wpscan 3.0.8 → 3.1.0

data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb

@@ -0,0 +1,56 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module Version
+        # Version finder using JavaScript Variable method
+        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::Finder
+          # @return [ Hash ]
+          def self.child_class_constants
+            @child_class_constants ||= super().merge(
+              XPATH: '//script[not(@src)]', VERSION_KEY: nil,
+              PATTERN: nil, CONFIDENCE: 60
+            )
+          end
+
+          # @param [ Typhoeus::Response ] response
+          # @param [ Hash ] opts
+          # @return [ Version ]
+          def find(response, _opts = {})
+            target.xpath_pattern_from_page(
+              self.class::XPATH, self.class::PATTERN, response
+            ) do |match_data, _node|
+              next unless (version_number = version_number_from_match_data(match_data))
+
+              # If the text to be output in the interesting_entries is > 50 chars,
+              # get 20 chars before and after (when possible) the detected version instead
+              match = match_data.to_s
+              match = match[/.*?(.{,20}#{Regexp.escape(version_number)}.{,20}).*/, 1] if match.size > 50
+
+              return create_version(
+                version_number,
+                interesting_entries: ["#{response.effective_url}, Match: '#{match.strip}'"]
+              )
+            end
+            nil
+          end
+
+          # @param [ MatchData ] match_data
+          # @return [ String ]
+          def version_number_from_match_data(match_data)
+            if self.class::VERSION_KEY
+              begin
+                json = JSON.parse("{#{match_data[:json].strip.tr("'", '"')}}")
+              rescue JSON::ParserError
+                return
+              end
+
+              json.dig(*self.class::VERSION_KEY.split(':'))
+            else
+              match_data[:v]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb

@@ -0,0 +1,62 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module Version
+        # Version finder using QueryParameter method
+        class QueryParameter < WPScan::Finders::DynamicFinder::Version::Finder
+          # @return [ Hash ]
+          def self.child_class_constants
+            @child_class_constants ||= super().merge(
+              XPATH: nil, FILES: nil, PATTERN: /(?:v|ver|version)\=(?<v>\d+\.[\.\d]+)/i, CONFIDENCE_PER_OCCURENCE: 10
+            )
+          end
+
+          # @param [ Typhoeus::Response ] response
+          # @param [ Hash ] opts
+          # @return [ Array<Version>, nil ]
+          def find(response, _opts = {})
+            found = []
+
+            scan_response(response).each do |version_number, occurences|
+              found << create_version(
+                version_number,
+                confidence: self.class::CONFIDENCE_PER_OCCURENCE * occurences.size,
+                interesting_entries: occurences
+              )
+            end
+
+            found.compact
+          end
+
+          # @param [ Typhoeus::Response ] response
+          # @return [ Hash ]
+          def scan_response(response)
+            found = {}
+
+            target.in_scope_urls(response, xpath) do |url, _tag|
+              uri = Addressable::URI.parse(url)
+
+              next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
+              version = Regexp.last_match[:v].to_s
+
+              found[version] ||= []
+              found[version] << url
+            end
+
+            found
+          end
+
+          # @return [ String ]
+          def xpath
+            @xpath ||= self.class::XPATH || '//link[@href]|//script[@src]'
+          end
+
+          # @return [ Regexp ]
+          def path_pattern
+            @path_pattern ||= %r{/(?:#{self.class::FILES.join('|')})\z}i
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/version/xpath.rb

@@ -0,0 +1,34 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module Version
+        # Version finder using Xpath method
+        class Xpath < WPScan::Finders::DynamicFinder::Version::Finder
+          # @return [ Hash ]
+          def self.child_class_constants
+            @child_class_constants ||= super().merge(
+              XPATH: nil, PATTERN: /\A(?<v>\d+\.[\.\d]+)/, CONFIDENCE: 60
+            )
+          end
+
+          # @param [ Typhoeus::Response ] response
+          # @param [ Hash ] opts
+          # @return [ Version ]
+          def find(response, _opts = {})
+            target.xpath_pattern_from_page(
+              self.class::XPATH, self.class::PATTERN, response
+            ) do |match_data, _node|
+              next unless match_data[:v]
+
+              return create_version(
+                match_data[:v],
+                interesting_entries: ["#{response.effective_url}, Match: '#{match_data}'"]
+              )
+            end
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb

@@ -0,0 +1,42 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module WpItemVersion
+        class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
+        end
+
+        class Comment < WPScan::Finders::DynamicFinder::Version::Comment
+        end
+
+        class ConfigParser < WPScan::Finders::DynamicFinder::Version::ConfigParser
+        end
+
+        class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
+        end
+
+        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
+        end
+
+        class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
+          # @return [ Regexp ]
+          def path_pattern
+            # TODO: consider the target.blog.themes_dir if the target is a Theme (maybe implement a WpItem#item_dir ?)
+            @path_pattern ||= %r{
+              #{Regexp.escape(target.blog.plugins_dir)}/
+              #{Regexp.escape(target.slug)}/
+              (?:#{self.class::FILES.join('|')})\z
+            }ix
+          end
+
+          def xpath
+            @xpath ||= self.class::XPATH ||
+                       "//link[contains(@href,'#{target.slug}')]|//script[contains(@src,'#{target.slug}')]"
+          end
+        end
+
+        class Xpath < WPScan::Finders::DynamicFinder::Version::Xpath
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb

@@ -0,0 +1,96 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module WpItems
+        # Not really a dynamic finder in itself (hence not a child class of DynamicFinder::Finder)
+        # but will use the dynamic finder DB configs to find collections of
+        # WpItems (such as Plugins and Themes)
+        #
+        # Also used to factorise some code used between such finders.
+        # The #process_response should be implemented in each child class, or the
+        # #passive and #aggressive overriden
+        class Finder < CMSScanner::Finders::Finder
+          # @return [ Hash ] The related dynamic finder passive configurations
+          #                  for the current class (all its usefullness comes from child classes)
+          def passive_configs
+            # So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
+            # is ok. However, when Themes have some, will need to create other child classes for them
+
+            method = "passive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
+
+            DB::DynamicFinders::Plugin.public_send(method)
+          end
+
+          # @param [ Hash ] opts
+          #
+          # @return [ Array<Plugin>, Array<Theme> ]
+          def passive(opts = {})
+            found = []
+
+            passive_configs.each do |slug, configs|
+              configs.each do |klass, config|
+                item = process_response(opts, target.homepage_res, slug, klass, config)
+
+                found << item if item.is_a?(WpItem)
+              end
+            end
+
+            found
+          end
+
+          # @return [ Hash ] The related dynamic finder passive configurations
+          #                  for the current class (all its usefullness comes from child classes)
+          def aggressive_configs
+            # So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
+            # is ok. However, when Themes have some, will need to create other child classes for them
+
+            method = "aggressive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
+
+            DB::DynamicFinders::Plugin.public_send(method)
+          end
+
+          # @param [ Hash ] opts
+          #
+          # @return [ Array<Plugin>, Array<Theme> ]
+          def aggressive(_opts = {})
+            # Disable this as it would make quite a lot of extra requests just to find plugins/themes
+            # Kept the original method below for future implementation
+          end
+
+          # @param [ Hash ] opts
+          #
+          # @return [ Array<Plugin>, Array<Theme> ]
+          def aggressive_(opts = {})
+            found = []
+
+            aggressive_configs.each do |slug, configs|
+              configs.each do |klass, config|
+                path     = aggressive_path(slug, config)
+                response = Browser.get(target.url(path))
+
+                item = process_response(opts, response, slug, klass, config)
+
+                found << item if item.is_a?(WpItem)
+              end
+            end
+
+            found
+          end
+
+          # @param [ String ] slug
+          # @param [ Hash ] config from the YAML file with he 'path' key
+          #
+          # @return [ String ] The path related to the aggresive configuration
+          #                    ie config['path'] if it's an absolute path (like /file.txt)
+          #                    or the path from inside the related plugin directory
+          def aggressive_path(slug, config)
+            return config['path'] if config['path'][0] == '/'
+
+            # No need to set the correct plugins dir, it will be handled by target.url()
+            "wp-content/plugins/#{slug}/#{config['path']}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/wp_version.rb

@@ -0,0 +1,60 @@
+module WPScan
+  module Finders
+    module DynamicFinder
+      module WpVersion
+        module Finder
+          def create_version(number, finding_opts)
+            return unless WPScan::WpVersion.valid?(number)
+
+            WPScan::WpVersion.new(number, version_finding_opts(finding_opts))
+          end
+        end
+
+        class BodyPattern < WPScan::Finders::DynamicFinder::Version::BodyPattern
+          include Finder
+        end
+
+        class Comment < WPScan::Finders::DynamicFinder::Version::Comment
+          include Finder
+        end
+
+        class HeaderPattern < WPScan::Finders::DynamicFinder::Version::HeaderPattern
+          include Finder
+        end
+
+        class JavascriptVar < WPScan::Finders::DynamicFinder::Version::JavascriptVar
+          include Finder
+        end
+
+        class QueryParameter < WPScan::Finders::DynamicFinder::Version::QueryParameter
+          include Finder
+
+          # @return [ Hash ]
+          def self.child_class_constants
+            @child_class_constants ||= super().merge(PATTERN: /ver\=(?<v>\d+\.[\.\d]+)/i)
+          end
+        end
+
+        class WpItemQueryParameter < QueryParameter
+          def xpath
+            @xpath ||= self.class::XPATH ||
+                       "//link[contains(@href,'#{target.plugins_dir}') or contains(@href,'#{target.themes_dir}')]|" \
+                       "//script[contains(@src,'#{target.plugins_dir}') or contains(@src,'#{target.themes_dir}')]"
+          end
+
+          def path_pattern
+            @pattern ||= %r{
+              (?:#{Regexp.escape(target.plugins_dir)}|#{Regexp.escape(target.themes_dir)})/
+              [^/]+/
+              .*\.(?:css|js)\z
+            }ix
+          end
+        end
+
+        class Xpath < WPScan::Finders::DynamicFinder::Version::Xpath
+          include Finder
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/helper.rb

@@ -3,3 +3,14 @@ def read_json_file(file)
 rescue StandardError => e
   raise "JSON parsing error in #{file} #{e}"
 end
+
+# @return [ Symbol ]
+# @note As a class can not start with a digit or underscore, a D_ is
+# put as a prefix in such case. Ugly but well :x
+# Not only used to classify slugs though, but Dynamic Finder names as well
+def classify_slug(slug)
+  classified = slug.to_s.tr('-', '_').camelize.to_s
+  classified = "D_#{classified}" if classified[0] =~ /\d/
+
+  classified.to_sym
+end

data/lib/wpscan/target/platform/wordpress/custom_directories.rb

@@ -50,8 +50,23 @@ module WPScan
           plugins_uri.to_s
         end
 
+        # @return [ String ]
+        def themes_dir
+          @themes_dir ||= "#{content_dir}/themes"
+        end
+
+        # @return [ Addressable::URI ]
+        def themes_uri
+          uri.join("#{themes_dir}/")
+        end
+
+        # @return [ String ]
+        def themes_url
+          themes_uri.to_s
+        end
+
         # TODO: Factorise the code and the content_dir one ?
-        # @return [ String, False ] The sub_dir is found, false otherwise
+        # @return [ String, False ] String of the sub_dir found, false otherwise
         # @note: nil can not be returned here, otherwise if there is no sub_dir
         #        the check would be done each time
         def sub_dir

data/lib/wpscan/version.rb

@@ -1,4 +1,4 @@
 # Version
 module WPScan
-  VERSION = '3.0.8'.freeze
+  VERSION = '3.1.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.0.8
+  version: 3.1.0
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-09 00:00:00.000000000 Z
+date: 2018-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.38.1
+        version: 0.0.39.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.38.1
+        version: 0.0.39.0
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.51.0
+        version: 0.52.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.51.0
+        version: 0.52.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.0
+        version: 3.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.0
+        version: 3.2.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
 - team@wpscan.org
@@ -176,6 +176,7 @@ files:
 - README.md
 - app/app.rb
 - app/controllers.rb
+- app/controllers/aliases.rb
 - app/controllers/brute_force.rb
 - app/controllers/core.rb
 - app/controllers/custom_directories.rb
@@ -207,18 +208,17 @@ files:
 - app/finders/medias.rb
 - app/finders/medias/attachment_brute_forcing.rb
 - app/finders/plugin_version.rb
-- app/finders/plugin_version/layer_slider/translation_file.rb
 - app/finders/plugin_version/readme.rb
-- app/finders/plugin_version/revslider/release_log.rb
-- app/finders/plugin_version/shareaholic/meta_tag.rb
-- app/finders/plugin_version/sitepress_multilingual_cms/meta_generator.rb
-- app/finders/plugin_version/sitepress_multilingual_cms/version_parameter.rb
-- app/finders/plugin_version/w3_total_cache/headers.rb
 - app/finders/plugins.rb
-- app/finders/plugins/comments.rb
-- app/finders/plugins/headers.rb
+- app/finders/plugins/body_pattern.rb
+- app/finders/plugins/comment.rb
+- app/finders/plugins/config_parser.rb
+- app/finders/plugins/header_pattern.rb
+- app/finders/plugins/javascript_var.rb
 - app/finders/plugins/known_locations.rb
+- app/finders/plugins/query_parameter.rb
 - app/finders/plugins/urls_in_homepage.rb
+- app/finders/plugins/xpath.rb
 - app/finders/theme_version.rb
 - app/finders/theme_version/style.rb
 - app/finders/theme_version/woo_framework_meta_generator.rb
@@ -239,16 +239,10 @@ files:
 - app/finders/wp_items/urls_in_homepage.rb
 - app/finders/wp_version.rb
 - app/finders/wp_version/atom_generator.rb
-- app/finders/wp_version/homepage_stylesheet_numbers.rb
-- app/finders/wp_version/install_stylesheet_numbers.rb
-- app/finders/wp_version/meta_generator.rb
-- app/finders/wp_version/opml_generator.rb
 - app/finders/wp_version/rdf_generator.rb
 - app/finders/wp_version/readme.rb
 - app/finders/wp_version/rss_generator.rb
-- app/finders/wp_version/sitemap_generator.rb
 - app/finders/wp_version/unique_fingerprinting.rb
-- app/finders/wp_version/upgrade_stylesheet_numbers.rb
 - app/models.rb
 - app/models/config_backup.rb
 - app/models/interesting_finding.rb
@@ -304,7 +298,10 @@ files:
 - lib/wpscan/controller.rb
 - lib/wpscan/controllers.rb
 - lib/wpscan/db.rb
-- lib/wpscan/db/dynamic_finders.rb
+- lib/wpscan/db/dynamic_finders/base.rb
+- lib/wpscan/db/dynamic_finders/plugin.rb
+- lib/wpscan/db/dynamic_finders/theme.rb
+- lib/wpscan/db/dynamic_finders/wordpress.rb
 - lib/wpscan/db/fingerprints.rb
 - lib/wpscan/db/plugin.rb
 - lib/wpscan/db/plugins.rb
@@ -318,7 +315,18 @@ files:
 - lib/wpscan/errors/update.rb
 - lib/wpscan/errors/wordpress.rb
 - lib/wpscan/finders.rb
-- lib/wpscan/finders/finder/plugin_version/comments.rb
+- lib/wpscan/finders/dynamic_finder/finder.rb
+- lib/wpscan/finders/dynamic_finder/version/body_pattern.rb
+- lib/wpscan/finders/dynamic_finder/version/comment.rb
+- lib/wpscan/finders/dynamic_finder/version/config_parser.rb
+- lib/wpscan/finders/dynamic_finder/version/finder.rb
+- lib/wpscan/finders/dynamic_finder/version/header_pattern.rb
+- lib/wpscan/finders/dynamic_finder/version/javascript_var.rb
+- lib/wpscan/finders/dynamic_finder/version/query_parameter.rb
+- lib/wpscan/finders/dynamic_finder/version/xpath.rb
+- lib/wpscan/finders/dynamic_finder/wp_item_version.rb
+- lib/wpscan/finders/dynamic_finder/wp_items/finder.rb
+- lib/wpscan/finders/dynamic_finder/wp_version.rb
 - lib/wpscan/finders/finder/wp_version/smart_url_checker.rb
 - lib/wpscan/helper.rb
 - lib/wpscan/references.rb