From 4a427f1ff6d35aea383fcef21311d6b5f0aba799 Mon Sep 17 00:00:00 2001 From: erwanlr Date: Mon, 18 Mar 2019 19:15:43 +0000 Subject: [PATCH] Adds a custom temporary Enumerator for Plugins,Themes and Timthumbs --- app/finders/plugins/known_locations.rb | 11 +-- app/finders/themes/known_locations.rb | 15 +-- app/finders/timthumbs/known_locations.rb | 18 +++- lib/wpscan/finders.rb | 91 +++++++++++++++++++ .../platform/wordpress/custom_directories.rb | 14 +++ 5 files changed, 128 insertions(+), 21 deletions(-) diff --git a/app/finders/plugins/known_locations.rb b/app/finders/plugins/known_locations.rb index 6578d5a8..3968c60d 100644 --- a/app/finders/plugins/known_locations.rb +++ b/app/finders/plugins/known_locations.rb @@ -3,7 +3,7 @@ module WPScan module Plugins # Known Locations Plugins Finder class KnownLocations < CMSScanner::Finders::Finder - include CMSScanner::Finders::Finder::Enumerator + include Finders::Finder::Enumerator # @param [ Hash ] opts # @option opts [ String ] :list @@ -12,11 +12,7 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(target_urls(opts), opts) do |res, slug| - # TODO: follow the location (from enumerate()) and remove the 301 here ? - # As a result, it might remove false positive due to redirection to the homepage - next unless [200, 401, 403, 301].include?(res.code) - + enumerate(target_urls(opts), opts) do |_res, slug| found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end @@ -30,10 +26,9 @@ module WPScan def target_urls(opts = {}) slugs = opts[:list] || DB::Plugins.vulnerable_slugs urls = {} - plugins_url = target.plugins_url slugs.each do |slug| - urls["#{plugins_url}#{URI.encode(slug)}/"] = slug + urls[target.plugin_url(slug)] = slug end urls diff --git a/app/finders/themes/known_locations.rb b/app/finders/themes/known_locations.rb index 7fb53ae8..ddd86a8a 100644 --- a/app/finders/themes/known_locations.rb +++ b/app/finders/themes/known_locations.rb @@ -3,7 +3,7 @@ module WPScan module Themes # Known Locations Themes Finder class KnownLocations < CMSScanner::Finders::Finder - include CMSScanner::Finders::Finder::Enumerator + include Finders::Finder::Enumerator # @param [ Hash ] opts # @option opts [ String ] :list @@ -12,11 +12,7 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(target_urls(opts), opts) do |res, slug| - # TODO: follow the location (from enumerate()) and remove the 301 here ? - # As a result, it might remove false positive due to redirection to the homepage - next unless [200, 401, 403, 301].include?(res.code) - + enumerate(target_urls(opts), opts) do |_res, slug| found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end @@ -28,12 +24,11 @@ module WPScan # # @return [ Hash ] def target_urls(opts = {}) - slugs = opts[:list] || DB::Themes.vulnerable_slugs - urls = {} - themes_url = target.url('wp-content/themes/') + slugs = opts[:list] || DB::Themes.vulnerable_slugs + urls = {} slugs.each do |slug| - urls["#{themes_url}#{URI.encode(slug)}/"] = slug + urls[target.theme_url(slug)] = slug end urls diff --git a/app/finders/timthumbs/known_locations.rb b/app/finders/timthumbs/known_locations.rb index 428ce15b..e6923436 100644 --- a/app/finders/timthumbs/known_locations.rb +++ b/app/finders/timthumbs/known_locations.rb @@ -2,8 +2,10 @@ module WPScan module Finders module Timthumbs # Known Locations Timthumbs Finder + # Note: A vulnerable version, 2.8.13 can be found here: + # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php class KnownLocations < CMSScanner::Finders::Finder - include CMSScanner::Finders::Finder::Enumerator + include Finders::Finder::Enumerator # @param [ Hash ] opts # @option opts [ String ] :list Mandatory @@ -13,14 +15,24 @@ module WPScan found = [] enumerate(target_urls(opts), opts) do |res| - next unless res.code == 400 && res.body =~ /no image specified/i - found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100)) end found end + # @param [ Typhoeus::Response ] res + # @param [ Regexp,nil ] exclude_content + # + # @return [ Boolean ] + def valid_response?(res, _exclude_content = nil) + return false unless res.code == 400 + + full_res = Browser.get(res.effective_url, cache_ttl: 0) + + full_res.body =~ /no image specified/i ? true : false + end + # @param [ Hash ] opts # @option opts [ String ] :list Mandatory # diff --git a/lib/wpscan/finders.rb b/lib/wpscan/finders.rb index 904a4824..c191f5f6 100644 --- a/lib/wpscan/finders.rb +++ b/lib/wpscan/finders.rb @@ -24,3 +24,94 @@ module WPScan end end end + +# Better version of the CMSScanner Enumerator for plugins, themes and timthumbs, +# put here as temporary until implemented in it (and considering other finders using it, such as +# the config backups etc) +module WPScan + module Finders + class Finder + module Enumerator + # @param [ Hash ] The target urls + # @param [ Hash ] opts + # @option opts [ Boolean ] :show_progression Wether or not to display the progress bar + # @option opts [ Regexp ] :exclude_content + # + # @yield [ Typhoeus::Response, String ] + def enumerate(urls, opts = {}) + determine_request_params(urls, opts) + # determine_valid_response_codes(opts) + + create_progress_bar(opts.merge(total: urls.size)) + + urls.each do |url, slug| + request = browser.forge_request(url, request_params) + + request.on_complete do |res| + progress_bar.increment + + yield res, slug if valid_response?(res, opts[:exclude_content]) + end + + hydra.queue(request) + end + + hydra.run + end + + # @param [ Typhoeus::Response ] res + # @param [ Regexp,nil ] exclude_content + # + # @return [ Boolean ] + # rubocop:disable Metrics/PerceivedComplexity + def valid_response?(res, exclude_content = nil) + return false unless valid_response_codes.include?(res.code) + + return false if exclude_content && res.response_headers&.match(exclude_content) + + # Perform a full get to check if homepage or custom 404 + if res.code == 200 + full_res = Browser.get(res.effective_url, cache_ttl: 0) + + return false if target.homepage_or_404?(full_res) || + exclude_content && full_res.body.match(exclude_content) + end + + true + end + # rubocop:enable Metrics/PerceivedComplexity + + # @return [ Hash ] + def request_params + @request_params ||= { cache_ttl: 0 } + end + + # @param [ Hash ] urls + # @param [ Hash ] opts + def determine_request_params(urls, _opts) + head_res = Browser.head(urls.first[0], cache_ttl: 0) + + @request_params = if head_res.code == 405 + { method: :get, maxfilesize: 1, cache_ttl: 0 } + else + { method: :head, cache_ttl: 0 } + end + end + + # @return [ Array ] + def valid_response_codes + @valid_response_codes ||= [200, 401, 403, 301] + end + + # Idea here would be to check the opts[:found] which + # contains items (such as plugins) found via other techniques, + # and see their responses to refine the #response_codes + def determine_valid_response_codes(opts) + return if opts[:found].empty? + + # TODO + end + end + end + end +end diff --git a/lib/wpscan/target/platform/wordpress/custom_directories.rb b/lib/wpscan/target/platform/wordpress/custom_directories.rb index a69aac47..0aba4577 100644 --- a/lib/wpscan/target/platform/wordpress/custom_directories.rb +++ b/lib/wpscan/target/platform/wordpress/custom_directories.rb @@ -54,6 +54,13 @@ module WPScan plugins_uri.to_s end + # @param [ String ] slug + # + # @return [ String ] + def plugin_url(slug) + plugins_uri.join("#{URI.encode(slug)}/").to_s + end + # @return [ String ] def themes_dir @themes_dir ||= "#{content_dir}/themes" @@ -69,6 +76,13 @@ module WPScan themes_uri.to_s end + # @param [ String ] slug + # + # @return [ String ] + def theme_url(slug) + themes_uri.join("#{URI.encode(slug)}/").to_s + end + # TODO: Factorise the code and the content_dir one ? # @return [ String, False ] String of the sub_dir found, false otherwise # @note: nil can not be returned here, otherwise if there is no sub_dir