Merges with Master (and solves conflicts)

app/finders/config_backups/known_filenames.rb

@@ -5,7 +5,7 @@ module WPScan
     module ConfigBackups
       # Config Backup finder
       class KnownFilenames < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::Enumerator
+        include Finders::Finder::Enumerator
 
         # @param [ Hash ] opts
         # @option opts [ String ] :list
@@ -16,17 +16,20 @@ module WPScan
           found = []
 
           enumerate(potential_urls(opts), opts) do |res|
-            # Might need to improve that
-            next unless res.body =~ /define/i && res.body !~ /<\s?html/i
-
-            found << Model::ConfigBackup.new(res.request.url,
-                                             found_by: DIRECT_ACCESS,
-                                             confidence: 100)
+            found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
           end
 
           found
         end
 
+        def valid_response?(res, _exclude_content = nil)
+          return unless res.code == 200
+
+          full_res = Browser.get(res.effective_url)
+
+          full_res.body =~ /define/i && full_res.body !~ /<\s?html/i
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list Mandatory
         #

app/finders/db_exports/known_locations.rb

@@ -6,7 +6,9 @@ module WPScan
       # DB Exports finder
       # See https://github.com/wpscanteam/wpscan-v3/issues/62
       class KnownLocations < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::Enumerator
+        include Finders::Finder::Enumerator
+
+        SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
 
         # @param [ Hash ] opts
         # @option opts [ String ] :list
@@ -17,16 +19,21 @@ module WPScan
           found = []
 
           enumerate(potential_urls(opts), opts) do |res|
-            next unless res.code == 200 && res.body =~ /INSERT INTO/
-
-            found << Model::DbExport.new(res.request.url,
-                                         found_by: DIRECT_ACCESS,
-                                         confidence: 100)
+            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
           end
 
           found
         end
 
+        def valid_response?(res, _exclude_content = nil)
+          return false unless res.code == 200
+
+          return true if res.effective_url.end_with?('.zip') &&
+                         res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
+
+          Browser.get(res.effective_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN ? true : false
+        end
+
         # @param [ Hash ] opts
         # @option opts [ String ] :list Mandatory
         #

app/finders/interesting_findings/tmm_db_migrate.rb

@@ -9,7 +9,7 @@ module WPScan
         def aggressive(_opts = {})
           path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
           url  = target.url(path)
-          res  = Browser.get(url)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run
 
           return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
 

app/finders/interesting_findings/upload_sql_dump.rb

@@ -5,24 +5,25 @@ module WPScan
     module InterestingFindings
       # UploadSQLDump finder
       class UploadSQLDump < CMSScanner::Finders::Finder
-        SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
 
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
-          url = dump_url
-          res = Browser.get(url)
+          head_res = browser.forge_request(dump_url, target.head_or_get_request_params).run
 
-          return unless res.code == 200 && res.body =~ SQL_PATTERN
+          return unless head_res.code == 200
+
+          return unless Browser.get(dump_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN
 
           Model::UploadSQLDump.new(
-            url,
+            dump_url,
             confidence: 100,
             found_by: DIRECT_ACCESS
           )
         end
 
         def dump_url
-          target.url('wp-content/uploads/dump.sql')
+          @dump_url ||= target.url('wp-content/uploads/dump.sql')
         end
       end
     end

app/finders/timthumbs/known_locations.rb

@@ -24,15 +24,13 @@ module WPScan
         end
 
         # @param [ Typhoeus::Response ] res
-        # @param [ Regexp,nil ] exclude_content
+        # @param [ Regexp, nil ] exclude_content
         #
         # @return [ Boolean ]
         def valid_response?(res, _exclude_content = nil)
           return false unless res.code == 400
 
-          full_res = Browser.get(res.effective_url, cache_ttl: 0)
-
-          full_res.body =~ /no image specified/i ? true : false
+          Browser.get(res.effective_url).body =~ /no image specified/i ? true : false
         end
 
         # @param [ Hash ] opts

app/finders/users/rss_generator.rb

@@ -19,20 +19,20 @@ module WPScan
 
             begin
               res.xml.xpath('//item/dc:creator').each do |node|
-                potential_username = node.text.to_s
+                username = node.text.to_s
 
                 # Ignoring potential username longer than 60 characters and containing accents
                 # as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
-                next if potential_username.length > 60 || potential_username =~ /[^\x00-\x7F]/
+                next if username.strip.empty? || username.length > 60 || username =~ /[^\x00-\x7F]/
 
-                potential_usernames << potential_username
+                potential_usernames << username
               end
             rescue Nokogiri::XML::XPath::SyntaxError
               next
             end
 
-            potential_usernames.uniq.each do |potential_username|
-              found << Model::User.new(potential_username, found_by: found_by, confidence: 50)
+            potential_usernames.uniq.each do |username|
+              found << Model::User.new(username, found_by: found_by, confidence: 50)
             end
 
             break

app/finders/users/wp_json_api.rb

@@ -55,7 +55,15 @@ module WPScan
 
         # @return [ String ] The URL of the API listing the Users
         def api_url
-          @api_url ||= target.url('wp-json/wp/v2/users/')
+          return @api_url if @api_url
+
+          target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
+            uri = Addressable::URI.parse(url.strip)
+
+            return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
+          end
+
+          @api_url = target.url('wp-json/wp/v2/users/')
         end
       end
     end

app/models/wp_version.rb

@@ -26,13 +26,12 @@ module WPScan
         @all_numbers = []
 
         DB::Fingerprints.wp_fingerprints.each_value do |fp|
-          fp.each_value do |versions|
-            versions.each do |version|
-              @all_numbers << version unless @all_numbers.include?(version)
-            end
-          end
+          @all_numbers << fp.values
         end
 
+        # @all_numbers.flatten.uniq.sort! {} doesn't produce the same result here.
+        @all_numbers.flatten!
+        @all_numbers.uniq!
         @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
       end