HELLO v3!!!

2018-09-26 21:12:01 +02:00
parent 28b9c15256
commit d268a86795
1871 changed files with 988118 additions and 0 deletions
--- a/app/finders/interesting_findings/backup_db.rb
+++ b/app/finders/interesting_findings/backup_db.rb
@@ -0,0 +1,25 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # BackupDB finder
+      class BackupDB < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/backup-db/'
+          url  = target.url(path)
+          res  = Browser.get(url)
+
+          return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 70,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: target.directory_listing_entries(path),
+            references: { url: 'https://github.com/wpscanteam/wpscan/issues/422' }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/debug_log.rb
+++ b/app/finders/interesting_findings/debug_log.rb
@@ -0,0 +1,20 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # debug.log finder
+      class DebugLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/debug.log'
+
+          return unless target.debug_log?(path)
+
+          WPScan::InterestingFinding.new(
+            target.url(path),
+            confidence: 100, found_by: DIRECT_ACCESS
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/duplicator_installer_log.rb
+++ b/app/finders/interesting_findings/duplicator_installer_log.rb
@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # DuplicatorInstallerLog finder
+      class DuplicatorInstallerLog < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url = target.url('installer-log.txt')
+          res = Browser.get(url)
+
+          return unless res.body =~ /DUPLICATOR INSTALL-LOG/
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            references: { url: 'https://www.exploit-db.com/ghdb/3981/' }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/emergency_pwd_reset_script.rb
+++ b/app/finders/interesting_findings/emergency_pwd_reset_script.rb
@@ -0,0 +1,25 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Emergency Password Reset Script finder
+      class EmergencyPwdResetScript < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url  = target.url('/emergency.php')
+          res  = Browser.get(url)
+
+          return unless res.code == 200 && !target.homepage_or_404?(res)
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: res.body =~ /password/i ? 100 : 40,
+            found_by: DIRECT_ACCESS,
+            references: {
+              url: 'https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script'
+            }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/full_path_disclosure.rb
+++ b/app/finders/interesting_findings/full_path_disclosure.rb
@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Full Path Disclosure finder
+      class FullPathDisclosure < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path        = 'wp-includes/rss-functions.php'
+          fpd_entries = target.full_path_disclosure_entries(path)
+
+          return if fpd_entries.empty?
+
+          WPScan::InterestingFinding.new(
+            target.url(path),
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            interesting_entries: fpd_entries
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/mu_plugins.rb
+++ b/app/finders/interesting_findings/mu_plugins.rb
@@ -0,0 +1,49 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Must Use Plugins Directory checker
+      class MuPlugins < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          pattern = %r{#{target.content_dir}/mu\-plugins/}i
+
+          target.in_scope_urls(target.homepage_res) do |url|
+            next unless Addressable::URI.parse(url).path =~ pattern
+
+            url = target.url('wp-content/mu-plugins/')
+
+            return WPScan::InterestingFinding.new(
+              url,
+              confidence: 70,
+              found_by: 'URLs In Homepage (Passive Detection)',
+              to_s: "This site has 'Must Use Plugins': #{url}",
+              references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
+            )
+          end
+          nil
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url = target.url('wp-content/mu-plugins/')
+          res = Browser.get_and_follow_location(url)
+
+          return unless [200, 401, 403].include?(res.code)
+          return if target.homepage_or_404?(res)
+
+          # TODO: add the check for --exclude-content once implemented ?
+
+          target.mu_plugins = true
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 80,
+            found_by: DIRECT_ACCESS,
+            to_s: "This site has 'Must Use Plugins': #{url}",
+            references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/multisite.rb
+++ b/app/finders/interesting_findings/multisite.rb
@@ -0,0 +1,29 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Multisite checker
+      class Multisite < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url      = target.url('wp-signup.php')
+          res      = Browser.get(url)
+          location = res.headers_hash['location']
+
+          return unless [200, 302].include?(res.code)
+          return if res.code == 302 && location =~ /wp-login\.php\?action=register/
+          return unless res.code == 200 || res.code == 302 && location =~ /wp-signup\.php/
+
+          target.multisite = true
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: 'This site seems to be a multisite',
+            references: { url: 'http://codex.wordpress.org/Glossary#Multisite' }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/readme.rb
+++ b/app/finders/interesting_findings/readme.rb
@@ -0,0 +1,26 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Readme.html finder
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          potential_files.each do |file|
+            url = target.url(file)
+            res = Browser.get(url)
+
+            if res.code == 200 && res.body =~ /wordpress/i
+              return WPScan::InterestingFinding.new(url, confidence: 100, found_by: DIRECT_ACCESS)
+            end
+          end
+          nil
+        end
+
+        # @retun [ Array<String> ] The list of potential readme files
+        def potential_files
+          %w[readme.html olvasdel.html lisenssi.html liesmich.html]
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/registration.rb
+++ b/app/finders/interesting_findings/registration.rb
@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Registration Enabled checker
+      class Registration < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          # Maybe check in the homepage if there is the registration url ?
+        end
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get_and_follow_location(target.registration_url)
+
+          return unless res.code == 200
+          return if res.html.css('form#setupform').empty? &&
+                    res.html.css('form#registerform').empty?
+
+          target.registration_enabled = true
+
+          WPScan::InterestingFinding.new(
+            res.effective_url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: "Registration is enabled: #{res.effective_url}"
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/tmm_db_migrate.rb
+++ b/app/finders/interesting_findings/tmm_db_migrate.rb
@@ -0,0 +1,24 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Tmm DB Migrate finder
+      class TmmDbMigrate < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
+          url  = target.url(path)
+          res  = Browser.get(url)
+
+          return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            references: { packetstorm: 131_957 }
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/upload_directory_listing.rb
+++ b/app/finders/interesting_findings/upload_directory_listing.rb
@@ -0,0 +1,24 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadDirectoryListing finder
+      class UploadDirectoryListing < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-content/uploads/'
+
+          return unless target.directory_listing?(path)
+
+          url = target.url(path)
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            to_s: "Upload directory has listing enabled: #{url}"
+          )
+        end
+      end
+    end
+  end
+end
--- a/app/finders/interesting_findings/upload_sql_dump.rb
+++ b/app/finders/interesting_findings/upload_sql_dump.rb
@@ -0,0 +1,28 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # UploadSQLDump finder
+      class UploadSQLDump < CMSScanner::Finders::Finder
+        SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          url = dump_url
+          res = Browser.get(url)
+
+          return unless res.code == 200 && res.body =~ SQL_PATTERN
+
+          WPScan::InterestingFinding.new(
+            url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS
+          )
+        end
+
+        def dump_url
+          target.url('wp-content/uploads/dump.sql')
+        end
+      end
+    end
+  end
+end