wpscan 3.0.8 → 3.1.0

data/app/finders/plugins/urls_in_homepage.rb

@@ -2,6 +2,8 @@ module WPScan
   module Finders
     module Plugins
       # URLs In Homepage Finder
+      # Typically, the items detected from URLs like
+      # /wp-content/plugins/<slug>/
       class UrlsInHomepage < CMSScanner::Finders::Finder
         include WpItems::URLsInHomepage
 
@@ -11,14 +13,8 @@ module WPScan
         def passive(opts = {})
           found = []
 
-          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |name|
-            found << Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 80))
-          end
-
-          DB::DynamicPluginFinders.urls_in_page.each do |name, config|
-            next unless target.homepage_res.html.xpath(config['xpath']).any?
-
-            found << Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 100))
+          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
+            found << Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found

data/app/finders/plugins/xpath.rb

@@ -0,0 +1,29 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Xpath'
+      class Xpath < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath']).each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/theme_version.rb

@@ -21,7 +21,7 @@ module WPScan
         #
         # @param [ WPScan::Theme ] theme
         def load_specific_finders(theme)
-          module_name = theme.classify_name.to_sym
+          module_name = theme.classify
 
           return unless Finders::ThemeVersion.constants.include?(module_name)
 

data/app/finders/theme_version/woo_framework_meta_generator.rb

@@ -7,9 +7,9 @@ module WPScan
         #
         # @return [ Version ]
         def passive(_opts = {})
-          return unless target.target.homepage_res.body =~ Finders::MainTheme::WooFrameworkMetaGenerator::PATTERN
+          return unless target.blog.homepage_res.body =~ Finders::MainTheme::WooFrameworkMetaGenerator::PATTERN
 
-          return unless Regexp.last_match[1] == target.name
+          return unless Regexp.last_match[1] == target.slug
 
           WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
         end

data/app/finders/themes/known_locations.rb

@@ -12,12 +12,12 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts) do |res, name|
+          enumerate(target_urls(opts), opts) do |res, slug|
             # TODO: follow the location (from enumerate()) and remove the 301 here ?
             # As a result, it might remove false positive due to redirection to the homepage
             next unless [200, 401, 403, 301].include?(res.code)
 
-            found << WPScan::Theme.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found
@@ -28,12 +28,12 @@ module WPScan
         #
         # @return [ Hash ]
         def target_urls(opts = {})
-          names       = opts[:list] || DB::Themes.vulnerable_slugs
+          slugs       = opts[:list] || DB::Themes.vulnerable_slugs
           urls        = {}
           themes_url  = target.url('wp-content/themes/')
 
-          names.each do |name|
-            urls["#{themes_url}#{URI.encode(name)}/"] = name
+          slugs.each do |slug|
+            urls["#{themes_url}#{URI.encode(slug)}/"] = slug
           end
 
           urls

data/app/finders/themes/urls_in_homepage.rb

@@ -11,8 +11,8 @@ module WPScan
         def passive(opts = {})
           found = []
 
-          (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |name|
-            found << WPScan::Theme.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+          (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
+            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found

data/app/finders/users/login_error_messages.rb

@@ -17,10 +17,7 @@ module WPScan
           found = []
 
           usernames(opts).each do |username|
-            res = target.do_login(username, SecureRandom.hex[0, 8])
-
-            return found unless res.code == 200
-
+            res   = target.do_login(username, SecureRandom.hex[0, 8])
             error = res.html.css('div#login_error').text.strip
 
             return found if error.empty? # Protection plugin / error disabled

data/app/finders/users/wp_json_api.rb

@@ -12,7 +12,7 @@ module WPScan
         def aggressive(_opts = {})
           found = []
 
-          JSON.parse(Browser.get(api_url).body).each do |user|
+          JSON.parse(Browser.get(api_url).body)&.each do |user|
             found << WPScan::User.new(user['slug'],
                                       id: user['id'],
                                       found_by: found_by,
@@ -21,7 +21,7 @@ module WPScan
           end
 
           found
-        rescue JSON::ParserError
+        rescue JSON::ParserError, TypeError
           found
         end
 

data/app/finders/wp_items/urls_in_homepage.rb

@@ -30,7 +30,7 @@ module WPScan
             code = tag.text.to_s
             next if code.empty?
 
-            code.scan(item_code_pattern(type)).flatten.uniq.each { |name| found << name }
+            code.scan(item_code_pattern(type)).flatten.uniq.each { |slug| found << slug }
           end
 
           uniq ? found.uniq.sort : found.sort

data/app/finders/wp_version.rb

@@ -1,17 +1,23 @@
-require_relative 'wp_version/meta_generator'
 require_relative 'wp_version/rss_generator'
 require_relative 'wp_version/atom_generator'
 require_relative 'wp_version/rdf_generator'
 require_relative 'wp_version/readme'
-require_relative 'wp_version/sitemap_generator'
-require_relative 'wp_version/opml_generator'
-require_relative 'wp_version/homepage_stylesheet_numbers'
-require_relative 'wp_version/install_stylesheet_numbers'
-require_relative 'wp_version/upgrade_stylesheet_numbers'
 require_relative 'wp_version/unique_fingerprinting'
 
 module WPScan
   module Finders
+    # Specific Finders container to filter the version detected
+    # and remove the one with low confidence to avoid false
+    # positive when there is not enought information to accurately
+    # determine it.
+    class WpVersionFinders < UniqueFinders
+      def filter_findings
+        best_finding = super
+
+        best_finding && best_finding.confidence >= 40 ? best_finding : false
+      end
+    end
+
     module WpVersion
       # Wp Version Finder
       class Base
@@ -19,18 +25,15 @@ module WPScan
 
         # @param [ WPScan::Target ] target
         def initialize(target)
-          finders <<
-            WpVersion::MetaGenerator.new(target) <<
-            WpVersion::RSSGenerator.new(target) <<
-            WpVersion::AtomGenerator.new(target) <<
-            WpVersion::HomepageStylesheetNumbers.new(target) <<
-            WpVersion::InstallStylesheetNumbers.new(target) <<
-            WpVersion::UpgradeStylesheetNumbers.new(target) <<
-            WpVersion::RDFGenerator.new(target) <<
-            WpVersion::Readme.new(target) <<
-            WpVersion::SitemapGenerator.new(target) <<
-            WpVersion::OpmlGenerator.new(target) <<
-            WpVersion::UniqueFingerprinting.new(target)
+          (WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
+            %w[RSSGenerator AtomGenerator RDFGenerator Readme UniqueFingerprinting]
+          ).each do |finder_name|
+            finders << WpVersion.const_get(finder_name.to_sym).new(target)
+          end
+        end
+
+        def finders
+          @finders ||= Finders::WpVersionFinders.new
         end
       end
     end

data/app/models/plugin.rb

@@ -2,15 +2,15 @@ module WPScan
   # WordPress Plugin
   class Plugin < WpItem
     # See WpItem
-    def initialize(name, target, opts = {})
-      super(name, target, opts)
+    def initialize(slug, blog, opts = {})
+      super(slug, blog, opts)
 
-      @uri = Addressable::URI.parse(target.url("wp-content/plugins/#{name}/"))
+      @uri = Addressable::URI.parse(blog.url("wp-content/plugins/#{slug}/"))
     end
 
     # @return [ JSON ]
     def db_data
-      DB::Plugin.db_data(name)
+      DB::Plugin.db_data(slug)
     end
 
     # @param [ Hash ] opts

data/app/models/theme.rb

@@ -5,10 +5,10 @@ module WPScan
                 :license, :license_uri, :tags, :text_domain
 
     # See WpItem
-    def initialize(name, target, opts = {})
-      super(name, target, opts)
+    def initialize(slug, blog, opts = {})
+      super(slug, blog, opts)
 
-      @uri       = Addressable::URI.parse(target.url("wp-content/themes/#{name}/"))
+      @uri       = Addressable::URI.parse(blog.url("wp-content/themes/#{slug}/"))
       @style_url = opts[:style_url] || url('style.css')
 
       parse_style
@@ -16,7 +16,7 @@ module WPScan
 
     # @return [ JSON ]
     def db_data
-      DB::Theme.db_data(name)
+      DB::Theme.db_data(slug)
     end
 
     # @param [ Hash ] opts
@@ -39,7 +39,7 @@ module WPScan
         confidence: 100
       ).merge(version_detection: version_detection_opts)
 
-      self.class.new(template, target, opts)
+      self.class.new(template, blog, opts)
     end
 
     # @param [ Integer ] depth
@@ -89,7 +89,7 @@ module WPScan
     def parse_style_tag(body, tag)
       value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
 
-      value && !value.strip.empty? ? value.strip : nil # rubocop:disable Style/SafeNavigation
+      value && !value.strip.empty? ? value.strip : nil
     end
 
     def ==(other)

data/app/models/timthumb.rb

@@ -18,9 +18,7 @@ module WPScan
     #
     # @return [ WPScan::Version, false ]
     def version(opts = {})
-      if @version.nil?
-        @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts))
-      end
+      @version = Finders::TimthumbVersion::Base.find(self, version_detection_opts.merge(opts)) if @version.nil?
 
       @version
     end

data/app/models/wp_item.rb

@@ -9,20 +9,22 @@ module WPScan
     READMES    = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
     CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze
 
-    attr_reader :uri, :name, :detection_opts, :version_detection_opts, :target, :db_data
+    attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data
 
-    # @param [ String ] name The plugin/theme name
-    # @param [ Target ] target The targeted blog
+    delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog
+
+    # @param [ String ] slug The plugin/theme slug
+    # @param [ Target ] blog The targeted blog
     # @param [ Hash ] opts
     # @option opts [ Symbol ] :mode The detection mode to use
     # @option opts [ Hash ]   :version_detection The options to use when looking for the version
     # @option opts [ String ] :url The URL of the item
-    def initialize(name, target, opts = {})
-      @name           = URI.decode(name)
-      @target         = target
-      @uri            = Addressable::URI.parse(opts[:url]) if opts[:url]
+    def initialize(slug, blog, opts = {})
+      @slug  = URI.decode(slug)
+      @blog  = blog
+      @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
 
-      @detection_opts = { mode: opts[:mode] }
+      @detection_opts         = { mode: opts[:mode] }
       @version_detection_opts = opts[:version_detection] || {}
 
       parse_finding_options(opts)
@@ -95,18 +97,16 @@ module WPScan
 
     # @return [ Boolean ]
     def ==(other)
-      return false unless self.class == other.class
-
-      name == other.name
+      self.class == other.class && slug == other.slug
     end
 
     def to_s
-      name
+      slug
     end
 
-    # @return [ Symbol ] The Class name associated to the item name
-    def classify_name
-      name.to_s.tr('-', '_').camelize.to_s.to_sym
+    # @return [ Symbol ] The Class symbol associated to the item
+    def classify
+      @classify ||= classify_slug(slug)
     end
 
     # @return [ String ] The readme url if found

data/app/views/json/enumeration/plugins.erb

@@ -2,7 +2,7 @@
 <% unless @plugins.empty? -%>
 <% last_index = @plugins.size - 1 -%>
 <% @plugins.each_with_index do |plugin, index| -%>
-  <%= plugin.name.to_json %>: {
+  <%= plugin.slug.to_json %>: {
     <%= render('@wp_item', wp_item: plugin) %>,
     <%= render('@finding', item: plugin) -%>,
     <% if plugin.version -%>

data/app/views/json/enumeration/themes.erb

@@ -2,7 +2,7 @@
 <% unless @themes.empty? -%>
 <% last_index = @themes.size - 1 -%>
 <% @themes.each_with_index do |theme, index| -%>
-  <%= theme.name.to_json %>: {
+  <%= theme.slug.to_json %>: {
     <%= render('@theme', theme: theme) -%>
   }<% unless index == last_index -%>,<% end -%>
 <% end -%>

data/app/views/json/wp_item.erb

@@ -1,4 +1,4 @@
-"name": <%= @wp_item.name.to_json %>,
+"slug": <%= @wp_item.slug.to_json %>,
 "location": <%= @wp_item.url.to_json %>,
 "latest_version": <%= @wp_item.latest_version ? @wp_item.latest_version.number.to_json : nil.to_json %>,
 "last_updated": <%= @wp_item.last_updated.to_json %>,

data/bin/wpscan

@@ -9,7 +9,8 @@ WPScan::Scan.new do |s|
     WPScan::Controller::WpVersion.new <<
     WPScan::Controller::MainTheme.new <<
     WPScan::Controller::Enumeration.new <<
-    WPScan::Controller::BruteForce.new
+    WPScan::Controller::BruteForce.new <<
+    WPScan::Controller::Aliases.new
 
   s.run
 end

data/lib/wpscan/db.rb

@@ -1,10 +1,14 @@
-require 'wpscan/db/wp_item'
-require 'wpscan/db/updater'
-require 'wpscan/db/wp_items'
-require 'wpscan/db/plugins'
-require 'wpscan/db/themes'
-require 'wpscan/db/plugin'
-require 'wpscan/db/theme'
-require 'wpscan/db/wp_version'
-require 'wpscan/db/fingerprints'
-require 'wpscan/db/dynamic_finders'
+require_relative 'db/wp_item'
+require_relative 'db/updater'
+require_relative 'db/wp_items'
+require_relative 'db/plugins'
+require_relative 'db/themes'
+require_relative 'db/plugin'
+require_relative 'db/theme'
+require_relative 'db/wp_version'
+require_relative 'db/fingerprints'
+
+require_relative 'db/dynamic_finders/base'
+require_relative 'db/dynamic_finders/plugin'
+require_relative 'db/dynamic_finders/theme'
+require_relative 'db/dynamic_finders/wordpress'

data/lib/wpscan/db/dynamic_finders/base.rb

@@ -0,0 +1,41 @@
+module WPScan
+  module DB
+    module DynamicFinders
+      class Base
+        # @return [ String ]
+        def self.db_file
+          @db_file ||= File.join(DB_DIR, 'dynamic_finders.yml')
+        end
+
+        # @return [ Hash ]
+        def self.db_data
+          # true allows aliases to be loaded
+          @db_data ||= YAML.safe_load(File.read(db_file), [Regexp], [], true)
+        end
+
+        # @return [ Array<Symbol> ]
+        def self.allowed_classes
+          @allowed_classes ||= %i[Comment Xpath HeaderPattern BodyPattern JavascriptVar QueryParameter ConfigParser]
+        end
+
+        # @param [ Symbol ] sym
+        def self.method_missing(sym)
+          super unless sym =~ /\A(passive|aggressive)_(.*)_finder_configs\z/i
+
+          finder_class = Regexp.last_match[2].camelize.to_sym
+
+          raise "#{finder_class} is not allowed as a Dynamic Finder" unless allowed_classes.include?(finder_class)
+
+          finder_configs(
+            finder_class,
+            Regexp.last_match[1] == 'aggressive'
+          )
+        end
+
+        def self.respond_to_missing?(sym, *_args)
+          sym =~ /\A(passive|aggressive)_(.*)_finder_configs\z/i
+        end
+      end
+    end
+  end
+end