From c48be5e9805c438980ca0fc44bdd16930ad9d71c Mon Sep 17 00:00:00 2001 From: erwanlr Date: Tue, 18 May 2021 12:05:27 +0200 Subject: [PATCH] Fixes #1642 --- .rubocop.yml | 2 +- app/finders/db_exports/known_locations.rb | 38 +++++++++++++++++-- .../db_exports/known_locations_spec.rb | 20 ++++++---- 3 files changed, 49 insertions(+), 11 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 26aa4123..e7d7bffe 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -15,7 +15,7 @@ Lint/MissingSuper: Lint/UriEscapeUnescape: Enabled: false Metrics/AbcSize: - Max: 25 + Max: 27 Metrics/BlockLength: Exclude: - 'spec/**/*' diff --git a/app/finders/db_exports/known_locations.rb b/app/finders/db_exports/known_locations.rb index 6db29397..de78773f 100644 --- a/app/finders/db_exports/known_locations.rb +++ b/app/finders/db_exports/known_locations.rb @@ -40,11 +40,24 @@ module WPScan # @return [ Hash ] def potential_urls(opts = {}) urls = {} + index = 0 - File.open(opts[:list]).each_with_index do |path, index| - path.gsub!('{domain_name}', domain_name) + File.open(opts[:list]).each do |path| + path.chomp! - urls[target.url(path.chomp)] = index + if path.include?('{domain_name}') + urls[target.url(path.gsub('{domain_name}', domain_name))] = index + + if domain_name != domain_name_with_sub + urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1 + + index += 1 + end + else + urls[target.url(path)] = index + end + + index += 1 end urls @@ -58,6 +71,25 @@ module WPScan end end + def domain_name_with_sub + @domain_name_with_sub ||= + if Resolv::AddressRegex.match?(target.uri.host) + target.uri.host + else + parsed = PublicSuffix.parse(target.uri.host) + + if parsed.subdomain + parsed.subdomain.gsub(".#{parsed.tld}", '') + elsif parsed.domain + parsed.domain.gsub(".#{parsed.tld}", '') + else + target.uri.host + end + end + rescue PublicSuffix::DomainNotAllowed + @domain_name_with_sub = target.uri.host + end + def create_progress_bar(opts = {}) super(opts.merge(title: ' Checking DB Exports -')) end diff --git a/spec/app/finders/db_exports/known_locations_spec.rb b/spec/app/finders/db_exports/known_locations_spec.rb index cbcf0546..4cf9dae0 100644 --- a/spec/app/finders/db_exports/known_locations_spec.rb +++ b/spec/app/finders/db_exports/known_locations_spec.rb @@ -12,7 +12,7 @@ describe WPScan::Finders::DbExports::KnownLocations do allow(target).to receive(:sub_dir).and_return(false) end - it 'replaces {domain_name} by its value' do + it 'replaces {domain_name} by its values' do expect(finder.potential_urls(opts).keys).to eql %w[ http://ex.lo/aa/ex.sql http://ex.lo/aa/wordpress.sql @@ -27,8 +27,8 @@ describe WPScan::Finders::DbExports::KnownLocations do context "when #{sub_domain} sub-domain" do let(:url) { "https://#{sub_domain}.domain.tld" } - it 'replaces {domain_name} by its correct value' do - expect(finder.potential_urls(opts).keys).to include "#{url}/domain.sql" + it 'replaces {domain_name} by its correct values' do + expect(finder.potential_urls(opts).keys).to include "#{url}/domain.sql", "#{url}/#{sub_domain}.domain.sql" end end end @@ -44,16 +44,22 @@ describe WPScan::Finders::DbExports::KnownLocations do context 'when multi-level tlds and sub-domain' do let(:url) { 'https://dev.something.com.tr' } - it 'replaces {domain_name} by its correct value' do - expect(finder.potential_urls(opts).keys).to include 'https://dev.something.com.tr/something.sql' + it 'replaces {domain_name} by its correct values' do + expect(finder.potential_urls(opts).keys).to include( + 'https://dev.something.com.tr/something.sql', + 'https://dev.something.com.tr/dev.something.sql' + ) end end context 'when some weird stuff' do let(:url) { 'https://098f6bcd4621d373cade4e832627b4f6.aa-bb-ccc-dd.domain-test.com' } - it 'replaces {domain_name} by its correct value' do - expect(finder.potential_urls(opts).keys).to include "#{url}/domain-test.sql" + it 'replaces {domain_name} by its correct values' do + expect(finder.potential_urls(opts).keys).to include( + "#{url}/domain-test.sql", + "#{url}/098f6bcd4621d373cade4e832627b4f6.aa-bb-ccc-dd.domain-test.sql" + ) end end