dradis-wpscan 4.8.0 → 4.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/dradis-wpscan.gemspec +2 -3
- data/lib/dradis/plugins/wpscan/gem_version.rb +2 -2
- data/lib/dradis/plugins/wpscan/importer.rb +19 -22
- metadata +4 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 04053fb23a9bd7d39c7c5640b0a3d8a9bac576de9f09a4d5ac163de670975887
|
4
|
+
data.tar.gz: 4bd01d6905569d04ddf5934744af6036cbce3f55b9cdfb0656163b8fb56d828e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8becfb81a6b67a4ccf52ac15e8a38b071416d14e4f07a3cee77893cd24a84f89badf549a0acc6f82127f28d34b44dcb1ba40659d06ba3bbd036c4d68eca6fedb
|
7
|
+
data.tar.gz: 48ee083ec5ad44ead933671b8593cd14189dbd55a750516361df2ebaa02f99ac856b783d7b668d9afcb165f4d4e48143c70650d8609560c38e8b39c1d6a620bd
|
data/CHANGELOG.md
CHANGED
data/dradis-wpscan.gemspec
CHANGED
@@ -13,11 +13,10 @@ Gem::Specification.new do |spec|
|
|
13
13
|
spec.license = 'GPL-2'
|
14
14
|
|
15
15
|
spec.authors = ['Christian Mehlmauer', 'Daniel Martin', 'Erwan', 'Ryan Dewhurst']
|
16
|
-
spec.
|
17
|
-
spec.homepage = 'http://dradisframework.org'
|
16
|
+
spec.homepage = 'https://dradis.com/integrations/wpscan.html'
|
18
17
|
|
19
18
|
spec.files = `git ls-files`.split($\)
|
20
|
-
spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
19
|
+
spec.executables = spec.files.grep(%r{^bin/}).map { |f| File.basename(f) }
|
21
20
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
22
21
|
|
23
22
|
# By not including Rails as a dependency, we can use the gem with different
|
@@ -7,9 +7,8 @@ module Dradis::Plugins::Wpscan
|
|
7
7
|
# The framework will call this function if the user selects this plugin from
|
8
8
|
# the dropdown list and uploads a file.
|
9
9
|
# @returns true if the operation was successful, false otherwise
|
10
|
-
def import(params={})
|
11
|
-
|
12
|
-
file_content = File.read( params[:file] )
|
10
|
+
def import(params = {})
|
11
|
+
file_content = File.read(params[:file])
|
13
12
|
|
14
13
|
# Parse the uploaded file into a Ruby Hash
|
15
14
|
logger.info { "Parsing WPScan output from #{ params[:file] }..." }
|
@@ -20,35 +19,34 @@ module Dradis::Plugins::Wpscan
|
|
20
19
|
# format.
|
21
20
|
if data['target_url'].nil?
|
22
21
|
error = "ERROR: No 'target_url' field present in the provided " \
|
23
|
-
|
22
|
+
'JSON data. Are you sure you uploaded a WPScan JSON output file?'
|
24
23
|
logger.fatal { error }
|
25
24
|
content_service.create_note text: error
|
26
25
|
return false
|
27
26
|
end
|
28
27
|
|
29
28
|
# Initial data normalisation
|
30
|
-
data = parse_json(
|
29
|
+
data = parse_json(data)
|
31
30
|
|
32
31
|
# Create a node based on the target_url
|
33
|
-
node = create_node(
|
32
|
+
node = create_node(data)
|
34
33
|
|
35
34
|
# Parse vulnerability data and make more human readable.
|
36
35
|
# NOTE: You need an API token for the WPVulnDB vulnerability data.
|
37
|
-
parse_known_vulnerabilities(
|
38
|
-
|
36
|
+
parse_known_vulnerabilities(data, node)
|
39
37
|
|
40
38
|
# Add bespoke/config vulnerabilities to Dradis
|
41
39
|
#
|
42
40
|
# TODO: Can we add severity to issues?
|
43
41
|
#
|
44
42
|
# Note: No API key needed.
|
45
|
-
parse_config_vulnerabilities(
|
43
|
+
parse_config_vulnerabilities(data, node)
|
46
44
|
end
|
47
45
|
|
48
|
-
def parse_json(
|
46
|
+
def parse_json(data)
|
49
47
|
# Parse scan info data and make more human readable.
|
50
48
|
data['wpscan_version'] = data.dig('banner', 'version')
|
51
|
-
data['start_time'] = DateTime.strptime(data['start_time'].to_s,'%s')
|
49
|
+
data['start_time'] = DateTime.strptime(data['start_time'].to_s, '%s')
|
52
50
|
data['elapsed'] = "#{data["elapsed"]} seconds"
|
53
51
|
data['wordpress_version'] = data.dig('version', 'number') if data['version']
|
54
52
|
data['plugins_string'] = data['plugins'].keys.join("\n") if data['plugins']
|
@@ -58,7 +56,7 @@ module Dradis::Plugins::Wpscan
|
|
58
56
|
data
|
59
57
|
end
|
60
58
|
|
61
|
-
def create_node(
|
59
|
+
def create_node(data)
|
62
60
|
node = content_service.create_node(label: data['target_url'], type: :host)
|
63
61
|
|
64
62
|
# Define Node properties
|
@@ -74,14 +72,13 @@ module Dradis::Plugins::Wpscan
|
|
74
72
|
node
|
75
73
|
end
|
76
74
|
|
77
|
-
|
78
|
-
def parse_known_vulnerabilities( data, node )
|
75
|
+
def parse_known_vulnerabilities(data, node)
|
79
76
|
vulnerabilities = []
|
80
77
|
|
81
78
|
# WordPress Vulnerabilities
|
82
|
-
if data['version'] && data['version']['status']
|
79
|
+
if data['version'] && ['insecure', 'outdated'].include?(data['version']['status'])
|
83
80
|
data['version']['vulnerabilities'].each do |vulnerability_data|
|
84
|
-
vulnerabilities << parse_vulnerability(
|
81
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
85
82
|
end
|
86
83
|
end
|
87
84
|
|
@@ -90,7 +87,7 @@ module Dradis::Plugins::Wpscan
|
|
90
87
|
data['plugins'].each do |key, plugin|
|
91
88
|
if plugin['vulnerabilities']
|
92
89
|
plugin['vulnerabilities'].each do |vulnerability_data|
|
93
|
-
vulnerabilities << parse_vulnerability(
|
90
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
94
91
|
end
|
95
92
|
end
|
96
93
|
end
|
@@ -101,7 +98,7 @@ module Dradis::Plugins::Wpscan
|
|
101
98
|
data['themes'].each do |key, theme|
|
102
99
|
if theme['vulnerabilities']
|
103
100
|
theme['vulnerabilities'].each do |vulnerability_data|
|
104
|
-
vulnerabilities << parse_vulnerability(
|
101
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
105
102
|
end
|
106
103
|
end
|
107
104
|
end
|
@@ -121,7 +118,7 @@ module Dradis::Plugins::Wpscan
|
|
121
118
|
end
|
122
119
|
end
|
123
120
|
|
124
|
-
def parse_config_vulnerabilities(
|
121
|
+
def parse_config_vulnerabilities(data, node)
|
125
122
|
vulnerabilities = []
|
126
123
|
|
127
124
|
if data['config_backups']
|
@@ -148,7 +145,7 @@ module Dradis::Plugins::Wpscan
|
|
148
145
|
data['timthumbs'].each do |url, value|
|
149
146
|
unless value['vulnerabilities'].empty?
|
150
147
|
vulnerability = {}
|
151
|
-
vulnerability['title'] =
|
148
|
+
vulnerability['title'] = 'Timthumb RCE File Found'
|
152
149
|
vulnerability['evidence'] = url
|
153
150
|
|
154
151
|
vulnerabilities << vulnerability
|
@@ -159,7 +156,7 @@ module Dradis::Plugins::Wpscan
|
|
159
156
|
if data['password_attack']
|
160
157
|
data['password_attack'].each do |user|
|
161
158
|
vulnerability = {}
|
162
|
-
vulnerability['title'] =
|
159
|
+
vulnerability['title'] = 'WordPres Weak User Password Found'
|
163
160
|
vulnerability['evidence'] = "#{user[0]}:#{user[1]['password']}"
|
164
161
|
|
165
162
|
vulnerabilities << vulnerability
|
@@ -180,7 +177,7 @@ module Dradis::Plugins::Wpscan
|
|
180
177
|
end
|
181
178
|
end
|
182
179
|
|
183
|
-
def parse_vulnerability(
|
180
|
+
def parse_vulnerability(vulnerability_data)
|
184
181
|
wpvulndb_url = 'https://wpvulndb.com/vulnerabilities/'
|
185
182
|
|
186
183
|
vulnerability = {}
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dradis-wpscan
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.10.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Christian Mehlmauer
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date: 2023-
|
14
|
+
date: 2023-09-07 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: dradis-plugins
|
@@ -99,8 +99,7 @@ dependencies:
|
|
99
99
|
version: 0.5.2
|
100
100
|
description: This add-on allows you to upload and parse output produced from the WPScan
|
101
101
|
WordPress security scanner into Dradis.
|
102
|
-
email:
|
103
|
-
- etd@nomejortu.com
|
102
|
+
email:
|
104
103
|
executables: []
|
105
104
|
extensions: []
|
106
105
|
extra_rdoc_files: []
|
@@ -139,7 +138,7 @@ files:
|
|
139
138
|
- templates/vulnerability.fields
|
140
139
|
- templates/vulnerability.sample
|
141
140
|
- templates/vulnerability.template
|
142
|
-
homepage:
|
141
|
+
homepage: https://dradis.com/integrations/wpscan.html
|
143
142
|
licenses:
|
144
143
|
- GPL-2
|
145
144
|
metadata: {}
|