garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: garfield:v3.8.10
Branches Tags
garfield:master garfield:dependabot/bundler/rubocop-tw-1.59.0 garfield:dfs garfield:fix/handle-invalid-wp-json-response garfield:fix/non-latin-character-slugs garfield:dependabot/bundler/rubocop-performance-tw-1.19.1 garfield:dependabot/github_actions/docker/login-action-3.0.0 garfield:dependabot/github_actions/docker/setup-qemu-action-3 garfield:dependabot/github_actions/docker/build-push-action-5 garfield:dependabot/github_actions/docker/setup-buildx-action-3 garfield:fix/gem-push garfield:revert-1757-master garfield:dependabot/bundler/simplecov-tw-0.22.0 garfield:gh-pages garfield:3.9.0 garfield:v2 garfield:plugin-backup-folder
garfield:v3.8.25 garfield:v3.8.24 garfield:v3.8.23 garfield:v3.8.22 garfield:v3.8.21 garfield:v3.8.20 garfield:v3.8.19 garfield:v3.8.18 garfield:v3.8.17 garfield:v3.8.16 garfield:v3.8.15 garfield:v3.8.14 garfield:v3.8.13 garfield:v3.8.12 garfield:v3.8.11 garfield:v3.8.10 garfield:v3.8.9 garfield:v3.8.8 garfield:v3.8.7 garfield:v3.8.6 garfield:v3.8.5 garfield:v3.8.4 garfield:v3.8.3 garfield:v3.8.2 garfield:v3.8.1 garfield:v3.8.0 garfield:v3.7.11 garfield:v3.7.10 garfield:v3.7.9 garfield:v3.7.8 garfield:v3.7.7 garfield:v3.7.6 garfield:v3.7.5 garfield:v3.7.4 garfield:v3.7.3 garfield:v3.7.2 garfield:v3.7.1 garfield:v3.7.0 garfield:v3.6.3 garfield:v3.6.2 garfield:v3.6.1 garfield:v3.6.0 garfield:v3.5.5 garfield:v3.5.4 garfield:v3.5.3 garfield:v3.5.2 garfield:v3.5.1 garfield:v3.5.0 garfield:v3.4.5 garfield:v3.4.4 garfield:v3.4.3 garfield:v3.4.2 garfield:v3.4.1 garfield:v3.4.0 garfield:v3.3.3 garfield:v3.3.2 garfield:v3.3.1 garfield:3.3.0 garfield:2.9.4 garfield:2.9.3 garfield:2.9.2 garfield:2.9.1 garfield:2.9 garfield:2.8 garfield:2.7 garfield:2.6 garfield:2.5.1 garfield:2.5 garfield:2.4.1 garfield:2.4 garfield:2.3 garfield:2.2 garfield:2.1
..
compare: garfield:plugin-backup-folder
Branches Tags
garfield:dependabot/bundler/rubocop-tw-1.59.0 garfield:master garfield:dfs garfield:fix/handle-invalid-wp-json-response garfield:fix/non-latin-character-slugs garfield:dependabot/bundler/rubocop-performance-tw-1.19.1 garfield:dependabot/github_actions/docker/login-action-3.0.0 garfield:dependabot/github_actions/docker/setup-qemu-action-3 garfield:dependabot/github_actions/docker/build-push-action-5 garfield:dependabot/github_actions/docker/setup-buildx-action-3 garfield:fix/gem-push garfield:revert-1757-master garfield:dependabot/bundler/simplecov-tw-0.22.0 garfield:gh-pages garfield:3.9.0 garfield:v2 garfield:plugin-backup-folder
garfield:v3.8.25 garfield:v3.8.24 garfield:v3.8.23 garfield:v3.8.22 garfield:v3.8.21 garfield:v3.8.20 garfield:v3.8.19 garfield:v3.8.18 garfield:v3.8.17 garfield:v3.8.16 garfield:v3.8.15 garfield:v3.8.14 garfield:v3.8.13 garfield:v3.8.12 garfield:v3.8.11 garfield:v3.8.10 garfield:v3.8.9 garfield:v3.8.8 garfield:v3.8.7 garfield:v3.8.6 garfield:v3.8.5 garfield:v3.8.4 garfield:v3.8.3 garfield:v3.8.2 garfield:v3.8.1 garfield:v3.8.0 garfield:v3.7.11 garfield:v3.7.10 garfield:v3.7.9 garfield:v3.7.8 garfield:v3.7.7 garfield:v3.7.6 garfield:v3.7.5 garfield:v3.7.4 garfield:v3.7.3 garfield:v3.7.2 garfield:v3.7.1 garfield:v3.7.0 garfield:v3.6.3 garfield:v3.6.2 garfield:v3.6.1 garfield:v3.6.0 garfield:v3.5.5 garfield:v3.5.4 garfield:v3.5.3 garfield:v3.5.2 garfield:v3.5.1 garfield:v3.5.0 garfield:v3.4.5 garfield:v3.4.4 garfield:v3.4.3 garfield:v3.4.2 garfield:v3.4.1 garfield:v3.4.0 garfield:v3.3.3 garfield:v3.3.2 garfield:v3.3.1 garfield:3.3.0 garfield:2.9.4 garfield:2.9.3 garfield:2.9.2 garfield:2.9.1 garfield:2.9 garfield:2.8 garfield:2.7 garfield:2.6 garfield:2.5.1 garfield:2.5 garfield:2.4.1 garfield:2.4 garfield:2.3 garfield:2.2 garfield:2.1

3 Commits
v3.8.10 ... plugin-bac

Author SHA1 Message Date
erwanlr
82db02a688 Updates spec for #1342 2019-05-03 14:25:17 +01:00
erwanlr
2c07de8c6b Updates class comment 2019-05-03 14:23:04 +01:00
erwanlr
4b0b8fa624 Fixes #1342 2019-05-03 14:04:50 +01:00
1105 changed files with 6295 additions and 452934 deletions
Expand all files Collapse all files

1
.dockerignore
View File

@@ -14,4 +14,3 @@ Dockerfile
*.orig
bin/wpscan-*
.wpscan/
.github/

41
.github/workflows/build.yml vendored
View File

@@ -1,41 +0,0 @@
name: Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
ruby: [2.5, 2.6, 2.7]
steps:
- name: Checkout code
uses: actions/checkout@v1
- name: Set up Ruby ${{ matrix.ruby }}
uses: actions/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}
- name: Install GEMs
run: |
gem install bundler
bundle config force_ruby_platform true
bundle config path vendor/bundle
bundle install --jobs 4 --retry 3
- name: rubocop
run: |
bundle exec rubocop
- name: rspec
run: |
bundle exec rspec
- name: Coveralls
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

40
.github/workflows/gempush.yml vendored
View File

@@ -1,40 +0,0 @@
name: Ruby Gem
on:
release:
types: [published]
jobs:
build:
name: Build + Publish
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Set up Ruby 2.6
uses: actions/setup-ruby@v1
with:
ruby-version: 2.6.x
#- name: Publish to GPR
# run: |
# mkdir -p $HOME/.gem
# touch $HOME/.gem/credentials
# chmod 0600 $HOME/.gem/credentials
# printf -- "---\n:github: Bearer ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
# gem build *.gemspec
# gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
# env:
# GEM_HOST_API_KEY: ${{secrets.GITHUB_TOKEN}}
# OWNER: wpscanteam
- name: Publish to RubyGems
run: |
mkdir -p $HOME/.gem
touch $HOME/.gem/credentials
chmod 0600 $HOME/.gem/credentials
printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
gem build *.gemspec
gem push *.gem
env:
GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}

5
.rspec
View File

@@ -1,2 +1,3 @@
--require spec_helper
--color
--color
--fail-fast
--require spec_helper

28
.rubocop.yml
View File

@@ -1,16 +1,15 @@
require: rubocop-performance
AllCops:
NewCops: enable
TargetRubyVersion: 2.5
TargetRubyVersion: 2.4
Exclude:
- '*.gemspec'
- 'vendor/**/*'
Layout/LineLength:
ClassVars:
Enabled: false
LineLength:
Max: 120
Lint/ConstantDefinitionInBlock:
Enabled: false
Lint/MissingSuper:
Enabled: false
MethodLength:
Max: 20
Lint/UriEscapeUnescape:
Enabled: false
Metrics/AbcSize:
@@ -20,22 +19,9 @@ Metrics/BlockLength:
- 'spec/**/*'
Metrics/ClassLength:
Max: 150
Exclude:
- 'app/controllers/enumeration/cli_options.rb'
Metrics/CyclomaticComplexity:
Max: 10
Metrics/MethodLength:
Max: 20
Exclude:
- 'app/controllers/enumeration/cli_options.rb'
Metrics/PerceivedComplexity:
Max: 11
Style/ClassVars:
Enabled: false
Max: 8
Style/Documentation:
Enabled: false
Style/FormatStringToken:
Enabled: false
Style/NumericPredicate:
Exclude:
- 'app/controllers/vuln_api.rb'

2
.ruby-version
View File

@@ -1 +1 @@
2.7.1
2.6.2

17
.simplecov
View File

@@ -1,19 +1,4 @@
# frozen_string_literal: true
if ENV['GITHUB_ACTION']
require 'simplecov-lcov'
SimpleCov::Formatter::LcovFormatter.config do |c|
c.single_report_path = 'coverage/lcov.info'
c.report_with_single_file = true
end
SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
end
SimpleCov.start do
enable_coverage :branch # Only supported for Ruby >= 2.5
add_filter '/spec/'
add_filter 'helper'
end
end

33
.travis.yml Normal file
View File

@@ -0,0 +1,33 @@
language: ruby
sudo: false
cache: bundler
rvm:
- 2.4.1
- 2.4.2
- 2.4.3
- 2.4.4
- 2.4.5
- 2.4.6
- 2.5.0
- 2.5.1
- 2.5.2
- 2.5.3
- 2.5.4
- 2.5.5
- 2.6.0
- 2.6.1
- 2.6.2
- 2.6.3
- ruby-head
before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- gem update --system
matrix:
allow_failures:
- rvm: ruby-head
script:
- bundle exec rubocop
- bundle exec rspec
notifications:
email:
- team@wpscan.org

18
Dockerfile
View File

@@ -1,16 +1,16 @@
FROM ruby:2.7.1-alpine AS builder
FROM ruby:2.6.2-alpine3.9 AS builder
LABEL maintainer="WPScan Team <team@wpscan.org>"
RUN echo "install: --no-document --no-post-install-message\nupdate: --no-document --no-post-install-message" > /etc/gemrc
ARG BUNDLER_ARGS="--jobs=8 --without test development"
RUN echo "gem: --no-ri --no-rdoc" > /etc/gemrc
COPY . /wpscan
RUN apk add --no-cache git libcurl ruby-dev libffi-dev make gcc musl-dev zlib-dev procps sqlite-dev && \
bundle config force_ruby_platform true && \
bundle config disable_version_check 'true' && \
bundle config without "test development" && \
bundle config path.system 'true' && \
bundle install --gemfile=/wpscan/Gemfile --jobs=8
bundle install --system --clean --no-cache --gemfile=/wpscan/Gemfile $BUNDLER_ARGS && \
# temp fix for https://github.com/bundler/bundler/issues/6680
rm -rf /usr/local/bundle/cache
WORKDIR /wpscan
RUN rake install --trace
@@ -19,9 +19,8 @@ RUN rake install --trace
RUN chmod -R a+r /usr/local/bundle
FROM ruby:2.7.1-alpine
FROM ruby:2.6.2-alpine3.9
LABEL maintainer="WPScan Team <team@wpscan.org>"
LABEL org.opencontainers.image.source https://github.com/wpscanteam/wpscan
RUN adduser -h /wpscan -g WPScan -D wpscan
@@ -39,3 +38,4 @@ USER wpscan
RUN /usr/local/bundle/bin/wpscan --update --verbose
ENTRYPOINT ["/usr/local/bundle/bin/wpscan"]
CMD ["--help"]

4
LICENSE
View File

@@ -27,7 +27,9 @@ Example cases which do not require a commercial license, and thus fall under the
- Using WPScan to test your own systems.
- Any non-commercial use of WPScan.
If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
Free-use Terms and Conditions;

78
README.md
View File

@@ -7,16 +7,17 @@
<h3 align="center">WPScan</h3>
<p align="center">
WordPress Security Scanner
WordPress Vulnerability Scanner
<br>
<br>
<a href="https://wpscan.com/" title="homepage" target="_blank">WPScan WordPress Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
<a href="https://wpscan.org/" title="homepage" target="_blank">Homepage</a> - <a href="https://wpscan.io/" title="wpscan.io" target="_blank">WPScan.io</a> - <a href="https://wpvulndb.com/" title="vulnerability database" target="_blank">Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress plugin" target="_blank">WordPress Plugin</a>
</p>
<p align="center">
<a href="https://badge.fury.io/rb/wpscan" target="_blank"><img src="https://badge.fury.io/rb/wpscan.svg"></a>
<a href="https://github.com/wpscanteam/wpscan/actions?query=workflow%3ABuild" target="_blank"><img src="https://github.com/wpscanteam/wpscan/workflows/Build/badge.svg"></a>
<a href="https://travis-ci.org/wpscanteam/wpscan" target="_blank"><img src="https://travis-ci.org/wpscanteam/wpscan.svg?branch=master"></a>
<a href="https://codeclimate.com/github/wpscanteam/wpscan" target="_blank"><img src="https://codeclimate.com/github/wpscanteam/wpscan/badges/gpa.svg"></a>
<a href="https://www.patreon.com/wpscan" target="_blank"><img src="https://img.shields.io/badge/patreon-donate-green.svg"></a>
</p>
# INSTALL
@@ -29,13 +30,8 @@
- Curl >= 7.21 - Recommended: latest
- The 7.29 has a segfault
- RubyGems - Recommended: latest
- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
### In a Pentesting distribution
When using a pentesting distubution (such as Kali Linux), it is recommended to install/update wpscan via the package manager if available.
### From RubyGems
### From RubyGems (Recommended)
```shell
gem install wpscan
@@ -43,6 +39,18 @@ gem install wpscan
On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run ```sudo gem install -n /usr/local/bin wpscan``` (see [#1286](https://github.com/wpscanteam/wpscan/issues/1286))
### From sources (NOT Recommended)
Prerequisites: Git
```shell
git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install
```
# Updating
You can update the local database by using ```wpscan --update```
@@ -69,67 +77,41 @@ docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-1
# Usage
Full user documentation can be found here; https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
The DB is located at ~/.wpscan/db
## Vulnerability Database
The WPScan CLI tool uses the [WPScan API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan](https://wpscan.com/register). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPScan](https://wpscan.com/).
## Load CLI options from file/s
WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
- ~/.wpscan/scan.json
- ~/.wpscan/scan.yml
- pwd/.wpscan/scan.json
- pwd/.wpscan/scan.yml
- ~/.wpscan/cli_options.json
- ~/.wpscan/cli_options.yml
- pwd/.wpscan/cli_options.json
- pwd/.wpscan/cli_options.yml
If those files exist, options from the `cli_options` key will be loaded and overridden if found twice.
If those files exist, options from them will be loaded and overridden if found twice.
e.g:
~/.wpscan/scan.yml:
~/.wpscan/cli_options.yml:
```yml
cli_options:
proxy: 'http://127.0.0.1:8080'
verbose: true
proxy: 'http://127.0.0.1:8080'
verbose: true
```
pwd/.wpscan/scan.yml:
pwd/.wpscan/cli_options.yml:
```yml
cli_options:
proxy: 'socks5://127.0.0.1:9090'
url: 'http://target.tld'
proxy: 'socks5://127.0.0.1:9090'
url: 'http://target.tld'
```
Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
## Save API Token in a file
The feature mentioned above is useful to keep the API Token in a config file and not have to supply it via the CLI each time. To do so, create the ~/.wpscan/scan.yml file containing the below:
```yml
cli_options:
api_token: YOUR_API_TOKEN
```
## Load API Token From ENV (since v3.7.10)
The API Token will be automatically loaded from the ENV variable `WPSCAN_API_TOKEN` if present. If the `--api-token` CLI option is also provided, the value from the CLI will be used.
## Enumerating usernames
Enumerating usernames
```shell
wpscan --url https://target.tld/ --enumerate u

6
Rakefile
View File

@@ -6,18 +6,14 @@ exec = []
begin
require 'rubocop/rake_task'
RuboCop::RakeTask.new
exec << :rubocop
rescue LoadError
end
begin
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) { |t| t.rspec_opts = %w{--tag ~slow} }
RSpec::Core::RakeTask.new(:spec)
exec << :spec
rescue LoadError
end

1
app/controllers.rb
View File

@@ -1,7 +1,6 @@
# frozen_string_literal: true
require_relative 'controllers/core'
require_relative 'controllers/vuln_api'
require_relative 'controllers/custom_directories'
require_relative 'controllers/wp_version'
require_relative 'controllers/main_theme'

4
app/controllers/custom_directories.rb
View File

@@ -18,7 +18,9 @@ module WPScan
target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
raise Error::WpContentDirNotDetected unless target.content_dir
return if target.content_dir(ParsedCli.detection_mode)
raise Error::WpContentDirNotDetected
end
end
end

9
app/controllers/enumeration.rb
View File

@@ -7,6 +7,15 @@ module WPScan
module Controller
# Enumeration Controller
class Enumeration < CMSScanner::Controller::Base
def before_scan
DB::DynamicFinders::Plugin.create_versions_finders
DB::DynamicFinders::Theme.create_versions_finders
# Force the Garbage Collector to run due to the above method being
# quite heavy in objects allocation
GC.start
end
def run
enum = ParsedCli.enumerate || {}

21
app/controllers/enumeration/cli_options.rb
View File

@@ -11,6 +11,7 @@ module WPScan
end
# @return [ Array<OptParseValidator::OptBase> ]
# rubocop:disable Metrics/MethodLength
def cli_enum_choices
[
OptMultiChoices.new(
@@ -18,10 +19,10 @@ module WPScan
choices: {
vp: OptBoolean.new(['--vulnerable-plugins']),
ap: OptBoolean.new(['--all-plugins']),
p: OptBoolean.new(['--popular-plugins']),
p: OptBoolean.new(['--plugins']),
vt: OptBoolean.new(['--vulnerable-themes']),
at: OptBoolean.new(['--all-themes']),
t: OptBoolean.new(['--popular-themes']),
t: OptBoolean.new(['--themes']),
tt: OptBoolean.new(['--timthumbs']),
cb: OptBoolean.new(['--config-backups']),
dbe: OptBoolean.new(['--db-exports']),
@@ -44,6 +45,7 @@ module WPScan
)
]
end
# rubocop:enable Metrics/MethodLength
# @return [ Array<OptParseValidator::OptBase> ]
def cli_plugins_opts
@@ -51,7 +53,7 @@ module WPScan
OptSmartList.new(['--plugins-list LIST', 'List of plugins to enumerate'], advanced: true),
OptChoice.new(
['--plugins-detection MODE',
'Use the supplied mode to enumerate Plugins.'],
'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'],
choices: %w[mixed passive aggressive], normalize: :to_sym, default: :passive
),
OptBoolean.new(
@@ -62,13 +64,9 @@ module WPScan
),
OptChoice.new(
['--plugins-version-detection MODE',
'Use the supplied mode to check plugins\' versions.'],
'Use the supplied mode to check plugins versions instead of the --detection-mode ' \
'or --plugins-detection modes.'],
choices: %w[mixed passive aggressive], normalize: :to_sym, default: :mixed
),
OptInteger.new(
['--plugins-threshold THRESHOLD',
'Raise an error when the number of detected plugins via known locations reaches the threshold. ' \
'Set to 0 to ignore the threshold.'], default: 100, advanced: true
)
]
end
@@ -93,11 +91,6 @@ module WPScan
'Use the supplied mode to check themes versions instead of the --detection-mode ' \
'or --themes-detection modes.'],
choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
),
OptInteger.new(
['--themes-threshold THRESHOLD',
'Raise an error when the number of detected themes via known locations reaches the threshold. ' \
'Set to 0 to ignore the threshold.'], default: 20, advanced: true
)
]
end

10
app/controllers/enumeration/enum_methods.rb
View File

@@ -56,13 +56,12 @@ module WPScan
#
# @return [ Boolean ] Wether or not to enumerate the plugins
def enum_plugins?(opts)
opts[:popular_plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
opts[:plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
end
def enum_plugins
opts = default_opts('plugins').merge(
list: plugins_list_from_opts(ParsedCli.options),
threshold: ParsedCli.plugins_threshold,
sort: true
)
@@ -92,7 +91,7 @@ module WPScan
if opts[:enumerate][:all_plugins]
DB::Plugins.all_slugs
elsif opts[:enumerate][:popular_plugins]
elsif opts[:enumerate][:plugins]
DB::Plugins.popular_slugs
else
DB::Plugins.vulnerable_slugs
@@ -103,13 +102,12 @@ module WPScan
#
# @return [ Boolean ] Wether or not to enumerate the themes
def enum_themes?(opts)
opts[:popular_themes] || opts[:all_themes] || opts[:vulnerable_themes]
opts[:themes] || opts[:all_themes] || opts[:vulnerable_themes]
end
def enum_themes
opts = default_opts('themes').merge(
list: themes_list_from_opts(ParsedCli.options),
threshold: ParsedCli.themes_threshold,
sort: true
)
@@ -139,7 +137,7 @@ module WPScan
if opts[:enumerate][:all_themes]
DB::Themes.all_slugs
elsif opts[:enumerate][:popular_themes]
elsif opts[:enumerate][:themes]
DB::Themes.popular_slugs
else
DB::Themes.vulnerable_slugs

70
app/controllers/password_attack.rb
View File

@@ -19,37 +19,31 @@ module WPScan
OptChoice.new(['--password-attack ATTACK',
'Force the supplied attack to be used rather than automatically determining one.'],
choices: %w[wp-login xmlrpc xmlrpc-multicall],
normalize: %i[downcase underscore to_sym]),
OptString.new(['--login-uri URI', 'The URI of the login page if different from /wp-login.php'])
normalize: %i[downcase underscore to_sym])
]
end
def attack_opts
@attack_opts ||= {
show_progression: user_interaction?,
multicall_max_passwords: ParsedCli.multicall_max_passwords
}
end
def run
return unless ParsedCli.passwords
if user_interaction?
output('@info',
msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
end
attack_opts = {
show_progression: user_interaction?,
multicall_max_passwords: ParsedCli.multicall_max_passwords
}
begin
found = []
if user_interaction?
output('@info',
msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
end
attacker.attack(users, ParsedCli.passwords, attack_opts) do |user|
attacker.attack(users, passwords(ParsedCli.passwords), attack_opts) do |user|
found << user
attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
end
rescue Error::NoLoginInterfaceDetected => e
# TODO: Maybe output that in JSON as well.
output('@notice', msg: e.to_s) if user_interaction?
ensure
output('users', users: found)
end
@@ -71,47 +65,30 @@ module WPScan
case ParsedCli.password_attack
when :wp_login
raise Error::NoLoginInterfaceDetected unless target.login_url
Finders::Passwords::WpLogin.new(target)
WPScan::Finders::Passwords::WpLogin.new(target)
when :xmlrpc
raise Error::XMLRPCNotDetected unless xmlrpc
Finders::Passwords::XMLRPC.new(xmlrpc)
WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
when :xmlrpc_multicall
raise Error::XMLRPCNotDetected unless xmlrpc
Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
end
end
# @return [ Boolean ]
def xmlrpc_get_users_blogs_enabled?
if xmlrpc&.enabled? &&
xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
!xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
.run.body.match?(/>\s*405\s*</)
true
else
false
WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
end
end
# @return [ CMSScanner::Finders::Finder ]
def attacker_from_automatic_detection
if xmlrpc_get_users_blogs_enabled?
if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
wp_version = target.wp_version
if wp_version && wp_version < '4.4'
Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
else
Finders::Passwords::XMLRPC.new(xmlrpc)
WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
end
elsif target.login_url
Finders::Passwords::WpLogin.new(target)
else
raise Error::NoLoginInterfaceDetected
WPScan::Finders::Passwords::WpLogin.new(target)
end
end
@@ -123,6 +100,15 @@ module WPScan
acc << Model::User.new(elem.chomp)
end
end
# @param [ String ] wordlist_path
#
# @return [ Array<String> ]
def passwords(wordlist_path)
@passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
acc << elem.chomp
end
end
end
end
end

32
app/controllers/vuln_api.rb
View File

@@ -1,32 +0,0 @@
# frozen_string_literal: true
module WPScan
module Controller
# Controller to handle the API token
class VulnApi < CMSScanner::Controller::Base
ENV_KEY = 'WPSCAN_API_TOKEN'
def cli_options
[
OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
]
end
def before_scan
return unless ParsedCli.api_token || ENV.key?(ENV_KEY)
DB::VulnApi.token = ParsedCli.api_token || ENV[ENV_KEY]
api_status = DB::VulnApi.status
raise Error::InvalidApiToken if api_status['error']
raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
raise api_status['http_error'] if api_status['http_error']
end
def after_scan
output('status', status: DB::VulnApi.status, api_requests: WPScan.api_requests)
end
end
end
end

2
app/controllers/wp_version.rb
View File

@@ -17,7 +17,7 @@ module WPScan
end
def before_scan
DB::DynamicFinders::Wordpress.create_versions_finders
WPScan::DB::DynamicFinders::Wordpress.create_versions_finders
end
def run

7
app/finders/db_exports/known_locations.rb
View File

@@ -4,6 +4,7 @@ module WPScan
module Finders
module DbExports
# DB Exports finder
# See https://github.com/wpscanteam/wpscan-v3/issues/62
class KnownLocations < CMSScanner::Finders::Finder
include CMSScanner::Finders::Finder::Enumerator
@@ -19,9 +20,9 @@ module WPScan
enumerate(potential_urls(opts), opts.merge(check_full_response: 200)) do |res|
if res.effective_url.end_with?('.zip')
next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
next unless res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
else
next unless SQL_PATTERN.match?(res.body)
next unless res.body =~ SQL_PATTERN
end
found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
@@ -40,7 +41,7 @@ module WPScan
# @return [ Hash ]
def potential_urls(opts = {})
urls = {}
domain_name = (PublicSuffix.domain(target.uri.host) || target.uri.host)[/(^[\w|-]+)/, 1]
domain_name = target.uri.host[/(^[\w|-]+)/, 1]
File.open(opts[:list]).each_with_index do |path, index|
path.gsub!('{domain_name}', domain_name)

4
app/finders/interesting_findings.rb
View File

@@ -4,7 +4,7 @@ require_relative 'interesting_findings/readme'
require_relative 'interesting_findings/wp_cron'
require_relative 'interesting_findings/multisite'
require_relative 'interesting_findings/debug_log'
require_relative 'interesting_findings/backup_db'
require_relative 'interesting_findings/plugin_backup_folders'
require_relative 'interesting_findings/mu_plugins'
require_relative 'interesting_findings/registration'
require_relative 'interesting_findings/tmm_db_migrate'
@@ -24,7 +24,7 @@ module WPScan
super(target)
%w[
Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
Readme DebugLog FullPathDisclosure PluginBackupFolders DuplicatorInstallerLog
Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
UploadSQLDump EmergencyPwdResetScript WPCron
].each do |f|

25
app/finders/interesting_findings/backup_db.rb
View File

@@ -1,25 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module InterestingFindings
# BackupDB finder
class BackupDB < CMSScanner::Finders::Finder
# @return [ InterestingFinding ]
def aggressive(_opts = {})
path = 'wp-content/backup-db/'
res = target.head_and_get(path, [200, 403])
return unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
Model::BackupDB.new(
target.url(path),
confidence: 70,
found_by: DIRECT_ACCESS,
interesting_entries: target.directory_listing_entries(path)
)
end
end
end
end
end

6
app/finders/interesting_findings/debug_log.rb
View File

@@ -11,7 +11,11 @@ module WPScan
return unless target.debug_log?(path)
Model::DebugLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
Model::DebugLog.new(
target.url(path),
confidence: 100, found_by: DIRECT_ACCESS,
references: { url: 'https://codex.wordpress.org/Debugging_in_WordPress' }
)
end
end
end

9
app/finders/interesting_findings/duplicator_installer_log.rb
View File

@@ -9,9 +9,14 @@ module WPScan
def aggressive(_opts = {})
path = 'installer-log.txt'
return unless /DUPLICATOR(-|\s)?(PRO|LITE)?:? INSTALL-LOG/i.match?(target.head_and_get(path).body)
return unless target.head_and_get(path).body =~ /DUPLICATOR INSTALL-LOG/
Model::DuplicatorInstallerLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
Model::DuplicatorInstallerLog.new(
target.url(path),
confidence: 100,
found_by: DIRECT_ACCESS,
references: { url: 'https://www.exploit-db.com/ghdb/3981/' }
)
end
end
end

5
app/finders/interesting_findings/emergency_pwd_reset_script.rb
View File

@@ -15,7 +15,10 @@ module WPScan
Model::EmergencyPwdResetScript.new(
target.url(path),
confidence: /password/i.match?(res.body) ? 100 : 40,
found_by: DIRECT_ACCESS
found_by: DIRECT_ACCESS,
references: {
url: 'https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script'
}
)
end
end

3
app/finders/interesting_findings/full_path_disclosure.rb
View File

@@ -16,7 +16,8 @@ module WPScan
target.url(path),
confidence: 100,
found_by: DIRECT_ACCESS,
interesting_entries: fpd_entries
interesting_entries: fpd_entries,
references: { url: 'https://www.owasp.org/index.php/Full_Path_Disclosure' }
)
end
end

22
app/finders/interesting_findings/mu_plugins.rb
View File

@@ -7,16 +7,22 @@ module WPScan
class MuPlugins < CMSScanner::Finders::Finder
# @return [ InterestingFinding ]
def passive(_opts = {})
pattern = %r{#{target.content_dir}/mu-plugins/}i
pattern = %r{#{target.content_dir}/mu\-plugins/}i
target.in_scope_uris(target.homepage_res, '(//@href|//@src)[contains(., "mu-plugins")]') do |uri|
next unless uri.path&.match?(pattern)
target.in_scope_uris(target.homepage_res) do |uri|
next unless uri.path =~ pattern
url = target.url('wp-content/mu-plugins/')
target.mu_plugins = true
return Model::MuPlugins.new(url, confidence: 70, found_by: 'URLs In Homepage (Passive Detection)')
return Model::MuPlugins.new(
url,
confidence: 70,
found_by: 'URLs In Homepage (Passive Detection)',
to_s: "This site has 'Must Use Plugins': #{url}",
references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
)
end
nil
end
@@ -31,7 +37,13 @@ module WPScan
target.mu_plugins = true
Model::MuPlugins.new(url, confidence: 80, found_by: DIRECT_ACCESS)
Model::MuPlugins.new(
url,
confidence: 80,
found_by: DIRECT_ACCESS,
to_s: "This site has 'Must Use Plugins': #{url}",
references: { url: 'http://codex.wordpress.org/Must_Use_Plugins' }
)
end
end
end

12
app/finders/interesting_findings/multisite.rb
View File

@@ -12,12 +12,18 @@ module WPScan
location = res.headers_hash['location']
return unless [200, 302].include?(res.code)
return if res.code == 302 && location&.include?('wp-login.php?action=register')
return unless res.code == 200 || res.code == 302 && location&.include?('wp-signup.php')
return if res.code == 302 && location =~ /wp-login\.php\?action=register/
return unless res.code == 200 || res.code == 302 && location =~ /wp-signup\.php/
target.multisite = true
Model::Multisite.new(url, confidence: 100, found_by: DIRECT_ACCESS)
Model::Multisite.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,
to_s: 'This site seems to be a multisite',
references: { url: 'http://codex.wordpress.org/Glossary#Multisite' }
)
end
end
end

34
app/finders/interesting_findings/plugin_backup_folders.rb Normal file
View File

@@ -0,0 +1,34 @@
# frozen_string_literal: true
module WPScan
module Finders
module InterestingFindings
# Known Backup Folders from Plugin finder
class PluginBackupFolders < CMSScanner::Finders::Finder
PATHS = %w[wp-content/backup-db/ wp-content/backups-dup-pro/ wp-content/updraft/].freeze
# @return [ InterestingFinding ]
def aggressive(_opts = {})
found = []
PATHS.each do |path|
res = target.head_and_get(path, [200, 403])
next unless [200, 403].include?(res.code) && !target.homepage_or_404?(res)
found << Model::PluginBackupFolder.new(
target.url(path),
confidence: 70,
found_by: DIRECT_ACCESS,
interesting_entries: target.directory_listing_entries(path),
references: { url: ['https://github.com/wpscanteam/wpscan/issues/422',
'https://github.com/wpscanteam/wpscan/issues/1342'] }
)
end
found
end
end
end
end
end

7
app/finders/interesting_findings/registration.rb
View File

@@ -20,7 +20,12 @@ module WPScan
target.registration_enabled = true
Model::Registration.new(res.effective_url, confidence: 100, found_by: DIRECT_ACCESS)
Model::Registration.new(
res.effective_url,
confidence: 100,
found_by: DIRECT_ACCESS,
to_s: "Registration is enabled: #{res.effective_url}"
)
end
end
end

7
app/finders/interesting_findings/tmm_db_migrate.rb
View File

@@ -13,7 +13,12 @@ module WPScan
return unless res.code == 200 && res.headers['Content-Type'] =~ %r{\Aapplication/zip}i
Model::TmmDbMigrate.new(url, confidence: 100, found_by: DIRECT_ACCESS)
Model::TmmDbMigrate.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,
references: { packetstorm: 131_957 }
)
end
end
end

7
app/finders/interesting_findings/upload_directory_listing.rb
View File

@@ -13,7 +13,12 @@ module WPScan
url = target.url(path)
Model::UploadDirectoryListing.new(url, confidence: 100, found_by: DIRECT_ACCESS)
Model::UploadDirectoryListing.new(
url,
confidence: 100,
found_by: DIRECT_ACCESS,
to_s: "Upload directory has listing enabled: #{url}"
)
end
end
end

8
app/finders/interesting_findings/upload_sql_dump.rb
View File

@@ -12,9 +12,13 @@ module WPScan
path = 'wp-content/uploads/dump.sql'
res = target.head_and_get(path, [200], get: { headers: { 'Range' => 'bytes=0-3000' } })
return unless SQL_PATTERN.match?(res.body)
return unless res.body =~ SQL_PATTERN
Model::UploadSQLDump.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
Model::UploadSQLDump.new(
target.url(path),
confidence: 100,
found_by: DIRECT_ACCESS
)
end
end
end

12
app/finders/interesting_findings/wp_cron.rb
View File

@@ -11,7 +11,17 @@ module WPScan
return unless res.code == 200
Model::WPCron.new(wp_cron_url, confidence: 60, found_by: DIRECT_ACCESS)
Model::WPCron.new(
wp_cron_url,
confidence: 60,
found_by: DIRECT_ACCESS,
references: {
url: [
'https://www.iplocation.net/defend-wordpress-from-ddos',
'https://github.com/wpscanteam/wpscan/issues/1299'
]
}
)
end
def wp_cron_url

10
app/finders/main_theme.rb
View File

@@ -1,10 +1,8 @@
# frozen_string_literal: true
require_relative 'main_theme/css_style_in_homepage'
require_relative 'main_theme/css_style_in_404_page'
require_relative 'main_theme/css_style'
require_relative 'main_theme/woo_framework_meta_generator'
require_relative 'main_theme/urls_in_homepage'
require_relative 'main_theme/urls_in_404_page'
module WPScan
module Finders
@@ -16,11 +14,9 @@ module WPScan
# @param [ WPScan::Target ] target
def initialize(target)
finders <<
MainTheme::CssStyleInHomepage.new(target) <<
MainTheme::CssStyleIn404Page.new(target) <<
MainTheme::CssStyle.new(target) <<
MainTheme::WooFrameworkMetaGenerator.new(target) <<
MainTheme::UrlsInHomepage.new(target) <<
MainTheme::UrlsIn404Page.new(target)
MainTheme::UrlsInHomepage.new(target)
end
end
end

12
app/finders/main_theme/css_style_in_homepage.rb → app/finders/main_theme/css_style.rb
View File

@@ -3,9 +3,9 @@
module WPScan
module Finders
module MainTheme
# From the CSS style in the homepage
class CssStyleInHomepage < CMSScanner::Finders::Finder
include Finders::WpItems::UrlsInPage # To have the item_code_pattern method available here
# From the css style
class CssStyle < CMSScanner::Finders::Finder
include Finders::WpItems::URLsInHomepage
def create_theme(slug, style_url, opts)
Model::Theme.new(
@@ -20,8 +20,8 @@ module WPScan
end
def passive_from_css_href(res, opts)
target.in_scope_uris(res, '//link/@href[contains(., "style.css")]') do |uri|
next unless uri.path =~ %r{/themes/([^/]+)/style.css\z}i
target.in_scope_uris(res, '//style/@src|//link/@href') do |uri|
next unless uri.path =~ %r{/themes/([^\/]+)/style.css\z}i
return create_theme(Regexp.last_match[1], uri.to_s, opts)
end
@@ -33,7 +33,7 @@ module WPScan
code = tag.text.to_s
next if code.empty?
next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'( ]*}i
next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'\( ]*}i
return create_theme(Regexp.last_match[1], Regexp.last_match[0].strip, opts)
end

14
app/finders/main_theme/css_style_in_404_page.rb
View File

@@ -1,14 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module MainTheme
# From the CSS style in the 404 page
class CssStyleIn404Page < CssStyleInHomepage
def passive(opts = {})
passive_from_css_href(target.error_404_res, opts) || passive_from_style_code(target.error_404_res, opts)
end
end
end
end
end

15
app/finders/main_theme/urls_in_404_page.rb
View File

@@ -1,15 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module MainTheme
# URLs In 404 Page Finder
class UrlsIn404Page < UrlsInHomepage
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.error_404_res
end
end
end
end
end

9
app/finders/main_theme/urls_in_homepage.rb
View File

@@ -5,7 +5,7 @@ module WPScan
module MainTheme
# URLs In Homepage Finder
class UrlsInHomepage < CMSScanner::Finders::Finder
include WpItems::UrlsInPage
include WpItems::URLsInHomepage
# @param [ Hash ] opts
#
@@ -13,7 +13,7 @@ module WPScan
def passive(opts = {})
found = []
slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
slugs = items_from_links('themes', false) + items_from_codes('themes', false)
slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
@@ -21,11 +21,6 @@ module WPScan
found
end
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.homepage_res
end
end
end
end

2
app/finders/main_theme/woo_framework_meta_generator.rb
View File

@@ -10,7 +10,7 @@ module WPScan
PATTERN = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
def passive(opts = {})
return unless target.homepage_res.body =~ PATTERN || target.error_404_res.body =~ PATTERN
return unless target.homepage_res.body =~ PATTERN
Model::Theme.new(
Regexp.last_match[1],

2
app/finders/passwords/wp_login.rb
View File

@@ -13,7 +13,7 @@ module WPScan
def valid_credentials?(response)
response.code == 302 &&
Array(response.headers['Set-Cookie'])&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
response.headers['Set-Cookie']&.any? { |cookie| cookie =~ /wordpress_logged_in_/i }
end
def errored_response?(response)

6
app/finders/passwords/xml_rpc.rb
View File

@@ -8,15 +8,15 @@ module WPScan
include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
def login_request(username, password)
target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)
target.method_call('wp.getUsersBlogs', [username, password])
end
def valid_credentials?(response)
response.code == 200 && response.body.include?('blogName')
response.code == 200 && response.body =~ /blogName/
end
def errored_response?(response)
response.code != 200 && response.body !~ /Incorrect username or password/i
response.code != 200 && response.body !~ /login_error/i
end
end
end

59
app/finders/passwords/xml_rpc_multicall.rb
View File

@@ -19,33 +19,11 @@ module WPScan
end
end
target.multi_call(methods, cache_ttl: 0).run
end
# @param [ IO ] file
# @param [ Integer ] passwords_size
# @return [ Array<String> ] The passwords from the last checked position in the file until there are
# passwords_size passwords retrieved
def passwords_from_wordlist(file, passwords_size)
pwds = []
added_pwds = 0
return pwds if passwords_size.zero?
# Make sure that the main code does not call #sysseek or #count etc
# otherwise the file descriptor will be set to somwehere else
file.each_line(chomp: true) do |line|
pwds << line
added_pwds += 1
break if added_pwds == passwords_size
end
pwds
target.multi_call(methods).run
end
# @param [ Array<Model::User> ] users
# @param [ String ] wordlist_path
# @param [ Array<String> ] passwords
# @param [ Hash ] opts
# @option opts [ Boolean ] :show_progression
# @option opts [ Integer ] :multicall_max_passwords
@@ -55,22 +33,18 @@ module WPScan
# TODO: Make rubocop happy about metrics etc
#
# rubocop:disable all
def attack(users, wordlist_path, opts = {})
checked_passwords = 0
wordlist = File.open(wordlist_path)
wordlist_size = wordlist.count
def attack(users, passwords, opts = {})
wordlist_index = 0
max_passwords = opts[:multicall_max_passwords]
current_passwords_size = passwords_size(max_passwords, users.size)
create_progress_bar(total: (wordlist_size / current_passwords_size.round(1)).ceil,
create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
show_progression: opts[:show_progression])
wordlist.sysseek(0) # reset the descriptor to the beginning of the file as it changed with #count
loop do
current_users = users.select { |user| user.password.nil? }
current_passwords = passwords_from_wordlist(wordlist, current_passwords_size)
checked_passwords += current_passwords_size
current_users = users.select { |user| user.password.nil? }
current_passwords = passwords[wordlist_index, current_passwords_size]
wordlist_index += current_passwords_size
break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
@@ -102,19 +76,16 @@ module WPScan
break
end
begin
progress_bar.total = progress_bar.progress + ((wordlist_size - checked_passwords) / current_passwords_size.round(1)).ceil
rescue ProgressBar::InvalidProgressError
end
progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
end
end
# Maybe a progress_bar.stop ?
end
# rubocop:enable all
# rubocop:disable all
def passwords_size(max_passwords, users_size)
return 1 if max_passwords < users_size
return 0 if users_size.zero?
return 0 if users_size == 0
max_passwords / users_size
end
@@ -123,13 +94,9 @@ module WPScan
def check_and_output_errors(res)
progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
if /parse error. not well formed/i.match?(res.body)
progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)')
end
progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i
return unless /requested method [^ ]+ does not exist/i.match?(res.body)
progress_bar.log('The requested method is not supported')
progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
end
end
end

20
app/finders/plugin_version.rb
View File

@@ -13,15 +13,25 @@ module WPScan
def initialize(plugin)
finders << PluginVersion::Readme.new(plugin)
create_and_load_dynamic_versions_finders(plugin)
load_specific_finders(plugin)
end
# Create the dynamic version finders related to the plugin and register them
# Load the finders associated with the plugin
#
# @param [ Model::Plugin ] plugin
def create_and_load_dynamic_versions_finders(plugin)
DB::DynamicFinders::Plugin.create_versions_finders(plugin.slug).each do |finder|
finders << finder.new(plugin)
def load_specific_finders(plugin)
module_name = plugin.classify
return unless Finders::PluginVersion.constants.include?(module_name)
mod = Finders::PluginVersion.const_get(module_name)
mod.constants.each do |constant|
c = mod.const_get(constant)
next unless c.is_a?(Class)
finders << c.new(plugin)
end
end
end

16
app/finders/plugin_version/readme.rb
View File

@@ -11,7 +11,7 @@ module WPScan
# The target(plugin)#readme_url can't be used directly here
# as if the --detection-mode is passive, it will always return nil
target.potential_readme_filenames.each do |file|
Model::WpItem::READMES.each do |file|
res = target.head_and_get(file)
next unless res.code == 200 && !(numbers = version_numbers(res.body)).empty?
@@ -48,18 +48,18 @@ module WPScan
#
# @return [ String, nil ] The version number detected from the stable tag
def from_stable_tag(body)
return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i
return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z\.-]+)/i
number = Regexp.last_match[1]
number if /[0-9]+/.match?(number)
number if number =~ /[0-9]+/
end
# @param [ String ] body
#
# @return [ String, nil ] The best version number detected from the changelog section
def from_changelog_section(body)
extracted_versions = body.scan(%r{=+\s+(?:v(?:ersion)?\s*)?([0-9.-]+)[ \ta-z0-9().\-/]*=+}i)
extracted_versions = body.scan(%r{[=]+\s+(?:v(?:ersion)?\s*)?([0-9\.-]+)[ \ta-z0-9\(\)\.\-\/]*[=]+}i)
return if extracted_versions.nil? || extracted_versions.empty?
@@ -68,9 +68,11 @@ module WPScan
extracted_versions = extracted_versions.select { |x| x =~ /[0-9]+/ }
sorted = extracted_versions.sort do |x, y|
Gem::Version.new(x) <=> Gem::Version.new(y)
rescue StandardError
0
begin
Gem::Version.new(x) <=> Gem::Version.new(y)
rescue StandardError
0
end
end
sorted.last

2
app/finders/plugins.rb
View File

@@ -1,7 +1,6 @@
# frozen_string_literal: true
require_relative 'plugins/urls_in_homepage'
require_relative 'plugins/urls_in_404_page'
require_relative 'plugins/known_locations'
# From the DynamicFinders
require_relative 'plugins/comment'
@@ -23,7 +22,6 @@ module WPScan
def initialize(target)
finders <<
Plugins::UrlsInHomepage.new(target) <<
Plugins::UrlsIn404Page.new(target) <<
Plugins::HeaderPattern.new(target) <<
Plugins::Comment.new(target) <<
Plugins::Xpath.new(target) <<

4
app/finders/plugins/body_pattern.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from Dynamic Finder 'BodyPattern'
class BodyPattern < Finders::DynamicFinder::WpItems::Finder
class BodyPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 30
# @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -15,7 +15,7 @@ module WPScan
#
# @return [ Plugin ] The detected plugin in the response, related to the config
def process_response(opts, response, slug, klass, config)
return unless response.body&.match?(config['pattern'])
return unless response.body =~ config['pattern']
Model::Plugin.new(
slug,

4
app/finders/plugins/comment.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from the Dynamic Finder 'Comment'
class Comment < Finders::DynamicFinder::WpItems::Finder
class Comment < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 30
# @param [ Hash ] opts The options from the #passive, #aggressive methods
@@ -18,7 +18,7 @@ module WPScan
response.html.xpath(config['xpath'] || '//comment()').each do |node|
comment = node.text.to_s.strip
next unless comment&.match?(config['pattern'])
next unless comment =~ config['pattern']
return Model::Plugin.new(
slug,

2
app/finders/plugins/config_parser.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from Dynamic Finder 'ConfigParser'
class ConfigParser < Finders::DynamicFinder::WpItems::Finder
class ConfigParser < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 40
# @param [ Hash ] opts The options from the #passive, #aggressive methods

2
app/finders/plugins/header_pattern.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from Dynamic Finder 'HeaderPattern'
class HeaderPattern < Finders::DynamicFinder::WpItems::Finder
class HeaderPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 30
# @param [ Hash ] opts

2
app/finders/plugins/javascript_var.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from the Dynamic Finder 'JavascriptVar'
class JavascriptVar < Finders::DynamicFinder::WpItems::Finder
class JavascriptVar < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 60
# @param [ Hash ] opts The options from the #passive, #aggressive methods

10
app/finders/plugins/known_locations.rb
View File

@@ -19,14 +19,8 @@ module WPScan
def aggressive(opts = {})
found = []
enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
finding_opts = opts.merge(found_by: found_by,
confidence: 80,
interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
found << Model::Plugin.new(slug, target, finding_opts)
raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

2
app/finders/plugins/query_parameter.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from Dynamic Finder 'QueryParameter'
class QueryParameter < Finders::DynamicFinder::WpItems::Finder
class QueryParameter < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 10
def passive(_opts = {})

16
app/finders/plugins/urls_in_404_page.rb
View File

@@ -1,16 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module Plugins
# URLs In 404 Page Finder
# Typically, the items detected from URLs like /wp-content/plugins/<slug>/
class UrlsIn404Page < UrlsInHomepage
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.error_404_res
end
end
end
end
end

10
app/finders/plugins/urls_in_homepage.rb
View File

@@ -4,9 +4,10 @@ module WPScan
module Finders
module Plugins
# URLs In Homepage Finder
# Typically, the items detected from URLs like /wp-content/plugins/<slug>/
# Typically, the items detected from URLs like
# /wp-content/plugins/<slug>/
class UrlsInHomepage < CMSScanner::Finders::Finder
include WpItems::UrlsInPage
include WpItems::URLsInHomepage
# @param [ Hash ] opts
#
@@ -20,11 +21,6 @@ module WPScan
found
end
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.homepage_res
end
end
end
end

2
app/finders/plugins/xpath.rb
View File

@@ -4,7 +4,7 @@ module WPScan
module Finders
module Plugins
# Plugins finder from the Dynamic Finder 'Xpath'
class Xpath < Finders::DynamicFinder::WpItems::Finder
class Xpath < WPScan::Finders::DynamicFinder::WpItems::Finder
DEFAULT_CONFIDENCE = 40
# @param [ Hash ] opts The options from the #passive, #aggressive methods

20
app/finders/theme_version.rb
View File

@@ -16,15 +16,25 @@ module WPScan
ThemeVersion::Style.new(theme) <<
ThemeVersion::WooFrameworkMetaGenerator.new(theme)
create_and_load_dynamic_versions_finders(theme)
load_specific_finders(theme)
end
# Create the dynamic version finders related to the theme and register them
# Load the finders associated with the theme
#
# @param [ Model::Theme ] theme
def create_and_load_dynamic_versions_finders(theme)
DB::DynamicFinders::Theme.create_versions_finders(theme.slug).each do |finder|
finders << finder.new(theme)
def load_specific_finders(theme)
module_name = theme.classify
return unless Finders::ThemeVersion.constants.include?(module_name)
mod = Finders::ThemeVersion.const_get(module_name)
mod.constants.each do |constant|
c = mod.const_get(constant)
next unless c.is_a?(Class)
finders << c.new(theme)
end
end
end

2
app/finders/theme_version/style.rb
View File

@@ -30,7 +30,7 @@ module WPScan
# @return [ Version ]
def style_version
return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z.-]+)/i
return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
Model::Version.new(
Regexp.last_match[1],

4
app/finders/themes.rb
View File

@@ -1,13 +1,12 @@
# frozen_string_literal: true
require_relative 'themes/urls_in_homepage'
require_relative 'themes/urls_in_404_page'
require_relative 'themes/known_locations'
module WPScan
module Finders
module Themes
# Themes Finder
# themes Finder
class Base
include CMSScanner::Finders::SameTypeFinder
@@ -15,7 +14,6 @@ module WPScan
def initialize(target)
finders <<
Themes::UrlsInHomepage.new(target) <<
Themes::UrlsIn404Page.new(target) <<
Themes::KnownLocations.new(target)
end
end

10
app/finders/themes/known_locations.rb
View File

@@ -19,14 +19,8 @@ module WPScan
def aggressive(opts = {})
found = []
enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
finding_opts = opts.merge(found_by: found_by,
confidence: 80,
interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
found << Model::Theme.new(slug, target, finding_opts)
raise Error::ThemesThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
end
found

15
app/finders/themes/urls_in_404_page.rb
View File

@@ -1,15 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module Themes
# URLs In 04 Page Finder
class UrlsIn404Page < UrlsInHomepage
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.error_404_res
end
end
end
end
end

7
app/finders/themes/urls_in_homepage.rb
View File

@@ -5,7 +5,7 @@ module WPScan
module Themes
# URLs In Homepage Finder
class UrlsInHomepage < CMSScanner::Finders::Finder
include WpItems::UrlsInPage
include WpItems::URLsInHomepage
# @param [ Hash ] opts
#
@@ -19,11 +19,6 @@ module WPScan
found
end
# @return [ Typhoeus::Response ]
def page_res
@page_res ||= target.homepage_res
end
end
end
end

2
app/finders/timthumbs/known_locations.rb
View File

@@ -22,7 +22,7 @@ module WPScan
found = []
enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
next unless /no image specified/i.match?(res.body)
next unless res.body =~ /no image specified/i
found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
end

4
app/finders/users.rb
View File

@@ -6,8 +6,7 @@ require_relative 'users/oembed_api'
require_relative 'users/rss_generator'
require_relative 'users/author_id_brute_forcing'
require_relative 'users/login_error_messages'
require_relative 'users/author_sitemap'
require_relative 'users/yoast_seo_author_sitemap'
require_relative 'users/yoast_seo_author_sitemap.rb'
module WPScan
module Finders
@@ -23,7 +22,6 @@ module WPScan
Users::WpJsonApi.new(target) <<
Users::OembedApi.new(target) <<
Users::RSSGenerator.new(target) <<
Users::AuthorSitemap.new(target) <<
Users::YoastSeoAuthorSitemap.new(target) <<
Users::AuthorIdBruteForcing.new(target) <<
Users::LoginErrorMessages.new(target)

19
app/finders/users/author_id_brute_forcing.rb
View File

@@ -71,13 +71,11 @@ module WPScan
return username, 'Display Name', 50 if username
end
# @param [ String, Addressable::URI ] uri
# @param [ String ] url
#
# @return [ String, nil ]
def username_from_author_url(uri)
uri = Addressable::URI.parse(uri) unless uri.is_a?(Addressable::URI)
uri.path[%r{/author/([^/\b]+)/?}i, 1]
def username_from_author_url(url)
url[%r{/author/([^/\b]+)/?}i, 1]
end
# @param [ Typhoeus::Response ] res
@@ -85,12 +83,12 @@ module WPScan
# @return [ String, nil ] The username found
def username_from_response(res)
# Permalink enabled
target.in_scope_uris(res, '//@href[contains(., "author/")]') do |uri|
username = username_from_author_url(uri)
target.in_scope_uris(res, '//link/@href|//a/@href') do |uri|
username = username_from_author_url(uri.to_s)
return username if username
end
# No permalink, TODO Maybe use xpath to extract the classes ?
# No permalink
res.body[/<body class="archive author author-([^\s]+)[ "]/i, 1]
end
@@ -99,12 +97,9 @@ module WPScan
# @return [ String, nil ]
def display_name_from_body(body)
page = Nokogiri::HTML.parse(body)
# WP >= 3.0
page.css('h1.page-title span').each do |node|
text = node.text.to_s.strip
return text unless text.empty?
return node.text.to_s
end
# WP < 3.0

2
app/finders/users/author_posts.rb
View File

@@ -45,7 +45,7 @@ module WPScan
def potential_usernames(res)
usernames = []
target.in_scope_uris(res, '//a/@href[contains(., "author")]') do |uri, node|
target.in_scope_uris(res, '//a/@href') do |uri, node|
if uri.path =~ %r{/author/([^/\b]+)/?\z}i
usernames << [Regexp.last_match[1], 'Author Pattern', 100]
elsif /author=[0-9]+/.match?(uri.query)

36
app/finders/users/author_sitemap.rb
View File

@@ -1,36 +0,0 @@
# frozen_string_literal: true
module WPScan
module Finders
module Users
# Since WP 5.5, /wp-sitemap-users-1.xml is generated and contains
# the usernames of accounts who made a post
class AuthorSitemap < CMSScanner::Finders::Finder
# @param [ Hash ] opts
#
# @return [ Array<User> ]
def aggressive(_opts = {})
found = []
Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
next unless username && !username.strip.empty?
found << Model::User.new(username,
found_by: found_by,
confidence: 100,
interesting_entries: [sitemap_url])
end
found
end
# @return [ String ] The URL of the sitemap
def sitemap_url
@sitemap_url ||= target.url('wp-sitemap-users-1.xml')
end
end
end
end
end

4
app/finders/users/login_error_messages.rb
View File

@@ -24,7 +24,7 @@ module WPScan
return found if error.empty? # Protection plugin / error disabled
next unless /The password you entered for the username|Incorrect Password/i.match?(error)
next unless error =~ /The password you entered for the username|Incorrect Password/i
found << Model::User.new(username, found_by: found_by, confidence: 100)
end
@@ -37,7 +37,7 @@ module WPScan
# usernames from the potential Users found
unames = opts[:found].map(&:username)
Array(opts[:list]).each { |uname| unames << uname.chomp }
[*opts[:list]].each { |uname| unames << uname.chomp }
unames.uniq
end

2
app/finders/users/oembed_api.rb
View File

@@ -34,8 +34,6 @@ module WPScan
def user_details_from_oembed_data(oembed_data)
return unless oembed_data
oembed_data = oembed_data.first if oembed_data.is_a?(Array)
if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
details = [Regexp.last_match[1], 'Author URL', 90]
elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?

4
app/finders/users/rss_generator.rb
View File

@@ -6,14 +6,14 @@ module WPScan
# Users disclosed from the dc:creator field in the RSS
# The names disclosed are display names, however depending on the configuration of the blog,
# they can be the same than usernames
class RSSGenerator < Finders::WpVersion::RSSGenerator
class RSSGenerator < WPScan::Finders::WpVersion::RSSGenerator
def process_urls(urls, _opts = {})
found = []
urls.each do |url|
res = Browser.get_and_follow_location(url)
next unless res.code == 200 && res.body =~ /<dc:creator>/i
next unless res.code == 200 && res.body =~ /<dc\:creator>/i
potential_usernames = []

2
app/finders/users/wp_json_api.rb
View File

@@ -21,7 +21,7 @@ module WPScan
loop do
current_page += 1
res = Browser.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
res = Typhoeus.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })
total_pages ||= res.headers['X-WP-TotalPages'].to_i

22
app/finders/users/yoast_seo_author_sitemap.rb
View File

@@ -5,7 +5,27 @@ module WPScan
module Users
# The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
# See https://github.com/wpscanteam/wpscan/issues/1228
class YoastSeoAuthorSitemap < AuthorSitemap
class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
# @param [ Hash ] opts
#
# @return [ Array<User> ]
def aggressive(_opts = {})
found = []
Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
next unless username && !username.strip.empty?
found << Model::User.new(username,
found_by: found_by,
confidence: 100,
interesting_entries: [sitemap_url])
end
found
end
# @return [ String ] The URL of the author-sitemap
def sitemap_url
@sitemap_url ||= target.url('author-sitemap.xml')

2
app/finders/wp_items.rb
View File

@@ -1,3 +1,3 @@
# frozen_string_literal: true
require_relative 'wp_items/urls_in_page'
require_relative 'wp_items/urls_in_homepage'

30
app/finders/wp_items/urls_in_page.rb → app/finders/wp_items/urls_in_homepage.rb
View File

@@ -4,24 +4,18 @@ module WPScan
module Finders
module WpItems
# URLs In Homepage Module to use in plugins & themes finders
module UrlsInPage
module URLsInHomepage
# @param [ String ] type plugins / themes
# @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
#
# @return [ Array<String> ] The plugins/themes detected in the href, src attributes of the page
def items_from_links(type, uniq: true)
# @return [Array<String> ] The plugins/themes detected in the href, src attributes of the homepage
def items_from_links(type, uniq = true)
found = []
xpath = format(
'(//@href|//@src|//@data-src)[contains(., "%s")]',
type == 'plugins' ? target.plugins_dir : target.content_dir
)
target.in_scope_uris(page_res, xpath) do |uri|
target.in_scope_uris(target.homepage_res) do |uri|
next unless uri.to_s =~ item_attribute_pattern(type)
slug = Regexp.last_match[1]&.strip
found << slug unless slug&.empty?
found << Regexp.last_match[1]
end
uniq ? found.uniq.sort : found.sort
@@ -31,10 +25,10 @@ module WPScan
# @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
#
# @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
def items_from_codes(type, uniq: true)
def items_from_codes(type, uniq = true)
found = []
page_res.html.xpath('//script[not(@src)]|//style[not(@src)]').each do |tag|
target.homepage_res.html.css('script,style').each do |tag|
code = tag.text.to_s
next if code.empty?
@@ -48,14 +42,14 @@ module WPScan
#
# @return [ Regexp ]
def item_attribute_pattern(type)
@item_attribute_pattern ||= %r{#{item_url_pattern(type)}([^/]+)/}i
@item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i
end
# @param [ String ] type
#
# @return [ Regexp ]
def item_code_pattern(type)
@item_code_pattern ||= %r{["'( ]#{item_url_pattern(type)}([^\\/)"']+)}i
@item_code_pattern ||= %r{["'\( ]#{item_url_pattern(type)}([^\\\/\)"']+)}i
end
# @param [ String ] type
@@ -65,10 +59,10 @@ module WPScan
item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
item_url = type == 'plugins' ? target.plugins_url : target.content_url
url = /#{item_url.gsub(/\A(?:https?)/i, 'https?').gsub('/', '\\\\\?\/')}/i
item_dir = %r{(?:#{url}|\\?/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i
item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?/}i
type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
end
end
end

2
app/finders/wp_version.rb
View File

@@ -28,7 +28,7 @@ module WPScan
# @param [ WPScan::Target ] target
def initialize(target)
(%w[RSSGenerator AtomGenerator RDFGenerator] +
DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
%w[Readme UniqueFingerprinting]
).each do |finder_name|
finders << WpVersion.const_get(finder_name.to_sym).new(target)

2
app/finders/wp_version/rdf_generator.rb
View File

@@ -28,7 +28,7 @@ module WPScan
end
def passive_urls_xpath
'//a[contains(@href, "/rdf")]/@href'
'//a[contains(@href, "rdf")]/@href'
end
def aggressive_urls(_opts = {})

92
app/models/interesting_finding.rb
View File

@@ -7,130 +7,46 @@ module WPScan
include References
end
class BackupDB < InterestingFinding
def to_s
@to_s ||= "A backup directory has been found: #{url}"
end
# @return [ Hash ]
def references
@references ||= { url: ['https://github.com/wpscanteam/wpscan/issues/422'] }
end
#
# Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
#
class PluginBackupFolder < InterestingFinding
end
class DebugLog < InterestingFinding
def to_s
@to_s ||= "Debug Log found: #{url}"
end
# @ return [ Hash ]
def references
@references ||= { url: ['https://codex.wordpress.org/Debugging_in_WordPress'] }
end
end
class DuplicatorInstallerLog < InterestingFinding
# @return [ Hash ]
def references
@references ||= { url: ['https://www.exploit-db.com/ghdb/3981/'] }
end
end
class EmergencyPwdResetScript < InterestingFinding
def references
@references ||= {
url: ['https://codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script']
}
end
end
class FullPathDisclosure < InterestingFinding
def to_s
@to_s ||= "Full Path Disclosure found: #{url}"
end
# @return [ Hash ]
def references
@references ||= { url: ['https://www.owasp.org/index.php/Full_Path_Disclosure'] }
end
end
class MuPlugins < InterestingFinding
# @return [ String ]
def to_s
@to_s ||= "This site has 'Must Use Plugins': #{url}"
end
# @return [ Hash ]
def references
@references ||= { url: ['http://codex.wordpress.org/Must_Use_Plugins'] }
end
end
class Multisite < InterestingFinding
# @return [ String ]
def to_s
@to_s ||= 'This site seems to be a multisite'
end
# @return [ Hash ]
def references
@references ||= { url: ['http://codex.wordpress.org/Glossary#Multisite'] }
end
end
class Readme < InterestingFinding
def to_s
@to_s ||= "WordPress readme found: #{url}"
end
end
class Registration < InterestingFinding
# @return [ String ]
def to_s
@to_s ||= "Registration is enabled: #{url}"
end
end
class TmmDbMigrate < InterestingFinding
def to_s
@to_s ||= "ThemeMakers migration file found: #{url}"
end
# @return [ Hash ]
def references
@references ||= { packetstorm: [131_957] }
end
end
class UploadDirectoryListing < InterestingFinding
# @return [ String ]
def to_s
@to_s ||= "Upload directory has listing enabled: #{url}"
end
end
class UploadSQLDump < InterestingFinding
def to_s
@to_s ||= "SQL Dump found: #{url}"
end
end
class WPCron < InterestingFinding
# @return [ String ]
def to_s
@to_s ||= "The external WP-Cron seems to be enabled: #{url}"
end
# @return [ Hash ]
def references
@references ||= {
url: [
'https://www.iplocation.net/defend-wordpress-from-ddos',
'https://github.com/wpscanteam/wpscan/issues/1299'
]
}
end
end
end
end

16
app/models/plugin.rb
View File

@@ -15,16 +15,9 @@ module WPScan
@uri = Addressable::URI.parse(blog.url(path_from_blog))
end
# Retrieve the metadata from the vuln API if available (and a valid token is given),
# or the local metadata db otherwise
# @return [ Hash ]
def metadata
@metadata ||= db_data.empty? ? DB::Plugin.metadata_at(slug) : db_data
end
# @return [ Hash ]
# @return [ JSON ]
def db_data
@db_data ||= DB::VulnApi.plugin_data(slug)
@db_data ||= DB::Plugin.db_data(slug)
end
# @param [ Hash ] opts
@@ -35,11 +28,6 @@ module WPScan
@version
end
# @return [ Array<String> ]
def potential_readme_filenames
@potential_readme_filenames ||= Array((DB::DynamicFinders::Plugin.df_data.dig(slug, 'Readme', 'path') || super))
end
end
end
end

13
app/models/theme.rb
View File

@@ -21,16 +21,9 @@ module WPScan
parse_style
end
# Retrieve the metadata from the vuln API if available (and a valid token is given),
# or the local metadata db otherwise
# @return [ JSON ]
def metadata
@metadata ||= db_data.empty? ? DB::Theme.metadata_at(slug) : db_data
end
# @return [ Hash ]
def db_data
@db_data ||= DB::VulnApi.theme_data(slug)
@db_data ||= DB::Theme.db_data(slug)
end
# @param [ Hash ] opts
@@ -45,7 +38,7 @@ module WPScan
# @return [ Theme ]
def parent_theme
return unless template
return unless style_body =~ /^@import\surl\(["']?([^"')]+)["']?\);\s*$/i
return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i
opts = detection_opts.merge(
style_url: url(Regexp.last_match[1]),
@@ -101,7 +94,7 @@ module WPScan
#
# @return [ String ]
def parse_style_tag(body, tag)
value = body[/\b#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/, 1]
value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
value && !value.strip.empty? ? value.strip : nil
end

12
app/models/timthumb.rb
View File

@@ -40,9 +40,9 @@ module WPScan
def rce_132_vuln
Vulnerability.new(
'Timthumb <= 1.32 Remote Code Execution',
references: { exploitdb: ['17602'] },
type: 'RCE',
fixed_in: '1.33'
{ exploitdb: ['17602'] },
'RCE',
'1.33'
)
end
@@ -50,12 +50,12 @@ module WPScan
def rce_webshot_vuln
Vulnerability.new(
'Timthumb <= 2.8.13 WebShot Remote Code Execution',
references: {
{
url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
cve: '2014-4663'
},
type: 'RCE',
fixed_in: '2.8.14'
'RCE',
'2.8.14'
)
end

28
app/models/wp_item.rb
View File

@@ -9,12 +9,11 @@ module WPScan
include CMSScanner::Target::Platform::PHP
include CMSScanner::Target::Server::Generic
# Most common readme filenames, based on checking all public plugins and themes.
READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
delegate :homepage_res, :error_404_res, :xpath_pattern_from_page, :in_scope_uris, :head_or_get_params, to: :blog
delegate :homepage_res, :xpath_pattern_from_page, :in_scope_uris, :head_or_get_params, to: :blog
# @param [ String ] slug The plugin/theme slug
# @param [ Target ] blog The targeted blog
@@ -23,7 +22,7 @@ module WPScan
# @option opts [ Hash ] :version_detection The options to use when looking for the version
# @option opts [ String ] :url The URL of the item
def initialize(slug, blog, opts = {})
@slug = Addressable::URI.unencode(slug)
@slug = URI.decode(slug)
@blog = blog
@uri = Addressable::URI.parse(opts[:url]) if opts[:url]
@@ -39,7 +38,7 @@ module WPScan
@vulnerabilities = []
Array(db_data['vulnerabilities']).each do |json_vuln|
[*db_data['vulnerabilities']].each do |json_vuln|
vulnerability = Vulnerability.load_from_json(json_vuln)
@vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
end
@@ -60,18 +59,18 @@ module WPScan
# @return [ String ]
def latest_version
@latest_version ||= metadata['latest_version'] ? Model::Version.new(metadata['latest_version']) : nil
@latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
end
# Not used anywhere ATM
# @return [ Boolean ]
def popular?
@popular ||= metadata['popular'] ? true : false
@popular ||= db_data['popular']
end
# @return [ String ]
def last_updated
@last_updated ||= metadata['last_updated']
@last_updated ||= db_data['last_updated']
end
# @return [ Boolean ]
@@ -83,6 +82,11 @@ module WPScan
end
end
# URI.encode is preferered over Addressable::URI.encode as it will encode
# leading # character:
# URI.encode('#t#') => %23t%23
# Addressable::URI.encode('#t#') => #t%23
#
# @param [ String ] path Optional path to merge with the uri
#
# @return [ String ]
@@ -90,7 +94,7 @@ module WPScan
return unless @uri
return @uri.to_s unless path
@uri.join(Addressable::URI.encode(path)).to_s
@uri.join(URI.encode(path)).to_s
end
# @return [ Boolean ]
@@ -113,7 +117,7 @@ module WPScan
return @readme_url unless @readme_url.nil?
potential_readme_filenames.each do |path|
READMES.each do |path|
t_url = url(path)
return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200
@@ -122,10 +126,6 @@ module WPScan
@readme_url = false
end
def potential_readme_filenames
@potential_readme_filenames ||= READMES
end
# @param [ String ] path
# @param [ Hash ] params The request params
#
@@ -161,7 +161,7 @@ module WPScan
# @return [ Typhoeus::Response ]
def head_and_get(path, codes = [200], params = {})
final_path = +@path_from_blog
final_path << path unless path.nil?
final_path << URI.encode(path) unless path.nil?
blog.head_and_get(final_path, codes, params)
end

17
app/models/wp_version.rb
View File

@@ -35,16 +35,9 @@ module WPScan
@all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
end
# Retrieve the metadata from the vuln API if available (and a valid token is given),
# or the local metadata db otherwise
# @return [ Hash ]
def metadata
@metadata ||= db_data.empty? ? DB::Version.metadata_at(number) : db_data
end
# @return [ Hash ]
# @return [ JSON ]
def db_data
@db_data ||= DB::VulnApi.wordpress_data(number)
@db_data ||= DB::Version.db_data(number)
end
# @return [ Array<Vulnerability> ]
@@ -53,7 +46,7 @@ module WPScan
@vulnerabilities = []
Array(db_data['vulnerabilities']).each do |json_vuln|
[*db_data['vulnerabilities']].each do |json_vuln|
@vulnerabilities << Vulnerability.load_from_json(json_vuln)
end
@@ -62,12 +55,12 @@ module WPScan
# @return [ String ]
def release_date
@release_date ||= metadata['release_date'] || 'Unknown'
@release_date ||= db_data['release_date'] || 'Unknown'
end
# @return [ String ]
def status
@status ||= metadata['status'] || 'Unknown'
@status ||= db_data['status'] || 'Unknown'
end
end
end

2
app/models/xml_rpc.rb
View File

@@ -8,7 +8,7 @@ module WPScan
# @return [ Hash ]
def references
@references ||= {
{
url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
metasploit: [
'auxiliary/scanner/http/wordpress_ghost_scanner',

20
app/views/cli/core/banner.erb
View File

@@ -1,14 +1,14 @@
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version <%= WPScan::VERSION %>
<%= ' ' * ((63 - WPScan::DB::Sponsor.text.length)/2) + WPScan::DB::Sponsor.text %>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
WordPress Security Scanner by the WPScan Team
Version <%= WPScan::VERSION %>
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

2
app/views/cli/enumeration/config_backups.erb
View File

@@ -5,7 +5,7 @@
<%= notice_icon %> Config Backup(s) Identified:
<% @config_backups.each do |config_backup| -%>
<%= critical_icon %> <%= config_backup %>
<%= info_icon %> <%= config_backup %>
<%= render('@finding', item: config_backup) -%>
<% end -%>
<% end %>

2
app/views/cli/enumeration/db_exports.erb
View File

@@ -5,7 +5,7 @@
<%= notice_icon %> Db Export(s) Identified:
<% @db_exports.each do |db_export| -%>
<%= critical_icon %> <%= db_export %>
<%= info_icon %> <%= db_export %>
<%= render('@finding', item: db_export) -%>
<% end -%>
<% end %>

2
app/views/cli/finding.erb
View File

@@ -1,4 +1,4 @@
| Found By: <%= @item.found_by %>
| Detected By: <%= @item.found_by %>
<% @item.interesting_entries.each do |entry| -%>
| - <%= entry %>
<% end -%>

2
app/views/cli/password_attack/users.erb
View File

@@ -2,7 +2,7 @@
<% if @users.empty? -%>
<%= notice_icon %> No Valid Passwords Found.
<% else -%>
<%= critical_icon %> Valid Combinations Found:
<%= notice_icon %> Valid Combinations Found:
<% @users.each do |user| -%>
| Username: <%= user.username %>, Password: <%= user.password %>
<% end -%>

13
app/views/cli/vuln_api/status.erb
View File

@@ -1,13 +0,0 @@
<% unless @status.empty? -%>
<% if @status['http_error'] -%>
<%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
<% else -%>
<%= info_icon %> WPVulnDB API OK
| Plan: <%= @status['plan'] %>
| Requests Done (during the scan): <%= @api_requests %>
| Requests Remaining: <%= @status['requests_remaining'] %>
<% end -%>
<% else -%>
<%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
<% end -%>

3
app/views/cli/vulnerability.erb
View File

@@ -1,7 +1,4 @@
| <%= critical_icon %> Title: <%= @v.title %>
<% if @v.cvss -%>
| CVSS: <%= @v.cvss[:score] %> (<%= @v.cvss[:vector] %>)
<% end -%>
<% if @v.fixed_in -%>
| Fixed in: <%= @v.fixed_in %>
<% end -%>

4
app/views/json/core/banner.erb
View File

@@ -5,7 +5,7 @@
"@_WPScan_",
"@ethicalhack3r",
"@erwan_lr",
"@firefart"
"@_FireFart_"
],
"sponsor": <%= WPScan::DB::Sponsor.text.to_json %>
"sponsored_by": "Sucuri - https://sucuri.net"
},

13
app/views/json/finding.erb
View File

@@ -11,21 +11,16 @@
}<% unless index == last_index %>,<% end -%>
<% end -%>
<% end -%>
}
<% if @item.respond_to?(:vulnerabilities) -%>
,"vulnerabilities": [
<% unless (vulns = @item.vulnerabilities).empty? -%>
},
"vulnerabilities": [
<% if @item.respond_to?(:vulnerabilities) && !(vulns = @item.vulnerabilities).empty? -%>
<% last_index = vulns.size - 1 -%>
<% vulns.each_with_index do |v, index| -%>
{
"title": <%= v.title.to_json %>,
<% if v.cvss -%>
"cvss": <%= v.cvss.to_json %>,
<% end -%>
"fixed_in": <%= v.fixed_in.to_json %>,
"references": <%= v.references.to_json %>
}<% unless index == last_index -%>,<% end -%>
<% end -%>
<% end -%>
]
<% end -%>
]

13
app/views/json/vuln_api/status.erb
View File

@@ -1,13 +0,0 @@
"vuln_api": {
<% unless @status.empty? -%>
<% if @status['http_error'] -%>
"http_error": <%= @status['http_error'].to_s.to_json %>
<% else -%>
"plan": <%= @status['plan'].to_json %>,
"requests_done_during_scan": <%= @api_requests.to_json %>,
"requests_remaining": <%= @status['requests_remaining'].to_json %>
<% end -%>
<% else -%>
"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
<% end -%>
},

1
bin/wpscan
View File

@@ -5,7 +5,6 @@ require 'wpscan'
WPScan::Scan.new do |s|
s.controllers <<
WPScan::Controller::VulnApi.new <<
WPScan::Controller::CustomDirectories.new <<
WPScan::Controller::InterestingFindings.new <<
WPScan::Controller::WpVersion.new <<

1
bin/wpscan-memprof
View File

@@ -7,7 +7,6 @@ require 'wpscan'
report = MemoryProfiler.report(top: 15) do
WPScan::Scan.new do |s|
s.controllers <<
WPScan::Controller::VulnApi.new <<
WPScan::Controller::CustomDirectories.new <<
WPScan::Controller::InterestingFindings.new <<
WPScan::Controller::WpVersion.new <<

1
bin/wpscan-stackprof
View File

@@ -12,7 +12,6 @@ StackProf.run(mode: :cpu, out: '/tmp/stackprof-cpu.dump', interval: 500) do
# require_relative 'wpscan' doesn't work
WPScan::Scan.new do |s|
s.controllers <<
WPScan::Controller::VulnApi.new <<
WPScan::Controller::CustomDirectories.new <<
WPScan::Controller::InterestingFindings.new <<
WPScan::Controller::WpVersion.new <<

19
lib/wpscan.rb
View File

@@ -13,8 +13,7 @@ require 'uri'
require 'time'
require 'readline'
require 'securerandom'
# Monkey Patches/Fixes/Override
require 'wpscan/typhoeus/response' # Adds a from_vuln_api? method
# Custom Libs
require 'wpscan/helper'
require 'wpscan/db'
@@ -39,28 +38,12 @@ module WPScan
APP_DIR = Pathname.new(__FILE__).dirname.join('..', 'app').expand_path
DB_DIR = Pathname.new(Dir.home).join('.wpscan', 'db')
Typhoeus.on_complete do |response|
next if response.cached? || !response.from_vuln_api?
self.api_requests += 1
end
# Override, otherwise it would be returned as 'wp_scan'
#
# @return [ String ]
def self.app_name
'wpscan'
end
# @return [ Integer ]
def self.api_requests
@@api_requests ||= 0
end
# @param [ Integer ] value
def self.api_requests=(value)
@@api_requests = value
end
end
require "#{WPScan::APP_DIR}/app"

2
lib/wpscan/browser.rb
View File

@@ -7,7 +7,7 @@ module WPScan
# @return [ String ]
def default_user_agent
@default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
"WPScan v#{VERSION} (https://wpscan.org/)"
end
end
end

3
lib/wpscan/db.rb
View File

@@ -7,12 +7,9 @@ require_relative 'db/plugins'
require_relative 'db/themes'
require_relative 'db/plugin'
require_relative 'db/theme'
require_relative 'db/sponsor'
require_relative 'db/wp_version'
require_relative 'db/fingerprints'
require_relative 'db/vuln_api'
require_relative 'db/dynamic_finders/base'
require_relative 'db/dynamic_finders/plugin'
require_relative 'db/dynamic_finders/theme'

Some files were not shown because too many files have changed in this diff Show More