Adds check for PHP disabled, Ref #1593

2021-01-12 14:03:25 +01:00
parent 689252c715
commit 8c6234879e
6 changed files with 132 additions and 2 deletions
--- a/app/finders/interesting_findings.rb
+++ b/app/finders/interesting_findings.rb
@@ -6,6 +6,7 @@ require_relative 'interesting_findings/multisite'
 require_relative 'interesting_findings/debug_log'
 require_relative 'interesting_findings/backup_db'
 require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/php_disabled'
 require_relative 'interesting_findings/registration'
 require_relative 'interesting_findings/tmm_db_migrate'
 require_relative 'interesting_findings/upload_sql_dump'
@@ -26,7 +27,7 @@ module WPScan
          %w[
            Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
            Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-            UploadSQLDump EmergencyPwdResetScript WPCron
+            UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
          ].each do |f|
            finders << InterestingFindings.const_get(f).new(target)
          end
--- a/app/finders/interesting_findings/php_disabled.rb
+++ b/app/finders/interesting_findings/php_disabled.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end
--- a/app/models/interesting_finding.rb
+++ b/app/models/interesting_finding.rb
@@ -132,5 +132,19 @@ module WPScan
        }
      end
    end
+
+    class PHPDisabled < InterestingFinding
+      # @return [ String ]
+      def to_s
+        @to_s ||= 'PHP seems to be disabled'
+      end
+
+      # @return [ Hash ]
+      def references
+        @references ||= {
+          url: ['https://github.com/wpscanteam/wpscan/issues/1593']
+        }
+      end
+    end
  end
 end
--- a/spec/app/finders/interesting_findings/php_disabled_spec.rb
+++ b/spec/app/finders/interesting_findings/php_disabled_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::InterestingFindings::PHPDisabled do
+  subject(:finder) { described_class.new(target) }
+  let(:target)     { WPScan::Target.new(url).extend(CMSScanner::Target::Server::Apache) }
+  let(:url)        { 'http://ex.lo/' }
+  let(:fixtures)   { FINDERS_FIXTURES.join('interesting_findings', 'php_disabled') }
+  let(:file_path)  { 'wp-includes/version.php' }
+  let(:file_url)   { target.url(file_path) }
+
+  describe '#aggressive' do
+    before do
+      expect(target).to receive(:sub_dir).at_least(1).and_return(false)
+      expect(target).to receive(:head_or_get_params).and_return(method: :head)
+    end
+
+    context 'when not a 200' do
+      it 'return nil' do
+        stub_request(:head, file_url).to_return(status: 404)
+
+        expect(finder.aggressive).to eql nil
+      end
+    end
+
+    context 'when a 200' do
+      before do
+        stub_request(:head, file_url)
+        stub_request(:get, file_url).to_return(body: body)
+      end
+
+      context 'when the body does not match' do
+        let(:body) { '' }
+
+        its(:aggressive) { should be_nil }
+      end
+
+      context 'when the body matches' do
+        let(:body) { File.read(fixtures.join('version.php')) }
+
+        it 'returns the PHPDisabled' do
+          expect(finder.aggressive).to eql WPScan::Model::PHPDisabled.new(
+            file_url,
+            confidence: 100,
+            found_by: described_class::DIRECT_ACCESS
+          )
+        end
+      end
+    end
+  end
+end
--- a/spec/app/finders/interesting_findings_spec.rb
+++ b/spec/app/finders/interesting_findings_spec.rb
@@ -10,7 +10,7 @@ describe WPScan::Finders::InterestingFindings::Base do
      %w[
        Readme DebugLog FullPathDisclosure
        Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-        UploadSQLDump
+        UploadSQLDump PHPDisabled
      ]
    end

--- a/spec/fixtures/finders/interesting_findings/php_disabled/version.php
+++ b/spec/fixtures/finders/interesting_findings/php_disabled/version.php
@@ -0,0 +1,44 @@
+<?php
+/**
+ * WordPress Version
+ *
+ * Contains version information for the current WordPress release.
+ *
+ * @package WordPress
+ * @since 1.1.0
+ */
+
+/**
+ * The WordPress version string.
+ *
+ * @global string $wp_version
+ */
+$wp_version = '5.6';
+
+/**
+ * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
+ *
+ * @global int $wp_db_version
+ */
+$wp_db_version = 49752;
+
+/**
+ * Holds the TinyMCE version.
+ *
+ * @global string $tinymce_version
+ */
+$tinymce_version = '49110-20201110';
+
+/**
+ * Holds the required PHP version.
+ *
+ * @global string $required_php_version
+ */
+$required_php_version = '5.6.20';
+
+/**
+ * Holds the required MySQL version.
+ *
+ * @global string $required_mysql_version
+ */
+$required_mysql_version = '5.0';