garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merges the db-update branch

Browse Source
This commit is contained in:
erwanlr
2014-09-17 16:12:12 +02:00
parent 280a91f139 c31a06e255
commit 9d084a7b2f
40 changed files with 141 additions and 60089 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/common/common_helper.rb
View File

@@ -73,18 +73,11 @@ def add_trailing_slash(url)
url =~ /\/$/ ? url : "#{url}/"
end
# loading the updater
require_files_from_directory(UPDATER_LIB_DIR)
@updater = UpdaterFactory.get_updater(ROOT_DIR)
if @updater
REVISION = @updater.local_revision_number()
else
REVISION = nil
end
def version
REVISION ? "v#{WPSCAN_VERSION}r#{REVISION}" : "v#{WPSCAN_VERSION}"
def missing_db_file?
DbUpdater::FILES.each do |db_file|
return true unless File.exist?(File.join(DATA_DIR, db_file))
end
false
end
# Define colors
@@ -127,12 +120,7 @@ def banner
puts ' \\/ \\/ |_| |_____/ \\___|\\__,_|_| |_|'
puts
puts ' WordPress Security Scanner by the WPScan Team '
# Alignment of the version (w & w/o the Revision)
if REVISION
puts " Version #{version}"
else
puts " Version #{version}"
end
puts " Version #{WPSCAN_VERSION}"
puts ' Sponsored by the RandomStorm Open Source Initiative'
puts ' @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_'
puts '_______________________________________________________________'

115
lib/common/db_updater.rb Normal file
View File

@@ -0,0 +1,115 @@
# encoding: UTF-8
# DB Updater
class DbUpdater
FILES = %w(
local_vulnerable_files.xml local_vulnerable_files.xsd malwares.txt
plugins_full.txt plugins.txt themes_full.txt themes.txt
timthumbs.txt user-agents.txt wp_versions.xml wp_versions.xsd
plugin_vulns.json theme_vulns.json wp_vulns.json
)
attr_reader :repo_directory
def initialize(repo_directory)
@repo_directory = repo_directory
fail "#{repo_directory} is not writable" unless \
Pathname.new(repo_directory).writable?
end
# @return [ Hash ] The params for Typhoeus::Request
def request_params
{
ssl_verifyhost: 2,
ssl_verifypeer: true
}
end
# @return [ String ] The raw file URL associated with the given filename
def remote_file_url(filename)
"https://raw.githubusercontent.com/wpscanteam/vulndb/master/#{filename}"
end
# @return [ String ] The checksum of the associated remote filename
def remote_file_checksum(filename)
url = "#{remote_file_url(filename)}.sha512"
res = Browser.get(url, request_params)
fail "Unable to get #{url}" unless res.code == 200
res.body
end
def local_file_path(filename)
File.join(repo_directory, "#{filename}")
end
def local_file_checksum(filename)
Digest::SHA512.file(local_file_path(filename)).hexdigest
end
def backup_file_path(filename)
File.join(repo_directory, "#{filename}.back")
end
def create_backup(filename)
return unless File.exist?(local_file_path(filename))
FileUtils.cp(local_file_path(filename), backup_file_path(filename))
end
def restore_backup(filename)
return unless File.exist?(backup_file_path(filename))
FileUtils.cp(backup_file_path(filename), local_file_path(filename))
end
def delete_backup(filename)
FileUtils.rm(backup_file_path(filename))
end
# @return [ String ] The checksum of the downloaded file
def download(filename)
file_path = local_file_path(filename)
file_url = remote_file_url(filename)
res = Browser.get(file_url, request_params)
fail "Error while downloading #{file_url}" unless res.code == 200
File.write(file_path, res.body)
local_file_checksum(filename)
end
def update(verbose = false)
FILES.each do |filename|
begin
puts "[+] Checking #{filename}" if verbose
db_checksum = remote_file_checksum(filename)
# Checking if the file needs to be updated
if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
puts ' [i] Already Up-To-Date' if verbose
next
end
puts ' [i] Needs to be updated' if verbose
create_backup(filename)
puts ' [i] Backup Created' if verbose
puts ' [i] Downloading new file' if verbose
dl_checksum = download(filename)
puts " [i] Downloaded File Checksum: #{dl_checksum}" if verbose
unless dl_checksum == db_checksum
fail "#{filename}: checksums do not match"
end
rescue => e
puts ' [i] Restoring Backup due to error' if verbose
restore_backup(filename)
raise e
ensure
if File.exist?(backup_file_path(filename))
puts ' [i] Deleting Backup' if verbose
delete_backup(filename)
end
end
end
end
end

37
lib/common/updater/git_updater.rb
View File

@@ -1,37 +0,0 @@
# encoding: UTF-8
require 'common/updater/updater'
class GitUpdater < Updater
def is_installed?
%x[git #{repo_directory_arguments()} status 2>&1] =~ /On branch/ ? true : false
end
# Git has not a revsion number like SVN,
# so we will take the 7 first chars of the last commit hash
def local_revision_number
git_log = %x[git #{repo_directory_arguments()} log -1 2>&1]
git_log[/commit ([0-9a-z]{7})/i, 1].to_s
end
def update
%x[git #{repo_directory_arguments()} pull]
end
def has_local_changes?
%x[git #{repo_directory_arguments()} diff --exit-code 2>&1] =~ /diff/ ? true : false
end
def reset_head
%x[git #{repo_directory_arguments()} reset --hard HEAD]
end
protected
def repo_directory_arguments
if @repo_directory
return "--git-dir=\"#{@repo_directory}/.git\" --work-tree=\"#{@repo_directory}\""
end
end
end

23
lib/common/updater/svn_updater.rb
View File

@@ -1,23 +0,0 @@
# encoding: UTF-8
require 'common/updater/updater'
class SvnUpdater < Updater
REVISION_PATTERN = /revision="(\d+)"/i
TRUNK_URL = 'https://github.com/wpscanteam/wpscan'
def is_installed?
%x[svn info "#@repo_directory" --xml 2>&1] =~ /revision=/ ? true : false
end
def local_revision_number
local_revision = %x[svn info "#@repo_directory" --xml 2>&1]
local_revision[REVISION_PATTERN, 1].to_s
end
def update
%x[svn up "#@repo_directory"]
end
end

25
lib/common/updater/updater.rb
View File

@@ -1,25 +0,0 @@
# encoding: UTF-8
# This class act as an absract one
class Updater
attr_reader :repo_directory
# TODO : add a last '/ to repo_directory if it's not present
def initialize(repo_directory = nil)
@repo_directory = repo_directory
end
def is_installed?
raise NotImplementedError
end
def local_revision_number
raise NotImplementedError
end
def update
raise NotImplementedError
end
end

23
lib/common/updater/updater_factory.rb
View File

@@ -1,23 +0,0 @@
# encoding: UTF-8
class UpdaterFactory
def self.get_updater(repo_directory)
self.available_updaters_classes().each do |updater_symbol|
updater = Object.const_get(updater_symbol).new(repo_directory)
if updater.is_installed?
return updater
end
end
nil
end
protected
# return array of class symbols
def self.available_updaters_classes
Object.constants.grep(/^.+Updater$/)
end
end

1
lib/wpscan/wp_target.rb
View File

@@ -30,7 +30,6 @@ class WpTarget < WebSite
@wp_plugins_dir = options[:wp_plugins_dir]
@multisite = nil
Browser.instance(options.merge(:max_threads => options[:threads]))
Browser.instance.referer = url
end

4
lib/wpscan/wpscan_helper.rb
View File

@@ -46,7 +46,7 @@ def usage
puts '-Use custom plugins directory ...'
puts "ruby #{script_name} -u www.example.com --wp-plugins-dir wp-content/custom-plugins"
puts
puts '-Update ...'
puts '-Update the DB ...'
puts "ruby #{script_name} --update"
puts
puts '-Debug output ...'
@@ -62,7 +62,7 @@ def help
puts
puts 'Some values are settable in a config file, see the example.conf.json'
puts
puts '--update Update to the latest revision.'
puts '--update Update to the database to the latest version.'
puts '--url | -u <target url> The WordPress URL/domain to scan.'
puts '--force | -f Forces WPScan to not check if the remote site is running WordPress.'
puts '--enumerate | -e [option(s)] Enumeration.'

118
lib/wpstools/plugins/list_generator/generate_list.rb
View File

@@ -1,118 +0,0 @@
# encoding: UTF-8
# This tool generates a list to use for plugin and theme enumeration
class GenerateList
attr_accessor :verbose
# type = themes | plugins
def initialize(type, verbose)
if type =~ /plugins/i
@type = 'plugin'
@svn_url = 'http://plugins.svn.wordpress.org/'
@popular_url = 'http://api.wordpress.org/plugins/info/1.0/'
@popular_action = 'query_plugins'
elsif type =~ /themes/i
@type = 'theme'
@svn_url = 'http://themes.svn.wordpress.org/'
@popular_url = 'http://api.wordpress.org/themes/info/1.0/'
@popular_action = 'query_themes'
else
raise "Type #{type} not defined"
end
@verbose = verbose
@browser = Browser.instance(request_timeout: 20000, connect_timeout: 20000, max_threads: 1, cache_ttl: 0)
end
def set_file_name(type)
case @type
when 'plugin'
case type
when :full
@file_name = PLUGINS_FULL_FILE
when :popular
@file_name = PLUGINS_FILE
else
raise 'Unknown type'
end
when 'theme'
case type
when :full
@file_name = THEMES_FULL_FILE
when :popular
@file_name = THEMES_FILE
else
raise 'Unknown type'
end
else
raise "Unknown type #@type"
end
end
def generate_full_list
set_file_name(:full)
items = SvnParser.new(@svn_url).parse
save items
end
def generate_popular_list(items)
set_file_name(:popular)
items = get_popular_items(items)
save items
end
# Fets most popular items via unofficial wordpress api
# see https://github.com/wpscanteam/wpscan/issues/657
def get_popular_items(items)
found_items = []
# in chunks of 100
step = 100
number_of_requests = (items.to_f / step.to_f).ceil
counter = 1
while items > 0
puts "[+] Request #{counter} / #{number_of_requests}"
rest = items < step ? items : step
# we need to fetch step entries every time, because the starting page
# is calculated: page * entries per page. If we would reduce the
# per page entries, the starting point will not match. So we are
# stripping down the array later
post_data = get_serialized(counter, step)
resp = Browser.post(@popular_url, { :body => { :action => @popular_action, :request => post_data } })
raise "Unknown reponse (code #{resp.code})" unless resp.code == 200
found = resp.body.scan(/"slug";s:[0-9]+:"([^"]+)";/).flatten
# too much entries? remove them
if found.length > rest
found = found[0,rest]
end
found_items << found
items -= rest
counter += 1
end
found_items.flatten!
found_items.sort!
found_items.uniq
end
# Save the file
def save(items)
items.sort!
items.uniq!
puts "[*] We have parsed #{items.length} #{@type}s"
File.open(@file_name, 'w') { |f| f.puts(items) }
puts "New #@file_name file created"
end
private
def get_serialized(page_start, count)
'O:8:"stdClass":4:{s:4:"page";i:' + page_start.to_s + ';s:8:"per_page";i:' + count.to_s + ';s:6:"browse";s:7:"popular";s:6:"fields";a:9:{s:11:"description";b:0;s:8:"sections";b:0;s:6:"tested";b:0;s:8:"requires";b:0;s:6:"rating";b:0;s:12:"downloadlink";b:0;s:12:"last_updated";b:0;s:8:"homepage";b:0;s:4:"tags";b:0;}}'
end
end

53
lib/wpstools/plugins/list_generator/list_generator_plugin.rb
View File

@@ -1,53 +0,0 @@
# encoding: UTF-8
class ListGeneratorPlugin < Plugin
def initialize
super(author: 'WPScanTeam - @FireFart')
register_options(
['--generate-plugin-list [NUMBER_OF_ITEMS]', '--gpl', Integer, 'Generate a new data/plugins.txt file. (supply number of *items* to parse, default : 1500)'],
['--generate-full-plugin-list', '--gfpl', 'Generate a new full data/plugins.txt file'],
['--generate-theme-list [NUMBER_OF_ITEMS]', '--gtl', Integer, 'Generate a new data/themes.txt file. (supply number of *items* to parse, default : 200)'],
['--generate-full-theme-list', '--gftl', 'Generate a new full data/themes.txt file'],
['--generate-all', '--ga', 'Generate a new full plugins, full themes, popular plugins and popular themes list']
)
end
def run(options = {})
@verbose = options[:verbose] || false
generate_all = options[:generate_all] || false
if options.has_key?(:generate_plugin_list) || generate_all
most_popular('plugin', options[:generate_plugin_list] || 1500)
end
if options[:generate_full_plugin_list] || generate_all
full('plugin')
end
if options.has_key?(:generate_theme_list) || generate_all
most_popular('theme', options[:generate_theme_list] || 200)
end
if options[:generate_full_theme_list] || generate_all
full('theme')
end
end
private
def most_popular(type, number_of_items)
puts "[+] Generating new most popular #{type} list (#{number_of_items} items)"
puts
GenerateList.new(type + 's', @verbose).generate_popular_list(number_of_items)
end
def full(type)
puts "[+] Generating new full #{type} list"
puts
GenerateList.new(type + 's', @verbose).generate_full_list
end
end

31
lib/wpstools/plugins/list_generator/svn_parser.rb
View File

@@ -1,31 +0,0 @@
# encoding: UTF-8
# This Class Parses SVN Repositories via HTTP
class SvnParser
attr_accessor :verbose, :svn_root, :keep_empty_dirs
def initialize(svn_root)
@svn_root = svn_root
end
def parse
get_root_directories
end
#Private methods start here
private
# Gets all directories in the SVN root
def get_root_directories
dirs = []
rootindex = Browser.get(@svn_root).body
rootindex.scan(%r{<li><a href=".+">(.+)/</a></li>}i).each do |dir|
dirs << dir[0]
end
dirs.sort!
dirs.uniq
end
end

15
lib/wpstools/wpstools_helper.rb
View File

@@ -12,21 +12,6 @@ def usage
puts
puts 'Examples:'
puts
puts "- Generate a new 'most popular' plugin list, up to 1500 items ..."
puts "ruby #{script_name} --generate-plugin-list 1500"
puts
puts '- Generate a new full plugin list'
puts "ruby #{script_name} --generate-full-plugin-list"
puts
puts "- Generate a new 'most popular' theme list, up to 1500 items ..."
puts "ruby #{script_name} --generate-theme-list 1500"
puts
puts '- Generate a new full theme list'
puts "ruby #{script_name} --generate-full-theme-list"
puts
puts '- Generate all list'
puts "ruby #{script_name} --generate-all"
puts
puts 'Locally scan a wordpress installation for vulnerable files or shells'
puts "ruby #{script_name} --check-local-vulnerable-files /var/www/wordpress/"
puts