wpscan 3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 537ba09b3dc99b6f649528a6a3d65028a8d0e6e4
+  data.tar.gz: cf6709c4f5ca16f3818a1ccf40a75d5947273d26
+SHA512:
+  metadata.gz: 3b90b3cf872ef7c32a011f4e53a20eb5300613f21b18c66ec34871a736d499dc0fad551201f90de2069244a2a78d971041094cd1be89ae0e6b5168d048f9da26
+  data.tar.gz: ef27c3536fe5306dc4d2e987d627b05a9b4bf5bd604408b359fcdebe48b4ba1ac49c4e15d2ae9e45095da7b954983e88cef52b2335bad94bdb94cb2490b090e1

data/Gemfile.lock

@@ -0,0 +1,139 @@
+PATH
+  remote: .
+  specs:
+    wpscan (3.0)
+      activesupport (~> 5.0.1.0)
+      cms_scanner (~> 0.0.37.7)
+      dm-constraints (~> 1.2.0)
+      dm-core (~> 1.2.0)
+      dm-migrations (~> 1.2.0)
+      dm-sqlite-adapter (~> 1.2.0)
+      yajl-ruby (~> 1.3.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.5.0)
+      public_suffix (~> 2.0, >= 2.0.2)
+    ast (2.3.0)
+    cms_scanner (0.0.37.7)
+      activesupport (~> 5.0.1)
+      addressable (~> 2.5.0)
+      nokogiri (~> 1.7.0.1)
+      opt_parse_validator (~> 0.0.13.5)
+      public_suffix (~> 2.0.3)
+      ruby-progressbar (~> 1.8.1)
+      typhoeus (~> 1.1.0)
+      yajl-ruby (~> 1.3.0)
+    concurrent-ruby (1.0.4)
+    coveralls (0.8.19)
+      json (>= 1.8, < 3)
+      simplecov (~> 0.12.0)
+      term-ansicolor (~> 1.3)
+      thor (~> 0.19.1)
+      tins (~> 1.6)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    data_objects (0.10.17)
+      addressable (~> 2.1)
+    diff-lcs (1.3)
+    dm-constraints (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-core (1.2.1)
+      addressable (~> 2.3)
+    dm-do-adapter (1.2.0)
+      data_objects (~> 0.10.6)
+      dm-core (~> 1.2.0)
+    dm-migrations (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-sqlite-adapter (1.2.0)
+      dm-do-adapter (~> 1.2.0)
+      do_sqlite3 (~> 0.10.6)
+    do_sqlite3 (0.10.17)
+      data_objects (= 0.10.17)
+    docile (1.1.5)
+    ethon (0.10.1)
+      ffi (>= 1.3.0)
+    ffi (1.9.17)
+    hashdiff (0.3.2)
+    i18n (0.7.0)
+    json (2.0.3)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    nokogiri (1.7.0.1)
+      mini_portile2 (~> 2.1.0)
+    opt_parse_validator (0.0.13.5)
+      activesupport (~> 5.0.1)
+      addressable (~> 2.5.0)
+    parser (2.3.3.1)
+      ast (~> 2.2)
+    powerpack (0.1.1)
+    public_suffix (2.0.5)
+    rainbow (2.2.1)
+    rake (12.0.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    rubocop (0.47.1)
+      parser (>= 2.3.3.1, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.8.1)
+    safe_yaml (1.0.4)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    term-ansicolor (1.4.0)
+      tins (~> 1.0)
+    thor (0.19.4)
+    thread_safe (0.3.5)
+    tins (1.13.0)
+    typhoeus (1.1.2)
+      ethon (>= 0.9.0)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.1.3)
+    webmock (1.22.6)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+    yajl-ruby (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.6)
+  coveralls (~> 0.8.0)
+  rake (~> 12.0)
+  rspec (~> 3.5.0)
+  rspec-its (~> 1.2.0)
+  rubocop (~> 0.47.1)
+  simplecov (~> 0.12.0)
+  webmock (~> 1.22.0)
+  wpscan!
+
+BUNDLED WITH
+   1.14.3

data/LICENSE

@@ -0,0 +1,74 @@
+WPScan Public Source License
+
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2017 WPScan Team.
+
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
+
+1. Definitions
+
+1.1 “License” means this document.
+1.2 “Contributor” means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+1.3 “WPScan Team” means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+
+2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using WPScan to provide commercial managed/Software-as-a-Service services.
+ - Distributing WPScan as a commercial product or as part of one.
+ - Using WPScan as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using WPScan to test your own systems.
+ - Any non-commercial use of WPScan.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+
+Free-use Terms and Conditions;
+
+3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with WPScan.
+ - Unmodified Copyright notices are provided with WPScan.
+ - Does not conflict with the commercialization clause.
+
+4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+6. Contributions
+
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+7. Support
+
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+
+8. Disclaimer of Warranty
+
+WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+9. Limitation of Liability
+
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+
+10. Disclaimer
+
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
+
+11. Trademark
+
+The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.

data/README.md

@@ -0,0 +1,146 @@
+![alt text](https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/wpscan_logo_407x80.png "WPScan - WordPress Security Scanner") v3 BETA
+
+# LICENSE
+
+## WPScan Public Source License
+
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2017 WPScan Team.
+
+Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
+
+### 1. Definitions
+
+1.1 "License" means this document.
+
+1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
+
+1.3 "WPScan Team" means WPScan’s core developers, an updated list of whom can be found within the CREDITS file.
+
+### 2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using WPScan to provide commercial managed/Software-as-a-Service services.
+ - Distributing WPScan as a commercial product or as part of one.
+ - Using WPScan as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using WPScan to test your own systems.
+ - Any non-commercial use of WPScan.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the WPScan Team to significantly benefit WPScan.
+
+Free-use Terms and Conditions;
+
+### 3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with WPScan.
+ - Unmodified Copyright notices are provided with WPScan.
+ - Does not conflict with the commercialization clause.
+
+### 4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+### 5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+### 6. Contributions
+
+Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+### 7. Support
+
+WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.
+
+### 8. Disclaimer of Warranty
+
+WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+### 9. Limitation of Liability
+
+To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.
+
+### 10. Disclaimer
+
+Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.
+
+### 11. Trademark
+
+The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.
+
+# INSTALL
+
+## Prerequisites:
+
+- Ruby >= 2.2.2 - Recommended: 2.3.3
+- Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
+- RubyGems      - Recommended: latest
+
+
+### From RubyGems:
+
+```gem install wpscan```
+
+### From sources:
+
+Prerequisites: Git
+
+```git clone https://bitbucket.org/wpscan/wpscan-v3```
+
+```cd wpscan```
+
+```bundle install && rake install```
+
+# Docker
+
+Pull the repo with ```docker pull wpscanteam/wpscan-v3```
+
+# Usage
+
+Open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
+
+The DB is located at ~/.wpscan/db
+
+WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
+
+* ~/.wpscan/cli_options.json
+* ~/.wpscan/cli_options.yml
+* pwd/.wpscan/cli_options.json
+* pwd/.wpscan/cli_options.yml
+
+If those files exist, options from them will be loaded and overridden if found twice.
+
+e.g:
+
+~/.wpscan/cli_options.yml:
+```
+proxy: 'http://127.0.0.1:8080'
+verbose: true
+```
+
+pwd/.wpscan/cli_options.yml:
+```
+proxy: 'socks5://127.0.0.1:9090'
+url: 'http://target.tld'
+```
+
+Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
+
+# PROJECT HOME
+
+[https://wpscan.org](https://wpscan.org)
+
+# VULNERABILITY DATABASE
+
+[https://wpvulndb.com](https://wpvulndb.com)

data/app/app.rb

@@ -0,0 +1,3 @@
+require_relative 'models'
+require_relative 'finders'
+require_relative 'controllers'

data/app/controllers.rb

@@ -0,0 +1,6 @@
+require_relative 'controllers/core'
+require_relative 'controllers/custom_directories'
+require_relative 'controllers/wp_version'
+require_relative 'controllers/main_theme'
+require_relative 'controllers/enumeration'
+require_relative 'controllers/brute_force'

data/app/controllers/brute_force.rb

@@ -0,0 +1,126 @@
+module WPScan
+  module Controller
+    # Brute Force Controller
+    class BruteForce < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptFilePath.new(
+            ['--passwords FILE-PATH', '-P',
+             'List of passwords to use during the brute forcing.',
+             'If no --username/s option supplied, user enumeration will be run'],
+            exists: true
+          ),
+          OptString.new(['--username USERNAME', '-u', 'The username to brute force']),
+          OptFilePath.new(
+            ['--usernames FILE-PATH', '-U', 'List of usernames to use during the brute forcing'],
+            exists: true
+          )
+        ]
+      end
+
+      def run
+        return unless parsed_options[:passwords]
+
+        begin
+          found = []
+
+          brute_force(users, passwords(parsed_options[:passwords])) do |user|
+            found << user
+
+            output('found', user: user) if user_interaction?
+          end
+        ensure
+          output('users', users: found)
+        end
+      end
+
+      # @return [ Array<Users> ] The users to brute force
+      def users
+        return target.users unless parsed_options[:usernames] || parsed_options[:username]
+
+        if parsed_options[:username]
+          [User.new(parsed_options[:username])]
+        else
+          File.open(parsed_options[:usernames]).reduce([]) do |acc, elem|
+            acc << User.new(elem.chomp)
+          end
+        end
+      end
+
+      # the iteration should be on the passwords to be more efficient
+      # however, it's not that simple expecially when a combination is found:
+      #  - the estimated number of requests (for the progressbar) has to be updated.
+      #  - the user found has to be deleted from the loop
+      #
+      # @param [ Array<User> ] users
+      # @param [ Array<String> ] passwords
+      #
+      # @yield [ User ] when a valid combination is found
+      # rubocop:disable all
+      def brute_force(users, passwords)
+        hydra = Browser.instance.hydra
+
+        users.each do |user|
+          bar = progress_bar(passwords.size, user.username) if user_interaction?
+
+          passwords.each do |password|
+            request = target.login_request(user.username, password)
+
+            request.on_complete do |res|
+              bar.progress += 1 if user_interaction?
+
+              if res.code == 302
+                user.password = password
+                hydra.abort
+
+                yield user
+                next
+              elsif user_interaction? && res.code != 200
+                # Errors not displayed when using formats other than cli/cli-no-colour
+                output_error(res)
+              end
+            end
+
+            hydra.queue(request)
+          end
+          hydra.run
+        end
+      end
+      # rubocop:enable all
+
+      def progress_bar(size, username)
+        ProgressBar.create(
+          format: '%t %a <%B> (%c / %C) %P%% %e',
+          title: "Brute Forcing #{username}",
+          total: size
+        )
+      end
+
+      # @param [ String ] wordlist_path
+      #
+      # @return [ Array<String> ]
+      def passwords(wordlist_path)
+        @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
+          acc << elem.chomp
+        end
+      end
+
+      # @param [ Typhoeus::Response ] response
+      def output_error(response)
+        return if response.body =~ /login_error/i
+
+        error = if response.timed_out?
+                  'Request timed out.'
+                elsif response.code.zero?
+                  "No response from remote server. WAF/IPS? (#{response.return_message})"
+                elsif response.code.to_s =~ /^50/
+                  'Server error, try reducing the number of threads.'
+                else
+                  "Unknown response received Code: #{response.code}\n Body: #{response.body}"
+                end
+
+        output('error', msg: error)
+      end
+    end
+  end
+end