From 8c6234879ea865d2ac3421488bbfdada3d2cd6f8 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Tue, 12 Jan 2021 14:03:25 +0100 Subject: [PATCH] Adds check for PHP disabled, Ref #1593 --- app/finders/interesting_findings.rb | 3 +- .../interesting_findings/php_disabled.rb | 21 ++++++++ app/models/interesting_finding.rb | 14 ++++++ .../interesting_findings/php_disabled_spec.rb | 50 +++++++++++++++++++ spec/app/finders/interesting_findings_spec.rb | 2 +- .../php_disabled/version.php | 44 ++++++++++++++++ 6 files changed, 132 insertions(+), 2 deletions(-) create mode 100644 app/finders/interesting_findings/php_disabled.rb create mode 100644 spec/app/finders/interesting_findings/php_disabled_spec.rb create mode 100644 spec/fixtures/finders/interesting_findings/php_disabled/version.php diff --git a/app/finders/interesting_findings.rb b/app/finders/interesting_findings.rb index fd0c91ed..d88570de 100644 --- a/app/finders/interesting_findings.rb +++ b/app/finders/interesting_findings.rb @@ -6,6 +6,7 @@ require_relative 'interesting_findings/multisite' require_relative 'interesting_findings/debug_log' require_relative 'interesting_findings/backup_db' require_relative 'interesting_findings/mu_plugins' +require_relative 'interesting_findings/php_disabled' require_relative 'interesting_findings/registration' require_relative 'interesting_findings/tmm_db_migrate' require_relative 'interesting_findings/upload_sql_dump' @@ -26,7 +27,7 @@ module WPScan %w[ Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate - UploadSQLDump EmergencyPwdResetScript WPCron + UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled ].each do |f| finders << InterestingFindings.const_get(f).new(target) end diff --git a/app/finders/interesting_findings/php_disabled.rb b/app/finders/interesting_findings/php_disabled.rb new file mode 100644 index 00000000..3987ff1c --- /dev/null 
+++ b/app/finders/interesting_findings/php_disabled.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end
diff --git a/app/models/interesting_finding.rb b/app/models/interesting_finding.rb
index 8214e6c7..8beeefa6 100644
--- a/app/models/interesting_finding.rb
+++ b/app/models/interesting_finding.rb
@@ -132,5 +132,19 @@ module WPScan
         }
       end
     end
+
+    class PHPDisabled < InterestingFinding
+      # @return [ String ]
+      def to_s
+        @to_s ||= 'PHP seems to be disabled'
+      end
+
+      # @return [ Hash ]
+      def references
+        @references ||= {
+          url: ['https://github.com/wpscanteam/wpscan/issues/1593']
+        }
+      end
+    end
   end
 end
diff --git a/spec/app/finders/interesting_findings/php_disabled_spec.rb b/spec/app/finders/interesting_findings/php_disabled_spec.rb
new file mode 100644
index 00000000..a4dd2e3f
--- /dev/null
+++ b/spec/app/finders/interesting_findings/php_disabled_spec.rb
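Review bot: `aggressive` in php_disabled.rb decides on the regex alone and never inspects the response status, so the confidence of 100 rests on `target.head_and_get` handing back an empty body for anything but a 200 — behaviour that is not visible here and is only implied by the 404 case in the spec. Binding the response and checking it explicitly keeps the finder self-contained: `res = target.head_and_get(path)` followed by `return unless res.code == 200 && PATTERN.match?(res.body)` (assuming the usual Typhoeus-style `code` accessor used elsewhere in the project). The class comment should also state what a match means operationally, because that is what makes it worth reporting: `# A match means wp-includes/version.php came back as raw PHP source (no PHP handler), so other .php files — notably wp-config.php with the DB credentials — are likely readable too.` Finally the YARD tag should be the concrete `# @return [ Model::PHPDisabled, nil ]` rather than the abstract `InterestingFinding`, since the method also returns nil.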
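Review bot: `to_s` on the new `Model::PHPDisabled` reports only the symptom, and a report consumer cannot tell from 'PHP seems to be disabled' that the underlying observation was wp-includes/version.php being served as raw PHP source (the finder that builds this model is in the previous hunk, not this one). Naming the evidence and the follow-up in the message makes the finding actionable: `@to_s ||= 'PHP seems to be disabled (wp-includes/version.php was served as raw source); wp-config.php is likely disclosed too'`. If the wording is kept short for output-format reasons, the same sentence belongs in a comment above `to_s` so the next maintainer knows why this is a security finding and not a curiosity.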
@@ -0,0 +1,50 @@ +# frozen_string_literal: true + +describe WPScan::Finders::InterestingFindings::PHPDisabled do + subject(:finder) { described_class.new(target) } + let(:target) { WPScan::Target.new(url).extend(CMSScanner::Target::Server::Apache) } + let(:url) { 'http://ex.lo/' } + let(:fixtures) { FINDERS_FIXTURES.join('interesting_findings', 'php_disabled') } + let(:file_path) { 'wp-includes/version.php' } + let(:file_url) { target.url(file_path) } + + describe '#aggressive' do + before do + expect(target).to receive(:sub_dir).at_least(1).and_return(false) + expect(target).to receive(:head_or_get_params).and_return(method: :head) + end + + context 'when not a 200' do + it 'return nil' do + stub_request(:head, file_url).to_return(status: 404) + + expect(finder.aggressive).to eql nil + end + end + + context 'when a 200' do + before do + stub_request(:head, file_url) + stub_request(:get, file_url).to_return(body: body) + end + + context 'when the body does not match' do + let(:body) { '' } + + its(:aggressive) { should be_nil } + end + + context 'when the body matches' do + let(:body) { File.read(fixtures.join('version.php')) } + + it 'returns the PHPDisabled' do + expect(finder.aggressive).to eql WPScan::Model::PHPDisabled.new( + file_url, + confidence: 100, + found_by: described_class::DIRECT_ACCESS + ) + end + end + end + end +end diff --git a/spec/app/finders/interesting_findings_spec.rb b/spec/app/finders/interesting_findings_spec.rb index 79c25066..59d96bfe 100644 --- a/spec/app/finders/interesting_findings_spec.rb +++ b/spec/app/finders/interesting_findings_spec.rb @@ -10,7 +10,7 @@ describe WPScan::Finders::InterestingFindings::Base do %w[ Readme DebugLog FullPathDisclosure Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate - UploadSQLDump + UploadSQLDump PHPDisabled ] end 
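Review bot: The example description `it 'return nil'` in the 'when not a 200' context has a typo, and its assertion style differs from the sibling context, which uses `its(:aggressive) { should be_nil }`; `it 'returns nil' do` and `expect(finder.aggressive).to be_nil` bring both into line. The 200 branch stubs `:head` with a default 200 and `:get` with the body, so the only status-related case the spec exercises is a HEAD 404; a case where HEAD is 200 but the GET is not would pin down whether the finder really relies on `head_and_get` to suppress the body on non-200 replies, which is the unstated assumption the bare `PATTERN.match?` in the finder rests on.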
diff --git a/spec/fixtures/finders/interesting_findings/php_disabled/version.php b/spec/fixtures/finders/interesting_findings/php_disabled/version.php new file mode 100644 index 00000000..c0002b67 --- /dev/null +++ b/spec/fixtures/finders/interesting_findings/php_disabled/version.php @@ -0,0 +1,44 @@ +