Merges with Master (and solves conflicts)

spec/app/finders/config_backups/known_filenames_spec.rb

@@ -10,10 +10,10 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
   describe '#aggressive' do
     before do
       expect(target).to receive(:sub_dir).at_least(1).and_return(false)
-      expect(target).to receive(:homepage_or_404?).at_least(1).and_return(false)
+      expect(target).to receive(:head_or_get_request_params).and_return(method: :head)
 
       finder.potential_urls(opts).each_key do |url|
-        stub_request(:get, url).to_return(status: 404)
+        stub_request(:head, url).to_return(status: 404)
       end
     end
 
@@ -24,11 +24,12 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
     end
 
     context 'when some files exist' do
-      let(:files) { ['%23wp-config.php%23', 'wp-config.bak'] }
+      let(:found_files) { ['%23wp-config.php%23', 'wp-config.bak'] }
       let(:config_backup) { File.read(fixtures.join('wp-config.php')) }
 
       before do
-        files.each do |file|
+        found_files.each do |file|
+          stub_request(:head, "#{url}#{file}").to_return(status: 200)
           stub_request(:get, "#{url}#{file}").to_return(body: config_backup)
         end
       end
@@ -36,7 +37,7 @@ describe WPScan::Finders::ConfigBackups::KnownFilenames do
       it 'returns the expected Array<ConfigBackup>' do
         expected = []
 
-        files.each do |file|
+        found_files.each do |file|
           url = "#{target.url}#{file}"
           expected << WPScan::Model::ConfigBackup.new(
             url,

spec/app/finders/db_exports/known_locations_spec.rb

@@ -27,10 +27,10 @@ describe WPScan::Finders::DbExports::KnownLocations do
   describe '#aggressive' do
     before do
       expect(target).to receive(:sub_dir).at_least(1).and_return(false)
-      expect(target).to receive(:homepage_or_404?).at_least(1).and_return(false)
+      expect(target).to receive(:head_or_get_request_params).and_return(method: :head)
 
       finder.potential_urls(opts).each_key do |url|
-        stub_request(:get, url).to_return(status: 404)
+        stub_request(:head, url).to_return(status: 404)
       end
     end
 
@@ -40,20 +40,28 @@ describe WPScan::Finders::DbExports::KnownLocations do
       end
     end
 
+    context 'when a zip returns a 200' do
+      xit
+    end
+
     context 'when some files exist' do
-      let(:files) { %w[ex.sql backups/db_backup.sql] }
+      let(:found_files) { %w[ex.sql backups/db_backup.sql] }
       let(:db_export) { File.read(fixtures.join('dump.sql')) }
 
       before do
-        files.each do |file|
-          stub_request(:get, "#{url}#{file}").to_return(body: db_export)
+        found_files.each do |file|
+          stub_request(:head, "#{url}#{file}").to_return(status: 200)
+
+          stub_request(:get, "#{url}#{file}")
+            .with(headers: { 'Range' => 'bytes=0-3000' })
+            .to_return(body: db_export)
         end
       end
 
       it 'returns the expected Array<DbExport>' do
         expected = []
 
-        files.each do |file|
+        found_files.each do |file|
           url = "#{target.url}#{file}"
           expected << WPScan::Model::DbExport.new(
             url,

spec/app/finders/interesting_findings/upload_sql_dump_spec.rb

@@ -8,13 +8,16 @@ describe WPScan::Finders::InterestingFindings::UploadSQLDump do
   let(:wp_content) { 'wp-content' }
 
   describe '#aggressive' do
-    before { expect(target).to receive(:content_dir).at_least(1).and_return(wp_content) }
+    before do
+      expect(target).to receive(:content_dir).at_least(1).and_return(wp_content)
+      expect(target).to receive(:head_or_get_request_params).and_return(method: :head)
+    end
 
-    after {  expect(finder.aggressive).to eql @expected }
+    after { expect(finder.aggressive).to eql @expected }
 
     context 'when not a 200' do
       it 'returns nil' do
-        stub_request(:get, finder.dump_url).to_return(status: 404)
+        stub_request(:head, finder.dump_url).to_return(status: 404)
 
         @expected = nil
       end
@@ -22,8 +25,11 @@ describe WPScan::Finders::InterestingFindings::UploadSQLDump do
 
     context 'when a 200' do
       before do
+        stub_request(:head, finder.dump_url).to_return(status: 200)
+
         stub_request(:get, finder.dump_url)
-          .to_return(status: 200, body: File.read(fixtures.join(fixture)))
+          .with(headers: { 'Range' => 'bytes=0-3000' })
+          .to_return(body: File.read(fixtures.join(fixture)))
       end
 
       context 'when the body does not match a SQL dump' do

spec/app/finders/users/wp_json_api_spec.rb

@@ -7,7 +7,10 @@ describe WPScan::Finders::Users::WpJsonApi do
   let(:fixtures)   { FINDERS_FIXTURES.join('users', 'wp_json_api') }
 
   describe '#aggressive' do
-    before { allow(target).to receive(:sub_dir).and_return(false) }
+    before do
+      allow(target).to receive(:sub_dir).and_return(false)
+      allow(finder).to receive(:api_url).and_return(target.url('wp-json/wp/v2/users/'))
+    end
 
     context 'when only one page of results' do
       before do
@@ -80,4 +83,54 @@ describe WPScan::Finders::Users::WpJsonApi do
       end
     end
   end
+
+  describe '#api_url' do
+    let(:fixtures) { super().join('api_url') }
+
+    context 'when url in the homepage' do
+      {
+        in_scope: 'https://wp.lab/wp-json/wp/v2/users/',
+        out_of_scope: 'http://wp.lab/wp-json/wp/v2/users/'
+      }.each do |fixture, expected|
+        it "returns #{expected} for #{fixture}.html" do
+          stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{fixture}.html")))
+
+          expect(finder.api_url).to eql expected
+        end
+      end
+
+      context 'when subdir' do
+        before { allow(target).to receive(:subdir).and_return('cms') }
+
+        {
+          in_scope_subdir: 'https://wp.lab/cms/wp-json/wp/v2/users/',
+          in_scope_subdir_ignored: 'https://wp.lab/wp-json/wp/v2/users/'
+        }.each do |fixture, expected|
+          it "returns #{expected} for #{fixture}.html" do
+            stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{fixture}.html")))
+
+            expect(finder.api_url).to eql expected
+          end
+        end
+      end
+    end
+
+    context 'when not in the homepage' do
+      before { stub_request(:get, target.url) }
+
+      its(:api_url) { should eql target.url('wp-json/wp/v2/users/') }
+    end
+
+    context 'when api_url already found' do
+      before { allow(target).to receive(:sub_dir).and_return(false) }
+
+      it 'does not check the homepage again' do
+        url = target.url('wp-json/wp/v2/users/')
+
+        finder.instance_variable_set(:@api_url, url)
+
+        expect(finder.api_url).to eql url
+      end
+    end
+  end
 end

spec/fixtures/finders/users/rss_generator/feed.xml

@@ -59,5 +59,23 @@
       <dc:creator><dc:creator><![CDATA[Michael Schrage. <p>Michael Schrage is a researcher at the MIT Sloan School of Management Initiative on the Digital Economy, where he does research and advisory work on how digital media transforms agency, human capital, and innovation.</p>
 ]]></dc:creator></dc:creator>
     </item>
+
+    <item>
+      <title>Hello world!</title>
+      <link>http://ex.lo/2018/09/23/hello-world/</link>
+      <comments>http://ex.lo/2018/09/23/hello-world/#comments</comments>
+      <pubDate>Sun, 23 Sep 2018 11:31:56 +0000</pubDate>
+      <!-- Should be ignored as empty username -->
+      <dc:creator><![CDATA[]]></dc:creator>
+    </item>
+
+    <item>
+      <title>Hello world!</title>
+      <link>http://ex.lo/2018/09/23/hello-world/</link>
+      <comments>http://ex.lo/2018/09/23/hello-world/#comments</comments>
+      <pubDate>Sun, 23 Sep 2018 11:31:56 +0000</pubDate>
+      <!-- Should be ignored as empty username -->
+      <dc:creator><![CDATA[ ]]></dc:creator>
+    </item>
   </channel>
 </rss>

spec/fixtures/finders/users/wp_json_api/api_url/in_scope.html

@@ -0,0 +1 @@
+<link rel='https://api.w.org/' href='https://wp.lab/wp-json/' />

spec/fixtures/finders/users/wp_json_api/api_url/in_scope_subdir.html

@@ -0,0 +1,6 @@
+<link rel='https://api.w.org/' href='https://wp.lab/cms/wp-json/' />
+<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://wp.lab/cms/xmlrpc.php?rsd" />
+<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://wp.lab/cms/wp-includes/wlwmanifest.xml" />
+<link rel='shortlink' href='https://wp.lab/' />
+<link rel="alternate" type="application/json+oembed" href="https://wp.lab/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwp.lab%2F" />
+<link rel="alternate" type="text/xml+oembed" href="https://wp.lab/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwp.lab%2F&#038;format=xml" />

spec/fixtures/finders/users/wp_json_api/api_url/in_scope_subdir_ignored.html

@@ -0,0 +1,6 @@
+<link rel='https://api.w.org/' href='https://wp.lab/wp-json/' />
+<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://wp.lab/cms/xmlrpc.php?rsd" />
+<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://wp.lab/cms/wp-includes/wlwmanifest.xml" />
+<link rel='shortlink' href='https://wp.lab/' />
+<link rel="alternate" type="application/json+oembed" href="https://wp.lab/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwp.lab%2F" />
+<link rel="alternate" type="text/xml+oembed" href="https://wp.lab/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwp.lab%2F&#038;format=xml" />

spec/fixtures/finders/users/wp_json_api/api_url/out_of_scope.html

@@ -0,0 +1 @@
+<link rel='https://api.w.org/' href='https://out-there.com/wp-json/' />

spec/fixtures/target/platform/wordpress/custom_directories/relative_two_sub_dir.html

@@ -0,0 +1,6 @@
+<link rel='https://api.w.org/' href='https://ex.lo/wp-json/' />
+<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://ex.lo/cms/xmlrpc.php?rsd" />
+<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://ex.lo/cms/wp-includes/wlwmanifest.xml" />
+
+<link rel="shortcut icon" href="//ex.lo/cms/wp-content/uploads/2011/10/favicon.ico">
+<link rel="apple-touch-icon-precomposed" href="//ex.lo/cms/wp-content/uploads/2011/10/favicon.ico">

spec/shared_examples/target/platform/wordpress/custom_directories.rb

@@ -7,7 +7,7 @@ shared_examples 'WordPress::CustomDirectories' do
     {
       default: 'wp-content', https: 'wp-content', custom_w_spaces: 'custom content spaces',
       relative_one: 'wp-content', relative_two: 'wp-content', cache: 'wp-content',
-      in_raw_js: 'wp-content', with_sub_dir: 'app'
+      in_raw_js: 'wp-content', with_sub_dir: 'app', relative_two_sub_dir: 'cms/wp-content'
     }.each do |file, expected|
       it "returns #{expected} for #{file}.html" do
         stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{file}.html")))
@@ -49,7 +49,7 @@ shared_examples 'WordPress::CustomDirectories' do
   end
 
   describe '#sub_dir' do
-    { default: false, with_sub_dir: 'wp' }.each do |file, expected|
+    { default: false, with_sub_dir: 'wp', relative_two_sub_dir: 'cms' }.each do |file, expected|
       it "returns #{expected} for #{file}.html" do
         fixture = File.join(fixtures, "#{file}.html")