307 lines
9.4 KiB
Ruby
307 lines
9.4 KiB
Ruby
# encoding: UTF-8
|
|
#--
|
|
# WPScan - WordPress Security Scanner
|
|
# Copyright (C) 2012-2013
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#++
|
|
|
|
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
|
|
|
|
describe WpVersion do
|
|
|
|
before :all do
|
|
@target_uri = URI.parse('http://example.localhost/')
|
|
@browser = Browser.instance(config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json')
|
|
end
|
|
|
|
describe '#find_from_meta_generator' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/meta-generator' }
|
|
|
|
after :each do
|
|
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
|
|
WpVersion.find_from_meta_generator(base_uri: @target_uri.to_s).should === @expected
|
|
end
|
|
|
|
it 'should return nil if the meta-generator is not found' do
|
|
@fixture = fixtures_dir + '/no-meta-generator.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return 3.3.2' do
|
|
@fixture = fixtures_dir + '/3.3.2.htm'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it 'should return 3.4-beta4' do
|
|
@fixture = fixtures_dir + '/3.4-beta4.htm'
|
|
@expected = '3.4-beta4'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@fixture = fixtures_dir + '/invalid_version.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return 3.5' do
|
|
@fixture = fixtures_dir + '/3.5_minified.htm'
|
|
@expected = '3.5'
|
|
end
|
|
end
|
|
|
|
describe '#find_from_rss_generator' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/rss-generator' }
|
|
|
|
after :each do
|
|
@status_code ||= 200
|
|
stub_request_to_fixture(url: @target_uri.merge('feed/').to_s, status: @status_code, fixture: @fixture)
|
|
WpVersion.find_from_rss_generator(base_uri: @target_uri).should === @expected
|
|
end
|
|
|
|
it 'should return nil on a 404' do
|
|
@status_code = 404
|
|
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the rss-generator is not found' do
|
|
@fixture = fixtures_dir + '/no-rss-generator.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the version is not found (but the rss-generator is present)' do
|
|
@fixture = fixtures_dir + '/no-version.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'shuld return 3.3.2' do
|
|
@fixture = fixtures_dir + '/3.3.2.htm'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it 'should return 3.4-beta4' do
|
|
@fixture = fixtures_dir + '/3.4-beta4.htm'
|
|
@expected = '3.4-beta4'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@fixture = fixtures_dir + '/invalid_version.htm'
|
|
@expected = nil
|
|
end
|
|
end
|
|
|
|
describe '#find_from_rdf_generator' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/rdf-generator' }
|
|
|
|
after :each do
|
|
@status_code ||= 200
|
|
stub_request_to_fixture(url: @target_uri.merge('feed/rdf/').to_s, status: @status_code, fixture: @fixture)
|
|
WpVersion.find_from_rdf_generator(base_uri: @target_uri).should === @expected
|
|
end
|
|
|
|
it 'should return nil on a 404' do
|
|
@status_code = 404
|
|
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the rdf-generator is not found' do
|
|
@fixture = fixtures_dir + '/no-rdf-generator.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the version is not found (but the rdf-generator is present)' do
|
|
@fixture = fixtures_dir + '/no-version.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'shuld return 3.3.2' do
|
|
@fixture = fixtures_dir + '/3.3.2.htm'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it 'should return 3.4-beta4' do
|
|
@fixture = fixtures_dir + '/3.4-beta4.htm'
|
|
@expected = '3.4-beta4'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@fixture = fixtures_dir + '/invalid_version.htm'
|
|
@expected = nil
|
|
end
|
|
end
|
|
|
|
describe '#find_from_atom_generator' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/atom-generator' }
|
|
|
|
after :each do
|
|
@status_code ||= 200
|
|
stub_request_to_fixture(url: @target_uri.merge('feed/atom/').to_s, status: @status_code, fixture: @fixture)
|
|
WpVersion.find_from_atom_generator(base_uri: @target_uri).should === @expected
|
|
end
|
|
|
|
it 'should return nil on a 404' do
|
|
@status_code = 404
|
|
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the atom-generator is not found' do
|
|
@fixture = fixtures_dir + '/no-atom-generator.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the version is not found (but the atom-generator is present)' do
|
|
@fixture = fixtures_dir + '/no-version.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'shuld return 3.3.2' do
|
|
@fixture = fixtures_dir + '/3.3.2.htm'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it 'should return 3.4-beta4' do
|
|
@fixture = fixtures_dir + '/3.4-beta4.htm'
|
|
@expected = '3.4-beta4'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@fixture = fixtures_dir + '/invalid_version.htm'
|
|
@expected = nil
|
|
end
|
|
end
|
|
|
|
describe '#find_from_sitemap_generator' do
|
|
after :each do
|
|
stub_request(:get, @target_uri.merge('sitemap.xml').to_s).
|
|
to_return(status: 200, body: @body)
|
|
|
|
WpVersion.find_from_sitemap_generator(base_uri: @target_uri).should === @expected
|
|
end
|
|
|
|
it 'should return nil if the generator is not found' do
|
|
@body = ''
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return the version : 3.3.2' do
|
|
@body = '<!-- generator="wordpress/3.3.2" -->'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@body = '<!-- generator="wordpress/5065" -->'
|
|
@expected = nil
|
|
end
|
|
end
|
|
|
|
describe '#find_from_readme' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/readme' }
|
|
|
|
after :each do
|
|
@status_code ||= 200
|
|
stub_request_to_fixture(url: @target_uri.merge('readme.html').to_s, status: @status_code, fixture: @fixture)
|
|
|
|
WpVersion.find_from_readme(base_uri: @target_uri).should === @expected
|
|
end
|
|
|
|
it 'should return nil on a 404' do
|
|
@status_code = 404
|
|
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return nil if the version number is not present' do
|
|
@fixture = fixtures_dir + '/empty-version.html'
|
|
@expected = nil
|
|
end
|
|
|
|
it 'should return 3.3.2' do
|
|
@fixture = fixtures_dir + '/readme-3.3.2.html'
|
|
@expected = '3.3.2'
|
|
end
|
|
|
|
it "should return nil if it's not a valid version, must contains at least one '.'" do
|
|
@fixture = fixtures_dir + '/invalid_version.html'
|
|
@expected = nil
|
|
end
|
|
end
|
|
|
|
describe '#find_from_advanced_fingerprinting' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/advanced' }
|
|
|
|
it 'should return 3.2.1' do
|
|
stub_request_to_fixture(
|
|
url: @target_uri.merge('wp-admin/js/wp-fullscreen.js').to_s,
|
|
fixture: "#{fixtures_dir}/3.2.1.js"
|
|
)
|
|
version = WpVersion.find_from_advanced_fingerprinting(
|
|
base_uri: @target_uri,
|
|
wp_content_dir: 'wp-content',
|
|
version_xml: "#{fixtures_dir}/wp_versions.xml"
|
|
)
|
|
version.should == '3.2.1'
|
|
end
|
|
end
|
|
|
|
describe '#find_from_links_opml' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/opml' }
|
|
|
|
it 'should return 3.4.2' do
|
|
stub_request_to_fixture(
|
|
url: @target_uri.merge('wp-links-opml.php').to_s,
|
|
fixture: "#{fixtures_dir}/wp-links-opml.xml"
|
|
)
|
|
version = WpVersion.find_from_links_opml(base_uri: @target_uri)
|
|
version.should == '3.4.2'
|
|
end
|
|
|
|
it 'should return nil' do
|
|
stub_request_to_fixture(
|
|
url: @target_uri.merge('wp-links-opml.php').to_s,
|
|
fixture: "#{fixtures_dir}/wp-links-opml-nogenerator.xml"
|
|
)
|
|
version = WpVersion.find_from_links_opml(base_uri: @target_uri)
|
|
version.should be_nil
|
|
end
|
|
end
|
|
|
|
describe '#initialize' do
|
|
it 'should initialize a WpVersion object' do
|
|
v = WpVersion.new(1, {discovery_method: 'method', vulns_file: 'asdf.xml'})
|
|
v.number.should == 1
|
|
v.discovery_method.should == 'method'
|
|
end
|
|
end
|
|
|
|
describe '#find' do
|
|
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/advanced' }
|
|
|
|
it 'should find all versions' do
|
|
# All requests get a HTTP 404
|
|
stub_request(:any, /.*/).to_return(status: 404)
|
|
# Wordpress Version 3.2.1
|
|
stub_request_to_fixture(
|
|
url: @target_uri.merge('wp-admin/js/wp-fullscreen.js').to_s,
|
|
fixture: "#{fixtures_dir}/3.2.1.js"
|
|
)
|
|
version = WpVersion.find(@target_uri, 'wp-content')
|
|
version.number.should == '3.2.1'
|
|
version.discovery_method.should == 'advanced fingerprinting'
|
|
end
|
|
end
|
|
|
|
end
|