dradis-wpscan 4.9.0 → 4.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/pull_request_template.md +12 -3
- data/CHANGELOG.md +7 -0
- data/README.md +2 -2
- data/dradis-wpscan.gemspec +2 -3
- data/lib/dradis/plugins/wpscan/gem_version.rb +2 -2
- data/lib/dradis/plugins/wpscan/importer.rb +19 -22
- metadata +7 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2ae29d68f45bd66f747c8b908df0825151fff3cd63930fc575f34facd624d4d5
|
|
4
|
+
data.tar.gz: dcfd3644a8e7548116822285d4daa25e16530f06e06bacc6634689aa6c62d220
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3df23441ee1c6af6e5e8bdd6ef388a41d61e4d2ca72dad747a054f585c313c2ee899e208467d9873095ca2622d4591199cabcb6e935122804435e7974acd497b
|
|
7
|
+
data.tar.gz: fa06b88a2e4c91e81a4167f1e32d575a73c5083a0b0b0b6a2c837686c34f6d08441466b7388ea52797a6880df4f28a0329ba11744642c12b67cb4f85627ae48d
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
Please review [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md) and remove this line.
|
|
2
|
+
|
|
1
3
|
### Summary
|
|
2
4
|
|
|
3
5
|
Provide a general description of the code changes in your pull
|
|
@@ -6,6 +8,11 @@ these bugs have open GitHub issues, be sure to tag them here as well,
|
|
|
6
8
|
to keep the conversation linked together.
|
|
7
9
|
|
|
8
10
|
|
|
11
|
+
### Testing Steps
|
|
12
|
+
|
|
13
|
+
Provide steps to test functionality, described in detail for someone not familiar with this part of the application / code base
|
|
14
|
+
|
|
15
|
+
|
|
9
16
|
### Other Information
|
|
10
17
|
|
|
11
18
|
If there's anything else that's important and relevant to your pull
|
|
@@ -26,11 +33,13 @@ products, we must have the copyright associated with the entire
|
|
|
26
33
|
codebase. Any code you create which is merged must be owned by us.
|
|
27
34
|
That's not us trying to be a jerks, that's just the way it works.
|
|
28
35
|
|
|
29
|
-
Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
|
|
30
|
-
file for the details.
|
|
31
|
-
|
|
32
36
|
You can delete this section, but the following sentence needs to
|
|
33
37
|
remain in the PR's description:
|
|
34
38
|
|
|
35
39
|
> I assign all rights, including copyright, to any future Dradis
|
|
36
40
|
> work by myself to Security Roots.
|
|
41
|
+
|
|
42
|
+
### Check List
|
|
43
|
+
|
|
44
|
+
- [ ] Added a CHANGELOG entry
|
|
45
|
+
- [ ] Added specs
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -9,12 +9,12 @@ The add-on requires [Dradis CE](https://dradisframework.com/ce/) > 3.0, or [Drad
|
|
|
9
9
|
|
|
10
10
|
## More information
|
|
11
11
|
|
|
12
|
-
See the Dradis Framework's [README.md](https://github.com/dradis/
|
|
12
|
+
See the Dradis Framework's [README.md](https://github.com/dradis/dradis-ce/blob/develop/README.md)
|
|
13
13
|
|
|
14
14
|
|
|
15
15
|
## Contributing
|
|
16
16
|
|
|
17
|
-
See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/
|
|
17
|
+
See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md)
|
|
18
18
|
|
|
19
19
|
|
|
20
20
|
## License
|
data/dradis-wpscan.gemspec
CHANGED
|
@@ -13,11 +13,10 @@ Gem::Specification.new do |spec|
|
|
|
13
13
|
spec.license = 'GPL-2'
|
|
14
14
|
|
|
15
15
|
spec.authors = ['Christian Mehlmauer', 'Daniel Martin', 'Erwan', 'Ryan Dewhurst']
|
|
16
|
-
spec.
|
|
17
|
-
spec.homepage = 'http://dradisframework.org'
|
|
16
|
+
spec.homepage = 'https://dradis.com/integrations/wpscan.html'
|
|
18
17
|
|
|
19
18
|
spec.files = `git ls-files`.split($\)
|
|
20
|
-
spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
|
19
|
+
spec.executables = spec.files.grep(%r{^bin/}).map { |f| File.basename(f) }
|
|
21
20
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
22
21
|
|
|
23
22
|
# By not including Rails as a dependency, we can use the gem with different
|
|
@@ -7,9 +7,8 @@ module Dradis::Plugins::Wpscan
|
|
|
7
7
|
# The framework will call this function if the user selects this plugin from
|
|
8
8
|
# the dropdown list and uploads a file.
|
|
9
9
|
# @returns true if the operation was successful, false otherwise
|
|
10
|
-
def import(params={})
|
|
11
|
-
|
|
12
|
-
file_content = File.read( params[:file] )
|
|
10
|
+
def import(params = {})
|
|
11
|
+
file_content = File.read(params[:file])
|
|
13
12
|
|
|
14
13
|
# Parse the uploaded file into a Ruby Hash
|
|
15
14
|
logger.info { "Parsing WPScan output from #{ params[:file] }..." }
|
|
@@ -20,35 +19,34 @@ module Dradis::Plugins::Wpscan
|
|
|
20
19
|
# format.
|
|
21
20
|
if data['target_url'].nil?
|
|
22
21
|
error = "ERROR: No 'target_url' field present in the provided " \
|
|
23
|
-
|
|
22
|
+
'JSON data. Are you sure you uploaded a WPScan JSON output file?'
|
|
24
23
|
logger.fatal { error }
|
|
25
24
|
content_service.create_note text: error
|
|
26
25
|
return false
|
|
27
26
|
end
|
|
28
27
|
|
|
29
28
|
# Initial data normalisation
|
|
30
|
-
data = parse_json(
|
|
29
|
+
data = parse_json(data)
|
|
31
30
|
|
|
32
31
|
# Create a node based on the target_url
|
|
33
|
-
node = create_node(
|
|
32
|
+
node = create_node(data)
|
|
34
33
|
|
|
35
34
|
# Parse vulnerability data and make more human readable.
|
|
36
35
|
# NOTE: You need an API token for the WPVulnDB vulnerability data.
|
|
37
|
-
parse_known_vulnerabilities(
|
|
38
|
-
|
|
36
|
+
parse_known_vulnerabilities(data, node)
|
|
39
37
|
|
|
40
38
|
# Add bespoke/config vulnerabilities to Dradis
|
|
41
39
|
#
|
|
42
40
|
# TODO: Can we add severity to issues?
|
|
43
41
|
#
|
|
44
42
|
# Note: No API key needed.
|
|
45
|
-
parse_config_vulnerabilities(
|
|
43
|
+
parse_config_vulnerabilities(data, node)
|
|
46
44
|
end
|
|
47
45
|
|
|
48
|
-
def parse_json(
|
|
46
|
+
def parse_json(data)
|
|
49
47
|
# Parse scan info data and make more human readable.
|
|
50
48
|
data['wpscan_version'] = data.dig('banner', 'version')
|
|
51
|
-
data['start_time'] = DateTime.strptime(data['start_time'].to_s,'%s')
|
|
49
|
+
data['start_time'] = DateTime.strptime(data['start_time'].to_s, '%s')
|
|
52
50
|
data['elapsed'] = "#{data["elapsed"]} seconds"
|
|
53
51
|
data['wordpress_version'] = data.dig('version', 'number') if data['version']
|
|
54
52
|
data['plugins_string'] = data['plugins'].keys.join("\n") if data['plugins']
|
|
@@ -58,7 +56,7 @@ module Dradis::Plugins::Wpscan
|
|
|
58
56
|
data
|
|
59
57
|
end
|
|
60
58
|
|
|
61
|
-
def create_node(
|
|
59
|
+
def create_node(data)
|
|
62
60
|
node = content_service.create_node(label: data['target_url'], type: :host)
|
|
63
61
|
|
|
64
62
|
# Define Node properties
|
|
@@ -74,14 +72,13 @@ module Dradis::Plugins::Wpscan
|
|
|
74
72
|
node
|
|
75
73
|
end
|
|
76
74
|
|
|
77
|
-
|
|
78
|
-
def parse_known_vulnerabilities( data, node )
|
|
75
|
+
def parse_known_vulnerabilities(data, node)
|
|
79
76
|
vulnerabilities = []
|
|
80
77
|
|
|
81
78
|
# WordPress Vulnerabilities
|
|
82
|
-
if data['version'] && data['version']['status']
|
|
79
|
+
if data['version'] && ['insecure', 'outdated'].include?(data['version']['status'])
|
|
83
80
|
data['version']['vulnerabilities'].each do |vulnerability_data|
|
|
84
|
-
vulnerabilities << parse_vulnerability(
|
|
81
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
|
85
82
|
end
|
|
86
83
|
end
|
|
87
84
|
|
|
@@ -90,7 +87,7 @@ module Dradis::Plugins::Wpscan
|
|
|
90
87
|
data['plugins'].each do |key, plugin|
|
|
91
88
|
if plugin['vulnerabilities']
|
|
92
89
|
plugin['vulnerabilities'].each do |vulnerability_data|
|
|
93
|
-
vulnerabilities << parse_vulnerability(
|
|
90
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
|
94
91
|
end
|
|
95
92
|
end
|
|
96
93
|
end
|
|
@@ -101,7 +98,7 @@ module Dradis::Plugins::Wpscan
|
|
|
101
98
|
data['themes'].each do |key, theme|
|
|
102
99
|
if theme['vulnerabilities']
|
|
103
100
|
theme['vulnerabilities'].each do |vulnerability_data|
|
|
104
|
-
vulnerabilities << parse_vulnerability(
|
|
101
|
+
vulnerabilities << parse_vulnerability(vulnerability_data)
|
|
105
102
|
end
|
|
106
103
|
end
|
|
107
104
|
end
|
|
@@ -121,7 +118,7 @@ module Dradis::Plugins::Wpscan
|
|
|
121
118
|
end
|
|
122
119
|
end
|
|
123
120
|
|
|
124
|
-
def parse_config_vulnerabilities(
|
|
121
|
+
def parse_config_vulnerabilities(data, node)
|
|
125
122
|
vulnerabilities = []
|
|
126
123
|
|
|
127
124
|
if data['config_backups']
|
|
@@ -148,7 +145,7 @@ module Dradis::Plugins::Wpscan
|
|
|
148
145
|
data['timthumbs'].each do |url, value|
|
|
149
146
|
unless value['vulnerabilities'].empty?
|
|
150
147
|
vulnerability = {}
|
|
151
|
-
vulnerability['title'] =
|
|
148
|
+
vulnerability['title'] = 'Timthumb RCE File Found'
|
|
152
149
|
vulnerability['evidence'] = url
|
|
153
150
|
|
|
154
151
|
vulnerabilities << vulnerability
|
|
@@ -159,7 +156,7 @@ module Dradis::Plugins::Wpscan
|
|
|
159
156
|
if data['password_attack']
|
|
160
157
|
data['password_attack'].each do |user|
|
|
161
158
|
vulnerability = {}
|
|
162
|
-
vulnerability['title'] =
|
|
159
|
+
vulnerability['title'] = 'WordPres Weak User Password Found'
|
|
163
160
|
vulnerability['evidence'] = "#{user[0]}:#{user[1]['password']}"
|
|
164
161
|
|
|
165
162
|
vulnerabilities << vulnerability
|
|
@@ -180,7 +177,7 @@ module Dradis::Plugins::Wpscan
|
|
|
180
177
|
end
|
|
181
178
|
end
|
|
182
179
|
|
|
183
|
-
def parse_vulnerability(
|
|
180
|
+
def parse_vulnerability(vulnerability_data)
|
|
184
181
|
wpvulndb_url = 'https://wpvulndb.com/vulnerabilities/'
|
|
185
182
|
|
|
186
183
|
vulnerability = {}
|
metadata
CHANGED
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dradis-wpscan
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.11.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Christian Mehlmauer
|
|
8
8
|
- Daniel Martin
|
|
9
9
|
- Erwan
|
|
10
10
|
- Ryan Dewhurst
|
|
11
|
-
autorequire:
|
|
11
|
+
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date:
|
|
14
|
+
date: 2024-01-17 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: dradis-plugins
|
|
@@ -100,7 +100,6 @@ dependencies:
|
|
|
100
100
|
description: This add-on allows you to upload and parse output produced from the WPScan
|
|
101
101
|
WordPress security scanner into Dradis.
|
|
102
102
|
email:
|
|
103
|
-
- etd@nomejortu.com
|
|
104
103
|
executables: []
|
|
105
104
|
extensions: []
|
|
106
105
|
extra_rdoc_files: []
|
|
@@ -139,11 +138,11 @@ files:
|
|
|
139
138
|
- templates/vulnerability.fields
|
|
140
139
|
- templates/vulnerability.sample
|
|
141
140
|
- templates/vulnerability.template
|
|
142
|
-
homepage:
|
|
141
|
+
homepage: https://dradis.com/integrations/wpscan.html
|
|
143
142
|
licenses:
|
|
144
143
|
- GPL-2
|
|
145
144
|
metadata: {}
|
|
146
|
-
post_install_message:
|
|
145
|
+
post_install_message:
|
|
147
146
|
rdoc_options: []
|
|
148
147
|
require_paths:
|
|
149
148
|
- lib
|
|
@@ -158,8 +157,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
158
157
|
- !ruby/object:Gem::Version
|
|
159
158
|
version: '0'
|
|
160
159
|
requirements: []
|
|
161
|
-
rubygems_version: 3.
|
|
162
|
-
signing_key:
|
|
160
|
+
rubygems_version: 3.3.7
|
|
161
|
+
signing_key:
|
|
163
162
|
specification_version: 4
|
|
164
163
|
summary: WPScan add-on for the Dradis Framework.
|
|
165
164
|
test_files:
|