From 9450ba6cc5fb5be6a9036e54b7f32486897e8263 Mon Sep 17 00:00:00 2001
From: g0tmi1k
Date: Mon, 14 May 2018 13:44:02 +0100
Subject: [PATCH] Add RSS author information
---
 lib/wpscan/web_site.rb | 7 ----
 lib/wpscan/wp_target.rb | 2 ++
 lib/wpscan/wp_target/wp_rss.rb | 59 ++++++++++++++++++++++++++++++++++
 wpscan.rb | 12 +++++++
 4 files changed, 73 insertions(+), 7 deletions(-)
 create mode 100644 lib/wpscan/wp_target/wp_rss.rb
diff --git a/lib/wpscan/web_site.rb b/lib/wpscan/web_site.rb
index 3779210b..5b2b445c 100644
--- a/lib/wpscan/web_site.rb
+++ b/lib/wpscan/web_site.rb
@@ -125,13 +125,6 @@ class WebSite
 @error_404_hash
 end

- # Will try to find the rss url in the homepage
- # Only the first one found is returned
- def rss_url
- homepage_body = Browser.get(@uri.to_s).body
- homepage_body[%r{}, 1]
- end
-
 # Only the first 700 bytes are checked to avoid the download
 # of the whole file which can be very huge (like 2 Go)
 #
diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index 32399056..f9f7c688 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -9,6 +9,7 @@ require 'wp_target/wp_login_protection'
 require 'wp_target/wp_must_use_plugins'
 require 'wp_target/wp_readme'
 require 'wp_target/wp_registrable'
+require 'wp_target/wp_rss'

 class WpTarget < WebSite
 include WpTarget::WpAPI
@@ -19,6 +20,7 @@ class WpTarget < WebSite
 include WpTarget::WpMustUsePlugins
 include WpTarget::WpReadme
 include WpTarget::WpRegistrable
+ include WpTarget::WpRSS

 attr_reader :verbose

diff --git a/lib/wpscan/wp_target/wp_rss.rb b/lib/wpscan/wp_target/wp_rss.rb
new file mode 100644
index 00000000..22a53176
--- /dev/null
+++ b/lib/wpscan/wp_target/wp_rss.rb
@@ -0,0 +1,59 @@
+# encoding: UTF-8
+
+class WpTarget < WebSite
+ module WpRSS
+
+ # Checks to see if there is an rss feed
+ # Will try to find the rss url in the homepage
+ # Only the first one found is returned
+ #
+ # This file comes by default in a WordPress installation
+ #
+ # @return [ Boolean ]
+ def rss_url
+ homepage_body = Browser.get(@uri.to_s).body
+ # Format:
+ homepage_body[%r{}i, 1]
+ end
+
+
+ # Gets all the authors from the RSS feed
+ #
+ # @return [ string ]
+ def rss_authors(url)
+ # Variables
+ users = []
+
+ # Make the request
+ response = Browser.get(url)
+
+ # Valid repose to view? HTTP 200?
+ return false unless response.code == 200
+
+ # Get output
+ data = response.body
+
+ # Read in RSS/XML
+ xml = Nokogiri::XML(data)
+
+ # Look for item
+ xml.xpath('//item/dc:creator').each do |node|
+ #Format:
+ users << [%r{.*}i.match(node).to_s]
+ end
+
+ if users
+ # Feedback
+ puts warning("Detected users from RSS feed:")
+
+ # Sort and uniq
+ users = users.sort_by { |user| user.to_s.downcase }.uniq
+
+ # Print results
+ table = Terminal::Table.new(headings: ['Name'],
+ rows: users)
+ puts table
+ end
+ end
+ end
+end
diff --git a/wpscan.rb b/wpscan.rb
index 3c480d54..bf8d2b66 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -323,6 +323,18 @@ def main
 spacer()
 end

+ # Get RSS
+ rss = wp_target.rss_url
+ if rss
+ # Feedback
+ puts info("RSS Feed: #{rss}")
+
+ # Print users from RSS feed
+ wp_target.rss_authors(rss)
+
+ spacer()
+ end
+
 if wp_target.has_full_path_disclosure?
 puts warning("Full Path Disclosure (FPD) in '#{wp_target.full_path_disclosure_url}': #{wp_target.full_path_disclosure_data}")
 spacer()
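Review bot: In `rss_authors` (lib/wpscan/wp_target/wp_rss.rb), `if users` can never be false, because `users` starts as `[]` and an empty array is truthy in Ruby, so the "Detected users from RSS feed:" warning and an empty table are printed even when the feed has no `dc:creator` nodes; `unless users.empty?` is the check that matches the intent. The feed is content supplied by the scanned site, and as far as I know Nokogiri raises an XPath syntax error for `//item/dc:creator` when the document does not declare the `dc` prefix, so a feed without it would likely abort the scan unless the lookup is rescued. The doc comments also disagree with the code: `rss_url` is tagged `@return [ Boolean ]` but returns the matched href or nil, and `rss_authors` is tagged `@return [ string ]` but returns `false` on a non-200 response and otherwise only prints. Author names go to the table verbatim, so stripping control characters first would keep a hostile feed from writing escape sequences to the operator's terminal.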
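Review bot: The value in `rss` (wpscan.rb hunk) is an href read out of the scanned site's homepage, and `wp_target.rss_authors(rss)` passes it to `Browser.get` without checking that it points at the target. A page under scan can therefore steer the scanner into requesting a URL on another host, which matters when the scan is limited to an agreed scope or runs from a network position that can reach internal services. Resolving the href against the target URL and skipping the author lookup when the host differs would close that, with a comment such as `# only follow feed URLs on the scanned host`. A relative href would presumably also fail in `Browser.get` as written, so the same resolution step covers that case. The enclosing `main` starts and ends outside this hunk.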