diff --git a/README b/README
index f53e1105..486ccf9b 100644
--- a/README
+++ b/README
@@ -119,6 +119,9 @@ ryandewhurst at gmail
 Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
 If no option is supplied, the default is 'vt,tt,u,vp'
+--exclude-content-based '' Used with the enumeration option, will exclude all occurence based on the regexp or string supplied
+ You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
+
 --config-file | -c Use the specified config file
 --follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
diff --git a/README.md b/README.md
index f4d4e507..7f8573f5 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,9 @@ Prerequisites:
 Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
 If no option is supplied, the default is 'vt,tt,u,vp'
+ --exclude-content-based '' Used with the enumeration option, will exclude all occurence based on the regexp or string supplied
+ You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
+
 --config-file | -c Use the specified config file
 --follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
diff --git a/lib/wpscan/wp_enumerator.rb b/lib/wpscan/wp_enumerator.rb
index 8615d546..3a7615bc 100644
--- a/lib/wpscan/wp_enumerator.rb
+++ b/lib/wpscan/wp_enumerator.rb
@@ -42,12 +42,13 @@ class WpEnumerator
 end
 end
- found = []
- queue_count = 0
- request_count = 0
- enum_browser = Browser.instance
- enum_hydra = enum_browser.hydra
+ found = []
+ queue_count = 0
+ request_count = 0
+ enum_browser = Browser.instance
+ enum_hydra = enum_browser.hydra
 enumerate_size = targets.size
+ exclude_regexp = options[:exclude_content_based] ? %r{#{options[:exclude_content_based]}} : nil
 targets.each do |target|
 url = target.get_full_url
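Review bot: The new `exclude_regexp` line turns an empty option value into a match-everything regexp: `''` is truthy in Ruby, so `%r{#{''}}` compiles to `//`, matches every response body and silently drops every enumerated plugin, theme or timthumb, and the help text's `''` placeholder makes exactly that invocation likely. The same line also lets an invalid pattern raise `RegexpError` in the middle of the enumeration rather than at option parsing, and because the value is always interpolated as a regexp, a literal "string" containing `.`, `(` or `*` is not matched literally despite what the README says. A guard on emptiness keeps the behaviour honest: `exclude_regexp = options[:exclude_content_based].to_s.empty? ? nil : Regexp.new(options[:exclude_content_based])`. The enclosing method starts before this hunk and continues past it.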
@@ -61,7 +62,13 @@ class WpEnumerator
 if WpTarget.valid_response_codes.include?(response.code)
 if Digest::MD5.hexdigest(response.body) != options[:error_404_hash]
- found << target
+ if options[:exclude_content_based]
+ unless response.body[exclude_regexp]
+ found << target
+ end
+ else
+ found << target
+ end
 end
 end
 end
diff --git a/lib/wpscan/wpscan_helper.rb b/lib/wpscan/wpscan_helper.rb
index 5df68a6d..6229ba14 100644
--- a/lib/wpscan/wpscan_helper.rb
+++ b/lib/wpscan/wpscan_helper.rb
@@ -93,6 +93,8 @@ def help()
 puts " Multiple values are allowed : '-e t,p' will enumerate timthumbs and plugins"
 puts " If no option is supplied, the default is 'vt,tt,u,vp'"
 puts
+ puts "--exclude-content-based '' Used with the enumeration option, will exclude all occurence based on the regexp or string supplied"
+ puts " You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)"
 puts "--config-file | -c Use the specified config file"
 puts "--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not"
 puts "--wp-content-dir WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed"
diff --git a/lib/wpscan/wpscan_options.rb b/lib/wpscan/wpscan_options.rb
index 7893729a..d5557303 100644
--- a/lib/wpscan/wpscan_options.rb
+++ b/lib/wpscan/wpscan_options.rb
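Review bot: The seven added lines duplicate `found << target` in two branches and re-test the raw `options[:exclude_content_based]` string instead of the `exclude_regexp` that the earlier hunk already derived from it, so the two can drift apart (one being set while the other is nil). Since `String#[]` with a `Regexp` returns the match or `nil`, the whole block collapses to one line with identical behaviour: `found << target unless exclude_regexp && response.body[exclude_regexp]`. The enclosing method and the `targets.each` block both start before this hunk and end after it.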
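Review bot: The first added `puts` in `help()` misspells "occurrence" as "occurence" and shows the argument as `''`, which reads as an instruction to pass an empty string rather than as a placeholder; both README hunks carry the same text. A clearer first line would be `puts "--exclude-content-based '<regexp>' Used with the enumeration option, will exclude all occurrences matching the regexp or string supplied"`. The `help()` method starts before this hunk and continues past it.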
@@ -19,30 +19,31 @@ class WpscanOptions
 ACCESSOR_OPTIONS = [
- :enumerate_plugins,
- :enumerate_only_vulnerable_plugins,
- :enumerate_all_plugins,
- :enumerate_themes,
- :enumerate_only_vulnerable_themes,
- :enumerate_all_themes,
- :enumerate_timthumbs,
- :enumerate_usernames,
- :enumerate_usernames_range,
- :proxy,
- :proxy_auth,
- :threads,
- :url,
- :wordlist,
- :force,
- :update,
- :verbose,
- :username,
- :password,
- :follow_redirection,
- :wp_content_dir,
- :wp_plugins_dir,
- :help,
- :config_file
+ :enumerate_plugins,
+ :enumerate_only_vulnerable_plugins,
+ :enumerate_all_plugins,
+ :enumerate_themes,
+ :enumerate_only_vulnerable_themes,
+ :enumerate_all_themes,
+ :enumerate_timthumbs,
+ :enumerate_usernames,
+ :enumerate_usernames_range,
+ :proxy,
+ :proxy_auth,
+ :threads,
+ :url,
+ :wordlist,
+ :force,
+ :update,
+ :verbose,
+ :username,
+ :password,
+ :follow_redirection,
+ :wp_content_dir,
+ :wp_plugins_dir,
+ :help,
+ :config_file,
+ :exclude_content_based
 ]
 attr_accessor *ACCESSOR_OPTIONS
@@ -238,7 +239,8 @@ class WpscanOptions
 ["--follow-redirection", GetoptLong::NO_ARGUMENT],
 ["--wp-content-dir", GetoptLong::REQUIRED_ARGUMENT],
 ["--wp-plugins-dir", GetoptLong::REQUIRED_ARGUMENT],
- ["--config-file", "-c", GetoptLong::REQUIRED_ARGUMENT]
+ ["--config-file", "-c", GetoptLong::REQUIRED_ARGUMENT],
+ ["--exclude-content-based", GetoptLong::REQUIRED_ARGUMENT]
 )
 end
diff --git a/wpscan.rb b/wpscan.rb
index fddd08ab..02743689 100755
--- a/wpscan.rb
+++ b/wpscan.rb
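Review bot: The new `["--exclude-content-based", GetoptLong::REQUIRED_ARGUMENT]` entry guarantees a value is present but nothing in this commit checks that the value is a usable regexp, so a malformed or empty pattern is only discovered once requests are already in flight. Wherever the option value is assigned to `exclude_content_based` (not in this hunk; presumably alongside the other option handlers in this class) it should be compiled once, `Regexp.new(value)`, with `RegexpError` reported as a usage error and an empty value rejected, so the scan fails fast before any network activity. The `GetoptLong.new(` call that this list belongs to starts before the hunk.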
@@ -202,14 +202,16 @@ begin
 puts green("[+]") + " Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
 puts
- options = {}
- options[:base_url] = wp_target.uri
- options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_plugins || false
- options[:show_progress_bar] = true
- options[:wp_content_dir] = wp_target.wp_content_dir
- options[:error_404_hash] = wp_target.error_404_hash
- options[:wp_plugins_dir] = wp_target.wp_plugins_dir
- options[:full] = wpscan_options.enumerate_all_plugins
+ options = {
+ :base_url => wp_target.uri,
+ :only_vulnerable_ones => wpscan_options.enumerate_only_vulnerable_plugins || false,
+ :show_progress_bar => true,
+ :wp_content_dir => wp_target.wp_content_dir,
+ :error_404_hash => wp_target.error_404_hash,
+ :wp_plugins_dir => wp_target.wp_plugins_dir,
+ :full => wpscan_options.enumerate_all_plugins,
+ :exclude_content_based => wpscan_options.exclude_content_based
+ }
 plugins = wp_target.plugins_from_aggressive_detection(options)
 unless plugins.empty?
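Review bot: The rewritten `options` literal here and the two in the theme (@@ -258) and timthumb (@@ -305) hunks now repeat the same five keys (`:base_url`, `:show_progress_bar`, `:wp_content_dir`, `:error_404_hash`, `:exclude_content_based`), which is how the new `:exclude_content_based` key had to be added three times and how a future option will be forgotten in one of them. Building the shared base once and merging the per-enumeration keys keeps a single place to extend, as sketched below; the helper could live next to `help()` in wpscan_helper.rb. The surrounding `begin` block starts well before this hunk and continues past it.
```ruby
# shared base for the plugin / theme / timthumb enumerations
def enumeration_options(wp_target, wpscan_options)
  {
    :base_url              => wp_target.uri,
    :show_progress_bar     => true,
    :wp_content_dir        => wp_target.wp_content_dir,
    :error_404_hash        => wp_target.error_404_hash,
    :exclude_content_based => wpscan_options.exclude_content_based
  }
end

# … unchanged: plugin banner output …
options = enumeration_options(wp_target, wpscan_options).merge(
  :only_vulnerable_ones => wpscan_options.enumerate_only_vulnerable_plugins || false,
  :wp_plugins_dir       => wp_target.wp_plugins_dir,
  :full                 => wpscan_options.enumerate_all_plugins
)
plugins = wp_target.plugins_from_aggressive_detection(options)
```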
@@ -258,13 +260,15 @@ begin
 puts green("[+]") + " Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
 puts
- options = {}
- options[:base_url] = wp_target.uri
- options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes || false
- options[:show_progress_bar] = true
- options[:wp_content_dir] = wp_target.wp_content_dir
- options[:error_404_hash] = wp_target.error_404_hash
- options[:full] = wpscan_options.enumerate_all_themes
+ options = {
+ :base_url => wp_target.uri,
+ :only_vulnerable_ones => wpscan_options.enumerate_only_vulnerable_themes || false,
+ :show_progress_bar => true,
+ :wp_content_dir => wp_target.wp_content_dir,
+ :error_404_hash => wp_target.error_404_hash,
+ :full => wpscan_options.enumerate_all_themes,
+ :exclude_content_based => wpscan_options.exclude_content_based
+ }
 themes = wp_target.themes_from_aggressive_detection(options)
 unless themes.empty?
@@ -305,11 +309,13 @@ begin
 puts green("[+]") + " Enumerating timthumb files ..."
 puts
- options = {}
- options[:base_url] = wp_target.uri
- options[:show_progress_bar] = true
- options[:wp_content_dir] = wp_target.wp_content_dir
- options[:error_404_hash] = wp_target.error_404_hash
+ options = {
+ :base_url => wp_target.uri,
+ :show_progress_bar => true,
+ :wp_content_dir => wp_target.wp_content_dir,
+ :error_404_hash => wp_target.error_404_hash,
+ :exclude_content_based => wpscan_options.exclude_content_based
+ }
 theme_name = wp_theme ? wp_theme.name : nil
 if wp_target.has_timthumbs?(theme_name, options)
@@ -383,7 +389,7 @@ begin
 puts
 puts green("[+]") + " Starting the password brute forcer"
 puts
- wp_target.brute_force(usernames, wpscan_options.wordlist)
+ wp_target.brute_force(usernames, wpscan_options.wordlist)
 else
 puts
 puts "Brute forcing aborted"