garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Moves Models into their own namespace - Ref #1315

Browse Source
This commit is contained in:
erwanlr
2019-03-19 21:07:53 +00:00
parent f1657164d5
commit 898e8d4546
116 changed files with 613 additions and 560 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/core.rb
View File

@@ -95,7 +95,7 @@ module WPScan
mod = CMSScanner::Target::Server.const_get(server)
target.extend mod
WPScan::WpItem.include mod
Model::WpItem.include mod
server
end

4
app/controllers/password_attack.rb
View File

@@ -52,7 +52,7 @@ module WPScan
@attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
end
# @return [ WPScan::XMLRPC ]
# @return [ Model::XMLRPC ]
def xmlrpc
@xmlrpc ||= target.xmlrpc
end
@@ -95,7 +95,7 @@ module WPScan
return target.users unless parsed_options[:usernames]
parsed_options[:usernames].reduce([]) do |acc, elem|
acc << CMSScanner::User.new(elem.chomp)
acc << Model::User.new(elem.chomp)
end
end

4
app/finders/config_backups/known_filenames.rb
View File

@@ -17,7 +17,9 @@ module WPScan
# Might need to improve that
next unless res.body =~ /define/i && res.body !~ /<\s?html/i
found << WPScan::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
found << Model::ConfigBackup.new(res.request.url,
found_by: DIRECT_ACCESS,
confidence: 100)
end
found

4
app/finders/db_exports/known_locations.rb
View File

@@ -17,7 +17,9 @@ module WPScan
enumerate(potential_urls(opts), opts) do |res|
next unless res.code == 200 && res.body =~ /INSERT INTO/
found << WPScan::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
found << Model::DbExport.new(res.request.url,
found_by: DIRECT_ACCESS,
confidence: 100)
end
found

2
app/finders/interesting_findings/backup_db.rb
View File

@@ -11,7 +11,7 @@ module WPScan
return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
WPScan::BackupDB.new(
Model::BackupDB.new(
url,
confidence: 70,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/debug_log.rb
View File

@@ -9,7 +9,7 @@ module WPScan
return unless target.debug_log?(path)
WPScan::DebugLog.new(
Model::DebugLog.new(
target.url(path),
confidence: 100, found_by: DIRECT_ACCESS,
references: { url: 'https://codex.wordpress.org/Debugging_in_WordPress' }

2
app/finders/interesting_findings/duplicator_installer_log.rb
View File

@@ -10,7 +10,7 @@ module WPScan
return unless res.body =~ /DUPLICATOR INSTALL-LOG/
WPScan::DuplicatorInstallerLog.new(
Model::DuplicatorInstallerLog.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/emergency_pwd_reset_script.rb
View File

@@ -10,7 +10,7 @@ module WPScan
return unless res.code == 200 && !target.homepage_or_404?(res)
WPScan::EmergencyPwdResetScript.new(
Model::EmergencyPwdResetScript.new(
url,
confidence: res.body =~ /password/i ? 100 : 40,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/full_path_disclosure.rb
View File

@@ -10,7 +10,7 @@ module WPScan
return if fpd_entries.empty?
WPScan::FullPathDisclosure.new(
Model::FullPathDisclosure.new(
target.url(path),
confidence: 100,
found_by: DIRECT_ACCESS,

4
app/finders/interesting_findings/mu_plugins.rb
View File

@@ -12,7 +12,7 @@ module WPScan
url = target.url('wp-content/mu-plugins/')
return WPScan::MuPlugins.new(
return Model::MuPlugins.new(
url,
confidence: 70,
found_by: 'URLs In Homepage (Passive Detection)',
@@ -35,7 +35,7 @@ module WPScan
target.mu_plugins = true
WPScan::MuPlugins.new(
Model::MuPlugins.new(
url,
confidence: 80,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/multisite.rb
View File

@@ -15,7 +15,7 @@ module WPScan
target.multisite = true
WPScan::Multisite.new(
Model::Multisite.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/readme.rb
View File

@@ -10,7 +10,7 @@ module WPScan
res = Browser.get(url)
if res.code == 200 && res.body =~ /wordpress/i
return WPScan::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS)
return Model::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS)
end
end
nil

2
app/finders/interesting_findings/registration.rb
View File

@@ -18,7 +18,7 @@ module WPScan
target.registration_enabled = true
WPScan::Registration.new(
Model::Registration.new(
res.effective_url,
confidence: 100,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/tmm_db_migrate.rb
View File

@@ -11,7 +11,7 @@ module WPScan
return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
WPScan::TmmDbMigrate.new(
Model::TmmDbMigrate.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/upload_directory_listing.rb
View File

@@ -11,7 +11,7 @@ module WPScan
url = target.url(path)
WPScan::UploadDirectoryListing.new(
Model::UploadDirectoryListing.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,

2
app/finders/interesting_findings/upload_sql_dump.rb
View File

@@ -12,7 +12,7 @@ module WPScan
return unless res.code == 200 && res.body =~ SQL_PATTERN
WPScan::UploadSQLDump.new(
Model::UploadSQLDump.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS

2
app/finders/interesting_findings/wp_cron.rb
View File

@@ -9,7 +9,7 @@ module WPScan
return unless res.code == 200
WPScan::WPCron.new(
Model::WPCron.new(
wp_cron_url,
confidence: 60,
found_by: DIRECT_ACCESS,

2
app/finders/main_theme/css_style.rb
View File

@@ -6,7 +6,7 @@ module WPScan
include Finders::WpItems::URLsInHomepage
def create_theme(slug, style_url, opts)
WPScan::Theme.new(
Model::Theme.new(
slug,
target,
opts.merge(found_by: found_by, confidence: 70, style_url: style_url)

2
app/finders/main_theme/urls_in_homepage.rb
View File

@@ -14,7 +14,7 @@ module WPScan
slugs = items_from_links('themes', false) + items_from_codes('themes', false)
slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
end
found

2
app/finders/main_theme/woo_framework_meta_generator.rb
View File

@@ -10,7 +10,7 @@ module WPScan
def passive(opts = {})
return unless target.homepage_res.body =~ PATTERN
WPScan::Theme.new(
Model::Theme.new(
Regexp.last_match[1],
target,
opts.merge(found_by: found_by, confidence: 80)

2
app/finders/medias/attachment_brute_forcing.rb
View File

@@ -15,7 +15,7 @@ module WPScan
enumerate(target_urls(opts), opts) do |res|
next unless res.code == 200
found << WPScan::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
found << Model::Media.new(res.effective_url, opts.merge(found_by: found_by, confidence: 100))
end
found

4
app/finders/passwords/xml_rpc_multicall.rb
View File

@@ -20,13 +20,13 @@ module WPScan
target.multi_call(methods).run
end
# @param [ Array<CMSScanner::User> ] users
# @param [ Array<Model::User> ] users
# @param [ Array<String> ] passwords
# @param [ Hash ] opts
# @option opts [ Boolean ] :show_progression
# @option opts [ Integer ] :multicall_max_passwords
#
# @yield [ CMSScanner::User ] When a valid combination is found
# @yield [ Model::User ] When a valid combination is found
#
# TODO: Make rubocop happy about metrics etc
#

4
app/finders/plugin_version.rb
View File

@@ -7,7 +7,7 @@ module WPScan
class Base
include CMSScanner::Finders::UniqueFinder
# @param [ WPScan::Plugin ] plugin
# @param [ Model::Plugin ] plugin
def initialize(plugin)
finders << PluginVersion::Readme.new(plugin)
@@ -16,7 +16,7 @@ module WPScan
# Load the finders associated with the plugin
#
# @param [ WPScan::Plugin ] plugin
# @param [ Model::Plugin ] plugin
def load_specific_finders(plugin)
module_name = plugin.classify

4
app/finders/plugin_version/readme.rb
View File

@@ -7,14 +7,14 @@ module WPScan
def aggressive(_opts = {})
found_by_msg = 'Readme - %s (Aggressive Detection)'
WPScan::WpItem::READMES.each do |file|
Model::WpItem::READMES.each do |file|
url = target.url(file)
res = Browser.get(url)
next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
return numbers.reduce([]) do |a, e|
a << WPScan::Version.new(
a << Model::Version.new(
e[0],
found_by: format(found_by_msg, e[1]),
confidence: e[2],

2
app/finders/plugins/body_pattern.rb
View File

@@ -15,7 +15,7 @@ module WPScan
def process_response(opts, response, slug, klass, config)
return unless response.body =~ config['pattern']
Plugin.new(
Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

2
app/finders/plugins/comment.rb
View File

@@ -18,7 +18,7 @@ module WPScan
next unless comment =~ config['pattern']
return Plugin.new(
return Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

2
app/finders/plugins/config_parser.rb
View File

@@ -19,7 +19,7 @@ module WPScan
# when checking for plugins
#
Plugin.new(
Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

2
app/finders/plugins/header_pattern.rb
View File

@@ -18,7 +18,7 @@ module WPScan
configs.each do |klass, config|
next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern']
found << Plugin.new(
found << Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

2
app/finders/plugins/javascript_var.rb
View File

@@ -16,7 +16,7 @@ module WPScan
response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node|
next if config['pattern'] && !node.text.match(config['pattern'])
return Plugin.new(
return Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

2
app/finders/plugins/known_locations.rb
View File

@@ -13,7 +13,7 @@ module WPScan
found = []
enumerate(target_urls(opts), opts) do |_res, slug|
found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

2
app/finders/plugins/urls_in_homepage.rb
View File

@@ -14,7 +14,7 @@ module WPScan
found = []
(items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
found << Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

2
app/finders/plugins/xpath.rb
View File

@@ -16,7 +16,7 @@ module WPScan
response.html.xpath(config['xpath']).each do |node|
next if config['pattern'] && !node.text.match(config['pattern'])
return Plugin.new(
return Model::Plugin.new(
slug,
target,
opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

4
app/finders/theme_version.rb
View File

@@ -8,7 +8,7 @@ module WPScan
class Base
include CMSScanner::Finders::UniqueFinder
# @param [ WPScan::Theme ] theme
# @param [ Model::Theme ] theme
def initialize(theme)
finders <<
ThemeVersion::Style.new(theme) <<
@@ -19,7 +19,7 @@ module WPScan
# Load the finders associated with the theme
#
# @param [ WPScan::Theme ] theme
# @param [ Model::Theme ] theme
def load_specific_finders(theme)
module_name = theme.classify

2
app/finders/theme_version/style.rb
View File

@@ -30,7 +30,7 @@ module WPScan
def style_version
return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
WPScan::Version.new(
Model::Version.new(
Regexp.last_match[1],
found_by: found_by,
confidence: 80,

2
app/finders/theme_version/woo_framework_meta_generator.rb
View File

@@ -11,7 +11,7 @@ module WPScan
return unless Regexp.last_match[1] == target.slug
WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
end
end
end

2
app/finders/themes/known_locations.rb
View File

@@ -13,7 +13,7 @@ module WPScan
found = []
enumerate(target_urls(opts), opts) do |_res, slug|
found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

2
app/finders/themes/urls_in_homepage.rb
View File

@@ -12,7 +12,7 @@ module WPScan
found = []
(items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

2
app/finders/timthumb_version.rb
View File

@@ -7,7 +7,7 @@ module WPScan
class Base
include CMSScanner::Finders::UniqueFinder
# @param [ WPScan::Timthumb ] target
# @param [ Model::Timthumb ] target
def initialize(target)
finders << TimthumbVersion::BadRequest.new(target)
end

2
app/finders/timthumb_version/bad_request.rb
View File

@@ -8,7 +8,7 @@ module WPScan
def aggressive(_opts = {})
return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
WPScan::Version.new(
Model::Version.new(
Regexp.last_match[2],
found_by: 'Bad Request (Aggressive Detection)',
confidence: 90,

2
app/finders/timthumbs/known_locations.rb
View File

@@ -15,7 +15,7 @@ module WPScan
found = []
enumerate(target_urls(opts), opts) do |res|
found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
end
found

2
app/finders/users/author_id_brute_forcing.rb
View File

@@ -18,7 +18,7 @@ module WPScan
next unless username
found << CMSScanner::User.new(
found << Model::User.new(
username,
id: id,
found_by: format(found_by_msg, found_by),

2
app/finders/users/author_posts.rb
View File

@@ -10,7 +10,7 @@ module WPScan
found_by_msg = 'Author Posts - %s (Passive Detection)'
usernames(opts).reduce([]) do |a, e|
a << CMSScanner::User.new(
a << Model::User.new(
e[0],
found_by: format(found_by_msg, e[1]),
confidence: e[2]

2
app/finders/users/login_error_messages.rb
View File

@@ -24,7 +24,7 @@ module WPScan
next unless error =~ /The password you entered for the username|Incorrect Password/i
found << CMSScanner::User.new(username, found_by: found_by, confidence: 100)
found << Model::User.new(username, found_by: found_by, confidence: 100)
end
found

8
app/finders/users/oembed_api.rb
View File

@@ -21,10 +21,10 @@ module WPScan
return [] unless details
[CMSScanner::User.new(details[0],
found_by: format(found_by_msg, details[1]),
confidence: details[2],
interesting_entries: [api_url])]
[Model::User.new(details[0],
found_by: format(found_by_msg, details[1]),
confidence: details[2],
interesting_entries: [api_url])]
rescue JSON::ParserError
[]
end

2
app/finders/users/rss_generator.rb
View File

@@ -30,7 +30,7 @@ module WPScan
end
potential_usernames.uniq.each do |potential_username|
found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50)
found << Model::User.new(potential_username, found_by: found_by, confidence: 50)
end
break

10
app/finders/users/wp_json_api.rb
View File

@@ -41,11 +41,11 @@ module WPScan
found = []
JSON.parse(response.body)&.each do |user|
found << CMSScanner::User.new(user['slug'],
id: user['id'],
found_by: found_by,
confidence: 100,
interesting_entries: [response.effective_url])
found << Model::User.new(user['slug'],
id: user['id'],
found_by: found_by,
confidence: 100,
interesting_entries: [response.effective_url])
end
found

8
app/finders/users/yoast_seo_author_sitemap.rb
View File

@@ -15,10 +15,10 @@ module WPScan
next unless username && !username.strip.empty?
found << CMSScanner::User.new(username,
found_by: found_by,
confidence: 100,
interesting_entries: [sitemap_url])
found << Model::User.new(username,
found_by: found_by,
confidence: 100,
interesting_entries: [sitemap_url])
end
found

4
app/finders/wp_version/readme.rb
View File

@@ -13,9 +13,9 @@ module WPScan
number = Regexp.last_match(1)
return unless WPScan::WpVersion.valid?(number)
return unless Model::WpVersion.valid?(number)
WPScan::WpVersion.new(
Model::WpVersion.new(
number,
found_by: 'Readme (Aggressive Detection)',
# Since WP 4.7, the Readme only contains the major version (ie 4.7, 4.8 etc)

2
app/finders/wp_version/unique_fingerprinting.rb
View File

@@ -11,7 +11,7 @@ module WPScan
hydra.abort
progress_bar.finish
return WPScan::WpVersion.new(
return Model::WpVersion.new(
version_number,
found_by: 'Unique Fingerprinting (Aggressive Detection)',
confidence: 100,

6
app/models.rb
View File

@@ -1,3 +1,9 @@
module WPScan
module Model
include CMSScanner::Model
end
end
require_relative 'models/interesting_finding'
require_relative 'models/wp_version'
require_relative 'models/xml_rpc'

6
app/models/config_backup.rb
View File

@@ -1,5 +1,7 @@
module WPScan
# Config Backup
class ConfigBackup < InterestingFinding
module Model
# Config Backup
class ConfigBackup < InterestingFinding
end
end
end

6
app/models/db_export.rb
View File

@@ -1,5 +1,7 @@
module WPScan
# DB Export
class DbExport < InterestingFinding
module Model
# DB Export
class DbExport < InterestingFinding
end
end
end

66
app/models/interesting_finding.rb
View File

@@ -1,48 +1,50 @@
module WPScan
# Custom class to include the WPScan::References module
class InterestingFinding < CMSScanner::InterestingFinding
include References
end
module Model
# Custom class to include the WPScan::References module
class InterestingFinding < CMSScanner::Model::InterestingFinding
include References
end
#
# Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
#
class BackupDB < InterestingFinding
end
#
# Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
#
class BackupDB < InterestingFinding
end
class DebugLog < InterestingFinding
end
class DebugLog < InterestingFinding
end
class DuplicatorInstallerLog < InterestingFinding
end
class DuplicatorInstallerLog < InterestingFinding
end
class EmergencyPwdResetScript < InterestingFinding
end
class EmergencyPwdResetScript < InterestingFinding
end
class FullPathDisclosure < InterestingFinding
end
class FullPathDisclosure < InterestingFinding
end
class MuPlugins < InterestingFinding
end
class MuPlugins < InterestingFinding
end
class Multisite < InterestingFinding
end
class Multisite < InterestingFinding
end
class Readme < InterestingFinding
end
class Readme < InterestingFinding
end
class Registration < InterestingFinding
end
class Registration < InterestingFinding
end
class TmmDbMigrate < InterestingFinding
end
class TmmDbMigrate < InterestingFinding
end
class UploadDirectoryListing < InterestingFinding
end
class UploadDirectoryListing < InterestingFinding
end
class UploadSQLDump < InterestingFinding
end
class UploadSQLDump < InterestingFinding
end
class WPCron < InterestingFinding
class WPCron < InterestingFinding
end
end
end

6
app/models/media.rb
View File

@@ -1,5 +1,7 @@
module WPScan
# Media
class Media < InterestingFinding
module Model
# Media
class Media < InterestingFinding
end
end
end

36
app/models/plugin.rb
View File

@@ -1,25 +1,27 @@
module WPScan
# WordPress Plugin
class Plugin < WpItem
# See WpItem
def initialize(slug, blog, opts = {})
super(slug, blog, opts)
module Model
# WordPress Plugin
class Plugin < WpItem
# See WpItem
def initialize(slug, blog, opts = {})
super(slug, blog, opts)
@uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/"))
end
@uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/"))
end
# @return [ JSON ]
def db_data
DB::Plugin.db_data(slug)
end
# @return [ JSON ]
def db_data
DB::Plugin.db_data(slug)
end
# @param [ Hash ] opts
#
# @return [ WPScan::Version, false ]
def version(opts = {})
@version = Finders::PluginVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
# @param [ Hash ] opts
#
# @return [ Model::Version, false ]
def version(opts = {})
@version = Finders::PluginVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
@version
@version
end
end
end
end

174
app/models/theme.rb
View File

@@ -1,99 +1,101 @@
module WPScan
# WordPress Theme
class Theme < WpItem
attr_reader :style_url, :style_name, :style_uri, :author, :author_uri, :template, :description,
:license, :license_uri, :tags, :text_domain
module Model
# WordPress Theme
class Theme < WpItem
attr_reader :style_url, :style_name, :style_uri, :author, :author_uri, :template, :description,
:license, :license_uri, :tags, :text_domain
# See WpItem
def initialize(slug, blog, opts = {})
super(slug, blog, opts)
# See WpItem
def initialize(slug, blog, opts = {})
super(slug, blog, opts)
@uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/"))
@style_url = opts[:style_url] || url('style.css')
@uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/"))
@style_url = opts[:style_url] || url('style.css')
parse_style
end
# @return [ JSON ]
def db_data
DB::Theme.db_data(slug)
end
# @param [ Hash ] opts
#
# @return [ WPScan::Version, false ]
def version(opts = {})
@version = Finders::ThemeVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
@version
end
# @return [ Theme ]
def parent_theme
return unless template
return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i
opts = detection_opts.merge(
style_url: url(Regexp.last_match[1]),
found_by: 'Parent Themes (Passive Detection)',
confidence: 100
).merge(version_detection: version_detection_opts)
self.class.new(template, blog, opts)
end
# @param [ Integer ] depth
#
# @retun [ Array<Theme> ]
def parent_themes(depth = 3)
theme = self
found = []
(1..depth).each do |_|
parent = theme.parent_theme
break unless parent
found << parent
theme = parent
parse_style
end
found
end
def style_body
@style_body ||= Browser.get(style_url).body
end
def parse_style
{
style_name: 'Theme Name',
style_uri: 'Theme URI',
author: 'Author',
author_uri: 'Author URI',
template: 'Template',
description: 'Description',
license: 'License',
license_uri: 'License URI',
tags: 'Tags',
text_domain: 'Text Domain'
}.each do |attribute, tag|
instance_variable_set(:"@#{attribute}", parse_style_tag(style_body, tag))
# @return [ JSON ]
def db_data
DB::Theme.db_data(slug)
end
end
# @param [ String ] bofy
# @param [ String ] tag
#
# @return [ String ]
def parse_style_tag(body, tag)
value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
# @param [ Hash ] opts
#
# @return [ Model::Version, false ]
def version(opts = {})
@version = Finders::ThemeVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
value && !value.strip.empty? ? value.strip : nil
end
@version
end
def ==(other)
super(other) && style_url == other.style_url
# @return [ Theme ]
def parent_theme
return unless template
return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i
opts = detection_opts.merge(
style_url: url(Regexp.last_match[1]),
found_by: 'Parent Themes (Passive Detection)',
confidence: 100
).merge(version_detection: version_detection_opts)
self.class.new(template, blog, opts)
end
# @param [ Integer ] depth
#
# @retun [ Array<Theme> ]
def parent_themes(depth = 3)
theme = self
found = []
(1..depth).each do |_|
parent = theme.parent_theme
break unless parent
found << parent
theme = parent
end
found
end
def style_body
@style_body ||= Browser.get(style_url).body
end
def parse_style
{
style_name: 'Theme Name',
style_uri: 'Theme URI',
author: 'Author',
author_uri: 'Author URI',
template: 'Template',
description: 'Description',
license: 'License',
license_uri: 'License URI',
tags: 'Tags',
text_domain: 'Text Domain'
}.each do |attribute, tag|
instance_variable_set(:"@#{attribute}", parse_style_tag(style_body, tag))
end
end
# @param [ String ] bofy
# @param [ String ] tag
#
# @return [ String ]
def parse_style_tag(body, tag)
value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
value && !value.strip.empty? ? value.strip : nil
end
def ==(other)
super(other) && style_url == other.style_url
end
end
end
end

110
app/models/timthumb.rb
View File

@@ -1,71 +1,73 @@
module WPScan
# Timthumb
class Timthumb < InterestingFinding
include Vulnerable
module Model
# Timthumb
class Timthumb < InterestingFinding
include Vulnerable
attr_reader :version_detection_opts
attr_reader :version_detection_opts
# @param [ String ] url
# @param [ Hash ] opts
# @option opts [ Symbol ] :mode The mode to use to detect the version
def initialize(url, opts = {})
super(url, opts)
# @param [ String ] url
# @param [ Hash ] opts
# @option opts [ Symbol ] :mode The mode to use to detect the version
def initialize(url, opts = {})
super(url, opts)
@version_detection_opts = opts[:version_detection] || {}
end
@version_detection_opts = opts[:version_detection] || {}
end
# @param [ Hash ] opts
#
# @return [ WPScan::Version, false ]
def version(opts = {})
@version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
# @param [ Hash ] opts
#
# @return [ Model::Version, false ]
def version(opts = {})
@version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
@version
end
@version
end
# @return [ Array<Vulnerability> ]
def vulnerabilities
vulns = []
# @return [ Array<Vulnerability> ]
def vulnerabilities
vulns = []
vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled?
vulns << rce_132_vuln if version == false || version < '1.33'
vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled?
vulns << rce_132_vuln if version == false || version < '1.33'
vulns
end
vulns
end
# @return [ Vulnerability ] The RCE in the <= 1.32
def rce_132_vuln
Vulnerability.new(
'Timthumb <= 1.32 Remote Code Execution',
{ exploitdb: ['17602'] },
'RCE',
'1.33'
)
end
# @return [ Vulnerability ] The RCE in the <= 1.32
def rce_132_vuln
Vulnerability.new(
'Timthumb <= 1.32 Remote Code Execution',
{ exploitdb: ['17602'] },
'RCE',
'1.33'
)
end
# @return [ Vulnerability ] The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13
def rce_webshot_vuln
Vulnerability.new(
'Timthumb <= 2.8.13 WebShot Remote Code Execution',
{
url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
cve: '2014-4663'
},
'RCE',
'2.8.14'
)
end
# @return [ Vulnerability ] The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13
def rce_webshot_vuln
Vulnerability.new(
'Timthumb <= 2.8.13 WebShot Remote Code Execution',
{
url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
cve: '2014-4663'
},
'RCE',
'2.8.14'
)
end
# @return [ Boolean ]
def webshot_enabled?
res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
# @return [ Boolean ]
def webshot_enabled?
res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
res.body =~ /WEBSHOT_ENABLED == true/ ? false : true
end
res.body =~ /WEBSHOT_ENABLED == true/ ? false : true
end
# @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
def default_allowed_domains
%w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
# @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
def default_allowed_domains
%w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
end
end
end
end

266
app/models/wp_item.rb
View File

@@ -1,158 +1,160 @@
module WPScan
# WpItem (superclass of Plugin & Theme)
class WpItem
include Vulnerable
include Finders::Finding
include CMSScanner::Target::Platform::PHP
include CMSScanner::Target::Server::Generic
module Model
# WpItem (superclass of Plugin & Theme)
class WpItem
include Vulnerable
include Finders::Finding
include CMSScanner::Target::Platform::PHP
include CMSScanner::Target::Server::Generic
READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze
READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze
attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data
attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data
delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog
delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog
# @param [ String ] slug The plugin/theme slug
# @param [ Target ] blog The targeted blog
# @param [ Hash ] opts
# @option opts [ Symbol ] :mode The detection mode to use
# @option opts [ Hash ] :version_detection The options to use when looking for the version
# @option opts [ String ] :url The URL of the item
def initialize(slug, blog, opts = {})
@slug = URI.decode(slug)
@blog = blog
@uri = Addressable::URI.parse(opts[:url]) if opts[:url]
# @param [ String ] slug The plugin/theme slug
# @param [ Target ] blog The targeted blog
# @param [ Hash ] opts
# @option opts [ Symbol ] :mode The detection mode to use
# @option opts [ Hash ] :version_detection The options to use when looking for the version
# @option opts [ String ] :url The URL of the item
def initialize(slug, blog, opts = {})
@slug = URI.decode(slug)
@blog = blog
@uri = Addressable::URI.parse(opts[:url]) if opts[:url]
@detection_opts = { mode: opts[:mode] }
@version_detection_opts = opts[:version_detection] || {}
@detection_opts = { mode: opts[:mode] }
@version_detection_opts = opts[:version_detection] || {}
parse_finding_options(opts)
end
# @return [ Array<Vulnerabily> ]
def vulnerabilities
return @vulnerabilities if @vulnerabilities
@vulnerabilities = []
[*db_data['vulnerabilities']].each do |json_vuln|
vulnerability = Vulnerability.load_from_json(json_vuln)
@vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
parse_finding_options(opts)
end
@vulnerabilities
end
# @return [ Array<Vulnerabily> ]
def vulnerabilities
return @vulnerabilities if @vulnerabilities
# Checks if the wp_item is vulnerable to a specific vulnerability
#
# @param [ Vulnerability ] vuln Vulnerability to check the item against
#
# @return [ Boolean ]
def vulnerable_to?(vuln)
return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
@vulnerabilities = []
version < vuln.fixed_in
end
# @return [ String ]
def latest_version
@latest_version ||= db_data['latest_version'] ? WPScan::Version.new(db_data['latest_version']) : nil
end
# Not used anywhere ATM
# @return [ Boolean ]
def popular?
@popular ||= db_data['popular']
end
# @return [ String ]
def last_updated
@last_updated ||= db_data['last_updated']
end
# @return [ Boolean ]
def outdated?
@outdated ||= if version && latest_version
version < latest_version
else
false
end
end
# URI.encode is preferered over Addressable::URI.encode as it will encode
# leading # character:
# URI.encode('#t#') => %23t%23
# Addressable::URI.encode('#t#') => #t%23
#
# @param [ String ] path Optional path to merge with the uri
#
# @return [ String ]
def url(path = nil)
return unless @uri
return @uri.to_s unless path
@uri.join(URI.encode(path)).to_s
end
# @return [ Boolean ]
def ==(other)
self.class == other.class && slug == other.slug
end
def to_s
slug
end
# @return [ Symbol ] The Class symbol associated to the item
def classify
@classify ||= classify_slug(slug)
end
# @return [ String ] The readme url if found
def readme_url
return if detection_opts[:mode] == :passive
if @readme_url.nil?
READMES.each do |path|
return @readme_url = url(path) if Browser.get(url(path)).code == 200
[*db_data['vulnerabilities']].each do |json_vuln|
vulnerability = Vulnerability.load_from_json(json_vuln)
@vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
end
@vulnerabilities
end
@readme_url
end
# Checks if the wp_item is vulnerable to a specific vulnerability
#
# @param [ Vulnerability ] vuln Vulnerability to check the item against
#
# @return [ Boolean ]
def vulnerable_to?(vuln)
return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
# @return [ String, false ] The changelog urr if found
def changelog_url
return if detection_opts[:mode] == :passive
version < vuln.fixed_in
end
if @changelog_url.nil?
CHANGELOGS.each do |path|
return @changelog_url = url(path) if Browser.get(url(path)).code == 200
# @return [ String ]
def latest_version
@latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
end
# Not used anywhere ATM
# @return [ Boolean ]
def popular?
@popular ||= db_data['popular']
end
# @return [ String ]
def last_updated
@last_updated ||= db_data['last_updated']
end
# @return [ Boolean ]
def outdated?
@outdated ||= if version && latest_version
version < latest_version
else
false
end
end
# URI.encode is preferered over Addressable::URI.encode as it will encode
# leading # character:
# URI.encode('#t#') => %23t%23
# Addressable::URI.encode('#t#') => #t%23
#
# @param [ String ] path Optional path to merge with the uri
#
# @return [ String ]
def url(path = nil)
return unless @uri
return @uri.to_s unless path
@uri.join(URI.encode(path)).to_s
end
# @return [ Boolean ]
def ==(other)
self.class == other.class && slug == other.slug
end
def to_s
slug
end
# @return [ Symbol ] The Class symbol associated to the item
def classify
@classify ||= classify_slug(slug)
end
# @return [ String ] The readme url if found
def readme_url
return if detection_opts[:mode] == :passive
if @readme_url.nil?
READMES.each do |path|
return @readme_url = url(path) if Browser.get(url(path)).code == 200
end
end
@readme_url
end
@changelog_url
end
# @return [ String, false ] The changelog urr if found
def changelog_url
return if detection_opts[:mode] == :passive
# @param [ String ] path
# @param [ Hash ] params The request params
#
# @return [ Boolean ]
def directory_listing?(path = nil, params = {})
return if detection_opts[:mode] == :passive
if @changelog_url.nil?
CHANGELOGS.each do |path|
return @changelog_url = url(path) if Browser.get(url(path)).code == 200
end
end
super(path, params)
end
@changelog_url
end
# @param [ String ] path
# @param [ Hash ] params The request params
#
# @return [ Boolean ]
def error_log?(path = 'error_log', params = {})
return if detection_opts[:mode] == :passive
# @param [ String ] path
# @param [ Hash ] params The request params
#
# @return [ Boolean ]
def directory_listing?(path = nil, params = {})
return if detection_opts[:mode] == :passive
super(path, params)
super(path, params)
end
# @param [ String ] path
# @param [ Hash ] params The request params
#
# @return [ Boolean ]
def error_log?(path = 'error_log', params = {})
return if detection_opts[:mode] == :passive
super(path, params)
end
end
end
end

94
app/models/wp_version.rb
View File

@@ -1,64 +1,66 @@
module WPScan
# WP Version
class WpVersion < CMSScanner::Version
include Vulnerable
module Model
# WP Version
class WpVersion < CMSScanner::Model::Version
include Vulnerable
def initialize(number, opts = {})
raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
def initialize(number, opts = {})
raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
super(number, opts)
end
super(number, opts)
end
# @param [ String ] number
#
# @return [ Boolean ] true if the number is a valid WP version, false otherwise
def self.valid?(number)
all.include?(number)
end
# @param [ String ] number
#
# @return [ Boolean ] true if the number is a valid WP version, false otherwise
def self.valid?(number)
all.include?(number)
end
# @return [ Array<String> ] All the version numbers
def self.all
return @all_numbers if @all_numbers
# @return [ Array<String> ] All the version numbers
def self.all
return @all_numbers if @all_numbers
@all_numbers = []
@all_numbers = []
DB::Fingerprints.wp_fingerprints.each_value do |fp|
fp.each_value do |versions|
versions.each do |version|
@all_numbers << version unless @all_numbers.include?(version)
DB::Fingerprints.wp_fingerprints.each_value do |fp|
fp.each_value do |versions|
versions.each do |version|
@all_numbers << version unless @all_numbers.include?(version)
end
end
end
@all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
end
@all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
end
# @return [ JSON ]
def db_data
DB::Version.db_data(number)
end
# @return [ Array<Vulnerability> ]
def vulnerabilities
return @vulnerabilities if @vulnerabilities
@vulnerabilities = []
[*db_data['vulnerabilities']].each do |json_vuln|
@vulnerabilities << Vulnerability.load_from_json(json_vuln)
# @return [ JSON ]
def db_data
DB::Version.db_data(number)
end
@vulnerabilities
end
# @return [ Array<Vulnerability> ]
def vulnerabilities
return @vulnerabilities if @vulnerabilities
# @return [ String ]
def release_date
@release_date ||= db_data['release_date'] || 'Unknown'
end
@vulnerabilities = []
# @return [ String ]
def status
@status ||= db_data['status'] || 'Unknown'
[*db_data['vulnerabilities']].each do |json_vuln|
@vulnerabilities << Vulnerability.load_from_json(json_vuln)
end
@vulnerabilities
end
# @return [ String ]
def release_date
@release_date ||= db_data['release_date'] || 'Unknown'
end
# @return [ String ]
def status
@status ||= db_data['status'] || 'Unknown'
end
end
end
end

30
app/models/xml_rpc.rb
View File

@@ -1,19 +1,21 @@
module WPScan
# Override of the CMSScanner::XMLRPC to include the references
class XMLRPC < CMSScanner::XMLRPC
include References # To be able to use the :wpvulndb reference if needed
module Model
# Override of the CMSScanner::XMLRPC to include the references
class XMLRPC < CMSScanner::Model::XMLRPC
include References # To be able to use the :wpvulndb reference if needed
# @return [ Hash ]
def references
{
url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
metasploit: [
'auxiliary/scanner/http/wordpress_ghost_scanner',
'auxiliary/dos/http/wordpress_xmlrpc_dos',
'auxiliary/scanner/http/wordpress_xmlrpc_login',
'auxiliary/scanner/http/wordpress_pingback_access'
]
}
# @return [ Hash ]
def references
{
url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
metasploit: [
'auxiliary/scanner/http/wordpress_ghost_scanner',
'auxiliary/dos/http/wordpress_xmlrpc_dos',
'auxiliary/scanner/http/wordpress_xmlrpc_login',
'auxiliary/scanner/http/wordpress_pingback_access'
]
}
end
end
end
end