cms_scanner 0.12.1 → 0.13.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/core.rb +1 -1
- data/app/controllers/core/cli_options.rb +2 -1
- data/app/views/json/scan_aborted.erb +1 -0
- data/lib/cms_scanner/cache/file_store.rb +1 -1
- data/lib/cms_scanner/errors/http.rb +1 -1
- data/lib/cms_scanner/finders/finder.rb +3 -1
- data/lib/cms_scanner/finders/finder/enumerator.rb +2 -0
- data/lib/cms_scanner/numeric.rb +1 -1
- data/lib/cms_scanner/references.rb +1 -1
- data/lib/cms_scanner/scan.rb +9 -5
- data/lib/cms_scanner/target.rb +5 -5
- data/lib/cms_scanner/target/scope.rb +1 -1
- data/lib/cms_scanner/target/server/generic.rb +1 -1
- data/lib/cms_scanner/version.rb +1 -1
- data/lib/cms_scanner/vulnerability.rb +8 -6
- data/lib/cms_scanner/web_site.rb +1 -1
- metadata +27 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 89d37ba77ff1070c9addc53d0ecabaf1252e3cf2bf88a91b3af80f91342adbf3
|
|
4
|
+
data.tar.gz: 8f3b10edf7482677f61b50725fb8567149fec6d2df40ad47f45a98f8452cd774
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: acd1f06bbc57f14b3c82de562f424892e9af6b1eda64e7dcdbc9a8ade93cd87ed5bab4f449cedf0653dab7df3ba9e9f3cdb84e2847da9a68f958cd8d7e0531a1
|
|
7
|
+
data.tar.gz: 1d0f21bd6935c6fa2e4302db95a70932b7a472ec68dceb42b7cd44ed2a999b893313e924b7b8bd5396eac2ce2739f3d5ef675b2d5a3c408e4bd12666904a99cf
|
data/app/controllers/core.rb
CHANGED
|
@@ -43,7 +43,7 @@ module CMSScanner
|
|
|
43
43
|
when 401
|
|
44
44
|
raise Error::HTTPAuthRequired
|
|
45
45
|
when 403
|
|
46
|
-
raise Error::AccessForbidden, NS::ParsedCli.random_user_agent
|
|
46
|
+
raise Error::AccessForbidden, NS::ParsedCli.random_user_agent unless NS::ParsedCli.force
|
|
47
47
|
when 407
|
|
48
48
|
raise Error::ProxyAuthRequired
|
|
49
49
|
end
|
|
@@ -10,7 +10,8 @@ module CMSScanner
|
|
|
10
10
|
[
|
|
11
11
|
OptURL.new(['-u', '--url URL', 'The URL to scan'],
|
|
12
12
|
required_unless: %i[help hh version],
|
|
13
|
-
default_protocol: 'http')
|
|
13
|
+
default_protocol: 'http'),
|
|
14
|
+
OptBoolean.new(['--force', 'Do not check if target returns a 403'])
|
|
14
15
|
] + mixed_cli_options + [
|
|
15
16
|
OptFilePath.new(['-o', '--output FILE', 'Output to FILE'], writable: true, exists: false),
|
|
16
17
|
OptChoice.new(['-f', '--format FORMAT',
|
|
@@ -44,7 +44,7 @@ module CMSScanner
|
|
|
44
44
|
|
|
45
45
|
def to_s
|
|
46
46
|
msg = if random_user_agent_used
|
|
47
|
-
'Well... --random-user-agent didn\'t work,
|
|
47
|
+
'Well... --random-user-agent didn\'t work, use --force to skip this check if needed.'
|
|
48
48
|
else
|
|
49
49
|
'Please re-try with --random-user-agent'
|
|
50
50
|
end
|
|
@@ -57,10 +57,12 @@ module CMSScanner
|
|
|
57
57
|
# @param [String, Class ] klass
|
|
58
58
|
# @return [ String ]
|
|
59
59
|
def found_by(klass = self.class)
|
|
60
|
+
labels = %w[aggressive passive]
|
|
61
|
+
|
|
60
62
|
caller_locations.each do |call|
|
|
61
63
|
label = call.label
|
|
62
64
|
|
|
63
|
-
next unless
|
|
65
|
+
next unless labels.include? label
|
|
64
66
|
|
|
65
67
|
title = klass.to_s.demodulize.gsub(/(\d+)[a-z]+/i, '_\0').titleize(keep_id_suffix: true)
|
|
66
68
|
|
|
@@ -59,6 +59,8 @@ module CMSScanner
|
|
|
59
59
|
|
|
60
60
|
full_res = NS::Browser.get(head_res.effective_url, full_request_params)
|
|
61
61
|
|
|
62
|
+
return unless valid_response_codes.include?(full_res.code)
|
|
63
|
+
|
|
62
64
|
return if target.homepage_or_404?(full_res) ||
|
|
63
65
|
opts[:exclude_content] && full_res.body&.match(opts[:exclude_content])
|
|
64
66
|
|
data/lib/cms_scanner/numeric.rb
CHANGED
|
@@ -86,7 +86,7 @@ module CMSScanner
|
|
|
86
86
|
|
|
87
87
|
# @return [ String ] The URL to the metasploit module page
|
|
88
88
|
def msf_url(mod)
|
|
89
|
-
"https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}"
|
|
89
|
+
"https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}/"
|
|
90
90
|
end
|
|
91
91
|
|
|
92
92
|
# @return [ Array<String> ] The Packetstormsecurity IDs
|
data/lib/cms_scanner/scan.rb
CHANGED
|
@@ -29,11 +29,15 @@ module CMSScanner
|
|
|
29
29
|
rescue NoMemoryError, ScriptError, SecurityError, SignalException, StandardError, SystemStackError => e
|
|
30
30
|
@run_error = e
|
|
31
31
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
32
|
+
output_params = {
|
|
33
|
+
reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
|
|
34
|
+
trace: e.backtrace,
|
|
35
|
+
verbose: NS::ParsedCli.verbose || run_error_exit_code == NS::ExitCode::EXCEPTION
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
output_params[:url] = controllers.first.target.url if NS::ParsedCli.url
|
|
39
|
+
|
|
40
|
+
formatter.output('@scan_aborted', output_params)
|
|
37
41
|
ensure
|
|
38
42
|
formatter.beautify
|
|
39
43
|
end
|
data/lib/cms_scanner/target.rb
CHANGED
|
@@ -105,11 +105,11 @@ module CMSScanner
|
|
|
105
105
|
next unless attr_value && !attr_value.empty?
|
|
106
106
|
|
|
107
107
|
node_uri = begin
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
108
|
+
uri.join(attr_value.strip)
|
|
109
|
+
rescue StandardError
|
|
110
|
+
# Skip potential malformed URLs etc.
|
|
111
|
+
next
|
|
112
|
+
end
|
|
113
113
|
|
|
114
114
|
next unless node_uri.host
|
|
115
115
|
|
|
@@ -60,7 +60,7 @@ module CMSScanner
|
|
|
60
60
|
|
|
61
61
|
domains.map! { |d| Regexp.escape(d.delete_suffix('/')).gsub('\*', '.*').gsub('/', '\\\\\?/') }
|
|
62
62
|
|
|
63
|
-
domains[0].gsub!(Regexp.escape(uri.host), Regexp.escape(uri.host)
|
|
63
|
+
domains[0].gsub!(Regexp.escape(uri.host), "#{Regexp.escape(uri.host)}(?::\\d+)?") if uri.port
|
|
64
64
|
|
|
65
65
|
@scope_url_pattern = %r{https?:\\?/\\?/(?:#{domains.join('|')})\\?/?}i
|
|
66
66
|
end
|
|
@@ -41,7 +41,7 @@ module CMSScanner
|
|
|
41
41
|
def directory_listing?(path = nil, params = {})
|
|
42
42
|
res = NS::Browser.get(url(path), params)
|
|
43
43
|
|
|
44
|
-
res.code == 200 && res.body.include?('<h1>Index of')
|
|
44
|
+
res.code == 200 && res.body.include?('<h1>Index of')
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
# @param [ String ] path
|
data/lib/cms_scanner/version.rb
CHANGED
|
@@ -5,7 +5,7 @@ module CMSScanner
|
|
|
5
5
|
class Vulnerability
|
|
6
6
|
include References
|
|
7
7
|
|
|
8
|
-
attr_reader :title, :type, :fixed_in, :cvss
|
|
8
|
+
attr_reader :title, :type, :fixed_in, :introduced_in, :cvss
|
|
9
9
|
|
|
10
10
|
# @param [ String ] title
|
|
11
11
|
# @param [ Hash ] references
|
|
@@ -18,14 +18,16 @@ module CMSScanner
|
|
|
18
18
|
# @option references [ Array<String> ] :youtube
|
|
19
19
|
# @param [ String ] type
|
|
20
20
|
# @param [ String ] fixed_in
|
|
21
|
+
# @param [ String ] introduced_in
|
|
21
22
|
# @param [ HashSymbol ] cvss
|
|
22
23
|
# @option cvss [ String ] :score
|
|
23
24
|
# @option cvss [ String ] :vector
|
|
24
|
-
def initialize(title, references: {}, type: nil, fixed_in: nil, cvss: nil)
|
|
25
|
-
@title
|
|
26
|
-
@type
|
|
27
|
-
@fixed_in
|
|
28
|
-
@
|
|
25
|
+
def initialize(title, references: {}, type: nil, fixed_in: nil, introduced_in: nil, cvss: nil)
|
|
26
|
+
@title = title
|
|
27
|
+
@type = type
|
|
28
|
+
@fixed_in = fixed_in
|
|
29
|
+
@introduced_in = introduced_in
|
|
30
|
+
@cvss = { score: cvss[:score], vector: cvss[:vector] } if cvss
|
|
29
31
|
|
|
30
32
|
self.references = references
|
|
31
33
|
end
|
data/lib/cms_scanner/web_site.rb
CHANGED
|
@@ -62,7 +62,7 @@ module CMSScanner
|
|
|
62
62
|
|
|
63
63
|
# @return [ String ] The URL of an unlikely existant page
|
|
64
64
|
def error_404_url
|
|
65
|
-
@error_404_url ||= uri.join(Digest::MD5.hexdigest(rand(999_999).to_s)[0..6]
|
|
65
|
+
@error_404_url ||= uri.join("#{Digest::MD5.hexdigest(rand(999_999).to_s)[0..6]}.html").to_s
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
# Checks if the remote website is up.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cms_scanner
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.13.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- WPScanTeam
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-03-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: get_process_mem
|
|
@@ -30,28 +30,28 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 1.
|
|
33
|
+
version: 1.11.0
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 1.
|
|
40
|
+
version: 1.11.0
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: opt_parse_validator
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
45
|
- - "~>"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: 1.9.
|
|
47
|
+
version: 1.9.4
|
|
48
48
|
type: :runtime
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: 1.9.
|
|
54
|
+
version: 1.9.4
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: public_suffix
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -70,16 +70,22 @@ dependencies:
|
|
|
70
70
|
name: ruby-progressbar
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
72
72
|
requirements:
|
|
73
|
-
- - "
|
|
73
|
+
- - ">="
|
|
74
74
|
- !ruby/object:Gem::Version
|
|
75
|
-
version: 1.10
|
|
75
|
+
version: '1.10'
|
|
76
|
+
- - "<"
|
|
77
|
+
- !ruby/object:Gem::Version
|
|
78
|
+
version: '1.12'
|
|
76
79
|
type: :runtime
|
|
77
80
|
prerelease: false
|
|
78
81
|
version_requirements: !ruby/object:Gem::Requirement
|
|
79
82
|
requirements:
|
|
80
|
-
- - "
|
|
83
|
+
- - ">="
|
|
81
84
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: 1.10
|
|
85
|
+
version: '1.10'
|
|
86
|
+
- - "<"
|
|
87
|
+
- !ruby/object:Gem::Version
|
|
88
|
+
version: '1.12'
|
|
83
89
|
- !ruby/object:Gem::Dependency
|
|
84
90
|
name: typhoeus
|
|
85
91
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -176,14 +182,14 @@ dependencies:
|
|
|
176
182
|
requirements:
|
|
177
183
|
- - "~>"
|
|
178
184
|
- !ruby/object:Gem::Version
|
|
179
|
-
version: 3.
|
|
185
|
+
version: 3.10.0
|
|
180
186
|
type: :development
|
|
181
187
|
prerelease: false
|
|
182
188
|
version_requirements: !ruby/object:Gem::Requirement
|
|
183
189
|
requirements:
|
|
184
190
|
- - "~>"
|
|
185
191
|
- !ruby/object:Gem::Version
|
|
186
|
-
version: 3.
|
|
192
|
+
version: 3.10.0
|
|
187
193
|
- !ruby/object:Gem::Dependency
|
|
188
194
|
name: rspec-its
|
|
189
195
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -204,42 +210,42 @@ dependencies:
|
|
|
204
210
|
requirements:
|
|
205
211
|
- - "~>"
|
|
206
212
|
- !ruby/object:Gem::Version
|
|
207
|
-
version:
|
|
213
|
+
version: 1.11.0
|
|
208
214
|
type: :development
|
|
209
215
|
prerelease: false
|
|
210
216
|
version_requirements: !ruby/object:Gem::Requirement
|
|
211
217
|
requirements:
|
|
212
218
|
- - "~>"
|
|
213
219
|
- !ruby/object:Gem::Version
|
|
214
|
-
version:
|
|
220
|
+
version: 1.11.0
|
|
215
221
|
- !ruby/object:Gem::Dependency
|
|
216
222
|
name: rubocop-performance
|
|
217
223
|
requirement: !ruby/object:Gem::Requirement
|
|
218
224
|
requirements:
|
|
219
225
|
- - "~>"
|
|
220
226
|
- !ruby/object:Gem::Version
|
|
221
|
-
version: 1.
|
|
227
|
+
version: 1.10.0
|
|
222
228
|
type: :development
|
|
223
229
|
prerelease: false
|
|
224
230
|
version_requirements: !ruby/object:Gem::Requirement
|
|
225
231
|
requirements:
|
|
226
232
|
- - "~>"
|
|
227
233
|
- !ruby/object:Gem::Version
|
|
228
|
-
version: 1.
|
|
234
|
+
version: 1.10.0
|
|
229
235
|
- !ruby/object:Gem::Dependency
|
|
230
236
|
name: simplecov
|
|
231
237
|
requirement: !ruby/object:Gem::Requirement
|
|
232
238
|
requirements:
|
|
233
239
|
- - "~>"
|
|
234
240
|
- !ruby/object:Gem::Version
|
|
235
|
-
version: 0.
|
|
241
|
+
version: 0.21.0
|
|
236
242
|
type: :development
|
|
237
243
|
prerelease: false
|
|
238
244
|
version_requirements: !ruby/object:Gem::Requirement
|
|
239
245
|
requirements:
|
|
240
246
|
- - "~>"
|
|
241
247
|
- !ruby/object:Gem::Version
|
|
242
|
-
version: 0.
|
|
248
|
+
version: 0.21.0
|
|
243
249
|
- !ruby/object:Gem::Dependency
|
|
244
250
|
name: simplecov-lcov
|
|
245
251
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -260,17 +266,17 @@ dependencies:
|
|
|
260
266
|
requirements:
|
|
261
267
|
- - "~>"
|
|
262
268
|
- !ruby/object:Gem::Version
|
|
263
|
-
version: 3.
|
|
269
|
+
version: 3.12.0
|
|
264
270
|
type: :development
|
|
265
271
|
prerelease: false
|
|
266
272
|
version_requirements: !ruby/object:Gem::Requirement
|
|
267
273
|
requirements:
|
|
268
274
|
- - "~>"
|
|
269
275
|
- !ruby/object:Gem::Version
|
|
270
|
-
version: 3.
|
|
276
|
+
version: 3.12.0
|
|
271
277
|
description: Framework to provide an easy way to implement CMS Scanners
|
|
272
278
|
email:
|
|
273
|
-
-
|
|
279
|
+
- contact@wpscan.com
|
|
274
280
|
executables: []
|
|
275
281
|
extensions: []
|
|
276
282
|
extra_rdoc_files: []
|