wordstress 0.10.0 → 0.10.1

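--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 95999506c82f7c592ba1519d3135c0e374bb7d7d
- data.tar.gz: d98e8756e937c3ff926036ea34ab8111be6b030d
+ metadata.gz: fca228d6b31e82ce2fcbb2aabc92f8eabdcec8e0
+ data.tar.gz: b8b73ea2d080055c5bbe4f6db344d862897d173d
  SHA512:
- metadata.gz: d0e4d4519077f8a3beb10db5733d4ac98e68cc74a0eae589c4ae69fad7767233013f573d9ffdefeed2bd0b46b8a45d683aed1c5dc4b834ac6403702908e80d13
- data.tar.gz: 189f863ab0ced45cef88ca6c87eed227d59d376db85a57d158cc88e2f428a774a7dc9040536169e687d1e64c622a8c787d69ef5069643911cb462b39f22c88c4
+ metadata.gz: cc948a3e1e29d6be48b94e9ad5388aab286a088eed454ff0e30541a85e16dabe07dcf4cee90cae74d3a6ea9c4f5da88f4911292c100a7fc98be250b9f43df605
+ data.tar.gz: d448841ddd551e57d9f33ea141ad04d527261f307d05a9b54e3a4f33354b4576d1ebc5092808a99b7c795b82c542ab5925e68812d1c50bbea1d8c80e8bc4b05c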
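--- a/data/README.md
+++ b/data/README.md
@@ -22,6 +22,16 @@ smaller project.
  Another thing I don't like about wpscan is that isn't distributed as ruby gem.
  I want a security tool that follows 'the ruby way'.
 
+ Furthermore, wordstress is designed to be more accurate in whitebox testing.
+ During those years I was very upset as pentester with false positives about
+ themes and plugins and their version. Since an authenticated check is necessary
+ to match scan results with installed plugin (or theme) version, I tought it was
+ a better idea to start authenticated from the beginning.
+
+ Of course, wordstress will perform blackbox testing, trying to guess the
+ installed wordpress version and listing vulnerabilities taken from
+ [wpvulndb](https://wpvulndb.com).
+
  ## Killing features
 
  * A great knowledge base powered by [wpvulndb API](https://wpvulndb.com)
@@ -30,7 +40,8 @@ I want a security tool that follows 'the ruby way'.
  * SQL and CSV output. Suitable for script integration
  * Massive websites scan from text file
  * SSL server rating using [Qualys SSL Labs rating guide](https://www.ssllabs.com/projects/rating-guide/)
- * Whitebox testing using existing wordpress user
+ * Whitebox testing using existing wordpress user for template and themes
+ vulnerabilities.
 
 
  ## Installation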
data/bin/wordstress CHANGED
@@ -9,10 +9,12 @@ require 'wordstress'
9
9
  APPNAME = File.basename($0)
10
10
 
11
11
  $logger = Codesake::Commons::Logging.instance
12
+ @output_root = Dir.home + '/wordstress'
12
13
 
13
14
  opts = GetoptLong.new(
14
- [ '--version', '-v', GetoptLong::NO_ARGUMENT],
15
- [ '--help', '-h', GetoptLong::NO_ARGUMENT]
15
+ [ '--csv', '-C', GetoptLong::NO_ARGUMENT],
16
+ [ '--version', '-v', GetoptLong::NO_ARGUMENT],
17
+ [ '--help', '-h', GetoptLong::NO_ARGUMENT]
16
18
  )
17
19
 
18
20
  opts.quiet=true
@@ -36,16 +38,31 @@ end
36
38
  target=ARGV.shift
37
39
  $logger.helo APPNAME, Wordstress::VERSION
38
40
  $logger.toggle_syslog
41
+ @output_dir = @output_root + target_to_dirname(target)
42
+
43
+ unless Dir.exists?(@output_root)
44
+ $logger.ok "creating output dir #{@output_root}"
45
+ Dir.mkdir @output_root
46
+ end
47
+
48
+ unless Dir.exists?(@output_dir)
49
+ $logger.ok "
50
+ end
39
51
 
40
52
  trap("INT") { $logger.die('[INTERRUPTED]') }
41
53
  $logger.die("missing target") if target.nil?
42
54
 
43
55
  $logger.log "scanning #{target}"
44
56
  site = Wordstress::Site.new(target)
57
+
58
+ if site.version[:version] == "0.0.0"
59
+ $logger.err "can't detect wordpress version running on #{target}. Giving up!"
60
+ Kernel.exit(-2)
61
+ end
62
+
45
63
  $logger.ok "wordpress version #{site.version[:version]} detected"
46
64
  wp_vuln_hash = JSON.parse(site.wp_vuln_json)
47
65
  $logger.ok "#{wp_vuln_hash["wordpress"]["vulnerabilities"].size} vulnerabilities found due wordpress version"
48
66
  wp_vuln_hash["wordpress"]["vulnerabilities"].each do |v|
49
67
  $logger.log "#{v["id"]} - #{v["title"]}"
50
-
51
68
  end
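Review bot: The new `@output_dir = @output_root + target_to_dirname(target)` line runs before the existing `$logger.die("missing target") if target.nil?` guard a few lines below, so an invocation without a target reaches the helper with nil instead of printing the intended error; the guard should move above the assignment. The two parts are also joined without a separator, so a constructed target such as `http://example.com` would give a sibling of the root (`~/wordstressexample_com`) rather than a subdirectory; `@output_dir = File.join(@output_root, target_to_dirname(target))` avoids that. As far as this diff shows, `target_to_dirname` is added as an instance method of `Wordstress::Utils`, so the bare call from the script would likely raise NoMethodError unless it is exposed somewhere not visible here. Since the directory is meant to store data about scanned targets, consider creating it owner-only, `Dir.mkdir @output_root, 0700`. The second `unless Dir.exists?(@output_dir)` block appears truncated on this page (`$logger.ok "`), so its body could not be reviewed.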
@@ -18,8 +18,8 @@ module Wordstress
18
18
  @homepage = get(@raw_name)
19
19
  @version = detect_version
20
20
 
21
- @wp_vuln_json = get_wp_vulnerabilities
22
-
21
+ @wp_vuln_json = get_wp_vulnerabilities unless @version[:version] == "0.0.0"
22
+ @wp_vuln_json = Hash.new.to_json if @version[:version] == "0.0.0"
23
23
  end
24
24
 
25
25
  def get_wp_vulnerabilities
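Review bot: The fallback `@wp_vuln_json = Hash.new.to_json` stores `"{}"`, so a caller that parses it and indexes `["wordpress"]["vulnerabilities"]`, as bin/wordstress does, gets nil and fails unless it checks the `"0.0.0"` sentinel first; only the script's new early exit protects it. A fallback with the expected shape is safer for other callers, for example `@wp_vuln_json = { "wordpress" => { "vulnerabilities" => [] } }.to_json`. The paired `unless`/`if` modifier lines would also read better as one `if`/`else` keyed on a named constant, since the `"0.0.0"` literal is repeated in the `detect_version` hunk below and in the script. The enclosing method starts above this hunk, so the rest of its flow is not visible.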
@@ -61,6 +61,9 @@ module Wordstress
61
61
 
62
62
  return {:version => v_meta, :accuracy => 1.0} if v_meta == v_readme && v_meta == v_rss
63
63
  return {:version => v_meta, :accuracy => 0.8} if v_meta == v_readme || v_meta == v_rss
64
+
65
+ # we failed detecting wordpress version
66
+ return {:version => "0.0.0", :accuracy => 0}
64
67
  end
65
68
 
66
69
  def get(page)
@@ -0,0 +1,10 @@
1
+ module Wordstress
2
+ class Utils
3
+
4
+ # Transform a given URL into a directory name to be used to store data
5
+ def target_to_dirname(target)
6
+ target.split("://")[1].gsub('.','_').gsub('/', '')
7
+ end
8
+
9
+ end
10
+ end
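Review bot: `target.split("://")[1]` is nil when the target is given without a scheme, so `target_to_dirname` raises NoMethodError on input the script has not rejected by that point. The directory name is built from user-supplied text by rewriting only `.` and `/`, which leaves characters such as `:`, `?` or `@` in the name and lets distinct targets collapse to the same directory. An allow-list is more predictable, for example `target.sub(%r{\A\w+://}, '').gsub(/[^A-Za-z0-9_-]/, '_')`. Because the method is declared as an instance method of `Utils`, callers need an instance to reach it; `def self.target_to_dirname(target)` would suit a stateless helper.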
@@ -1,3 +1,3 @@
1
1
  module Wordstress
2
- VERSION = "0.10.0"
2
+ VERSION = "0.10.1"
3
3
  end
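--- a/data/lib/wordstress.rb
+++ b/data/lib/wordstress.rb
@@ -1,2 +1,3 @@
+ require "wordstress/utils"
  require "wordstress/site"
  require "wordstress/version"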
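--- a/data/wordstress.gemspec
+++ b/data/wordstress.gemspec
@@ -23,4 +23,6 @@ Gem::Specification.new do |spec|
 
  spec.add_dependency 'codesake-commons'
  spec.add_dependency 'json'
+ spec.add_dependency 'ciphersurfer'
+
  end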
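Review bot: `spec.add_dependency 'ciphersurfer'` is added with no version constraint, which the generated metadata records as `>= 0`, so any future release of that gem is accepted at install time. Giving it a bound, e.g. `spec.add_dependency 'ciphersurfer', '~> <TESTED_VERSION>'` (placeholder for the version actually tested), keeps installs reproducible and limits exposure to an unexpected upstream release. No hunk in this diff requires or calls ciphersurfer, so it is worth confirming the runtime dependency is needed in this release.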
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wordstress
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.10.0
4
+ version: 0.10.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-11-04 00:00:00.000000000 Z
11
+ date: 2014-11-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -66,6 +66,20 @@ dependencies:
66
66
  - - ">="
67
67
  - !ruby/object:Gem::Version
68
68
  version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: ciphersurfer
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :runtime
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
69
83
  description: wordstress is a security scanner for wordpress powered websites
70
84
  email:
71
85
  - thesp0nge@gmail.com
@@ -82,6 +96,7 @@ files:
82
96
  - bin/wordstress
83
97
  - lib/wordstress.rb
84
98
  - lib/wordstress/site.rb
99
+ - lib/wordstress/utils.rb
85
100
  - lib/wordstress/version.rb
86
101
  - wordstress.gemspec
87
102
  homepage: https://github.com/thesp0nge/wordstress