From fee3671e320ddca13694de3fef8f0b8683fc09bf Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Sun, 10 Mar 2019 07:53:12 +0000
Subject: [PATCH] Adds wp-cron.php detection - Fixes #1299

---
 app/finders/interesting_findings.rb | 3 +-
 app/finders/interesting_findings/wp_cron.rb | 31 +++++++++++++++++++
 app/models/interesting_finding.rb | 3 ++
 .../interesting_findings/wp_cron_spec.rb | 30 ++++++++++++++++++
 4 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 app/finders/interesting_findings/wp_cron.rb
 create mode 100644 spec/app/finders/interesting_findings/wp_cron_spec.rb

diff --git a/app/finders/interesting_findings.rb b/app/finders/interesting_findings.rb
index 1daf3c34..a68e499f 100644
--- a/app/finders/interesting_findings.rb
+++ b/app/finders/interesting_findings.rb
@@ -1,4 +1,5 @@
 require_relative 'interesting_findings/readme'
+require_relative 'interesting_findings/wp_cron'
 require_relative 'interesting_findings/multisite'
 require_relative 'interesting_findings/debug_log'
 require_relative 'interesting_findings/backup_db'
@@ -23,7 +24,7 @@ module WPScan
       %w[
         Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
         Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-        UploadSQLDump EmergencyPwdResetScript
+        UploadSQLDump EmergencyPwdResetScript WPCron
       ].each do |f|
         finders << InterestingFindings.const_get(f).new(target)
       end
diff --git a/app/finders/interesting_findings/wp_cron.rb b/app/finders/interesting_findings/wp_cron.rb
new file mode 100644
index 00000000..85a8d76c
--- /dev/null
+++ b/app/finders/interesting_findings/wp_cron.rb
@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module InterestingFindings
+      # wp-cron.php finder
+      class WPCron < CMSScanner::Finders::Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          res = Browser.get(wp_cron_url)
+
+          return unless res.code == 200
+
+          WPScan::WPCron.new(
+            wp_cron_url,
+            confidence: 100,
+            found_by: DIRECT_ACCESS,
+            references: {
+              url: [
+                'https://www.iplocation.net/defend-wordpress-from-ddos',
+                'https://github.com/wpscanteam/wpscan/issues/1299'
+              ]
+            }
+          )
+        end
+
+        def wp_cron_url
+          @wp_cron_url ||= target.url('wp-cron.php')
+        end
+      end
+    end
+  end
+end
diff --git a/app/models/interesting_finding.rb b/app/models/interesting_finding.rb
index c42d2d41..e6cb8496 100644
--- a/app/models/interesting_finding.rb
+++ b/app/models/interesting_finding.rb
@@ -42,4 +42,7 @@ module WPScan
 
   class UploadSQLDump < InterestingFinding
   end
+
+  class WPCron < InterestingFinding
+  end
 end
diff --git a/spec/app/finders/interesting_findings/wp_cron_spec.rb b/spec/app/finders/interesting_findings/wp_cron_spec.rb
new file mode 100644
index 00000000..1b4b5fd0
--- /dev/null
+++ b/spec/app/finders/interesting_findings/wp_cron_spec.rb
@@ -0,0 +1,30 @@
+describe WPScan::Finders::InterestingFindings::WPCron do
+  subject(:finder) { described_class.new(target) }
+  let(:target) { WPScan::Target.new(url) }
+  let(:url) { 'http://ex.lo/' }
+  let(:wp_content) { 'wp-content' }
+
+  before { expect(target).to receive(:sub_dir).at_least(1).and_return(false) }
+
+  describe '#aggressive' do
+    before { stub_request(:get, finder.wp_cron_url).to_return(status: status) }
+
+    context 'when 200' do
+      let(:status) { 200 }
+
+      it 'returns the InterestingFinding' do
+        expect(finder.aggressive).to eql WPScan::WPCron.new(
+          finder.wp_cron_url,
+          confidence: 100,
+          found_by: described_class::DIRECT_ACCESS
+        )
+      end
+    end
+
+    context 'otherwise' do
+      let(:status) { 403 }
+
+      its(:aggressive) { should be_nil }
+    end
+  end
+end
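Review bot: `return unless res.code == 200` is the only evidence checked before a confidence-100 finding is raised in `aggressive`, so a target that answers unknown paths with a 200 soft-404 page will report wp-cron.php as present. Since wp-cron.php presumably produces no output when fetched directly, also requiring an empty body, `return unless res.code == 200 && res.body.empty?`, would cut that false positive; confirm `res.body` against the response type Browser.get returns. The `# @return [ InterestingFinding ]` tag should read `# @return [ InterestingFinding, nil ]` because the method returns nil for every other status, and `wp_cron_url` lacks any documentation: a `# @return [ String ] URL of the target's wp-cron.php, built once and memoised` comment would cover it.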
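Review bot: `let(:wp_content) { 'wp-content' }` is never referenced by any example in this spec and should be removed. The 'otherwise' context exercises only a 403, while the finder returns nil for every non-200 status; adding a 404 example, the usual answer from a host without WordPress, would make that contract explicit. The `before` expectation on `target.sub_dir` would also benefit from a one-line comment stating that `finder.wp_cron_url` presumably reaches it through `target.url`, which is why the stub is needed at least once.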