' do
 context 'when no timthumbs found' do
diff --git a/spec/shared_examples/views/enumeration/users.rb b/spec/shared_examples/views/enumeration/users.rb
index 48805d5f..ec9301e3 100644
--- a/spec/shared_examples/views/enumeration/users.rb
+++ b/spec/shared_examples/views/enumeration/users.rb
@@ -1,6 +1,6 @@
 shared_examples 'App::Views::Enumeration::Users' do
 let(:view) { 'users' }
- let(:user) { CMSScanner::User }
+ let(:user) { WPScan::Model::User }
 describe 'users' do
 context 'when no users found' do
diff --git a/spec/shared_examples/views/main_theme.rb b/spec/shared_examples/views/main_theme.rb
index 798af81c..7f967ddc 100644
--- a/spec/shared_examples/views/main_theme.rb
+++ b/spec/shared_examples/views/main_theme.rb
@@ -1,7 +1,7 @@
 shared_examples 'App::Views::MainTheme' do
 let(:controller) { WPScan::Controller::MainTheme.new }
 let(:tpl_vars) { { url: target_url } }
- let(:theme) { WPScan::Theme.new(theme_name, target, found_by: 'rspec') }
+ let(:theme) { WPScan::Model::Theme.new(theme_name, target, found_by: 'rspec') }
 describe 'main_theme' do
 let(:view) { 'theme' }
@@ -38,7 +38,11 @@ shared_examples 'App::Views::MainTheme' do
 let(:expected_view) { 'verbose' }
 it 'outputs the expected string' do
- expect(theme).to receive(:version).at_least(1).and_return(WPScan::Version.new('3.2', found_by: 'style'))
+ expect(theme)
+ .to receive(:version)
+ .at_least(1)
+ .and_return(WPScan::Model::Version.new('3.2', found_by: 'style'))
+
 @tpl_vars = tpl_vars.merge(theme: theme, verbose: true)
 end
 end
diff --git a/spec/shared_examples/views/wp_version.rb b/spec/shared_examples/views/wp_version.rb
index 3f2cc2a0..d9d38967 100644
--- a/spec/shared_examples/views/wp_version.rb
+++ b/spec/shared_examples/views/wp_version.rb
@@ -14,7 +14,7 @@ shared_examples 'App::Views::WpVersion' do
 end
 context 'when the version is not nil' do
- let(:version) { WPScan::WpVersion.new('4.0', found_by: 'rspec') }
+ let(:version) { WPScan::Model::WpVersion.new('4.0', found_by: 'rspec') }
 context 'when confirmed_by is empty' do
 context 'when no interesting_entries' do
@@ -77,7 +77,7 @@ shared_examples 'App::Views::WpVersion' do
 let(:expected_view) { 'with_vulns' }
 it 'outputs the expected string' do
- @tpl_vars = tpl_vars.merge(version: WPScan::WpVersion.new('3.8.1', found_by: 'rspec'))
+ @tpl_vars = tpl_vars.merge(version: WPScan::Model::WpVersion.new('3.8.1', found_by: 'rspec'))
 end
 end
 end