Version 2.9 release

new dependency

.gitignore

@@ -12,3 +12,4 @@ log.txt
 debug.log
 wordlist.txt
 rspec_results.html
+data/

.ruby-gemset

@@ -0,0 +1 @@
+wpscan

.ruby-version

@@ -0,0 +1 @@
+2.2.3

.travis.yml

@@ -1,11 +1,30 @@
 language: ruby
+sudo: false
+cache: bundler
 rvm:
   - 1.9.2
   - 1.9.3
   - 2.0.0
   - 2.1.0
   - 2.1.1
-script: bundle exec rspec --format documentation
+  - 2.1.2
+  - 2.1.3
+  - 2.1.4
+  - 2.1.5
+  - 2.2.0
+  - 2.2.1
+  - 2.2.2
+  - 2.2.3
+before_install:
+  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
+script: bundle exec rspec
 notifications:
   email:
-    - wpscanteam@gmail.com
+    - team@wpscan.org
+matrix:
+  allow_failures:
+    - rvm: 1.9.2
+# do not build gh-pages branch
+branches:
+  except:
+    - gh-pages

CHANGELOG.md

@@ -1,6 +1,259 @@
 # Changelog
 ## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.4...master)
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.9...master)
+
+## Version 2.9
+Released: 2015-10-15
+
+New
+* GZIP Encoding in updater
+* Adds --throttle option to throttle requests
+* Uses new API and local database file structure
+* Adds last updated and latest version to plugins and themes
+
+Removed
+* ArchAssault from README
+* APIv1 local databases
+
+General core
+* Update to Ruby 2.2.3
+* Use yajl-ruby as JSON parser
+* New dependancy for Ubuntu 14.04 (libgmp-dev)
+* Use Travis container based infra and caching
+
+Fixed issues
+* Fix #835 - Readme requests to wp root dir
+* Fix #836 - Critical icon output twice when the site is not running WP
+* Fix #839 - Terminal-table dependency is broken
+* Fix #841 - error: undefined method `cells' for #<Array:0x000000029cc2f8>
+* Fix #852 - GZIP Encoding in updater
+* Fix #853 - APIv2 integration
+* Fix #858 - Detection FP
+* Fix #873 - false positive "site has Must Use Plugins"
+
+WPScan Database Statistics:
+* Total vulnerable versions: 132
+* Total vulnerable plugins:  1170
+* Total vulnerable themes:   368
+* Total version vulnerabilities: 1476
+* Total plugin vulnerabilities:  1913
+* Total theme vulnerabilities:   450
+
+## Version 2.8
+Released: 2015-06-22
+
+New
+* Warn the user to update his DB files
+* Added last db update to --version option (see #815)
+* Add db checksum to verbose logging during update
+* Option to hide banner
+* Continue if user chooses not to update + db exists
+* Don't update if user chooses default + no DBs exist
+* Updates request timeout values to realistic ones (and in seconds)
+
+Removed
+* Removed `Time.parse('2000-01-01')` expedient
+* Removed unnecessary 'return' and '()'
+* Removed debug output
+* Removed wpstools
+
+General core
+* Update to Ruby 2.2.2
+* Switch to mitre
+* Install bundler gem README
+* Switch from gnutls to openssl
+
+Fixed issues
+* Fix #789 - Add blackarch to readme
+* Fix #790 - Consider the target down after 30 requests timed out requests instead of 10
+* Fix #791 - Rogue character causing the scan of non-wordpress site to crash
+* Fix #792 - Adds the HttpError exception
+* Fix #795 - Remove GHOST warning
+* Fix #796 - Do not swallow exit code
+* Fix #797 - Increases the timeout values
+* Fix #801 - Forces UTF-8 encoding when enumerating usernames
+* Fix #803 - Increases default connect-timeout to 10s
+* Fix #804 - Updates the Theme detection pattern
+* Fix #816 - Ignores potential non version chars in theme version detection
+* Fix #819 - Removes potential spaces in robots.txt entries
+
+WPScan Database Statistics:
+* Total vulnerable versions: 98
+* Total vulnerable plugins:  1076
+* Total vulnerable themes:   361
+* Total version vulnerabilities: 1104
+* Total plugin vulnerabilities:  1763
+* Total theme vulnerabilities:   443
+
+## Version 2.7
+Released: 2015-03-16
+
+New
+* Detects version in release date format
+* Copyrights updated
+* WP version detection from stylesheets
+* New license
+* Global HTTP request counter
+* Add security-protection plugin detection
+* Add GHOST warning if XMLRPC enabled
+* Update databases from wpvulndb.com
+* Enumerate usernames from WP <= 3.0 (thanks berotti3)
+
+Removed
+* README.txt
+
+General core
+* Update to Ruby 2.2.1
+* Update to Ruby 2.2.0
+* Add addressable gem
+* Update Typhoeus gem to 0.7.0
+* IDN support: encode non-ascii domain names (thanks dctabuyz)
+* Improve page hash calculation (thanks dctabuyz)
+* Version detection regex improved
+
+Fixed issues
+* Fix #745 - Plugin version pattern in readme.txt file not detected
+* Fix #746 - Add a global counter for all active requests to server.
+* Fix #747 - Add 'security-protection' plugin to wp_login_protection module
+* Fix #753 - undefined method `round' for "10":String for request or connect timeouts
+* Fix #760 - typhoeus issue (infinite loop)
+
+WPScan Database Statistics:
+* Total vulnerable versions: 89
+* Total vulnerable plugins:  953
+* Total vulnerable themes:   329
+* Total version vulnerabilities: 1070
+* Total plugin vulnerabilities:  1451
+* Total theme vulnerabilities:   378
+
+## Version 2.6
+Released: 2014-12-19
+
+New
+* Updates the readmes to reflect the new --usernames option
+* Improves plugin/theme version detection by looking at the "Version:"
+* Solution to avoid mandatory blank newline at the end of the wordlist
+* Add check for valid credentials
+* Add Sucuri sponsor to banner
+* Add protocol to sucuri url in banner
+* Add response code to proxy error output
+* Add a statement about mendatory newlines at the end of list
+* Give warning if default username 'admin' is still used
+* License amendment to make it more clear about value added usage
+
+Removed
+* remove malwares
+* remove malware folder
+* Removes the theme version check from the readme, unrealistic scenario
+
+General core
+* Update to Ruby 2.1.5 and travis
+* Prevent parent theme infinite loop
+* Fixes the progressbar being overriden by next brute forcing attempts
+
+Fixed issues
+* Fix UTF-8 encode on security db file download
+* Fix #703 - Disable logging by default. Implement log option.
+* Fix #705 - Installation instructions for Ubuntu < 14.04 apparently incomplete
+* Fix #717 - Expand on readme.html finding output
+* Fix #716 - Adds the --version in the help
+* Fix #715 - Add new updating info to docs
+* Fix #727 - WpItems detection: Perform the passive check and filter only vulnerable results at the end if required
+* Fix #737 - Adds some readme files to check for plugin versions
+* Fix #739 - Adds the --usernames option
+
+WPScan Database Statistics:
+* Total vulnerable versions: 88
+* Total vulnerable plugins: 901
+* Total vulnerable themes: 313
+* Total version vulnerabilities: 1050
+* Total plugin vulnerabilities: 1355
+* Total theme vulnerabilities: 349
+
+## Version 2.5.1
+Released: 2014-09-29
+
+Fixes reference URL to WPVDB
+
+## Version 2.5
+Released: 2014-09-26 (@ BruCON 2014)
+
+New
+* Exit program after --update
+* Detect directory listing in upload folder
+* Be more verbose when no version can be detected
+* Added detection for Yoast Wordpress SEO plugin
+* Also ensure to not process empty Location headers
+* Ensures a nil location is not processed when enumerating usernames
+* Fix #626 - Detect 'Must_Use_Plugins'
+* better username extraction
+* Add a --cookie option. Ref #485
+* Add a --no-color option
+* Output: Give 'Fixed in' an informational tag
+* Added ArchAssault distro - WPScan comes pre-installed with this distro
+* Layout changes with new colors
+
+Removed
+* Removes the source code updaters
+* Removes the ListGenerator plugin from WPStools
+* Removes all files from data/
+
+General core
+* Update docs to reflect new updating logic
+* Little output change and coloring
+* Adds a missing verbose output
+* Re-build redirection url if begin with slash '/'
+* Fixes the remove_conditional_comments function
+* Ensures to give a string to Typhoeus
+* Fix wpstools check-vuln-ref-urls
+* Fix rspecs for new json
+* Only output if different from style_url
+* Add exception so 'ruby wpscan.rb http://domain.com' is detected
+* Added make to Debian installation, which is needed in minimal installation.
+* Add build-essentials requirement to Ubuntu > 14.04
+* Updated installation instr. for GNU/Linux Debian.
+* Changes VersionCompare#is_newer_or_same? by lesser_or_equal?
+* Fixes the location of the robots.txt check
+* Updates the recommended ruby version
+* Rspec 3.0 support
+* Adds ruby 2.1.2 to Travis
+* Updated ruby-progressbar to 1.5.0
+
+WordPress Fingerprints
+* Adds WP 4.0 fingerprints
+* Adds WP 3.9.2, 3.8.4 & 3.7.4 fingerprints - Ref #652
+* Adds 3.9.1 fingerprints
+
+Fixed issues
+* Fix #689 - Adds config file to check
+* Fix #694 - Output Arrays
+* Fix #693 - Adds pathname require statement
+* Fix #657 - generate method
+* Fix #685 - Potenial fix for 'marshal data too short' error
+* Fix #686 - Adds specs for relative URI in Location headers
+* Fix #435 - Update license
+* Fix #674 - Improves the Plugins & Themes passive detection
+* Fix #673 - Problem with the output
+* Fix #661 - Don't hash directories named like a file
+* Fix #653 - Fix for infinite loop in wpstools
+* Fix #625 - Only parse styles when needed
+* Fix #481 - Fix for Jetpack plugin false positive
+* Fix #480 - Properly removes the colour sequence from log
+* Fix #472 - WPScan stops after redirection if not WordPress website
+* Fix #464 - Readmes updated to reflect recent changes about the config file & batch mode
+
+Vulnerabilities
+* geoplaces4 also uses name GeoPlaces4beta
+* Added metasploit module's
+* Added some timthumb detections
+
+WPScan Database Statistics:
+* Total vulnerable versions: 87
+* Total vulnerable plugins: 854
+* Total vulnerable themes: 303
+* Total version vulnerabilities: 752
+* Total plugin vulnerabilities: 1351
+* Total theme vulnerabilities: 345
 
 ## Version 2.4
 Released: 2014-04-17
@@ -12,7 +265,6 @@ New
 * Switch over to nist - Fix #301
 * New choice added when a redirection is detected - Fix #438
 
-
 Removed
 * Removed 'Total WordPress Sites in the World' counter from stats
 * Old wpscan repo links removed - Fix #440

CREDITS

@@ -1,20 +1,21 @@
 **CREDITS**
 
-This file is to give credit to WPScan's contributors. If you feel your name should be in here, email ryandewhurst at gmail.
+This file is used to state the individual WPScan Team members (core developers) and give credit to WPScan's other contributors. If you feel your name should be in here email team@wpscan.org.
 
 *WPScan Team*
 
 Erwan.LR - @erwan_lr - (Project Developer)
 Christian Mehlmauer - @_FireFart_ - (Project Developer)
-Peter van der Laan - pvdl - (Vuln Hunter and Code Cleaner)
+Peter van der Laan - pvdl - (Project Developer)
 Ryan Dewhurst - @ethicalhack3r (Project Lead)
 
 *Other Contributors*
 
+Henri Salo AKA fgeek - Reported lots of vulnerabilities
 Alip AKA Undead - alip.aswalid at gmail.com
-michee08 - Reported and gave potential solutions to bugs.
+michee08 - Reported and gave potential solutions to bugs
 Callum Pember - Implemented proxy support - callumpember at gmail.com
-g0tmi1k - Additional timthumb checks + bug reports.
+g0tmi1k - Additional timthumb checks + bug reports
 Melvin Lammerts - Reported a couple of fake vulnerabilities - melvin at 12k.nl
 Paolo Perego - @thesp0nge - Basic authentication
-Gianluca Brindisi - @gbrindisi - Project Developer
+Gianluca Brindisi - @gbrindisi - Ex Project Developer

DISCLAIMER.txt

@@ -0,0 +1,2 @@
+WPScan is not responsible for misuse or for any damage that you may cause!
+You agree that you use this software at your own risk.

Gemfile

@@ -1,13 +1,17 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "typhoeus", "~>0.6.8"
-gem "nokogiri"
-gem "json"
-gem "terminal-table"
-gem "ruby-progressbar", ">=1.2.0"
+gem 'typhoeus', '~>0.8.0'
+gem 'nokogiri'
+gem 'addressable'
+gem 'yajl-ruby' # Better JSON parser regarding memory usage
+# TODO: update the below when terminal-table 1.5.3+ is released.
+# (and delete the Terminal module in lib/common/hacks.rb)
+gem 'terminal-table', '~>1.4.5'
+gem 'ruby-progressbar', '>=1.6.0'
 
 group :test do
-  gem "webmock", ">=1.17.2"
-  gem "simplecov"
-  gem "rspec", :require => "spec"
+  gem 'webmock', '>=1.17.2'
+  gem 'simplecov'
+  gem 'rspec', '>=3.3.0'
+  gem 'rspec-its'
 end

LICENSE

@@ -1,15 +1,70 @@
-WPScan - WordPress Security Scanner
-Copyright (C) 2012-2013
+WPScan Public Source License
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2015 WPScan Team.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+1. Definitions
+
+1.1 “License” means this document.
+1.2 “Contributor” means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+1.3 “WPScan Team” means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+
+2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using WPScan to provide commercial managed/Software-as-a-Service services.
+ - Distributing WPScan as a commercial product or as part of one.
+ - Using WPScan as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using WPScan to test your own systems.
+ - Any non-commercial use of WPScan.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+
+Free-use Terms and Conditions;
+
+3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with WPScan.
+ - Unmodified Copyright notices are provided with WPScan.
+ - Does not conflict with the commercialization clause.
+
+4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+6. Contributions
+
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+7. Support
+
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+
+8. Disclaimer of Warranty
+
+WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+9. Limitation of Liability
+
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+
+10. Disclaimer
+
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.

README

@@ -1,250 +0,0 @@
-__________________________________________________
- __          _______   _____
- \ \        / /  __ \ / ____|
-  \ \  /\  / /| |__) | (___   ___  __ _ _ __
-   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
-    \  /\  /  | |     ____) | (__| (_| | | | |
-     \/  \/   |_|    |_____/ \___|\__,_|_| |_|
-__________________________________________________
-
-==LICENSE==
-
-WPScan - WordPress Security Scanner
-Copyright (C) 2011-2013 The WPScan Team
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-ryandewhurst at gmail
-
-==INSTALL==
-
-  WPScan comes pre-installed on the following Linux distributions:
-
-   * BackBox Linux
-   * Kali Linux
-   * Pentoo
-   * SamuraiWTF
-
-  Prerequisites:
-
-   * Windows not supported
-   * Ruby >= 1.9.2 - Recommended: 1.9.3
-   * Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
-   * RubyGems      - Recommended: latest
-   * Git
-
-  -> Installing on Debian/Ubuntu:
-
-    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test
-
-  -> Installing on Fedora:
-
-    sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test
-
-  -> Installing on Archlinux:
-
-    pacman -Syu ruby
-    pacman -Syu libyaml
-
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && bundle install --without test
-
-    gem install typhoeus
-    gem install nokogiri
-
-  -> Installing on Mac OS X:
-
-    Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error
-
-    git clone https://github.com/wpscanteam/wpscan.git
-    cd wpscan
-    sudo gem install bundler && sudo bundle install --without test
-
-==KNOWN ISSUES==
-
-  - Typhoeus segmentation fault:
-      Update cURL to version => 7.21 (may have to install from source)
-
-  - Proxy not working:
-      Update cURL to version => 7.21.7 (may have to install from source).
-
-      Installation from sources :
-        - Grab the sources from http://curl.haxx.se/download.html
-        - Decompress the archive
-        - Open the folder with the extracted files
-        - Run ./configure
-        - Run make
-        - Run sudo make install
-        - Run sudo ldconfig
-
-  - cannot load such file -- readline:
-      Run sudo aptitude install libreadline5-dev libncurses5-dev
-
-      Then, open the directory of the readline gem (you have to locate it)
-
-      cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
-      ruby extconf.rb
-      make
-      make install
-
-      See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
-
-  - no such file to load -- rubygems
-      Run update-alternatives --config ruby
-      And select your ruby version
-
-      See https://github.com/wpscanteam/wpscan/issues/148
-
-
-==WPSCAN ARGUMENTS==
-
---update   Update to the latest revision
-
---url   | -u <target url>  The WordPress URL/domain to scan.
-
---force | -f Forces WPScan to not check if the remote site is running WordPress.
-
---enumerate | -e [option(s)]  Enumeration.
-  option :
-    u        usernames from id 1 to 10
-    u[10-20] usernames from id 10 to 20 (you must write [] chars)
-    p        plugins
-    vp       only vulnerable plugins
-    ap       all plugins (can take a long time)
-    tt       timthumbs
-    t        themes
-    vp       only vulnerable themes
-    at       all themes (can take a long time)
-  Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
-  If no option is supplied, the default is 'vt,tt,u,vp'
-
---exclude-content-based '<regexp or string>'  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
-                                              You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
-
---config-file | -c <config file> Use the specified config file
-
---user-agent | -a <User-Agent> Use the specified User-Agent
-
---random-agent | -r Use a random User-Agent
-
---follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not
-
---wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
-
---wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
-
---proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
-                                  HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
-
---proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).
-
---basic-auth <username:password>  Set the HTTP Basic authentication
-
---wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
-
---threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
-
---username | -U <username>  Only brute force the supplied username.
-
---cache-ttl <cache-ttl>  Typhoeus cache TTL
-
---request-timeout <request-timeout>  Request Timeout
-
---connect-timeout <connect-timeout>  Connect Timeout
-
---max-threads <max-threads>  Maximum Threads
-
---help     | -h This help screen.
-
---verbose  | -v Verbose output.
-
-==WPSCAN EXAMPLES==
-
-Do 'non-intrusive' checks...
-
-  ruby wpscan.rb --url www.example.com
-
-Do wordlist password brute force on enumerated users using 50 threads...
-
-  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
-
-Do wordlist password brute force on the 'admin' username only...
-
-  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
-
-Enumerate installed plugins...
-
-  ruby wpscan.rb --url www.example.com --enumerate p
-
-Run all enumeration tools...
-
-  ruby wpscan.rb --url www.example.com --enumerate
-
-Use custom content directory...
-
-  ruby wpscan.rb -u www.example.com --wp-content-dir custom-content
-
-Update WPScan...
-
-  ruby wpscan.rb --update
-
-Debug output...
-
-  ruby wpscan.rb --url www.example.com --debug-output 2>debug.log
-
-==WPSTOOLS ARGUMENTS==
-
---help    | -h   This help screen.
---Verbose | -v   Verbose output.
---update  | -u   Update to the latest revision.
---generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
---gpl  Alias for --generate_plugin_list
---check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells
-
-==WPSTOOLS EXAMPLES==
-
-- Generate a new 'most popular' plugin list, up to 150 pages ...
-ruby wpstools.rb --generate_plugin_list 150
-
-- Locally scan a wordpress installation for vulnerable files or shells :
-ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/
-
-===PROJECT HOME===
-
-www.wpscan.org
-
-===REPOSITORY===
-
-https://github.com/wpscanteam/wpscan
-
-===ISSUES===
-
-https://github.com/wpscanteam/wpscan/issues
-
-===DEVELOPER DOCUMENTATION===
-
-http://rdoc.info/github/wpscanteam/wpscan/frames
-
-===SPONSOR===
-
-WPScan is sponsored by the RandomStorm Open Source Initiative.
-
-Visit RandomStorm at http://www.randomstorm.com

README.md

@@ -1,26 +1,84 @@
-![alt text](http://dvwa.co.uk/images/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
+![alt text](https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner")
 
-[![Build Status](https://travis-ci.org/wpscanteam/wpscan.png?branch=master)](https://travis-ci.org/wpscanteam/wpscan)
+
+[![Build Status](https://travis-ci.org/wpscanteam/wpscan.svg?branch=master)](https://travis-ci.org/wpscanteam/wpscan)
+[![Code Climate](https://img.shields.io/codeclimate/github/wpscanteam/wpscan.svg)](https://codeclimate.com/github/wpscanteam/wpscan)
+[![Dependency Status](https://img.shields.io/gemnasium/wpscanteam/wpscan.svg)](https://gemnasium.com/wpscanteam/wpscan)
 
 #### LICENSE
 
-WPScan - WordPress Security Scanner
-Copyright (C), 2011-2013 The WPScan Team
+#### WPScan Public Source License
 
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2015 WPScan Team.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+##### 1. Definitions
 
-ryandewhurst at gmail
+1.1 "License" means this document.
+
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+
+1.3 "WPScan Team" means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+
+##### 2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using WPScan to provide commercial managed/Software-as-a-Service services.
+ - Distributing WPScan as a commercial product or as part of one.
+ - Using WPScan as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using WPScan to test your own systems.
+ - Any non-commercial use of WPScan.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+
+Free-use Terms and Conditions;
+
+##### 3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with WPScan.
+ - Unmodified Copyright notices are provided with WPScan.
+ - Does not conflict with the commercialization clause.
+
+##### 4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+##### 5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+##### 6. Contributions
+
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+##### 7. Support
+
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+
+##### 8. Disclaimer of Warranty
+
+WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+##### 9. Limitation of Liability
+
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+
+##### 10. Disclaimer
+
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
 
 #### INSTALL
 
@@ -30,60 +88,81 @@ WPScan comes pre-installed on the following Linux distributions:
 - [Kali Linux](http://www.kali.org/)
 - [Pentoo](http://www.pentoo.ch/)
 - [SamuraiWTF](http://samurai.inguardians.com/)
+- [BlackArch](http://blackarch.org/)
 
 Prerequisites:
 
-- Windows not supported
-- Ruby >= 1.9.2 - Recommended: 1.9.3
+- Ruby >= 1.9.2 - Recommended: 2.2.3
 - Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
 - RubyGems      - Recommended: latest
 - Git
 
-*Installing on Debian/Ubuntu:*
+Windows is not supported.
+If installed from Github update the code base with ```git pull```. The databases are updated with ```wpscan.rb --update```.
 
-```sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev```
+####Installing on Ubuntu:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+Before Ubuntu 14.04:
 
-```cd wpscan```
+    sudo apt-get install libcurl4-openssl-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-```sudo gem install bundler && bundle install --without test```
+From Ubuntu 14.04:
 
-*Installing on Fedora:*
+    sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-```sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel```
+####Installing on Debian:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+    sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler
+    bundle install --without test --path vendor/bundle
 
-```cd wpscan```
+####Installing on Fedora:
 
-```sudo gem install bundler && bundle install --without test```
+    sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
 
-*Installing on Archlinux:*
+####Installing on Archlinux:
 
-```pacman -Syu ruby```
+    pacman -Syu ruby
+    pacman -Syu libyaml
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && bundle install --without test
+    gem install typhoeus
+    gem install nokogiri
 
-```pacman -Syu libyaml```
+####Installing on Mac OSX:
 
-```git clone https://github.com/wpscanteam/wpscan.git```
+Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See [http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error](http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error)
 
-```cd wpscan```
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    sudo gem install bundler && sudo bundle install --without test
 
-```sudo gem install bundler && bundle install --without test```
+####Installing with RVM:
 
-```gem install typhoeus```
-
-```gem install nokogiri```
-
-*Installing on Mac OSX:*
-
-Apple Xcode, Command Line Tools and the libffi are needed (to be able to install the FFI gem), See http://stackoverflow.com/questions/17775115/cant-setup-ruby-environment-installing-fii-gem-error
-
-```git clone https://github.com/wpscanteam/wpscan.git```
-
-```cd wpscan```
-
-```sudo gem install bundler && sudo bundle install --without test```
+    cd ~
+    curl -sSL https://get.rvm.io | bash -s stable
+    source ~/.rvm/scripts/rvm
+    echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
+    rvm install 2.2.3
+    rvm use 2.2.3 --default
+    echo "gem: --no-ri --no-rdoc" > ~/.gemrc
+    gem install bundler
+    git clone https://github.com/wpscanteam/wpscan.git
+    cd wpscan
+    gem install bundler
+    bundle install --without test
 
 #### KNOWN ISSUES
 
@@ -96,7 +175,7 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
       Update cURL to version => 7.21.7 (may have to install from source).
 
       Installation from sources :
-      ```
+
         Grab the sources from http://curl.haxx.se/download.html
         Decompress the archive
         Open the folder with the extracted files
@@ -104,21 +183,21 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
         Run make
         Run sudo make install
         Run sudo ldconfig
-      ```
+
 
   - cannot load such file -- readline:
 
-      ```sudo aptitude install libreadline5-dev libncurses5-dev```
+        sudo aptitude install libreadline5-dev libncurses5-dev
 
       Then, open the directory of the readline gem (you have to locate it)
-      ```
+
         cd ~/.rvm/src/ruby-1.9.2-p180/ext/readline
         ruby extconf.rb
         make
         make install
-      ```
 
-      See http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/ for more details
+
+      See [http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/](http://vvv.tobiassjosten.net/ruby-on-rails/fixing-readline-for-the-ruby-on-rails-console/) for more details
 
   - no such file to load -- rubygems
 
@@ -126,11 +205,11 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
       And select your ruby version
 
-      See https://github.com/wpscanteam/wpscan/issues/148
+      See [https://github.com/wpscanteam/wpscan/issues/148](https://github.com/wpscanteam/wpscan/issues/148)
 
 #### WPSCAN ARGUMENTS
 
-    --update  Update to the latest revision
+    --update   Update the databases.
 
     --url   | -u <target url>  The WordPress URL/domain to scan.
 
@@ -147,13 +226,13 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
         t        themes
         vt       only vulnerable themes
         at       all themes (can take a long time)
-    Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
-    If no option is supplied, the default is 'vt,tt,u,vp'
+      Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
+      If no option is supplied, the default is "vt,tt,u,vp"
 
-    --exclude-content-based '<regexp or string>'  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
-                                                  You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
+    --exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
+                                                 You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
 
-    --config-file | -c <config file> Use the specified config file
+    --config-file | -c <config file> Use the specified config file, see the example.conf.json
 
     --user-agent | -a <User-Agent> Use the specified User-Agent
 
@@ -165,31 +244,39 @@ Apple Xcode, Command Line Tools and the libffi are needed (to be able to install
 
     --wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
 
-    --proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
-                                      HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
+    --proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json).
+                                     HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
 
-    --proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).
+    --proxy-auth <username:password>  Supply the proxy login credentials.
 
-    --basic-auth <username:password>  Set the HTTP Basic authentication
+    --basic-auth <username:password>  Set the HTTP Basic authentication.
 
-    --wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.
+    --wordlist | -w <wordlist>  Supply a wordlist for the password brute forcer.
 
-    --threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
+    --threads  | -t <number of threads>  The number of threads to use when multi-threading requests.
 
     --username | -U <username>  Only brute force the supplied username.
 
-    --cache-ttl <cache-ttl>  Typhoeus cache TTL
+    --usernames  <path-to-file>  Only brute force the usernames from the file.
 
-    --request-timeout <request-timeout>  Request Timeout
+    --cache-ttl <cache-ttl>  Typhoeus cache TTL.
 
-    --connect-timeout <connect-timeout>  Connect Timeout
+    --request-timeout <request-timeout>  Request Timeout.
 
-    --max-threads <max-threads>  Maximum Threads
+    --connect-timeout <connect-timeout>  Connect Timeout.
+
+    --max-threads <max-threads>  Maximum Threads.
 
     --help     | -h This help screen.
 
     --verbose  | -v Verbose output.
 
+    --batch Never ask for user input, use the default behavior.
+
+    --no-color Do not use colors in the output.
+
+    --log Save STDOUT to log.txt
+
 #### WPSCAN EXAMPLES
 
 Do 'non-intrusive' checks...
@@ -216,7 +303,7 @@ Use custom content directory...
 
 ```ruby wpscan.rb -u www.example.com --wp-content-dir custom-content```
 
-Update WPScan...
+Update WPScan's databases...
 
 ```ruby wpscan.rb --update```
 
@@ -224,41 +311,26 @@ Debug output...
 
 ```ruby wpscan.rb --url www.example.com --debug-output 2>debug.log```
 
-#### WPSTOOLS ARGUMENTS
-
-    --help    | -h   This help screen.
-    --Verbose | -v   Verbose output.
-    --update  | -u   Update to the latest revision.
-    --generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
-    --gpl  Alias for --generate_plugin_list
-    --check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells
-
-#### WPSTOOLS EXAMPLES
-
-Generate a new 'most popular' plugin list, up to 150 pages...
-
-```ruby wpstools.rb --generate_plugin_list 150```
-
-Locally scan a wordpress installation for vulnerable files or shells :
-```ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/```
-
-
 #### PROJECT HOME
 
-www.wpscan.org
+[http://www.wpscan.org](http://www.wpscan.org)
+
+#### VULNERABILITY DATABASE
+
+[https://wpvulndb.com](https://wpvulndb.com)
 
 #### GIT REPOSITORY
 
-https://github.com/wpscanteam/wpscan
+[https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan)
 
 #### ISSUES
 
-https://github.com/wpscanteam/wpscan/issues
+[https://github.com/wpscanteam/wpscan/issues](https://github.com/wpscanteam/wpscan/issues)
 
 #### DEVELOPER DOCUMENTATION
 
-http://rdoc.info/github/wpscanteam/wpscan/frames
+[http://rdoc.info/github/wpscanteam/wpscan/frames](http://rdoc.info/github/wpscanteam/wpscan/frames)
 
-#### SPONSOR
+#### SPECIAL THANKS
 
-WPScan is sponsored by the [RandomStorm](http://www.randomstorm.com) Open Source Initiative.
+[RandomStorm](https://www.randomstorm.com)

data/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

data/local_vulnerable_files.xml

@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-  Only he following extensions are scanned : js, php, swf, html, htm
-  If you want to add one, modify the variable file_extension_to_scan, line 191 in wpstools.rb
--->
-
-<hashes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:noNamespaceSchemaLocation="local_vulnerable_files.xsd">
-
-  <hash sha1="17c372678aafb3bc1a7b37320b5cc1d8af433527">
-    <title>XSS in swfupload.swf</title>
-    <file>swfupload.swf</file>
-    <reference>http://brindi.si/g/blog/vulnerable-swf-bundled-in-wordpress-plugins.html</reference>
-  </hash>
-
-  <hash sha1="775dc1089829ef07838406def28a4d8bfef69d66">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>php.php</file>
-    <reference>http://packetstormsecurity.com/files/119241/wpvalums-shell.txt</reference>
-  </hash>
-
-  <!-- This one a is the same as above, but the postSize verification has been removed -->
-  <hash sha1="5e8f0d5a917d2937318a9bafd0529135bd473e70">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>php.php</file>
-    <reference>http://packetstormsecurity.com/files/119218/wpreflexgallery-shell.txt</reference>
-  </hash>
-
-  <hash sha1="3f9ad05b05b65ee2b6efa1373f708293dd2005c7">
-    <title>Arbitrary File Upload Vulnerability</title>
-    <file>uploadify.php</file>
-    <reference>http://packetstormsecurity.com/files/119219/wpuploader104-shell.txt</reference>
-  </hash>
-
-  <hash sha1="ac638cc38f011b74a8d9a4e7d3d60358e472166c">
-    <title>Inline phpinfo()</title>
-    <file>phpinfo.php</file>
-    <reference>http://php.net/manual/en/function.phpinfo.php</reference>
-  </hash>
-
-  <hash sha1="012ee25cceff745e681fbb3697a06f3712f55554">
-    <title>phpinfo()</title>
-    <file>phpinfo.php</file>
-    <reference>http://php.net/manual/en/function.phpinfo.php</reference>
-  </hash>
-
-</hashes>

data/local_vulnerable_files.xsd

@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="uritype">
-    <xs:restriction base="xs:anyURI">
-      <xs:minLength value="1" />
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="sha1type">
-    <xs:restriction base="stringtype">
-      <xs:pattern value="[0-9a-f]{40}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="hashtype">
-    <xs:sequence minOccurs="1" maxOccurs="1">
-      <xs:element name="title" type="stringtype"/>
-      <xs:element name="file" type="stringtype"/>
-      <xs:element name="reference" type="uritype"/>
-    </xs:sequence>
-    <xs:attribute type="sha1type" name="sha1" use="required"/>
-  </xs:complexType>
-
-  <xs:element name="hashes">
-    <xs:complexType>
-      <xs:sequence>
-        <xs:element name="hash" type="hashtype" maxOccurs="unbounded" minOccurs="1"/>
-      </xs:sequence>
-    </xs:complexType>
-  </xs:element>
-
-</xs:schema>

data/malwares.txt

@@ -1,3 +0,0 @@
-http://.*\.rr\.nu
-http://www\.thesea\.org/media\.php
-

data/themes.txt

@@ -1,298 +0,0 @@
-aadya
-abaris
-adamos
-adaptive-flat
-adelle
-admired
-adventure
-advertica-lite
-albinomouse
-aldehyde
-alexandria
-analytical-lite
-anarcho-notepad
-apprise
-arcade-basic
-arunachala
-aspen
-asteria-lite
-asteroid
-atahualpa
-attitude
-base-wp
-beach
-bearded
-big-city
-bizantine
-bizark
-bizflare
-bizkit
-biznez-lite
-bizsphere
-bizstudio-lite
-bizway
-blackbird
-blankslate
-blogbox
-blogolife
-blox
-bluegray
-boldr-lite
-boot-store
-bootstrap-ultimate
-bouquet
-bresponzive
-brightnews
-bueno
-business-lite
-busiprof
-buzz
-capture
-catch-box
-catch-everest
-catch-evolution
-catch-kathmandu
-celestial-lite
-chaostheory
-childishly-simple
-church
-cirrus
-clean-retina
-cleo
-coller
-colorway
-contango
-coraline
-corpo
-custom-community
-customizr
-cyberchimps
-dark-tt
-dazzling
-decode
-designfolio
-desk-mess-mirrored
-destro
-discover
-dms
-drop
-duena
-dusk-to-dawn
-duster
-dw-minion
-dw-timeline
-dw-wallpress
-eclipse
-elegantwhite
-elmax
-engrave-lite
-epic
-esell
-esplanade
-esquire
-evolve
-expert
-expound
-family
-fifteen
-fine
-firmasite
-flat
-focus
-forever
-formation
-fresh-lite
-frontier
-fruitful
-gamepress
-gold
-govpress
-graphene
-graphy
-gridbulletin
-gridiculous
-gridster-lite
-hatch
-hazen
-health-center-lite
-hemingway
-highwind
-hueman
-i-transform
-iconic-one
-ifeature
-imprint
-independent-publisher
-infinite
-infoway
-inkness
-inkzine
-intuition
-invert-lite
-irex-lite
-iribbon
-isis
-itek
-justwrite
-kavya
-klasik
-leatherdiary
-lingonberry
-linia-magazine
-luminescence-lite
-lupercalia
-magazine-style
-magazino
-mantra
-market
-match
-matheson
-max-magazine
-maxflat-core
-meadowhill
-mesocolumn
-mh-magazine-lite
-midnightcity
-minimatica
-minimize
-mn-flow
-modern-estate
-monaco
-montezuma
-multiloquent
-mywiki
-neuro
-newgamer
-newpro
-next-saturday
-nictitate
-omega
-one-page
-onetone
-openstrap
-opulus-sombre
-origami
-origin
-oxygen
-p2
-padhang
-pagelines
-parabola
-parallax
-parament
-phonix
-pilcrow
-pilot-fish
-pinbin
-pinboard
-pink-touch-2
-platform
-point
-portfolio-press
-pr-news
-preference-lite
-preus
-primo-lite
-promax
-quark
-radiant
-radiate
-raindrops
-rambo
-raptor
-raven
-redesign
-responsive
-restaurante
-restaurateur
-restimpo
-retention
-reviewgine-affiliate
-ridizain
-sampression-lite
-semper-fi-lite
-sensitive
-sequel
-serene
-shopping
-simple-catch
-simply-vision
-singl
-sixteen
-skt-full-width
-sliding-door
-smpl-skeleton
-snaps
-snapshot
-sneak-lite
-socialize-lite
-spacious
-spartan
-spasalon
-sporty
-spun
-stairway
-stargazer
-start-point
-steira
-storefront-paper
-story
-suevafree
-suffusion
-sugar-and-spice
-sundance
-sunny-blue-sky
-sunrain
-sunspot
-superhero
-supernova
-surfarama
-swift-basic
-tanzanite
-teal
-tempera
-temptation
-terrifico
-the-newswire
-thematic
-theron-lite
-tiga
-timeturner
-tiny-forge
-tonal
-tonic
-travelify
-twentyeleven
-twentyfourteen
-twentyten
-twentythirteen
-twentytwelve
-typal-makewp005
-unite
-untitled
-uu-2014
-vantage
-venom
-viper
-virtue
-vision
-visitpress
-visual
-vryn-restaurant
-ward
-weaver-ii
-wilson
-wp-creativix
-wp-opulus
-wp-simple
-wpchimp-countdown
-writr
-x2
-yoko
-zbench
-zeedynamic
-zeeflow
-zeeminty
-zeenoble
-zeestyle
-zeetasty

data/user-agents.txt

@@ -1,36 +0,0 @@
-# Windows
-Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5
-Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1
-Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E)
-Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
-Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
-Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
-Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1
-Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
-Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
-Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)
-Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
-Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
-
-# MAC
-Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13
-Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
-Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
-Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
-
-# Linux
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24
-Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9
-Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0
-Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
-Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00
-Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0

data/vuln.xsd

@@ -1,109 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="inttype">
-    <xs:restriction base="xs:positiveInteger" />
-  </xs:simpleType>
-
-  <xs:simpleType name="uritype">
-    <xs:restriction base="xs:anyURI">
-      <xs:minLength value="1" />
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="cvetype">
-    <xs:restriction base="xs:token">
-      <xs:pattern value="[0-9]{4}-[0-9]{4,}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:simpleType name="typetype">
-    <xs:restriction base="stringtype">
-      <xs:enumeration value="SQLI"/>
-      <xs:enumeration value="MULTI"/>
-      <xs:enumeration value="REDIRECT"/>
-      <xs:enumeration value="RCE"/>
-      <xs:enumeration value="RFI"/>
-      <xs:enumeration value="LFI"/>
-      <xs:enumeration value="UPLOAD"/>
-      <xs:enumeration value="UNKNOWN"/>
-      <xs:enumeration value="XSS"/>
-      <xs:enumeration value="CSRF"/>
-      <xs:enumeration value="SSRF"/>
-      <xs:enumeration value="AUTHBYPASS"/>
-      <xs:enumeration value="BYPASS"/>
-      <xs:enumeration value="FPD"/>
-      <xs:enumeration value="XXE"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="itemtype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:element name="vulnerability" type="vulntype" />
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="name" use="required"/>
-  </xs:complexType>
-
-  <xs:complexType name="wordpresstype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:element name="vulnerability" type="vulntype"/>
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="version" use="required"/>
-  </xs:complexType>
-
-  <xs:complexType name="vulntype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:choice>
-        <xs:element name="title" type="stringtype"/>
-        <xs:element name="type" type="typetype"/>
-        <xs:element name="fixed_in" type="stringtype"/>
-        <xs:element name="references" type="referencetype"/>
-      </xs:choice>
-    </xs:sequence>
-  </xs:complexType>
-
-  <xs:complexType name="referencetype">
-    <xs:sequence minOccurs="1" maxOccurs="unbounded">
-      <xs:choice>
-        <xs:element name="url" type="uritype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="cve" type="cvetype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="secunia" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="osvdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="metasploit" type="stringtype" minOccurs="0" maxOccurs="unbounded"/>
-        <xs:element name="exploitdb" type="inttype" minOccurs="0" maxOccurs="unbounded"/>
-      </xs:choice>
-    </xs:sequence>
-  </xs:complexType>
-
-  <xs:element name="vulnerabilities">
-    <xs:complexType>
-      <xs:choice>
-        <xs:element name="plugin" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
-        <xs:element name="theme" type="itemtype" maxOccurs="unbounded" minOccurs="0"/>
-        <xs:element name="wordpress" type="wordpresstype" maxOccurs="unbounded" minOccurs="0"/>
-      </xs:choice>
-    </xs:complexType>
-    <xs:unique name="uniquePlugin">
-      <xs:selector xpath="plugin"/>
-      <xs:field xpath="@name"/>
-    </xs:unique>
-    <xs:unique name="uniqueTheme">
-      <xs:selector xpath="theme"/>
-      <xs:field xpath="@name"/>
-    </xs:unique>
-    <xs:unique name="uniqueWordpress">
-      <xs:selector xpath="wordpress"/>
-      <xs:field xpath="@version"/>
-    </xs:unique>
-  </xs:element>
-
-</xs:schema>

data/wp_versions.xml

@@ -1,218 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-  This file contains identification data to identify WordPress versions.
-  http://wordpress.org/download/release-archive/
-
-  Position is important, DO NOT change anything unless you know what you are doing :p
--->
-
-<wp-versions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-             xsi:noNamespaceSchemaLocation="wp_versions.xsd">
-
-  <file src="readme.html">
-    <hash md5="84b54c54aa48ae72e633685c17e67457">
-      <version>3.9</version>
-    </hash>
-    <hash md5="c6de8fc70a18be7e5c36198cd0f99a64">
-      <version>3.8.3</version>
-    </hash>
-    <hash md5="e01a2663475f6a7a8363a7c75a73fe23">
-      <version>3.8.2</version>
-    </hash>
-    <hash md5="0d0eb101038124a108f608d419387b92">
-      <version>3.8.1</version>
-    </hash>
-    <hash md5="38ee273095b8f25b9ffd5ce5018fc4f0">
-      <version>3.8</version>
-    </hash>
-    <hash md5="813e06052daa0692036e60d76d7141d3">
-      <version>3.7.3</version>
-    </hash>
-    <hash md5="b3a05c7a344c2f53cb6b680fd65a91e8">
-      <version>3.7.2</version>
-    </hash>
-    <hash md5="e82f4fe7d3c1166afb4c00856b875f16">
-      <version>3.6.1</version>
-    </hash>
-    <hash md5="477f1e652f31dae76a38e3559c91deb9">
-      <version>3.6</version>
-    </hash>
-    <hash md5="caf7946275c3e885419b1d36b22cb5f3">
-      <version>3.5.2</version>
-    </hash>
-    <hash md5="05d50a04ef19bd4b0a280362469bf22f">
-      <version>3.5.1</version>
-    </hash>
-    <hash md5="066cfc0f9b29ae6d491aa342ebfb1b71">
-      <version>3.5</version>
-    </hash>
-    <hash md5="36b2b72a0f22138a921a38db890d18c1">
-      <version>3.3.3</version>
-    </hash>
-    <hash md5="628419c327ca5ed8685ae3af6f753eb8">
-      <version>3.3.2</version>
-    </hash>
-    <hash md5="c1ed266e26a829b772362d5135966bc3">
-      <version>3.3.1</version>
-    </hash>
-    <hash md5="9ea06ab0184049bf4ea2410bf51ce402">
-      <version>3.0</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/css/buttons-rtl.css">
-    <hash md5="d24d1d1eb3a4b9a4998e4df1761f8b9e">
-      <version>3.9</version>
-    </hash>
-    <hash md5="71c13ab1693b45fb3d7712e540c4dfe0">
-      <version>3.8</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/wp-tinymce.js.gz">
-    <!-- Note: 3.7.1 has no unique file (the hash below is the same than the 3.7.2) -->
-    <hash md5="44d281b0d84cc494e2b095a6d2202f4d">
-      <version>3.7.1</version>
-    </hash>
-    <hash md5="b0bcf8091516db358ee9c833afd73175">
-      <version>3.7</version>
-    </hash>
-    <hash md5="cf4bbd562430a9bcbe735062be851be1">
-      <version>3.6.1</version>
-    </hash>
-    <hash md5="42ce18e88f1c21d4e991fcd431bcb606">
-      <version>3.6</version>
-    </hash>
-    <hash md5="a58dd12608659503cf087e879e720354">
-      <version>3.5.2</version>
-    </hash>
-    <hash md5="55c80a4794624ce9b94aa3631ad46c0b">
-      <version>3.5.1</version>
-    </hash>
-    <hash md5="8e529a971610d7ebe7851339c5cb3d67">
-      <version>3.5</version>
-    </hash>
-    <hash md5="ff19e44be975f89b647274d85b70f821">
-      <version>3.4.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/customize-controls.js">
-    <hash md5="aa0d38bd6f590ad8c3126074145b1bf1">
-      <version>3.4.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/customize-preview.js">
-    <hash md5="da36bc2dfcb13350c799b62de68dfa4b">
-      <version>3.4</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/plupload/plupload.js">
-    <hash md5="85199c05db63fcb5880de4af8be7b571">
-      <version>3.3.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/common.js">
-    <hash md5="4516252d47a73630280869994d510180">
-      <version>3.3</version>
-    </hash>
-  </file>
-
-  <file src="wp-admin/js/wp-fullscreen.js">
-    <hash md5="5675f7793f171b6424bf72f9d7bf4d9a">
-      <version>3.2.1</version>
-    </hash>
-    <hash md5="7b423e0b7c9221092737ad5271d09863">
-      <version>3.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/css/admin-bar.css">
-    <hash md5="181250fab3a7e2549a7e7fa21c2e6079">
-      <version>3.1</version>
-    </hash>
-  </file>
-
-  <file src="$wp-content$/themes/twentyten/style.css">
-    <hash md5="6211e2ac1463bf99e98f28ab63e47c54">
-      <version>3.0</version>
-    </hash>
-  </file>
-
-  <file src="$wp-plugins$/akismet/readme.txt">
-    <hash md5="4d5e52da417aa0101054bd41e6243389">
-      <version>2.8.6</version>
-    </hash>
-    <hash md5="58e086dea9d24ed074fe84ba87386c69">
-      <version>2.8.5</version>
-    </hash>
-    <hash md5="48c52025b5f28731e9a0c864c189c2e7">
-      <version>2.8.2</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/wp-ajax-response.js">
-    <hash md5="0289d1c13821599764774d55516ab81a">
-      <version>2.7.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/thickbox/thickbox.css">
-    <hash md5="9c2bd2be0893adbe02a0f864526734c2">
-      <version>2.7</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin.js">
-    <hash md5="5b140ddf0f08034402ae78b31d8a1a28">
-      <version>2.6</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/themes/advanced/js/image.js">
-    <hash md5="088245408531c58bb52cc092294cc384">
-      <version>2.5.1</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/tinymce/themes/advanced/js/link.js">
-    <hash md5="19c6f3118728c38eb7779aab4847d2d9">
-      <version>2.5</version>
-    </hash>
-  </file>
-
-  <file src="wp-includes/js/wp-ajax.js">
-    <hash md5="c5dbce0c3232c477033e0ce486c62755">
-      <version>2.2</version>
-    </hash>
-  </file>
-
-  <file src="$wp-content$/themes/default/style.css">
-    <hash md5="e44545f529a54de88209ce588676231c">
-      <version>2.0.1</version>
-    </hash>
-    <hash md5="f786f66d3a40846aa22dcdfeb44fa562">
-      <version>2.0</version>
-    </hash>
-  </file>
-
-  <file src="wp-layout.css">
-    <hash md5="7140e06c00ed03d2bb3dad7672557510">
-      <version>1.2.1</version>
-    </hash>
-    <hash md5="1bcc9253506c067eb130c9fc4f211a2f">
-      <version>1.2-delta</version>
-    </hash>
-  </file>
-
-  <file src="layout2b.css">
-    <hash md5="baec6b6ccbf71d8dced9f1bf67c751e1">
-      <version>0.71-gold</version>
-    </hash>
-  </file>
-
-</wp-versions>

data/wp_versions.xsd

@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
-
-  <xs:simpleType name="stringtype">
-    <xs:restriction base="xs:string">
-      <xs:whiteSpace value="preserve" />
-      <xs:minLength value="1" />
-      <xs:pattern value="[^\s].+[^\s]|[^\s]"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="filetype">
-    <xs:sequence>
-      <xs:element name="hash" type="hashtype" maxOccurs="unbounded" minOccurs="1"/>
-    </xs:sequence>
-    <xs:attribute type="stringtype" name="src" use="required"/>
-  </xs:complexType>
-
-  <xs:simpleType name="md5type">
-    <xs:restriction base="stringtype">
-      <xs:pattern value="[0-9a-f]{32}"/>
-    </xs:restriction>
-  </xs:simpleType>
-
-  <xs:complexType name="hashtype">
-    <xs:sequence minOccurs="1" maxOccurs="1">
-      <xs:element name="version" type="stringtype"/>
-    </xs:sequence>
-    <xs:attribute type="md5type" name="md5" use="required"/>
-  </xs:complexType>
-
-  <xs:element name="wp-versions">
-    <xs:complexType>
-      <xs:sequence>
-        <xs:element name="file" type="filetype" maxOccurs="unbounded" minOccurs="0"/>
-      </xs:sequence>
-    </xs:complexType>
-  </xs:element>
-
-</xs:schema>

dev/pre-commit-hook.rb

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 
-# ln -sf /Users/xxx/wpscan/dev/pre-commit-hook.rb /Users/xxx/wpscan/.git/hooks/pre-commit
+# from the top level dir:
+# ln -sf ../../dev/pre-commit-hook.rb .git/hooks/pre-commit
 
 require 'pty'
 html_path = 'rspec_results.html'
@@ -22,7 +23,7 @@ end
 html = open(html_path).read
 examples = html.match(/(\d+) examples/)[0].to_i rescue 0
 errors = html.match(/(\d+) errors/)[0].to_i rescue 0
-if errors == 0 then
+if errors == 0
   errors = html.match(/(\d+) failure/)[0].to_i rescue 0
 end
 pending = html.match(/(\d+) pending/)[0].to_i rescue 0

example.conf.json

@@ -10,9 +10,9 @@
 
     "cache_ttl": 600, // 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
 
-    "request_timeout": 2000, // 2s
+    "request_timeout": 60, // 1min
 
-    "connect_timeout": 1000, // 1s
+    "connect_timeout": 10, // 10s
 
     "max_threads": 20
 }

lib/common/browser.rb

@@ -16,20 +16,22 @@ class Browser
     :proxy,
     :proxy_auth,
     :request_timeout,
-    :connect_timeout
+    :connect_timeout,
+    :cookie,
+    :throttle
   ]
 
   @@instance = nil
 
   attr_reader :hydra, :cache_dir
 
-  attr_accessor :referer
+  attr_accessor :referer, :cookie, :vhost
 
   # @param [ Hash ] options
   #
   # @return [ Browser ]
   def initialize(options = {})
-    @cache_dir   = options[:cache_dir]   || CACHE_DIR + '/browser'
+    @cache_dir   = options[:cache_dir] || CACHE_DIR + '/browser'
 
     # sets browser defaults
     browser_defaults
@@ -69,14 +71,14 @@ class Browser
   # sets browser default values
   #
   def browser_defaults
-    @max_threads = 20
-    # 10 minutes, at this time the cache is cleaned before each scan. If this value is set to 0, the cache will be disabled
-    @cache_ttl = 600
-    # 2s
-    @request_timeout = 2000
-    # 1s
-    @connect_timeout = 1000
-    @user_agent = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+    @max_threads     = 20
+    # 10 minutes, at this time the cache is cleaned before each scan.
+    # If this value is set to 0, the cache will be disabled
+    @cache_ttl       = 600
+    @request_timeout = 60 # 60s
+    @connect_timeout = 10 # 10s
+    @user_agent      = "WPScan v#{WPSCAN_VERSION} (http://wpscan.org)"
+    @throttle        = 0
   end
 
   #
@@ -87,7 +89,6 @@ class Browser
   #
   # @return [ void ]
   def load_config(config_file = nil)
-
     if File.symlink?(config_file)
       raise '[ERROR] Config file is a symlink.'
     else
@@ -100,7 +101,6 @@ class Browser
         self.send(:"#{option_name}=", data[option_name])
       end
     end
-
   end
 
   # @param [ String ] url
@@ -122,11 +122,8 @@ class Browser
     )
 
     if @proxy
-      params = params.merge(proxy: @proxy)
-
-      if @proxy_auth
-        params = params.merge(proxyauth: @proxy_auth)
-      end
+      params.merge!(proxy: @proxy)
+      params.merge!(proxyauth: @proxy_auth) if @proxy_auth
     end
 
     if @basic_auth
@@ -137,15 +134,23 @@ class Browser
       )
     end
 
+    if vhost
+      params = Browser.append_params_header_field(
+        params,
+        'Host',
+        vhost
+      )
+    end
+
     params.merge!(referer: referer)
     params.merge!(timeout: @request_timeout) if @request_timeout
     params.merge!(connecttimeout: @connect_timeout) if @connect_timeout
 
     # Used to enable the cache system if :cache_ttl > 0
-    params.merge!(cache_ttl: @cache_ttl) unless params.has_key?(:cache_ttl)
+    params.merge!(cache_ttl: @cache_ttl) unless params.key?(:cache_ttl)
 
     # Prevent infinite self redirection
-    params.merge!(maxredirs: 3) unless params.has_key?(:maxredirs)
+    params.merge!(maxredirs: 3) unless params.key?(:maxredirs)
 
     # Disable SSL-Certificate checks
     params.merge!(ssl_verifypeer: false)
@@ -153,6 +158,7 @@ class Browser
 
     params.merge!(cookiejar: @cache_dir + '/cookie-jar')
     params.merge!(cookiefile: @cache_dir + '/cookie-jar')
+    params.merge!(cookie: @cookie) if @cookie
 
     params
   end
@@ -172,5 +178,4 @@ class Browser
     end
     params
   end
-
 end

lib/common/browser/options.rb

@@ -4,7 +4,7 @@ class Browser
   module Options
 
     attr_accessor :cache_ttl, :request_timeout, :connect_timeout
-    attr_reader   :basic_auth, :proxy, :proxy_auth
+    attr_reader   :basic_auth, :proxy, :proxy_auth, :throttle
     attr_writer   :user_agent
 
     # Sets the Basic Authentification credentials
@@ -82,7 +82,7 @@ class Browser
     #
     # @return [ void ]
     def request_timeout=(timeout)
-      @request_timeout = timeout
+      @request_timeout = timeout.to_i
     end
 
     # Sets the connect timeout
@@ -90,7 +90,12 @@ class Browser
     #
     # @return [ void ]
     def connect_timeout=(timeout)
-      @connect_timeout = timeout
+      @connect_timeout = timeout.to_i
+    end
+
+    # @param [ String, Integer ] throttle
+    def throttle=(throttle)
+      @throttle = throttle.to_i.abs / 1000.0
     end
 
     protected
@@ -110,6 +115,5 @@ class Browser
         end
       end
     end
-
   end
 end

lib/common/cache_file_store.rb

@@ -9,16 +9,18 @@
 #
 
 require 'yaml'
+require 'fileutils'
 
 class CacheFileStore
-  attr_reader :storage_path, :serializer
+  attr_reader :storage_path, :cache_dir, :serializer
 
   # The serializer must have the 2 methods .load and .dump
   #   (Marshal and YAML have them)
   # YAML is Human Readable, contrary to Marshal which store in a binary format
   # Marshal does not need any "require"
   def initialize(storage_path, serializer = Marshal)
-    @storage_path = File.expand_path(storage_path + '/' + storage_dir)
+    @cache_dir    = File.expand_path(storage_path)
+    @storage_path = File.expand_path(File.join(storage_path, storage_dir))
     @serializer   = serializer
 
     # File.directory? for ruby <= 1.9 otherwise,
@@ -29,16 +31,22 @@ class CacheFileStore
   end
 
   def clean
-    Dir[File.join(@storage_path, '*')].each do |f|
-      File.delete(f) unless File.symlink?(f)
+    # clean old directories
+    Dir[File.join(@cache_dir, '*')].each do |f|
+      if File.directory?(f)
+        # delete directory if create time is older than 4 hours
+        FileUtils.rm_rf(f) if File.mtime(f) < (Time.now - (60*240))
+      else
+        File.delete(f) unless File.symlink?(f)
+      end
     end
   end
 
   def read_entry(key)
-    entry_file_path = get_entry_file_path(key)
-
-    if File.exists?(entry_file_path)
-      return @serializer.load(File.read(entry_file_path))
+    begin
+      @serializer.load(File.read(get_entry_file_path(key)))
+    rescue
+      nil
     end
   end
 

lib/common/collections/wp_items.rb

@@ -1,74 +1,75 @@
-# encoding: UTF-8
-
-require 'common/collections/wp_items/detectable'
-require 'common/collections/wp_items/output'
-
-class WpItems < Array
-  extend WpItems::Detectable
-  include WpItems::Output
-
-  attr_accessor :wp_target
-
-  # @param [ WpTarget ] wp_target
-  def initialize(wp_target = nil)
-    self.wp_target = wp_target
-  end
-
-  # @param [String,] argv
-  #
-  # @return [ void ]
-  def add(*args)
-    index = 0
-
-    until args[index].nil?
-      arg = args[index]
-
-      if arg.is_a?(String)
-        if (next_arg = args[index + 1]).is_a?(Hash)
-          item = create_item(arg, next_arg)
-          index += 1
-        else
-          item = create_item(arg)
-        end
-      elsif arg.is_a?(Item)
-        item = arg
-      else
-        raise 'Invalid arguments'
-      end
-
-      self << item
-      index += 1
-    end
-  end
-
-  # @param [ String ] name
-  # @param [ Hash ] attrs
-  #
-  # @return [ WpItem ]
-  def create_item(name, attrs = {})
-    raise 'wp_target must be set' unless wp_target
-
-    item_class.new(
-      wp_target.uri,
-      attrs.merge(
-        name: name,
-        wp_content_dir: wp_target.wp_content_dir,
-        wp_plugins_dir: wp_target.wp_plugins_dir
-      ) { |key, oldval, newval| oldval }
-    )
-  end
-
-  # @param [ WpItems ] other
-  #
-  # @return [ self ]
-  def +(other)
-    other.each { |item| self << item }
-    self
-  end
-
-  protected
-  # @return [ Class ]
-  def item_class
-    Object.const_get(self.class.to_s.gsub(/.$/, ''))
-  end
-end
+# encoding: UTF-8
+
+require 'common/collections/wp_items/detectable'
+require 'common/collections/wp_items/output'
+
+class WpItems < Array
+  extend WpItems::Detectable
+  include WpItems::Output
+
+  attr_accessor :wp_target
+
+  # @param [ WpTarget ] wp_target
+  def initialize(wp_target = nil)
+    self.wp_target = wp_target
+  end
+
+  # @param [String] args
+  #
+  # @return [ void ]
+  def add(*args)
+    index = 0
+
+    until args[index].nil?
+      arg = args[index]
+
+      if arg.is_a?(String)
+        if (next_arg = args[index + 1]).is_a?(Hash)
+          item = create_item(arg, next_arg)
+          index += 1
+        else
+          item = create_item(arg)
+        end
+      elsif arg.is_a?(Item)
+        item = arg
+      else
+        raise 'Invalid arguments'
+      end
+
+      self << item
+      index += 1
+    end
+  end
+
+  # @param [ String ] name
+  # @param [ Hash ] attrs
+  #
+  # @return [ WpItem ]
+  def create_item(name, attrs = {})
+    raise 'wp_target must be set' unless wp_target
+
+    item_class.new(
+      wp_target.uri,
+      attrs.merge(
+        name: name,
+        wp_content_dir: wp_target.wp_content_dir,
+        wp_plugins_dir: wp_target.wp_plugins_dir
+      ) { |key, oldval, newval| oldval }
+    )
+  end
+
+  # @param [ WpItems ] other
+  #
+  # @return [ self ]
+  def +(other)
+    other.each { |item| self << item }
+    self
+  end
+
+  protected
+  
+  # @return [ Class ]
+  def item_class
+    Object.const_get(self.class.to_s.gsub(/.$/, ''))
+  end
+end

lib/common/collections/wp_items/detectable.rb

@@ -1,202 +1,236 @@
-# encoding: UTF-8
-
-class WpItems < Array
-  module Detectable
-
-    attr_reader :vulns_file, :item_xpath
-
-    # @param [ WpTarget ] wp_target
-    # @param [ Hash ] options
-    # @option options [ Boolean ] :show_progression  Whether or not output the progress bar
-    # @option options [ Boolean ] :only_vulnerable   Only check for vulnerable items
-    # @option options [ String ]  :exclude_content
-    #
-    # @return [ WpItems ]
-    def aggressive_detection(wp_target, options = {})
-      browser          = Browser.instance
-      hydra            = browser.hydra
-      targets          = targets_items(wp_target, options)
-      progress_bar     = progress_bar(targets.size, options)
-      queue_count      = 0
-      exist_options    = {
-        error_404_hash:  wp_target.error_404_hash,
-        homepage_hash:   wp_target.homepage_hash,
-        exclude_content: options[:exclude_content] ? %r{#{options[:exclude_content]}} : nil
-      }
-
-      # If we only want the vulnerable ones, the passive detection is ignored
-      # Otherwise, a passive detection is performed, and results will be merged
-      results = options[:only_vulnerable] ? new : passive_detection(wp_target, options)
-
-      targets.each do |target_item|
-        request = browser.forge_request(target_item.url, request_params)
-
-        request.on_complete do |response|
-          progress_bar.progress += 1 if options[:show_progression]
-
-          if target_item.exists?(exist_options, response)
-            if !results.include?(target_item)
-              if !options[:only_vulnerable] || options[:only_vulnerable] && target_item.vulnerable?
-                results << target_item
-              end
-            end
-          end
-        end
-
-        hydra.queue(request)
-        queue_count += 1
-
-        if queue_count >= browser.max_threads
-          hydra.run
-          queue_count = 0
-          puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
-        end
-      end
-
-      # run the remaining requests
-      hydra.run
-      results.sort!
-      results # can't just return results.sort because the #sort returns an array, and we want a WpItems
-    end
-
-    # @param [ Integer ] targets_size
-    # @param [ Hash ] options
-    #
-    # @return [ ProgressBar ]
-    # :nocov:
-    def progress_bar(targets_size, options)
-      if options[:show_progression]
-        ProgressBar.create(
-          format: '%t %a <%B> (%c / %C) %P%% %e',
-          title: '  ', # Used to craete a left margin
-          total: targets_size
-        )
-      end
-    end
-    # :nocov:
-
-    # @param [ WpTarget ] wp_target
-    # @param [ Hash ] options
-    #
-    # @return [ WpItems ]
-    def passive_detection(wp_target, options = {})
-      results  = new(wp_target)
-      body     = Browser.get(wp_target.url).body
-      # improves speed
-      body     = remove_base64_images_from_html(body)
-      names    = body.scan(passive_detection_pattern(wp_target))
-
-      names.flatten.uniq.each { |name| results.add(name) }
-
-      results.sort!
-      results
-    end
-
-    protected
-
-    # @param [ WpTarget ] wp_target
-    #
-    # @return [ Regex ]
-    def passive_detection_pattern(wp_target)
-      type   = self.to_s.gsub(/Wp/, '').downcase
-      regex1 = %r{(?:[^=:\(]+)\s?(?:=|:|\()\s?(?:"|')[^"']+\\?/}
-      regex2 = %r{\\?/}
-      regex3 = %r{\\?/([^/\\"']+)\\?(?:/|"|')}
-
-      /#{regex1}#{Regexp.escape(wp_target.wp_content_dir)}#{regex2}#{Regexp.escape(type)}#{regex3}/i
-    end
-
-    # The default request parameters
-    #
-    # @return [ Hash ]
-    def request_params; { cache_ttl: 0, followlocation: true } end
-
-    # @param [ WpTarget ] wp_target
-    # @param [ options ] options
-    # @option options [ Boolean ] :only_vulnerable
-    # @option options [ String ]  :file The path to the file containing the targets
-    #
-    # @return [ Array<WpItem> ]
-    def targets_items(wp_target, options = {})
-      item_class = self.item_class
-      vulns_file = self.vulns_file
-
-      targets = vulnerable_targets_items(wp_target, item_class, vulns_file)
-
-      unless options[:only_vulnerable]
-        unless options[:file]
-          raise 'A file must be supplied'
-        end
-
-        targets += targets_items_from_file(options[:file], wp_target, item_class, vulns_file)
-      end
-
-      targets.uniq! { |t| t.name }
-      targets.sort_by { rand }
-    end
-
-    # @param [ WpTarget ] wp_target
-    # @param [ Class ] item_class
-    # @param [ String ] vulns_file
-    #
-    # @return [ Array<WpItem> ]
-    def vulnerable_targets_items(wp_target, item_class, vulns_file)
-      targets = []
-      xml     = xml(vulns_file)
-
-      xml.xpath(item_xpath).each do |node|
-        targets << create_item(
-          item_class,
-          node.attribute('name').text,
-          wp_target,
-          vulns_file
-        )
-      end
-      targets
-    end
-
-    # @param [ Class ] klass
-    # @param [ String ] name
-    # @param [ WpTarget ] wp_target
-    # @option [ String ] vulns_file
-    #
-    # @return [ WpItem ]
-    def create_item(klass, name, wp_target, vulns_file = nil)
-      klass.new(
-        wp_target.uri,
-        name:           name,
-        vulns_file:     vulns_file,
-        wp_content_dir: wp_target.wp_content_dir,
-        wp_plugins_dir: wp_target.wp_plugins_dir
-      )
-    end
-
-    # @param [ String ] file
-    # @param [ WpTarget ] wp_target
-    # @param [ Class ] item_class
-    # @param [ String ] vulns_file
-    #
-    # @return [ Array<WpItem> ]
-    def targets_items_from_file(file, wp_target, item_class, vulns_file)
-      targets = []
-
-      File.open(file, 'r') do |f|
-        f.readlines.collect do |item_name|
-          targets << create_item(
-            item_class,
-            item_name.strip,
-            wp_target,
-            vulns_file
-          )
-        end
-      end
-      targets
-    end
-
-    # @return [ Class ]
-    def item_class
-      Object.const_get(self.to_s.gsub(/.$/, ''))
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpItems < Array
+  module Detectable
+
+    attr_reader :vulns_file, :item_xpath
+
+    # @param [ WpTarget ] wp_target
+    # @param [ Hash ] options
+    # @option options [ Boolean ] :show_progression  Whether or not output the progress bar
+    # @option options [ Boolean ] :only_vulnerable   Only check for vulnerable items
+    # @option options [ String ]  :exclude_content
+    #
+    # @return [ WpItems ]
+    def aggressive_detection(wp_target, options = {})
+      browser          = Browser.instance
+      hydra            = browser.hydra
+      targets          = targets_items(wp_target, options)
+      progress_bar     = progress_bar(targets.size, options)
+      queue_count      = 0
+      exist_options    = {
+        error_404_hash:  wp_target.error_404_hash,
+        homepage_hash:   wp_target.homepage_hash,
+        exclude_content: options[:exclude_content] ? %r{#{options[:exclude_content]}} : nil
+      }
+      results          = passive_detection(wp_target, options)
+
+      targets.each do |target_item|
+        request = browser.forge_request(target_item.url, request_params)
+
+        request.on_complete do |response|
+          progress_bar.progress += 1 if options[:show_progression]
+
+          if target_item.exists?(exist_options, response)
+            results << target_item unless results.include?(target_item)
+          end
+        end
+
+        hydra.queue(request)
+        queue_count += 1
+
+        if queue_count >= browser.max_threads
+          hydra.run
+          queue_count = 0
+          puts "Sent #{browser.max_threads} requests ..." if options[:verbose]
+        end
+      end
+
+      # run the remaining requests
+      hydra.run
+
+      results.select!(&:vulnerable?) if options[:type] == :vulnerable
+      results.sort!
+
+      results  # can't just return results.sort as it would return an array, and we want a WpItems
+    end
+
+    # @param [ Integer ] targets_size
+    # @param [ Hash ] options
+    #
+    # @return [ ProgressBar ]
+    # :nocov:
+    def progress_bar(targets_size, options)
+      if options[:show_progression]
+        ProgressBar.create(
+          format: '%t %a <%B> (%c / %C) %P%% %e',
+          title: '  ', # Used to craete a left margin
+          total: targets_size
+        )
+      end
+    end
+    # :nocov:
+
+    # @param [ WpTarget ] wp_target
+    # @param [ Hash ] options
+    #
+    # @return [ WpItems ]
+    def passive_detection(wp_target, options = {})
+      results = new(wp_target)
+      # improves speed
+      body    = remove_base64_images_from_html(Browser.get(wp_target.url).body)
+      page    = Nokogiri::HTML(body)
+      names   = []
+
+      page.css('link,script,style').each do |tag|
+        %w(href src).each do |attribute|
+          attr_value = tag.attribute(attribute).to_s
+          next unless attr_value
+
+          names << Regexp.last_match[1] if attr_value.match(attribute_pattern(wp_target))
+        end
+
+        next unless tag.name == 'script' || tag.name == 'style'
+
+        code = tag.text.to_s
+        next if code.empty?
+
+        code.scan(code_pattern(wp_target)).flatten.uniq.each do |item_name|
+          names << item_name
+        end
+      end
+
+      names.uniq.each { |name| results.add(name) }
+
+      results.sort!
+      results
+    end
+
+    protected
+
+    # @param [ WpTarget ] wp_target
+    #
+    # @return [ Regex ]
+    def item_pattern(wp_target)
+      type = to_s.gsub(/Wp/, '').downcase
+      wp_content_dir = wp_target.wp_content_dir
+      wp_content_url = wp_target.uri.merge(wp_content_dir).to_s
+
+      url = /#{wp_content_url.gsub(%r{\A(?:http|https)}, 'https?').gsub('/', '\\\\\?\/')}/i
+      content_dir = %r{(?:#{url}|\\?\/\\?\/?#{wp_content_dir})}i
+
+      %r{#{content_dir}\\?/#{type}\\?/}
+    end
+
+    # @param [ WpTarget ] wp_target
+    #
+    # @return [ Regex ]
+    def attribute_pattern(wp_target)
+      /\A#{item_pattern(wp_target)}([^\/]+)/i
+    end
+
+    # @param [ WpTarget ] wp_target
+    #
+    # @return [ Regex ]
+    def code_pattern(wp_target)
+      /["'\(]#{item_pattern(wp_target)}([^\\\/\)"']+)/i
+    end
+
+    # The default request parameters
+    #
+    # @return [ Hash ]
+    def request_params; { cache_ttl: 0, followlocation: true } end
+
+    # @param [ WpTarget ] wp_target
+    # @param [ options ] options
+    # @option options [ Boolean ] :only_vulnerable
+    # @option options [ String ]  :file The path to the file containing the targets
+    #
+    # @return [ Array<WpItem> ]
+    def targets_items(wp_target, options = {})
+      item_class = self.item_class
+      vulns_file = self.vulns_file
+
+      targets = target_items_from_type(wp_target, item_class, vulns_file, options[:type])
+
+      targets.uniq! { |t| t.name }
+      targets.sort_by { rand }
+    end
+
+    # @param [ WpTarget ] wp_target
+    # @param [ Class ] item_class
+    # @param [ String ] vulns_file
+    #
+    # @return [ Array<WpItem> ]
+    def target_items_from_type(wp_target, item_class, vulns_file, type)
+      targets = []
+      json    = json(vulns_file)
+
+      case type
+      when :vulnerable
+        items = json.select { |item| !json[item]['vulnerabilities'].empty? }.keys
+      when :popular
+        items = json.select { |item| json[item]['popular'] == true }.keys
+      when :all
+        items = json.keys
+      else
+        raise "Unknown type #{type}"
+      end
+
+      items.each do |item|
+        targets << create_item(
+          item_class,
+          item,
+          wp_target,
+          vulns_file
+        )
+      end
+
+      targets
+    end
+
+    # @param [ Class ] klass
+    # @param [ String ] name
+    # @param [ WpTarget ] wp_target
+    # @option [ String ] vulns_file
+    #
+    # @return [ WpItem ]
+    def create_item(klass, name, wp_target, vulns_file = nil)
+      klass.new(
+        wp_target.uri,
+        name:           name,
+        vulns_file:     vulns_file,
+        wp_content_dir: wp_target.wp_content_dir,
+        wp_plugins_dir: wp_target.wp_plugins_dir
+      )
+    end
+
+    # @param [ String ] file
+    # @param [ WpTarget ] wp_target
+    # @param [ Class ] item_class
+    # @param [ String ] vulns_file
+    #
+    # @return [ Array<WpItem> ]
+    def targets_items_from_file(file, wp_target, item_class, vulns_file)
+      targets = []
+
+      File.open(file, 'r') do |f|
+        f.readlines.collect do |item_name|
+          targets << create_item(
+            item_class,
+            item_name.strip,
+            wp_target,
+            vulns_file
+          )
+        end
+      end
+
+      targets
+    end
+
+    # @return [ Class ]
+    def item_class
+      Object.const_get(self.to_s.gsub(/.$/, ''))
+    end
+  end
+end

lib/common/collections/wp_plugins/detectable.rb

@@ -2,15 +2,9 @@
 
 class WpPlugins < WpItems
   module Detectable
-
     # @return [ String ]
     def vulns_file
-      PLUGINS_VULNS_FILE
-    end
-
-    # @return [ String ]
-    def item_xpath
-      '//plugin'
+      PLUGINS_FILE
     end
 
     # @param [ WpTarget ] wp_target
@@ -68,6 +62,10 @@ class WpPlugins < WpItems
         wp_plugins.add('all-in-one-seo-pack', version: $1)
       end
 
+      if body =~ /<!-- This site is optimized with the Yoast WordPress SEO plugin v([^\s]+) -/i
+        wp_plugins.add('wordpress-seo', version: $1)
+      end
+
       wp_plugins
     end
 

lib/common/collections/wp_themes/detectable.rb

@@ -5,13 +5,7 @@ class WpThemes < WpItems
 
     # @return [ String ]
     def vulns_file
-      THEMES_VULNS_FILE
+      THEMES_FILE
     end
-
-    # @return [ String ]
-    def item_xpath
-      '//theme'
-    end
-
   end
 end

lib/common/collections/wp_users/output.rb

@@ -38,6 +38,7 @@ class WpUsers < WpItems
       junk = get_equal_string_end(display_names)
       unless junk.nil? or junk.empty?
         self.each do |u|
+          u.display_name ||= ''
           u.display_name = u.display_name.sub(/#{Regexp.escape(junk)}$/, '')
         end
       end

lib/common/common_helper.rb

@@ -1,40 +1,34 @@
 # encoding: UTF-8
 
-LIB_DIR              = File.expand_path(File.dirname(__FILE__) + '/..')
-ROOT_DIR             = File.expand_path(LIB_DIR + '/..') # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
-DATA_DIR             = ROOT_DIR + '/data'
-CONF_DIR             = ROOT_DIR + '/conf'
-CACHE_DIR            = ROOT_DIR + '/cache'
-WPSCAN_LIB_DIR       = LIB_DIR + '/wpscan'
-WPSTOOLS_LIB_DIR     = LIB_DIR + '/wpstools'
-UPDATER_LIB_DIR      = LIB_DIR + '/updater'
-COMMON_LIB_DIR       = LIB_DIR + '/common'
-MODELS_LIB_DIR       = COMMON_LIB_DIR + '/models'
-COLLECTIONS_LIB_DIR  = COMMON_LIB_DIR + '/collections'
+LIB_DIR              = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+ROOT_DIR             = File.expand_path(File.join(LIB_DIR, '..')) # expand_path is used to get "wpscan/" instead of "wpscan/lib/../"
+DATA_DIR             = File.join(ROOT_DIR, 'data')
+CONF_DIR             = File.join(ROOT_DIR, 'conf')
+CACHE_DIR            = File.join(ROOT_DIR, 'cache')
+WPSCAN_LIB_DIR       = File.join(LIB_DIR, 'wpscan')
+UPDATER_LIB_DIR      = File.join(LIB_DIR, 'updater')
+COMMON_LIB_DIR       = File.join(LIB_DIR, 'common')
+MODELS_LIB_DIR       = File.join(COMMON_LIB_DIR, 'models')
+COLLECTIONS_LIB_DIR  = File.join(COMMON_LIB_DIR, 'collections')
 
-LOG_FILE             = ROOT_DIR + '/log.txt'
+LOG_FILE             = File.join(ROOT_DIR, 'log.txt')
 
 # Plugins directories
-COMMON_PLUGINS_DIR   = COMMON_LIB_DIR + '/plugins'
-WPSCAN_PLUGINS_DIR   = WPSCAN_LIB_DIR + '/plugins' # Not used ATM
-WPSTOOLS_PLUGINS_DIR = WPSTOOLS_LIB_DIR + '/plugins'
+COMMON_PLUGINS_DIR   = File.join(COMMON_LIB_DIR, 'plugins')
+WPSCAN_PLUGINS_DIR   = File.join(WPSCAN_LIB_DIR, 'plugins') # Not used ATM
 
 # Data files
-PLUGINS_FILE        = DATA_DIR + '/plugins.txt'
-PLUGINS_FULL_FILE   = DATA_DIR + '/plugins_full.txt'
-PLUGINS_VULNS_FILE  = DATA_DIR + '/plugin_vulns.xml'
-THEMES_FILE         = DATA_DIR + '/themes.txt'
-THEMES_FULL_FILE    = DATA_DIR + '/themes_full.txt'
-THEMES_VULNS_FILE   = DATA_DIR + '/theme_vulns.xml'
-WP_VULNS_FILE       = DATA_DIR + '/wp_vulns.xml'
-WP_VERSIONS_FILE    = DATA_DIR + '/wp_versions.xml'
-LOCAL_FILES_FILE    = DATA_DIR + '/local_vulnerable_files.xml'
-VULNS_XSD           = DATA_DIR + '/vuln.xsd'
-WP_VERSIONS_XSD     = DATA_DIR + '/wp_versions.xsd'
-LOCAL_FILES_XSD     = DATA_DIR + '/local_vulnerable_files.xsd'
-USER_AGENTS_FILE    = DATA_DIR + '/user-agents.txt'
+WORDPRESSES_FILE  = File.join(DATA_DIR, 'wordpresses.json')
+PLUGINS_FILE      = File.join(DATA_DIR, 'plugins.json')
+THEMES_FILE       = File.join(DATA_DIR, 'themes.json')
+WP_VERSIONS_FILE  = File.join(DATA_DIR, 'wp_versions.xml')
+LOCAL_FILES_FILE  = File.join(DATA_DIR, 'local_vulnerable_files.xml')
+WP_VERSIONS_XSD   = File.join(DATA_DIR, 'wp_versions.xsd')
+LOCAL_FILES_XSD   = File.join(DATA_DIR, 'local_vulnerable_files.xsd')
+USER_AGENTS_FILE  = File.join(DATA_DIR, 'user-agents.txt')
+LAST_UPDATE_FILE  = File.join(DATA_DIR, '.last_update')
 
-WPSCAN_VERSION       = '2.4'
+WPSCAN_VERSION       = '2.9'
 
 $LOAD_PATH.unshift(LIB_DIR)
 $LOAD_PATH.unshift(WPSCAN_LIB_DIR)
@@ -42,7 +36,7 @@ $LOAD_PATH.unshift(MODELS_LIB_DIR)
 
 def kali_linux?
   begin
-    File.readlines("/etc/debian_version").grep(/^kali/i).any?
+    File.readlines('/etc/debian_version').grep(/^kali/i).any?
   rescue
     false
   end
@@ -50,28 +44,24 @@ end
 
 require 'environment'
 
+def escape_glob(s)
+  s.gsub(/[\\\{\}\[\]\*\?]/) { |x| '\\' + x }
+end
+
 # TODO : add an exclude pattern ?
 def require_files_from_directory(absolute_dir_path, files_pattern = '*.rb')
-  files = Dir[File.join(absolute_dir_path, files_pattern)]
+  files = Dir[File.join(escape_glob(absolute_dir_path), files_pattern)]
 
-  # Files in the root dir are loaded first, then thoses in the subdirectories
-  files.sort_by { |file| [file.count("/"), file] }.each do |f|
+  # Files in the root dir are loaded first, then those in the subdirectories
+  files.sort_by { |file| [file.count('/'), file] }.each do |f|
     f = File.expand_path(f)
-    #puts "require #{f}" # Used for debug
+    # puts "require #{f}" # Used for debug
     require f
   end
 end
 
 require_files_from_directory(COMMON_LIB_DIR, '**/*.rb')
 
-# Hook to check if the target if down during the scan
-# The target is considered down after 10 requests with status = 0
-down = 0
-Typhoeus.on_complete do |response|
-  down += 1 if response.code == 0
-  fail 'The target seems to be down' if down >= 10
-end
-
 # Add protocol
 def add_http_protocol(url)
   url =~ /^https?:/ ? url : "http://#{url}"
@@ -81,18 +71,72 @@ def add_trailing_slash(url)
   url =~ /\/$/ ? url : "#{url}/"
 end
 
-# loading the updater
-require_files_from_directory(UPDATER_LIB_DIR)
-@updater = UpdaterFactory.get_updater(ROOT_DIR)
-
-if @updater
-  REVISION = @updater.local_revision_number()
-else
-  REVISION = nil
+def missing_db_file?
+  DbUpdater::FILES.each do |db_file|
+    return true unless File.exist?(File.join(DATA_DIR, db_file))
+  end
+  false
 end
 
-def version
-  REVISION ? "v#{WPSCAN_VERSION}r#{REVISION}" : "v#{WPSCAN_VERSION}"
+def last_update
+  date = nil
+  if File.exists?(LAST_UPDATE_FILE)
+    content = File.read(LAST_UPDATE_FILE)
+    date = Time.parse(content) rescue nil
+  end
+  date
+end
+
+def update_required?
+  date = last_update
+  (true if date.nil?) or (date < 5.days.ago)
+end
+
+# Define colors
+def colorize(text, color_code)
+  if $COLORSWITCH
+    "#{text}"
+  else
+    "\e[#{color_code}m#{text}\e[0m"
+  end
+end
+
+def bold(text)
+  colorize(text, 1)
+end
+
+def red(text)
+  colorize(text, 31)
+end
+
+def green(text)
+  colorize(text, 32)
+end
+
+def amber(text)
+  colorize(text, 33)
+end
+
+def blue(text)
+  colorize(text, 34)
+end
+
+def critical(text)
+  $exit_code += 1 if defined?($exit_code) # hack for undefined var via rspec
+  "#{red('[!]')} #{text}"
+end
+
+def warning(text)
+  $exit_code += 1 if defined?($exit_code) # hack for undefined var via rspec
+  "#{amber('[!]')} #{text}"
+end
+
+def info(text)
+  "#{green('[+]')} #{text}"
+end
+
+def notice(text)
+  "#{blue('[i]')} #{text}"
 end
 
 # our 1337 banner
@@ -106,36 +150,30 @@ def banner
   puts '            \\/  \\/   |_|    |_____/ \\___|\\__,_|_| |_|'
   puts
   puts '        WordPress Security Scanner by the WPScan Team '
-  # Alignment of the version (w & w/o the Revision)
-  if REVISION
-    puts "                    Version #{version}"
-  else
-    puts "                        Version #{version}"
-  end
-  puts '     Sponsored by the RandomStorm Open Source Initiative'
+  puts "                       Version #{WPSCAN_VERSION}"
+  puts '          Sponsored by Sucuri - https://sucuri.net'
   puts '   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_'
   puts '_______________________________________________________________'
   puts
 end
 
-def colorize(text, color_code)
-  "\e[#{color_code}m#{text}\e[0m"
-end
-
-def red(text)
-  colorize(text, 31)
-end
-
-def green(text)
-  colorize(text, 32)
-end
-
 def xml(file)
   Nokogiri::XML(File.open(file)) do |config|
     config.noblanks
   end
 end
 
+def json(file)
+  content = File.open(file).read
+
+  begin
+    JSON.parse(content)
+  rescue => e
+    puts "[ERROR] In JSON file parsing #{file} #{e}"
+    raise
+  end
+end
+
 def redefine_constant(constant, value)
   Object.send(:remove_const, constant)
   Object.const_set(constant, value)
@@ -212,3 +250,10 @@ def get_random_user_agent
   # return ransom user-agent
   user_agents.sample
 end
+
+# Directory listing enabled on url?
+#
+# @return [ Boolean ]
+def directory_listing_enabled?(url)
+  Browser.get(url.to_s).body[%r{<title>Index of}] ? true : false
+end

lib/common/db_updater.rb

@@ -0,0 +1,119 @@
+# encoding: UTF-8
+
+# DB Updater
+class DbUpdater
+  FILES = %w(
+    local_vulnerable_files.xml local_vulnerable_files.xsd
+    timthumbs.txt user-agents.txt wp_versions.xml wp_versions.xsd
+    wordpresses.json plugins.json themes.json LICENSE
+  )
+
+  attr_reader :repo_directory
+
+  def initialize(repo_directory)
+    @repo_directory = repo_directory
+
+    fail "#{repo_directory} is not writable" unless \
+      Pathname.new(repo_directory).writable?
+  end
+
+  # @return [ Hash ] The params for Typhoeus::Request
+  def request_params
+    {
+      ssl_verifyhost: 2,
+      ssl_verifypeer: true,
+      accept_encoding: 'gzip, deflate'
+    }
+  end
+
+  # @return [ String ] The raw file URL associated with the given filename
+  def remote_file_url(filename)
+    "https://wpvulndb.com/data/#{filename}"
+  end
+
+  # @return [ String ] The checksum of the associated remote filename
+  def remote_file_checksum(filename)
+    url = "#{remote_file_url(filename)}.sha512"
+
+    res = Browser.get(url, request_params)
+    fail DownloadError, res if res.timed_out? || res.code != 200
+    res.body.chomp
+  end
+
+  def local_file_path(filename)
+    File.join(repo_directory, "#{filename}")
+  end
+
+  def local_file_checksum(filename)
+    Digest::SHA512.file(local_file_path(filename)).hexdigest
+  end
+
+  def backup_file_path(filename)
+    File.join(repo_directory, "#{filename}.back")
+  end
+
+  def create_backup(filename)
+    return unless File.exist?(local_file_path(filename))
+    FileUtils.cp(local_file_path(filename), backup_file_path(filename))
+  end
+
+  def restore_backup(filename)
+    return unless File.exist?(backup_file_path(filename))
+    FileUtils.cp(backup_file_path(filename), local_file_path(filename))
+  end
+
+  def delete_backup(filename)
+    FileUtils.rm(backup_file_path(filename))
+  end
+
+  # @return [ String ] The checksum of the downloaded file
+  def download(filename)
+    file_path = local_file_path(filename)
+    file_url  = remote_file_url(filename)
+
+    res = Browser.get(file_url, request_params)
+    fail DownloadError, res if res.timed_out? || res.code != 200
+    File.open(file_path, 'wb') { |f| f.write(res.body) }
+
+    local_file_checksum(filename)
+  end
+
+  def update(verbose = false)
+    FILES.each do |filename|
+      begin
+        puts "[+] Checking #{filename}" if verbose
+        db_checksum = remote_file_checksum(filename)
+
+        # Checking if the file needs to be updated
+        if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
+          puts '  [i] Already Up-To-Date' if verbose
+          next
+        end
+
+        puts '  [i] Needs to be updated' if verbose
+        create_backup(filename)
+        puts '  [i] Backup Created' if verbose
+        puts '  [i] Downloading new file' if verbose
+        dl_checksum = download(filename)
+        puts "  [i] Downloaded File Checksum: #{dl_checksum}" if verbose
+        puts "  [i] Database File Checksum  : #{db_checksum}" if verbose
+
+        unless dl_checksum == db_checksum
+          fail "#{filename}: checksums do not match"
+        end
+      rescue => e
+        puts '  [i] Restoring Backup due to error' if verbose
+        restore_backup(filename)
+        raise e
+      ensure
+        if File.exist?(backup_file_path(filename))
+          puts '  [i] Deleting Backup' if verbose
+          delete_backup(filename)
+        end
+      end
+    end
+
+    # write last_update date to file
+    File.write(LAST_UPDATE_FILE, Time.now)
+  end
+end

lib/common/errors.rb

@@ -0,0 +1,33 @@
+
+# HTTP Error
+class HttpError < StandardError
+  attr_reader :response
+
+  # @param [ Typhoeus::Response ] response
+  def initialize(response)
+    @response = response
+  end
+
+  def failure_details
+    msg = response.effective_url
+
+    if response.code == 0 || response.timed_out?
+      msg += " (#{response.return_message})"
+    else
+      msg += " (status: #{response.code})"
+    end
+
+    msg
+  end
+
+  def message
+    "HTTP Error: #{failure_details}"
+  end
+end
+
+# Used in the Updater
+class DownloadError < HttpError
+  def message
+    "Unable to get #{failure_details}"
+  end
+end

lib/common/hacks.rb

@@ -49,11 +49,11 @@ end
 
 # Override for puts to enable logging
 def puts(o = '')
-  # remove color for logging
-  if o.respond_to?(:gsub)
-    temp = o.gsub(/\e\[\d+m(.*)?\e\[0m/, '\1')
+  if $log && o.respond_to?(:gsub)
+    temp = o.gsub(/\e\[\d+m/, '') # remove color for logging
     File.open(LOG_FILE, 'a+') { |f| f.puts(temp) }
   end
+
   super(o)
 end
 
@@ -78,7 +78,7 @@ module Terminal
 
     class Style
       @@defaults = {
-        :border_x => "-", :border_y => "|", :border_i => "+",
+        :border_x => '-', :border_y => '|', :border_i => '+',
         :padding_left => 1, :padding_right => 1,
         :margin_left => '',
         :width => nil, :alignment => nil
@@ -102,7 +102,20 @@ class Numeric
   def bytes_to_human
     units = %w{B KB MB GB TB}
     e = (Math.log(self)/Math.log(1024)).floor
-    s = "%.3f" % (to_f / 1024**e)
+    s = '%.3f' % (to_f / 1024**e)
     s.sub(/\.?0*$/, ' ' + units[e])
   end
 end
+
+# time calculations
+class Fixnum
+  SECONDS_IN_DAY = 24 * 60 * 60
+
+  def days
+    self * SECONDS_IN_DAY
+  end
+
+  def ago
+    Time.now - self
+  end
+end

lib/common/models/vulnerability.rb

@@ -35,27 +35,27 @@ class Vulnerability
   end
   # :nocov:
 
-  # Create the Vulnerability from the xml_node
+  # Create the Vulnerability from the json_item
   #
-  # @param [ Nokogiri::XML::Node ] xml_node
+  # @param [ Hash ] json_item
   #
   # @return [ Vulnerability ]
-  def self.load_from_xml_node(xml_node)
+  def self.load_from_json_item(json_item)
     references = {}
-    refs = xml_node.search('references')
-    if refs
-      references[:url] = refs.search('url').map(&:text)
-      references[:cve] = refs.search('cve').map(&:text)
-      references[:secunia] = refs.search('secunia').map(&:text)
-      references[:osvdb] = refs.search('osvdb').map(&:text)
-      references[:metasploit] = refs.search('metasploit').map(&:text)
-      references[:exploitdb] = refs.search('exploitdb').map(&:text)
+    references['id'] = [json_item['id']]
+
+    %w(url cve secunia osvdb metasploit exploitdb).each do |key|
+      if json_item['references'][key]
+        json_item['references'][key] = [json_item['references'][key]] if json_item['references'][key].class != Array
+        references[key] = json_item['references'][key]
+      end
     end
+
     new(
-      xml_node.search('title').text,
-      xml_node.search('type').text,
+      json_item['title'],
+      json_item['type'],
       references,
-      xml_node.search('fixed_in').text,
+      json_item['fixed_in']
     )
   end
 

lib/common/models/vulnerability/output.rb

@@ -2,21 +2,22 @@
 
 class Vulnerability
   module Output
-
     # output the vulnerability
     def output(verbose = false)
-      puts ' |'
-      puts ' | ' + red("* Title: #{title}")
+      puts
+      puts critical("Title: #{title}")
+
       references.each do |key, urls|
         methodname = "url_#{key}"
+
         urls.each do |u|
+          next unless respond_to?(methodname)
           url = send(methodname, u)
-          puts ' | ' + red("* Reference: #{url}") if url
+          puts "    Reference: #{url}" if url
         end
       end
-      if !fixed_in.empty?
-         puts " | * Fixed in: #{fixed_in}"
-      end
+      
+      puts notice("Fixed in: #{fixed_in}") if fixed_in
     end
   end
 end

lib/common/models/vulnerability/urls.rb

@@ -6,28 +6,39 @@ class Vulnerability
     def url_metasploit(module_path)
       # remove leading slash
       module_path = module_path.sub(/^\//, '')
-      "http://www.metasploit.com/modules/#{module_path}"
+      "https://www.rapid7.com/db/modules/#{module_path}"
     end
 
     def url_url(url)
       url
     end
 
-    def url_cve(cve)
-      "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-#{cve}"
+    def url_cve(id)
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{id}"
     end
 
     def url_osvdb(id)
-      "http://osvdb.org/#{id}"
+      "http://osvdb.org/show/osvdb/#{id}"
     end
 
     def url_secunia(id)
-      "http://secunia.com/advisories/#{id}"
+      "https://secunia.com/advisories/#{id}/"
     end
 
     def url_exploitdb(id)
-      "http://www.exploit-db.com/exploits/#{id}/"
+      "https://www.exploit-db.com/exploits/#{id}/"
     end
 
+    def url_id(id)
+      "https://wpvulndb.com/vulnerabilities/#{id}"
+    end
+
+    def url_packetstorm(id)
+      "http://packetstormsecurity.com/files/#{id}/"
+    end
+
+    def url_securityfocus(id)
+      "http://www.securityfocus.com/bid/#{id}/"
+    end
   end
 end

lib/common/models/wp_item.rb

@@ -22,7 +22,7 @@ class WpItem
   # @return [ Array ]
   # Make it private ?
   def allowed_options
-    [:name, :wp_content_dir, :wp_plugins_dir, :path, :version, :vulns_file]
+    [:name, :wp_content_dir, :wp_plugins_dir, :path, :version, :db_file]
   end
 
   # @param [ URI ] target_base_uri
@@ -30,7 +30,6 @@ class WpItem
   #
   # @return [ WpItem ]
   def initialize(target_base_uri, options = {})
-
     options[:wp_content_dir] ||= 'wp-content'
     options[:wp_plugins_dir] ||= options[:wp_content_dir] + '/plugins'
 
@@ -38,6 +37,27 @@ class WpItem
     forge_uri(target_base_uri)
   end
 
+  def identifier
+    @identifier ||= name
+  end
+
+  # @return [ Hash ]
+  def db_data
+    @db_data ||= json(db_file)[identifier] || {}
+  end
+
+  def latest_version
+    db_data['latest_version']
+  end
+
+  def last_updated
+    db_data['last_ipdated']
+  end
+
+  def popular?
+    db_data['popular']
+  end
+
   # @param [ Hash ] options
   #
   # @return [ void ]

lib/common/models/wp_item/infos.rb

@@ -12,7 +12,9 @@ class WpItem
 
     # @return [ String,nil ] The url to the readme file, nil if not found
     def readme_url
-      %w{readme.txt README.txt}.each do |readme|
+      # See https://github.com/wpscanteam/wpscan/pull/737#issuecomment-66375445
+      # for any question about the order
+      %w{readme.txt README.txt Readme.txt ReadMe.txt README.TXT readme.TXT}.each do |readme|
         url = @uri.merge(readme).to_s
         return url if url_is_200?(url)
       end
@@ -40,7 +42,7 @@ class WpItem
 
     # @return [ Boolean ]
     def has_directory_listing?
-      Browser.get(@uri.to_s).body[%r{<title>Index of}] ? true : false
+      directory_listing_enabled?(@uri)
     end
 
     # Discover any error_log files created by WordPress

lib/common/models/wp_item/output.rb

@@ -5,17 +5,27 @@ class WpItem
 
     # @return [ Void ]
     def output(verbose = false)
+      outdated = VersionCompare.lesser?(version, latest_version) if latest_version
+
       puts
-      puts " | Name: #{self}" #this will also output the version number if detected
-      puts " | Location: #{url}"
-      #puts " | WordPress: #{wordpress_url}" if wordpress_org_item?
-      puts " | Readme: #{readme_url}" if has_readme?
-      puts " | Changelog: #{changelog_url}" if has_changelog?
-      puts " | " + red('[!]') + " Directory listing is enabled: #{url}" if has_directory_listing?
-      puts " | " + red('[!]') + " An error_log file has been found: #{error_log_url}" if has_error_log?
+      puts info("Name: #{self}") #this will also output the version number if detected
+      puts " |  Latest version: #{latest_version} #{'(up to date)' if version}" if latest_version && !outdated
+      puts " |  Last updated: #{last_updated}" if last_updated
+      puts " |  Location: #{url}"
+      puts " |  Readme: #{readme_url}" if has_readme?
+      puts " |  Changelog: #{changelog_url}" if has_changelog?
+      puts warning("The version is out of date, the latest version is #{latest_version}") if latest_version && outdated
+
+      puts warning("Directory listing is enabled: #{url}") if has_directory_listing?
+      puts warning("An error_log file has been found: #{error_log_url}") if has_error_log?
 
       additional_output(verbose) if respond_to?(:additional_output)
 
+      if version.nil? && vulnerabilities.length > 0
+        puts
+        puts warning('We could not determine a version so all vulnerabilities are printed out')
+      end
+
       vulnerabilities.output
     end
   end

lib/common/models/wp_item/versionable.rb

@@ -1,29 +1,53 @@
-# encoding: UTF-8
-
-class WpItem
-  attr_writer :version
-
-  module Versionable
-
-    # Get the version from the readme.txt
-    #
-    # @return [ String ] The version number
-    def version
-      unless @version
-        # This check is needed because readme_url can return nil
-        if has_readme?
-          response = Browser.get(readme_url)
-          @version = response.body[%r{stable tag: #{WpVersion.version_pattern}}i, 1]
-        end
-      end
-      @version
-    end
-
-    # @return [ String ]
-    def to_s
-      item_version = self.version
-      "#@name#{' - v' + item_version.strip if item_version}"
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpItem
+  attr_writer :version
+
+  module Versionable
+
+    # Get the version from the readme.txt
+    #
+    # @return [ String ] The version number
+    def version
+      unless @version
+        # This check is needed because readme_url can return nil
+        if has_readme?
+          response = Browser.get(readme_url)
+          @version = extract_version(response.body)
+        end
+      end
+      @version
+    end
+
+    # @return [ String ]
+    def to_s
+      item_version = self.version
+      "#{@name}#{' - v' + item_version.strip if item_version}"
+    end
+
+    # Extracts the version number from a given string/body
+    #
+    # @return [ String ] detected version
+    def extract_version(body)
+      version = body[/\b(?:stable tag|version):\s*(?!trunk)([0-9a-z\.-]+)/i, 1]
+      if version.nil? || version !~ /[0-9]+/
+        extracted_versions = body.scan(/[=]+\s+(?:v(?:ersion)?\s*)?([0-9\.-]+)[ \ta-z0-9\(\)\.-]*[=]+/i)
+        return if extracted_versions.nil? || extracted_versions.length == 0
+        extracted_versions.flatten!
+        # must contain at least one number
+        extracted_versions = extracted_versions.select { |x| x =~ /[0-9]+/ }
+        sorted = extracted_versions.sort { |x,y|
+          begin
+            Gem::Version.new(x) <=> Gem::Version.new(y)
+          rescue
+            0
+          end
+        }
+        return sorted.last
+      else
+        return version
+      end
+    end
+
+  end
+end

lib/common/models/wp_item/vulnerable.rb

@@ -2,23 +2,23 @@
 
 class WpItem
   module Vulnerable
-    attr_accessor :vulns_file, :vulns_xpath
+    attr_accessor :db_file, :identifier
 
     # Get the vulnerabilities associated to the WpItem
     # Filters out already fixed vulnerabilities
     #
     # @return [ Vulnerabilities ]
     def vulnerabilities
-      xml             = xml(vulns_file)
-      vulnerabilities = Vulnerabilities.new
+      return @vulnerabilities if @vulnerabilities
 
-      xml.xpath(vulns_xpath).each do |node|
-        vuln = Vulnerability.load_from_xml_node(node)
-        if vulnerable_to?(vuln)
-          vulnerabilities << vuln
-        end
+      @vulnerabilities = Vulnerabilities.new
+
+      [*db_data['vulnerabilities']].each do |vulnerability|
+        vulnerability = Vulnerability.load_from_json_item(vulnerability)
+        @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
       end
-      vulnerabilities
+
+      @vulnerabilities
     end
 
     def vulnerable?
@@ -32,7 +32,7 @@ class WpItem
     # @return [ Boolean ]
     def vulnerable_to?(vuln)
       if version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
-        unless VersionCompare::is_newer_or_same?(vuln.fixed_in, version)
+        unless VersionCompare::lesser_or_equal?(vuln.fixed_in, version)
           return true
         end
       else
@@ -41,5 +41,4 @@ class WpItem
       return false
     end
   end
-
 end

lib/common/models/wp_plugin.rb

@@ -1,10 +1,6 @@
 # encoding: UTF-8
 
-require 'wp_plugin/vulnerable'
-
 class WpPlugin < WpItem
-  include WpPlugin::Vulnerable
-
   # Sets the @uri
   #
   # @param [ URI ] target_base_uri The URI of the wordpress blog
@@ -14,4 +10,7 @@ class WpPlugin < WpItem
     @uri = target_base_uri.merge(URI.encode(wp_plugins_dir + '/' + name + '/'))
   end
 
+  def db_file
+    @db_file ||= PLUGINS_FILE
+  end
 end

lib/common/models/wp_plugin/vulnerable.rb

@@ -1,20 +0,0 @@
-# encoding: UTF-8
-
-class WpPlugin < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = PLUGINS_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def vulns_xpath
-      "//plugin[@name='#{@name}']/vulnerability"
-    end
-
-  end
-end

lib/common/models/wp_theme.rb

@@ -2,7 +2,6 @@
 
 require 'wp_theme/findable'
 require 'wp_theme/versionable'
-require 'wp_theme/vulnerable'
 require 'wp_theme/info'
 require 'wp_theme/output'
 require 'wp_theme/childtheme'
@@ -10,20 +9,13 @@ require 'wp_theme/childtheme'
 class WpTheme < WpItem
   extend WpTheme::Findable
   include WpTheme::Versionable
-  include WpTheme::Vulnerable
   include WpTheme::Info
   include WpTheme::Output
   include WpTheme::Childtheme
 
-  attr_writer :style_url
+  attr_accessor :referenced_url
 
-  def allowed_options; super << :style_url end
-
-  def initialize(*args)
-    super(*args)
-
-    parse_style
-  end
+  def allowed_options; super << :referenced_url end
 
   # Sets the @uri
   #
@@ -36,10 +28,10 @@ class WpTheme < WpItem
 
   # @return [ String ] The url to the theme stylesheet
   def style_url
-    unless @style_url
-      @style_url = uri.merge('style.css').to_s
-    end
-    @style_url
+    @uri.merge('style.css').to_s
   end
 
+  def db_file
+    @db_file ||= THEMES_FILE
+  end
 end

lib/common/models/wp_theme/childtheme.rb

@@ -3,6 +3,10 @@
 class WpTheme < WpItem
   module Childtheme
 
+    def parent_theme_limit
+      3
+    end
+
     def is_child_theme?
       return true unless @theme_template.nil?
       false
@@ -10,7 +14,7 @@ class WpTheme < WpItem
 
     def get_parent_theme_style_url
       if is_child_theme?
-        return style_url.sub("/#{name}/style.css", "/#@theme_template/style.css")
+        return style_url.sub("/#{name}/style.css", "/#{@theme_template}/style.css")
       end
       nil
     end

lib/common/models/wp_theme/findable.rb

@@ -30,17 +30,14 @@ class WpTheme < WpItem
       response = Browser.get_and_follow_location(target_uri.to_s)
 
       # https + domain is optional because of relative links
-      matches = %r{(?:https?://[^"']+)?/([^/]+)/themes/([^"']+)/style.css}i.match(response.body)
-      if matches
-        return new(
-          target_uri,
-          {
-            name:           matches[2],
-            style_url:      matches[0],
-            wp_content_dir: matches[1]
-          }
-        )
-      end
+      return unless response.body =~ %r{(?:https?://[^"']+/)?([^/\s]+)/themes/([^"'/]+)[^"']*/style.css}i
+
+      new(
+        target_uri,
+        name:           Regexp.last_match[2],
+        referenced_url: Regexp.last_match[0],
+        wp_content_dir: Regexp.last_match[1]
+      )
     end
 
     # @param [ URI ] target_uri
@@ -50,7 +47,6 @@ class WpTheme < WpItem
       body = Browser.get(target_uri.to_s).body
       regexp = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?" />\s+<meta name="generator" content="WooFramework\s?([^"]+)?" />}
 
-
       if matches = regexp.match(body)
         woo_theme_name = matches[1]
         woo_theme_version = matches[2]
@@ -58,10 +54,8 @@ class WpTheme < WpItem
 
         return new(
           target_uri,
-          {
-            name:    woo_theme_name,
-            version: woo_theme_version
-          }
+          name:    woo_theme_name,
+          version: woo_theme_version
         )
       end
     end

lib/common/models/wp_theme/output.rb

@@ -5,18 +5,21 @@ class WpTheme
 
     # @return [ Void ]
     def additional_output(verbose = false)
-      puts " | Style URL: #{style_url}"
-      puts " | Theme Name: #@theme_name" if @theme_name
-      puts " | Theme URI: #@theme_uri" if @theme_uri
+      parse_style
+      
       theme_desc = verbose ? @theme_description : truncate(@theme_description, 100)
-      puts " | Description: #{theme_desc}"
-      puts " | Author: #@theme_author" if @theme_author
-      puts " | Author URI: #@theme_author_uri" if @theme_author_uri
-      puts " | Template: #@theme_template" if @theme_template and verbose
-      puts " | License: #@theme_license" if @theme_license and verbose
-      puts " | License URI: #@theme_license_uri" if @theme_license_uri and verbose
-      puts " | Tags: #@theme_tags" if @theme_tags and verbose
-      puts " | Text Domain: #@theme_text_domain" if @theme_text_domain and verbose
+      puts " |  Style URL: #{style_url}"
+      puts " |  Referenced style.css: #{referenced_url}" if referenced_url && referenced_url != style_url
+      puts " |  Theme Name: #{@theme_name}" if @theme_name
+      puts " |  Theme URI: #{@theme_uri}" if @theme_uri
+      puts " |  Description: #{theme_desc}"
+      puts " |  Author: #{@theme_author}" if @theme_author
+      puts " |  Author URI: #{@theme_author_uri}" if @theme_author_uri
+      puts " |  Template: #{@theme_template}" if @theme_template and verbose
+      puts " |  License: #{@theme_license}" if @theme_license and verbose
+      puts " |  License URI: #{@theme_license_uri}" if @theme_license_uri and verbose
+      puts " |  Tags: #{@theme_tags}" if @theme_tags and verbose
+      puts " |  Text Domain: #{@theme_text_domain}" if @theme_text_domain and verbose
     end
 
   end

lib/common/models/wp_theme/versionable.rb

@@ -2,16 +2,8 @@
 
 class WpTheme < WpItem
   module Versionable
-
     def version
-      unless @version
-        @version = Browser.get(style_url).body[%r{Version:\s*([^\s]+)}i, 1]
-
-        # Get Version from readme.txt
-        @version ||= super
-      end
-      @version
+      @version ||= Browser.get(style_url).body[%r{Version:\s*(?!trunk)([0-9a-z\.-]+)}i, 1]
     end
-
   end
 end

lib/common/models/wp_theme/vulnerable.rb

@@ -1,20 +0,0 @@
-# encoding: UTF-8
-
-class WpTheme < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = THEMES_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def vulns_xpath
-      "//theme[@name='#{@name}']/vulnerability"
-    end
-
-  end
-end

lib/common/models/wp_timthumb/output.rb

@@ -4,7 +4,10 @@ class WpTimthumb < WpItem
   module Output
 
     def output(verbose = false)
-      puts " | #{vulnerable? ? red('[!] Vulnerable') : green('[i] Not Vulnerable')} #{self}"
+      puts
+      puts info("#{self}") #this will also output the version number if detected
+
+      vulnerabilities.output
     end
 
   end

lib/common/models/wp_timthumb/vulnerable.rb

@@ -2,8 +2,54 @@
 
 class WpTimthumb < WpItem
   module Vulnerable
-    def vulnerable?
-      VersionCompare.is_newer_or_same?(version, '1.34')
+    # @return [ Vulnerabilities ]
+    def vulnerabilities
+      vulns = Vulnerabilities.new
+
+      [:check_rce_132, :check_rce_webshot].each do |method|
+        vuln = self.send(method)
+
+        vulns << vuln if vuln
+      end
+      vulns
+    end
+
+    def check_rce_132
+      rce_132_vuln unless VersionCompare.lesser_or_equal?('1.33', version)
+    end
+
+    # Vulnerable versions : > 1.35 (or >= 2.0) and < 2.8.14
+    def check_rce_webshot
+      return if VersionCompare.lesser_or_equal?('2.8.14', version) || VersionCompare.lesser_or_equal?(version, '1.35')
+
+      response = Browser.get(uri.merge('?webshot=1&src=http://' + default_allowed_domains.sample))
+
+      rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/
+    end
+
+    # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
+    def default_allowed_domains
+      %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
+    end
+
+    # @return [ Vulnerability ] The RCE in the <= 1.32
+    def rce_132_vuln
+      Vulnerability.new(
+        'Timthumb <= 1.32 Remote Code Execution',
+        'RCE',
+        { exploitdb: ['17602'] },
+        '1.33'
+      )
+    end
+
+    # @return [ Vulnerability ] The RCE due to the WebShot in the <= 2.8.13
+    def rce_webshot_vuln
+      Vulnerability.new(
+        'Timthumb <= 2.8.13 WebShot Remote Code Execution',
+        'RCE',
+        { url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] },
+        '2.8.14'
+      )
     end
   end
 end

lib/common/models/wp_user.rb

@@ -1,81 +1,81 @@
-# encoding: UTF-8
-
-require 'wp_user/existable'
-require 'wp_user/brute_forcable'
-
-class WpUser < WpItem
-  include WpUser::Existable
-  include WpUser::BruteForcable
-
-  attr_accessor :id, :login, :display_name, :password
-
-  # @return [ Array<Symbol> ]
-  def allowed_options; [:id, :login, :display_name, :password] end
-
-  # @return [ URI ] The uri to the author page
-  def uri
-    if id
-      return @uri.merge("?author=#{id}")
-    else
-      raise 'The id is nil'
-    end
-  end
-
-  # @return [ String ]
-  def login_url
-    unless @login_url
-      @login_url = @uri.merge('wp-login.php').to_s
-
-      # Let's check if the login url is redirected (to https url for example)
-      if redirection = redirection(@login_url)
-        @login_url = redirection
-      end
-    end
-
-    @login_url
-  end
-
-  def redirection(url)
-    redirection = nil
-    response = Browser.get(url)
-
-    if response.code == 301 || response.code == 302
-      redirection = response.headers_hash['location']
-
-      # Let's check if there is a redirection in the redirection
-      if other_redirection = redirection(redirection)
-        redirection = other_redirection
-      end
-    end
-
-    redirection
-  end
-
-  # @return [ String ]
-  def to_s
-    s  = "#{id}"
-    s << " | #{login}" if login
-    s << " | #{display_name}" if display_name
-    s
-  end
-
-  # @param [ WpUser ] other
-  def <=>(other)
-    id <=> other.id
-  end
-
-  # @param [ WpUser ] other
-  #
-  # @return [ Boolean ]
-  def ==(other)
-    self === other
-  end
-
-  # @param [ WpUser ] other
-  #
-  # @return [ Boolean ]
-  def ===(other)
-    id === other.id && login === other.login
-  end
-
-end
+# encoding: UTF-8
+
+require 'wp_user/existable'
+require 'wp_user/brute_forcable'
+
+class WpUser < WpItem
+  include WpUser::Existable
+  include WpUser::BruteForcable
+
+  attr_accessor :id, :login, :display_name, :password
+
+  # @return [ Array<Symbol> ]
+  def allowed_options; [:id, :login, :display_name, :password] end
+
+  # @return [ URI ] The uri to the author page
+  def uri
+    if id
+      @uri.merge("?author=#{id}")
+    else
+      raise 'The id is nil'
+    end
+  end
+
+  # @return [ String ]
+  def login_url
+    unless @login_url
+      @login_url = @uri.merge('wp-login.php').to_s
+
+      # Let's check if the login url is redirected (to https url for example)
+      if redirection = redirection(@login_url)
+        @login_url = redirection
+      end
+    end
+
+    @login_url
+  end
+
+  def redirection(url)
+    redirection = nil
+    response = Browser.get(url)
+
+    if response.code == 301 || response.code == 302
+      redirection = response.headers_hash['location']
+
+      # Let's check if there is a redirection in the redirection
+      if other_redirection = redirection(redirection)
+        redirection = other_redirection
+      end
+    end
+
+    redirection
+  end
+
+  # @return [ String ]
+  def to_s
+    s  = "#{id}"
+    s << " | #{login}" if login
+    s << " | #{display_name}" if display_name
+    s
+  end
+
+  # @param [ WpUser ] other
+  def <=>(other)
+    id <=> other.id
+  end
+
+  # @param [ WpUser ] other
+  #
+  # @return [ Boolean ]
+  def ==(other)
+    self === other
+  end
+
+  # @param [ WpUser ] other
+  #
+  # @return [ Boolean ]
+  def ===(other)
+    id === other.id && login === other.login
+  end
+
+end

lib/common/models/wp_user/brute_forcable.rb

@@ -25,16 +25,16 @@ class WpUser < WpItem
       hydra        = browser.hydra
       queue_count  = 0
       found        = false
-      progress_bar = self.progress_bar(count_file_lines(wordlist), options)
+      progress_bar = self.progress_bar(count_file_lines(wordlist)+1, options)
 
       File.open(wordlist).each do |password|
-        password.chop!
-        
+        password.chomp!
+
         # A successfull login will redirect us to the redirect_to parameter
         # Generate a random one on each request
         unless redirect_url
           random = (0...8).map { 65.+(rand(26)).chr }.join
-          redirect_url = "#@uri#{random}/"
+          redirect_url = "#{@uri}#{random}/"
         end
 
         request = login_request(password, redirect_url)
@@ -63,9 +63,10 @@ class WpUser < WpItem
 
       # run all of the remaining requests
       hydra.run
+      puts if options[:show_progression] # mandatory to avoid the output of the progressbar to be overriden
     end
 
-    # @param [ Integer ] targets_size
+    # @param [ Integer ] passwords_size
     # @param [ Hash ] options
     #
     # @return [ ProgressBar ]
@@ -103,19 +104,19 @@ class WpUser < WpItem
     # @return [ Boolean ]
     def valid_password?(response, password, redirect_url, options = {})
       if response.code == 302 && response.headers_hash && response.headers_hash['Location'] == redirect_url
-        progression = "#{green('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
+        progression = "#{info('[SUCCESS]')} Login : #{login} Password : #{password}\n\n"
         valid       = true
       elsif response.body =~ /login_error/i
         verbose = "\n  Incorrect login and/or password."
       elsif response.timed_out?
-        progression = "#{red('ERROR:')} Request timed out."
+        progression = critical('ERROR: Request timed out.')
       elsif response.code == 0
-        progression = "#{red('ERROR:')} No response from remote server. WAF/IPS?"
+        progression = critical("ERROR: No response from remote server. WAF/IPS? (#{response.return_message})")
       elsif response.code.to_s =~ /^50/
-        progression = "#{red('ERROR:')} Server error, try reducing the number of threads."
+        progression = critical('ERROR: Server error, try reducing the number of threads.')
       else
-        progression = "#{red('ERROR:')} We received an unknown response for #{password}..."
-        verbose     = red("    Code: #{response.code}\n    Body: #{response.body}\n")
+        progression = critical("ERROR: We received an unknown response for #{password}...")
+        verbose     = critical("    Code: #{response.code}\n    Body: #{response.body}\n")
       end
 
       puts "\n  " + progression if progression && options[:show_progression]

lib/common/models/wp_user/existable.rb

@@ -22,6 +22,8 @@ class WpUser < WpItem
       if response.code == 301 # login in location?
         location = response.headers_hash['Location']
 
+        return if location.nil? || location.empty?
+
         @login        = Existable.login_from_author_pattern(location)
         @display_name = Existable.display_name_from_body(
           Browser.get(location).body
@@ -37,7 +39,9 @@ class WpUser < WpItem
     #
     # @return [ String ] The login
     def self.login_from_author_pattern(text)
-      text[%r{/author/([^/\b]+)/?}i, 1]
+      return unless text =~ %r{/author/([^/\b"']+)/?}i
+
+      Regexp.last_match[1].force_encoding('UTF-8')
     end
 
     # @param [ String ] body
@@ -49,7 +53,8 @@ class WpUser < WpItem
 
       unless login
         # No Permalinks
-        login = body[%r{<body class="archive author author-([^\s]+) author-(\d+)}i, 1]
+        login = body[%r{<body class="archive author author-([^\s]+)[ "]}i, 1]
+        login ? login.force_encoding('UTF-8') : nil
       end
 
       login
@@ -66,9 +71,12 @@ class WpUser < WpItem
         title_tag.force_encoding('UTF-8') if title_tag.encoding == Encoding::ASCII_8BIT
         title_tag = Nokogiri::HTML::DocumentFragment.parse(title_tag).to_s
         # &amp; are not decoded with Nokogiri
-        title_tag.sub!('&amp;', '&')
+        title_tag.gsub!('&amp;', '&')
 
-        name = title_tag[%r{([^|«]+) }, 1]
+        # replace UTF chars like  &#187; with dummy character
+        title_tag.gsub!(/&#(\d+);/, '|')
+
+        name = title_tag[%r{([^|«»]+) }, 1]
 
         return name.strip if name
       end

lib/common/models/wp_version.rb

@@ -1,21 +1,27 @@
 # encoding: UTF-8
 
 require 'wp_version/findable'
-require 'wp_version/vulnerable'
 require 'wp_version/output'
 
 class WpVersion < WpItem
-
   extend  WpVersion::Findable
-  include WpVersion::Vulnerable
   include WpVersion::Output
 
   # The version number
   attr_accessor :number
+  alias_method :version, :number # Needed to have the right behaviour in Vulnerable#vulnerable_to?
 
   # @return [ Array ]
   def allowed_options; super << :number << :found_from end
 
+  def identifier
+    @identifier ||= number
+  end
+
+  def db_file
+    @db_file ||= WORDPRESSES_FILE
+  end
+
   # @param [ WpVersion ] other
   #
   # @return [ Boolean ]
@@ -23,4 +29,10 @@ class WpVersion < WpItem
     number == other.number
   end
 
+  # @return [ Array<String> ] All the stable versions from version_file
+  def self.all(versions_file = WP_VERSIONS_FILE)
+    Nokogiri.XML(File.open(versions_file)).css('version').reduce([]) do |a, node|
+      a << node.text.to_s
+    end
+  end
 end

lib/common/models/wp_version/findable.rb

@@ -1,218 +1,222 @@
-# encoding: UTF-8
-
-class WpVersion < WpItem
-
-  module Findable
-
-    # Find the version of the blog designated from target_uri
-    #
-    # @param [ URI ] target_uri
-    # @param [ String ] wp_content_dir
-    # @param [ String ] wp_plugins_dir
-    #
-    # @return [ WpVersion ]
-    def find(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-      methods.grep(/^find_from_/).each do |method|
-
-        if method === :find_from_advanced_fingerprinting
-          version = send(method, target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-        else
-          version = send(method, target_uri)
-        end
-
-        if version
-          return new(target_uri, number: version, found_from: method)
-        end
-      end
-      nil
-    end
-
-    # Used to check if the version is correct: must contain at least one dot.
-    #
-    # @return [ String ]
-    def version_pattern
-      '([^\r\n"\']+\.[^\r\n"\']+)'
-    end
-
-    protected
-
-    # Returns the first match of <pattern> in the body of the url
-    #
-    # @param [ URI ] target_uri
-    # @param [ Regex ] pattern
-    # @param [ String ] path
-    #
-    # @return [ String ]
-    def scan_url(target_uri, pattern, path = nil)
-      url = path ? target_uri.merge(path).to_s : target_uri.to_s
-      response = Browser.get_and_follow_location(url)
-
-      response.body[pattern, 1]
-    end
-
-    #
-    # DO NOT Change the order of the following methods
-    # unless you know what you are doing
-    # See WpVersion.find
-    #
-
-    # Attempts to find the wordpress version from,
-    # the generator meta tag in the html source.
-    #
-    # The meta tag can be removed however it seems,
-    # that it is reinstated on upgrade.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_meta_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{name="generator" content="wordpress #{version_pattern}"}i
-      )
-    end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the RSS feed source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_rss_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<generator>http://wordpress.org/\?v=#{version_pattern}</generator>}i,
-        'feed/'
-      )
-    end
-
-    # Attempts to find WordPress version from,
-    # the generator tag in the RDF feed source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_rdf_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{version_pattern}" />}i,
-        'feed/rdf/'
-      )
-    end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the RSS2 feed source.
-    #
-    # Have not been able to find an example of this - Ryan
-    #def find_from_rss2_generator(target_uri)
-    #  scan_url(
-    #    target_uri,
-    #    %r{<generator>http://wordpress.org/?v=(#{WpVersion.version_pattern})</generator>}i,
-    #    'feed/rss/'
-    #  )
-    #end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the Atom source.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_atom_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{<generator uri="http://wordpress.org/" version="#{version_pattern}">WordPress</generator>}i,
-        'feed/atom/'
-      )
-    end
-
-    # Attempts to find the WordPress version from,
-    # the generator tag in the comment rss source.
-    #
-    # Have not been able to find an example of this - Ryan
-    #def find_from_comments_rss_generator(target_uri)
-    # scan_url(
-    # target_uri,
-    # %r{<!-- generator="WordPress/#{WpVersion.version_pattern}" -->}i,
-    # 'comments/feed/'
-    # )
-    #end
-
-    # Uses data/wp_versions.xml to try to identify a
-    # wordpress version.
-    #
-    # It does this by using client side file hashing
-    #
-    # /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated)
-    #
-    # @param [ URI ] target_uri
-    # @param [ String ] wp_content_dir
-    # @param [ String ] wp_plugins_dir
-    # @param [ String ] versions_xml The path to the xml containing all versions
-    #
-    # @return [ String ] The version number
-    def find_from_advanced_fingerprinting(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
-      xml     = xml(versions_xml)
-
-      # This wp_item will take care of encoding the path
-      # and replace variables like $wp-content$ & $wp-plugins$
-      wp_item = WpItem.new(target_uri,
-                           wp_content_dir: wp_content_dir,
-                           wp_plugins_dir: wp_plugins_dir)
-
-      xml.xpath('//file').each do |node|
-        wp_item.path = node.attribute('src').text
-
-        response = Browser.get(wp_item.url)
-        md5sum = Digest::MD5.hexdigest(response.body)
-
-        node.search('hash').each do |hash|
-          if hash.attribute('md5').text == md5sum
-            return hash.search('version').text
-          end
-        end
-      end
-      nil
-    end
-
-    # Attempts to find the WordPress version from the readme.html file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_readme(target_uri)
-      scan_url(
-        target_uri,
-        %r{<br />\sversion #{version_pattern}}i,
-        'readme.html'
-      )
-    end
-
-    # Attempts to find the WordPress version from the sitemap.xml file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_sitemap_generator(target_uri)
-      scan_url(
-        target_uri,
-        %r{generator="wordpress/#{version_pattern}"}i,
-        'sitemap.xml'
-      )
-    end
-
-    # Attempts to find the WordPress version from the p-links-opml.php file.
-    #
-    # @param [ URI ] target_uri
-    #
-    # @return [ String ] The version number
-    def find_from_links_opml(target_uri)
-      scan_url(
-        target_uri,
-        %r{generator="wordpress/#{version_pattern}"}i,
-        'wp-links-opml.php'
-      )
-    end
-
-  end
-end
+# encoding: UTF-8
+
+class WpVersion < WpItem
+
+  module Findable
+
+    # Find the version of the blog designated from target_uri
+    #
+    # @param [ URI ] target_uri
+    # @param [ String ] wp_content_dir
+    # @param [ String ] wp_plugins_dir
+    #
+    # @return [ WpVersion ]
+    def find(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+      methods.grep(/^find_from_/).each do |method|
+
+        if method === :find_from_advanced_fingerprinting
+          version = send(method, target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+        else
+          version = send(method, target_uri)
+        end
+
+        if version
+          return new(target_uri, number: version, found_from: method)
+        end
+      end
+      nil
+    end
+
+    # Used to check if the version is correct: must contain at least one dot.
+    #
+    # @return [ String ]
+    def version_pattern
+      '([^\r\n"\',]+\.[^\r\n"\',]+)'
+    end
+
+    protected
+
+    # Returns the first match of <pattern> in the body of the url
+    #
+    # @param [ URI ] target_uri
+    # @param [ Regex ] pattern
+    # @param [ String ] path
+    #
+    # @return [ String ]
+    def scan_url(target_uri, pattern, path = nil)
+      url = path ? target_uri.merge(path).to_s : target_uri.to_s
+      response = Browser.get_and_follow_location(url)
+
+      response.body[pattern, 1]
+    end
+
+    #
+    # DO NOT Change the order of the following methods
+    # unless you know what you are doing
+    # See WpVersion.find
+    #
+
+    # Attempts to find the wordpress version from,
+    # the generator meta tag in the html source.
+    #
+    # The meta tag can be removed however it seems,
+    # that it is reinstated on upgrade.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_meta_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{name="generator" content="wordpress #{version_pattern}.*"}i
+      )
+    end
+
+    # Attempts to find the WordPress version from,
+    # the generator tag in the RSS feed source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_rss_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<generator>http://wordpress.org/\?v=#{version_pattern}</generator>}i,
+        'feed/'
+      )
+    end
+
+    # Attempts to find WordPress version from,
+    # the generator tag in the RDF feed source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_rdf_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<admin:generatorAgent rdf:resource="http://wordpress.org/\?v=#{version_pattern}" />}i,
+        'feed/rdf/'
+      )
+    end
+
+    # Attempts to find the WordPress version from,
+    # the generator tag in the Atom source.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_atom_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{<generator uri="http://wordpress.org/" version="#{version_pattern}">WordPress</generator>}i,
+        'feed/atom/'
+      )
+    end
+
+    def find_from_stylesheets_numbers(target_uri)
+      wp_versions = WpVersion.all
+      found       = {}
+      pattern     = /\bver=([0-9\.]+)/i
+
+      Nokogiri::HTML(Browser.get(target_uri.to_s).body).css('link,script').each do |tag|
+        %w(href src).each do |attribute|
+          attr_value = tag.attribute(attribute).to_s
+
+          next if attr_value.nil? || attr_value.empty?
+
+          uri = Addressable::URI.parse(attr_value)
+          next unless uri.query && uri.query.match(pattern)
+
+          version = Regexp.last_match[1].to_s
+
+          found[version] ||= 0
+          found[version] += 1
+        end
+      end
+
+      found.delete_if { |v, _| !wp_versions.include?(v) }
+
+      best_guess = found.sort_by(&:last).last
+      # best_guess[0]: version number, [1] numbers of occurences
+      best_guess && best_guess[1] > 1 ? best_guess[0] : nil
+    end
+
+    # Uses data/wp_versions.xml to try to identify a
+    # wordpress version.
+    #
+    # It does this by using client side file hashing
+    #
+    # /!\ Warning : this method might return false positive if the file used for fingerprinting is part of a theme (they can be updated)
+    #
+    # @param [ URI ] target_uri
+    # @param [ String ] wp_content_dir
+    # @param [ String ] wp_plugins_dir
+    # @param [ String ] versions_xml The path to the xml containing all versions
+    #
+    # @return [ String ] The version number
+    def find_from_advanced_fingerprinting(target_uri, wp_content_dir, wp_plugins_dir, versions_xml)
+      xml     = xml(versions_xml)
+
+      # This wp_item will take care of encoding the path
+      # and replace variables like $wp-content$ & $wp-plugins$
+      wp_item = WpItem.new(target_uri,
+                           wp_content_dir: wp_content_dir,
+                           wp_plugins_dir: wp_plugins_dir)
+
+      xml.xpath('//file').each do |node|
+        wp_item.path = node.attribute('src').text
+
+        response = Browser.get(wp_item.url)
+        md5sum = Digest::MD5.hexdigest(response.body)
+
+        node.search('hash').each do |hash|
+          if hash.attribute('md5').text == md5sum
+            return hash.search('version').text
+          end
+        end
+      end
+      nil
+    end
+
+    # Attempts to find the WordPress version from the readme.html file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_readme(target_uri)
+      scan_url(
+        target_uri,
+        %r{<br />\sversion #{version_pattern}}i,
+        'readme.html'
+      )
+    end
+
+    # Attempts to find the WordPress version from the sitemap.xml file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_sitemap_generator(target_uri)
+      scan_url(
+        target_uri,
+        %r{generator="wordpress/#{version_pattern}"}i,
+        'sitemap.xml'
+      )
+    end
+
+    # Attempts to find the WordPress version from the p-links-opml.php file.
+    #
+    # @param [ URI ] target_uri
+    #
+    # @return [ String ] The version number
+    def find_from_links_opml(target_uri)
+      scan_url(
+        target_uri,
+        %r{generator="wordpress/#{version_pattern}"}i,
+        'wp-links-opml.php'
+      )
+    end
+
+  end
+end

lib/common/models/wp_version/output.rb

@@ -5,13 +5,16 @@ class WpVersion < WpItem
 
     def output(verbose = false)
       puts
-      puts green('[+]') + " WordPress version #{self.number} identified from #{self.found_from}"
+      puts info("WordPress version #{self.number} identified from #{self.found_from}")
 
       vulnerabilities = self.vulnerabilities
 
       unless vulnerabilities.empty?
-        puts red('[!]') + " #{vulnerabilities.size} vulnerabilities identified from the version number"
-
+        if vulnerabilities.size == 1
+           puts critical("#{vulnerabilities.size} vulnerability identified from the version number")
+        else
+           puts critical("#{vulnerabilities.size} vulnerabilities identified from the version number")
+        end
         vulnerabilities.output
       end
     end

lib/common/models/wp_version/vulnerable.rb

@@ -1,20 +0,0 @@
-# encoding: UTF-8
-
-class WpVersion < WpItem
-  module Vulnerable
-
-    # @return [ String ] The path to the file containing vulnerabilities
-    def vulns_file
-      unless @vulns_file
-        @vulns_file = WP_VULNS_FILE
-      end
-      @vulns_file
-    end
-
-    # @return [ String ]
-    def vulns_xpath
-      "//wordpress[@version='#{@number}']/vulnerability"
-    end
-
-  end
-end

lib/common/updater/git_updater.rb

@@ -1,37 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class GitUpdater < Updater
-
-  def is_installed?
-    %x[git #{repo_directory_arguments()} status 2>&1] =~ /On branch/ ? true : false
-  end
-
-  # Git has not a revsion number like SVN,
-  # so we will take the 7 first chars of the last commit hash
-  def local_revision_number
-    git_log = %x[git #{repo_directory_arguments()} log -1 2>&1]
-    git_log[/commit ([0-9a-z]{7})/i, 1].to_s
-  end
-
-  def update
-    %x[git #{repo_directory_arguments()} pull]
-  end
-
-  def has_local_changes?
-    %x[git #{repo_directory_arguments()} diff --exit-code 2>&1] =~ /diff/ ? true : false
-  end
-
-  def reset_head
-    %x[git #{repo_directory_arguments()} reset --hard HEAD]
-  end
-
-  protected
-  def repo_directory_arguments
-    if @repo_directory
-      return "--git-dir=\"#{@repo_directory}/.git\" --work-tree=\"#{@repo_directory}\""
-    end
-  end
-
-end

lib/common/updater/svn_updater.rb

@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-require 'common/updater/updater'
-
-class SvnUpdater < Updater
-
-  REVISION_PATTERN = /revision="(\d+)"/i
-  TRUNK_URL        = 'https://github.com/wpscanteam/wpscan'
-
-  def is_installed?
-    %x[svn info "#@repo_directory" --xml 2>&1] =~ /revision=/ ? true : false
-  end
-
-  def local_revision_number
-    local_revision = %x[svn info "#@repo_directory" --xml 2>&1]
-    local_revision[REVISION_PATTERN, 1].to_s
-  end
-
-  def update
-    %x[svn up "#@repo_directory"]
-  end
-
-end

lib/common/updater/updater.rb

@@ -1,25 +0,0 @@
-# encoding: UTF-8
-
-# This class act as an absract one
-class Updater
-
-  attr_reader :repo_directory
-
-  # TODO : add a last '/ to repo_directory if it's not present
-  def initialize(repo_directory = nil)
-    @repo_directory = repo_directory
-  end
-
-  def is_installed?
-    raise NotImplementedError
-  end
-
-  def local_revision_number
-    raise NotImplementedError
-  end
-
-  def update
-    raise NotImplementedError
-  end
-
-end

lib/common/updater/updater_factory.rb

@@ -1,23 +0,0 @@
-# encoding: UTF-8
-
-class UpdaterFactory
-
-  def self.get_updater(repo_directory)
-    self.available_updaters_classes().each do |updater_symbol|
-      updater = Object.const_get(updater_symbol).new(repo_directory)
-
-      if updater.is_installed?
-        return updater
-      end
-    end
-    nil
-  end
-
-  protected
-
-  # return array of class symbols
-  def self.available_updaters_classes
-    Object.constants.grep(/^.+Updater$/)
-  end
-
-end

lib/common/version_compare.rb

@@ -2,14 +2,18 @@
 
 class VersionCompare
 
-  # Compares two version strings. Returns true if version1 is equal to version2
-  # or when version1 is older than version2
+  # Compares two version strings. Returns true if version1 <= version2
+  # and false otherwise
   #
   # @param [ String ] version1
   # @param [ String ] version2
   #
   # @return [ Boolean ]
-  def self.is_newer_or_same?(version1, version2)
+  def self.lesser_or_equal?(version1, version2)
+    # Prepend a '0' if the version starts with a '.'
+    version1 = prepend_zero(version1)
+    version2 = prepend_zero(version2)
+
     return true if (version1 == version2)
     # Both versions must be set
     return false unless (version1 and version2)
@@ -23,4 +27,36 @@ class VersionCompare
     end
     return false
   end
+
+  # Compares two version strings. Returns true if version1 < version2
+  # and false otherwise
+  #
+  # @param [ String ] version1
+  # @param [ String ] version2
+  #
+  # @return [ Boolean ]
+  def self.lesser?(version1, version2)
+    # Prepend a '0' if the version starts with a '.'
+    version1 = prepend_zero(version1)
+    version2 = prepend_zero(version2)
+
+    return false if (version1 == version2)
+    # Both versions must be set
+    return false unless (version1 and version2)
+    return false if (version1.empty? or version2.empty?)
+    begin
+      return true if (Gem::Version.new(version1) < Gem::Version.new(version2))
+    rescue ArgumentError => e
+      # Example: ArgumentError: Malformed version number string a
+      return false if e.message =~ /Malformed version number string/
+      raise
+    end
+    return false
+  end
+
+  # @return [ String ]
+  def self.prepend_zero(version)
+    return nil if version.nil?
+    version[0,1] == '.' ? "0#{version}" : version
+  end
 end

lib/environment.rb

@@ -28,12 +28,14 @@ begin
   require 'pp'
   require 'shellwords'
   require 'fileutils'
+  require 'pathname'
   # Third party libs
   require 'typhoeus'
-  require 'json'
+  require 'yajl/json_gem'
   require 'nokogiri'
   require 'terminal-table'
   require 'ruby-progressbar'
+  require 'addressable/uri'
   # Custom libs
   require 'common/browser'
   require 'common/custom_option_parser'

lib/wpscan/web_site.rb

@@ -52,8 +52,11 @@ class WebSite
     url ||= @uri.to_s
     response = Browser.get(url)
 
+    redirected_uri = URI.parse(add_trailing_slash(add_http_protocol(url)))
     if response.code == 301 || response.code == 302
-      redirection = response.headers_hash['location']
+      redirection = redirected_uri.merge(response.headers_hash['location']).to_s
+
+      return redirection if url == redirection # prevents infinite loop
 
       # Let's check if there is a redirection in the redirection
       if other_redirection = redirection(redirection)

lib/wpscan/web_site/robots_txt.rb

@@ -12,12 +12,9 @@ class WebSite
     # Gets a robots.txt URL
     # @return [ String ]
     def robots_url
-      temp = @uri.clone
-      temp.path = '/robots.txt'
-      temp.to_s
+      @uri.clone.merge('robots.txt').to_s
     end
 
-
     # Parse robots.txt
     # @return [ Array ] URLs generated from robots.txt
     def parse_robots_txt
@@ -31,6 +28,7 @@ class WebSite
       if entries
         entries.flatten!
         entries.compact.sort!
+        entries.uniq!
         wordpress_path = @uri.path
         RobotsTxt.known_dirs.each do |d|
           entries.delete(d)
@@ -42,9 +40,9 @@ class WebSite
         entries.each do |d|
           begin
             temp = @uri.clone
-            temp.path = d
+            temp.path = d.strip
           rescue URI::Error
-            temp = d
+            temp = d.strip
           end
           return_object << temp.to_s
         end

lib/wpscan/wp_target.rb

@@ -1,19 +1,19 @@
 # encoding: UTF-8
 
 require 'web_site'
-require 'wp_target/malwares'
 require 'wp_target/wp_readme'
 require 'wp_target/wp_registrable'
 require 'wp_target/wp_config_backup'
+require 'wp_target/wp_must_use_plugins'
 require 'wp_target/wp_login_protection'
 require 'wp_target/wp_custom_directories'
 require 'wp_target/wp_full_path_disclosure'
 
 class WpTarget < WebSite
-  include WpTarget::Malwares
   include WpTarget::WpReadme
   include WpTarget::WpRegistrable
   include WpTarget::WpConfigBackup
+  include WpTarget::WpMustUsePlugins
   include WpTarget::WpLoginProtection
   include WpTarget::WpCustomDirectories
   include WpTarget::WpFullPathDisclosure
@@ -21,15 +21,20 @@ class WpTarget < WebSite
   attr_reader :verbose
 
   def initialize(target_url, options = {})
+    raise Exception.new('target_url can not be nil or empty') if target_url.nil? || target_url == ''
     super(target_url)
 
     @verbose        = options[:verbose]
     @wp_content_dir = options[:wp_content_dir]
     @wp_plugins_dir = options[:wp_plugins_dir]
     @multisite      = nil
+    @vhost = options[:vhost]
 
-    Browser.instance(options.merge(:max_threads => options[:threads]))
     Browser.instance.referer = url
+    if @vhost
+      Browser.instance.vhost = @vhost
+    end
+
   end
 
   # check if the target website is
@@ -41,10 +46,12 @@ class WpTarget < WebSite
 
     # Note: in the future major WPScan version, change the user-agent to see
     # if the response is a 200 ?
-    fail "The target is responding with a 403, this might be due to a WAF or a plugin\n" \
-          'You should try to supply a valid user-agent via the --user-agent option' if response.code == 403
+    fail "The target is responding with a 403, this might be due to a WAF or a plugin.\n" \
+          'You should try to supply a valid user-agent via the --user-agent option or use the --random-agent option' if response.code == 403
 
-    if response.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i
+    dir = wp_content_dir ? wp_content_dir : 'wp-content'
+
+    if response.body =~ /["'][^"']*\/#{Regexp.escape(dir)}\/[^"']*["']/i
       wordpress = true
     else
 
@@ -71,9 +78,7 @@ class WpTarget < WebSite
 
     # Let's check if the login url is redirected (to https url for example)
     redirection = redirection(url)
-    if redirection
-      url = redirection
-    end
+    url = redirection if redirection
 
     url
   end
@@ -122,7 +127,12 @@ class WpTarget < WebSite
 
   # @return [ String ]
   def debug_log_url
-    @uri.merge("#{wp_content_dir()}/debug.log").to_s
+    @uri.merge("#{wp_content_dir}/debug.log").to_s
+  end
+
+  # @return [ String ]
+  def upload_dir_url
+    @uri.merge("#{wp_content_dir}/uploads/").to_s
   end
 
   # Script for replacing strings in wordpress databases
@@ -139,4 +149,8 @@ class WpTarget < WebSite
     resp = Browser.get(search_replace_db_2_url)
     resp.code == 200 && resp.body[%r{by interconnect}i]
   end
+
+  def upload_directory_listing_enabled?
+    directory_listing_enabled?(upload_dir_url)
+  end
 end

lib/wpscan/wp_target/malwares.rb

@@ -1,50 +0,0 @@
-# encoding: UTF-8
-
-class WpTarget < WebSite
-  module Malwares
-    # Used as cache :
-    #   nil => malwares not checked,
-    #   [] => no malwares,
-    #   otherwise array of malwares url found
-    @malwares = nil
-
-    def has_malwares?(malwares_file_path = nil)
-      !malwares(malwares_file_path).empty?
-    end
-
-    # return array of string (url of malwares found)
-    def malwares(malwares_file_path = nil)
-      unless @malwares
-        malwares_found = []
-        malwares_file = Malwares.malwares_file(malwares_file_path)
-        index_page_body = Browser.get(@uri.to_s).body
-
-        File.open(malwares_file, 'r') do |file|
-          file.readlines.collect do |url|
-            chomped_url = url.chomp
-
-            if chomped_url.length > 0
-              malwares_found += index_page_body.scan(Malwares.malware_pattern(chomped_url))
-            end
-          end
-        end
-
-        malwares_found.flatten!
-        malwares_found.uniq!
-
-        @malwares = malwares_found
-      end
-      @malwares
-    end
-
-    def self.malwares_file(malwares_file_path)
-      malwares_file_path || DATA_DIR + '/malwares.txt'
-    end
-
-    def self.malware_pattern(url_regex)
-      # no need to escape regex here, because malware.txt contains regex
-      %r{<(?:script|iframe).* src=(?:"|')(#{url_regex}[^"']*)(?:"|')[^>]*>}i
-    end
-
-  end
-end

lib/wpscan/wp_target/wp_config_backup.rb

@@ -40,9 +40,9 @@ class WpTarget < WebSite
     # @return [ Array ]
     def self.config_backup_files
       %w{
-        wp-config.php~ #wp-config.php# wp-config.php.save wp-config.php.swp wp-config.php.swo wp-config.php_bak
-        wp-config.bak wp-config.php.bak wp-config.save wp-config.old wp-config.php.old wp-config.php.orig
-        wp-config.orig wp-config.php.original wp-config.original wp-config.txt
+        wp-config.php~ #wp-config.php# wp-config.php.save .wp-config.php.swp wp-config.php.swp wp-config.php.swo
+        wp-config.php_bak wp-config.bak wp-config.php.bak wp-config.save wp-config.old wp-config.php.old
+        wp-config.php.orig wp-config.orig wp-config.php.original wp-config.original wp-config.txt
       } # thanks to Feross.org for these
     end
 

lib/wpscan/wp_target/wp_custom_directories.rb

@@ -23,9 +23,9 @@ class WpTarget < WebSite
     # @return [ Boolean ]
     def default_wp_content_dir_exists?
       response = Browser.get(@uri.merge('wp-content').to_s)
-      hash = Digest::MD5.hexdigest(response.body)
 
       if WpTarget.valid_response_codes.include?(response.code)
+        hash = WebSite.page_hash(response)
         return true if hash != error_404_hash and hash != homepage_hash
       end
 

lib/wpscan/wp_target/wp_full_path_disclosure.rb

@@ -2,19 +2,21 @@
 
 class WpTarget < WebSite
   module WpFullPathDisclosure
-
     # Check for Full Path Disclosure (FPD)
     #
     # @return [ Boolean ]
     def has_full_path_disclosure?
-      response = Browser.get(full_path_disclosure_url())
-      response.body[%r{Fatal error}i] ? true : false
+      Browser.get(full_path_disclosure_url).body[%r/Fatal error/i] ? true : false
+    end
+
+    def full_path_disclosure_data
+      return nil unless has_full_path_disclosure?
+      Browser.get(full_path_disclosure_url).body[/Fatal error:.+? in (.+?) on/i, 1]
     end
 
     # @return [ String ]
     def full_path_disclosure_url
       @uri.merge('wp-includes/rss-functions.php').to_s
     end
-
   end
 end

lib/wpscan/wp_target/wp_login_protection.rb

@@ -8,7 +8,7 @@ class WpTarget < WebSite
     @login_protection_plugin = nil
 
     def has_login_protection?
-      !login_protection_plugin().nil?
+      !login_protection_plugin.nil?
     end
 
     # Checks if a login protection plugin is enabled
@@ -74,7 +74,7 @@ class WpTarget < WebSite
 
     # http://wordpress.org/extend/plugins/login-security-solution/
     def has_login_security_solution_protection?
-      Browser.get(login_security_solution_url()).code != 404
+      Browser.get(login_security_solution_url).code != 404
     end
 
     def login_security_solution_url
@@ -99,5 +99,12 @@ class WpTarget < WebSite
       plugin_url('bluetrait-event-viewer')
     end
 
+    # https://wordpress.org/plugins/security-protection/
+    def has_security_protection_protection?
+      Nokogiri::HTML(Browser.get(login_url).body).css('script').each do |node|
+        return true if node['src'] =~ /security-protection.js/i
+      end
+      false
+    end
   end
 end

lib/wpscan/wp_target/wp_must_use_plugins.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+
+class WpTarget < WebSite
+  module WpMustUsePlugins
+    # Checks to see if the must use plugin folder exists
+    #
+    # @return [ Boolean ]
+    def has_must_use_plugins?
+      response = Browser.get(must_use_url)
+
+      if response && [200, 401, 403].include?(response.code)
+        hash = WebSite.page_hash(response)
+        return true if hash != error_404_hash && hash != homepage_hash
+      end
+
+      false
+    end
+
+    # @return [ String ] The must use plugins directory URL
+    def must_use_url
+      @uri.merge("#{wp_content_dir}/mu-plugins/").to_s
+    end
+  end
+end

lib/wpscan/wp_target/wp_readme.rb

@@ -10,7 +10,7 @@ class WpTarget < WebSite
     #
     # @return [ Boolean ]
     def has_readme?
-      response = Browser.get(readme_url())
+      response = Browser.get(readme_url)
 
       unless response.code == 404
         return response.body =~ %r{wordpress}i ? true : false

lib/wpscan/wpscan_helper.rb

@@ -46,7 +46,7 @@ def usage
   puts '-Use custom plugins directory ...'
   puts "ruby #{script_name} -u www.example.com --wp-plugins-dir wp-content/custom-plugins"
   puts
-  puts '-Update ...'
+  puts '-Update the DB ...'
   puts "ruby #{script_name} --update"
   puts
   puts '-Debug output ...'
@@ -60,13 +60,12 @@ end
 def help
   puts 'Help :'
   puts
-  puts 'Some values are settable in conf/browser.conf.json :'
-  puts '  user-agent, proxy, proxy-auth, threads, cache timeout and request timeout'
+  puts 'Some values are settable in a config file, see the example.conf.json'
   puts
-  puts '--update   Update to the latest revision'
-  puts '--url   | -u <target url>  The WordPress URL/domain to scan.'
-  puts '--force | -f Forces WPScan to not check if the remote site is running WordPress.'
-  puts '--enumerate | -e [option(s)]  Enumeration.'
+  puts '--update                            Update to the database to the latest version.'
+  puts '--url       | -u <target url>       The WordPress URL/domain to scan.'
+  puts '--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.'
+  puts '--enumerate | -e [option(s)]        Enumeration.'
   puts '  option :'
   puts '    u        usernames from id 1 to 10'
   puts '    u[10-20] usernames from id 10 to 20 (you must write [] chars)'
@@ -80,27 +79,54 @@ def help
   puts '  Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins'
   puts '  If no option is supplied, the default is "vt,tt,u,vp"'
   puts
-  puts '--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied'
-  puts '                                             You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)'
-  puts '--config-file | -c <config file> Use the specified config file'
-  puts '--user-agent | -a <User-Agent> Use the specified User-Agent'
-  puts '--random-agent | -r Use a random User-Agent'
-  puts '--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
-  puts '--wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed'
-  puts '--wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
-  puts '--proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json).'
-  puts '                                 HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used'
-  puts '--proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).'
-  puts '--basic-auth <username:password>  Set the HTTP Basic authentication'
-  puts '--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.'
-  puts '--threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)'
-  puts '--username | -U <username>  Only brute force the supplied username.'
-  puts '--cache-ttl <cache-ttl>  Typhoeus cache TTL'
-  puts '--request-timeout <request-timeout>  Request Timeout'
-  puts '--connect-timeout <connect-timeout>  Connect Timeout'
-  puts '--max-threads <max-threads>  Maximum Threads'
-  puts '--help     | -h This help screen.'
-  puts '--verbose  | -v Verbose output.'
-  puts '--batch Never ask for user input, use the default behaviour.'
+  puts '--exclude-content-based "<regexp or string>"'
+  puts '                                    Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.'
+  puts '                                    You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).'
+  puts '--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.'
+  puts '--user-agent   | -a <User-Agent>    Use the specified User-Agent.'
+  puts '--cookie <String>                   String to read cookies from.'
+  puts '--random-agent | -r                 Use a random User-Agent.'
+  puts '--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not'
+  puts '--batch                             Never ask for user input, use the default behaviour.'
+  puts '--no-color                          Do not use colors in the output.'
+  puts '--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.'
+  puts '                                    Subdirectories are allowed.'
+  puts '--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.'
+  puts '                                    If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed'
+  puts '--proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.'
+  puts '                                    If no protocol is given (format host:port), HTTP will be used.'
+  puts '--proxy-auth <username:password>    Supply the proxy login credentials.'
+  puts '--basic-auth <username:password>    Set the HTTP Basic authentication.'
+  puts '--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.'
+  puts '--username | -U <username>          Only brute force the supplied username.'
+  puts '--usernames     <path-to-file>      Only brute force the usernames from the file.'
+  puts '--threads  | -t <number of threads> The number of threads to use when multi-threading requests.'
+  puts '--cache-ttl       <cache-ttl>       Typhoeus cache TTL.'
+  puts '--request-timeout <request-timeout> Request Timeout.'
+  puts '--connect-timeout <connect-timeout> Connect Timeout.'
+  puts '--max-threads     <max-threads>     Maximum Threads.'
+  puts '--throttle        <milliseconds>    Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.'
+  puts '--help     | -h                     This help screen.'
+  puts '--verbose  | -v                     Verbose output.'
+  puts '--version                           Output the current version and exit.'
   puts
 end
+
+# Hook to check if the target if down during the scan
+# And have the number of requests performed to display at the end of the scan
+# The target is considered down after 30 requests with status = 0
+down                 = 0
+@total_requests_done = 0
+
+Typhoeus.on_complete do |response|
+  next if response.cached?
+
+  down += 1 if response.code == 0
+  @total_requests_done += 1
+
+  fail 'The target seems to be down' if down >= 30
+
+  next unless Browser.instance.throttle > 0
+
+  sleep(Browser.instance.throttle)
+end

lib/wpscan/wpscan_options.rb

@@ -1,7 +1,6 @@
 # encoding: UTF-8
 
 class WpscanOptions
-
   ACCESSOR_OPTIONS = [
     :batch,
     :enumerate_plugins,
@@ -13,21 +12,26 @@ class WpscanOptions
     :enumerate_timthumbs,
     :enumerate_usernames,
     :enumerate_usernames_range,
+    :no_color,
+    :log,
     :proxy,
     :proxy_auth,
     :threads,
     :url,
+    :vhost,
     :wordlist,
     :force,
     :update,
     :verbose,
     :username,
+    :usernames,
     :password,
     :follow_redirection,
     :wp_content_dir,
     :wp_plugins_dir,
     :help,
     :config_file,
+    :cookie,
     :exclude_content_based,
     :basic_auth,
     :debug_output,
@@ -37,7 +41,9 @@ class WpscanOptions
     :cache_ttl,
     :request_timeout,
     :connect_timeout,
-    :max_threads
+    :max_threads,
+    :no_banner,
+    :throttle
   ]
 
   attr_accessor *ACCESSOR_OPTIONS
@@ -49,11 +55,17 @@ class WpscanOptions
   end
 
   def url=(url)
-    raise 'Empty URL given' if !url
+    raise  Exception.new('Empty URL given') if url.nil? || url == ''
+
+    url = Addressable::URI.parse(url).normalize.to_s unless url.ascii_only?
 
     @url = URI.parse(add_http_protocol(url)).to_s
   end
 
+  def vhost=(vhost)
+    @vhost = vhost
+  end
+
   def threads=(threads)
     @threads = threads.is_a?(Integer) ? threads : threads.to_i
   end
@@ -66,6 +78,12 @@ class WpscanOptions
     end
   end
 
+  def usernames=(file)
+    fail "The file #{file} does not exist" unless File.exists?(file)
+
+    @usernames = file
+  end
+
   def proxy=(proxy)
     if proxy.index(':') == nil
       raise 'Invalid proxy format. Should be host:port.'
@@ -233,8 +251,10 @@ class WpscanOptions
   def self.get_opt_long
     GetoptLong.new(
       ['--url', '-u', GetoptLong::REQUIRED_ARGUMENT],
+      ['--vhost',GetoptLong::OPTIONAL_ARGUMENT],
       ['--enumerate', '-e', GetoptLong::OPTIONAL_ARGUMENT],
       ['--username', '-U', GetoptLong::REQUIRED_ARGUMENT],
+      ['--usernames', GetoptLong::REQUIRED_ARGUMENT],
       ['--wordlist', '-w', GetoptLong::REQUIRED_ARGUMENT],
       ['--threads', '-t', GetoptLong::REQUIRED_ARGUMENT],
       ['--force', '-f', GetoptLong::NO_ARGUMENT],
@@ -257,7 +277,12 @@ class WpscanOptions
       ['--request-timeout', GetoptLong::REQUIRED_ARGUMENT],
       ['--connect-timeout', GetoptLong::REQUIRED_ARGUMENT],
       ['--max-threads', GetoptLong::REQUIRED_ARGUMENT],
-      ['--batch', GetoptLong::NO_ARGUMENT]
+      ['--batch', GetoptLong::NO_ARGUMENT],
+      ['--no-color', GetoptLong::NO_ARGUMENT],
+      ['--cookie', GetoptLong::REQUIRED_ARGUMENT],
+      ['--log', GetoptLong::NO_ARGUMENT],
+      ['--no-banner', GetoptLong::NO_ARGUMENT],
+      ['--throttle', GetoptLong::REQUIRED_ARGUMENT]
     )
   end
 

lib/wpstools/plugins/checker/checker_plugin.rb

@@ -1,129 +0,0 @@
-# encoding: UTF-8
-
-class CheckerPlugin < Plugin
-
-  def initialize
-    super(author: 'WPScanTeam - @erwanlr')
-
-    register_options(
-      ['--check-vuln-ref-urls', '--cvru', 'Check all the vulnerabilities reference urls for 404'],
-      ['--check-local-vulnerable-files LOCAL_DIRECTORY', '--clvf', 'Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells']
-    )
-  end
-
-  def run(options = {})
-    if options[:check_vuln_ref_urls]
-      check_vuln_ref_urls
-    end
-
-    if options[:check_local_vulnerable_files]
-      check_local_vulnerable_files(options[:check_local_vulnerable_files])
-    end
-  end
-
-  def check_vuln_ref_urls
-    vuln_ref_files   = [PLUGINS_VULNS_FILE, THEMES_VULNS_FILE, WP_VULNS_FILE]
-    error_codes      = [404, 500, 403]
-    not_found_regexp = %r{No Results Found|error 404|ID Invalid or Not Found}i
-
-    puts '[+] Checking vulnerabilities reference urls'
-
-    vuln_ref_files.each do |vuln_ref_file|
-      xml = xml(vuln_ref_file)
-
-      urls = []
-      xml.xpath('//references/url').each { |node| urls << node.text }
-
-      urls.uniq!
-
-      puts "[!] No URLs found in #{vuln_ref_file}!" if urls.empty?
-
-      dead_urls       = []
-      queue_count     = 0
-      request_count   = 0
-      browser         = Browser.instance
-      hydra           = browser.hydra
-      number_of_urls  = urls.size
-
-      urls.each do |url|
-        request = browser.forge_request(url, { cache_ttl: 0, followlocation: true })
-        request_count += 1
-
-        request.on_complete do |response|
-          print "\r  [+] Checking #{vuln_ref_file} #{number_of_urls} total ... #{(request_count * 100) / number_of_urls}% complete."
-
-          if error_codes.include?(response.code) or not_found_regexp.match(response.body)
-            dead_urls << url
-          end
-        end
-
-        hydra.queue(request)
-        queue_count += 1
-
-        if queue_count == browser.max_threads
-          hydra.run
-          queue_count = 0
-        end
-      end
-
-      hydra.run
-      puts
-      unless dead_urls.empty?
-        dead_urls.each { |url| puts "    Not Found #{url}" }
-      end
-    end
-  end
-
-  def check_local_vulnerable_files(dir_to_scan)
-    if Dir::exist?(dir_to_scan)
-      xml_file               = LOCAL_FILES_FILE
-      local_hashes           = {}
-      file_extension_to_scan = '*.{js,php,swf,html,htm}'
-
-      print '[+] Generating local hashes ... '
-
-      Dir[File::join(dir_to_scan, '**', file_extension_to_scan)].each do |filename|
-        sha1sum = Digest::SHA1.file(filename).hexdigest
-
-        if local_hashes.has_key?(sha1sum)
-          local_hashes[sha1sum] << filename
-        else
-          local_hashes[sha1sum] = [filename]
-        end
-      end
-
-      puts 'done.'
-
-      puts '[+] Checking for vulnerable files ...'
-
-      xml = xml(xml_file)
-
-      xml.xpath('//hash').each do |node|
-        sha1sum = node.attribute('sha1').text
-
-        if local_hashes.has_key?(sha1sum)
-          local_filenames = local_hashes[sha1sum]
-          vuln_title      = node.search('title').text
-          vuln_filename   = node.search('file').text
-          vuln_refrence   = node.search('reference').text
-
-          puts "  #{vuln_filename} found :"
-          puts '  | Location(s):'
-          local_filenames.each do |file|
-            puts "  |  - #{file}"
-          end
-          puts '  |'
-          puts "  | Title: #{vuln_title}"
-          puts "  | Refrence: #{vuln_refrence}" if !vuln_refrence.empty?
-          puts
-        end
-      end
-
-      puts 'done.'
-
-    else
-      puts "The supplied directory '#{dir_to_scan}' does not exist"
-    end
-  end
-
-end

lib/wpstools/plugins/checker/checker_spelling.rb

@@ -1,91 +0,0 @@
-# encoding: UTF-8
-
-class CheckerSpelling < Plugin
-
-  def initialize
-    super(author: 'WPScanTeam - @ethicalhack3r')
-
-    register_options(['--spellcheck', '--sc', 'Check all files for common spelling mistakes.'])
-  end
-
-  def run(options = {})
-    spellcheck if options[:spellcheck]
-  end
-
-  def spellcheck
-    mistakes = 0
-
-    puts '[+] Checking for spelling mistakes'
-    puts
-
-    files.each do |file_name|
-      if File.exists?(file_name)
-        file = File.open(file_name, 'r')
-
-        misspellings.each_key do |misspelling|
-          begin
-            file.read.scan(/#{misspelling}/).each do |match|
-              mistakes += 1
-              puts "[MISSPELLING] File: #{file_name} Bad: #{match} Good: #{misspellings[misspelling]}"
-            end
-          rescue => e
-            puts "Error in #{file_name} #{e}"
-            next
-          end
-        end
-
-        file.close
-      end
-    end
-
-    puts
-    puts "[+] Found #{mistakes} spelling mistakes"
-
-    mistakes
-  end
-
-  def misspellings
-    {
-      /databse/i    => 'database',
-      /whith/i      => 'with',
-      /wich/i       => 'which',
-      /verions/i    => 'versions',
-      /vulnerabilitiy/i => 'vulnerability',
-      /unkown/i     => 'unknown',
-      /recieved/i   => 'received',
-      /acheive/i    => 'achieve',
-      /wierd/i      => 'weird',
-      /untill/i     => 'until',
-      /alot/i       => 'a lot',
-      /randomstorm/ => 'RandomStorm',
-      /wpscan/      => 'WPScan',
-      /Wordpress/   => 'WordPress'
-    }
-  end
-
-  def files
-    files = Dir['**/*'].reject {|fn| File.directory?(fn) }
-
-    ignore.each do |ignore|
-      files.delete_if { |data| data.match(ignore) }
-    end
-
-    files
-  end
-
-  def ignore
-    ignore = []
-
-    ignore << File.basename(__FILE__)
-    ignore << 'spec/cache/'
-    ignore << 'spec/spec_session/'
-    ignore << 'cache/'
-    ignore << 'coverage/'
-    ignore << 'wordlist-iso-8859-1'
-    ignore << 'log.txt'
-    ignore << 'debug.log'
-    ignore << 'wordlist.txt'
-
-    ignore
-  end
-end

lib/wpstools/plugins/list_generator/generate_list.rb

@@ -1,104 +0,0 @@
-# encoding: UTF-8
-
-# This tool generates a list to use for plugin and theme enumeration
-class GenerateList
-
-  attr_accessor :verbose
-
-  # type = themes | plugins
-  def initialize(type, verbose)
-    if type =~ /plugins/i
-      @type           = 'plugin'
-      @svn_url        = 'http://plugins.svn.wordpress.org/'
-      @popular_url    = 'http://wordpress.org/plugins/browse/popular/'
-      @popular_regex  = %r{<h3><a href="http://wordpress.org/plugins/([^/]+)/">.+</a></h3>}i
-    elsif type =~ /themes/i
-      @type           = 'theme'
-      @svn_url        = 'http://themes.svn.wordpress.org/'
-      @popular_url    = 'http://wordpress.org/themes/browse/popular/'
-      @popular_regex  = %r{<h3><a href="http://wordpress.org/themes/([^/]+)">.+</a></h3>}i
-    else
-      raise "Type #{type} not defined"
-    end
-    @verbose  = verbose
-    @browser  = Browser.instance(request_timeout: 20000, connect_timeout: 20000, max_threads: 1, cache_ttl: 0)
-  end
-
-  def set_file_name(type)
-    case @type
-    when 'plugin'
-      case type
-      when :full
-        @file_name = PLUGINS_FULL_FILE
-      when :popular
-        @file_name = PLUGINS_FILE
-      else
-        raise 'Unknown type'
-      end
-    when 'theme'
-      case type
-      when :full
-        @file_name = THEMES_FULL_FILE
-      when :popular
-        @file_name = THEMES_FILE
-      else
-        raise 'Unknown type'
-      end
-      else
-        raise "Unknown type #@type"
-    end
-  end
-
-  def generate_full_list
-    set_file_name(:full)
-    items = SvnParser.new(@svn_url).parse
-    save items
-  end
-
-  def generate_popular_list(pages)
-    set_file_name(:popular)
-    items = get_popular_items(pages)
-    save items
-  end
-
-  # Send a HTTP request to the WordPress most popular theme or plugin webpage
-  # parse the response for the names.
-  def get_popular_items(pages)
-    found_items = []
-    page_count = 1
-
-    (1...(pages.to_i + 1)).each do |page|
-      # First page has another URL
-      url = (page == 1) ? @popular_url : @popular_url + 'page/' + page.to_s + '/'
-      puts "[+] Parsing page #{page_count}" if @verbose
-      code = 0
-      while code != 200
-        puts red("[!] Retrying request for page #{page} (Code: #{code})") unless code == 0
-        request = @browser.forge_request(url)
-        response = request.run
-        code = response.code
-        sleep(5) unless code == 200
-      end
-      page_count += 1
-      found = 0
-      response.body.scan(@popular_regex).each do |item|
-        found_items << item[0]
-        found = found + 1
-      end
-      puts "[+] Found #{found} items on page #{page}" if @verbose
-    end
-
-    found_items.sort!
-    found_items.uniq
-  end
-
-  # Save the file
-  def save(items)
-    items.sort!
-    items.uniq!
-    puts "[*] We have parsed #{items.length} #{@type}s"
-    File.open(@file_name, 'w') { |f| f.puts(items) }
-    puts "New #@file_name file created"
-  end
-
-end

lib/wpstools/plugins/list_generator/list_generator_plugin.rb

@@ -1,53 +0,0 @@
-# encoding: UTF-8
-
-class ListGeneratorPlugin < Plugin
-
-  def initialize
-    super(author: 'WPScanTeam - @FireFart')
-
-    register_options(
-      ['--generate-plugin-list [NUMBER_OF_PAGES]', '--gpl', Integer, 'Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)'],
-      ['--generate-full-plugin-list', '--gfpl', 'Generate a new full data/plugins.txt file'],
-
-      ['--generate-theme-list [NUMBER_OF_PAGES]', '--gtl', Integer, 'Generate a new data/themes.txt file. (supply number of *pages* to parse, default : 20)'],
-      ['--generate-full-theme-list', '--gftl', 'Generate a new full data/themes.txt file'],
-
-      ['--generate-all', '--ga', 'Generate a new full plugins, full themes, popular plugins and popular themes list']
-    )
-  end
-
-  def run(options = {})
-    @verbose     = options[:verbose] || false
-    generate_all = options[:generate_all] || false
-
-    if options.has_key?(:generate_plugin_list) || generate_all
-      most_popular('plugin', options[:generate_plugin_list] || 150)
-    end
-
-    if options[:generate_full_plugin_list] || generate_all
-      full('plugin')
-    end
-
-    if options.has_key?(:generate_theme_list) || generate_all
-      most_popular('theme', options[:generate_theme_list] || 20)
-    end
-
-    if options[:generate_full_theme_list] || generate_all
-      full('theme')
-    end
-  end
-
-  private
-
-  def most_popular(type, number_of_pages)
-    puts "[+] Generating new most popular #{type} list"
-    puts
-    GenerateList.new(type + 's', @verbose).generate_popular_list(number_of_pages)
-  end
-
-  def full(type)
-    puts "[+] Generating new full #{type} list"
-    puts
-    GenerateList.new(type + 's', @verbose).generate_full_list
-  end
-end

lib/wpstools/plugins/list_generator/svn_parser.rb

@@ -1,31 +0,0 @@
-# encoding: UTF-8
-
-# This Class Parses SVN Repositories via HTTP
-class SvnParser
-
-  attr_accessor :verbose, :svn_root, :keep_empty_dirs
-
-  def initialize(svn_root)
-    @svn_root    = svn_root
-  end
-
-  def parse
-    get_root_directories
-  end
-
-  #Private methods start here
-  private
-
-  # Gets all directories in the SVN root
-  def get_root_directories
-    dirs      = []
-    rootindex = Browser.get(@svn_root).body
-
-    rootindex.scan(%r{<li><a href=".+">(.+)/</a></li>}i).each do |dir|
-      dirs << dir[0]
-    end
-
-    dirs.sort!
-    dirs.uniq
-  end
-end

lib/wpstools/plugins/stats/stats_plugin.rb

@@ -1,81 +0,0 @@
-# encoding: UTF-8
-
-class StatsPlugin < Plugin
-
-  def initialize
-    super(author: 'WPScanTeam - Christian Mehlmauer')
-
-    register_options(
-        ['--stats', '--s', 'Show WpScan Database statistics']
-    )
-  end
-
-  def run(options = {})
-    if options[:stats]
-      date_wp = File.mtime(WP_VULNS_FILE)
-      date_plugins = File.mtime(PLUGINS_VULNS_FILE)
-      date_themes = File.mtime(THEMES_VULNS_FILE)
-      date_plugins_full = File.mtime(PLUGINS_FULL_FILE)
-      date_themes_full = File.mtime(THEMES_FULL_FILE)
-
-      puts "WPScan Database Statistics:"
-      puts "---------------------------"
-      puts
-      puts "[#] Total vulnerable versions: #{vuln_core_count}"
-      puts "[#] Total vulnerable plugins:  #{vuln_plugin_count}"
-      puts "[#] Total vulnerable themes:   #{vuln_theme_count}"
-      puts
-      puts "[#] Total version vulnerabilities: #{version_vulns_count}"
-      puts "[#] Total plugin vulnerabilities:  #{plugin_vulns_count}"
-      puts "[#] Total theme vulnerabilities:   #{theme_vulns_count}"
-      puts
-      puts "[#] Total plugins to enumerate:  #{total_plugins}"
-      puts "[#] Total themes to enumerate:   #{total_themes}"
-      puts
-      puts "[+] WordPress DB modified: #{date_wp.strftime('%Y-%m-%d %H:%M:%S')}"
-      puts "[+] Plugins DB modified:   #{date_plugins.strftime('%Y-%m-%d %H:%M:%S')}"
-      puts "[+] Themes DB modified:    #{date_themes.strftime('%Y-%m-%d %H:%M:%S')}"
-      puts "[+] Enumeration plugins:   #{date_plugins_full.strftime('%Y-%m-%d %H:%M:%S')}"
-      puts "[+] Enumeration themes:    #{date_themes_full.strftime('%Y-%m-%d %H:%M:%S')}"
-      puts
-      puts "[+] Report generated:      #{Time.now.strftime('%Y-%m-%d %H:%M:%S')}"
-    end
-  end
-
-  def vuln_core_count(file=WP_VULNS_FILE)
-    xml(file).xpath('count(//wordpress)').to_i
-  end
-
-  def vuln_plugin_count(file=PLUGINS_VULNS_FILE)
-    xml(file).xpath('count(//plugin)').to_i
-  end
-
-  def vuln_theme_count(file=THEMES_VULNS_FILE)
-    xml(file).xpath('count(//theme)').to_i
-  end
-
-  def version_vulns_count(file=WP_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
-  end
-
-  def plugin_vulns_count(file=PLUGINS_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
-  end
-
-  def theme_vulns_count(file=THEMES_VULNS_FILE)
-    xml(file).xpath('count(//vulnerability)').to_i
-  end
-
-  def total_plugins(file=PLUGINS_FULL_FILE)
-    lines_in_file(file)
-  end
-
-  def total_themes(file=THEMES_FULL_FILE)
-    lines_in_file(file)
-  end
-
-  def lines_in_file(file)
-    IO.readlines(file).size
-  end
-
-end

lib/wpstools/wpstools_helper.rb

@@ -1,35 +0,0 @@
-# encoding: UTF-8
-
-require File.expand_path(File.dirname(__FILE__) + '/../common/common_helper')
-
-require_files_from_directory(WPSTOOLS_LIB_DIR)
-require_files_from_directory(WPSTOOLS_PLUGINS_DIR, '**/*.rb')
-
-def usage
-  script_name = $0
-  puts
-  puts '-h for further help.'
-  puts
-  puts 'Examples:'
-  puts
-  puts "- Generate a new 'most popular' plugin list, up to 150 pages ..."
-  puts "ruby #{script_name} --generate-plugin-list 150"
-  puts
-  puts '- Generate a new full plugin list'
-  puts "ruby #{script_name} --generate-full-plugin-list"
-  puts
-  puts "- Generate a new 'most popular' theme list, up to 150 pages ..."
-  puts "ruby #{script_name} --generate-theme-list 150"
-  puts
-  puts '- Generate a new full theme list'
-  puts "ruby #{script_name} --generate-full-theme-list"
-  puts
-  puts '- Generate all list'
-  puts "ruby #{script_name} --generate-all"
-  puts
-  puts 'Locally scan a wordpress installation for vulnerable files or shells'
-  puts "ruby #{script_name} --check-local-vulnerable-files /var/www/wordpress/"
-  puts
-  puts 'See README for further information.'
-  puts
-end

spec/lib/common/browser_spec.rb

@@ -25,7 +25,7 @@ describe Browser do
     json_expected_vars['max_threads'] ||= 20 # max_thread can not be nil
 
     instance_vars_to_check.each do |variable_name|
-      browser.send(:"#{variable_name}").should === json_expected_vars[variable_name]
+      expect(browser.send(:"#{variable_name}")).to be === json_expected_vars[variable_name]
     end
   end
 
@@ -50,7 +50,7 @@ describe Browser do
       let(:cache_dir) { CACHE_DIR + '/somewhere' }
       let(:options) { { cache_dir: cache_dir } }
 
-      after { subject.cache_dir.should == cache_dir }
+      after { expect(subject.cache_dir).to eq cache_dir }
 
       it 'sets @cache_dir' do
         @json_expected_vars = json_config_without_proxy
@@ -64,7 +64,7 @@ describe Browser do
 
       it 'raises an error' do
         File.symlink('./testfile', config_file)
-        expect { browser.load_config(config_file) }.to raise_error("[ERROR] Config file is a symlink.")
+        expect { browser.load_config(config_file) }.to raise_error('[ERROR] Config file is a symlink.')
         File.unlink(config_file)
       end
     end
@@ -84,11 +84,11 @@ describe Browser do
 
   describe '::append_params_header_field' do
     after :each do
-      Browser.append_params_header_field(
+      expect(Browser.append_params_header_field(
         @params,
         @field,
         @field_value
-      ).should === @expected
+      )).to be === @expected
     end
 
     context 'when there is no headers' do
@@ -130,7 +130,7 @@ describe Browser do
         headers: { 'User-Agent' => 'SomeUA' },
         ssl_verifypeer: false, ssl_verifyhost: 0,
         cookiejar: cookie_jar, cookiefile: cookie_jar,
-        timeout: 2000, connecttimeout: 1000,
+        timeout: 60, connecttimeout: 10,
         maxredirs: 3,
         referer: nil
       }
@@ -140,14 +140,13 @@ describe Browser do
       browser.user_agent = 'SomeUA'
       browser.cache_ttl = 250
 
-      browser.merge_request_params(params).should == @expected
+      expect(browser.merge_request_params(params)).to eq @expected
     end
 
     it 'sets the User-Agent header field and cache_ttl' do
       @expected = default_expectation
     end
 
-
     context 'when @proxy' do
       let(:proxy) { '127.0.0.1:9050' }
       let(:proxy_expectation) { default_expectation.merge(proxy: proxy) }
@@ -166,11 +165,19 @@ describe Browser do
       end
     end
 
+    context 'when @request_timeout' do
+      it 'gives an Integer' do
+        browser.request_timeout = '10'
+
+        @expected = default_expectation.merge(timeout: 10)
+      end
+    end
+
     context 'when @basic_auth' do
       it 'appends the basic_auth' do
         browser.basic_auth  = 'user:pass'
         @expected           = default_expectation.merge(
-          headers: default_expectation[:headers].merge('Authorization' => 'Basic '+Base64.encode64('user:pass').chomp)
+          headers: default_expectation[:headers].merge('Authorization' => 'Basic ' + Base64.encode64('user:pass').chomp)
         )
       end
     end
@@ -190,18 +197,27 @@ describe Browser do
         @expected = default_expectation.merge(params)
       end
     end
+
+    context 'when @cookie' do
+      let(:cookie) { 'foor=bar;bar=foo' }
+      before       { browser.cookie = cookie }
+
+      it 'sets the cookie' do
+        @expected = default_expectation.merge(cookie: cookie)
+      end
+    end
   end
 
   describe '#forge_request' do
     let(:url) { 'http://example.localhost' }
 
     it 'returns the correct Typhoeus::Request' do
-      subject.stub(merge_request_params: { cache_ttl: 10 })
+      allow(subject).to receive_messages(merge_request_params: { cache_ttl: 10 })
 
       request = subject.forge_request(url)
-      request.should be_a Typhoeus::Request
-      request.url.should == url
-      request.cache_ttl.should == 10
+      expect(request).to be_a Typhoeus::Request
+      expect(request.url).to eq url
+      expect(request.cache_ttl).to eq 10
     end
 
   end
@@ -216,7 +232,7 @@ describe Browser do
       response1 = Browser.get(url)
       response2 = Browser.get(url)
 
-      response1.body.should == response2.body
+      expect(response1.body).to eq response2.body
       #WebMock.should have_requested(:get, url).times(1) # This one fail, dunno why :s (but it works without mock)
     end
   end

spec/lib/common/cache_file_store_spec.rb

@@ -17,33 +17,50 @@ describe CacheFileStore do
 
   describe '#storage_path' do
     it 'returns the storage path given in the #new' do
-      @cache.storage_path.should match(/#{cache_dir}/)
+      expect(@cache.storage_path).to match(/#{cache_dir}/)
     end
   end
 
   describe '#serializer' do
     it 'should return the default serializer : Marshal' do
-      @cache.serializer.should     == Marshal
-      @cache.serializer.should_not == YAML
+      expect(@cache.serializer).to     eq Marshal
+      expect(@cache.serializer).not_to eq YAML
     end
   end
 
   describe '#clean' do
     it "should remove all files from the cache dir (#{@cache_dir}" do
-      # let's create some files into the directory first
-      (0..5).each do |i|
-        File.new(@cache.storage_path + "/file_#{i}.txt", File::CREAT)
-      end
-
-      count_files_in_dir(@cache.storage_path, 'file_*.txt').should == 6
+      # clean is executed by other tests before
+      before = count_files_in_dir(@cache.cache_dir)
+      test_dir = File.expand_path("#{@cache.cache_dir}/test")
+      Dir.mkdir test_dir
+      #change the modification date
+      %x[ touch -t 200701310846.26 #{test_dir} ]
+      expect(count_files_in_dir(@cache.cache_dir)).to eq (before + 1)
       @cache.clean
-      count_files_in_dir(@cache.storage_path).should == 0
+      expect(count_files_in_dir(@cache.cache_dir)).to eq before
     end
   end
 
-  describe '#read_entry (nonexistent entry)' do
-    it 'should return nil' do
-      @cache.read_entry(Digest::SHA1.hexdigest('hello world')).should be_nil
+  describe '#read_entry' do
+    after { expect(@cache.read_entry(key)).to eq @expected }
+
+    context 'when the entry does not exist' do
+      let(:key) { Digest::SHA1.hexdigest('hello world') }
+
+      it 'should return nil' do
+        @expected = nil
+      end
+    end
+
+    context 'when the file exist but is empty (marshal data too short error)' do
+      let(:key) { 'empty-file' }
+
+      it 'returns nil' do
+        File.new(File.join(@cache.storage_path, key), File::CREAT)
+
+        @expected = nil
+      end
     end
   end
 
@@ -51,7 +68,7 @@ describe CacheFileStore do
 
     after :each do
       @cache.write_entry(@key, @data, @timeout)
-      @cache.read_entry(@key).should === @expected
+      expect(@cache.read_entry(@key)).to be === @expected
     end
 
     it 'should get the correct entry (string)' do
@@ -75,11 +92,11 @@ describe CacheFileStore do
     it 'should create a unique storage dir' do
       storage_dirs = []
 
-      (1..5).each do |i|
+      (1..5).each do |_|
         storage_dirs << CacheFileStore.new(cache_dir).storage_path
       end
 
-      storage_dirs.uniq.size.should == 5
+      expect(storage_dirs.uniq.size).to eq 5
     end
   end
 end

spec/lib/common/collections/wp_items_spec.rb

@@ -10,20 +10,15 @@ describe WpItems do
 
     let(:expected) do
       {
-        request_params:                 { cache_ttl: 0, followlocation: true },
-        targets_items_from_file:        [ WpItem.new(uri, name: 'item1'),
-                                          WpItem.new(uri, name:'item-2'),
-                                          WpItem.new(uri, name: 'mr-smith')],
+        request_params:           { cache_ttl: 0, followlocation: true },
+        targets_items_from_file:  [ WpItem.new(uri, name: 'item1'),
+                                    WpItem.new(uri, name: 'item-2'),
+                                    WpItem.new(uri, name: 'mr-smith')],
 
-        vulnerable_targets_items:       [ WpItem.new(uri, name: 'mr-smith'),
-                                          WpItem.new(uri, name: 'neo')],
+        vulnerable_targets_items: [ WpItem.new(uri, name: 'mr-smith'),
+                                    WpItem.new(uri, name: 'neo')],
 
-        passive_detection: WpItems.new << WpItem.new(uri, name: 'js-source') <<
-                                          WpItem.new(uri, name: 'escaped-url') <<
-                                          WpItem.new(uri, name: 'link-tag') <<
-                                          WpItem.new(uri, name: 'script-tag') <<
-                                          WpItem.new(uri, name: 'style-tag') <<
-                                          WpItem.new(uri, name: 'style-tag-import')
+        passive_detection: (1..13).reduce(WpItems.new) { |o, i| o << WpItem.new(uri, name: "detect-me-#{i}") }
       }
     end
   end

spec/lib/common/collections/wp_plugins/detectable_spec.rb

@@ -15,7 +15,7 @@ describe 'WpPlugins::Detectable' do
     context 'when no header' do
       it 'returns an empty WpPlugins' do
         stub_request(:get, url).to_return(status: 200)
-        subject.send(:from_header, wp_target).should == subject.new
+        expect(subject.send(:from_header, wp_target)).to eq subject.new
       end
     end
 
@@ -25,7 +25,7 @@ describe 'WpPlugins::Detectable' do
 
       after :each do
         stub_request(:get, url).to_return(status: 200, headers: headers, body: '')
-        subject.send(:from_header, wp_target).should == expected
+        expect(subject.send(:from_header, wp_target)).to eq expected
       end
 
       context 'when w3-total-cache detected' do
@@ -66,7 +66,7 @@ describe 'WpPlugins::Detectable' do
     context 'when no body' do
       it 'returns an empty WpPlugins' do
         stub_request(:get, url).to_return(status: 200, body: '')
-        subject.send(:from_content, wp_target).should == subject.new
+        expect(subject.send(:from_content, wp_target)).to eq subject.new
       end
     end
 
@@ -77,7 +77,7 @@ describe 'WpPlugins::Detectable' do
       after :each do
         stub_request(:get, url).to_return(status: 200, body: @body)
         stub_request(:get, /readme\.txt/i).to_return(status: 404)
-        subject.send(:from_content, wp_target).should == expected
+        expect(subject.send(:from_content, wp_target)).to eq expected
       end
 
       context 'when w3 total cache detected' do

spec/lib/common/collections/wp_plugins_spec.rb

@@ -11,7 +11,7 @@ describe WpPlugins do
     let(:expected) do
       {
         request_params:                   { cache_ttl: 0, followlocation: true },
-        vulns_file:                       PLUGINS_VULNS_FILE,
+        vulns_file:                       PLUGINS_FILE,
         targets_items_from_file:          [ WpPlugin.new(uri, name: 'plugin1'),
                                             WpPlugin.new(uri, name:'plugin-2'),
                                             WpPlugin.new(uri, name: 'mr-smith')],
@@ -19,8 +19,7 @@ describe WpPlugins do
         vulnerable_targets_items:         [ WpPlugin.new(uri, name: 'mr-smith'),
                                             WpPlugin.new(uri, name: 'neo')],
 
-        passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'js-source') <<
-                                            WpPlugin.new(uri, name: 'escaped-url') <<
+        passive_detection: WpPlugins.new << WpPlugin.new(uri, name: 'escaped-url') <<
                                             WpPlugin.new(uri, name: 'link-tag') <<
                                             WpPlugin.new(uri, name: 'script-tag') <<
                                             WpPlugin.new(uri, name: 'style-tag') <<

spec/lib/common/collections/wp_themes_spec.rb

@@ -13,7 +13,7 @@ describe WpThemes do
     let(:expected) do
       {
         request_params:                  { cache_ttl: 0, followlocation: true },
-        vulns_file:                      THEMES_VULNS_FILE,
+        vulns_file:                      THEMES_FILE,
         targets_items_from_file:         [ WpTheme.new(uri, name: '3colours'),
                                            WpTheme.new(uri, name:'42k'),
                                            WpTheme.new(uri, name: 'a-ri')],

spec/lib/common/collections/wp_timthumbs/detectable_spec.rb

@@ -38,7 +38,7 @@ describe 'WpTimthumbs::Detectable' do
 
   describe '::passive_detection' do
     it 'returns an empty WpTimthumbs' do
-      subject.passive_detection(wp_target).should == subject.new
+      expect(subject.passive_detection(wp_target)).to eq subject.new
     end
   end
 
@@ -46,7 +46,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items_from_file, file, wp_target)
 
-      targets.map { |t| t.url }.should == @expected.map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq @expected.map { |t| t.url }
     end
 
     context 'when an empty file' do
@@ -71,7 +71,7 @@ describe 'WpTimthumbs::Detectable' do
       theme   = 'hello-world'
       targets = subject.send(:theme_timthumbs, theme, wp_target)
 
-      targets.map { |t| t.url }.should == expected_targets_from_theme(theme).map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq expected_targets_from_theme(theme).map { |t| t.url }
     end
   end
 
@@ -81,7 +81,7 @@ describe 'WpTimthumbs::Detectable' do
     after do
       targets = subject.send(:targets_items, wp_target, options)
 
-      targets.map { |t| t.url }.should == @expected.sort.map { |t| t.url }
+      expect(targets.map { |t| t.url }).to eq @expected.sort.map { |t| t.url }
     end
 
     context 'when no :theme_name' do

spec/lib/common/collections/wp_users/detectable_spec.rb

@@ -22,13 +22,13 @@ describe 'WpUsers::Detectable' do
 
   describe '::request_params' do
     it 'return an empty Hash' do
-      subject.request_params.should === {}
+      expect(subject.request_params).to be === {}
     end
   end
 
   describe '::passive_detection' do
     it 'return an empty WpUsers' do
-      subject.passive_detection(wp_target).should == subject.new
+      expect(subject.passive_detection(wp_target)).to eq subject.new
     end
   end
 
@@ -36,7 +36,7 @@ describe 'WpUsers::Detectable' do
     after do
       targets = subject.send(:targets_items, wp_target, options)
 
-      targets.should == @expected
+      expect(targets).to eq @expected
     end
 
     context 'when no :range' do