cms_scanner 0.0.37.9 → 0.0.37.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/core/cli_options.rb +12 -5
- data/app/controllers/interesting_findings.rb +1 -1
- data/app/finders/interesting_findings.rb +1 -1
- data/app/models/headers.rb +2 -2
- data/cms_scanner.gemspec +13 -9
- data/example/cmsscan.gemspec +3 -2
- data/lib/cms_scanner/browser.rb +1 -1
- data/lib/cms_scanner/browser/options.rb +16 -15
- data/lib/cms_scanner/finders/base_finders.rb +1 -1
- data/lib/cms_scanner/finders/finder.rb +1 -1
- data/lib/cms_scanner/finders/finding.rb +1 -1
- data/lib/cms_scanner/numeric.rb +1 -1
- data/lib/cms_scanner/references.rb +1 -1
- data/lib/cms_scanner/target.rb +1 -1
- data/lib/cms_scanner/target/scope.rb +1 -1
- data/lib/cms_scanner/version.rb +1 -1
- metadata +41 -27
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1916be2912eec9204b9acf8c0cb4d145e7f7dd76
|
4
|
+
data.tar.gz: 4235cf913d353741905ba1ba5e4114d5fa2a7316
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 16f5b5dd3ab709a33330650979255ee639d757a93c7c1b15c9e27b20b16fc7e91b09cef99bd6c4b218fe592b904e32ca549f9cbe4952be5129b3d23e8c9dcb45
|
7
|
+
data.tar.gz: c0825cfe663eb1ae87bfa8fc27eaf9f489cad2400eb64a22fcb2f15cc5bf69b6ae9886c856fba7430b9bd51609c9b3367f2360a0e9b0f8ae15028217c02942a4
|
@@ -8,12 +8,12 @@ module CMSScanner
|
|
8
8
|
[
|
9
9
|
OptURL.new(['-u', '--url URL', 'The URL to scan'], required: true, default_protocol: 'http'),
|
10
10
|
OptBoolean.new(['--ignore-main-redirect', 'Ignore the main redirect if any and scan the target url']),
|
11
|
-
OptBoolean.new(%w
|
11
|
+
OptBoolean.new(%w[-v --verbose]),
|
12
12
|
OptFilePath.new(['-o', '--output FILE', 'Output to FILE'], writable: true, exists: false),
|
13
13
|
OptChoice.new(['-f', '--format FORMAT',
|
14
14
|
'Output results in the format supplied'], choices: formats),
|
15
15
|
OptChoice.new(['--detection-mode MODE'],
|
16
|
-
choices: %w
|
16
|
+
choices: %w[mixed passive aggressive],
|
17
17
|
normalize: :to_sym,
|
18
18
|
default: :mixed),
|
19
19
|
OptArray.new(['--scope DOMAINS',
|
@@ -24,9 +24,7 @@ module CMSScanner
|
|
24
24
|
|
25
25
|
# @return [ Array<OptParseValidator::OptBase> ]
|
26
26
|
def cli_browser_options
|
27
|
-
[
|
28
|
-
OptString.new(['--user-agent VALUE', '--ua']),
|
29
|
-
OptString.new(['--vhost VALUE', 'The virtual host (Host header) to use in requests']),
|
27
|
+
cli_browser_headers_options + [
|
30
28
|
OptBoolean.new(['--random-user-agent', '--rua',
|
31
29
|
'Use a random user-agent for each scan']),
|
32
30
|
OptFilePath.new(['--user-agents-list FILE-PATH',
|
@@ -43,6 +41,15 @@ module CMSScanner
|
|
43
41
|
] + cli_browser_proxy_options + cli_browser_cookies_options + cli_browser_cache_options
|
44
42
|
end
|
45
43
|
|
44
|
+
# @return [ Array<OptParseValidator::OptBase> ]
|
45
|
+
def cli_browser_headers_options
|
46
|
+
[
|
47
|
+
OptString.new(['--user-agent VALUE', '--ua']),
|
48
|
+
OptHeaders.new(['--headers HEADERS', 'Additional headers to append in requests']),
|
49
|
+
OptString.new(['--vhost VALUE', 'The virtual host (Host header) to use in requests'])
|
50
|
+
]
|
51
|
+
end
|
52
|
+
|
46
53
|
# @return [ Array<OptParseValidator::OptBase> ]
|
47
54
|
def cli_browser_proxy_options
|
48
55
|
[
|
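Review bot: The new `cli_browser_headers_options` method and the `--headers` help string `'Additional headers to append in requests'` leave precedence undefined when a supplied header collides with one the dedicated options already set. The browser.rb hunk on this page merges the `--headers` hash on top of `'User-Agent' => user_agent`, so a `User-Agent` entry given via `--headers` silently replaces the value from `--user-agent`/`--random-user-agent`; whether the same holds for `Host` versus `--vhost` is not visible here and should be checked. State the rule in the option text, e.g. `OptHeaders.new(['--headers HEADERS', 'Additional headers to append in requests (a User-Agent given here overrides --user-agent)'])`, and since the HEADERS syntax `OptHeaders` accepts is not shown anywhere on this page, a short format hint in the same string would help users as well.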
@@ -13,7 +13,7 @@ module CMSScanner
|
|
13
13
|
|
14
14
|
# @param [ CMSScanner::Target ] target
|
15
15
|
def initialize(target)
|
16
|
-
%w
|
16
|
+
%w[Headers RobotsTxt FantasticoFileslist SearchReplaceDB2 XMLRPC].each do |f|
|
17
17
|
finders << NS::Finders::InterestingFindings.const_get(f).new(target)
|
18
18
|
end
|
19
19
|
end
|
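--- a/data/app/models/headers.rb
+++ b/data/app/models/headers.rb
@@ -22,13 +22,13 @@ module CMSScanner
 
     # @return [ Array<String> ] Downcased known headers
     def known_headers
-      %w
+      %w[
         age accept-ranges cache-control content-encoding content-length content-type connection date
         etag expires keep-alive location last-modified link pragma set-cookie strict-transport-security
         transfer-encoding vary x-cache x-content-security-policy x-content-type-options
         x-frame-options x-language x-permitted-cross-domain-policies x-pingback x-varnish
         x-webkit-csp x-xss-protection
-
+      ]
     end
 
     def eql?(other)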
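Review bot: `known_headers` lists the legacy `x-content-security-policy` and `x-webkit-csp` names but not the standardised `content-security-policy` (nor `content-security-policy-report-only`), so if this list decides which response headers are treated as known versus reported, a site sending the standard CSP header is handled differently from one sending the prefixed variants. How the list is consumed is not visible in this hunk, so confirm against the caller before adding `content-security-policy content-security-policy-report-only` to the `%w[...]` block. The YARD line `# @return [ Array<String> ] Downcased known headers` would also benefit from saying what "known" means for the scanner (e.g. headers that are not reported as interesting), once that is confirmed.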
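--- a/data/cms_scanner.gemspec
+++ b/data/cms_scanner.gemspec
@@ -32,20 +32,24 @@ Gem::Specification.new do |s|
   s.executables = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
   s.require_path = 'lib'
 
-  s.add_dependency 'typhoeus', '~> 1.
-  s.add_dependency 'nokogiri', '~> 1.
+  s.add_dependency 'typhoeus', '~> 1.3.0'
+  s.add_dependency 'nokogiri', '~> 1.8.0'
   s.add_dependency 'yajl-ruby', '~> 1.3.0' # Better JSON parser regarding memory usage
-  s.add_dependency '
-  s.add_dependency 'activesupport', '~> 5.0.1'
-  s.add_dependency 'public_suffix', '~> 2.0.3'
+  s.add_dependency 'public_suffix', '~> 3.0.0'
   s.add_dependency 'ruby-progressbar', '~> 1.8.1'
-  s.add_dependency 'opt_parse_validator', '~> 0.0.13.
+  s.add_dependency 'opt_parse_validator', '~> 0.0.13.7'
+
+  # Already required by opt_parse_validator
+  # so version restriction loosen to avoid potential future conflicts
+  s.add_dependency 'addressable', '~> 2.5'
+  s.add_dependency 'activesupport', '~> 5.0'
 
   s.add_development_dependency 'rake', '~> 12.0'
-  s.add_development_dependency 'rspec', '~> 3.
+  s.add_development_dependency 'rspec', '~> 3.6.0'
   s.add_development_dependency 'rspec-its', '~> 1.2.0'
   s.add_development_dependency 'bundler', '~> 1.6'
-  s.add_development_dependency 'rubocop', '~> 0.
+  s.add_development_dependency 'rubocop', '~> 0.50.0'
   s.add_development_dependency 'webmock', '~> 1.22.0'
-  s.add_development_dependency 'simplecov', '~> 0.
+  s.add_development_dependency 'simplecov', '~> 0.14.0' # Can't update to 0.15 as it breaks coveralls dep
+  s.add_development_dependency 'coveralls', '~> 0.8.0'
 end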
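--- a/data/example/cmsscan.gemspec
+++ b/data/example/cmsscan.gemspec
@@ -1,4 +1,5 @@
 # coding: utf-8
+
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
@@ -33,9 +34,9 @@ Gem::Specification.new do |s|
   s.executables = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
   s.require_path = 'lib'
 
-  s.add_dependency 'yajl-ruby', '~> 1.3
+  s.add_dependency 'yajl-ruby', '~> 1.3' # Better JSON parser regarding memory usage
   s.add_dependency 'cms_scanner', '~> 0.0.37.5'
-  s.add_dependency 'activesupport', '~> 5.0
+  s.add_dependency 'activesupport', '~> 5.0'
   # DB dependencies
   s.add_dependency 'dm-core', '~> 1.2.0'
   s.add_dependency 'dm-migrations', '~> 1.2.0'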
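--- a/data/lib/cms_scanner/browser.rb
+++ b/data/lib/cms_scanner/browser.rb
@@ -48,7 +48,7 @@ module CMSScanner
       params = {
         # Disable SSL-Certificate checks, see http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
         ssl_verifypeer: false, ssl_verifyhost: 0,
-        headers: { 'User-Agent' => user_agent },
+        headers: { 'User-Agent' => user_agent }.merge(headers || {}),
         accept_encoding: 'gzip, deflate',
         method: :get
       }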
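Review bot: `{ 'User-Agent' => user_agent }.merge(headers || {})` on the added line lets a `User-Agent` entry in the user-supplied `headers` silently replace the value chosen through the `user_agent` / random-user-agent options, and because `Hash#merge` compares keys exactly, a differently cased key such as `user-agent` is kept as a second entry instead of replacing the first, so both would be sent if the HTTP layer passes the hash through verbatim (confirm against Typhoeus). Decide which side should win and make it explicit: keep the current order if `--headers` is meant to override and add `# values from --headers take precedence over the User-Agent derived from the UA options`, or use `headers: (headers || {}).merge('User-Agent' => user_agent),` if the dedicated option should take precedence. A case-insensitive de-duplication of the merged keys would close the duplicate-header gap in either variant. The enclosing method starts and ends outside this hunk.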
@@ -1,21 +1,22 @@
|
|
1
1
|
module CMSScanner
|
2
2
|
# Options available in the Browser
|
3
3
|
class Browser
|
4
|
-
OPTIONS = [
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
4
|
+
OPTIONS = %i[
|
5
|
+
cache_ttl
|
6
|
+
cookie_jar
|
7
|
+
cookie_string
|
8
|
+
connect_timeout
|
9
|
+
headers
|
10
|
+
http_auth
|
11
|
+
max_threads
|
12
|
+
proxy
|
13
|
+
proxy_auth
|
14
|
+
random_user_agent
|
15
|
+
request_timeout
|
16
|
+
throttle
|
17
|
+
user_agent
|
18
|
+
user_agents_list
|
19
|
+
vhost
|
19
20
|
].freeze
|
20
21
|
|
21
22
|
attr_accessor(*OPTIONS)
|
@@ -15,7 +15,7 @@ module CMSScanner
|
|
15
15
|
# @param [ Symbol ] mode :mixed, :passive or :aggressive
|
16
16
|
# @return [ Array<Symbol> ] The symbols to call for the mode
|
17
17
|
def symbols_from_mode(mode)
|
18
|
-
symbols = [
|
18
|
+
symbols = %i[passive aggressive]
|
19
19
|
|
20
20
|
return symbols if mode.nil? || mode == :mixed
|
21
21
|
symbols.include?(mode) ? [*mode] : []
|
@@ -8,7 +8,7 @@ module CMSScanner
|
|
8
8
|
super(base)
|
9
9
|
end
|
10
10
|
|
11
|
-
FINDING_OPTS = [
|
11
|
+
FINDING_OPTS = %i[confidence confirmed_by references found_by interesting_entries].freeze
|
12
12
|
|
13
13
|
attr_accessor(*FINDING_OPTS)
|
14
14
|
|
data/lib/cms_scanner/numeric.rb
CHANGED
@@ -7,7 +7,7 @@ module CMSScanner
|
|
7
7
|
module ClassMethods
|
8
8
|
# @return [ Array<Symbol> ]
|
9
9
|
def references_keys
|
10
|
-
@references_keys ||= [
|
10
|
+
@references_keys ||= %i[cve secunia osvdb exploitdb url metasploit packetstorm securityfocus]
|
11
11
|
end
|
12
12
|
end
|
13
13
|
|
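--- a/data/lib/cms_scanner/target.rb
+++ b/data/lib/cms_scanner/target.rb
@@ -62,7 +62,7 @@ module CMSScanner
     # @yield [ String, Nokogiri::XML::Element ] The url and its associated tag
     #
     # @return [ Array<String> ] The absolute URLs detected in the response's body from the HTML tags
-    def urls_from_page(page = nil, xpath = '//link|//script|//style|//img|//a', attributes = %w
+    def urls_from_page(page = nil, xpath = '//link|//script|//style|//img|//a', attributes = %w[href src])
       page = NS::Browser.get(url(page)) unless page.is_a?(Typhoeus::Response)
       found = []
 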
@@ -22,7 +22,7 @@ module CMSScanner
|
|
22
22
|
# @yield [ String, Nokogiri::XML::Element ] The in scope url and its associated tag
|
23
23
|
#
|
24
24
|
# @return [ Array<String> ] The in scope absolute URLs detected in the response's body
|
25
|
-
def in_scope_urls(res, xpath = '//link|//script|//style|//img|//a', attributes = %w
|
25
|
+
def in_scope_urls(res, xpath = '//link|//script|//style|//img|//a', attributes = %w[href src])
|
26
26
|
found = []
|
27
27
|
|
28
28
|
urls_from_page(res, xpath, attributes) do |url, tag|
|
data/lib/cms_scanner/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cms_scanner
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.37.
|
4
|
+
version: 0.0.37.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- WPScanTeam
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-09-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: typhoeus
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 1.
|
19
|
+
version: 1.3.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 1.
|
26
|
+
version: 1.3.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: nokogiri
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 1.
|
33
|
+
version: 1.8.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 1.
|
40
|
+
version: 1.8.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: yajl-ruby
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -53,75 +53,75 @@ dependencies:
|
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: 1.3.0
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
|
-
name:
|
56
|
+
name: public_suffix
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
59
|
- - "~>"
|
60
60
|
- !ruby/object:Gem::Version
|
61
|
-
version:
|
61
|
+
version: 3.0.0
|
62
62
|
type: :runtime
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
66
|
- - "~>"
|
67
67
|
- !ruby/object:Gem::Version
|
68
|
-
version:
|
68
|
+
version: 3.0.0
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
|
-
name:
|
70
|
+
name: ruby-progressbar
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
73
|
- - "~>"
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version:
|
75
|
+
version: 1.8.1
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version:
|
82
|
+
version: 1.8.1
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
|
-
name:
|
84
|
+
name: opt_parse_validator
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
86
86
|
requirements:
|
87
87
|
- - "~>"
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version:
|
89
|
+
version: 0.0.13.7
|
90
90
|
type: :runtime
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - "~>"
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version:
|
96
|
+
version: 0.0.13.7
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
|
-
name:
|
98
|
+
name: addressable
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
100
100
|
requirements:
|
101
101
|
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
|
-
version:
|
103
|
+
version: '2.5'
|
104
104
|
type: :runtime
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
108
|
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
|
-
version:
|
110
|
+
version: '2.5'
|
111
111
|
- !ruby/object:Gem::Dependency
|
112
|
-
name:
|
112
|
+
name: activesupport
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
115
|
- - "~>"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version:
|
117
|
+
version: '5.0'
|
118
118
|
type: :runtime
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - "~>"
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version:
|
124
|
+
version: '5.0'
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: rake
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
@@ -142,14 +142,14 @@ dependencies:
|
|
142
142
|
requirements:
|
143
143
|
- - "~>"
|
144
144
|
- !ruby/object:Gem::Version
|
145
|
-
version: 3.
|
145
|
+
version: 3.6.0
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
150
|
- - "~>"
|
151
151
|
- !ruby/object:Gem::Version
|
152
|
-
version: 3.
|
152
|
+
version: 3.6.0
|
153
153
|
- !ruby/object:Gem::Dependency
|
154
154
|
name: rspec-its
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
@@ -184,14 +184,14 @@ dependencies:
|
|
184
184
|
requirements:
|
185
185
|
- - "~>"
|
186
186
|
- !ruby/object:Gem::Version
|
187
|
-
version: 0.
|
187
|
+
version: 0.50.0
|
188
188
|
type: :development
|
189
189
|
prerelease: false
|
190
190
|
version_requirements: !ruby/object:Gem::Requirement
|
191
191
|
requirements:
|
192
192
|
- - "~>"
|
193
193
|
- !ruby/object:Gem::Version
|
194
|
-
version: 0.
|
194
|
+
version: 0.50.0
|
195
195
|
- !ruby/object:Gem::Dependency
|
196
196
|
name: webmock
|
197
197
|
requirement: !ruby/object:Gem::Requirement
|
@@ -212,14 +212,28 @@ dependencies:
|
|
212
212
|
requirements:
|
213
213
|
- - "~>"
|
214
214
|
- !ruby/object:Gem::Version
|
215
|
-
version: 0.
|
215
|
+
version: 0.14.0
|
216
|
+
type: :development
|
217
|
+
prerelease: false
|
218
|
+
version_requirements: !ruby/object:Gem::Requirement
|
219
|
+
requirements:
|
220
|
+
- - "~>"
|
221
|
+
- !ruby/object:Gem::Version
|
222
|
+
version: 0.14.0
|
223
|
+
- !ruby/object:Gem::Dependency
|
224
|
+
name: coveralls
|
225
|
+
requirement: !ruby/object:Gem::Requirement
|
226
|
+
requirements:
|
227
|
+
- - "~>"
|
228
|
+
- !ruby/object:Gem::Version
|
229
|
+
version: 0.8.0
|
216
230
|
type: :development
|
217
231
|
prerelease: false
|
218
232
|
version_requirements: !ruby/object:Gem::Requirement
|
219
233
|
requirements:
|
220
234
|
- - "~>"
|
221
235
|
- !ruby/object:Gem::Version
|
222
|
-
version: 0.
|
236
|
+
version: 0.8.0
|
223
237
|
description: Framework to provide an easy way to implement CMS Scanners
|
224
238
|
email:
|
225
239
|
- team@wpscan.org
|