dradis-wpscan 4.9.0 → 4.11.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a5eced390e441a6ec6dbe30861731ba5e2a21a669dcac452b57a23e28d5a7a93
4
- data.tar.gz: 33bf17822b379dd88ee9c3b696f80769cbf7e2c3ff4c0ea9c058d207d9733518
3
+ metadata.gz: 2ae29d68f45bd66f747c8b908df0825151fff3cd63930fc575f34facd624d4d5
4
+ data.tar.gz: dcfd3644a8e7548116822285d4daa25e16530f06e06bacc6634689aa6c62d220
5
5
  SHA512:
6
- metadata.gz: a0f9cc14575819d423a9999c766566d0bacdb6876a5563b9d23a8ee93cb410e074e7b55f50d1a206b74e612c7eeada39647a4574800efbc46da7e2a23a9a9d9c
7
- data.tar.gz: 401b3e31509a3f3cf5af7ae9f7d3ef2ad6f2127408db838402b477ce00e680930f97ef455da8ac1d556a31ad78b21662293ffea4d0f6d309bef37945042625c9
6
+ metadata.gz: 3df23441ee1c6af6e5e8bdd6ef388a41d61e4d2ca72dad747a054f585c313c2ee899e208467d9873095ca2622d4591199cabcb6e935122804435e7974acd497b
7
+ data.tar.gz: fa06b88a2e4c91e81a4167f1e32d575a73c5083a0b0b0b6a2c837686c34f6d08441466b7388ea52797a6880df4f28a0329ba11744642c12b67cb4f85627ae48d
@@ -1,3 +1,5 @@
1
+ Please review [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md) and remove this line.
2
+
1
3
  ### Summary
2
4
 
3
5
  Provide a general description of the code changes in your pull
@@ -6,6 +8,11 @@ these bugs have open GitHub issues, be sure to tag them here as well,
6
8
  to keep the conversation linked together.
7
9
 
8
10
 
11
+ ### Testing Steps
12
+
13
+ Provide steps to test functionality, described in detail for someone not familiar with this part of the application / code base
14
+
15
+
9
16
  ### Other Information
10
17
 
11
18
  If there's anything else that's important and relevant to your pull
@@ -26,11 +33,13 @@ products, we must have the copyright associated with the entire
26
33
  codebase. Any code you create which is merged must be owned by us.
27
34
  That's not us trying to be a jerks, that's just the way it works.
28
35
 
29
- Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
30
- file for the details.
31
-
32
36
  You can delete this section, but the following sentence needs to
33
37
  remain in the PR's description:
34
38
 
35
39
  > I assign all rights, including copyright, to any future Dradis
36
40
  > work by myself to Security Roots.
41
+
42
+ ### Check List
43
+
44
+ - [ ] Added a CHANGELOG entry
45
+ - [ ] Added specs
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ v4.11.0 (January 2024)
2
+ - No changes
3
+
4
+ v4.10.0 (September 2023)
5
+ - Import "version" findings with status: outdated
6
+ - Update gemspec links
7
+
1
8
  v4.9.0 (June 2023)
2
9
  - No changes
3
10
 
data/README.md CHANGED
@@ -9,12 +9,12 @@ The add-on requires [Dradis CE](https://dradisframework.com/ce/) > 3.0, or [Drad
9
9
 
10
10
  ## More information
11
11
 
12
- See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework/blob/master/README.md)
12
+ See the Dradis Framework's [README.md](https://github.com/dradis/dradis-ce/blob/develop/README.md)
13
13
 
14
14
 
15
15
  ## Contributing
16
16
 
17
- See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
17
+ See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md)
18
18
 
19
19
 
20
20
  ## License
@@ -13,11 +13,10 @@ Gem::Specification.new do |spec|
13
13
  spec.license = 'GPL-2'
14
14
 
15
15
  spec.authors = ['Christian Mehlmauer', 'Daniel Martin', 'Erwan', 'Ryan Dewhurst']
16
- spec.email = ['etd@nomejortu.com']
17
- spec.homepage = 'http://dradisframework.org'
16
+ spec.homepage = 'https://dradis.com/integrations/wpscan.html'
18
17
 
19
18
  spec.files = `git ls-files`.split($\)
20
- spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
19
+ spec.executables = spec.files.grep(%r{^bin/}).map { |f| File.basename(f) }
21
20
  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
22
21
 
23
22
  # By not including Rails as a dependency, we can use the gem with different
@@ -8,11 +8,11 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 4
11
- MINOR = 9
11
+ MINOR = 11
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
15
- STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
15
+ STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
16
16
  end
17
17
  end
18
18
  end
@@ -7,9 +7,8 @@ module Dradis::Plugins::Wpscan
7
7
  # The framework will call this function if the user selects this plugin from
8
8
  # the dropdown list and uploads a file.
9
9
  # @returns true if the operation was successful, false otherwise
10
- def import(params={})
11
-
12
- file_content = File.read( params[:file] )
10
+ def import(params = {})
11
+ file_content = File.read(params[:file])
13
12
 
14
13
  # Parse the uploaded file into a Ruby Hash
15
14
  logger.info { "Parsing WPScan output from #{ params[:file] }..." }
@@ -20,35 +19,34 @@ module Dradis::Plugins::Wpscan
20
19
  # format.
21
20
  if data['target_url'].nil?
22
21
  error = "ERROR: No 'target_url' field present in the provided " \
23
- "JSON data. Are you sure you uploaded a WPScan JSON output file?"
22
+ 'JSON data. Are you sure you uploaded a WPScan JSON output file?'
24
23
  logger.fatal { error }
25
24
  content_service.create_note text: error
26
25
  return false
27
26
  end
28
27
 
29
28
  # Initial data normalisation
30
- data = parse_json( data )
29
+ data = parse_json(data)
31
30
 
32
31
  # Create a node based on the target_url
33
- node = create_node( data )
32
+ node = create_node(data)
34
33
 
35
34
  # Parse vulnerability data and make more human readable.
36
35
  # NOTE: You need an API token for the WPVulnDB vulnerability data.
37
- parse_known_vulnerabilities( data, node )
38
-
36
+ parse_known_vulnerabilities(data, node)
39
37
 
40
38
  # Add bespoke/config vulnerabilities to Dradis
41
39
  #
42
40
  # TODO: Can we add severity to issues?
43
41
  #
44
42
  # Note: No API key needed.
45
- parse_config_vulnerabilities( data, node )
43
+ parse_config_vulnerabilities(data, node)
46
44
  end
47
45
 
48
- def parse_json( data )
46
+ def parse_json(data)
49
47
  # Parse scan info data and make more human readable.
50
48
  data['wpscan_version'] = data.dig('banner', 'version')
51
- data['start_time'] = DateTime.strptime(data['start_time'].to_s,'%s')
49
+ data['start_time'] = DateTime.strptime(data['start_time'].to_s, '%s')
52
50
  data['elapsed'] = "#{data["elapsed"]} seconds"
53
51
  data['wordpress_version'] = data.dig('version', 'number') if data['version']
54
52
  data['plugins_string'] = data['plugins'].keys.join("\n") if data['plugins']
@@ -58,7 +56,7 @@ module Dradis::Plugins::Wpscan
58
56
  data
59
57
  end
60
58
 
61
- def create_node( data )
59
+ def create_node(data)
62
60
  node = content_service.create_node(label: data['target_url'], type: :host)
63
61
 
64
62
  # Define Node properties
@@ -74,14 +72,13 @@ module Dradis::Plugins::Wpscan
74
72
  node
75
73
  end
76
74
 
77
-
78
- def parse_known_vulnerabilities( data, node )
75
+ def parse_known_vulnerabilities(data, node)
79
76
  vulnerabilities = []
80
77
 
81
78
  # WordPress Vulnerabilities
82
- if data['version'] && data['version']['status'] == 'insecure'
79
+ if data['version'] && ['insecure', 'outdated'].include?(data['version']['status'])
83
80
  data['version']['vulnerabilities'].each do |vulnerability_data|
84
- vulnerabilities << parse_vulnerability( vulnerability_data )
81
+ vulnerabilities << parse_vulnerability(vulnerability_data)
85
82
  end
86
83
  end
87
84
 
@@ -90,7 +87,7 @@ module Dradis::Plugins::Wpscan
90
87
  data['plugins'].each do |key, plugin|
91
88
  if plugin['vulnerabilities']
92
89
  plugin['vulnerabilities'].each do |vulnerability_data|
93
- vulnerabilities << parse_vulnerability( vulnerability_data )
90
+ vulnerabilities << parse_vulnerability(vulnerability_data)
94
91
  end
95
92
  end
96
93
  end
@@ -101,7 +98,7 @@ module Dradis::Plugins::Wpscan
101
98
  data['themes'].each do |key, theme|
102
99
  if theme['vulnerabilities']
103
100
  theme['vulnerabilities'].each do |vulnerability_data|
104
- vulnerabilities << parse_vulnerability( vulnerability_data )
101
+ vulnerabilities << parse_vulnerability(vulnerability_data)
105
102
  end
106
103
  end
107
104
  end
@@ -121,7 +118,7 @@ module Dradis::Plugins::Wpscan
121
118
  end
122
119
  end
123
120
 
124
- def parse_config_vulnerabilities( data, node )
121
+ def parse_config_vulnerabilities(data, node)
125
122
  vulnerabilities = []
126
123
 
127
124
  if data['config_backups']
@@ -148,7 +145,7 @@ module Dradis::Plugins::Wpscan
148
145
  data['timthumbs'].each do |url, value|
149
146
  unless value['vulnerabilities'].empty?
150
147
  vulnerability = {}
151
- vulnerability['title'] = "Timthumb RCE File Found"
148
+ vulnerability['title'] = 'Timthumb RCE File Found'
152
149
  vulnerability['evidence'] = url
153
150
 
154
151
  vulnerabilities << vulnerability
@@ -159,7 +156,7 @@ module Dradis::Plugins::Wpscan
159
156
  if data['password_attack']
160
157
  data['password_attack'].each do |user|
161
158
  vulnerability = {}
162
- vulnerability['title'] = "WordPres Weak User Password Found"
159
+ vulnerability['title'] = 'WordPres Weak User Password Found'
163
160
  vulnerability['evidence'] = "#{user[0]}:#{user[1]['password']}"
164
161
 
165
162
  vulnerabilities << vulnerability
@@ -180,7 +177,7 @@ module Dradis::Plugins::Wpscan
180
177
  end
181
178
  end
182
179
 
183
- def parse_vulnerability( vulnerability_data )
180
+ def parse_vulnerability(vulnerability_data)
184
181
  wpvulndb_url = 'https://wpvulndb.com/vulnerabilities/'
185
182
 
186
183
  vulnerability = {}
metadata CHANGED
@@ -1,17 +1,17 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dradis-wpscan
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.9.0
4
+ version: 4.11.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Christian Mehlmauer
8
8
  - Daniel Martin
9
9
  - Erwan
10
10
  - Ryan Dewhurst
11
- autorequire:
11
+ autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2023-05-31 00:00:00.000000000 Z
14
+ date: 2024-01-17 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: dradis-plugins
@@ -100,7 +100,6 @@ dependencies:
100
100
  description: This add-on allows you to upload and parse output produced from the WPScan
101
101
  WordPress security scanner into Dradis.
102
102
  email:
103
- - etd@nomejortu.com
104
103
  executables: []
105
104
  extensions: []
106
105
  extra_rdoc_files: []
@@ -139,11 +138,11 @@ files:
139
138
  - templates/vulnerability.fields
140
139
  - templates/vulnerability.sample
141
140
  - templates/vulnerability.template
142
- homepage: http://dradisframework.org
141
+ homepage: https://dradis.com/integrations/wpscan.html
143
142
  licenses:
144
143
  - GPL-2
145
144
  metadata: {}
146
- post_install_message:
145
+ post_install_message:
147
146
  rdoc_options: []
148
147
  require_paths:
149
148
  - lib
@@ -158,8 +157,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
158
157
  - !ruby/object:Gem::Version
159
158
  version: '0'
160
159
  requirements: []
161
- rubygems_version: 3.1.4
162
- signing_key:
160
+ rubygems_version: 3.3.7
161
+ signing_key:
163
162
  specification_version: 4
164
163
  summary: WPScan add-on for the Dradis Framework.
165
164
  test_files: