garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merges with Master (and solves conflicts)

Browse Source
This commit is contained in:
erwanlr
2019-03-24 13:01:29 +00:00
parent 047a188b34 fa0582ce0b
commit f9435906e7
27 changed files with 245 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
app/finders/config_backups/known_filenames.rb
View File

@@ -5,7 +5,7 @@ module WPScan
module ConfigBackups
# Config Backup finder
class KnownFilenames < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
# @param [ Hash ] opts
# @option opts [ String ] :list
@@ -16,17 +16,20 @@ module WPScan
found = []
enumerate(potential_urls(opts), opts) do |res|
# Might need to improve that
next unless res.body =~ /define/i && res.body !~ /<\s?html/i
found << Model::ConfigBackup.new(res.request.url,
found_by: DIRECT_ACCESS,
confidence: 100)
found << Model::ConfigBackup.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
end
found
end
def valid_response?(res, _exclude_content = nil)
return unless res.code == 200
full_res = Browser.get(res.effective_url)
full_res.body =~ /define/i && full_res.body !~ /<\s?html/i
end
# @param [ Hash ] opts
# @option opts [ String ] :list Mandatory
#

19
app/finders/db_exports/known_locations.rb
View File

@@ -6,7 +6,9 @@ module WPScan
# DB Exports finder
# See https://github.com/wpscanteam/wpscan-v3/issues/62
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
include Finders::Finder::Enumerator
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
# @param [ Hash ] opts
# @option opts [ String ] :list
@@ -17,16 +19,21 @@ module WPScan
found = []
enumerate(potential_urls(opts), opts) do |res|
next unless res.code == 200 && res.body =~ /INSERT INTO/
found << Model::DbExport.new(res.request.url,
found_by: DIRECT_ACCESS,
confidence: 100)
found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
end
found
end
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 200
return true if res.effective_url.end_with?('.zip') &&
res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
Browser.get(res.effective_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN ? true : false
end
# @param [ Hash ] opts
# @option opts [ String ] :list Mandatory
#

2
app/finders/interesting_findings/tmm_db_migrate.rb
View File

@@ -9,7 +9,7 @@ module WPScan
def aggressive(_opts = {})
path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
url = target.url(path)
res = Browser.get(url)
res = browser.forge_request(url, target.head_or_get_request_params).run
return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i

13
app/finders/interesting_findings/upload_sql_dump.rb
View File

@@ -5,24 +5,25 @@ module WPScan
module InterestingFindings
# UploadSQLDump finder
class UploadSQLDump < CMSScanner::Finders::Finder
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
# @return [ InterestingFinding ]
def aggressive(_opts = {})
url = dump_url
res = Browser.get(url)
head_res = browser.forge_request(dump_url, target.head_or_get_request_params).run
return unless res.code == 200 && res.body =~ SQL_PATTERN
return unless head_res.code == 200
return unless Browser.get(dump_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN
Model::UploadSQLDump.new(
url,
dump_url,
confidence: 100,
found_by: DIRECT_ACCESS
)
end
def dump_url
target.url('wp-content/uploads/dump.sql')
@dump_url ||= target.url('wp-content/uploads/dump.sql')
end
end
end

6
app/finders/timthumbs/known_locations.rb
View File

@@ -24,15 +24,13 @@ module WPScan
end
# @param [ Typhoeus::Response ] res
# @param [ Regexp,nil ] exclude_content
# @param [ Regexp, nil ] exclude_content
#
# @return [ Boolean ]
def valid_response?(res, _exclude_content = nil)
return false unless res.code == 400
full_res = Browser.get(res.effective_url, cache_ttl: 0)
full_res.body =~ /no image specified/i ? true : false
Browser.get(res.effective_url).body =~ /no image specified/i ? true : false
end
# @param [ Hash ] opts

10
app/finders/users/rss_generator.rb
View File

@@ -19,20 +19,20 @@ module WPScan
begin
res.xml.xpath('//item/dc:creator').each do |node|
potential_username = node.text.to_s
username = node.text.to_s
# Ignoring potential username longer than 60 characters and containing accents
# as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
next if potential_username.length > 60 || potential_username =~ /[^\x00-\x7F]/
next if username.strip.empty? || username.length > 60 || username =~ /[^\x00-\x7F]/
potential_usernames << potential_username
potential_usernames << username
end
rescue Nokogiri::XML::XPath::SyntaxError
next
end
potential_usernames.uniq.each do |potential_username|
found << Model::User.new(potential_username, found_by: found_by, confidence: 50)
potential_usernames.uniq.each do |username|
found << Model::User.new(username, found_by: found_by, confidence: 50)
end
break

10
app/finders/users/wp_json_api.rb
View File

@@ -55,7 +55,15 @@ module WPScan
# @return [ String ] The URL of the API listing the Users
def api_url
@api_url ||= target.url('wp-json/wp/v2/users/')
return @api_url if @api_url
target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
uri = Addressable::URI.parse(url.strip)
return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
end
@api_url = target.url('wp-json/wp/v2/users/')
end
end
end