Merges with Master (and solves conflicts)

2019-03-24 13:01:29 +00:00
parent 047a188b34 fa0582ce0b
commit f9435906e7
27 changed files with 245 additions and 80 deletions
--- a/app/finders/interesting_findings/tmm_db_migrate.rb
+++ b/app/finders/interesting_findings/tmm_db_migrate.rb
@@ -9,7 +9,7 @@ module WPScan
        def aggressive(_opts = {})
          path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'
          url  = target.url(path)
-          res  = Browser.get(url)
+          res  = browser.forge_request(url, target.head_or_get_request_params).run

          return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i

--- a/app/finders/interesting_findings/upload_sql_dump.rb
+++ b/app/finders/interesting_findings/upload_sql_dump.rb
@@ -5,24 +5,25 @@ module WPScan
    module InterestingFindings
      # UploadSQLDump finder
      class UploadSQLDump < CMSScanner::Finders::Finder
-        SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze

        # @return [ InterestingFinding ]
        def aggressive(_opts = {})
-          url = dump_url
-          res = Browser.get(url)
+          head_res = browser.forge_request(dump_url, target.head_or_get_request_params).run

-          return unless res.code == 200 && res.body =~ SQL_PATTERN
+          return unless head_res.code == 200
+
+          return unless Browser.get(dump_url, headers: { 'Range' => 'bytes=0-3000' }).body =~ SQL_PATTERN

          Model::UploadSQLDump.new(
-            url,
+            dump_url,
            confidence: 100,
            found_by: DIRECT_ACCESS
          )
        end

        def dump_url
-          target.url('wp-content/uploads/dump.sql')
+          @dump_url ||= target.url('wp-content/uploads/dump.sql')
        end
      end
    end