From f146ee7e9f646d6461a2678de430d1a7e47bba9e Mon Sep 17 00:00:00 2001 From: erwanlr Date: Wed, 15 Apr 2020 17:02:41 +0200 Subject: [PATCH] Adds YT references and CVSS to output --- app/models/timthumb.rb | 12 +++---- app/views/cli/vulnerability.erb | 3 ++ app/views/json/finding.erb | 3 ++ lib/wpscan/references.rb | 31 ++---------------- lib/wpscan/vulnerability.rb | 9 ++++-- spec/app/models/plugin_spec.rb | 8 ++--- spec/app/models/theme_spec.rb | 8 ++--- spec/app/models/wp_version_spec.rb | 32 +++++-------------- .../fixtures/db/vuln_api/wordpresses/381.json | 4 ++- spec/lib/vulnerability_spec.rb | 2 +- .../wp_version/with_vulns.cli_no_colour | 1 + spec/output/wp_version/with_vulns.json | 4 +++ 12 files changed, 46 insertions(+), 71 deletions(-) diff --git a/app/models/timthumb.rb b/app/models/timthumb.rb index 2da163c4..5adee0df 100644 --- a/app/models/timthumb.rb +++ b/app/models/timthumb.rb @@ -40,9 +40,9 @@ module WPScan def rce_132_vuln Vulnerability.new( 'Timthumb <= 1.32 Remote Code Execution', - { exploitdb: ['17602'] }, - 'RCE', - '1.33' + references: { exploitdb: ['17602'] }, + type: 'RCE', + fixed_in: '1.33' ) end @@ -50,12 +50,12 @@ module WPScan def rce_webshot_vuln Vulnerability.new( 'Timthumb <= 2.8.13 WebShot Remote Code Execution', - { + references: { url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'], cve: '2014-4663' }, - 'RCE', - '2.8.14' + type: 'RCE', + fixed_in: '2.8.14' ) end diff --git a/app/views/cli/vulnerability.erb b/app/views/cli/vulnerability.erb index 6c11151b..4071dfb3 100644 --- a/app/views/cli/vulnerability.erb +++ b/app/views/cli/vulnerability.erb @@ -1,4 +1,7 @@ | <%= critical_icon %> Title: <%= @v.title %> +<% if @v.cvss -%> + | CVSS: <%= @v.cvss[:score] %> (<%= @v.cvss[:vector] %>) +<% end -%> <% if @v.fixed_in -%> | Fixed in: <%= @v.fixed_in %> <% end -%> diff --git a/app/views/json/finding.erb b/app/views/json/finding.erb index 674e721f..d021c432 100644 
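Review bot: The added `| CVSS:` line in app/views/cli/vulnerability.erb prints `@v.cvss[:vector]` inside parentheses unconditionally, while the guard only checks `@v.cvss`; in lib/wpscan/vulnerability.rb the hash is built whenever `cvss_risk_score` is present regardless of `cvss_vector`, so a record with a score but no vector would render as `CVSS: 5.4 ()`. Guarding the vector separately keeps the line clean: `| CVSS: <%= @v.cvss[:score] %><%= " (#{@v.cvss[:vector]})" if @v.cvss[:vector] %>`. Both values appear to come straight from the vulnerability API response and are written to the terminal unescaped, as the title on the line above already is; if that feed is not fully trusted, a helper stripping control characters would apply to all three fields, though that is beyond this change.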
--- a/app/views/json/finding.erb +++ b/app/views/json/finding.erb @@ -19,6 +19,9 @@ <% vulns.each_with_index do |v, index| -%> { "title": <%= v.title.to_json %>, + <% if v.cvss -%> + "cvss": <%= v.cvss.to_json %>, + <% end -%> "fixed_in": <%= v.fixed_in.to_json %>, "references": <%= v.references.to_json %> }<% unless index == last_index -%>,<% end -%> diff --git a/lib/wpscan/references.rb b/lib/wpscan/references.rb index f21b7447..a2573612 100644 --- a/lib/wpscan/references.rb +++ b/lib/wpscan/references.rb @@ -2,9 +2,7 @@ module WPScan # References module (which should be included along with the CMSScanner::References) - # to allow the use of the wpvulndb and youtube references. - # Notes: The youtube references are not handled the same way all the others, especialy in the JSON output - # as we output the full URL and not just the ID. Hence the override of the references= method + # to allow the use of the wpvulndb reference. module References extend ActiveSupport::Concern @@ -12,27 +10,12 @@ module WPScan module ClassMethods # @return [ Array ] def references_keys - @references_keys ||= super << :wpvulndb << :youtube - end - end - - # @param [ Hash ] refs - def references=(refs) - @references = {} - - self.class.references_keys.each do |key| - next unless refs.key?(key) - - @references[key] = if key == :youtube - [*refs[:youtube]].map { |id| youtube_url(id) } - else - [*refs[key]].map(&:to_s) - end + @references_keys ||= super << :wpvulndb end end def references_urls - wpvulndb_urls + super + youtube_urls + wpvulndb_urls + super end def wpvulndb_ids @@ -46,13 +29,5 @@ module WPScan def wpvulndb_url(id) "https://wpvulndb.com/vulnerabilities/#{id}" end - - def youtube_urls - references[:youtube] || [] - end - - def youtube_url(id) - "https://www.youtube.com/watch?v=#{id}" - end end end diff --git a/lib/wpscan/vulnerability.rb b/lib/wpscan/vulnerability.rb index f918c175..214edef2 100644 --- a/lib/wpscan/vulnerability.rb +++ b/lib/wpscan/vulnerability.rb 
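Review bot: The new `"cvss"` key in app/views/json/finding.erb is emitted only when `v.cvss` is truthy, whereas the neighbouring `"fixed_in"` is always present and serialised as `null` when unset, so the object shape now varies per finding and consumers must test for key presence rather than a null value. Emitting it unconditionally, `"cvss": <%= v.cvss.to_json %>,` (which yields `null` for nil), keeps the schema stable; the expected output in spec/output/wp_version/with_vulns.json would then gain `"cvss": null` for the second vulnerability. Note also that `score` is serialised as the string `"5.4"` per the fixture rather than a number, which JSON consumers may not expect; that is decided in lib/wpscan/vulnerability.rb rather than here.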
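Review bot: With `:youtube` dropped from `references_keys` and the custom `references=` removed in lib/wpscan/references.rb, any `youtube` entry in API data is now handled by whatever `CMSScanner::References` provides; if the upstream module does not list that key, such references would be silently discarded from the CLI and JSON output rather than failing loudly. The commit title says it adds YT references, so this presumably relies on the key having moved into CMSScanner, but nothing in this diff shows that and no spec here exercises a `youtube` reference. A one-line comment above `references_keys`, `# :youtube is handled by CMSScanner::References; only :wpvulndb is WPScan-specific`, plus a spec asserting a `youtube` id is rendered as a full URL, would pin that assumption. The `references_keys` body is complete within the hunk, but the module continues outside it.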
@@ -16,11 +16,14 @@ module WPScan end end + cvss = { score: json_data['cvss_risk_score'], vector: json_data['cvss_vector'] } if json_data['cvss_risk_score'] + new( json_data['title'], - references, - json_data['vuln_type'], - json_data['fixed_in'] + references: references, + type: json_data['vuln_type'], + fixed_in: json_data['fixed_in'], + cvss: cvss ) end end diff --git a/spec/app/models/plugin_spec.rb b/spec/app/models/plugin_spec.rb index aa92ef0f..051ba705 100644 --- a/spec/app/models/plugin_spec.rb +++ b/spec/app/models/plugin_spec.rb @@ -202,11 +202,11 @@ describe WPScan::Model::Plugin do [ WPScan::Vulnerability.new( 'First Vuln <= 6.3.10 - LFI', - { wpvulndb: '1' }, - 'LFI', - '6.3.10' + references: { wpvulndb: '1' }, + type: 'LFI', + fixed_in: '6.3.10' ), - WPScan::Vulnerability.new('No Fixed In', wpvulndb: '2') + WPScan::Vulnerability.new('No Fixed In', references: { wpvulndb: '2' }) ] end diff --git a/spec/app/models/theme_spec.rb b/spec/app/models/theme_spec.rb index 51505309..e86dd229 100644 --- a/spec/app/models/theme_spec.rb +++ b/spec/app/models/theme_spec.rb @@ -224,11 +224,11 @@ describe WPScan::Model::Theme do [ WPScan::Vulnerability.new( 'First Vuln', - { wpvulndb: '1' }, - 'LFI', - '6.3.10' + references: { wpvulndb: '1' }, + type: 'LFI', + fixed_in: '6.3.10' ), - WPScan::Vulnerability.new('No Fixed In', wpvulndb: '2') + WPScan::Vulnerability.new('No Fixed In', references: { wpvulndb: '2' }) ] end diff --git a/spec/app/models/wp_version_spec.rb b/spec/app/models/wp_version_spec.rb index e1f8ecd7..11df66ce 100644 --- a/spec/app/models/wp_version_spec.rb +++ b/spec/app/models/wp_version_spec.rb 
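Review bot: The new `cvss` hash in lib/wpscan/vulnerability.rb passes `json_data['cvss_risk_score']` and `json_data['cvss_vector']` through verbatim, so the score keeps whatever type the API sends (a string, `"5.4"`, in the fixture) and the vector may be `nil` while the score is set; nothing checks that the score is numeric or that the vector resembles a CVSS vector. If the output is meant to carry a number, coercing at the boundary, e.g. `score: Float(json_data['cvss_risk_score'], exception: false)` on Ruby 2.6+, and only building the hash when both fields are present would make the shape predictable, though the expected outputs in this commit assert the string form and would need updating. Ruby does define `cvss` as `nil` when the modifier `if` is false, so the `cvss: cvss` keyword below is safe as written. The enclosing method begins above this hunk.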
@@ -55,31 +55,15 @@ describe WPScan::Model::WpVersion do expect(version).to be_vulnerable end - let(:all_vulns) do - [ - WPScan::Vulnerability.new( - 'WP 3.8.1 - Vuln 1', - { wpvulndb: '1' }, - 'SQLI' - ), - WPScan::Vulnerability.new( - 'WP 3.8.1 - Vuln 2', - { url: %w[url-2 url-3], osvdb: %w[10], cve: %w[2014-0166], wpvulndb: '2' }, - nil, - '3.8.2' - ) - ] - end - context 'when a signle vuln' do - let(:number) { '3.8.1' } + let(:number) { '3.8' } let(:db_data) { vuln_api_data_for('wordpresses/38') } it 'returns the expected result' do @expected = [WPScan::Vulnerability.new( 'WP 3.8 - Vuln 1', - { url: %w[url-4], wpvulndb: '3' }, - 'AUTHBYPASS' + references: { url: %w[url-4], wpvulndb: '3' }, + type: 'AUTHBYPASS' )] end end @@ -92,14 +76,14 @@ describe WPScan::Model::WpVersion do @expected = [ WPScan::Vulnerability.new( 'WP 3.8.1 - Vuln 1', - { wpvulndb: '1' }, - 'SQLI' + references: { wpvulndb: '1' }, + type: 'SQLI', + cvss: { score: '5.4', vector: 'VECTOR' } ), WPScan::Vulnerability.new( 'WP 3.8.1 - Vuln 2', - { url: %w[url-2 url-3], cve: %w[2014-0166], wpvulndb: '2' }, - nil, - '3.8.2' + references: { url: %w[url-2 url-3], cve: %w[2014-0166], wpvulndb: '2' }, + fixed_in: '3.8.2' ) ] end diff --git a/spec/fixtures/db/vuln_api/wordpresses/381.json b/spec/fixtures/db/vuln_api/wordpresses/381.json index aee93345..b43bb22e 100644 --- a/spec/fixtures/db/vuln_api/wordpresses/381.json +++ b/spec/fixtures/db/vuln_api/wordpresses/381.json @@ -9,7 +9,9 @@ "id" : 1, "vuln_type" : "SQLI", "published_date" : null, - "fixed_in" : null + "fixed_in" : null, + "cvss_risk_score": "5.4", + "cvss_vector": "VECTOR" }, { "references" : { diff --git a/spec/lib/vulnerability_spec.rb b/spec/lib/vulnerability_spec.rb index 18a61494..66f4e2ba 100644 --- a/spec/lib/vulnerability_spec.rb +++ b/spec/lib/vulnerability_spec.rb 
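Review bot: The added `cvss: { score: '5.4', vector: 'VECTOR' }` on the expected `WP 3.8.1 - Vuln 1` in spec/app/models/wp_version_spec.rb only verifies anything if `WPScan::Vulnerability#==` compares the cvss attribute; if equality is inherited from CMSScanner and does not include it, this example passes whether or not cvss is populated. A direct assertion on the parsed object, something like `expect(version.vulnerabilities.first.cvss).to eq(score: '5.4', vector: 'VECTOR')`, would pin the new behaviour independently of how equality is defined. The `context` block this belongs to starts above the hunk.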
@@ -1,7 +1,7 @@ # frozen_string_literal: true describe WPScan::Vulnerability do - subject(:vuln) { described_class.new(title, references) } + subject(:vuln) { described_class.new(title, references: references) } let(:title) { 'Test Vuln' } let(:references) { {} } diff --git a/spec/output/wp_version/with_vulns.cli_no_colour b/spec/output/wp_version/with_vulns.cli_no_colour index 33445ed4..399d20f9 100644 --- a/spec/output/wp_version/with_vulns.cli_no_colour +++ b/spec/output/wp_version/with_vulns.cli_no_colour @@ -4,6 +4,7 @@ | [!] 2 vulnerabilities identified: | | [!] Title: WP 3.8.1 - Vuln 1 + | CVSS: 5.4 (VECTOR) | Reference: https://wpvulndb.com/vulnerabilities/1 | | [!] Title: WP 3.8.1 - Vuln 2 diff --git a/spec/output/wp_version/with_vulns.json b/spec/output/wp_version/with_vulns.json index 8dd8430e..f67a5fb8 100644 --- a/spec/output/wp_version/with_vulns.json +++ b/spec/output/wp_version/with_vulns.json @@ -14,6 +14,10 @@ "vulnerabilities": [ { "title": "WP 3.8.1 - Vuln 1", + "cvss": { + "score": "5.4", + "vector": "VECTOR" + }, "fixed_in": null, "references": { "wpvulndb": [
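Review bot: The subject in spec/lib/vulnerability_spec.rb is updated to the keyword form, but no example is added for the new `cvss:` keyword, so neither the default when it is omitted nor a supplied hash is pinned here. Two short examples would cover it: `it { expect(vuln.cvss).to be_nil }` under the default subject, and a context passing `cvss: { score: '5.4', vector: 'V' }` that asserts `vuln.cvss` round-trips. Whether `cvss` is exposed as a reader is not visible in this diff; the CLI and JSON templates call `@v.cvss` and `v.cvss`, so one presumably exists, and the spec would confirm it.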