Checks default wp-content dir regardless of detection mode if not found passively

2019-10-10 19:59:09 +01:00
parent d85035d5ef
commit e39a192e8d
7 changed files with 109 additions and 116 deletions
--- a/spec/app/controllers/core_spec.rb
+++ b/spec/app/controllers/core_spec.rb
@@ -166,6 +166,8 @@ describe WPScan::Controller::Core do
        before do
          expect(core).to receive(:load_server_module)
          expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
+          expect(core.target).to receive(:wordpress_hosted?).and_return(false)
+          # expect(core.target).to receive(:content_dir).and_return('wp-content')
        end

        it 'calls the formatter when started and finished to update the db' do
@@ -174,56 +176,6 @@ describe WPScan::Controller::Core do
      end
    end

-    context 'when a redirect occurs' do
-      before do
-        stub_request(:any, target_url)
-
-        expect(core.target).to receive(:homepage_res)
-          .at_least(1)
-          .and_return(Typhoeus::Response.new(effective_url: redirection, body: ''))
-      end
-
-      context 'to the wp-admin/install.php' do
-        let(:redirection) { "#{target_url}wp-admin/install.php" }
-
-        it 'calls the formatter with the correct parameters and exit' do
-          expect(core.formatter).to receive(:output)
-            .with('not_fully_configured', hash_including(url: redirection), 'core').ordered
-
-          # TODO: Would be cool to be able to test the exit code
-          expect { core.before_scan }.to raise_error(SystemExit)
-        end
-      end
-
-      context 'to something else' do
-        let(:redirection) { 'http://g.com/' }
-
-        it 'raises an error' do
-          expect { core.before_scan }.to raise_error(CMSScanner::Error::HTTPRedirect)
-        end
-      end
-
-      context 'to another path with the wp-admin/install.php in the query' do
-        let(:redirection) { "#{target_url}index.php?a=/wp-admin/install.php" }
-
-        context 'when wordpress' do
-          it 'does not raise an error' do
-            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
-
-            expect { core.before_scan }.to_not raise_error
-          end
-        end
-
-        context 'when not wordpress' do
-          it 'raises an error' do
-            expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
-
-            expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
-          end
-        end
-      end
-    end
-
    context 'when hosted on wordpress.com' do
      let(:target_url) { 'http://ex.wordpress.com' }

@@ -234,52 +186,106 @@ describe WPScan::Controller::Core do
      end
    end

-    context 'when wordpress' do
-      before do
-        expect(core).to receive(:load_server_module)
-        expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
-      end
+    context 'when not hosted on wordpress.com' do
+      before { allow(core.target).to receive(:wordpress_hosted?).and_return(false) }

-      it 'does not raise any error' do
-        expect { core.before_scan }.to_not raise_error
-      end
-    end
+      context 'when a redirect occurs' do
+        before do
+          stub_request(:any, target_url)

-    context 'when not wordpress' do
-      before do
-        expect(core).to receive(:load_server_module)
-      end
+          expect(core.target).to receive(:homepage_res)
+            .at_least(1)
+            .and_return(Typhoeus::Response.new(effective_url: redirection, body: ''))
+        end

-      context 'when no --force' do
-        before { expect(core.target).to receive(:maybe_add_cookies) }
+        context 'to the wp-admin/install.php' do
+          let(:redirection) { "#{target_url}wp-admin/install.php" }

-        context 'when no cookies added or still not wordpress after being added' do
-          it 'raises an error' do
-            expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
+          it 'calls the formatter with the correct parameters and exit' do
+            expect(core.formatter).to receive(:output)
+              .with('not_fully_configured', hash_including(url: redirection), 'core').ordered

-            expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
+            # TODO: Would be cool to be able to test the exit code
+            expect { core.before_scan }.to raise_error(SystemExit)
          end
        end

-        context 'when the added cookies solved it' do
-          it 'does not raise an error' do
-            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false).ordered
-            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true).ordered
+        context 'to something else' do
+          let(:redirection) { 'http://g.com/' }
+
+          it 'raises an error' do
+            expect { core.before_scan }.to raise_error(CMSScanner::Error::HTTPRedirect)
+          end
+        end
+
+        context 'to another path with the wp-admin/install.php in the query' do
+          let(:redirection) { "#{target_url}index.php?a=/wp-admin/install.php" }
+
+          context 'when wordpress' do
+            it 'does not raise an error' do
+              expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
+
+              expect { core.before_scan }.to_not raise_error
+            end
+          end
+
+          context 'when not wordpress' do
+            it 'raises an error' do
+              expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
+
+              expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
+            end
+          end
+        end
+      end
+
+      context 'when wordpress' do
+        before do
+          expect(core).to receive(:load_server_module)
+          expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true)
+        end
+
+        it 'does not raise any error' do
+          expect { core.before_scan }.to_not raise_error
+        end
+      end
+
+      context 'when not wordpress' do
+        before do
+          expect(core).to receive(:load_server_module)
+        end
+
+        context 'when no --force' do
+          before { expect(core.target).to receive(:maybe_add_cookies) }
+
+          context 'when no cookies added or still not wordpress after being added' do
+            it 'raises an error' do
+              expect(core.target).to receive(:wordpress?).twice.with(:mixed).and_return(false)
+
+              expect { core.before_scan }.to raise_error(WPScan::Error::NotWordPress)
+            end
+          end
+
+          context 'when the added cookies solved it' do
+            it 'does not raise an error' do
+              expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false).ordered
+              expect(core.target).to receive(:wordpress?).with(:mixed).and_return(true).ordered
+
+              expect { core.before_scan }.to_not raise_error
+            end
+          end
+        end
+
+        context 'when --force' do
+          let(:cli_args) { "#{super()} --force" }
+
+          it 'does not raise any error' do
+            expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false)

            expect { core.before_scan }.to_not raise_error
          end
        end
      end
-
-      context 'when --force' do
-        let(:cli_args) { "#{super()} --force" }
-
-        it 'does not raise any error' do
-          expect(core.target).to receive(:wordpress?).with(:mixed).and_return(false)
-
-          expect { core.before_scan }.to_not raise_error
-        end
-      end
    end
  end
 end