garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HELLO v3!!!

Browse Source
This commit is contained in:
Ryan Dewhurst
2018-09-26 21:12:01 +02:00
parent 28b9c15256
commit d268a86795
1871 changed files with 988118 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
lib/wpscan/finders/dynamic_finder/finder.rb Normal file
View File

@@ -0,0 +1,66 @@
module WPScan
module Finders
module DynamicFinder
# To be used as a base when creating a dynamic finder
class Finder < CMSScanner::Finders::Finder
# @param [ Array ] args
def self.child_class_constant(*args)
args.each do |arg|
if arg.is_a?(Hash)
child_class_constants.merge!(arg)
else
child_class_constants[arg] = nil
end
end
end
# Needed to have inheritance of the @child_class_constants
# If inheritance is not needed, then the #child_class_constant can be used in the classe definition, ie
# child_class_constant :FILES, PATTERN: /aaa/i
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= { PATH: nil }
end
# @param [ Constant ] mod
# @param [ Constant ] klass
# @param [ Hash ] config
def self.create_child_class(mod, klass, config)
# Can't use the #child_class_constants directly in the Class.new(self) do; end below
class_constants = child_class_constants
mod.const_set(
klass, Class.new(self) do
class_constants.each do |key, value|
const_set(key, config[key.downcase.to_s] || value)
end
end
)
end
# This method has to be overriden in child classes
#
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Mixed ]
def find(_response, _opts = {})
raise NoMethodError
end
# @param [ Hash ] opts
def passive(opts = {})
return if self.class::PATH
find(target.homepage_res, opts)
end
# @param [ Hash ] opts
def aggressive(opts = {})
return unless self.class::PATH
find(Browser.get(target.url(self.class::PATH)), opts)
end
end
end
end
end

28
lib/wpscan/finders/dynamic_finder/version/body_pattern.rb Normal file
View File

@@ -0,0 +1,28 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using Body Pattern method. Tipically used when the response is not
# an HTML doc and Xpath can't be used
class BodyPattern < WPScan::Finders::DynamicFinder::Version::Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(PATTERN: nil, CONFIDENCE: 60)
end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Version ]
def find(response, _opts = {})
return unless response.body =~ self.class::PATTERN
create_version(
Regexp.last_match[:v],
interesting_entries: ["#{response.effective_url}, Match: '#{Regexp.last_match}'"]
)
end
end
end
end
end
end

16
lib/wpscan/finders/dynamic_finder/version/comment.rb Normal file
View File

@@ -0,0 +1,16 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder in Comment, which is basically an Xpath one with a default
# Xpath of //comment()
class Comment < WPScan::Finders::DynamicFinder::Version::Xpath
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(PATTERN: nil, XPATH: '//comment()')
end
end
end
end
end
end

56
lib/wpscan/finders/dynamic_finder/version/config_parser.rb Normal file
View File

@@ -0,0 +1,56 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using by parsing config files, such as composer.json
# and so on
class ConfigParser < WPScan::Finders::DynamicFinder::Version::Finder
ALLOWED_PARSERS = [JSON, YAML].freeze
def self.child_class_constants
@child_class_constants ||= super.merge(
PARSER: nil, KEY: nil, PATTERN: /(?<v>\d+\.[\.\d]+)/, CONFIDENCE: 70
)
end
# @param [ String ] body
# @return [ Hash, nil ] The parsed body, with an available parser, if possible
def parse(body)
parsers = ALLOWED_PARSERS.include?(self.class::PARSER) ? [self.class::PARSER] : ALLOWED_PARSERS
parsers.each do |parser|
begin
parsed = parser.respond_to?(:safe_load) ? parser.safe_load(body) : parser.load(body)
return parsed if parsed.is_a?(Hash) || parsed.is_a?(Array)
rescue StandardError
next
end
end
nil # Make sure nil is returned in case none of the parsers managed to parse the body correctly
end
# No Passive way
def passive(opts = {}); end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Version ]
def find(response, _opts = {})
parsed_body = parse(response.body)
# Create indexes for the #dig, digits are converted to integers
indexes = self.class::KEY.split(':').map { |e| e == e.to_i.to_s ? e.to_i : e }
return unless (data = parsed_body&.dig(*indexes)) && data =~ self.class::PATTERN
create_version(
Regexp.last_match[:v],
interesting_entries: ["#{response.effective_url}, Match: '#{Regexp.last_match}'"]
)
end
end
end
end
end
end

29
lib/wpscan/finders/dynamic_finder/version/finder.rb Normal file
View File

@@ -0,0 +1,29 @@
module WPScan
module Finders
module DynamicFinder
module Version
# To be used as a base when creating
# a dynamic finder to find the version of a WP Item (such as theme/plugin)
class Finder < Finders::DynamicFinder::Finder
protected
# @param [ String ] number
# @param [ Hash ] finding_opts
# @return [ WPScan::Version ]
def create_version(number, finding_opts)
WPScan::Version.new(number, version_finding_opts(finding_opts))
end
# @param [ Hash ] opts
# @retutn [ Hash ]
def version_finding_opts(opts)
opts[:found_by] ||= found_by
opts[:confidence] ||= self.class::CONFIDENCE
opts
end
end
end
end
end
end

28
lib/wpscan/finders/dynamic_finder/version/header_pattern.rb Normal file
View File

@@ -0,0 +1,28 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using Header Pattern method
class HeaderPattern < WPScan::Finders::DynamicFinder::Version::Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(HEADER: nil, PATTERN: nil, CONFIDENCE: 60)
end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Version ]
def find(response, _opts = {})
return unless response.headers && response.headers[self.class::HEADER]
return unless response.headers[self.class::HEADER].to_s =~ self.class::PATTERN
create_version(
Regexp.last_match[:v],
interesting_entries: ["#{response.effective_url}, Match: '#{Regexp.last_match}'"]
)
end
end
end
end
end
end

56
lib/wpscan/finders/dynamic_finder/version/javascript_var.rb Normal file
View File

@@ -0,0 +1,56 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using JavaScript Variable method
class JavascriptVar < WPScan::Finders::DynamicFinder::Version::Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(
XPATH: '//script[not(@src)]', VERSION_KEY: nil,
PATTERN: nil, CONFIDENCE: 60
)
end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Version ]
def find(response, _opts = {})
target.xpath_pattern_from_page(
self.class::XPATH, self.class::PATTERN, response
) do |match_data, _node|
next unless (version_number = version_number_from_match_data(match_data))
# If the text to be output in the interesting_entries is > 50 chars,
# get 20 chars before and after (when possible) the detected version instead
match = match_data.to_s
match = match[/.*?(.{,20}#{Regexp.escape(version_number)}.{,20}).*/, 1] if match.size > 50
return create_version(
version_number,
interesting_entries: ["#{response.effective_url}, Match: '#{match.strip}'"]
)
end
nil
end
# @param [ MatchData ] match_data
# @return [ String ]
def version_number_from_match_data(match_data)
if self.class::VERSION_KEY
begin
json = JSON.parse("{#{match_data[:json].strip.chomp(',').tr("'", '"')}}")
rescue JSON::ParserError
return
end
json.dig(*self.class::VERSION_KEY.split(':'))
else
match_data[:v]
end
end
end
end
end
end
end

63
lib/wpscan/finders/dynamic_finder/version/query_parameter.rb Normal file
View File

@@ -0,0 +1,63 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using QueryParameter method
class QueryParameter < WPScan::Finders::DynamicFinder::Version::Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(
XPATH: nil, FILES: nil, PATTERN: /(?:v|ver|version)\=(?<v>\d+\.[\.\d]+)/i, CONFIDENCE_PER_OCCURENCE: 10
)
end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Array<Version>, nil ]
def find(response, _opts = {})
found = []
scan_response(response).each do |version_number, occurences|
found << create_version(
version_number,
confidence: self.class::CONFIDENCE_PER_OCCURENCE * occurences.size,
interesting_entries: occurences
)
end
found.compact
end
# @param [ Typhoeus::Response ] response
# @return [ Hash ]
def scan_response(response)
found = {}
target.in_scope_urls(response, xpath) do |url, _tag|
uri = Addressable::URI.parse(url)
next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
version = Regexp.last_match[:v].to_s
found[version] ||= []
found[version] << url
end
found
end
# @return [ String ]
def xpath
@xpath ||= self.class::XPATH || '//link[@href]/@href|//script[@src]/@src'
end
# @return [ Regexp ]
def path_pattern
@path_pattern ||= %r{/(?:#{self.class::FILES.join('|')})\z}i
end
end
end
end
end
end

34
lib/wpscan/finders/dynamic_finder/version/xpath.rb Normal file
View File

@@ -0,0 +1,34 @@
module WPScan
module Finders
module DynamicFinder
module Version
# Version finder using Xpath method
class Xpath < WPScan::Finders::DynamicFinder::Version::Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(
XPATH: nil, PATTERN: /\A(?<v>\d+\.[\.\d]+)/, CONFIDENCE: 60
)
end
# @param [ Typhoeus::Response ] response
# @param [ Hash ] opts
# @return [ Version ]
def find(response, _opts = {})
target.xpath_pattern_from_page(
self.class::XPATH, self.class::PATTERN, response
) do |match_data, _node|
next unless match_data[:v]
return create_version(
match_data[:v],
interesting_entries: ["#{response.effective_url}, Match: '#{match_data}'"]
)
end
nil
end
end
end
end
end
end

43
lib/wpscan/finders/dynamic_finder/wp_item_version.rb Normal file
View File

@@ -0,0 +1,43 @@
module WPScan
module Finders
module DynamicFinder
module WpItemVersion
class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
end
class Comment < WPScan::Finders::DynamicFinder::Version::Comment
end
class ConfigParser < WPScan::Finders::DynamicFinder::Version::ConfigParser
end
class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
end
class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
end
class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
# @return [ Regexp ]
def path_pattern
# TODO: consider the target.blog.themes_dir if the target is a Theme (maybe implement a WpItem#item_dir ?)
@path_pattern ||= %r{
#{Regexp.escape(target.blog.plugins_dir)}/
#{Regexp.escape(target.slug)}/
(?:#{self.class::FILES.join('|')})\z
}ix
end
def xpath
@xpath ||= self.class::XPATH ||
"//link[contains(@href,'#{target.slug}')]/@href" \
"|//script[contains(@src,'#{target.slug}')]/@src"
end
end
class Xpath < WPScan::Finders::DynamicFinder::Version::Xpath
end
end
end
end
end

96
lib/wpscan/finders/dynamic_finder/wp_items/finder.rb Normal file
View File

@@ -0,0 +1,96 @@
module WPScan
module Finders
module DynamicFinder
module WpItems
# Not really a dynamic finder in itself (hence not a child class of DynamicFinder::Finder)
# but will use the dynamic finder DB configs to find collections of
# WpItems (such as Plugins and Themes)
#
# Also used to factorise some code used between such finders.
# The #process_response should be implemented in each child class, or the
# #passive and #aggressive overriden
class Finder < CMSScanner::Finders::Finder
# @return [ Hash ] The related dynamic finder passive configurations
# for the current class (all its usefullness comes from child classes)
def passive_configs
# So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
# is ok. However, when Themes have some, will need to create other child classes for them
method = "passive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
DB::DynamicFinders::Plugin.public_send(method)
end
# @param [ Hash ] opts
#
# @return [ Array<Plugin>, Array<Theme> ]
def passive(opts = {})
found = []
passive_configs.each do |slug, configs|
configs.each do |klass, config|
item = process_response(opts, target.homepage_res, slug, klass, config)
found << item if item.is_a?(WpItem)
end
end
found
end
# @return [ Hash ] The related dynamic finder passive configurations
# for the current class (all its usefullness comes from child classes)
def aggressive_configs
# So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
# is ok. However, when Themes have some, will need to create other child classes for them
method = "aggressive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
DB::DynamicFinders::Plugin.public_send(method)
end
# @param [ Hash ] opts
#
# @return [ Array<Plugin>, Array<Theme> ]
def aggressive(_opts = {})
# Disable this as it would make quite a lot of extra requests just to find plugins/themes
# Kept the original method below for future implementation
end
# @param [ Hash ] opts
#
# @return [ Array<Plugin>, Array<Theme> ]
def aggressive_(opts = {})
found = []
aggressive_configs.each do |slug, configs|
configs.each do |klass, config|
path = aggressive_path(slug, config)
response = Browser.get(target.url(path))
item = process_response(opts, response, slug, klass, config)
found << item if item.is_a?(WpItem)
end
end
found
end
# @param [ String ] slug
# @param [ Hash ] config from the YAML file with he 'path' key
#
# @return [ String ] The path related to the aggresive configuration
# ie config['path'] if it's an absolute path (like /file.txt)
# or the path from inside the related plugin directory
def aggressive_path(slug, config)
return config['path'] if config['path'][0] == '/'
# No need to set the correct plugins dir, it will be handled by target.url()
"wp-content/plugins/#{slug}/#{config['path']}"
end
end
end
end
end
end

61
lib/wpscan/finders/dynamic_finder/wp_version.rb Normal file
View File

@@ -0,0 +1,61 @@
module WPScan
module Finders
module DynamicFinder
module WpVersion
module Finder
def create_version(number, finding_opts)
return unless WPScan::WpVersion.valid?(number)
WPScan::WpVersion.new(number, version_finding_opts(finding_opts))
end
end
class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
include Finder
end
class Comment < WPScan::Finders::DynamicFinder::Version::Comment
include Finder
end
class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
include Finder
end
class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
include Finder
end
class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
include Finder
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(PATTERN: /ver\=(?<v>\d+\.[\.\d]+)/i)
end
end
class WpItemQueryParameter < QueryParameter
def xpath
@xpath ||=
self.class::XPATH ||
"//link[contains(@href,'#{target.plugins_dir}') or contains(@href,'#{target.themes_dir}')]/@href" \
"|//script[contains(@src,'#{target.plugins_dir}') or contains(@src,'#{target.themes_dir}')]/@src"
end
def path_pattern
@path_pattern ||= %r{
(?:#{Regexp.escape(target.plugins_dir)}|#{Regexp.escape(target.themes_dir)})/
[^/]+/
.*\.(?:css|js)\z
}ix
end
end
class Xpath < WPScan::Finders::DynamicFinder::Version::Xpath
include Finder
end
end
end
end
end

23
lib/wpscan/finders/finder/wp_version/smart_url_checker.rb Normal file
View File

@@ -0,0 +1,23 @@
module WPScan
module Finders
class Finder
module WpVersion
# SmartURLChecker specific for the WP Version
module SmartURLChecker
include CMSScanner::Finders::Finder::SmartURLChecker
def create_version(number, opts = {})
WPScan::WpVersion.new(
number,
found_by: opts[:found_by] || found_by,
confidence: opts[:confidence] || 80,
interesting_entries: opts[:entries]
)
rescue WPScan::InvalidWordPressVersion
nil # Invalid Version returned as nil and will be ignored by Finders
end
end
end
end
end
end