Change: v2.3

CVE ID for OptimizePress theme file upload vulnerability

.gitignore

@@ -11,3 +11,4 @@ log.txt
 .yardoc
 debug.log
 wordlist.txt
+rspec_results.html

.travis.yml

@@ -1,6 +1,7 @@
 language: ruby
 rvm:
-  - "1.9.2"
-  - "1.9.3"
-  - "2.0.0"
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
 script: bundle exec rspec --format documentation

CHANGELOG.md

@@ -1,9 +1,65 @@
 # Changelog
+## Master
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.3...master)
+
+## Version 2.3
+Released: 2014-02-11
+
+New
+* Brute forcing over https!
+* Detect and output parent theme!
+* Complete fingerprint script & hash search
+* New spell checker!
+* Added database modification dates in status report
+* Added 'Total WordPress Sites in the World' statistics
+* Added separator between Name and Version in Item 
+* Added a "Work in progress" URL in the CHANGELOG
+
+Removed
+* Removed "Exiting!" sentence
+* Removed Backtrack Linux. Not maintained anymore.
+
+General core
+* Ruby 2.1.0 added to Travis
+* Updated the version of WebMock required
+* Better string concatenation in code (improves speed)
+* Some modifications in the output of an item
+* Output cosmetics
+* rspec-mocks version constraint released
+* Tabs replaced by spaces
+* Rspecs update
+* Indent code cleanup
+* Themes & Plugins lists regenerated
+
+Vulnerabilities
+* Update WordPress Vulnerabilities
+* Disabled some fake reported vulnerabilities
+* Fixed some duplicate vulnerabilities
+
+WPScan Database Statistics:
+* Total vulnerable versions: 78; 2 are new
+* Total vulnerable plugins: 693; 83 are new
+* Total vulnerable themes: 251; 55 are new
+* Total version vulnerabilities: 291 17 are new
+* Total plugin vulnerabilities: 1016; 236 are new
+* Total theme vulnerabilities: 283; 79 are new
+
+Add WP Fingerprints
+* Better fingerprints
+* WP 3.8.1 Fingerprinting
+* WP 3.8 Fingerprinting
+
+Fixed issues
+* Fix #404 - Brute forcing issue over https
+* Fix #398 - Removed a fake vuln in WP Super Cache
+* Fix #393 - sudo added to the bundle install cmd for Mac OSX
+* Fix #228, #327 - Infinite loop when self-redirect 
+* Fix #201 - Incorrect Paramter Parsing when no url was supplied
 
 ## Version 2.2 
 Released: 2013-11-12
 
-Added
+New
 * Output the vulnerability fix if available
 * Added 'WordPress Version Vulnerability' statistics
 * Added Kali Linux on the list of pre-installed Linux distributions
@@ -82,13 +138,13 @@ Vulnerabilities
 * Update timthumb due to Secunia #54801
 * Added WP vuln: 3.4 - 3.5.1 wp-admin/users.php FPD
 
-WPScan Databse Statistics:
-* Total vulnerable versions: 76, 4 are new
-* Total vulnerable plugins: 606, 197 are new
-* Total vulnerable themes: 194, 45 are new
-* Total version vulnerabilities: 274, 53 are new
-* Total plugin vulnerabilities: 764, 270 are new
-* Total theme vulnerabilities: 198, 46 are new
+WPScan Database Statistics:
+* Total vulnerable versions: 76; 4 are new
+* Total vulnerable plugins: 610; 201 are new
+* Total vulnerable themes: 196; 47 are new
+* Total version vulnerabilities: 274; 53 are new
+* Total plugin vulnerabilities: 780; 286 are new
+* Total theme vulnerabilities: 204; 52 are new
 
 Add WP Fingerprints
 * WP 3.7.1 Fingerprinting

CREDITS

@@ -6,7 +6,7 @@ This file is to give credit to WPScan's contributors. If you feel your name shou
 
 Erwan.LR - @erwan_lr - (Project Developer)
 Christian Mehlmauer - @_FireFart_ - (Project Developer)
-Gianluca Brindisi - @gbrindisi (Project Developer)
+Peter van der Laan - pvdl - (Vuln Hunter and Code Cleaner)
 Ryan Dewhurst - @ethicalhack3r (Project Lead)
 
 *Other Contributors*
@@ -17,4 +17,4 @@ Callum Pember - Implemented proxy support - callumpember at gmail.com
 g0tmi1k - Additional timthumb checks + bug reports.
 Melvin Lammerts - Reported a couple of fake vulnerabilities - melvin at 12k.nl
 Paolo Perego - @thesp0nge - Basic authentication
-Peter van der Laan - The Vuln Hunter and Code Cleaner
+Gianluca Brindisi - @gbrindisi - Project Developer

Gemfile

@@ -1,6 +1,5 @@
 source "https://rubygems.org"
 
-# Seg fault in Typhoeus 0.6.3 (and ethon > 0.5.11) with rspec
 gem "typhoeus", ">=0.6.3"
 gem "nokogiri"
 gem "json"
@@ -8,8 +7,7 @@ gem "terminal-table"
 gem "ruby-progressbar", ">=1.2.0"
 
 group :test do
-  gem "webmock", ">=1.9.3"
+  gem "webmock", ">=1.17.2"
   gem "simplecov"
   gem "rspec", :require => "spec"
-  gem "rspec-mocks", "<=2.14.2" # 2.14.3 just messed around :/
 end

README

@@ -32,7 +32,7 @@ ryandewhurst at gmail
   WPScan comes pre-installed on the following Linux distributions:
 
    * BackBox Linux
-   * BackTrack Linux
+   * Kali Linux
    * Pentoo
    * SamuraiWTF
 
@@ -76,7 +76,7 @@ ryandewhurst at gmail
 
     git clone https://github.com/wpscanteam/wpscan.git
     cd wpscan
-    sudo gem install bundler && bundle install --without test
+    sudo gem install bundler && sudo bundle install --without test
 
 ==KNOWN ISSUES==
 

README.md

@@ -27,7 +27,6 @@ ryandewhurst at gmail
 WPScan comes pre-installed on the following Linux distributions:
 
 - [BackBox Linux](http://www.backbox.org/)
-- [BackTrack Linux](http://www.backtrack-linux.org/)
 - [Kali Linux](http://www.kali.org/)
 - [Pentoo](http://www.pentoo.ch/)
 - [SamuraiWTF](http://samurai.inguardians.com/)
@@ -84,7 +83,7 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
 ```cd wpscan```
 
-```sudo gem install bundler && bundle install --without test```
+```sudo gem install bundler && sudo bundle install --without test```
 
 #### KNOWN ISSUES
 

data/local_vulnerable_files.xsd

@@ -4,7 +4,9 @@
 
   <xs:simpleType name="stringtype">
     <xs:restriction base="xs:string">
+      <xs:whiteSpace value="preserve" />
       <xs:minLength value="1" />
+      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
     </xs:restriction>
   </xs:simpleType>
 

data/themes.txt

@@ -1,189 +1,189 @@
-2013-black-and-white
 academica
-accessible-zen
+activetab
 adamos
 adelle
 admired
 adventure
-adventure-journal
 aldehyde
 alexandria
-alhena-lite
 analytical-lite
+anarcho-notepad
 andrina-lite
-annotum-base
+appointment
+aquarius
 ascetica
 aspen
+asteria-lite
+asteroid
 atahualpa
-atheros
 attitude
-attorney
 autofocus
 beach
+bearded
+bicubic
 birdsite
-birdtips
+bizantine
+bizark
+bizflare
+bizkit
 biznez-lite
+bizsphere
 bizstudio-lite
 bizway
-black-rider
 blackbird
 blain
 blankslate
 blogbox
+blogly-lite
 blogolife
-bold-headline
+blogotron
+blox
+blue-planet
 boldr-lite
-book-lite
 boot-store
+bootstrap-ultimate
 bota
 bouquet
 bresponzive
+brightnews
 bueno
+bushwick
 business-lite
 busiprof
+butterbelly
 buzz
-careta
+byblos
 carton
 catch-box
 catch-everest
 catch-evolution
-cazuela
-celebrate
 celestial-lite
-central
 chaostheory
-cherry-blossom
 childishly-simple
+chooko-lite
 church
-clean-black
+cirrus
 clean-retina
 coller
 colorway
 contango
 coraline
 corpo
+crates
+current
 custom-community
 customizr
 cyberchimps
-cycnus
-d5-business-line
-d5-design
 d5-socialia
-dailypost
 decode
-delicate
-delighted
 designfolio
 destro
-deux-milles-douze
 discover
 dms
 duena
 dusk-to-dawn
 duster
 dw-minion
-easel
+dw-wallpress
+dzonia-lite
 eclipse
-elegantwhite
-emphaino
-encounters-lite
+elisium
 engrave-lite
+enough
+envision
 epic
+esell
 esplanade
-espressionista
 esquire
 estate
 evolve
 expound
+family
 fashionistas
+fastr
+figero
 fine
 firmasite
-fluxipress
+fixy
+flounder
 focus
+forestly
 forever
+formidable-restaurant
+frau
+fresh-lite
 frisco-for-buddypress
 frontier
 fruitful
-futuristica
+future
 gamepress
+gold
 golden-eagle-lite
 graphene
-greenpage
+gridbulletin
 gridiculous
 gridster-lite
-hannari
 hatch
 hazen
-heatmap-adaptive
 hero
-hiero
 highwind
-hostmarks
-houston
-hro
-hybrid
+hueman
+hypnotist
 iconic-one
-icy
 ifeature
-imag-mag
-impressio-lite
-impulse
-infoway
-innovative
+inkness
+inkzine
 intuition
-irex-lite
+invert-lite
 iribbon
-kabbo
+isis
+journalism
 klasik
-koenda
-lamya
-landscape
-leaf
-litesta
-lobster
+leatherdiary
+leniy-radius
+limelight
+lizardbusiness
 local-business
 lugada
-luminescence-lite
-magazine
 magazine-basic
 magazine-style
 magazino
-manchester
 mantra
-marla
 max-magazine
-melany
+meadowhill
+medicine
+mesocolumn
 mh-magazine-lite
+ming
 minimatica
 minimize
-mixfolio
 modern-estate
-mon-cahier
 montezuma
-multipurpose
-my-depressive
-my-world-with-grass-and-dew
-mystique
-narga
+multiloquent
 neuro
+neutro
+newdark
+newlife
 newp
+newtek
 next-saturday
+nictitate
 omega
+one-page
+onecolumn
 openstrap
 opulus-sombre
 origami
 origin
 oxygen
 p2
-p2-categories
 pagelines
 parabola
+parallax
 parament
-path
 phonix
-photographic
 photolistic
-photologger
+piedmont
 pilcrow
 pilot-fish
 pinbin
@@ -193,48 +193,51 @@ pitch
 platform
 point
 portfolio-press
-pr-news
-prana
+pr-pin
 preference-lite
+preus
+primo-lite
+privatebusiness
 quark
-r2d2
 raindrops
 raptor
 raven
+ready-review
+reddle
+redify
+reizend
 response
 responsive
 restaurateur
-retro
-road-fighter
-ryu
+reviewgine-affiliate
+ridizain
+rtpanel
+rundown
 sampression-lite
 sensitive
 serene
-shprink-one
+shopping
+sigma
 silverclean-lite
-simple-and-clean
 simple-catch
 simpleo
 simplicity-lite
-simplify
 sixteen
 sliding-door
-small-business
 snaps
 snapshot
-snowblind
-socially-awkward
+sorbet
 spartan
 spasalon
-spine
+sporty
 spun
-squirrel
+stargazer
 startupwp
 steira
 strapvert
-striker
 suevafree
 suffusion
+sugar-and-spice
 suits
 sukelius-magazine
 sundance
@@ -242,46 +245,45 @@ sunny-blue-sky
 sunspot
 supernova
 surfarama
-sweet-tech
 swift-basic
-tampa
-target
+syntax
+tanzanite
 teal
+techism
+tempera
 terrifico
-tesla
-the-bootstrap
+the-falcon
 thematic
 themia-lite
 theron-lite
-timeturner
 tiny-forge
 tonic
-toolbox
 travel-blogger
+travel-lite
 travelify
-tribbiani
 twentyeleven
+twentyfourteen
 twentyten
 twentythirteen
 twentytwelve
-unique
-untitled
-uptown
+unite
 vantage
+venom
 viper
 virtue
-visitpress
-visual
-vortex
 voyage
 ward
 weaver-ii
-wordpost
+weavr
+wiziapp-smooth-touch
+wordplus
+wp-advocate
+wp-barrister
 wp-creativix
-wp-flatthirteen
-wp-knowledge-base
 wp-opulus
-xin-magazine
+wp-simple
+writr
+x2
 yoko
 zalive
 zbench
@@ -290,9 +292,7 @@ zeebusiness
 zeedynamic
 zeeflow
 zeefocus
-zeemagazine
 zeeminty
-zeenews
 zeenoble
 zeestyle
 zeesynergie

data/vuln.xsd

@@ -4,7 +4,9 @@
 
   <xs:simpleType name="stringtype">
     <xs:restriction base="xs:string">
+      <xs:whiteSpace value="preserve" />
       <xs:minLength value="1" />
+      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
     </xs:restriction>
   </xs:simpleType>
 

data/wp_versions.xml

@@ -10,65 +10,52 @@
 <wp-versions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:noNamespaceSchemaLocation="wp_versions.xsd">
 
-  <file src="wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin_src.js">
-    <hash md5="5d01c0e812cdcd6356b78ee0cb4e5426">
+  <file src="wp-includes/css/buttons-rtl.css">
+    <hash md5="fb062ed92b76638c161e80f4a5426586">
+      <version>3.8.1</version>
+    </hash>
+    <hash md5="71c13ab1693b45fb3d7712e540c4dfe0">
+      <version>3.8</version>
+    </hash>
+  </file>
+
+  <file src="wp-includes/js/tinymce/wp-tinymce.js.gz">
+    <hash md5="44d281b0d84cc494e2b095a6d2202f4d">
       <version>3.7.1</version>
     </hash>
-  </file>
-
-  <file src="wp-includes/js/jquery/jquery.form.js">
-    <hash md5="e5afd8e41d2ec22c19932b068cd90a71">
+    <hash md5="b0bcf8091516db358ee9c833afd73175">
       <version>3.7</version>
     </hash>
-  </file>
-
-  <file src="wp-admin/js/common.js">
-    <hash md5="03eaffeef39119f0523a49c7f9767f3b">
+    <hash md5="cf4bbd562430a9bcbe735062be851be1">
       <version>3.6.1</version>
     </hash>
-    <hash md5="4516252d47a73630280869994d510180">
-      <version>3.3</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/jquery/jquery.js">
-    <hash md5="9dcde2d5e8aeda556a0c52239fa2f44c">
+    <hash md5="42ce18e88f1c21d4e991fcd431bcb606">
       <version>3.6</version>
     </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/tiny_mce.js">
-    <hash md5="eddb5fda74d41dbdac018167536d8d53">
+    <hash md5="a58dd12608659503cf087e879e720354">
       <version>3.5.2</version>
     </hash>
-
-    <hash md5="6e79ab6d786c5c95920064add33ee599">
+    <hash md5="55c80a4794624ce9b94aa3631ad46c0b">
       <version>3.5.1</version>
     </hash>
-
-    <hash md5="55cd8e5ceca9c1763b1401164d70df50">
+    <hash md5="8e529a971610d7ebe7851339c5cb3d67">
       <version>3.5</version>
     </hash>
-  </file>
-
-  <file src="wp-includes/js/wp-lists.js">
-    <hash md5="46e1341cd4ea49f31046f7d7962adc7f">
+    <hash md5="ff19e44be975f89b647274d85b70f821">
       <version>3.4.2</version>
     </hash>
   </file>
 
-  <file src="wp-includes/js/customize-preview.js">
-    <hash md5="617d9fd858e117c7d1d087be168b5643">
+  <file src="wp-admin/js/customize-controls.js">
+    <hash md5="aa0d38bd6f590ad8c3126074145b1bf1">
       <version>3.4.1</version>
     </hash>
+  </file>
 
+  <file src="wp-includes/js/customize-preview.js">
     <hash md5="da36bc2dfcb13350c799b62de68dfa4b">
       <version>3.4</version>
     </hash>
-
-    <hash md5="a8a259fc5197a78ffe62d6be38dc52f8">
-      <version>3.4-beta4</version>
-    </hash>
   </file>
 
   <file src="wp-includes/js/plupload/plupload.js">
@@ -77,27 +64,26 @@
     </hash>
   </file>
 
-
   <file src="$wp-content$/themes/twentyeleven/style.css">
-
     <!-- same md5 for 3.3.2 -->
     <hash md5="030d3bac906ba69e9fbc99c5bac54a8e">
       <version>3.3.1</version>
     </hash>
-
   </file>
 
+  <file src="wp-admin/js/common.js">
+    <hash md5="4516252d47a73630280869994d510180">
+      <version>3.3</version>
+    </hash>
+  </file>
 
   <file src="wp-admin/js/wp-fullscreen.js">
-
     <hash md5="5675f7793f171b6424bf72f9d7bf4d9a">
       <version>3.2.1</version>
     </hash>
-
     <hash md5="7b423e0b7c9221092737ad5271d09863">
       <version>3.2</version>
     </hash>
-
   </file>
 
   <file src="wp-includes/css/admin-bar.css">
@@ -106,118 +92,82 @@
     </hash>
   </file>
 
-
   <file src="$wp-content$/themes/twentyten/style.css">
-
     <hash md5="6211e2ac1463bf99e98f28ab63e47c54">
       <version>3.0</version>
     </hash>
-
   </file>
 
-
   <file src="$wp-plugins$/akismet/readme.txt">
-
     <hash md5="4d5e52da417aa0101054bd41e6243389">
       <version>2.8.6</version>
     </hash>
-
     <hash md5="58e086dea9d24ed074fe84ba87386c69">
       <version>2.8.5</version>
     </hash>
-
     <hash md5="48c52025b5f28731e9a0c864c189c2e7">
       <version>2.8.2</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/wp-ajax-response.js">
-
     <hash md5="0289d1c13821599764774d55516ab81a">
       <version>2.7.1</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/thickbox/thickbox.css">
-
     <hash md5="9c2bd2be0893adbe02a0f864526734c2">
       <version>2.7</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin.js">
-
     <hash md5="5b140ddf0f08034402ae78b31d8a1a28">
       <version>2.6</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/tinymce/themes/advanced/js/image.js">
-
     <hash md5="088245408531c58bb52cc092294cc384">
       <version>2.5.1</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/tinymce/themes/advanced/js/link.js">
-
     <hash md5="19c6f3118728c38eb7779aab4847d2d9">
       <version>2.5</version>
     </hash>
-
   </file>
 
-
   <file src="wp-includes/js/wp-ajax.js">
-
     <hash md5="c5dbce0c3232c477033e0ce486c62755">
       <version>2.2</version>
     </hash>
-
   </file>
 
-
   <file src="$wp-content$/themes/default/style.css">
-
     <hash md5="e44545f529a54de88209ce588676231c">
       <version>2.0.1</version>
     </hash>
-
     <hash md5="f786f66d3a40846aa22dcdfeb44fa562">
       <version>2.0</version>
     </hash>
-
   </file>
 
-
   <file src="wp-layout.css">
-
     <hash md5="7140e06c00ed03d2bb3dad7672557510">
       <version>1.2.1</version>
     </hash>
-
     <hash md5="1bcc9253506c067eb130c9fc4f211a2f">
       <version>1.2-delta</version>
     </hash>
   </file>
 
-
   <file src="layout2b.css">
-
     <hash md5="baec6b6ccbf71d8dced9f1bf67c751e1">
       <version>0.71-gold</version>
     </hash>
-
   </file>
 
 </wp-versions>

data/wp_versions.xsd

@@ -4,7 +4,9 @@
 
   <xs:simpleType name="stringtype">
     <xs:restriction base="xs:string">
+      <xs:whiteSpace value="preserve" />
       <xs:minLength value="1" />
+      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
     </xs:restriction>
   </xs:simpleType>
 

data/wp_vulns.xml

@@ -3,6 +3,28 @@
 <vulnerabilities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:noNamespaceSchemaLocation="vuln.xsd">
 
+  <wordpress version="3.8">
+    <vulnerability>
+      <title>wp-admin/options-writing.php Cleartext Admin Credentials Disclosure</title>
+      <references>
+        <osvdb>101101</osvdb>
+        <url>http://seclists.org/fulldisclosure/2013/Dec/135</url>
+      </references>
+      <type>AUTHBYPASS</type>
+    </vulnerability>
+  </wordpress>
+
+  <wordpress version="3.7.1">
+    <vulnerability>
+      <title>wp-admin/options-writing.php Cleartext Admin Credentials Disclosure</title>
+      <references>
+        <osvdb>101101</osvdb>
+        <url>http://seclists.org/fulldisclosure/2013/Dec/135</url>
+      </references>
+      <type>AUTHBYPASS</type>
+    </vulnerability>
+  </wordpress>
+
   <wordpress version="3.6">
     <vulnerability>
       <title>PHP Object Injection</title>
@@ -34,6 +56,7 @@
         <osvdb>97212</osvdb>
         <cve>2013-4339</cve>
         <secunia>54803</secunia>
+        <exploitdb>28958</exploitdb>
         <url>http://packetstormsecurity.com/files/123589/</url>
         <url>http://core.trac.wordpress.org/changeset/25323</url>
       </references>
@@ -61,9 +84,43 @@
       <type>XSS</type>
       <fixed_in>3.6.1</fixed_in>
     </vulnerability>
+    <vulnerability>
+      <title>Multiple Function Path Disclosure</title>
+      <references>
+        <osvdb>100487</osvdb>
+        <url>http://seclists.org/fulldisclosure/2013/Nov/220</url>
+      </references>
+      <type>UNKNOWN</type>
+    </vulnerability>
+    <vulnerability>
+      <title>Multiple Script Arbitrary Site Redirect</title>
+      <references>
+        <osvdb>101181</osvdb>
+        <url>http://seclists.org/fulldisclosure/2013/Dec/174</url>
+      </references>
+      <type>REDIRECT</type>
+      <fixed_in>3.6.1</fixed_in>
+    </vulnerability>
+    <vulnerability>
+      <title>wp-admin/edit-tags.php _wp_http_referer Parameter Reflected XSS</title>
+      <references>
+        <osvdb>101182</osvdb>
+        <url>http://seclists.org/fulldisclosure/2013/Dec/174</url>
+      </references>
+      <type>XSS</type>
+      <fixed_in>3.6.1</fixed_in>
+    </vulnerability>
   </wordpress>
 
   <wordpress version="3.5.2">
+    <vulnerability>
+      <title>Media Library Multiple Function Path Disclosure</title>
+      <references>
+        <osvdb>100484</osvdb>
+        <url>http://websecurity.com.ua/6795/</url>
+      </references>
+      <type>FPD</type>
+    </vulnerability>
     <vulnerability>
       <title>SWFUpload Content Spoofing</title>
       <references>
@@ -85,7 +142,7 @@
       <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
-      <title>WordPress 3.4 - 3.5.1 DoS in class-phpass.php</title>
+      <title>WordPress 3.4-3.5.1 DoS in class-phpass.php</title>
       <references>
         <url>http://seclists.org/fulldisclosure/2013/Jun/65</url>
         <secunia>53676</secunia>
@@ -103,6 +160,7 @@
         <osvdb>94790</osvdb>
       </references>
       <type>XSS</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
       <title>WordPress TinyMCE Plugin Flash Applet Unspecified Spoofing Weakness</title>
@@ -110,6 +168,7 @@
         <osvdb>94787</osvdb>
       </references>
       <type>UNKNOWN</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
       <title>WordPress File Upload Unspecified Path Disclosure</title>
@@ -117,27 +176,31 @@
         <osvdb>94788</osvdb>
       </references>
       <type>UNKNOWN</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
-      <title>WordPress oEmbed Unspecified XML External Entity (XXE) Arbitrary File Disclosure</title>
+      <title>WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE) Arbitrary File Disclosure</title>
       <references>
         <osvdb>94789</osvdb>
       </references>
       <type>XXE</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
-      <title>WordPress Multiple Role Remote Privilege Escalation</title>
+      <title>WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation</title>
       <references>
         <osvdb>94783</osvdb>
       </references>
       <type>UNKNOWN</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
     <vulnerability>
-      <title>WordPress HTTP API Unspecified Server Side Request Forgery (SSRF)</title>
+      <title>WordPress 3.5-3.5.1 HTTP API Unspecified Server Side Request Forgery (SSRF)</title>
       <references>
         <osvdb>94784</osvdb>
       </references>
       <type>SSRF</type>
+      <fixed_in>3.5.2</fixed_in>
     </vulnerability>
   </wordpress>
 
@@ -422,7 +485,7 @@
       <type>MULTI</type>
     </vulnerability>
     <vulnerability>
-      <title>Wordpress 3.3.1 Multiple CSRF Vulnerabilities</title>
+      <title>Wordpress 3.3.1 - Multiple CSRF Vulnerabilities</title>
       <references>
         <exploitdb>18791</exploitdb>
       </references>
@@ -556,11 +619,14 @@
 
   <wordpress version="3.1.3">
     <vulnerability>
-      <title>Multiple SQL Injection Vulnerabilities</title>
+      <title>wp-admin/link-manager.php Multiple Parameter SQL Injection</title>
       <references>
+        <osvdb>73723</osvdb>
         <exploitdb>17465</exploitdb>
+        <secunia>45099</secunia>
       </references>
       <type>SQLI</type>
+      <fixed_in>3.1.4</fixed_in>
     </vulnerability>
     <vulnerability>
       <title>XSS vulnerability in swfupload in WordPress</title>
@@ -1724,6 +1790,17 @@
       </references>
       <type>UNKNOWN</type>
     </vulnerability>
+    <vulnerability>
+      <title>WordPress Command Execution and PHP Injection</title>
+      <references>
+        <cve>2007-1277</cve>
+        <secunia>24374</secunia>
+        <url>http://www.securityfocus.com/bid/22797</url>
+        <url>http://xforce.iss.net/xforce/xfdb/32807</url>
+      </references>
+      <type>RCE</type>
+      <fixed_in>2.1.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>XMLRPC Pingback API Internal/External Port Scanning</title>
       <references>
@@ -1947,6 +2024,13 @@
       </references>
       <type>UNKNOWN</type>
     </vulnerability>
+    <vulnerability>
+      <title>WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection Vulnerability</title>
+      <references>
+        <url>http://www.securityfocus.com/bid/18779</url>
+      </references>
+      <type>SQLI</type>
+    </vulnerability>
   </wordpress>
 
   <wordpress version="2.0.3">
@@ -1971,6 +2055,13 @@
       </references>
       <type>UNKNOWN</type>
     </vulnerability>
+    <vulnerability>
+      <title>WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection Vulnerability</title>
+      <references>
+        <url>http://www.securityfocus.com/bid/18779</url>
+      </references>
+      <type>SQLI</type>
+    </vulnerability>
   </wordpress>
 
   <wordpress version="2.0.2">
@@ -2002,9 +2093,24 @@
       </references>
       <type>UNKNOWN</type>
     </vulnerability>
+    <vulnerability>
+      <title>WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection Vulnerability</title>
+      <references>
+        <url>http://www.securityfocus.com/bid/18779</url>
+      </references>
+      <type>SQLI</type>
+    </vulnerability>
   </wordpress>
 
   <wordpress version="2.0.1">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass Vulnerability</title>
       <references>
@@ -2029,6 +2135,14 @@
   </wordpress>
 
   <wordpress version="2.0">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass Vulnerability</title>
       <references>
@@ -2053,6 +2167,14 @@
   </wordpress>
 
   <wordpress version="1.5.2">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>XMLRPC Pingback API Internal/External Port Scanning</title>
       <references>
@@ -2070,6 +2192,14 @@
   </wordpress>
 
   <wordpress version="1.5.1.3">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>Wordpress &lt;= 1.5.1.3 Remote Code Execution eXploit (metasploit)</title>
       <references>
@@ -2094,6 +2224,14 @@
   </wordpress>
 
   <wordpress version="1.5.1.2">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>Wordpress &lt;= 1.5.1.2 xmlrpc Interface SQL Injection Exploit</title>
       <references>
@@ -2128,6 +2266,14 @@
   </wordpress>
 
   <wordpress version="1.5.1.1">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>WordPress &lt;= 1.5.1.1 &quot;add new admin&quot; SQL Injection Exploit</title>
       <references>
@@ -2159,6 +2305,14 @@
   </wordpress>
 
   <wordpress version="1.5.1">
+    <vulnerability>
+      <title>Wordpress wp-register.php Multiple Parameter XSS</title>
+      <references>
+        <osvdb>38577</osvdb>
+      </references>
+      <type>XSS</type>
+      <fixed_in>2.0.2</fixed_in>
+    </vulnerability>
     <vulnerability>
       <title>XMLRPC Pingback API Internal/External Port Scanning</title>
       <references>

dev/pre-commit-hook.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+
+# ln -sf /Users/xxx/wpscan/dev/pre-commit-hook.rb /Users/xxx/wpscan/.git/hooks/pre-commit
+
+require 'pty'
+html_path = 'rspec_results.html'
+
+begin
+  PTY.spawn( "rspec spec --format h > #{html_path}" ) do |stdin, stdout, pid|
+    begin
+      stdin.each { |line| print line }
+    rescue Errno::EIO => e
+      puts "Error: #{e.to.s}"
+      return 1
+    end
+  end
+rescue PTY::ChildExited
+  puts 'Child process exit!'
+end
+
+# find out if there were any errors
+html = open(html_path).read
+examples = html.match(/(\d+) examples/)[0].to_i rescue 0
+errors = html.match(/(\d+) errors/)[0].to_i rescue 0
+if errors == 0 then
+  errors = html.match(/(\d+) failure/)[0].to_i rescue 0
+end
+pending = html.match(/(\d+) pending/)[0].to_i rescue 0
+
+if errors.zero?
+  puts "0 failed! #{examples} run, #{pending} pending"
+  sleep 1
+  exit 0
+else
+  puts "\aCOMMIT FAILED!!"
+  puts "View your rspec results at #{File.expand_path(html_path)}"
+  puts
+  puts "#{errors} failed! #{examples} run, #{pending} pending"
+  exit 1
+end

dev/wp-versions.rb

@@ -0,0 +1,237 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'uri'
+require 'dm-core'
+require 'dm-migrations'
+require 'dm-constraints'
+require 'optparse'
+require 'nokogiri'
+require 'typhoeus'
+
+@db = "#{Dir.pwd}/wp-versions.db"
+
+# return [ Array<String> ] The Stable versions (sorted by number DESC)
+def get_remote_wp_versions
+  versions = []
+  page = Nokogiri::HTML(Typhoeus.get('http://wordpress.org/download/release-archive/').body)
+
+  page.css('.widefat').first.css('tbody tr td:first').each do |node|
+    versions << node.text.strip
+  end
+  versions.reverse
+end
+
+def remove_dir(dir)
+  %x{rm -rf #{dir}}
+end
+
+def download(file_url, dest)
+  %x{wget -q -np -O #{dest} #{file_url} > /dev/null}
+end
+
+def wp_version_zip_url(version)
+  "http://wordpress.org/wordpress-#{version}.zip"
+end
+
+def wp_version_zip_md5(version)
+  Typhoeus.get("#{wp_version_zip_url(version)}.md5").body
+end
+
+def file_md5(file_path)
+  Digest::MD5.file(file_path).hexdigest
+end
+
+def web_page_md5(url)
+  Digest::MD5.hexdigest(Typhoeus.get(url).body)
+end
+
+def download_and_unzip_version(version, dest)
+  dest_zip = "/tmp/wp-#{version}.zip"
+
+  download(wp_version_zip_url(version), dest_zip)
+
+  if $?.exitstatus === 0 and File.exists?(dest_zip)
+    if file_md5(dest_zip) === wp_version_zip_md5(version)
+      remove_dir("#{dest}/wordpress/")
+      unzip(dest_zip, dest)
+
+      return true
+    else
+      raise 'Invalid md5'
+      # Redownload the file ?
+    end
+  else
+    raise 'Download error'
+  end
+end
+
+def unzip(zip_path, dest)
+  %x{unzip -o -d #{dest} #{zip_path}}
+end
+
+parser = OptionParser.new("Usage: ruby #{$0} [options]", 50) do |opts|
+  opts.on('--db PATH-TO-DB', '-d', 'Path to the db, default: wp-versions.db') do |db|
+    @db = db
+  end
+
+  opts.on('--update', '-u', 'Update the db') do
+    @update = true
+  end
+
+  opts.on('--verbose', '-v', 'Verbose Mode') do
+    @verbose = true
+  end
+
+  opts.on('--show-unique-fingerprints WP-VERSION', '--suf', 'Output the unique file hashes for the given version of WordPress') do |version|
+    @version = version
+  end
+
+  opts.on('--search-hash HASH', '--sh', 'Search the hash and output the WP versions & file') do |hash|
+    @hash = hash
+  end
+
+  opts.on('--search-file RELATIVE-FILE-PATH', '--sf', 'Search the file and output the Wp versions & hashes') do |file|
+    @file = file
+  end
+
+  opts.on('--fingerprint URL', 'Fingerprint a remote wordpress blog') do |url|
+    @target_url  = url
+    @target_url += '/' if @target_url[-1,1] != '/'
+  end
+end
+parser.parse!
+
+DataMapper::Logger.new($stdout, @verbose ? :debug : :fatal)
+DataMapper::setup(:default, "sqlite://#{@db}")
+
+class Version
+  include DataMapper::Resource
+
+  has n, :fingerprints, constraint: :destroy
+
+  property :id, Serial
+  property :number, String, required: true, unique: true
+end
+
+class Path
+  include DataMapper::Resource
+
+  has n, :fingerprints, constraint: :destroy
+
+  property :id, Serial
+  property :value, String, required: true, unique: true
+end
+
+class Fingerprint
+  include DataMapper::Resource
+
+  belongs_to :version, key: true
+  belongs_to :path, key: true
+
+  property :md5_hash, String, required: true, length: 32
+
+  # DataMapper does not seem to support ordering by a column in a joining model
+  # Solution found on StackOverflow ("DataMapper: Sorting results though association")
+  def self.order_by_version(direction = :asc)
+    order = DataMapper::Query::Direction.new(version.number, direction)
+    query = all.query
+    query.instance_variable_set('@order', [order])
+    query.instance_variable_set('@links', [relationships['version'].inverse])
+    all(query)
+  end
+end
+
+DataMapper.auto_upgrade!
+
+# Update
+if @update
+  remote_versions = get_remote_wp_versions()
+  puts "#{remote_versions.size} remote versions number retrieved"
+
+  remote_versions.each do |version|
+    unless Version.first(number: version)
+      db_version = Version.create(number: version)
+      version_dir = "/tmp/wordpress/"
+
+      puts "Downloading and unziping v#{version} to #{version_dir}"
+      download_and_unzip_version(version, '/tmp/')
+
+      puts 'Processing Fingerprints'
+      Dir[File.join(version_dir, '**', '*')].reject { |f| f =~ /^*.php$/ || Dir.exists?(f) }.each do |filename|
+        hash      = Digest::MD5.file(filename).hexdigest
+        file_path = filename.gsub(version_dir, '')
+        db_path   = Path.first_or_create(value: file_path)
+        fingerprint = Fingerprint.create(path_id: db_path.id, md5_hash: hash)
+
+
+        db_version.fingerprints << fingerprint
+      end
+      db_version.save
+    else
+      puts "Version #{version} already in DB, skipping"
+    end
+  end
+end
+
+if @version
+  if version = Version.first(number: @version)
+    repository(:default).adapter.select('SELECT md5_hash, path_id, version_id, paths.value AS path FROM fingerprints LEFT JOIN paths ON path_id = id WHERE md5_hash NOT IN (SELECT DISTINCT md5_hash FROM fingerprints WHERE version_id != ?) ORDER BY path ASC', version.id).each do |f|
+      if f.version_id == version.id
+        puts "#{f.md5_hash} #{f.path}"
+      end
+    end
+  else
+    puts "The version supplied: '#{@version}' is not in the database"
+  end
+end
+
+if @hash
+  puts "Results for #{@hash}:"
+  Fingerprint.order_by_version(:desc).all(md5_hash: @hash).each do |f|
+    puts "  #{f.version.number} #{f.path.value}"
+  end
+end
+
+if @file
+  puts "Results for #{@file}:"
+
+  if path = Path.first(value: @file)
+    Fingerprint.order_by_version(:desc).all(path_id: path.id).each do |f|
+      puts "  #{f.md5_hash} #{f.version.number}"
+    end
+  else
+    puts 'File not found (the argument must be a relative file path. e.g: wp-admin/css/widgets.css)'
+  end
+end
+
+if @target_url
+  uri = URI.parse(@target_url)
+
+  Version.all(order: [ :number.desc ]).each do |version|
+    total_urls = version.fingerprints.count
+    matches    = 0
+    percent    = 0
+
+    version.fingerprints.each do |f|
+      url = uri.merge(f.path.value).to_s
+
+      if web_page_md5(url) == f.md5_hash
+        matches += 1
+        puts "#{url} matches v#{version.number}" if @verbose
+      end
+
+      percent = ((matches / total_urls.to_f) * 100).round(2)
+
+      print("Version #{version.number} [#{matches}/#{total_urls} #{percent}% matches]\r")
+    end
+
+    puts
+
+    if percent == 100.0
+      puts "The remote version is #{version.number}"
+      exit
+    end
+  end
+end
+

lib/common/browser.rb

@@ -120,18 +120,14 @@ class Browser
       )
     end
 
-    if @request_timeout
-      params = params.merge(timeout: @request_timeout)
-    end
-
-    if @connect_timeout
-      params = params.merge(connecttimeout: @connect_timeout)
-    end
+    params.merge!(timeout: @request_timeout) if @request_timeout
+    params.merge!(connecttimeout: @connect_timeout) if @connect_timeout
 
     # Used to enable the cache system if :cache_ttl > 0
-    unless params.has_key?(:cache_ttl)
-      params = params.merge(cache_ttl: @cache_ttl)
-    end
+    params.merge!(cache_ttl: @cache_ttl) unless params.has_key?(:cache_ttl)
+
+    # Prevent infinite self redirection
+    params.merge!(maxredirs: 3) unless params.has_key?(:maxredirs)
 
     # Disable SSL-Certificate checks
     params.merge!(ssl_verifypeer: false)

lib/common/cache_file_store.rb

@@ -18,8 +18,8 @@ class CacheFileStore
   # YAML is Human Readable, contrary to Marshal which store in a binary format
   # Marshal does not need any "require"
   def initialize(storage_path, serializer = Marshal)
-    @storage_path = File.expand_path(storage_path)
-    @serializer = serializer
+    @storage_path = File.expand_path(storage_path + '/' + storage_dir)
+    @serializer   = serializer
 
     # File.directory? for ruby <= 1.9 otherwise,
     # it makes more sense to do Dir.exist? :/
@@ -58,4 +58,11 @@ class CacheFileStore
     File::join(@storage_path, key)
   end
 
+  def storage_dir
+    time   = Time.now
+    random = (0...8).map { (65 + rand(26)).chr }.join
+
+    Digest::MD5.hexdigest("#{time}#{random}")
+  end
+
 end

lib/common/collections/vulnerabilities/output.rb

@@ -3,9 +3,9 @@
 class Vulnerabilities < Array
   module Output
 
-    def output
+    def output(verbose = false)
       self.each do |v|
-        v.output
+        v.output(verbose)
       end
     end
 

lib/common/collections/wp_items/output.rb

@@ -3,8 +3,8 @@
 class WpItems < Array
   module Output
 
-    def output
-      self.each { |item| item.output }
+    def output(verbose = false)
+      self.each { |item| item.output(verbose) }
     end
 
   end

lib/common/common_helper.rb

@@ -33,7 +33,7 @@ VULNS_XSD           = DATA_DIR + '/vuln.xsd'
 WP_VERSIONS_XSD     = DATA_DIR + '/wp_versions.xsd'
 LOCAL_FILES_XSD     = DATA_DIR + '/local_vulnerable_files.xsd'
 
-WPSCAN_VERSION       = '2.2'
+WPSCAN_VERSION       = '2.3'
 
 $LOAD_PATH.unshift(LIB_DIR)
 $LOAD_PATH.unshift(WPSCAN_LIB_DIR)
@@ -103,7 +103,7 @@ def banner
     puts "                        Version #{version}"
   end
   puts '     Sponsored by the RandomStorm Open Source Initiative'
-  puts ' @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_'
+  puts '   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_'
   puts '_______________________________________________________________'
   puts
 end
@@ -177,3 +177,12 @@ end
 def count_file_lines(file)
   `wc -l #{file.shellescape}`.split[0].to_i
 end
+
+# Truncates a string to a specific length and adds ... at the end
+def truncate(input, size, trailing = '...')
+  size = size.to_i
+  trailing ||= ''
+  return input if input.nil? or size <= 0 or input.length <= size or
+      trailing.length >= input.length or size-trailing.length-1 >= input.length
+  return "#{input[0..size-trailing.length-1]}#{trailing}"
+end

lib/common/models/vulnerability.rb

@@ -5,7 +5,7 @@ require 'vulnerability/urls'
 
 class Vulnerability
   include Vulnerability::Output
-	include Vulnerability::Urls
+  include Vulnerability::Urls
 
   attr_accessor :title, :references, :type, :fixed_in
 
@@ -41,16 +41,16 @@ class Vulnerability
   #
   # @return [ Vulnerability ]
   def self.load_from_xml_node(xml_node)
-		references = {}
-		refs = xml_node.search('references')
-		if refs
-			references[:url] = refs.search('url').map(&:text)
-			references[:cve] = refs.search('cve').map(&:text)
-			references[:secunia] = refs.search('secunia').map(&:text)
-			references[:osvdb] = refs.search('osvdb').map(&:text)
-			references[:metasploit] = refs.search('metasploit').map(&:text)
-			references[:exploitdb] = refs.search('exploitdb').map(&:text)
-		end
+    references = {}
+    refs = xml_node.search('references')
+    if refs
+      references[:url] = refs.search('url').map(&:text)
+      references[:cve] = refs.search('cve').map(&:text)
+      references[:secunia] = refs.search('secunia').map(&:text)
+      references[:osvdb] = refs.search('osvdb').map(&:text)
+      references[:metasploit] = refs.search('metasploit').map(&:text)
+      references[:exploitdb] = refs.search('exploitdb').map(&:text)
+    end
     new(
       xml_node.search('title').text,
       xml_node.search('type').text,

lib/common/models/vulnerability/output.rb

@@ -4,16 +4,16 @@ class Vulnerability
   module Output
 
     # output the vulnerability
-    def output
+    def output(verbose = false)
       puts ' |'
       puts ' | ' + red("* Title: #{title}")
       references.each do |key, urls|
-				methodname = "url_#{key}"
-				urls.each do |u|
-					url = send(methodname, u)
-					puts ' | ' + red("* Reference: #{url}") if url
-				end
-			end
+        methodname = "url_#{key}"
+        urls.each do |u|
+          url = send(methodname, u)
+          puts ' | ' + red("* Reference: #{url}") if url
+        end
+      end
       if !fixed_in.empty?
          puts " | * Fixed in: #{fixed_in}"
       end

lib/common/models/vulnerability/urls.rb

@@ -1,33 +1,33 @@
 # encoding: UTF-8
 
 class Vulnerability
-	module Urls
-		# @return [ String ] The url to the metasploit module page
-		def url_metasploit(module_path)
-			# remove leading slash
-			module_path = module_path.sub(/^\//, '')
-			"http://www.metasploit.com/modules/#{module_path}"
-		end
+  module Urls
+    # @return [ String ] The url to the metasploit module page
+    def url_metasploit(module_path)
+      # remove leading slash
+      module_path = module_path.sub(/^\//, '')
+      "http://www.metasploit.com/modules/#{module_path}"
+    end
 
-		def url_url(url)
-			url
-		end
+    def url_url(url)
+      url
+    end
 
-		def url_cve(cve)
-			"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
-		end
+    def url_cve(cve)
+      "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
+    end
 
-		def url_osvdb(id)
-			"http://osvdb.org/#{id}"
-		end
+    def url_osvdb(id)
+      "http://osvdb.org/#{id}"
+    end
 
-		def url_secunia(id)
-			"http://secunia.com/advisories/#{id}"
-		end
+    def url_secunia(id)
+      "http://secunia.com/advisories/#{id}"
+    end
 
-		def url_exploitdb(id)
-			"http://www.exploit-db.com/exploits/#{id}/"
-		end
+    def url_exploitdb(id)
+      "http://www.exploit-db.com/exploits/#{id}/"
+    end
 
-	end
+  end
 end

lib/common/models/wp_item/existable.rb

@@ -29,7 +29,10 @@ class WpItem
     #
     # @return [ Boolean ]
     def exists_from_response?(response, options = {})
-      if [200, 401, 403].include?(response.code)
+      # 301 included as some items do a self-redirect
+      # Redirects to the 404 and homepage should be ignored (unless dynamic content is used)
+      # by the page hashes (error_404_hash & homepage_hash)
+      if [200, 401, 403, 301].include?(response.code)
         if response.has_valid_hash?(options[:error_404_hash], options[:homepage_hash])
           if options[:exclude_content]
             unless response.body.match(options[:exclude_content])

lib/common/models/wp_item/output.rb

@@ -4,21 +4,19 @@ class WpItem
   module Output
 
     # @return [ Void ]
-    def output
+    def output(verbose = false)
       puts
       puts " | Name: #{self}" #this will also output the version number if detected
       puts " | Location: #{url}"
       #puts " | WordPress: #{wordpress_url}" if wordpress_org_item?
-      puts ' | Directory listing enabled: Yes' if has_directory_listing?
       puts " | Readme: #{readme_url}" if has_readme?
       puts " | Changelog: #{changelog_url}" if has_changelog?
+      puts " | " + red('[!]') + " Directory listing is enabled: #{url}" if has_directory_listing?
+      puts " | " + red('[!]') + " An error_log file has been found: #{error_log_url}" if has_error_log?
+
+      additional_output(verbose) if respond_to?(:additional_output)
 
       vulnerabilities.output
-
-      if has_error_log?
-        puts ' | ' + red('[!]') + " An error_log file has been found : #{error_log_url}"
-      end
     end
-
   end
 end

lib/common/models/wp_item/versionable.rb

@@ -22,7 +22,7 @@ class WpItem
     # @return [ String ]
     def to_s
       item_version = self.version
-      "#@name#{' v' + item_version.strip if item_version}"
+      "#@name#{' - v' + item_version.strip if item_version}"
     end
 
   end

lib/common/models/wp_theme.rb

@@ -3,16 +3,28 @@
 require 'wp_theme/findable'
 require 'wp_theme/versionable'
 require 'wp_theme/vulnerable'
+require 'wp_theme/info'
+require 'wp_theme/output'
+require 'wp_theme/childtheme'
 
 class WpTheme < WpItem
   extend WpTheme::Findable
   include WpTheme::Versionable
   include WpTheme::Vulnerable
+  include WpTheme::Info
+  include WpTheme::Output
+  include WpTheme::Childtheme
 
   attr_writer :style_url
 
   def allowed_options; super << :style_url end
 
+  def initialize(*args)
+    super(*args)
+
+    parse_style
+  end
+
   # Sets the @uri
   #
   # @param [ URI ] target_base_uri The URI of the wordpress blog

lib/common/models/wp_theme/childtheme.rb

@@ -0,0 +1,33 @@
+# encoding: UTF-8
+
+class WpTheme < WpItem
+  module Childtheme
+
+    def is_child_theme?
+      return true unless @theme_template.nil?
+      false
+    end
+
+    def get_parent_theme_style_url
+      if is_child_theme?
+        return style_url.sub("/#{name}/style.css", "/#@theme_template/style.css")
+      end
+      nil
+    end
+
+    def get_parent_theme
+      if is_child_theme?
+        base_url = @uri.clone
+        base_url.path = base_url.path.sub(/(?<url>.*\/)#{Regexp.escape(@wp_content_dir)}\/.+/, '\k<url>')
+        return WpTheme.new(base_url,
+                           {
+                               name: @theme_template,
+                               style_url: get_parent_theme_style_url,
+                               wp_content_dir: @wp_content_dir
+                           })
+      end
+      nil
+    end
+
+  end
+end

lib/common/models/wp_theme/info.rb

@@ -0,0 +1,34 @@
+# encoding: UTF-8
+
+class WpTheme < WpItem
+  module Info
+
+    attr_reader :theme_name, :theme_uri, :theme_description,
+                :theme_author, :theme_author_uri, :theme_template,
+                :theme_license, :theme_license_uri, :theme_tags,
+                :theme_text_domain
+
+    def parse_style
+      style = Browser.get(style_url).body
+      @theme_name = parse_style_tag(style, 'Theme Name')
+      @theme_uri = parse_style_tag(style, 'Theme URI')
+      @theme_description = parse_style_tag(style, 'Description')
+      @theme_author = parse_style_tag(style, 'Author')
+      @theme_author_uri = parse_style_tag(style, 'Author URI')
+      @theme_template = parse_style_tag(style, 'Template')
+      @theme_license = parse_style_tag(style, 'License')
+      @theme_license_uri = parse_style_tag(style, 'License URI')
+      @theme_tags = parse_style_tag(style, 'Tags')
+      @theme_text_domain = parse_style_tag(style, 'Text Domain')
+    end
+
+    private
+
+    def parse_style_tag(style, tag)
+      value = style[/^\s*#{Regexp.escape(tag)}:\s*(.*)/i, 1]
+      return value.strip if value
+      nil
+    end
+
+  end
+end

lib/common/models/wp_theme/output.rb

@@ -0,0 +1,23 @@
+# encoding: UTF-8
+
+class WpTheme
+  module Output
+
+    # @return [ Void ]
+    def additional_output(verbose = false)
+      puts " | Style URL: #{style_url}"
+      puts " | Theme Name: #@theme_name" if @theme_name
+      puts " | Theme URI: #@theme_uri" if @theme_uri
+      theme_desc = verbose ? @theme_description : truncate(@theme_description, 100)
+      puts " | Description: #{theme_desc}"
+      puts " | Author: #@theme_author" if @theme_author
+      puts " | Author URI: #@theme_author_uri" if @theme_author_uri
+      puts " | Template: #@theme_template" if @theme_template and verbose
+      puts " | License: #@theme_license" if @theme_license and verbose
+      puts " | License URI: #@theme_license_uri" if @theme_license_uri and verbose
+      puts " | Tags: #@theme_tags" if @theme_tags and verbose
+      puts " | Text Domain: #@theme_text_domain" if @theme_text_domain and verbose
+    end
+
+  end
+end

lib/common/models/wp_theme/versionable.rb

@@ -5,7 +5,7 @@ class WpTheme < WpItem
 
     def version
       unless @version
-        @version = Browser.get(style_url).body[%r{Version:\s([^\s]+)}i, 1]
+        @version = Browser.get(style_url).body[%r{Version:\s*([^\s]+)}i, 1]
 
         # Get Version from readme.txt
         @version ||= super

lib/common/models/wp_timthumb/output.rb

@@ -3,7 +3,7 @@
 class WpTimthumb < WpItem
   module Output
 
-    def output
+    def output(verbose = false)
       puts ' | ' + red('[!]') + " #{self}"
     end
 

lib/common/models/wp_user.rb

@@ -23,7 +23,32 @@ class WpUser < WpItem
 
   # @return [ String ]
   def login_url
-    @uri.merge('wp-login.php').to_s
+    unless @login_url
+      @login_url = @uri.merge('wp-login.php').to_s
+
+      # Let's check if the login url is redirected (to https url for example)
+      if redirection = redirection(@login_url)
+        @login_url = redirection
+      end
+    end
+
+    @login_url
+  end
+
+  def redirection(url)
+    redirection = nil
+    response = Browser.get(url)
+
+    if response.code == 301 || response.code == 302
+      redirection = response.headers_hash['location']
+
+      # Let's check if there is a redirection in the redirection
+      if other_redirection = redirection(redirection)
+        redirection = other_redirection
+      end
+    end
+
+    redirection
   end
 
   # @return [ String ]

lib/common/models/wp_version/findable.rb

@@ -12,7 +12,7 @@ class WpVersion < WpItem
     #
     # @return [ WpVersion ]
     def find(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-      methods.grep(/find_from_/).each do |method|
+      methods.grep(/^find_from_/).each do |method|
 
         if method === :find_from_advanced_fingerprinting
           version = send(method, target_uri, wp_content_dir, wp_plugins_dir, versions_xml)

lib/common/models/wp_version/output.rb

@@ -3,14 +3,14 @@
 class WpVersion < WpItem
   module Output
 
-    def output
+    def output(verbose = false)
+      puts
       puts green('[+]') + " WordPress version #{self.number} identified from #{self.found_from}"
 
       vulnerabilities = self.vulnerabilities
 
       unless vulnerabilities.empty?
-        puts
-        puts red('[!]') + " #{vulnerabilities.size} vulnerabilities identified from the version number:"
+        puts red('[!]') + " #{vulnerabilities.size} vulnerabilities identified from the version number"
 
         vulnerabilities.output
       end

lib/common/version_compare.rb

@@ -22,5 +22,5 @@ class VersionCompare
       raise
     end
     return false
-	end
+  end
 end

lib/wpscan/wp_target.rb

@@ -120,7 +120,7 @@ class WpTarget < WebSite
   end
 
   # Script for replacing strings in wordpress databases
-  # reveals databse credentials after hitting submit
+  # reveals database credentials after hitting submit
   # http://interconnectit.com/124/search-and-replace-for-wordpress-databases/
   #
   # @return [ String ]

lib/wpstools/plugins/checker/checker_spelling.rb

@@ -0,0 +1,91 @@
+# encoding: UTF-8
+
+class CheckerSpelling < Plugin
+
+  def initialize
+    super(author: 'WPScanTeam - @ethicalhack3r')
+
+    register_options(['--spellcheck', '--sc', 'Check all files for common spelling mistakes.'])
+  end
+
+  def run(options = {})
+    spellcheck if options[:spellcheck]
+  end
+
+  def spellcheck
+    mistakes = 0
+
+    puts '[+] Checking for spelling mistakes'
+    puts
+
+    files.each do |file_name|
+      if File.exists?(file_name)
+        file = File.open(file_name, 'r')
+
+        misspellings.each_key do |misspelling|
+          begin
+            file.read.scan(/#{misspelling}/).each do |match|
+              mistakes += 1
+              puts "[MISSPELLING] File: #{file_name} Bad: #{match} Good: #{misspellings[misspelling]}"
+            end
+          rescue => e
+            puts "Error in #{file_name} #{e}"
+            next
+          end
+        end
+
+        file.close
+      end
+    end
+
+    puts
+    puts "[+] Found #{mistakes} spelling mistakes"
+
+    mistakes
+  end
+
+  def misspellings
+    {
+      /databse/i    => 'database',
+      /whith/i      => 'with',
+      /wich/i       => 'which',
+      /verions/i    => 'versions',
+      /vulnerabilitiy/i => 'vulnerability',
+      /unkown/i     => 'unknown',
+      /recieved/i   => 'received',
+      /acheive/i    => 'achieve',
+      /wierd/i      => 'weird',
+      /untill/i     => 'until',
+      /alot/i       => 'a lot',
+      /randomstorm/ => 'RandomStorm',
+      /wpscan/      => 'WPScan',
+      /Wordpress/   => 'WordPress'
+    }
+  end
+
+  def files
+    files = Dir['**/*'].reject {|fn| File.directory?(fn) }
+
+    ignore.each do |ignore|
+      files.delete_if { |data| data.match(ignore) }
+    end
+
+    files
+  end
+
+  def ignore
+    ignore = []
+
+    ignore << File.basename(__FILE__)
+    ignore << 'spec/cache/'
+    ignore << 'spec/spec_session/'
+    ignore << 'cache/'
+    ignore << 'coverage/'
+    ignore << 'wordlist-iso-8859-1'
+    ignore << 'log.txt'
+    ignore << 'debug.log'
+    ignore << 'wordlist.txt'
+
+    ignore
+  end
+end

lib/wpstools/plugins/stats/stats_plugin.rb

@@ -12,17 +12,34 @@ class StatsPlugin < Plugin
 
   def run(options = {})
     if options[:stats]
-      puts 'Wpscan Databse Statistics:'
-      puts '--------------------------'
-      puts "[#] Total vulnerable versions: #{vuln_core_count}"
-      puts "[#] Total vulnerable plugins: #{vuln_plugin_count}"
-      puts "[#] Total vulnerable themes: #{vuln_theme_count}"
-      puts "[#] Total version vulnerabilities: #{version_vulns_count}"
-      puts "[#] Total plugin vulnerabilities: #{plugin_vulns_count}"
-      puts "[#] Total theme vulnerabilities: #{theme_vulns_count}"
-      puts "[#] Total plugins to enumerate: #{total_plugins}"
-      puts "[#] Total themes to enumerate: #{total_themes}"
+      date_wp = File.mtime(WP_VULNS_FILE)
+      date_plugins = File.mtime(PLUGINS_VULNS_FILE)
+      date_themes = File.mtime(THEMES_VULNS_FILE)
+      date_plugins_full = File.mtime(PLUGINS_FULL_FILE)
+      date_themes_full = File.mtime(THEMES_FULL_FILE)
+
+      puts "WPScan Database Statistics:"
+      puts "---------------------------"
+      puts "[#] Total WordPress Sites in the World: #{get_wp_installations}"
       puts
+      puts "[#] Total vulnerable versions: #{vuln_core_count}"
+      puts "[#] Total vulnerable plugins:  #{vuln_plugin_count}"
+      puts "[#] Total vulnerable themes:   #{vuln_theme_count}"
+      puts
+      puts "[#] Total version vulnerabilities: #{version_vulns_count}"
+      puts "[#] Total plugin vulnerabilities:  #{plugin_vulns_count}"
+      puts "[#] Total theme vulnerabilities:   #{theme_vulns_count}"
+      puts
+      puts "[#] Total plugins to enumerate:  #{total_plugins}"
+      puts "[#] Total themes to enumerate:   #{total_themes}"
+      puts
+      puts "[+] WordPress DB modified: #{date_wp.strftime('%Y-%m-%d %H:%M:%S')}"
+      puts "[+] Plugins DB modified:   #{date_plugins.strftime('%Y-%m-%d %H:%M:%S')}"
+      puts "[+] Themes DB modified:    #{date_themes.strftime('%Y-%m-%d %H:%M:%S')}"
+      puts "[+] Enumeration plugins:   #{date_plugins_full.strftime('%Y-%m-%d %H:%M:%S')}"
+      puts "[+] Enumeration themes:    #{date_themes_full.strftime('%Y-%m-%d %H:%M:%S')}"
+      puts
+      puts "[+] Report generated:      #{Time.now.strftime('%Y-%m-%d %H:%M:%S')}"
     end
   end
 
@@ -62,4 +79,9 @@ class StatsPlugin < Plugin
     IO.readlines(file).size
   end
 
+  def get_wp_installations()
+    page = Nokogiri::HTML(Typhoeus.get('http://en.wordpress.com/stats/').body)
+    page.css('span[class="stats-flipper-number"]').text
+  end
+
 end

spec/lib/common/browser_spec.rb

@@ -137,7 +137,8 @@ describe Browser do
         headers: { 'User-Agent' => 'SomeUA' },
         ssl_verifypeer: false, ssl_verifyhost: 0,
         cookiejar: cookie_jar, cookiefile: cookie_jar,
-        timeout: 2000, connecttimeout: 1000
+        timeout: 2000, connecttimeout: 1000,
+        maxredirs: 3
       }
     }
 
@@ -187,6 +188,14 @@ describe Browser do
         @expected = default_expectation.merge(params)
       end
     end
+
+    context 'when the maxredirs is alreday set' do
+      let(:params) { { maxredirs: 100 } }
+
+      it 'does not override it' do
+        @expected = default_expectation.merge(params)
+      end
+    end
   end
 
   describe '#forge_request' do

spec/lib/common/cache_file_store_spec.rb

@@ -17,13 +17,13 @@ describe CacheFileStore do
 
   describe '#storage_path' do
     it 'returns the storage path given in the #new' do
-      @cache.storage_path.should == cache_dir
+      @cache.storage_path.should match(/#{cache_dir}/)
     end
   end
 
   describe '#serializer' do
     it 'should return the default serializer : Marshal' do
-      @cache.serializer.should == Marshal
+      @cache.serializer.should     == Marshal
       @cache.serializer.should_not == YAML
     end
   end
@@ -32,12 +32,12 @@ describe CacheFileStore do
     it "should remove all files from the cache dir (#{@cache_dir}" do
       # let's create some files into the directory first
       (0..5).each do |i|
-        File.new(cache_dir + "/file_#{i}.txt", File::CREAT)
+        File.new(@cache.storage_path + "/file_#{i}.txt", File::CREAT)
       end
 
-      count_files_in_dir(cache_dir, 'file_*.txt').should == 6
+      count_files_in_dir(@cache.storage_path, 'file_*.txt').should == 6
       @cache.clean
-      count_files_in_dir(cache_dir).should == 0
+      count_files_in_dir(@cache.storage_path).should == 0
     end
   end
 
@@ -70,4 +70,16 @@ describe CacheFileStore do
 
     ## TODO write / read for an object
   end
+
+  describe '#storage_dir' do
+    it 'should create a unique storage dir' do
+      storage_dirs = []
+
+      (1..5).each do |i|
+        storage_dirs << CacheFileStore.new(cache_dir).storage_path
+      end
+
+      storage_dirs.uniq.size.should == 5
+    end
+  end
 end

spec/lib/common/collections/wp_themes_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 describe WpThemes do
+  before { stub_request(:get, /.+\/style.css$/).to_return(status: 200) }
+
   it_behaves_like 'WpItems::Detectable' do
     subject(:wp_themes) { WpThemes }
     let(:item_class)    { WpTheme }

spec/lib/common/common_helper_spec.rb

@@ -88,4 +88,83 @@ describe 'common_helper' do
       @expected = @html
     end
   end
+
+  describe '#truncate' do
+    after :each do
+      output = truncate(@input, @length, @trailing)
+      output.should == @expected
+    end
+
+    it 'returns nil on no input' do
+      @input = nil
+      @length = 1
+      @expected = nil
+      @trailing = '...'
+    end
+
+    it 'returns input when length > input' do
+      @input = '1234567890'
+      @length = 13
+      @expected = @input
+      @trailing = '...'
+    end
+
+    it 'truncates the input' do
+      @input = '1234567890'
+      @length = 6
+      @expected = '123...'
+      @trailing = '...'
+    end
+
+    it 'adds own trailing' do
+      @input = '1234567890'
+      @length = 7
+      @expected = '123xxxx'
+      @trailing = 'xxxx'
+    end
+
+    it 'accepts strings as length' do
+      @input = '1234567890'
+      @length = '6'
+      @expected = '123...'
+      @trailing = '...'
+    end
+
+    it 'checks if trailing is longer than input' do
+      @input = '1234567890'
+      @length = 1
+      @expected = @input
+      @trailing = 'A' * 20
+    end
+
+    it 'returns input on negative length' do
+      @input = '1234567890'
+      @length = -1
+      @expected = @input
+      @trailing = '...'
+    end
+
+    it 'returns input on length == input.length' do
+      @input = '1234567890'
+      @length = '10'
+      @expected = @input
+      @trailing = '...'
+    end
+
+    it 'returns cut string on nil trailing' do
+      @input = '1234567890'
+      @length = 9
+      @expected = '123456789'
+      @trailing = nil
+    end
+
+    it 'trailing.length > length' do
+      @input = '1234567890'
+      @length = 1
+      @expected = @input
+      @trailing = 'A' * 20
+    end
+
+  end
+
 end

spec/lib/common/models/vulnerability_spec.rb

@@ -21,10 +21,10 @@ describe Vulnerability do
 
     context 'with fixed version argument' do
       let(:fixed_version)  { '1.0' }
-			its(:title)              { should be title }
-			its(:references)         { should be references }
-			its(:type)               { should be type }
-			its(:fixed_in)           { should be fixed_version }
+      its(:title)              { should be title }
+      its(:references)         { should be references }
+      its(:type)               { should be type }
+      its(:fixed_in)           { should be fixed_version }
     end
 
   end
@@ -35,14 +35,14 @@ describe Vulnerability do
       xml(MODELS_FIXTURES + '/vulnerability/xml_node.xml').xpath('//vulnerability')
     }
 
-		expected_refs = {
-				:url=>['Ref 1', 'Ref 2'],
-				:cve=>['2011-001'],
-				:secunia=>['secunia'],
-				:osvdb=>['osvdb'],
-				:metasploit=>['exploit/ex1'],
-				:exploitdb=>['exploitdb']
-		}
+    expected_refs = {
+        :url=>['Ref 1', 'Ref 2'],
+        :cve=>['2011-001'],
+        :secunia=>['secunia'],
+        :osvdb=>['osvdb'],
+        :metasploit=>['exploit/ex1'],
+        :exploitdb=>['exploitdb']
+    }
 
     its(:title)              { should == 'Vuln Title' }
     its(:type)               { should == 'CSRF' }

spec/lib/common/models/wp_item_spec.rb

@@ -13,14 +13,14 @@ describe WpItem do
   it_behaves_like 'WpItem::Vulnerable' do
     let(:vulns_file)     { MODELS_FIXTURES + '/wp_item/vulnerable/items_vulns.xml' }
     let(:vulns_xpath)    { "//item[@name='neo']/vulnerability" }
-		let(:expected_refs)  { {
-				:url => ['Ref 1', 'Ref 2'],
-				:cve => ['2011-001'],
-				:secunia => ['secunia'],
-				:osvdb => ['osvdb'],
-				:metasploit => ['exploit/ex1'],
-				:exploitdb => ['exploitdb']
-		} }
+    let(:expected_refs)  { {
+        :url => ['Ref 1', 'Ref 2'],
+        :cve => ['2011-001'],
+        :secunia => ['secunia'],
+        :osvdb => ['osvdb'],
+        :metasploit => ['exploit/ex1'],
+        :exploitdb => ['exploitdb']
+    } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new("I'm the one", 'XSS', expected_refs) }
   end
 

spec/lib/common/models/wp_plugin_spec.rb

@@ -7,14 +7,14 @@ describe WpPlugin do
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { name: 'white-rabbit' } }
     let(:vulns_file)     { MODELS_FIXTURES + '/wp_plugin/vulnerable/plugins_vulns.xml' }
-		let(:expected_refs)  { {
-				:url => ['Ref 1', 'Ref 2'],
-				:cve => ['2011-001'],
-				:secunia => ['secunia'],
-				:osvdb => ['osvdb'],
-				:metasploit => ['exploit/ex1'],
-				:exploitdb => ['exploitdb']
-		} }
+    let(:expected_refs)  { {
+        :url => ['Ref 1', 'Ref 2'],
+        :cve => ['2011-001'],
+        :secunia => ['secunia'],
+        :osvdb => ['osvdb'],
+        :metasploit => ['exploit/ex1'],
+        :exploitdb => ['exploitdb']
+    } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Follow me!', 'REDIRECT', expected_refs) }
   end
 

spec/lib/common/models/wp_theme/findable_spec.rb

@@ -7,6 +7,10 @@ describe 'WpTheme::Findable' do
   let(:uri)          { URI.parse('http://example.com/') }
 
   describe '::find_from_css_link' do
+    before do
+      stub_request(:get, /.+\/style.css$/).to_return(status: 200)
+    end
+
     after do
       @body ||= File.new(fixtures_dir + '/css_link/' + @file)
       stub_request(:get, uri.to_s).to_return(status: 200, body: @body)
@@ -51,6 +55,10 @@ describe 'WpTheme::Findable' do
   end
 
   describe '::find_from_wooframework' do
+    before do
+      stub_request(:get, /.+\/style.css$/).to_return(status: 200)
+    end
+
     after do
       @body ||= File.new(fixtures_dir + '/wooframework/' + @file)
       stub_request(:get, uri.to_s).to_return(status: 200, body: @body)
@@ -119,6 +127,7 @@ describe 'WpTheme::Findable' do
     context 'when the theme is found' do
       it 'returns it, with the :found_from set' do
         stub_all_to_nil()
+        stub_request(:get, /.+\/the-oracle\/style.css$/).to_return(status: 200)
         expected = WpTheme.new(uri, name: 'the-oracle')
 
         WpTheme.stub(:find_from_css_link).and_return(expected)

spec/lib/common/models/wp_theme_spec.rb

@@ -3,19 +3,23 @@
 require 'spec_helper'
 
 describe WpTheme do
+  before do
+    stub_request(:get, /.+\/style.css$/).to_return(status: 200)
+  end
+
   it_behaves_like 'WpTheme::Versionable'
   it_behaves_like 'WpTheme::Vulnerable'
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { name: 'the-oracle' } }
     let(:vulns_file)     { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.xml' }
-		let(:expected_refs)  { {
-				:url => ['Ref 1', 'Ref 2'],
-				:cve => ['2011-001'],
-				:secunia => ['secunia'],
-				:osvdb => ['osvdb'],
-				:metasploit => ['exploit/ex1'],
-				:exploitdb => ['exploitdb']
-		} }
+    let(:expected_refs)  { {
+        :url => ['Ref 1', 'Ref 2'],
+        :cve => ['2011-001'],
+        :secunia => ['secunia'],
+        :osvdb => ['osvdb'],
+        :metasploit => ['exploit/ex1'],
+        :exploitdb => ['exploitdb']
+    } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('I see you', 'FPD', expected_refs) }
   end
 

spec/lib/common/models/wp_user_spec.rb

@@ -34,10 +34,6 @@ describe WpUser do
     end
   end
 
-  describe '#login_url' do
-    its(:login_url) { should == 'http://example.com/wp-login.php' }
-  end
-
   describe '#to_s' do
     after do
       subject.id = 1

spec/lib/common/models/wp_version_spec.rb

@@ -7,14 +7,14 @@ describe WpVersion do
   it_behaves_like 'WpItem::Vulnerable' do
     let(:options)        { { number: '3.2' } }
     let(:vulns_file)     { MODELS_FIXTURES + '/wp_version/vulnerable/versions_vulns.xml' }
-		let(:expected_refs)  { {
-				:url => ['Ref 1', 'Ref 2'],
-				:cve => ['2011-001'],
-				:secunia => ['secunia'],
-				:osvdb => ['osvdb'],
-				:metasploit => ['exploit/ex1'],
-				:exploitdb => ['exploitdb']
-		} }
+    let(:expected_refs)  { {
+        :url => ['Ref 1', 'Ref 2'],
+        :cve => ['2011-001'],
+        :secunia => ['secunia'],
+        :osvdb => ['osvdb'],
+        :metasploit => ['exploit/ex1'],
+        :exploitdb => ['exploitdb']
+    } }
     let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('Here I Am', 'SQLI', expected_refs) }
   end
 

spec/lib/wpscan/web_site_spec.rb

@@ -28,7 +28,7 @@ describe 'WebSite' do
     end
 
     context 'when protocol or trailing slash is missing' do
-      it 'should add the them' do
+      it 'should add them' do
         @uri      = 'example.localhost'
         @expected = 'http://example.localhost/'
       end

spec/samples/common/models/wp_theme/versionable/firefart.net.css

@@ -0,0 +1,11 @@
+/*
+ Theme Name:     firefart.net
+ Theme URI:      http://www.firefart.net/
+ Description:    firefart.net Theme
+ Author:         Christian Mehlmauer
+ Author URI:     http://www.firefart.net%
+ Template:       twentytwelve
+ Version:        1.0.0
+*/
+
+@import url("../twentytwelve/style.css");

spec/shared_examples/wp_item_versionable.rb

@@ -53,7 +53,7 @@ shared_examples 'WpItem::Versionable' do
     context 'when the version exists' do
       it 'returns the name and the version' do
         @version  = '1.3'
-        @expected = 'some-name v1.3'
+        @expected = 'some-name - v1.3'
       end
     end
   end

spec/shared_examples/wp_theme_versionable.rb

@@ -55,6 +55,11 @@ shared_examples 'WpTheme::Versionable' do
       @file = 'twentyeleven-1.3.css'
       @expected = '1.3'
     end
+
+    it 'returns the correct version' do
+      @file = 'firefart.net.css'
+      @expected = '1.0.0'
+    end
   end
 
 end

spec/shared_examples/wp_user/brute_forcable.rb

@@ -66,7 +66,8 @@ shared_examples 'WpUser::BruteForcable' do
   end
 
   describe '#brute_force' do
-    let(:login) { 'someuser' }
+    let(:login)     { 'someuser' }
+    let(:login_url) { uri.merge('wp-login.php').to_s }
 
     after do
       [wordlist_utf8, wordlist_iso].each do |wordlist|
@@ -78,8 +79,10 @@ shared_examples 'WpUser::BruteForcable' do
 
     context 'when no password is valid' do
       before do
+        stub_request(:get, login_url).to_return(status: 200)
         stub_request(:post, wp_user.login_url).
-          #with(body: { log: login }). # produces an error : undefined method `split' for {:log=>"someuser", :pwd=>"password1"}:Hash
+          # with(body: { log: login }). # produces an error : undefined method `split' for {:log=>"someuser", :pwd=>"password1"}:Hash
+          # Fixed in WebMock 1.17.2, TODO: Modify the specs
           to_return(body: 'login_error')
       end
 
@@ -92,7 +95,8 @@ shared_examples 'WpUser::BruteForcable' do
       let(:redirect_url) { nil }
 
       before do
-        stub_request(:post, wp_user.login_url).to_return(status: 302, headers: { 'Location' => 'wrong-location' } )
+        stub_request(:get, login_url).to_return(status: 200)
+        stub_request(:post, wp_user.login_url).to_return(status: 302, headers: { 'Location' => 'wrong-location' })
       end
 
       it 'does not set the @password' do
@@ -104,15 +108,32 @@ shared_examples 'WpUser::BruteForcable' do
       # Due to the error with .with(body: { log: login }) above
       # We can't use it to stub the request for a specific password
       # So, the first one will be valid
+      # Fixed in WebMock 1.17.2, TODO: Modify the specs
 
       before do
-        stub_request(:post, wp_user.login_url).to_return(status: 302, headers: { 'Location' => redirect_url } )
+        stub_request(:get, login_url).to_return(status: 200)
+        stub_request(:post, wp_user.login_url).to_return(status: 302, headers: { 'Location' => redirect_url })
       end
 
       it 'sets the @password' do
         @expected = 'password1'
       end
     end
+
+    context 'when the login url is redirected to https' do
+      let(:https_login_url) { 'https://example.com/wp-login.php' }
+
+      before do
+        stub_request(:any, uri.merge('wp-login.php').to_s).to_return(status: 302, headers: { 'Location' => https_login_url})
+        stub_request(:get, https_login_url).to_return(status: 200)
+        stub_request(:post, https_login_url).with(body: hash_including({ log: 'someuser', pwd: 'root'})).to_return(status: 302, headers: { 'Location' => redirect_url })
+        stub_request(:post, https_login_url).with(body: /pwd=(?!root)/).to_return(body: 'login_error')
+      end
+
+      it 'does not raise any error' do
+        @expected = 'root'
+      end
+    end
   end
 
 end

wpscan.rb

@@ -44,6 +44,10 @@ def main
       exit(0)
     end
 
+    unless wpscan_options.url
+      raise 'The URL is mandatory, please supply it with --url or -u'
+    end
+
     wp_target = WpTarget.new(wpscan_options.url, wpscan_options.to_h)
 
     # Remote website up?
@@ -105,16 +109,16 @@ def main
     # Output runtime data
     start_time   = Time.now
     start_memory = get_memory_usage
-    puts "| URL: #{wp_target.url}"
-    puts "| Started: #{start_time.asctime}"
+    puts "#{green('[+]')} URL: #{wp_target.url}"
+    puts "#{green('[+]')} Started: #{start_time.asctime}"
     puts
 
     if wp_target.wordpress_hosted?
-      puts "#{red('[!]')} We do not support scanning *.wordpress.com hosted blogs."
+      puts "#{red('[!]')} We do not support scanning *.wordpress.com hosted blogs"
     end
 
     if wp_target.has_robots?
-      puts green('[+]') + " robots.txt available under: '#{wp_target.robots_url}'"
+      puts "#{green('[+]')} robots.txt available under: '#{wp_target.robots_url}'"
 
       wp_target.parse_robots_txt.each do |dir|
         puts "#{green('[+]')} Interesting entry from robots.txt: #{dir}"
@@ -122,15 +126,15 @@ def main
     end
 
     if wp_target.has_readme?
-      puts red('[!]') + " The WordPress '#{wp_target.readme_url}' file exists"
+      puts "#{red('[!]')} The WordPress '#{wp_target.readme_url}' file exists"
     end
 
     if wp_target.has_full_path_disclosure?
-      puts red('[!]') + " Full Path Disclosure (FPD) in: '#{wp_target.full_path_disclosure_url}'"
+      puts "#{red('[!]')} Full Path Disclosure (FPD) in: '#{wp_target.full_path_disclosure_url}'"
     end
 
     if wp_target.has_debug_log?
-      puts red('[!]') + " Debug log file found: #{wp_target.debug_log_url}"
+      puts "#{red('[!]')} Debug log file found: #{wp_target.debug_log_url}"
     end
 
     wp_target.config_backup.each do |file_url|
@@ -154,20 +158,20 @@ def main
     end
 
     if wp_target.multisite?
-      puts green('[+]') + ' This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)'
+      puts "#{green('[+]')} This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)"
     end
 
     if wp_target.registration_enabled?
-      puts green('[+]') + ' User registration is enabled'
+      puts "#{green('[+]')} User registration is enabled"
     end
 
     if wp_target.has_xml_rpc?
-      puts green('[+]') + " XML-RPC Interface available under: #{wp_target.xml_rpc_url}"
+      puts "#{green('[+]')} XML-RPC Interface available under: #{wp_target.xml_rpc_url}"
     end
 
     if wp_target.has_malwares?
       malwares = wp_target.malwares
-      puts red('[!]') + " #{malwares.size} malware(s) found:"
+      puts "#{red('[!]')} #{malwares.size} malware(s) found:"
 
       malwares.each do |malware_url|
         puts
@@ -182,34 +186,44 @@ def main
     }
 
     if wp_version = wp_target.version(WP_VERSIONS_FILE)
-      wp_version.output
+      wp_version.output(wpscan_options.verbose)
     end
 
     if wp_theme = wp_target.theme
       puts
       # Theme version is handled in #to_s
-      puts green('[+]') + " WordPress theme in use: #{wp_theme}"
-      wp_theme.output
+      puts "#{green('[+]')} WordPress theme in use: #{wp_theme}"
+      wp_theme.output(wpscan_options.verbose)
+
+      # Check for parent Themes
+      while wp_theme.is_child_theme?
+        parent = wp_theme.get_parent_theme
+        puts
+        puts "#{green('[+]')} Detected parent theme: #{parent}"
+        parent.output(wpscan_options.verbose)
+        wp_theme = parent
+      end
+
     end
 
     if wpscan_options.enumerate_plugins == nil and wpscan_options.enumerate_only_vulnerable_plugins == nil
       puts
-      puts green('[+]') + ' Enumerating plugins from passive detection ... '
+      puts "#{green('[+]')} Enumerating plugins from passive detection ..."
 
       wp_plugins = WpPlugins.passive_detection(wp_target)
       if !wp_plugins.empty?
         puts " |  #{wp_plugins.size} plugins found:"
 
-        wp_plugins.output
+        wp_plugins.output(wpscan_options.verbose)
       else
-        puts 'No plugins found'
+        puts "#{green('[+]')} No plugins found"
       end
     end
 
     # Enumerate the installed plugins
     if wpscan_options.enumerate_plugins or wpscan_options.enumerate_only_vulnerable_plugins or wpscan_options.enumerate_all_plugins
       puts
-      puts green('[+]') + " Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
+      puts "#{green('[+]')} Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
       puts
 
       wp_plugins = WpPlugins.aggressive_detection(wp_target,
@@ -220,18 +234,18 @@ def main
       )
       puts
       if !wp_plugins.empty?
-        puts green('[+]') + " We found #{wp_plugins.size} plugins:"
+        puts "#{green('[+]')} We found #{wp_plugins.size} plugins:"
 
-        wp_plugins.output
+        wp_plugins.output(wpscan_options.verbose)
       else
-        puts 'No plugins found'
+        puts "#{green('[+]')} No plugins found"
       end
     end
 
     # Enumerate installed themes
     if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes or wpscan_options.enumerate_all_themes
       puts
-      puts green('[+]') + " Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
+      puts "#{green('[+]')} Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
       puts
 
       wp_themes = WpThemes.aggressive_detection(wp_target,
@@ -242,17 +256,17 @@ def main
       )
       puts
       if !wp_themes.empty?
-        puts green('[+]') + " We found #{wp_themes.size} themes:"
+        puts "#{green('[+]')} We found #{wp_themes.size} themes:"
 
-        wp_themes.output
+        wp_themes.output(wpscan_options.verbose)
       else
-        puts 'No themes found'
+        puts "#{green('[+]')} No themes found"
       end
     end
 
     if wpscan_options.enumerate_timthumbs
       puts
-      puts green('[+]') + ' Enumerating timthumb files ...'
+      puts "#{green('[+]')} Enumerating timthumb files ..."
       puts
 
       wp_timthumbs = WpTimthumbs.aggressive_detection(wp_target,
@@ -263,22 +277,22 @@ def main
       )
       puts
       if !wp_timthumbs.empty?
-        puts green('[+]') + " We found #{wp_timthumbs.size} timthumb file/s:"
+        puts "#{green('[+]')} We found #{wp_timthumbs.size} timthumb file/s:"
         puts
 
-        wp_timthumbs.output
+        wp_timthumbs.output(wpscan_options.verbose)
 
         puts
         puts red(' * Reference: http://www.exploit-db.com/exploits/17602/')
       else
-        puts 'No timthumb files found'
+        puts "#{green('[+]')} No timthumb files found"
       end
     end
 
     # If we haven't been supplied a username, enumerate them...
     if !wpscan_options.username and wpscan_options.wordlist or wpscan_options.enumerate_usernames
       puts
-      puts green('[+]') + ' Enumerating usernames ...'
+      puts "#{green('[+]')} Enumerating usernames ..."
 
       wp_users = WpUsers.aggressive_detection(wp_target,
         enum_options.merge(
@@ -288,7 +302,7 @@ def main
       )
 
       if wp_users.empty?
-        puts 'We did not enumerate any usernames'
+        puts "#{green('[+]')} We did not enumerate any usernames"
 
         if wpscan_options.wordlist
           puts 'Try supplying your own username with the --username option'
@@ -296,7 +310,7 @@ def main
           exit(1)
         end
       else
-        puts green('[+]') + " We found the following #{wp_users.size} user/s:"
+        puts "#{green('[+]')} Identified the following #{wp_users.size} user/s:"
         wp_users.output(margin_left: ' ' * 4)
       end
 
@@ -314,13 +328,13 @@ def main
 
         puts
         puts "The plugin #{protection_plugin.name} has been detected. It might record the IP and timestamp of every failed login and/or prevent brute forcing altogether. Not a good idea for brute forcing!"
-        print '[?] Do you want to start the brute force anyway ? [y/n] '
+        print "[?] Do you want to start the brute force anyway ? [y/n] "
 
         bruteforce = false if Readline.readline !~ /^y/i
       end
       puts
       if bruteforce
-        puts green('[+]') + ' Starting the password brute forcer'
+        puts "#{green('[+]')} Starting the password brute forcer"
 
         begin
           wp_users.brute_force(
@@ -333,7 +347,7 @@ def main
           wp_users.output(show_password: true, margin_left: ' ' * 2)
         end
       else
-        puts 'Brute forcing aborted'
+        puts "Brute forcing aborted"
       end
     end
 
@@ -348,13 +362,13 @@ def main
     exit(0) # must exit!
 
   rescue SystemExit, Interrupt
-    puts 'Exiting!'
+    
   rescue => e
     if e.backtrace[0] =~ /main/
       puts red(e.message)
     else
       puts red("[ERROR] #{e.message}")
-      puts red('Trace:')
+      puts red("Trace:")
       puts red(e.backtrace.join("\n"))
     end
     exit(1)

wpstools.rb

@@ -18,7 +18,8 @@ begin
   plugins.register(
     CheckerPlugin.new,
     ListGeneratorPlugin.new,
-    StatsPlugin.new
+    StatsPlugin.new,
+    CheckerSpelling.new
   )
 
   options = option_parser.results