RubyGems - wordstress - Versions diffs - 0.0.1 → 0.10.0 - Mend

wordstress 0.0.1 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9301fb80995974a668a7245491db622a632666ca
-  data.tar.gz: 7c5d509f3ccbc31daf5ce31530dc8c2c52fffe9d
+  metadata.gz: 95999506c82f7c592ba1519d3135c0e374bb7d7d
+  data.tar.gz: d98e8756e937c3ff926036ea34ab8111be6b030d
 SHA512:
-  metadata.gz: 3db58fd8f50d296511f44936ca1094f591914b100da227aba099ff3b904227ee4621a8b828c6b4e115efd6e71332d79f2263e0bda482464b59778bc47f898313
-  data.tar.gz: c09c73dec2c66493bde8b7a1499f2a52f2af34c45704e4c15f619555aadadcdc3055dbdf3197a8a7ed2a37b7ed94be88a04c6b6d688ad83429cbd83f9c6c9dbf
+  metadata.gz: d0e4d4519077f8a3beb10db5733d4ac98e68cc74a0eae589c4ae69fad7767233013f573d9ffdefeed2bd0b46b8a45d683aed1c5dc4b834ac6403702908e80d13
+  data.tar.gz: 189f863ab0ced45cef88ca6c87eed227d59d376db85a57d158cc88e2f428a774a7dc9040536169e687d1e64c622a8c787d69ef5069643911cb462b39f22c88c4

data/.gitignore CHANGED Viewed

@@ -1,4 +1,5 @@
 *.sw?
+.rvmrc
 .DS_Store
 /.bundle/
 /.yardoc

data/README.md CHANGED Viewed

@@ -30,6 +30,7 @@ I want a security tool that follows 'the ruby way'.
 * SQL and CSV output. Suitable for script integration
 * Massive websites scan from text file
 * SSL server rating using [Qualys SSL Labs rating guide](https://www.ssllabs.com/projects/rating-guide/)
+* Whitebox testing using existing wordpress user
 ## Installation

data/bin/wordstress ADDED Viewed

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+require 'getoptlong'
+require 'json'
+require 'codesake-commons'
+require 'wordstress'
+APPNAME = File.basename($0)
+$logger  = Codesake::Commons::Logging.instance
+opts    = GetoptLong.new(
+  [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
+  [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
+)
+opts.quiet=true
+begin
+  opts.each do |opt, val|
+    case opt
+    when '--version'
+      puts "#{Wordstress::VERSION}"
+      Kernel.exit(0)
+    when '--help'
+      Kernel.exit(0)
+    end
+  end
+rescue GetoptLong::InvalidOption => e
+  $logger.helo APPNAME, Wordstress::VERSION
+  $logger.err e.message
+  Kernel.exit(-1)
+end
+target=ARGV.shift
+$logger.helo APPNAME, Wordstress::VERSION
+$logger.toggle_syslog
+trap("INT")   { $logger.die('[INTERRUPTED]') }
+$logger.die("missing target") if target.nil?
+$logger.log "scanning #{target}"
+site = Wordstress::Site.new(target)
+$logger.ok "wordpress version #{site.version[:version]} detected"
+wp_vuln_hash = JSON.parse(site.wp_vuln_json)
+$logger.ok "#{wp_vuln_hash["wordpress"]["vulnerabilities"].size} vulnerabilities found due wordpress version"
+wp_vuln_hash["wordpress"]["vulnerabilities"].each do |v|
+  $logger.log "#{v["id"]} - #{v["title"]}"
+end

data/lib/wordstress/site.rb ADDED Viewed

@@ -0,0 +1,91 @@
+require 'net/http'
+module Wordstress
+  class Site
+    attr_reader :version, :wp_vuln_json
+    def initialize(name="")
+      begin
+        @uri      = URI(name)
+        @raw_name = name
+        @valid    = true
+      rescue
+        @valid = false
+      end
+      @robots_txt   = get(@raw_name + "/robots.txt")
+      @readme_html  = get(@raw_name + "/readme.html")
+      @homepage     = get(@raw_name)
+      @version      = detect_version
+      @wp_vuln_json = get_wp_vulnerabilities
+    end
+    def get_wp_vulnerabilities
+      get_https("https://wpvulndb.com/api/v1/wordpresses/#{version_pad(@version[:version])}").body
+    end
+    def version_pad(version)
+      # 3.2.1 => 321
+      # 4.0 => 400
+      return version.gsub('.', '')      if version.split('.').count == 3
+      return version.gsub('.', '')+'0'  if version.split('.').count == 2
+    end
+    def detect_version
+      #
+      # 1. trying to detect wordpress version from homepage body meta generator
+      # tag
+      v_meta = ""
+      doc = Nokogiri::HTML(@homepage.body)
+      doc.xpath("//meta[@name='generator']/@content").each do |attr|
+        v_meta = attr.value.split(' ')[1]
+      end
+      #
+      # 2. trying to detect wordpress version from readme.html in the root
+      # directory
+      v_readme = ""
+      doc = Nokogiri::HTML(@readme_html.body)
+      v_readme = doc.at_css('h1').children.last.text.chop.lstrip.split(' ')[1]
+      v_rss = ""
+      rss_doc = Nokogiri::HTML(@homepage.body)
+      rss = Nokogiri::HTML(get(rss_doc.css('link[type="application/rss+xml"]').first.attr('href')).body)
+      v_rss= rss.css('generator').text.split('=')[1]
+      return {:version => v_meta, :accuracy => 1.0} if v_meta == v_readme && v_meta == v_rss
+      return {:version => v_meta, :accuracy => 0.8} if v_meta == v_readme || v_meta == v_rss
+    end
+    def get(page)
+      return get_http(page)   if @uri.scheme == "http"
+      return get_https(page)  if @uri.scheme == "https"
+    end
+    def is_valid?
+      return @valid
+    end
+    private
+    def get_http(page)
+      uri = URI.parse(page)
+      http = Net::HTTP.new(uri.host, uri.port)
+      request = Net::HTTP::Get.new(uri.request_uri)
+      return http.request(request)
+    end
+    def get_https(page)
+      uri = URI.parse(page)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      request = Net::HTTP::Get.new(uri.request_uri)
+      return http.request(request)
+    end
+  end
+end

data/lib/wordstress/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Wordstress
-  VERSION = "0.0.1"
+  VERSION = "0.10.0"
 end

data/lib/wordstress.rb CHANGED Viewed

@@ -1,5 +1,2 @@
+require "wordstress/site"
 require "wordstress/version"
-module Wordstress
-  # Your code goes here...
-end

data/wordstress.gemspec CHANGED Viewed

@@ -20,4 +20,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_dependency 'codesake-commons'
+  spec.add_dependency 'json'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wordstress
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Paolo Perego
@@ -38,10 +38,39 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: codesake-commons
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: wordstress is a security scanner for wordpress powered websites
 email:
 - thesp0nge@gmail.com
-executables: []
+executables:
+- wordstress
 extensions: []
 extra_rdoc_files: []
 files:
@@ -50,7 +79,9 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- bin/wordstress
 - lib/wordstress.rb
+- lib/wordstress/site.rb
 - lib/wordstress/version.rb
 - wordstress.gemspec
 homepage: https://github.com/thesp0nge/wordstress