dradis-wpscan 3.17.0

data/README.md

@@ -0,0 +1,27 @@
+# WPScan add-on for Dradis
+
+[![Build Status](https://secure.travis-ci.org/dradis/dradis-wpscan.png?branch=master)](http://travis-ci.org/dradis/dradis-wpscan) [![Code Climate](https://codeclimate.com/github/dradis/dradis-wpscan.png)](https://codeclimate.com/github/dradis/dradis-wpscan.png)
+
+Upload [WPScan](https://wpscan.org/) security scanner JSON output into Dradis.
+
+The add-on requires [Dradis CE](https://dradisframework.com/ce/) > 3.0, or [Dradis Pro](https://dradisframework.com/pro/).
+
+
+## More information
+
+See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework/blob/master/README.md)
+
+
+## Contributing
+
+See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
+
+
+## License
+
+Dradis Framework and all its components are released under [GNU General Public License version 2.0](http://www.gnu.org/licenses/old-licenses/gpl-2.0.html) as published by the Free Software Foundation and appearing in the file LICENSE included in the packaging of this file.
+
+
+## Feature requests and bugs
+
+Please use the [Dradis Framework issue tracker](https://github.com/dradis/dradis-ce/issues) for add-on improvements and bug reports.

data/Rakefile

@@ -0,0 +1 @@
+require 'bundler/gem_tasks'

data/dradis-wpscan.gemspec

@@ -0,0 +1,34 @@
+$:.push File.expand_path('../lib', __FILE__)
+require 'dradis/plugins/wpscan/version'
+version = Dradis::Plugins::Wpscan::VERSION::STRING
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |spec|
+  spec.platform    = Gem::Platform::RUBY
+  spec.name        = 'dradis-wpscan'
+  spec.version     = version
+  spec.summary     = 'WPScan add-on for the Dradis Framework.'
+  spec.description = 'This add-on allows you to upload and parse output produced from the WPScan WordPress security scanner into Dradis.'
+
+  spec.license     = 'GPL-2'
+
+  spec.authors     = ['Christian Mehlmauer', 'Daniel Martin', 'Erwan', 'Ryan Dewhurst']
+  spec.email       = ['etd@nomejortu.com']
+  spec.homepage    = 'http://dradisframework.org'
+
+  spec.files       = `git ls-files`.split($\)
+  spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  spec.test_files  = spec.files.grep(%r{^(test|spec|features)/})
+
+  # By not including Rails as a dependency, we can use the gem with different
+  # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
+  # until we bump Dradis Pro to 4.1.
+  # s.add_dependency 'rails', '~> 4.1.1'
+  spec.add_dependency 'dradis-plugins', '~> 3.6'
+  spec.add_dependency 'multi_json'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '~> 12.3.3'
+  spec.add_development_dependency 'rspec-rails'
+  spec.add_development_dependency 'combustion', '~> 0.5.2'
+end

data/lib/dradis-wpscan.rb

@@ -0,0 +1,7 @@
+# Hook to the framework base clases
+require 'dradis-plugins'
+
+# Load this add-on's engine
+require 'dradis/plugins/wpscan'
+
+require 'multi_json'

data/lib/dradis/plugins/wpscan.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module Wpscan
+    end
+  end
+end
+
+require 'dradis/plugins/wpscan/engine'
+require 'dradis/plugins/wpscan/field_processor'
+require 'dradis/plugins/wpscan/importer'
+require 'dradis/plugins/wpscan/version'

data/lib/dradis/plugins/wpscan/engine.rb

@@ -0,0 +1,13 @@
+module Dradis
+  module Plugins
+    module Wpscan
+      class Engine < ::Rails::Engine
+        isolate_namespace Dradis::Plugins::Wpscan
+
+        include ::Dradis::Plugins::Base
+        description 'Processes WPScan JSON output'
+        provides :upload
+      end
+    end
+  end
+end

data/lib/dradis/plugins/wpscan/field_processor.rb

@@ -0,0 +1,21 @@
+module Dradis
+  module Plugins
+    module Wpscan
+      class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+        # No need to implement anything here
+        # def post_initialize(args={})
+        # end
+
+        def value(args={})
+          field = args[:field]
+
+          # fields in the template are of the form <foo>.<field>, where <foo>
+          # is common across all fields for a given template (and meaningless).
+          type, name, attribute = field.split('.')
+
+          @data.key?(name) ? @data[name] : 'n/a'
+        end
+      end
+    end
+  end
+end

data/lib/dradis/plugins/wpscan/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Wpscan
+      # Returns the version of the currently loaded Dradis as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 17
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/wpscan/importer.rb

@@ -0,0 +1,193 @@
+module Dradis::Plugins::Wpscan
+  class Importer < Dradis::Plugins::Upload::Importer
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+
+      file_content = File.read( params[:file] )
+
+      # Parse the uploaded file into a Ruby Hash
+      logger.info { "Parsing WPScan output from #{ params[:file] }..." }
+      data = MultiJson.decode(file_content)
+      logger.info { 'Done.' }
+
+      # Do a sanity check to confirm the user uploaded the right file
+      # format.
+      if data['target_url'].nil?
+        error = "ERROR: No 'target_url' field present in the provided " \
+                "JSON data. Are you sure you uploaded a WPScan JSON output file?"
+        logger.fatal { error }
+        content_service.create_note text: error
+        return false
+      end
+
+      # Initial data normalisation
+      data = parse_json( data )
+
+      # Create a node based on the target_url
+      node = create_node( data )
+
+      # Parse vulnerability data and make more human readable.
+      # NOTE: You need an API token for the WPVulnDB vulnerability data.
+      parse_known_vulnerabilities( data, node )
+
+
+      # Add bespoke/config vulnerabilities to Dradis
+      #
+      # TODO: Can we add severity to issues?
+      #
+      # Note: No API key needed.
+      parse_config_vulnerabilities( data, node )
+    end
+
+    def parse_json( data )
+      # Parse scan info data and make more human readable.
+      data['wpscan_version']    = data.dig('banner', 'version')
+      data['start_time']        = DateTime.strptime(data['start_time'].to_s,'%s')
+      data['elapsed']           = "#{data["elapsed"]} seconds"
+      data['wordpress_version'] = data.dig('version', 'number')   if data['version']
+      data['plugins_string']    = data['plugins'].keys.join("\n") if data['plugins']
+      data['themes_string']     = data['themes'].keys.join("\n")  if data['themes']
+      data['users']             = data['users'].keys.join("\n")   if data['users']
+
+      data
+    end
+
+    def create_node( data )
+      node = content_service.create_node(label: data['target_url'], type: :host)
+
+      # Define Node properties
+      if node.respond_to?(:properties)
+        node.set_property(:start_url, data['target_url'])
+        #node.set_property(:start_time, data['start_time'])
+        node.set_property(:scan_time, data['elapsed'])
+      end
+
+      scan_info = template_service.process_template(template: 'scan_info', data: data)
+      content_service.create_note text: scan_info, node: node
+
+      node
+    end
+
+
+    def parse_known_vulnerabilities( data, node )
+      vulnerabilities = []
+
+      # WordPress Vulnerabilities
+      if data['version'] && data['version']['status'] == 'insecure'
+        data['version']['vulnerabilities'].each do |vulnerability_data|
+          vulnerabilities << parse_vulnerability( vulnerability_data )
+        end
+      end
+
+      # Plugin Vulnerabilities
+      if data['plugins']
+        data['plugins'].each do |key, plugin|
+          if plugin['vulnerabilities']
+            plugin['vulnerabilities'].each do |vulnerability_data|
+              vulnerabilities << parse_vulnerability( vulnerability_data )
+            end
+          end
+        end
+      end
+
+      # Theme Vulnerabilities
+      if data['themes']
+        data['themes'].each do |key, theme|
+          if theme['vulnerabilities']
+            theme['vulnerabilities'].each do |vulnerability_data|
+              vulnerabilities << parse_vulnerability( vulnerability_data )
+            end
+          end
+        end
+      end
+
+      # Add vulnerabilities from WPVulnDB to Dradis
+      vulnerabilities.each do |vulnerability|
+        logger.info { "Adding vulnerability: #{vulnerability['title']}" }
+
+        vulnerability_template = template_service.process_template(template: 'vulnerability', data: vulnerability)
+        issue = content_service.create_issue(text: vulnerability_template, id: vulnerability['wpvulndb_id'], node: node)
+
+        if vulnerability['evidence']
+          evidence_content = template_service.process_template(template: 'evidence', data: vulnerability)
+          content_service.create_evidence(issue: issue, node: node, content: vulnerability['evidence'])
+        end
+      end
+    end
+
+    def parse_config_vulnerabilities( data, node )
+      vulnerabilities = []
+
+      if data['config_backups']
+        data['config_backups'].each do |url, value|
+          vulnerability = {}
+          vulnerability['title']    = 'WordPress Configuration Backup Found'
+          vulnerability['evidence'] = url
+
+          vulnerabilities << vulnerability
+        end
+      end
+
+      if data['db_exports']
+        data['db_exports'].each do |url, value|
+          vulnerability = {}
+          vulnerability['title']    = 'Database Backup File Found'
+          vulnerability['evidence'] = url
+
+          vulnerabilities << vulnerability
+        end
+      end
+
+      if data['timthumbs']
+        data['timthumbs'].each do |url, value|
+          unless value['vulnerabilities'].empty?
+            vulnerability = {}
+            vulnerability['title']    = "Timthumb RCE File Found"
+            vulnerability['evidence'] = url
+
+            vulnerabilities << vulnerability
+          end
+        end
+      end
+
+      if data['password_attack']
+        data['password_attack'].each do |user|
+          vulnerability = {}
+          vulnerability['title'] = "WordPres Weak User Password Found"
+          vulnerability['evidence'] = "#{user[0]}:#{user[1]['password']}"
+
+          vulnerabilities << vulnerability
+        end
+      end
+
+      # Add WordPress configuration vulnerabilities to Dradis
+      vulnerabilities.each do |vulnerability|
+        logger.info { "Adding vulnerability: #{vulnerability['title']}" }
+
+        vulnerability_template = template_service.process_template(template: 'vulnerability', data: vulnerability)
+        issue = content_service.create_issue(text: vulnerability_template, id: "wpscan_#{rand(999999)}")
+
+        if vulnerability['evidence']
+          evidence_content = template_service.process_template(template: 'evidence', data: vulnerability)
+          content_service.create_evidence(issue: issue, node: node, content: vulnerability['evidence'])
+        end
+      end
+    end
+
+    def parse_vulnerability( vulnerability_data )
+      wpvulndb_url = 'https://wpvulndb.com/vulnerabilities/'
+
+      vulnerability = {}
+      vulnerability['title']        = vulnerability_data['title']
+      vulnerability['fixed_in']     = vulnerability_data['fixed_in'] if vulnerability_data['fixed_in']
+      vulnerability['cve']          = 'CVE-' + vulnerability_data['references']['cve'][0] if vulnerability_data['references']['cve']
+      vulnerability['url']          = vulnerability_data['references']['url'].join("\n") if vulnerability_data['references']['url']
+      vulnerability['wpvulndb_url'] = wpvulndb_url + vulnerability_data['references']['wpvulndb'][0]
+      vulnerability['wpvulndb_id']  = vulnerability_data['references']['wpvulndb'][0]
+
+      vulnerability
+    end
+  end
+end

data/lib/dradis/plugins/wpscan/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Wpscan
+      # Returns the version of the currently loaded WPScan as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -0,0 +1,23 @@
+class WpscanTasks < Thor
+  include Rails.application.config.dradis.thor_helper_module
+
+  namespace "dradis:plugins:wpscan"
+
+  desc      "upload FILE", "upload WPScan results in JSON format"
+  long_desc "This plugin expects a JSON file generated by WPScan using: -f "\
+            "json -o results.json"
+  def upload(file_path)
+    require 'config/environment'
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit(-1)
+    end
+
+    detect_and_set_project_scope
+
+    importer = Dradis::Plugins::Wpscan::Importer.new(task_options)
+    importer.import(file: file_path)
+  end
+
+end

data/output.json

@@ -0,0 +1,323 @@
+{
+  "banner": {
+    "description": "WordPress Security Scanner by the WPScan Team",
+    "version": "3.7.5",
+    "authors": [
+      "@_WPScan_",
+      "@ethicalhack3r",
+      "@erwan_lr",
+      "@_FireFart_"
+    ],
+    "sponsor": "WPScan.io - Online WordPress Vulnerability Scanner"
+  },
+  "start_time": 1573482044,
+  "start_memory": 50507776,
+  "target_url": "http://www.lagardelanguages.com/",
+  "effective_url": "http://www.lagardelanguages.com/",
+  "interesting_findings": [
+    {
+      "url": "http://www.lagardelanguages.com/",
+      "to_s": "http://www.lagardelanguages.com/",
+      "type": "headers",
+      "found_by": "Headers (Passive Detection)",
+      "confidence": 100,
+      "confirmed_by": {
+
+      },
+      "references": {
+
+      },
+      "interesting_entries": [
+        "Server: nginx"
+      ]
+    },
+    {
+      "url": "http://www.lagardelanguages.com/robots.txt",
+      "to_s": "http://www.lagardelanguages.com/robots.txt",
+      "type": "robots_txt",
+      "found_by": "Robots Txt (Aggressive Detection)",
+      "confidence": 100,
+      "confirmed_by": {
+
+      },
+      "references": {
+
+      },
+      "interesting_entries": [
+        "/wp-admin/",
+        "/wp-admin/admin-ajax.php"
+      ]
+    },
+    {
+      "url": "http://www.lagardelanguages.com/xmlrpc.php",
+      "to_s": "http://www.lagardelanguages.com/xmlrpc.php",
+      "type": "xmlrpc",
+      "found_by": "Headers (Passive Detection)",
+      "confidence": 100,
+      "confirmed_by": {
+        "Link Tag (Passive Detection)": {
+          "confidence": 30
+        },
+        "Direct Access (Aggressive Detection)": {
+          "confidence": 100
+        }
+      },
+      "references": {
+        "url": [
+          "http://codex.wordpress.org/XML-RPC_Pingback_API"
+        ],
+        "metasploit": [
+          "auxiliary/scanner/http/wordpress_ghost_scanner",
+          "auxiliary/dos/http/wordpress_xmlrpc_dos",
+          "auxiliary/scanner/http/wordpress_xmlrpc_login",
+          "auxiliary/scanner/http/wordpress_pingback_access"
+        ]
+      },
+      "interesting_entries": [
+
+      ]
+    },
+    {
+      "url": "http://www.lagardelanguages.com/readme.html",
+      "to_s": "http://www.lagardelanguages.com/readme.html",
+      "type": "readme",
+      "found_by": "Direct Access (Aggressive Detection)",
+      "confidence": 100,
+      "confirmed_by": {
+
+      },
+      "references": {
+
+      },
+      "interesting_entries": [
+
+      ]
+    },
+    {
+      "url": "http://www.lagardelanguages.com/wp-cron.php",
+      "to_s": "http://www.lagardelanguages.com/wp-cron.php",
+      "type": "wp_cron",
+      "found_by": "Direct Access (Aggressive Detection)",
+      "confidence": 60,
+      "confirmed_by": {
+
+      },
+      "references": {
+        "url": [
+          "https://www.iplocation.net/defend-wordpress-from-ddos",
+          "https://github.com/wpscanteam/wpscan/issues/1299"
+        ]
+      },
+      "interesting_entries": [
+
+      ]
+    }
+  ],
+  "version": {
+    "number": "5.1.3",
+    "release_date": "2019-10-14",
+    "status": "latest",
+    "found_by": "Rss Generator (Passive Detection)",
+    "confidence": 100,
+    "interesting_entries": [
+      "http://www.lagardelanguages.com/feed/, <generator>https://wordpress.org/?v=5.1.3</generator>",
+      "http://www.lagardelanguages.com/comments/feed/, <generator>https://wordpress.org/?v=5.1.3</generator>",
+      "http://www.lagardelanguages.com/sample-page/feed/, <generator>https://wordpress.org/?v=5.1.3</generator>"
+    ],
+    "confirmed_by": {
+
+    },
+    "vulnerabilities": [
+
+    ]
+  },
+  "main_theme": {
+    "slug": "liquorice",
+    "location": "http://www.lagardelanguages.com/wp-content/themes/liquorice/",
+    "latest_version": "2.3",
+    "last_updated": "2013-05-30T00:00:00.000Z",
+    "outdated": false,
+    "readme_url": "http://www.lagardelanguages.com/wp-content/themes/liquorice/readme.txt",
+    "directory_listing": false,
+    "error_log_url": null,
+    "style_url": "http://www.lagardelanguages.com/wp-content/themes/liquorice/style.css",
+    "style_name": "Liquorice",
+    "style_uri": "http://www.nudgedesign.ca/wordpress-themes/liquorice",
+    "description": "A simple and clean vintage looking theme for you to build on using Google's font API Lobster font. Custom background feature enabled.",
+    "author": "Nudge Design",
+    "author_uri": "http://www.nudgedesign.ca",
+    "template": null,
+    "license": "GNU General Public License v2.0",
+    "license_uri": "http://www.gnu.org/licenses/gpl-2.0.html",
+    "tags": "custom-background, two-columns, fixed-width, right-sidebar, light, brown, orange, blue",
+    "text_domain": null,
+    "found_by": "Css Style In Homepage (Passive Detection)",
+    "confidence": 100,
+    "interesting_entries": [
+
+    ],
+    "confirmed_by": {
+      "Css Style In 404 Page (Passive Detection)": {
+        "confidence": 70,
+        "interesting_entries": [
+
+        ]
+      }
+    },
+    "vulnerabilities": [
+
+    ],
+    "version": {
+      "number": "2.3",
+      "confidence": 80,
+      "found_by": "Style (Passive Detection)",
+      "interesting_entries": [
+        "http://www.lagardelanguages.com/wp-content/themes/liquorice/style.css, Match: 'Version: 2.3'"
+      ],
+      "confirmed_by": {
+
+      }
+    },
+    "parents": [
+
+    ]
+  },
+  "plugins": {
+    "all-in-one-seo-pack": {
+      "slug": "all-in-one-seo-pack",
+      "location": "http://www.lagardelanguages.com/wp-content/plugins/all-in-one-seo-pack/",
+      "latest_version": "3.2.10",
+      "last_updated": "2019-10-17T15:07:00.000Z",
+      "outdated": true,
+      "readme_url": null,
+      "directory_listing": null,
+      "error_log_url": null,
+      "found_by": "Comment (Passive Detection)",
+      "confidence": 30,
+      "interesting_entries": [
+
+      ],
+      "confirmed_by": {
+
+      },
+      "vulnerabilities": [
+
+      ],
+      "version": {
+        "number": "3.1",
+        "confidence": 100,
+        "found_by": "Comment (Passive Detection)",
+        "interesting_entries": [
+          "http://www.lagardelanguages.com/, Match: 'All in One SEO Pack 3.1 by'"
+        ],
+        "confirmed_by": {
+          "Readme - Stable Tag (Aggressive Detection)": {
+            "confidence": 80,
+            "interesting_entries": [
+              "http://www.lagardelanguages.com/wp-content/plugins/all-in-one-seo-pack/readme.txt"
+            ]
+          }
+        }
+      }
+    },
+    "qtranslate": {
+      "slug": "qtranslate",
+      "location": "http://www.lagardelanguages.com/wp-content/plugins/qtranslate/",
+      "latest_version": null,
+      "last_updated": null,
+      "outdated": false,
+      "readme_url": null,
+      "directory_listing": null,
+      "error_log_url": null,
+      "found_by": "Urls In Homepage (Passive Detection)",
+      "confidence": 100,
+      "interesting_entries": [
+
+      ],
+      "confirmed_by": {
+        "Urls In 404 Page (Passive Detection)": {
+          "confidence": 80,
+          "interesting_entries": [
+
+          ]
+        }
+      },
+      "vulnerabilities": [
+
+      ],
+      "version": null
+    }
+  },
+  "config_backups": {
+    "http://www.lagardelanguages.com/wp-config.txt": {
+      "found_by": "Direct Access (Aggressive Detection)",
+      "confidence": 100,
+      "interesting_entries": [
+
+      ],
+      "confirmed_by": {
+
+      }
+    }
+  },
+  "users": {
+    "marie": {
+      "id": null,
+      "found_by": "Rss Generator (Passive Detection)",
+      "confidence": 100,
+      "interesting_entries": [
+
+      ],
+      "confirmed_by": {
+        "Wp Json Api (Aggressive Detection)": {
+          "confidence": 100,
+          "interesting_entries": [
+            "http://www.lagardelanguages.com/wp-json/wp/v2/users/?per_page=100&page=1"
+          ]
+        },
+        "Oembed API - Author URL (Aggressive Detection)": {
+          "confidence": 90,
+          "interesting_entries": [
+            "http://www.lagardelanguages.com/wp-json/oembed/1.0/embed?url=http://www.lagardelanguages.com/&format=json"
+          ]
+        },
+        "Rss Generator (Aggressive Detection)": {
+          "confidence": 50,
+          "interesting_entries": [
+
+          ]
+        },
+        "Author Id Brute Forcing - Author Pattern (Aggressive Detection)": {
+          "confidence": 100,
+          "interesting_entries": [
+
+          ]
+        },
+        "Login Error Messages (Aggressive Detection)": {
+          "confidence": 100,
+          "interesting_entries": [
+
+          ]
+        }
+      }
+    }
+  },
+  "password_attack": {
+    "marie": {
+      "password": "polluxtip"
+    }
+  },
+  "vuln_api": {
+    "error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up."
+  },
+  "stop_time": 1573482053,
+  "elapsed": 8,
+  "requests_done": 47,
+  "cached_requests": 52,
+  "data_sent": 19085,
+  "data_sent_humanised": "18.638 KB",
+  "data_received": 42204,
+  "data_received_humanised": "41.215 KB",
+  "used_memory": 200556544,
+  "used_memory_humanised": "191.266 MB"
+}