garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WPSTools plugins mode activated

Browse Source
This commit is contained in:
erwanlr
2013-01-17 13:08:01 +01:00
parent 1d7923c7b7
commit d9fd20c6fe
17 changed files with 749 additions and 251 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
lib/common/custom_option_parser.rb Normal file
View File

@@ -0,0 +1,89 @@
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
class CustomOptionParser < OptionParser
attr_reader :symbols_used
def initialize(banner = nil, width = 32, indent = ' ' * 4)
@results = {}
@symbols_used = []
super(banner, width, indent)
end
# param Array(Array) or Array options
def add(options)
if options.is_a?(Array)
if options[0].is_a?(Array)
options.each do |option|
add_option(option)
end
else
add_option(options)
end
else
raise "Options must be at least an Array, or an Array(Array). #{options.class} supplied"
end
end
# param Array option
def add_option(option)
if option.is_a?(Array)
option_symbol = CustomOptionParser::option_to_symbol(option)
unless @symbols_used.include?(option_symbol)
@symbols_used << option_symbol
self.on(*option) do |arg|
@results[option_symbol] = arg
end
else
raise "The option #{option_symbol} is already used !"
end
else
raise "The option must be an array, #{option.class} supplied : '#{option}'"
end
end
# return Hash
def results(argv = default_argv)
self.parse!(argv) if @results.empty?
@results
end
protected
# param Array option
def self.option_to_symbol(option)
option_name = nil
option.each do |option_attr|
if option_attr =~ /^--/
option_name = option_attr
break
end
end
if option_name
option_name = option_name.gsub(/^--/, '').gsub(/-/, '_').gsub(/ .*$/, '')
:"#{option_name}"
else
raise "Could not find the option name for #{option}"
end
end
end

40
lib/common/plugins/plugin.rb Normal file
View File

@@ -0,0 +1,40 @@
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
class Plugin
attr_reader :author, :registered_options
def initialize(infos = {})
@author = infos[:author]
end
def run(options = {})
raise NotImplementedError
end
# param Array options
def register_options(*options)
options.each do |option|
unless option.is_a?(Array)
raise "Each option must be an array, #{option.class} supplied"
end
end
@registered_options = options
end
end

55
lib/common/plugins/plugins.rb Normal file
View File

@@ -0,0 +1,55 @@
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
class Plugins < Array
attr_reader :option_parser
def initialize(option_parser = nil)
if option_parser
if option_parser.is_a?(CustomOptionParser)
@option_parser = option_parser
else
raise "The parser must be an instance of CustomOptionParser, #{option_parser.class} supplied"
end
else
@option_parser = CustomOptionParser.new
end
end
# param Array(Plugin) plugins
def register(*plugins)
plugins.each do |plugin|
register_plugin(plugin)
end
end
# param Plugin plugin
def register_plugin(plugin)
if plugin.is_a?(Plugin)
self << plugin
# A plugin may not have options
if plugin_options = plugin.registered_options
@option_parser.add(plugin_options)
end
else
raise "The argument must be an instance of Plugin, #{plugin.class} supplied"
end
end
end

38
lib/common_helper.rb
View File

@@ -16,17 +16,22 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
LIB_DIR = File.dirname(__FILE__)
ROOT_DIR = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
DATA_DIR = ROOT_DIR + "/data"
CONF_DIR = ROOT_DIR + "/conf"
CACHE_DIR = ROOT_DIR + "/cache"
WPSCAN_LIB_DIR = LIB_DIR + "/wpscan"
WPSTOOLS_LIB_DIR = LIB_DIR + "/wpstools"
UPDATER_LIB_DIR = LIB_DIR + "/updater"
LOG_FILE = ROOT_DIR + "/log.txt"
LIB_DIR = File.dirname(__FILE__)
ROOT_DIR = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
DATA_DIR = ROOT_DIR + "/data"
CONF_DIR = ROOT_DIR + "/conf"
CACHE_DIR = ROOT_DIR + "/cache"
WPSCAN_LIB_DIR = LIB_DIR + "/wpscan"
WPSTOOLS_LIB_DIR = LIB_DIR + "/wpstools"
UPDATER_LIB_DIR = LIB_DIR + "/updater"
COMMON_LIB_DIR = LIB_DIR + "/common"
LOG_FILE = ROOT_DIR + "/log.txt"
# Plugins directories
COMON_PLUGINS_DIR = COMMON_LIB_DIR + "/plugins"
WPSCAN_PLUGINS_DIR = WPSCAN_LIB_DIR + "/plugins"
WPSTOOLS_PLUGINS_DIR = WPSTOOLS_LIB_DIR + "/plugins"
WPSCAN_VERSION = "2.0"
WPSCAN_VERSION = "2.0"
require "#{LIB_DIR}/environment"
@@ -39,6 +44,9 @@ def require_files_from_directory(absolute_dir_path, files_pattern = "*.rb")
end
end
#require_files_from_directory(COMMON_LIB_DIR)
require_files_from_directory(COMMON_LIB_DIR, "**/*.rb")
# Add protocol
def add_http_protocol(url)
url =~ /^https?:/ ? url : "http://#{url}"
@@ -148,9 +156,9 @@ def get_metasploit_url(module_path)
end
# Override for puts to enable logging
def puts(o = "")
#def puts(o = "")
# remove color for logging
temp = o.gsub(/\e\[\d+m(?<text>.*)?\e\[0m/, '\k<text>')
File.open(LOG_FILE, "a+") { |f| f.puts(temp) }
super(o)
end
#temp = o.gsub(/\e\[\d+m(?<text>.*)?\e\[0m/, '\k<text>')
#File.open(LOG_FILE, "a+") { |f| f.puts(temp) }
#super(o)
#end

1
lib/environment.rb
View File

@@ -20,6 +20,7 @@ begin
# Standard libs
require 'rubygems'
require 'getoptlong'
require 'optparse' # Will replace getoptlong
require 'uri'
require 'time'
require 'resolv'

148
lib/wpstools/plugins/checker/checker_plugin.rb Normal file
View File

@@ -0,0 +1,148 @@
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
class CheckerPlugin < Plugin
def initialize
super(
:author => "@wpscanteam - @erwanlr"
)
register_options(
["--check-vuln-ref-urls", "--cvru", "Check all the vulnerabilities reference urls for 404"],
["--check-local-vulnerable-files LOCAL_DIRECTORY", "--clvf", "Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells"]
)
end
def run(options = {})
if options[:check_vuln_ref_urls]
check_vuln_ref_urls
end
if options[:check_local_vulnerable_files]
check_local_vulnerable_files(options[:check_local_vulnerable_files])
end
end
def check_vuln_ref_urls
vuln_ref_files = ["plugin_vulns.xml", "theme_vulns.xml", "wp_vulns.xml"]
error_codes = [404, 500, 403]
not_found_regexp = %r{No Results Found|error 404|ID Invalid or Not Found}i
puts "[+] Checking vulnerabilities reference urls"
vuln_ref_files.each do |vuln_ref_file|
xml = Nokogiri::XML(File.open(DATA_DIR + '/' + vuln_ref_file)) do |config|
config.noblanks
end
urls = []
xml.xpath("//reference").each { |node| urls << node.text }
urls.uniq!
dead_urls = []
queue_count = 0
request_count = 0
browser = Browser.instance
hydra = browser.hydra
number_of_urls = urls.size
urls.each do |url|
request = browser.forge_request(url, { :cache_timeout => 0, :follow_location => true })
request_count += 1
request.on_complete do |response|
print "\r [+] Checking #{vuln_ref_file} #{number_of_urls} total ... #{(request_count * 100) / number_of_urls}% complete."
if error_codes.include?(response.code) or not_found_regexp.match(response.body)
dead_urls << url
end
end
hydra.queue(request)
queue_count += 1
if queue_count == browser.max_threads
hydra.run
queue_count = 0
end
end
hydra.run
puts
unless dead_urls.empty?
dead_urls.each { |url| puts " Not Found #{url}" }
end
end
end
def check_local_vulnerable_files(dir_to_scan)
if Dir::exist?(dir_to_scan)
xml_file = DATA_DIR + "/local_vulnerable_files.xml"
local_hashes = {}
file_extension_to_scan = "*.{js,php,swf,html,htm}"
print "[+] Generating local hashes ... "
Dir[File::join(dir_to_scan, "**", file_extension_to_scan)].each do |filename|
sha1sum = Digest::SHA1.file(filename).hexdigest
if local_hashes.has_key?(sha1sum)
local_hashes[sha1sum] << filename
else
local_hashes[sha1sum] = [filename]
end
end
puts "done."
puts "[+] Checking for vulnerable files ..."
xml = Nokogiri::XML(File.open(xml_file)) do |config|
config.noblanks
end
xml.xpath("//hash").each do |node|
sha1sum = node.attribute("sha1").text
if local_hashes.has_key?(sha1sum)
local_filenames = local_hashes[sha1sum]
vuln_title = node.search("title").text
vuln_filename = node.search("file").text
vuln_refrence = node.search("reference").text
puts " #{vuln_filename} found :"
puts " | Location(s):"
local_filenames.each do |file|
puts " | - #{file}"
end
puts " |"
puts " | Title: #{vuln_title}"
puts " | Refrence: #{vuln_refrence}" if !vuln_refrence.empty?
puts
end
end
puts "done."
else
puts "The supplied directory '#{dir_to_scan}' does not exist"
end
end
end

6
lib/wpstools/generate_list.rb → lib/wpstools/plugins/list_generator/generate_list.rb
View File

@@ -19,7 +19,7 @@
#++
# This tool generates a list to use for plugin and theme enumeration
class Generate_List
class GenerateList
attr_accessor :verbose
@@ -70,14 +70,14 @@ class Generate_List
def generate_full_list
set_file_name(:full)
items = Svn_Parser.new(@svn_url, @verbose).parse
items = SvnParser.new(@svn_url, @verbose).parse
save items
end
def generate_popular_list(pages)
set_file_name(:popular)
popular = get_popular_items(pages)
items = Svn_Parser.new(@svn_url, @verbose).parse(popular)
items = SvnParser.new(@svn_url, @verbose).parse(popular)
save items
end

69
lib/wpstools/plugins/list_generator/list_generator_plugin.rb Normal file
View File

@@ -0,0 +1,69 @@
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
class ListGeneratorPlugin < Plugin
def initialize
super(
:author => "WPScanTeam - @FireFart"
)
register_options(
["--generate-plugin-list [NUMBER_OF_PAGES]", "--gpl", Integer, "Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)"],
["--generate-full-plugin-list", "--gfpl", "Generate a new full data/plugins.txt file"],
["--generate-theme-list [NUMBER_OF_PAGES]", "--gtl", Integer, "Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 150)"],
["--generate-full-theme-list", "--gftl", "Generate a new full data/themes.txt file"],
["--generate-all", "--ga", "Generate a new full plugins, full themes, popular plugins and popular themes list"],
)
end
def run(options = {})
verbose = options[:verbose] || false
generate_all = options[:generate_all] || false
if options.has_key?(:generate_plugin_list) || generate_all
number_of_pages = options[:generate_plugin_list] || 150
puts "[+] Generating new most popular plugin list"
puts
GenerateList.new('plugins', verbose).generate_popular_list(number_of_pages)
end
if options[:generate_full_plugin_list] || generate_all
puts "[+] Generating new full plugin list"
puts
GenerateList.new('plugins', verbose).generate_full_list
end
if options.has_key?(:generate_theme_list) || generate_all
number_of_pages = options[:generate_theme_list] || 150
puts "[+] Generating new most popular theme list"
puts
GenerateList.new('themes', verbose).generate_popular_list(number_of_pages)
end
if options[:generate_full_theme_list] || generate_all
puts "[+] Generating new full theme list"
puts
GenerateList.new('themes', verbose).generate_full_list
end
end
end

2
lib/wpstools/parse_svn.rb → lib/wpstools/plugins/list_generator/svn_parser.rb
View File

@@ -19,7 +19,7 @@
#++
# This Class Parses SVN Repositories via HTTP
class Svn_Parser
class SvnParser
attr_accessor :verbose, :svn_root, :keep_empty_dirs

32
lib/wpstools/wpstools_helper.rb
View File

@@ -19,6 +19,7 @@
require File.expand_path(File.dirname(__FILE__) + '/../common_helper')
require_files_from_directory(WPSTOOLS_LIB_DIR)
require_files_from_directory(WPSTOOLS_PLUGINS_DIR, "**/*.rb")
def usage()
script_name = $0
@@ -28,19 +29,19 @@ def usage()
puts "Examples:"
puts
puts "- Generate a new 'most popular' plugin list, up to 150 pages ..."
puts "ruby #{script_name} --generate_plugin_list 150"
puts "ruby #{script_name} --generate-plugin-list 150"
puts
puts "- Generate a new full plugin list"
puts "ruby #{script_name} --generate_full_plugin_list"
puts "ruby #{script_name} --generate-full-plugin-list"
puts
puts "- Generate a new 'most popular' theme list, up to 150 pages ..."
puts "ruby #{script_name} --generate_theme_list 150"
puts "ruby #{script_name} --generate-theme-list 150"
puts
puts "- Generate a new full theme list"
puts "ruby #{script_name} --generate_full_theme_list"
puts "ruby #{script_name} --generate-full-theme-list"
puts
puts "- Generate all list"
puts "ruby #{script_name} --generate_all"
puts "ruby #{script_name} --generate-all"
puts
puts "Locally scan a wordpress installation for vulnerable files or shells"
puts "ruby #{script_name} --check-local-vulnerable-files /var/www/wordpress/"
@@ -48,24 +49,3 @@ def usage()
puts "See README for further information."
puts
end
def help()
puts "Help :"
puts
puts "--help | -h This help screen."
puts "--Verbose | -v Verbose output."
puts "--update | -u Update to the latest revision."
puts "--generate_plugin_list [number of pages] Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)"
puts "--gpl Alias for --generate_plugin_list"
puts "--generate_full_plugin_list Generate a new full data/plugins.txt file"
puts "--gfpl Alias for --generate_full_plugin_list"
puts "--generate_theme_list [number of pages] Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 150)"
puts "--gtl Alias for --generate_theme_list"
puts "--generate_full_theme_list Generate a new full data/themes.txt file"
puts "--gftl Alias for --generate_full_theme_list"
puts "--generate_all Generate a new full plugins, full themes, popular plugins and popular themes list"
puts "--ga Alias for --generate_all"
puts "--check-vuln-ref-urls | --cvru Check all the vulnerabilities reference urls for 404"
puts "--check-local-vulnerable-files | --clvf <local directory> Perform a recursive scan in the <local directory> to find vulnerable files or shells"
puts
end