diff --git a/app/finders/config_backups/known_filenames.rb b/app/finders/config_backups/known_filenames.rb index 50b68e20..017ddc6c 100644 --- a/app/finders/config_backups/known_filenames.rb +++ b/app/finders/config_backups/known_filenames.rb @@ -5,7 +5,7 @@ module WPScan module ConfigBackups # Config Backup finder class KnownFilenames < CMSScanner::Finders::Finder - include Finders::Finder::Enumerator + include CMSScanner::Finders::Finder::Enumerator # @param [ Hash ] opts # @option opts [ String ] :list @@ -15,21 +15,15 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(potential_urls(opts), opts) do |res| + enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res| + next unless res.body =~ /define/i && res.body !~ /<\s?html/i + found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) end found end - def valid_response?(res, _exclude_content = nil) - return unless res.code == 200 - - full_res = Browser.get(res.effective_url) - - full_res.body =~ /define/i && full_res.body !~ /<\s?html/i - end - # @param [ Hash ] opts # @option opts [ String ] :list Mandatory # diff --git a/app/finders/db_exports/known_locations.rb b/app/finders/db_exports/known_locations.rb index 886cef3d..21d6be1e 100644 --- a/app/finders/db_exports/known_locations.rb +++ b/app/finders/db_exports/known_locations.rb @@ -6,7 +6,7 @@ module WPScan # DB Exports finder # See https://github.com/wpscanteam/wpscan-v3/issues/62 class KnownLocations < CMSScanner::Finders::Finder - include Finders::Finder::Enumerator + include CMSScanner::Finders::Finder::Enumerator SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze @@ -18,20 +18,21 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(potential_urls(opts), opts) do |res| + enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res| + if res.effective_url.end_with?('.zip') + next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i + else + next unless res.body =~ SQL_PATTERN + end + found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) end found end - def valid_response?(res, _exclude_content = nil) - return false unless res.code == 200 - - return true if res.effective_url.end_with?('.zip') && - res.headers['Content-Type'] =~ %r{\Aapplication/zip}i - - Browser.get(res.effective_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN ? true : false + def full_request_params + @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } } end # @param [ Hash ] opts diff --git a/app/finders/plugins/known_locations.rb b/app/finders/plugins/known_locations.rb index 92c75b5c..372d0c40 100644 --- a/app/finders/plugins/known_locations.rb +++ b/app/finders/plugins/known_locations.rb @@ -5,7 +5,12 @@ module WPScan module Plugins # Known Locations Plugins Finder class KnownLocations < CMSScanner::Finders::Finder - include Finders::Finder::Enumerator + include CMSScanner::Finders::Finder::Enumerator + + # @return [ Array ] + def valid_response_codes + @valid_response_codes ||= [200, 401, 403, 301] + end # @param [ Hash ] opts # @option opts [ String ] :list @@ -14,7 +19,7 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(target_urls(opts), opts) do |_res, slug| + enumerate(target_urls(opts), opts.merge(check_full_response: 200)) do |_res, slug| found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end diff --git a/app/finders/themes/known_locations.rb b/app/finders/themes/known_locations.rb index a36d3cc8..9574b072 100644 --- a/app/finders/themes/known_locations.rb +++ b/app/finders/themes/known_locations.rb @@ -5,7 +5,12 @@ module WPScan module Themes # Known Locations Themes Finder class KnownLocations < CMSScanner::Finders::Finder - include Finders::Finder::Enumerator + include CMSScanner::Finders::Finder::Enumerator + + # @return [ Array ] + def valid_response_codes + @valid_response_codes ||= [200, 401, 403, 301] + end # @param [ Hash ] opts # @option opts [ String ] :list @@ -14,7 +19,7 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(target_urls(opts), opts) do |_res, slug| + enumerate(target_urls(opts), opts.merge(check_full_response: 200)) do |_res, slug| found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) end diff --git a/app/finders/timthumbs/known_locations.rb b/app/finders/timthumbs/known_locations.rb index 1d40075e..3cc556e1 100644 --- a/app/finders/timthumbs/known_locations.rb +++ b/app/finders/timthumbs/known_locations.rb @@ -7,7 +7,12 @@ module WPScan # Note: A vulnerable version, 2.8.13 can be found here: # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php class KnownLocations < CMSScanner::Finders::Finder - include Finders::Finder::Enumerator + include CMSScanner::Finders::Finder::Enumerator + + # @return [ Array ] + def valid_response_codes + @valid_response_codes ||= [400] + end # @param [ Hash ] opts # @option opts [ String ] :list Mandatory @@ -16,23 +21,15 @@ module WPScan def aggressive(opts = {}) found = [] - enumerate(target_urls(opts), opts) do |res| + enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res| + next unless res.body =~ /no image specified/i + found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100)) end found end - # @param [ Typhoeus::Response ] res - # @param [ Regexp, nil ] exclude_content - # - # @return [ Boolean ] - def valid_response?(res, _exclude_content = nil) - return false unless res.code == 400 - - Browser.get(res.effective_url).body =~ /no image specified/i ? true : false - end - # @param [ Hash ] opts # @option opts [ String ] :list Mandatory # diff --git a/app/models/plugin.rb b/app/models/plugin.rb index 5ef7a33d..cbd8502e 100644 --- a/app/models/plugin.rb +++ b/app/models/plugin.rb @@ -8,11 +8,11 @@ module WPScan def initialize(slug, blog, opts = {}) super(slug, blog, opts) - @uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/")) - # To be used by #head_and_get # If custom wp-content, it will be replaced by blog#url @path_from_blog = "wp-content/plugins/#{slug}/" + + @uri = Addressable::URI.parse(blog.url(path_from_blog)) end # @return [ JSON ] diff --git a/app/models/theme.rb b/app/models/theme.rb index fca4037f..7f99bb80 100644 --- a/app/models/theme.rb +++ b/app/models/theme.rb @@ -11,13 +11,13 @@ module WPScan def initialize(slug, blog, opts = {}) super(slug, blog, opts) - @uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/")) - @style_url = opts[:style_url] || url('style.css') - # To be used by #head_and_get # If custom wp-content, it will be replaced by blog#url @path_from_blog = "wp-content/themes/#{slug}/" + @uri = Addressable::URI.parse(blog.url(path_from_blog)) + @style_url = opts[:style_url] || url('style.css') + parse_style end diff --git a/app/models/wp_item.rb b/app/models/wp_item.rb index 8c388408..b00f4981 100644 --- a/app/models/wp_item.rb +++ b/app/models/wp_item.rb @@ -14,7 +14,7 @@ module WPScan attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data - delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog + delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog # @param [ String ] slug The plugin/theme slug # @param [ Target ] blog The targeted blog diff --git a/lib/wpscan/finders.rb b/lib/wpscan/finders.rb index f3a20fb2..28368c29 100644 --- a/lib/wpscan/finders.rb +++ b/lib/wpscan/finders.rb @@ -26,81 +26,3 @@ module WPScan end end end - -# Better version of the CMSScanner Enumerator for plugins, themes and timthumbs, -# put here as temporary until implemented in it (and considering other finders using it, such as -# the config backups etc) -module WPScan - module Finders - class Finder - module Enumerator - # @param [ Hash ] The target urls - # @param [ Hash ] opts - # @option opts [ Boolean ] :show_progression Wether or not to display the progress bar - # @option opts [ Regexp ] :exclude_content - # - # @yield [ Typhoeus::Response, String ] - def enumerate(urls, opts = {}) - create_progress_bar(opts.merge(total: urls.size)) - - urls.each do |url, slug| - request = browser.forge_request(url, request_params) - - request.on_complete do |res| - progress_bar.increment - - yield res, slug if valid_response?(res, opts[:exclude_content]) - end - - hydra.queue(request) - end - - hydra.run - end - - # @return [ Hash ] - def request_params - @request_params ||= target.head_or_get_request_params.merge(cache_ttl: 0) - end - - # @param [ Typhoeus::Response ] res - # @param [ Regexp,nil ] exclude_content - # - # @return [ Boolean ] - # rubocop:disable Metrics/PerceivedComplexity - def valid_response?(res, exclude_content = nil) - return false unless valid_response_codes.include?(res.code) - - return false if exclude_content && res.response_headers&.match(exclude_content) - - # Perform a full get to check if homepage or custom 404 - if res.code == 200 - # The cache is not disabled to avoid additional request/s when checking - # for directory listing - full_res = Browser.get(res.effective_url) - - return false if target.homepage_or_404?(full_res) || - exclude_content && full_res.body.match(exclude_content) - end - - true - end - # rubocop:enable Metrics/PerceivedComplexity - - # @return [ Array ] - def valid_response_codes - @valid_response_codes ||= [200, 401, 403, 301] - end - - # Idea here would be to check the opts[:found] which - # contains items (such as plugins) found via other techniques, - # and see their responses to refine the #response_codes - def determine_valid_response_codes(opts) - return if opts[:found].empty? - - # TODO - end - end - end - end -end diff --git a/spec/app/finders/config_backups/known_filenames_spec.rb b/spec/app/finders/config_backups/known_filenames_spec.rb index 9aa2c165..30900f5d 100644 --- a/spec/app/finders/config_backups/known_filenames_spec.rb +++ b/spec/app/finders/config_backups/known_filenames_spec.rb @@ -10,7 +10,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do describe '#aggressive' do before do expect(target).to receive(:sub_dir).at_least(1).and_return(false) - expect(target).to receive(:head_or_get_request_params).and_return(method: :head) + expect(target).to receive(:head_or_get_params).and_return(method: :head) finder.potential_urls(opts).each_key do |url| stub_request(:head, url).to_return(status: 404) @@ -30,8 +30,10 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do before do found_files.each do |file| stub_request(:head, "#{url}#{file}").to_return(status: 200) - stub_request(:get, "#{url}#{file}").to_return(body: config_backup) + stub_request(:get, "#{url}#{file}").to_return(status: 200, body: config_backup) end + + expect(target).to receive(:homepage_or_404?).twice.and_return(false) end it 'returns the expected Array' do @@ -39,6 +41,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do found_files.each do |file| url = "#{target.url}#{file}" + expected << WPScan::Model::ConfigBackup.new( url, confidence: 100, diff --git a/spec/app/finders/db_exports/known_locations_spec.rb b/spec/app/finders/db_exports/known_locations_spec.rb index 407aa687..01729f5b 100644 --- a/spec/app/finders/db_exports/known_locations_spec.rb +++ b/spec/app/finders/db_exports/known_locations_spec.rb @@ -27,7 +27,7 @@ describe WPScan::Finders::DbExports::KnownLocations do describe '#aggressive' do before do expect(target).to receive(:sub_dir).at_least(1).and_return(false) - expect(target).to receive(:head_or_get_request_params).and_return(method: :head) + expect(target).to receive(:head_or_get_params).and_return(method: :head) finder.potential_urls(opts).each_key do |url| stub_request(:head, url).to_return(status: 404) @@ -56,6 +56,8 @@ describe WPScan::Finders::DbExports::KnownLocations do .with(headers: { 'Range' => 'bytes=0-3000' }) .to_return(body: db_export) end + + expect(target).to receive(:homepage_or_404?).twice.and_return(false) end it 'returns the expected Array' do