wordstress 0.10.3 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 47711364bb49aa85f8a3e426d687bb3b628c69fa
-  data.tar.gz: 3c2d000a48d7a35bf7edfdbb6f0096dfa44aced1
+  metadata.gz: 559b014cd3100530e2a30f54da9bbebcd37530c4
+  data.tar.gz: 0398ef2797138d181fba62c84609456e5a1e4d76
 SHA512:
-  metadata.gz: 93e2d400927c84b8dc665e84a075f19616c7320a6e8fa4908c19942ca613cb08eec46e447dd0d8b0bc3679aa89f0c2d3935c78a7d4336b8e4662a142cb866f6f
-  data.tar.gz: 10d005cbc9ca7effc097869e19daa4f5d65bc54956320f18ba1125b650c40872d3824e4d3358e4a7f3de091f168e817acc8fc07cfee3b2b8d08b8d3733794a07
+  metadata.gz: a1c1a877d30ef0557957ac1bc2f56bedc33653e78cb16b0c014ba667a38fb5ef3b8572cfe93e09ba06f97e0980de749270f815034d914cf159bae93371d50ab9
+  data.tar.gz: 0b9cc780b6a570919b72aa637b6f86c00c63ac6a91fc3eac59c5f547113cc7232d70e42f2d9af01aca9da9444d388989f1ee0f356f2257babf30b23ceb03eaa0

data/.gitignore

@@ -1,4 +1,6 @@
 *.sw?
+plugins.db
+themes.db
 .rvmrc
 .DS_Store
 /.bundle/

data/Rakefile

@@ -1,2 +1,23 @@
 require "bundler/gem_tasks"
 
+namespace :import do
+  desc 'Import themes'
+  task :themes, :name do |t,args|
+    require 'wordstress/models/themes'
+    name = args.name
+    puts "reading themes from #{name}"
+    t = Wordstress::Models::Themes.new({:dbname=>"themes.db"})
+    t.import_from_file(name)
+  end
+
+  desc 'Import plugins'
+  task :plugins, :name do |t, args|
+    require 'wordstress/models/plugins'
+    name = args.name
+    puts "reading themes from #{name}"
+    p = Wordstress::Models::Plugins.new({:dbname=>"plugins.db"})
+    p.import_from_file(name)
+
+  end
+end
+

data/bin/wordstress

@@ -6,12 +6,22 @@ require 'codesake-commons'
 
 require 'wordstress'
 
+# Scanning modes for plugins and themes
+#   + gentleman: wordstress will try to fetch plugins and themes only using
+#     info in the HTML page (this is very polite but also very inaccurate).
+#   + interactive: wordstress will use a target installed plugin to fetch
+#     installed plugins and themes with their version
+#   + aggressive: wordstress will use enumeration to find installed plugins and
+#     themes. This will lead to false positives.
+MODES = [:gentleman,:interactive,:aggressive]
 APPNAME = File.basename($0)
 
 $logger  = Codesake::Commons::Logging.instance
 @output_root = File.join(Dir.home, '/wordstress')
+scanning_mode = :gentleman
 
 opts    = GetoptLong.new(
+  [ '--gentleman','-G',   GetoptLong::NO_ARGUMENT],
   [ '--csv',      '-C',   GetoptLong::NO_ARGUMENT],
   [ '--version',  '-v',   GetoptLong::NO_ARGUMENT],
   [ '--help',     '-h',   GetoptLong::NO_ARGUMENT]
@@ -53,7 +63,7 @@ trap("INT")   { $logger.die('[INTERRUPTED]') }
 $logger.die("missing target") if target.nil?
 
 $logger.log "scanning #{target}"
-site = Wordstress::Site.new(target)
+site = Wordstress::Site.new({:target=>target, :scanning_mode=>scanning_mode})
 
 if site.version[:version] == "0.0.0"
   $logger.err "can't detect wordpress version running on #{target}. Giving up!"
@@ -61,8 +71,29 @@ if site.version[:version] == "0.0.0"
 end
 
 $logger.ok "wordpress version #{site.version[:version]} detected"
-wp_vuln_hash = JSON.parse(site.wp_vuln_json)
-$logger.ok "#{wp_vuln_hash["wordpress"]["vulnerabilities"].size} vulnerabilities found due wordpress version"
-wp_vuln_hash["wordpress"]["vulnerabilities"].each do |v|
-  $logger.log "#{v["id"]} - #{v["title"]}"
+$logger.warn "scan mode is set to 'gentleman'. We are using only information found on resulting HTML. This can be lead to undetected plugins or themes" if site.scanning_mode == :gentleman
+if site.online?
+  wp_vuln_hash = JSON.parse(site.wp_vuln_json)
+  $logger.ok "#{wp_vuln_hash["wordpress"]["vulnerabilities"].size} vulnerabilities found due wordpress version"
+  wp_vuln_hash["wordpress"]["vulnerabilities"].each do |v|
+    $logger.log "#{v["id"]} - #{v["title"]}"
+  end
+else
+  $logger.err "it seems we are offline. wordstress can't reach https://wpvulndb.com"
+  $logger.err "wordpress can't enumerate vulnerabilities"
+end
+$logger.log "#{target} has #{site.themes.count} themes"
+site.themes.each do |t|
+  $logger.log "searching wpvulndb for theme #{t} vulnerabilities"
+  v = site.get_theme_vulnerabilities(t)
+  $logger.debug v
 end
+
+$logger.log "#{target} has #{site.plugins.count} plugins"
+site.plugins.each do |t|
+  $logger.log "searching wpvulndb for plugin #{t} vulnerabilities"
+  v = site.get_plugin_vulnerabilities(t)
+  $logger.debug v
+end
+
+$logger.bye

data/lib/wordstress/models/plugins.rb

@@ -0,0 +1,60 @@
+require 'data_mapper'
+require 'dm-sqlite-adapter'
+
+module Wordstress
+  module Models
+
+    class PluginInfo
+      include DataMapper::Resource
+
+      property :id,           Serial
+      property :revision,     Integer
+      property :created_at,   DateTime, :default=>DateTime.now
+      property :updated_at,   DateTime, :default=>DateTime.now
+    end
+
+    class Plugin
+      include DataMapper::Resource
+
+      property :id,           Serial
+      property :name,         String
+      property :link,         String
+      property :created_at,   DateTime, :default=>DateTime.now
+      property :updated_at,   DateTime, :default=>DateTime.now
+    end
+
+    class Plugins
+
+      def initialize(options={:dbname=>"plugins.db"})
+        DataMapper.setup(:default, "sqlite3://#{File.join(Dir.pwd, options[:dbname])}")
+        DataMapper.finalize
+        DataMapper.auto_migrate!
+      end
+
+      def import_from_file(filename)
+        doc = Nokogiri::HTML(File.read(filename))
+        title = doc.at_css('title').children.text
+
+        return nil unless title.include?"Revision"
+        revision = title.split("Revision ")[1].split(':')[0].to_i
+        links = doc.xpath('//li//a')
+
+        puts "Plugin SVN revision is: #{revision}"
+        puts "#{links.count} plugins found"
+
+        i = PluginInfo.new
+        i.revision = revision
+        i.save
+
+        links.each do |link|
+          p = Plugin.new
+          p.name = link.text.chop
+          p.link = 'https://plugins.svn.wordpress.org/'+link.attr('href')
+          p.save
+
+        end
+      end
+
+    end
+  end
+end

data/lib/wordstress/models/themes.rb

@@ -0,0 +1,62 @@
+require 'data_mapper'
+require 'dm-sqlite-adapter'
+
+module Wordstress
+  module Models
+
+    class Info
+      include DataMapper::Resource
+
+      property :id,           Serial
+      property :revision,     Integer
+      property :created_at,   DateTime, :default=>DateTime.now
+      property :updated_at,   DateTime, :default=>DateTime.now
+    end
+
+    class Theme
+      include DataMapper::Resource
+
+      property :id,           Serial
+      property :name,         String
+      property :link,         String
+      property :created_at,   DateTime, :default=>DateTime.now
+      property :updated_at,   DateTime, :default=>DateTime.now
+    end
+
+    class Themes
+
+      def initialize(options={:dbname=>"themes.db"})
+        DataMapper.setup(:default, "sqlite3://#{File.join(Dir.pwd, options[:dbname])}")
+        DataMapper.finalize
+        DataMapper.auto_migrate!
+      end
+
+      def import_from_file(filename)
+        doc = Nokogiri::HTML(File.read(filename))
+        title = doc.at_css('title').children.text
+
+        return nil unless title.include?"Revision"
+        revision = title.split("Revision ")[1].split(':')[0].to_i
+        links = doc.xpath('//li//a')
+
+
+        puts "Theme SVN revision is: #{revision}"
+        puts "#{links.count} themes found"
+
+        i = Info.new
+        i.revision = revision
+        i.save
+
+        links.each do |link|
+          # puts "-> #{link.attr('href')} - #{link.text.chop}"
+          t = Theme.new
+          t.name = link.text.chop
+          t.link = 'https://themes.svn.wordpress.org/'+link.attr('href')
+          t.save
+
+        end
+      end
+
+    end
+  end
+end

data/lib/wordstress/site.rb

@@ -3,27 +3,71 @@ require 'net/http'
 module Wordstress
   class Site
 
-    attr_reader :version, :wp_vuln_json
-    def initialize(name="")
+    attr_reader :version, :scanning_mode, :wp_vuln_json, :plugins, :themes, :themes_vuln_json
+
+    def initialize(options={:target=>"http://localhost", :scanning_mode=>:gentleman})
       begin
-        @uri      = URI(name)
-        @raw_name = name
+        @uri      = URI(options[:target])
+        @raw_name = options[:target]
         @valid    = true
       rescue
         @valid = false
       end
+      @scanning_mode = options[:scanning_mode]
 
       @robots_txt   = get(@raw_name + "/robots.txt")
       @readme_html  = get(@raw_name + "/readme.html")
       @homepage     = get(@raw_name)
       @version      = detect_version
+      @online       = true
 
       @wp_vuln_json = get_wp_vulnerabilities  unless @version[:version] == "0.0.0"
       @wp_vuln_json = Hash.new.to_json        if @version[:version] == "0.0.0"
+
+      @plugins      = find_plugins
+      @themes       = find_themes
+      # @themes_vuln_json = get_themes_vulnerabilities
+    end
+
+    def get_themes_vulnerabilities
+      vuln = []
+      @themes.each do |t|
+        vuln << {:theme=>t, :vulns=>get_theme_vulnerabilities(t)}
+      end
+    end
+
+    def get_plugin_vulnerabilities(theme)
+      begin
+        json= get_https("https://wpvulndb.com/api/v1/plugins/#{theme}").body
+        return "Plugin #{theme} is not present on wpvulndb.com" if json.include?"The page you were looking for doesn't exist (404)"
+        return json
+      rescue => e
+        $logger.err e.message
+        @online = false
+        return []
+      end
+    end
+
+    def get_theme_vulnerabilities(theme)
+      begin
+        json=get_https("https://wpvulndb.com/api/v1/themes/#{theme}").body
+        return "Theme #{theme} is not present on wpvulndb.com" if json.include?"The page you were looking for doesn't exist (404)"
+        return json
+      rescue => e
+        $logger.err e.message
+        @online = false
+        return []
+      end
     end
 
     def get_wp_vulnerabilities
-      get_https("https://wpvulndb.com/api/v1/wordpresses/#{version_pad(@version[:version])}").body
+      begin
+        return get_https("https://wpvulndb.com/api/v1/wordpresses/#{version_pad(@version[:version])}").body
+      rescue => e
+        $logger.err e.message
+        @online = false
+        return ""
+      end
     end
 
     def version_pad(version)
@@ -74,8 +118,66 @@ module Wordstress
     def is_valid?
       return @valid
     end
+    def online?
+      return @online
+    end
+
+    def find_themes
+      return find_themes_gentleman if @scanning_mode == :gentleman
+      return []
+    end
+    def find_plugins
+      return find_plugins_gentleman if @scanning_mode == :gentleman
+
+      # bruteforce check must start with error page discovery.
+      # the idea is to send 2 random plugin names (e.g. 2 sha256 of time seed)
+      # and see how webserver answers and then understand if we can rely on a
+      # pattern for the error page.
+      return []
+    end
 
     private
+    def find_themes_gentleman
+      ret = []
+      doc = Nokogiri::HTML(@homepage.body)
+      doc.css('link').each do |link|
+        if link.attr('href').include?("wp-content/themes")
+        theme = theme_name(link.attr('href'))
+        ret << theme if ret.index(theme).nil?
+        end
+      end
+      ret
+    end
+
+    def theme_name(url)
+      url.match(/\/wp-content\/themes\/(\w)+/)[0].split('/').last
+    end
+    def plugin_name(url)
+      url.match(/\/wp-content\/plugins\/(\w)+/)[0].split('/').last
+    end
+
+    def find_plugins_gentleman
+      ret = []
+      doc = Nokogiri::HTML(@homepage.body)
+      doc.css('script').each do |link|
+        if ! link.attr('src').nil?
+          if link.attr('src').include?("wp-content/plugins")
+          plugin = plugin_name(link.attr('src'))
+          ret << plugin if ret.index(plugin).nil?
+          end
+        end
+      end
+      doc.css('link').each do |link|
+        if link.attr('href').include?("wp-content/plugins")
+        plugin = plugin_name(link.attr('href'))
+        ret << plugin if ret.index(plugin).nil?
+        end
+
+      end
+
+      ret
+    end
+
     def get_http(page)
       uri = URI.parse(page)
       http = Net::HTTP.new(uri.host, uri.port)

data/lib/wordstress/version.rb

@@ -1,3 +1,3 @@
 module Wordstress
-  VERSION = "0.10.3"
+  VERSION = "0.15.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wordstress
 version: !ruby/object:Gem::Version
-  version: 0.10.3
+  version: 0.15.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-25 00:00:00.000000000 Z
+date: 2014-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -95,6 +95,8 @@ files:
 - Rakefile
 - bin/wordstress
 - lib/wordstress.rb
+- lib/wordstress/models/plugins.rb
+- lib/wordstress/models/themes.rb
 - lib/wordstress/site.rb
 - lib/wordstress/utils.rb
 - lib/wordstress/version.rb