custom plugins directory

Christian Mehlmauer
2012-09-22 23:50:14 +02:00
parent ef72568688
commit 9b6a2805d7
86 changed files with 892 additions and 461 deletions


@@ -31,10 +31,12 @@ module WpPlugins
plugins = []
result.each do |r|
plugins << WpPlugin.new(
:url => r[:url],
:path => r[:path],
:wp_content_dir => r[:wp_content_dir],
:name => r[:name]
:url => r.url,
:path => r.path,
:wp_content_dir => r.wp_content_dir,
:name => r.name,
:type => "plugins",
:wp_plugins_dir => r.wp_plugin_dir
)
end
plugins.sort_by { |p| p.name }
@@ -52,10 +54,12 @@ module WpPlugins
temp.each do |item|
plugins << WpPlugin.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => options[:wp_content_dir]
:url => item.url,
:name => item.name,
:path => item.path,
:wp_content_dir => options[:wp_content_dir],
:type => "plugins",
:wp_plugins_dir => options[:wp_plugin_dir]
)
end
plugins.sort_by { |p| p.name }
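Review bot: The second hunk reads the custom directory from `options[:wp_plugin_dir]` (singular), while the other call sites on this page use the key `:wp_plugins_dir`, so unless a caller not shown here sets the singular key the lookup returns nil and WpItem falls back to its default `"plugins"`. The line should probably be `:wp_plugins_dir => options[:wp_plugins_dir]`. The same singular/plural split exists between the option key and the `wp_plugin_dir` accessor used in the first hunk (`r.wp_plugin_dir`); settling on one spelling for both would prevent this kind of slip. Both enclosing methods start and end outside the hunks.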


@@ -20,7 +20,8 @@ module WpThemes
def themes_from_aggressive_detection(options)
options[:file] = options[:file] || "#{DATA_DIR}/themes.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/wp_theme_vulns.xml"
options[:vulns_file] = (options[:vulns_file] != nil and options[:vulns_file] != "") ?
options[:vulns_file] : DATA_DIR + "/wp_theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:vulns_xpath_2] = "//theme"
options[:type] = "themes"
@@ -28,10 +29,10 @@ module WpThemes
themes = []
result.each do |r|
themes << WpTheme.new(
:url => r[:url],
:path => r[:path],
:wp_content_dir => r[:wp_content_dir],
:name => r[:name]
:url => r.url,
:path => r.path,
:wp_content_dir => r.wp_content_dir,
:name => r.name
)
end
themes.sort_by { |t| t.name }
@@ -43,9 +44,9 @@ module WpThemes
temp.each do |item|
themes << WpTheme.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:url => item.url,
:name => item.name,
:path => item.path,
:wp_content_dir => options[:wp_content_dir]
)
end
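Review bot: The new default for `options[:vulns_file]` in the first hunk uses `and` inside a ternary condition and compares against nil explicitly, which is easy to misread because `and` binds more loosely than `&&`; only the parentheses keep it correct. `options[:vulns_file] = DATA_DIR + "/wp_theme_vulns.xml" if options[:vulns_file].to_s.empty?` expresses the same rule in one line. The identical expression is repeated in WpPlugin#initialize and WpTheme#initialize, while WpVersion#initialize still uses plain `||`, so an empty string is handled differently there; a small shared helper would keep the four in step.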


@@ -54,12 +54,15 @@ module WpTimthumbs
timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
scripts/timthumb.php tools/timthumb.php functions/timthumb.php
}.each do |file|
targets << {
targets << WpItem.new(
:url => options[:url],
:path => "themes/#{theme_name}/#{file}",
:wp_content_dir => options[:wp_content_dir],
:name => options[:name]
}
:name => theme_name,
:vulns_file => "XX",
:type => "timthumbs",
:wp_plugins_dir => options[:wp_plugins_dir]
)
end
targets
end
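Review bot: `:vulns_file => "XX"` is a placeholder whose only visible purpose is to get past the `raise("vulns_file not set") unless @vulns_file` check in WpItem#initialize, and it leaves the item pointing at a file that presumably does not exist. Vulnerable#vulnerabilities opens `@vulns_file` directly, so calling it on one of these items would raise from `File.open` rather than return an empty list. WpDetector does the same with `:vulns_file => ""`, which also passes the check because an empty string is truthy in Ruby. I would let WpItem accept a nil `vulns_file` for item types that have no vulnerability database and have `vulnerabilities` return `[]` in that case, with a short comment at both call sites saying why no file is given.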


@@ -18,13 +18,13 @@
class Vulnerable
attr_reader :vulns_xml, :vulns_xpath
attr_reader :vulns_file, :vulns_xpath
# @return an array of WpVulnerability (can be empty)
def vulnerabilities
vulnerabilities = []
xml = Nokogiri::XML(File.open(@vulns_xml)) do |config|
xml = Nokogiri::XML(File.open(@vulns_file)) do |config|
config.noblanks
end


@@ -31,7 +31,7 @@ class WpDetector
already_present = false
result.each do |r|
# Already found via passive detection
if r[:name] == enum_result[:name]
if r.name == enum_result.name
already_present = true
break
end
@@ -60,12 +60,14 @@ class WpDetector
names.uniq!
names.each do |item|
items << {
items << WpItem.new(
:url => url,
:name => item,
:path => "#{type}/#{item}/",
:wp_content_dir => wp_content_dir
}
:type => type,
:path => "#{item}/",
:wp_content_dir => wp_content_dir,
:vulns_file => ""
)
end
items
end


@@ -50,11 +50,7 @@ class WpEnumerator
enumerate_size = targets.size
targets.each do |target|
# Timthumb files have no /timthumbs/ directory
unless options[:type] =~ /timthumbs/i
target[:path] = "#{options[:type]}/#{target[:path]}"
end
url = "#{target[:url]}#{target[:wp_content_dir]}/#{target[:path]}"
url = target.get_url
request = enum_browser.forge_request(url, { :cache_timeout => 0, :follow_location => true })
request_count += 1
@@ -92,18 +88,22 @@ class WpEnumerator
wp_content_dir = options[:wp_content_dir]
url = options[:url]
type = options[:type]
plugins_dir = options[:wp_plugins_dir]
targets_url = []
unless only_vulnerable
# Open and parse the 'most popular' plugin list...
File.open(file, 'r') do |f|
File.open(file, "r") do |f|
f.readlines.collect do |line|
targets_url << {
targets_url << WpItem.new(
:url => url,
:path => line.strip,
:wp_content_dir => wp_content_dir,
:name => File.dirname(line.strip)
}
:name => File.dirname(line.strip),
:vulns_file => vulns_file,
:type => type,
:wp_plugins_dir => plugins_dir
)
end
end
end
@@ -117,17 +117,20 @@ class WpEnumerator
# We check if the plugin name from the plugin_vulns_file is already in targets, otherwise we add it
xml.xpath(options[:vulns_xpath_2]).each do |node|
name = node.attribute("name").text
targets_url << {
targets_url << WpItem.new(
:url => url,
:path => name,
:wp_content_dir => wp_content_dir,
:name => name
}
:name => name,
:vulns_file => vulns_file,
:type => type,
:wp_plugins_dir => plugins_dir
)
end
end
targets_url.flatten!
targets_url.uniq!
targets_url.flatten! { |t| t.name }
targets_url.uniq! { |t| t.name }
# randomize the plugins array to *maybe* help in some crappy IDS/IPS/WAF detection
targets_url.sort_by! { rand }
end
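Review bot: `targets_url.flatten! { |t| t.name }` in the last hunk passes a block that `Array#flatten!` never calls, so the block is ignored and, with the array now holding WpItem objects rather than nested arrays, the call appears to do nothing. Only the `uniq! { |t| t.name }` on the next line uses its block. I would drop the `flatten!` line, or, if nested arrays can still reach this point (the code that could add them is outside the hunk), keep it as plain `targets_url.flatten!`. Also, `uniq!` by name now collapses two entries that share a name but differ in path, which the hash-based version did not; a one-line comment stating that this is intended would help.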


@@ -19,22 +19,40 @@
require "#{WPSCAN_LIB_DIR}/vulnerable"
class WpItem < Vulnerable
attr_accessor :path, :url, :wp_content_dir, :name, :vulns_xml, :vulns_xpath
attr_accessor :path, :url, :wp_content_dir, :name, :vulns_file, :vulns_xpath, :wp_plugin_dir, :type
@version = nil
def initialize(options = {})
def initialize(options)
@type = options[:type]
@wp_content_dir = options[:wp_content_dir] || "wp-content"
@wp_plugin_dir = options[:wp_plugins_dir] || "plugins"
@url = options[:url]
@path = options[:path]
@name = options[:name] || extract_name_from_url
@vulns_xml = options[:vulns_xml]
@vulns_xpath = options[:vulns_xpath].sub(/\$name\$/, @name)
@vulns_file = options[:vulns_file]
@vulns_xpath = options[:vulns_xpath].sub(/\$name\$/, @name) unless options[:vulns_xpath] == nil
raise("url not set") unless @url
raise("path not set") unless @path
raise("wp_content_dir not set") unless @wp_content_dir
raise("name not set") unless @name
raise("vulns_xml not set") unless @vulns_xml
raise("vulns_file not set") unless @vulns_file
raise("type not set") unless @type
end
def get_sub_folder
case @type
when "plugins"
folder = @wp_plugin_dir
when "themes"
folder = "themes"
when "timthumbs"
# not needed
folder = nil
else
raise("unknown type #@type")
end
folder
end
# Get the full url for this item
@@ -44,7 +62,13 @@ class WpItem < Vulnerable
wp_content_dir = @wp_content_dir.sub(/^\//, "").sub(/\/$/, "")
# remove first /
path = @path.sub(/^\//, "")
URI.parse("#{url}#{wp_content_dir}/#{path}")
if type == "timthumbs"
# timthumbs have folder in path variable
ret = URI.parse("#{url}#{wp_content_dir}/#{path}")
else
ret = URI.parse("#{url}#{wp_content_dir}/#{get_sub_folder}/#{path}")
end
ret
end
# Gets the full url for this item without filenames
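Review bot: In initialize, `options[:vulns_xpath].sub(/\$name\$/, @name)` places `@name` inside a quoted XPath string literal without any validation, so a name containing `'` changes the expression later evaluated against the vulnerability file, and backslash sequences such as `\0` in the name are treated as back-references by `sub`. Some names appear to be derived from the scanned site's responses (WpDetector builds items from `names`; their origin is outside this page), so they should be treated as untrusted. I would validate `@name` against the characters a plugin or theme slug may contain before substituting, and use the block form `sub("$name$") { @name }` so the replacement is taken literally. The new `unless options[:vulns_xpath] == nil` guard reads better as `if options[:vulns_xpath]`.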


@@ -18,7 +18,8 @@
class WpPlugin < WpItem
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/plugin_vulns.xml'
options[:vulns_file] = (options[:vulns_file] != nil and options[:vulns_file] != "") ?
options[:vulns_file] : DATA_DIR + "/plugin_vulns.xml"
options[:vulns_xpath] = "//plugin[@name='$name$']/vulnerability"
options[:vulns_xpath_2] = "//plugin"
options[:type] = "plugins"


@@ -104,7 +104,7 @@ class WpTarget
def wp_plugins_dir
unless @wp_plugins_dir
@wp_plugins_dir = wp_content_dir() + "/plugins"
@wp_plugins_dir = "plugins"
end
@wp_plugins_dir
end
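Review bot: wp_plugins_dir now returns a bare folder name instead of a path that includes wp_content_dir, and nothing in the hunk documents that change of meaning. Any caller outside this page that still builds a URL from the return value alone would lose the content directory, so those callers are worth checking. I would add a comment such as `# Folder name of the plugins directory, relative to wp_content_dir` above the method, and the body can shrink to `@wp_plugins_dir ||= "plugins"`.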


@@ -23,8 +23,10 @@ class WpTheme < WpItem
attr_reader :name, :style_url, :version
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
options[:vulns_file] = (options[:vulns_file] != nil and options[:vulns_file] != "") ?
options[:vulns_file] : DATA_DIR + "/wp_theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='$name$']/vulnerability"
options[:type] = "themes"
@version = options[:version]
@style_url = options[:style_url]
super(options)


@@ -25,7 +25,7 @@ class WpVersion < Vulnerable
def initialize(number, options = {})
@number = number
@discovery_method = options[:discovery_method]
@vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_vulns.xml'
@vulns_file = options[:vulns_file] || DATA_DIR + '/wp_vulns.xml'
@vulns_xpath = "//wordpress[@version='#{@number}']/vulnerability"
end