# File lib/wpscan/wp_target.rb, line 36
# Builds a target from a user-supplied URL (scheme and trailing slash are
# normalised by add_http_protocol / add_trailing_slash) and configures the
# shared Browser singleton from the options hash.
#
# @param target_url [String] the WordPress site to scan
# @param options [Hash] :verbose, :wp_content_dir, :wp_plugins_dir and
#   :threads (passed on to Browser as :max_threads); everything else is
#   handed to Browser.instance untouched
def initialize(target_url, options = {})
  normalised = add_trailing_slash(add_http_protocol(target_url))
  @uri = URI.parse(normalised)
  @verbose, @wp_content_dir, @wp_plugins_dir =
    options.values_at(:verbose, :wp_content_dir, :wp_plugins_dir)
  @multisite = nil # resolved lazily by is_multisite?
  browser_options = options.merge(:max_threads => options[:threads])
  Browser.instance(browser_options)
end
Valid HTTP return codes
# File lib/wpscan/wp_target.rb, line 77
# HTTP status codes treated as "something answered at that path" when
# probing for files; 404 is not in the list.
#
# @return [Array<Integer>]
def self.valid_response_codes
  [
    200, # OK
    301, # moved permanently
    302, # found (redirect)
    401, # unauthorized: resource exists, needs credentials
    403, # forbidden: resource exists, access denied
    500  # internal server error
  ]
end
# File lib/wpscan/wp_target.rb, line 124
# URL of WordPress' WP_DEBUG log, which lives under the wp-content directory.
#
# @return [String] absolute URL of debug.log
def debug_log_url
  relative = [wp_content_dir, "debug.log"].join("/")
  @uri.merge(relative).to_s
end
Return the MD5 hash of a 404 page
# File lib/wpscan/wp_target.rb, line 64
# MD5 of the body the site returns for a page that does not exist, so that
# later probes can tell a real hit from a soft 404. Computed once per target.
#
# @return [String] hex MD5 digest of the 404 body
def error_404_hash
  @error_404_hash ||= begin
    # a random, unguessable filename so the request cannot hit a real page
    random_name = Digest::MD5.hexdigest(rand(9999999999).to_s) + ".html"
    body = Browser.instance.get(@uri.merge(random_name).to_s).body
    Digest::MD5.hexdigest(body)
  end
end
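# File lib/wpscan/wp_target.rb, line 118
# Whether the target exposes a readable WP_DEBUG log under wp-content.
# A world-readable debug.log is a finding in itself (it carries server paths
# and error details), independent of which messages it contains.
#
# @return [Boolean] true when the start of debug.log looks like a PHP error log
def has_debug_log?
  # Fetch only the first 700 bytes (Range is inclusive, hence 0-699) so a
  # multi-gigabyte log is never downloaded in full.
  response_body = Browser.instance.get(debug_log_url, :headers => {"range" => "bytes=0-699"}).body
  # A debug.log entry looks like "[12-Jan-2013 10:00:00 UTC] PHP Notice: ...".
  # Fatal/Parse/Deprecated entries were previously not recognised, so a log
  # holding only those was reported as absent.
  log_line = %r{\[[^\]]+\] PHP (?:Warning|Error|Notice|Fatal error|Parse error|Deprecated):}
  !!(response_body =~ log_line)
end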
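# File lib/wpscan/wp_target.rb, line 163
# Whether the target is a WordPress multisite (network) install, decided by
# probing wp-signup.php: a single site redirects it to the wp-login.php
# register action, a network either serves it (200) or redirects to itself.
# The answer is memoised, including a negative one, so the probe runs once.
#
# @return [Boolean]
def is_multisite?
  # `unless @multisite` re-ran the request on every call once the answer was
  # false; testing for nil caches a negative result as well.
  if @multisite.nil?
    resp = Browser.instance.get(@uri.merge("wp-signup.php"))
    location = resp.headers_hash["location"]
    @multisite =
      if resp.code == 302
        if location =~ %r{wp-login\.php\?action=register}
          false # bounced to the single-site registration page
        else
          (location =~ %r{wp-signup\.php}) ? true : false # redirect to itself
        end
      else
        resp.code == 200
      end
  end
  @multisite
end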
# File lib/wpscan/wp_target.rb, line 51
# URL of the login form, following one redirect if the site issues it
# (for example to an https:// address).
#
# @return [String]
def login_url
  default = @uri.merge("wp-login.php").to_s
  # redirection(url) is expected to yield the redirect target or nil
  redirection(default) || default
end
Checks wp-login.php to see whether user registration is enabled.
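# File lib/wpscan/wp_target.rb, line 141
# Whether visitors can register an account. Open registration widens the
# attack surface (subscriber-level access to admin pages), so this is worth
# reporting to the site owner.
#
# A single site with registration off redirects to
# wp-login.php?registration=disabled; with it on it serves the registerform;
# a network serves the wp-signup.php setupform.
#
# @return [Boolean]
def registration_enabled?
  resp = Browser.instance.get(registration_url)
  disabled_redirect = %r{wp-login\.php\?registration=disabled}
  multisite_form    = %r{<form id="setupform" method="post" action="[^"]*wp-signup\.php[^"]*">}
  single_site_form  = %r{<form name="registerform" id="registerform" action="[^"]*wp-login\.php[^"]*"}

  # `&&` rather than `and`: same result here, but `and` binds looser than
  # assignment and silently breaks when the condition is later refactored.
  if resp.code == 302 && resp.headers_hash["location"] =~ disabled_redirect
    false
  elsif resp.code == 200 && (resp.body =~ multisite_form || resp.body =~ single_site_form)
    true
  else
    false
  end
end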
# File lib/wpscan/wp_target.rb, line 159
# Registration page: wp-signup.php on a network, the wp-login.php register
# action on a single site.
#
# @return [URI] (note: a URI, unlike login_url which returns a String)
def registration_url
  path = is_multisite? ? "wp-signup.php" : "wp-login.php?action=register"
  @uri.merge(path)
end
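# File lib/wpscan/wp_target.rb, line 135
# Whether the interconnect/it "Search Replace DB" maintenance script is
# reachable on the target. It should never be left on a live site.
#
# @return [Boolean] true on a 200 whose body carries the vendor string
def search_replace_db_2_exists?
  resp = Browser.instance.get(search_replace_db_2_url)
  # `!!` so a predicate returns true/false rather than the matched substring
  resp.code == 200 && !!resp.body[%r{by interconnect}]
end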
Script for replacing strings in WordPress databases; it reveals database credentials after hitting submit. See interconnectit.com/124/search-and-replace-for-wordpress-databases/
# File lib/wpscan/wp_target.rb, line 131
# Where the Search Replace DB script would sit if it was left on the server.
#
# @return [String] absolute URL of searchreplacedb2.php
def search_replace_db_2_url
  script = "searchreplacedb2.php"
  @uri.merge(script).to_s
end
Returns a WpTheme.
# File lib/wpscan/wp_target.rb, line 82
# The active theme, as detected by WpTheme against this target.
#
# @return [WpTheme] whatever WpTheme.find returns for @uri
def theme
  target = @uri
  WpTheme.find(target)
end
Alias of @uri.to_s
# File lib/wpscan/wp_target.rb, line 47
# The normalised target URL as a String.
#
# @return [String]
def url
  String(@uri)
end
Returns a WpVersion.
# File lib/wpscan/wp_target.rb, line 87
# The WordPress version, as detected by WpVersion against this target.
#
# @return [WpVersion] whatever WpVersion.find returns
def version
  content_dir = wp_content_dir
  WpVersion.find(@uri, content_dir)
end
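# File lib/wpscan/wp_target.rb, line 91
# The wp-content directory relative to the target URI: either the value
# given in the options, or inferred from theme/plugin asset links on the
# index page. Memoised after the first lookup.
#
# @return [String, nil] e.g. "wp-content"; nil when it cannot be inferred
def wp_content_dir
  unless @wp_content_dir
    index_body = Browser.instance.get(@uri.to_s).body
    # Match on the path only: the host part may be a name or an IP
    uri_path = @uri.path

    if index_body[%r{/wp-content/(?:themes|plugins)/}]
      @wp_content_dir = "wp-content"
    else
      # Single quotes keep the backslashes. In the original double-quoted
      # string "\." collapsed to "." (match any character), so the exclusion
      # was looser than intended.
      domains_excluded = '(?:www\.)?(facebook|twitter)\.com'
      # first path segment after the site path that is followed by
      # /themes/ or /plugins/, skipping links to the excluded domains
      custom_dir = %r{(?:href|src)\s*=\s*(?:"|').+#{Regexp.escape(uri_path)}((?!#{domains_excluded})[^"']+)/(?:themes|plugins)/.*(?:"|')}
      @wp_content_dir = index_body[custom_dir, 1]
    end
  end
  @wp_content_dir
end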
# File lib/wpscan/wp_target.rb, line 107
# The plugins directory relative to the target URI: the value from the
# options if given, otherwise "<wp_content_dir>/plugins". Memoised.
#
# @return [String]
def wp_plugins_dir
  @wp_plugins_dir ||= "#{wp_content_dir}/plugins"
end
# File lib/wpscan/wp_target.rb, line 114
# Whether the plugins directory answers with anything other than 404
# (a 403 from directory-listing protection still counts as existing).
#
# @return [Boolean]
def wp_plugins_dir_exists?
  response = Browser.instance.get(@uri.merge(wp_plugins_dir))
  !(response.code == 404)
end