Christian Mehlmauer
2012-09-22 16:19:21 +02:00
parent b9d8e5a3e2
commit ef72568688
17 changed files with 144 additions and 142 deletions


@@ -16,14 +16,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
LIB_DIR = File.dirname(__FILE__)
ROOT_DIR = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
DATA_DIR = ROOT_DIR + "/data"
CONF_DIR = ROOT_DIR + "/conf"
CACHE_DIR = ROOT_DIR + "/cache"
WPSCAN_LIB_DIR = LIB_DIR + "/wpscan"
WPSTOOLS_LIB_DIR = LIB_DIR + "/wpstools"
UPDATER_LIB_DIR = LIB_DIR + "/updater"
LIB_DIR = File.dirname(__FILE__)
ROOT_DIR = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
DATA_DIR = ROOT_DIR + "/data"
CONF_DIR = ROOT_DIR + "/conf"
CACHE_DIR = ROOT_DIR + "/cache"
WPSCAN_LIB_DIR = LIB_DIR + "/wpscan"
WPSTOOLS_LIB_DIR = LIB_DIR + "/wpstools"
UPDATER_LIB_DIR = LIB_DIR + "/updater"
WPSCAN_VERSION = "2.0"
@@ -127,9 +127,9 @@ def colorize(text, color_code)
end
def red(text)
; colorize(text, 31)
colorize(text, 31)
end
def green(text)
; colorize(text, 32)
colorize(text, 32)
end


@@ -23,15 +23,17 @@ module WebSite
def is_wordpress?
wordpress = false
response = Browser.instance.get(login_url(),
{:follow_location => true, :max_redirects => 2}
response = Browser.instance.get(
login_url(),
{:follow_location => true, :max_redirects => 2}
)
if response.body =~ %r{WordPress}i
wordpress = true
else
response = Browser.instance.get(xmlrpc_url(),
{:follow_location => true, :max_redirects => 2}
response = Browser.instance.get(
xmlrpc_url(),
{:follow_location => true, :max_redirects => 2}
)
if response.body =~ %r{XML-RPC server accepts POST requests only}i


@@ -37,9 +37,9 @@ module WpLoginProtection
plugin_name = symbol_to_call[LOGIN_PROTECTION_METHOD_PATTERN, 1].gsub('_', '-')
return @login_protection_plugin = WpPlugin.new(
:name => plugin_name,
:url => @uri,
:path => "/plugins/#{plugin_name}/",
:name => plugin_name,
:url => @uri,
:path => "/plugins/#{plugin_name}/",
:wp_content_dir => @wp_content_dir
)
end
@@ -67,10 +67,10 @@ module WpLoginProtection
end
def better_wp_security_url
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/better-wp-security/",
:name => "better-wp-security"
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/better-wp-security/",
:name => "better-wp-security"
).get_url_without_filename
end
@@ -80,10 +80,10 @@ module WpLoginProtection
end
def simple_login_lockdown_url
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/simple-login-lockdown/",
:name => "simple-login-lockdown"
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/simple-login-lockdown/",
:name => "simple-login-lockdown"
).get_url_without_filename
end
@@ -93,10 +93,10 @@ module WpLoginProtection
end
def login_security_solution_url
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/login-security-solution/",
:name => "login-security-solution"
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/login-security-solution/",
:name => "login-security-solution"
).get_url_without_filename
end
@@ -106,10 +106,10 @@ module WpLoginProtection
end
def limit_login_attempts_url
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/limit-login-attempts/",
:name => "limit-login-attempts"
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/limit-login-attempts/",
:name => "limit-login-attempts"
).get_url_without_filename
end
@@ -119,10 +119,10 @@ module WpLoginProtection
end
def bluetrait_event_viewer_url
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/bluetrait-event-viewer/",
:name => "bluetrait-event-viewer"
WpPlugin.new(:wp_content_dir => @wp_content_dir,
:url => @uri,
:path => "/plugins/bluetrait-event-viewer/",
:name => "bluetrait-event-viewer"
).get_url_without_filename
end
end


@@ -22,19 +22,19 @@ module WpPlugins
#
# return array of WpPlugin
def plugins_from_aggressive_detection(options)
options[:file] = options[:file] || "#{DATA_DIR}/plugins.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/plugin_vulns.xml"
options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
options[:file] = options[:file] || "#{DATA_DIR}/plugins.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/plugin_vulns.xml"
options[:vulns_xpath] = "//plugin[@name='#{@name}']/vulnerability"
options[:vulns_xpath_2] = "//plugin"
options[:type] = "plugins"
options[:type] = "plugins"
result = WpDetector.aggressive_detection(options)
plugins = []
result.each do |r|
plugins << WpPlugin.new(
:url => r[:url],
:path => r[:path],
:url => r[:url],
:path => r[:path],
:wp_content_dir => r[:wp_content_dir],
:name => r[:name]
:name => r[:name]
)
end
plugins.sort_by { |p| p.name }
@@ -52,9 +52,9 @@ module WpPlugins
temp.each do |item|
plugins << WpPlugin.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:url => item[:url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => options[:wp_content_dir]
)
end


@@ -19,19 +19,19 @@
module WpThemes
def themes_from_aggressive_detection(options)
options[:file] = options[:file] || "#{DATA_DIR}/themes.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/wp_theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:file] = options[:file] || "#{DATA_DIR}/themes.txt"
options[:vulns_file] = options[:vulns_file] || "#{DATA_DIR}/wp_theme_vulns.xml"
options[:vulns_xpath] = "//theme[@name='#{@name}']/vulnerability"
options[:vulns_xpath_2] = "//theme"
options[:type] = "themes"
options[:type] = "themes"
result = WpDetector.aggressive_detection(options)
themes = []
result.each do |r|
themes << WpTheme.new(
:url => r[:url],
:path => r[:path],
:url => r[:url],
:path => r[:path],
:wp_content_dir => r[:wp_content_dir],
:name => r[:name]
:name => r[:name]
)
end
themes.sort_by { |t| t.name }
@@ -43,9 +43,9 @@ module WpThemes
temp.each do |item|
themes << WpTheme.new(
:url => item[:url],
:name => item[:name],
:path => item[:path],
:url => item[:url],
:name => item[:name],
:path => item[:path],
:wp_content_dir => options[:wp_content_dir]
)
end


@@ -27,12 +27,12 @@ module WpTimthumbs
def timthumbs(theme_name = nil, options = {})
if @wp_timthumbs.nil?
options[:type] = "timthumbs"
options[:only_vulnerable_ones] = false
options[:file] = options[:file] || DATA_DIR + "/timthumbs.txt"
options[:vulns_file] = "xxx"
options[:vulns_xpath] = "xxx"
options[:vulns_xpath_2] = "xxx"
options[:type] = "timthumbs"
options[:only_vulnerable_ones] = false
options[:file] = options[:file] || DATA_DIR + "/timthumbs.txt"
options[:vulns_file] = "xxx"
options[:vulns_xpath] = "xxx"
options[:vulns_xpath_2] = "xxx"
WpOptions.check_options(options)
if theme_name == nil
@@ -55,10 +55,10 @@ module WpTimthumbs
scripts/timthumb.php tools/timthumb.php functions/timthumb.php
}.each do |file|
targets << {
:url => options[:url],
:path => "themes/#{theme_name}/#{file}",
:url => options[:url],
:path => "themes/#{theme_name}/#{file}",
:wp_content_dir => options[:wp_content_dir],
:name => options[:name]
:name => options[:name]
}
end
targets


@@ -24,17 +24,17 @@ class WpItem < Vulnerable
def initialize(options = {})
@wp_content_dir = options[:wp_content_dir] || "wp-content"
@url = options[:url]
@path = options[:path]
@name = options[:name] || extract_name_from_url
@vulns_xml = options[:vulns_xml]
@vulns_xpath = options[:vulns_xpath].sub(/\$name\$/, @name)
@url = options[:url]
@path = options[:path]
@name = options[:name] || extract_name_from_url
@vulns_xml = options[:vulns_xml]
@vulns_xpath = options[:vulns_xpath].sub(/\$name\$/, @name)
raise("url not set") unless @url
raise("path not set") unless @path
raise("url not set") unless @url
raise("path not set") unless @path
raise("wp_content_dir not set") unless @wp_content_dir
raise("name not set") unless @name
raise("vulns_xml not set") unless @vulns_xml
raise("name not set") unless @name
raise("vulns_xml not set") unless @vulns_xml
end
# Get the full url for this item


@@ -32,16 +32,16 @@
# * +type+ - Type: plugins, themes
class WpOptions
def self.check_options(options)
raise("url must be set") unless options[:url] != nil and options[:url].to_s.length > 0
raise("url must be set") unless options[:url] != nil and options[:url].to_s.length > 0
raise("only_vulnerable_ones must be set") unless options[:only_vulnerable_ones] != nil
raise("file must be set") unless options[:file] != nil and options[:file].length > 0
raise("vulns_file must be set") unless options[:vulns_file] != nil and options[:vulns_file].length > 0
raise("vulns_xpath must be set") unless options[:vulns_xpath] != nil and options[:vulns_xpath].length > 0
raise("vulns_xpath_2 must be set") unless options[:vulns_xpath_2] != nil and options[:vulns_xpath_2].length > 0
raise("wp_content_dir must be set") unless options[:wp_content_dir] != nil and options[:wp_content_dir].length > 0
raise("show_progress_bar must be set") unless options[:show_progress_bar] != nil
raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0
raise("type must be set") unless options[:type] != nil and options[:type].length > 0
raise("file must be set") unless options[:file] != nil and options[:file].length > 0
raise("vulns_file must be set") unless options[:vulns_file] != nil and options[:vulns_file].length > 0
raise("vulns_xpath must be set") unless options[:vulns_xpath] != nil and options[:vulns_xpath].length > 0
raise("vulns_xpath_2 must be set") unless options[:vulns_xpath_2] != nil and options[:vulns_xpath_2].length > 0
raise("wp_content_dir must be set") unless options[:wp_content_dir] != nil and options[:wp_content_dir].length > 0
raise("show_progress_bar must be set") unless options[:show_progress_bar] != nil
raise("error_404_hash must be set") unless options[:error_404_hash] != nil and options[:error_404_hash].length > 0
raise("type must be set") unless options[:type] != nil and options[:type].length > 0
unless options[:type] =~ /plugins/i or options[:type] =~ /themes/i or options[:type] =~ /timthumbs/i
raise("Unknown type #{options[:type]}")


@@ -18,10 +18,10 @@
class WpPlugin < WpItem
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/plugin_vulns.xml'
options[:vulns_xpath] = "//plugin[@name='$name$']/vulnerability"
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/plugin_vulns.xml'
options[:vulns_xpath] = "//plugin[@name='$name$']/vulnerability"
options[:vulns_xpath_2] = "//plugin"
options[:type] = "plugins"
options[:type] = "plugins"
super(options)
end

View File

@@ -34,8 +34,8 @@ class WpTarget
attr_reader :uri, :verbose
def initialize(target_url, options = {})
@uri = URI.parse(add_trailing_slash(add_http_protocol(target_url)))
@verbose = options[:verbose]
@uri = URI.parse(add_trailing_slash(add_http_protocol(target_url)))
@verbose = options[:verbose]
@wp_content_dir = options[:wp_content_dir]
@wp_plugins_dir = options[:wp_plugins_dir]


@@ -23,10 +23,10 @@ class WpTheme < WpItem
attr_reader :name, :style_url, :version
def initialize(options = {})
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
options[:vulns_xml] = options[:vulns_xml] || DATA_DIR + '/wp_theme_vulns.xml'
options[:vulns_xpath] = "//theme[@name='$name$']/vulnerability"
@version = options[:version]
@style_url = options[:style_url]
@version = options[:version]
@style_url = options[:style_url]
super(options)
end
@@ -63,11 +63,11 @@ class WpTheme < WpItem
style_url = matches[0]
theme_name = matches[1]
return new(:name => theme_name,
:style_url => style_url,
:url => style_url,
:path => "",
:wp_content_dir => ""
return new(:name => theme_name,
:style_url => style_url,
:url => style_url,
:path => "",
:wp_content_dir => ""
)
end
end
@@ -83,11 +83,11 @@ class WpTheme < WpItem
woo_theme_version = matches[2]
woo_framework_version = matches[3] # Not used at this time
return new(:name => woo_theme_name,
:version => woo_theme_version,
:url => matches[0],
:path => "",
:wp_content_dir => ""
return new(:name => woo_theme_name,
:version => woo_theme_version,
:url => matches[0],
:path => "",
:wp_content_dir => ""
)
end
end


@@ -20,8 +20,8 @@ class WpUser
attr_accessor :name, :id, :nickname
def initialize(name, id, nickname)
@name = name ? name : "empty"
@id = id ? id : "empty"
@name = name ? name : "empty"
@id = id ? id : "empty"
@nickname = nickname ? nickname : "empty"
end


@@ -23,10 +23,10 @@ class WpVersion < Vulnerable
attr_reader :number, :discovery_method
def initialize(number, options = {})
@number = number
@number = number
@discovery_method = options[:discovery_method]
@vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_vulns.xml'
@vulns_xpath = "//wordpress[@version='#{@number}']/vulnerability"
@vulns_xml = options[:vulns_xml] || DATA_DIR + '/wp_vulns.xml'
@vulns_xpath = "//wordpress[@version='#{@number}']/vulnerability"
end
# Will use all method self.find_from_* to try to detect the version
@@ -38,7 +38,7 @@ class WpVersion < Vulnerable
# (find_from_meta_generator, find_from_rss_generator etc)
def self.find(target_uri, wp_content_dir)
options = {
:url => target_uri,
:url => target_uri,
:wp_content_dir => wp_content_dir
}
self.methods.grep(/find_from_/).each do |method_to_call|


@@ -20,8 +20,8 @@ class WpVulnerability
attr_accessor :title, :reference, :type
def initialize(title, reference, type)
@title = title
@reference = reference
@type = type
@title = title
@reference = reference
@type = type
end
end


@@ -26,23 +26,23 @@ class Generate_List
# type = themes | plugins
def initialize(type, verbose)
if type =~ /plugins/i
@type = "plugin"
@svn_url = 'http://plugins.svn.wordpress.org/'
@file_name = DATA_DIR + '/plugins.txt'
@popular_url = 'http://wordpress.org/extend/plugins/browse/popular/'
@popular_regex = %r{<h3><a href="http://wordpress.org/extend/plugins/(.+)/">.+</a></h3>}i
@type = "plugin"
@svn_url = 'http://plugins.svn.wordpress.org/'
@file_name = DATA_DIR + '/plugins.txt'
@popular_url = 'http://wordpress.org/extend/plugins/browse/popular/'
@popular_regex = %r{<h3><a href="http://wordpress.org/extend/plugins/(.+)/">.+</a></h3>}i
elsif type =~ /themes/i
@type = "theme"
@svn_url = 'http://themes.svn.wordpress.org/'
@file_name = DATA_DIR + '/themes.txt'
@popular_url = 'http://wordpress.org/extend/themes/browse/popular/'
@popular_regex = %r{<h3><a href="http://wordpress.org/extend/themes/(.+)">.+</a></h3>}i
@type = "theme"
@svn_url = 'http://themes.svn.wordpress.org/'
@file_name = DATA_DIR + '/themes.txt'
@popular_url = 'http://wordpress.org/extend/themes/browse/popular/'
@popular_regex = %r{<h3><a href="http://wordpress.org/extend/themes/(.+)">.+</a></h3>}i
else
raise "Type #{type} not defined"
end
@verbose = verbose
@browser = Browser.instance
@hydra = @browser.hydra
@verbose = verbose
@browser = Browser.instance
@hydra = @browser.hydra
end
def generate_full_list


@@ -24,11 +24,11 @@ class Svn_Parser
attr_accessor :verbose, :svn_root, :keep_empty_dirs
def initialize(svn_root, verbose, keep_empty_dirs = false)
@svn_root = svn_root
@verbose = verbose
@keep_empty_dirs = keep_empty_dirs
@svn_browser = Browser.instance
@svn_hydra = @svn_browser.hydra
@svn_root = svn_root
@verbose = verbose
@keep_empty_dirs = keep_empty_dirs
@svn_browser = Browser.instance
@svn_hydra = @svn_browser.hydra
end
def parse(dirs=nil)


@@ -181,11 +181,11 @@ begin
puts
options = {}
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_plugins || false
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_plugins || false
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
plugins = wp_target.plugins_from_aggressive_detection(options)
unless plugins.empty?
@@ -235,11 +235,11 @@ begin
puts
options = {}
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes || false
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
options[:url] = wp_target.uri
options[:only_vulnerable_ones] = wpscan_options.enumerate_only_vulnerable_themes || false
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
themes = wp_target.themes_from_aggressive_detection(options)
unless themes.empty?
@@ -281,10 +281,10 @@ begin
puts
options = {}
options[:url] = wp_target.uri
options[:url] = wp_target.uri
options[:show_progress_bar] = true
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
options[:wp_content_dir] = wp_target.wp_content_dir
options[:error_404_hash] = wp_target.error_404_hash
theme_name = wp_theme ? wp_theme.name : nil
if wp_target.has_timthumbs?(theme_name, options)