garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:wpscanteam/wpscan

Browse Source
This commit is contained in:
Christian Mehlmauer
2015-06-21 11:03:55 +02:00
parent 4cc9f7c8b5 14115761f9
commit ace64d88ce
5 changed files with 72 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
CHANGELOG.md
View File

@@ -1,6 +1,52 @@
# Changelog # Changelog
## Master ## Master
[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.7...master) [Work in progress](https://github.com/wpscanteam/wpscan/compare/2.8...master)
## Version 2.8
Released: 2015-06-XX
New
* Warn the user to update his DB files
* Added last db update to --version option (see #815)
* Add db checksum to verbose logging during update
* Option to hide banner
* Continue if user chooses not to update + db exists
* Don't update if user chooses default + no DBs exist
* Updates request timeout values to realistic ones (and in seconds)
Removed
* Removed `Time.parse('2000-01-01')` expedient
* Removed unnecessary 'return' and '()'
* Removed debug output
* Removed wpstools
General core
* Update to Ruby 2.2.2
* Switch to mitre
* Install bundler gem README
* Switch from gnutls to openssl
Fixed issues
* Fix #789 - Add blackarch to readme
* Fix #790 - Consider the target down after 30 requests timed out requests instead of 10
* Fix #791 - Rogue character causing the scan of non-wordpress site to crash
* Fix #792 - Adds the HttpError exception
* Fix #795 - Remove GHOST warning
* Fix #796 - Do not swallow exit code
* Fix #797 - Increases the timeout values
* Fix #801 - Forces UTF-8 encoding when enumerating usernames
* Fix #803 - Increases default connect-timeout to 10s
* Fix #804 - Updates the Theme detection pattern
* Fix #816 - Ignores potential non version chars in theme version detection
* Fix #819 - Removes potential spaces in robots.txt entries
WPScan Database Statistics:
* Total vulnerable versions: 98
* Total vulnerable plugins: 1076
* Total vulnerable themes: 361
* Total version vulnerabilities: 1104
* Total plugin vulnerabilities: 1763
* Total theme vulnerabilities: 443
## Version 2.7 ## Version 2.7
Released: 2015-03-16 Released: 2015-03-16

5
lib/wpscan/web_site.rb
View File

@@ -54,10 +54,7 @@ class WebSite
redirected_uri = URI.parse(add_trailing_slash(add_http_protocol(url))) redirected_uri = URI.parse(add_trailing_slash(add_http_protocol(url)))
if response.code == 301 || response.code == 302 if response.code == 301 || response.code == 302
redirection = response.headers_hash['location'] redirection = redirected_uri.merge(response.headers_hash['location']).to_s
if redirection[0] == '/'
redirection = "#{redirected_uri.scheme}://#{redirected_uri.host}#{redirection}"
end
return redirection if url == redirection # prevents infinite loop return redirection if url == redirection # prevents infinite loop

16
spec/lib/wpscan/web_site_spec.rb
View File

@@ -116,12 +116,24 @@ describe 'WebSite' do
expect(web_site.redirection).to eql absolute_location expect(web_site.redirection).to eql absolute_location
end end
context 'when starts with a ?' do
it 'returns the absolute URI' do
relative_location = '?p=blog'
absolute_location = web_site.uri.merge(relative_location).to_s
stub_request(:get, web_site.url).to_return(status: 301, headers: { location: relative_location })
stub_request(:get, absolute_location)
expect(web_site.redirection).to eql absolute_location
end
end
end end
context 'when multiple redirections' do context 'when multiple redirections' do
it 'returns the last redirection' do it 'returns the last redirection' do
first_redirection = 'www.redirection.com' first_redirection = 'http://www.redirection.com'
last_redirection = 'redirection.com' last_redirection = 'http://redirection.com'
stub_request(:get, web_site.url).to_return(status: 301, headers: { location: first_redirection }) stub_request(:get, web_site.url).to_return(status: 301, headers: { location: first_redirection })
stub_request(:get, first_redirection).to_return(status: 302, headers: { location: last_redirection }) stub_request(:get, first_redirection).to_return(status: 302, headers: { location: last_redirection })

2
spec/spec_helper.rb
View File

@@ -5,6 +5,8 @@ require 'webmock/rspec'
# Code Coverage (only works with ruby >= 1.9) # Code Coverage (only works with ruby >= 1.9)
require 'simplecov' if RUBY_VERSION >= '1.9' require 'simplecov' if RUBY_VERSION >= '1.9'
RSpec::Expectations.configuration.warn_about_potential_false_positives = false
require File.expand_path(File.dirname(__FILE__) + '/../lib/common/common_helper') require File.expand_path(File.dirname(__FILE__) + '/../lib/common/common_helper')
SPEC_DIR = ROOT_DIR + '/spec' SPEC_DIR = ROOT_DIR + '/spec'

9
wpscan.rb
View File

@@ -39,6 +39,8 @@ def main
if wpscan_options.version if wpscan_options.version
puts "Current version: #{WPSCAN_VERSION}" puts "Current version: #{WPSCAN_VERSION}"
date = last_update
puts "Last DB update: #{date.strftime('%Y-%m-%d')}" unless date.nil?
exit(0) exit(0)
end end
@@ -58,10 +60,15 @@ def main
elsif input =~ /^a/i elsif input =~ /^a/i
puts 'Scan aborted' puts 'Scan aborted'
exit(1) exit(1)
else
if missing_db_file?
puts critical('You can not run a scan without any databases.')
exit(1)
end
end end
end end
if wpscan_options.update || missing_db_file? if wpscan_options.update
puts notice('Updating the Database ...') puts notice('Updating the Database ...')
DbUpdater.new(DATA_DIR).update(wpscan_options.verbose) DbUpdater.new(DATA_DIR).update(wpscan_options.verbose)
puts notice('Update completed.') puts notice('Update completed.')