Merges the db-update branch

2014-09-17 16:12:12 +02:00
parent 280a91f139 c31a06e255
commit 9d084a7b2f
40 changed files with 141 additions and 60089 deletions
--- a/lib/common/common_helper.rb
+++ b/lib/common/common_helper.rb
@@ -73,18 +73,11 @@ def add_trailing_slash(url)
  url =~ /\/$/ ? url : "#{url}/"
 end

-# loading the updater
-require_files_from_directory(UPDATER_LIB_DIR)
-@updater = UpdaterFactory.get_updater(ROOT_DIR)
-
-if @updater
-  REVISION = @updater.local_revision_number()
-else
-  REVISION = nil
-end
-
-def version
-  REVISION ? "v#{WPSCAN_VERSION}r#{REVISION}" : "v#{WPSCAN_VERSION}"
+def missing_db_file?
+  DbUpdater::FILES.each do |db_file|
+    return true unless File.exist?(File.join(DATA_DIR, db_file))
+  end
+  false
 end

 # Define colors
@@ -127,12 +120,7 @@ def banner
  puts '            \\/  \\/   |_|    |_____/ \\___|\\__,_|_| |_|'
  puts
  puts '        WordPress Security Scanner by the WPScan Team '
-  # Alignment of the version (w & w/o the Revision)
-  if REVISION
-    puts "                    Version #{version}"
-  else
-    puts "                        Version #{version}"
-  end
+  puts "                       Version #{WPSCAN_VERSION}"
  puts '     Sponsored by the RandomStorm Open Source Initiative'
  puts '   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_'
  puts '_______________________________________________________________'
--- a/lib/common/db_updater.rb
+++ b/lib/common/db_updater.rb
@@ -0,0 +1,115 @@
+# encoding: UTF-8
+
+# DB Updater
+class DbUpdater
+  FILES = %w(
+    local_vulnerable_files.xml local_vulnerable_files.xsd malwares.txt
+    plugins_full.txt plugins.txt themes_full.txt themes.txt
+    timthumbs.txt user-agents.txt wp_versions.xml wp_versions.xsd
+    plugin_vulns.json theme_vulns.json wp_vulns.json
+  )
+
+  attr_reader :repo_directory
+
+  def initialize(repo_directory)
+    @repo_directory = repo_directory
+
+    fail "#{repo_directory} is not writable" unless \
+      Pathname.new(repo_directory).writable?
+  end
+
+  # @return [ Hash ] The params for Typhoeus::Request
+  def request_params
+    {
+      ssl_verifyhost: 2,
+      ssl_verifypeer: true
+    }
+  end
+
+  # @return [ String ] The raw file URL associated with the given filename
+  def remote_file_url(filename)
+    "https://raw.githubusercontent.com/wpscanteam/vulndb/master/#{filename}"
+  end
+
+  # @return [ String ] The checksum of the associated remote filename
+  def remote_file_checksum(filename)
+    url = "#{remote_file_url(filename)}.sha512"
+
+    res = Browser.get(url, request_params)
+    fail "Unable to get #{url}" unless res.code == 200
+    res.body
+  end
+
+  def local_file_path(filename)
+    File.join(repo_directory, "#{filename}")
+  end
+
+  def local_file_checksum(filename)
+    Digest::SHA512.file(local_file_path(filename)).hexdigest
+  end
+
+  def backup_file_path(filename)
+    File.join(repo_directory, "#{filename}.back")
+  end
+
+  def create_backup(filename)
+    return unless File.exist?(local_file_path(filename))
+    FileUtils.cp(local_file_path(filename), backup_file_path(filename))
+  end
+
+  def restore_backup(filename)
+    return unless File.exist?(backup_file_path(filename))
+    FileUtils.cp(backup_file_path(filename), local_file_path(filename))
+  end
+
+  def delete_backup(filename)
+    FileUtils.rm(backup_file_path(filename))
+  end
+
+  # @return [ String ] The checksum of the downloaded file
+  def download(filename)
+    file_path = local_file_path(filename)
+    file_url  = remote_file_url(filename)
+
+    res = Browser.get(file_url, request_params)
+    fail "Error while downloading #{file_url}" unless res.code == 200
+    File.write(file_path, res.body)
+
+    local_file_checksum(filename)
+  end
+
+  def update(verbose = false)
+    FILES.each do |filename|
+      begin
+        puts "[+] Checking #{filename}" if verbose
+        db_checksum = remote_file_checksum(filename)
+
+        # Checking if the file needs to be updated
+        if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
+          puts '  [i] Already Up-To-Date' if verbose
+          next
+        end
+
+        puts '  [i] Needs to be updated' if verbose
+        create_backup(filename)
+        puts '  [i] Backup Created' if verbose
+        puts '  [i] Downloading new file' if verbose
+        dl_checksum = download(filename)
+        puts "  [i] Downloaded File Checksum: #{dl_checksum}" if verbose
+
+        unless dl_checksum == db_checksum
+          fail "#{filename}: checksums do not match"
+        end
+      rescue => e
+        puts '  [i] Restoring Backup due to error' if verbose
+        restore_backup(filename)
+        raise e
+      ensure
+        if File.exist?(backup_file_path(filename))
+          puts '  [i] Deleting Backup' if verbose
+          delete_backup(filename)
+        end
+      end
+    end
+  end
+end
--- a/lib/common/updater/git_updater.rb
+++ b/lib/common/updater/git_updater.rb
@@ -1,37 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class GitUpdater < Updater
-
-  def is_installed?
-    %x[git #{repo_directory_arguments()} status 2>&1] =~ /On branch/ ? true : false
-  end
-
-  # Git has not a revsion number like SVN,
-  # so we will take the 7 first chars of the last commit hash
-  def local_revision_number
-    git_log = %x[git #{repo_directory_arguments()} log -1 2>&1]
-    git_log[/commit ([0-9a-z]{7})/i, 1].to_s
-  end
-
-  def update
-    %x[git #{repo_directory_arguments()} pull]
-  end
-
-  def has_local_changes?
-    %x[git #{repo_directory_arguments()} diff --exit-code 2>&1] =~ /diff/ ? true : false
-  end
-
-  def reset_head
-    %x[git #{repo_directory_arguments()} reset --hard HEAD]
-  end
-
-  protected
-  def repo_directory_arguments
-    if @repo_directory
-      return "--git-dir=\"#{@repo_directory}/.git\" --work-tree=\"#{@repo_directory}\""
-    end
-  end
-
-end
--- a/lib/common/updater/svn_updater.rb
+++ b/lib/common/updater/svn_updater.rb
@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class SvnUpdater < Updater
-
-  REVISION_PATTERN = /revision="(\d+)"/i
-  TRUNK_URL        = 'https://github.com/wpscanteam/wpscan'
-
-  def is_installed?
-    %x[svn info "#@repo_directory" --xml 2>&1] =~ /revision=/ ? true : false
-  end
-
-  def local_revision_number
-    local_revision = %x[svn info "#@repo_directory" --xml 2>&1]
-    local_revision[REVISION_PATTERN, 1].to_s
-  end
-
-  def update
-    %x[svn up "#@repo_directory"]
-  end
-
-end
--- a/lib/common/updater/updater.rb
+++ b/lib/common/updater/updater.rb
@@ -1,25 +0,0 @@
-# encoding: UTF-8
-
-# This class act as an absract one
-class Updater
-
-  attr_reader :repo_directory
-
-  # TODO : add a last '/ to repo_directory if it's not present
-  def initialize(repo_directory = nil)
-    @repo_directory = repo_directory
-  end
-
-  def is_installed?
-    raise NotImplementedError
-  end
-
-  def local_revision_number
-    raise NotImplementedError
-  end
-
-  def update
-    raise NotImplementedError
-  end
-
-end
--- a/lib/common/updater/updater_factory.rb
+++ b/lib/common/updater/updater_factory.rb
@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-class UpdaterFactory
-
-  def self.get_updater(repo_directory)
-    self.available_updaters_classes().each do |updater_symbol|
-      updater = Object.const_get(updater_symbol).new(repo_directory)
-
-      if updater.is_installed?
-        return updater
-      end
-    end
-    nil
-  end
-
-  protected
-
-  # return array of class symbols
-  def self.available_updaters_classes
-    Object.constants.grep(/^.+Updater$/)
-  end
-
-end