garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Uses the new CMSScanner Enumerator module

Browse Source
This commit is contained in:
erwanlr
2019-03-26 15:23:34 +00:00
parent 32270efd65
commit cfab2a9cd7
11 changed files with 51 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/finders/config_backups/known_filenames.rb
View File

@@ -5,7 +5,7 @@ module WPScan
module ConfigBackups module ConfigBackups
# Config Backup finder # Config Backup finder
class KnownFilenames < CMSScanner::Finders::Finder class KnownFilenames < CMSScanner::Finders::Finder
include Finders::Finder::Enumerator include CMSScanner::Finders::Finder::Enumerator
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list # @option opts [ String ] :list
@@ -15,21 +15,15 @@ module WPScan
def aggressive(opts = {}) def aggressive(opts = {})
found = [] found = []
enumerate(potential_urls(opts), opts) do |res| enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
next unless res.body =~ /define/i && res.body !~ /<\s?html/i
found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
end end
found found
end end
def valid_response?(res, _exclude_content = nil)
return unless res.code == 200
full_res = Browser.get(res.effective_url)
full_res.body =~ /define/i && full_res.body !~ /<\s?html/i
end
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list Mandatory # @option opts [ String ] :list Mandatory
# #

19
app/finders/db_exports/known_locations.rb
View File

@@ -6,7 +6,7 @@ module WPScan
# DB Exports finder # DB Exports finder
# See https://github.com/wpscanteam/wpscan-v3/issues/62 # See https://github.com/wpscanteam/wpscan-v3/issues/62
class KnownLocations < CMSScanner::Finders::Finder class KnownLocations < CMSScanner::Finders::Finder
include Finders::Finder::Enumerator include CMSScanner::Finders::Finder::Enumerator
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
@@ -18,20 +18,21 @@ module WPScan
def aggressive(opts = {}) def aggressive(opts = {})
found = [] found = []
enumerate(potential_urls(opts), opts) do |res| enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
if res.effective_url.end_with?('.zip')
next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
else
next unless res.body =~ SQL_PATTERN
end
found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100) found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
end end
found found
end end
def valid_response?(res, _exclude_content = nil) def full_request_params
return false unless res.code == 200 @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
return true if res.effective_url.end_with?('.zip') &&
res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
Browser.get(res.effective_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN ? true : false
end end
# @param [ Hash ] opts # @param [ Hash ] opts

9
app/finders/plugins/known_locations.rb
View File

@@ -5,7 +5,12 @@ module WPScan
module Plugins module Plugins
# Known Locations Plugins Finder # Known Locations Plugins Finder
class KnownLocations < CMSScanner::Finders::Finder class KnownLocations < CMSScanner::Finders::Finder
include Finders::Finder::Enumerator include CMSScanner::Finders::Finder::Enumerator
# @return [ Array<Integer> ]
def valid_response_codes
@valid_response_codes ||= [200, 401, 403, 301]
end
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list # @option opts [ String ] :list
@@ -14,7 +19,7 @@ module WPScan
def aggressive(opts = {}) def aggressive(opts = {})
found = [] found = []
enumerate(target_urls(opts), opts) do |_res, slug| enumerate(target_urls(opts), opts.merge(check_full_response: 200)) do |_res, slug|
found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end end

9
app/finders/themes/known_locations.rb
View File

@@ -5,7 +5,12 @@ module WPScan
module Themes module Themes
# Known Locations Themes Finder # Known Locations Themes Finder
class KnownLocations < CMSScanner::Finders::Finder class KnownLocations < CMSScanner::Finders::Finder
include Finders::Finder::Enumerator include CMSScanner::Finders::Finder::Enumerator
# @return [ Array<Integer> ]
def valid_response_codes
@valid_response_codes ||= [200, 401, 403, 301]
end
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list # @option opts [ String ] :list
@@ -14,7 +19,7 @@ module WPScan
def aggressive(opts = {}) def aggressive(opts = {})
found = [] found = []
enumerate(target_urls(opts), opts) do |_res, slug| enumerate(target_urls(opts), opts.merge(check_full_response: 200)) do |_res, slug|
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80)) found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end end

21
app/finders/timthumbs/known_locations.rb
View File

@@ -7,7 +7,12 @@ module WPScan
# Note: A vulnerable version, 2.8.13 can be found here: # Note: A vulnerable version, 2.8.13 can be found here:
# https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
class KnownLocations < CMSScanner::Finders::Finder class KnownLocations < CMSScanner::Finders::Finder
include Finders::Finder::Enumerator include CMSScanner::Finders::Finder::Enumerator
# @return [ Array<Integer> ]
def valid_response_codes
@valid_response_codes ||= [400]
end
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list Mandatory # @option opts [ String ] :list Mandatory
@@ -16,23 +21,15 @@ module WPScan
def aggressive(opts = {}) def aggressive(opts = {})
found = [] found = []
enumerate(target_urls(opts), opts) do |res| enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
next unless res.body =~ /no image specified/i
found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100)) found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
end end
found found
end end
# @param [ Typhoeus::Response ] res
# @param [ Regexp, nil ] exclude_content
#
# @return [ Boolean ]
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 400
Browser.get(res.effective_url).body =~ /no image specified/i ? true : false
end
# @param [ Hash ] opts # @param [ Hash ] opts
# @option opts [ String ] :list Mandatory # @option opts [ String ] :list Mandatory
# #

4
app/models/plugin.rb
View File

@@ -8,11 +8,11 @@ module WPScan
def initialize(slug, blog, opts = {}) def initialize(slug, blog, opts = {})
super(slug, blog, opts) super(slug, blog, opts)
@uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/"))
# To be used by #head_and_get # To be used by #head_and_get
# If custom wp-content, it will be replaced by blog#url # If custom wp-content, it will be replaced by blog#url
@path_from_blog = "wp-content/plugins/#{slug}/" @path_from_blog = "wp-content/plugins/#{slug}/"
@uri = Addressable::URI.parse(blog.url(path_from_blog))
end end
# @return [ JSON ] # @return [ JSON ]

6
app/models/theme.rb
View File

@@ -11,13 +11,13 @@ module WPScan
def initialize(slug, blog, opts = {}) def initialize(slug, blog, opts = {})
super(slug, blog, opts) super(slug, blog, opts)
@uri = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/"))
@style_url = opts[:style_url] || url('style.css')
# To be used by #head_and_get # To be used by #head_and_get
# If custom wp-content, it will be replaced by blog#url # If custom wp-content, it will be replaced by blog#url
@path_from_blog = "wp-content/themes/#{slug}/" @path_from_blog = "wp-content/themes/#{slug}/"
@uri = Addressable::URI.parse(blog.url(path_from_blog))
@style_url = opts[:style_url] || url('style.css')
parse_style parse_style
end end

2
app/models/wp_item.rb
View File

@@ -14,7 +14,7 @@ module WPScan
attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
# @param [ String ] slug The plugin/theme slug # @param [ String ] slug The plugin/theme slug
# @param [ Target ] blog The targeted blog # @param [ Target ] blog The targeted blog

78
lib/wpscan/finders.rb
View File

@@ -26,81 +26,3 @@ module WPScan
end end
end end
end end
# Better version of the CMSScanner Enumerator for plugins, themes and timthumbs,
# put here as temporary until implemented in it (and considering other finders using it, such as
# the config backups etc)
module WPScan
module Finders
class Finder
module Enumerator
# @param [ Hash ] The target urls
# @param [ Hash ] opts
# @option opts [ Boolean ] :show_progression Wether or not to display the progress bar
# @option opts [ Regexp ] :exclude_content
#
# @yield [ Typhoeus::Response, String ]
def enumerate(urls, opts = {})
create_progress_bar(opts.merge(total: urls.size))
urls.each do |url, slug|
request = browser.forge_request(url, request_params)
request.on_complete do |res|
progress_bar.increment
yield res, slug if valid_response?(res, opts[:exclude_content])
end
hydra.queue(request)
end
hydra.run
end
# @return [ Hash ]
def request_params
@request_params ||= target.head_or_get_request_params.merge(cache_ttl: 0)
end
# @param [ Typhoeus::Response ] res
# @param [ Regexp,nil ] exclude_content
#
# @return [ Boolean ]
# rubocop:disable Metrics/PerceivedComplexity
def valid_response?(res, exclude_content = nil)
return false unless valid_response_codes.include?(res.code)
return false if exclude_content && res.response_headers&.match(exclude_content)
# Perform a full get to check if homepage or custom 404
if res.code == 200
# The cache is not disabled to avoid additional request/s when checking
# for directory listing
full_res = Browser.get(res.effective_url)
return false if target.homepage_or_404?(full_res) ||
exclude_content && full_res.body.match(exclude_content)
end
true
end
# rubocop:enable Metrics/PerceivedComplexity
# @return [ Array<Integer> ]
def valid_response_codes
@valid_response_codes ||= [200, 401, 403, 301]
end
# Idea here would be to check the opts[:found] which
# contains items (such as plugins) found via other techniques,
# and see their responses to refine the #response_codes
def determine_valid_response_codes(opts)
return if opts[:found].empty?
# TODO
end
end
end
end
end

7
spec/app/finders/config_backups/known_filenames_spec.rb
View File

@@ -10,7 +10,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
describe '#aggressive' do describe '#aggressive' do
before do before do
expect(target).to receive(:sub_dir).at_least(1).and_return(false) expect(target).to receive(:sub_dir).at_least(1).and_return(false)
expect(target).to receive(:head_or_get_request_params).and_return(method: :head) expect(target).to receive(:head_or_get_params).and_return(method: :head)
finder.potential_urls(opts).each_key do |url| finder.potential_urls(opts).each_key do |url|
stub_request(:head, url).to_return(status: 404) stub_request(:head, url).to_return(status: 404)
@@ -30,8 +30,10 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
before do before do
found_files.each do |file| found_files.each do |file|
stub_request(:head, "#{url}#{file}").to_return(status: 200) stub_request(:head, "#{url}#{file}").to_return(status: 200)
stub_request(:get, "#{url}#{file}").to_return(body: config_backup) stub_request(:get, "#{url}#{file}").to_return(status: 200, body: config_backup)
end end
expect(target).to receive(:homepage_or_404?).twice.and_return(false)
end end
it 'returns the expected Array<ConfigBackup>' do it 'returns the expected Array<ConfigBackup>' do
@@ -39,6 +41,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
found_files.each do |file| found_files.each do |file|
url = "#{target.url}#{file}" url = "#{target.url}#{file}"
expected << WPScan::Model::ConfigBackup.new( expected << WPScan::Model::ConfigBackup.new(
url, url,
confidence: 100, confidence: 100,

4
spec/app/finders/db_exports/known_locations_spec.rb
View File

@@ -27,7 +27,7 @@ describe WPScan::Finders::DbExports::KnownLocations do
describe '#aggressive' do describe '#aggressive' do
before do before do
expect(target).to receive(:sub_dir).at_least(1).and_return(false) expect(target).to receive(:sub_dir).at_least(1).and_return(false)
expect(target).to receive(:head_or_get_request_params).and_return(method: :head) expect(target).to receive(:head_or_get_params).and_return(method: :head)
finder.potential_urls(opts).each_key do |url| finder.potential_urls(opts).each_key do |url|
stub_request(:head, url).to_return(status: 404) stub_request(:head, url).to_return(status: 404)
@@ -56,6 +56,8 @@ describe WPScan::Finders::DbExports::KnownLocations do
.with(headers: { 'Range' => 'bytes=0-3000' }) .with(headers: { 'Range' => 'bytes=0-3000' })
.to_return(body: db_export) .to_return(body: db_export)
end end
expect(target).to receive(:homepage_or_404?).twice.and_return(false)
end end
it 'returns the expected Array<DbExport>' do it 'returns the expected Array<DbExport>' do