RubyGems - wpscan - Versions diffs - 3.0 - Mend

wpscan 3.0

Files changed (180) hide show

checksums.yaml +7 -0
data/Gemfile.lock +139 -0
data/LICENSE +74 -0
data/README.md +146 -0
data/app/app.rb +3 -0
data/app/controllers.rb +6 -0
data/app/controllers/brute_force.rb +126 -0
data/app/controllers/core.rb +104 -0
data/app/controllers/custom_directories.rb +23 -0
data/app/controllers/enumeration.rb +53 -0
data/app/controllers/enumeration/cli_options.rb +126 -0
data/app/controllers/enumeration/enum_methods.rb +157 -0
data/app/controllers/main_theme.rb +27 -0
data/app/controllers/wp_version.rb +30 -0
data/app/finders.rb +13 -0
data/app/finders/config_backups.rb +17 -0
data/app/finders/config_backups/known_filenames.rb +46 -0
data/app/finders/interesting_findings.rb +33 -0
data/app/finders/interesting_findings/backup_db.rb +25 -0
data/app/finders/interesting_findings/debug_log.rb +20 -0
data/app/finders/interesting_findings/duplicator_installer_log.rb +23 -0
data/app/finders/interesting_findings/full_path_disclosure.rb +23 -0
data/app/finders/interesting_findings/mu_plugins.rb +48 -0
data/app/finders/interesting_findings/multisite.rb +29 -0
data/app/finders/interesting_findings/readme.rb +26 -0
data/app/finders/interesting_findings/registration.rb +31 -0
data/app/finders/interesting_findings/tmm_db_migrate.rb +24 -0
data/app/finders/interesting_findings/upload_directory_listing.rb +24 -0
data/app/finders/interesting_findings/upload_sql_dump.rb +28 -0
data/app/finders/main_theme.rb +22 -0
data/app/finders/main_theme/css_style.rb +43 -0
data/app/finders/main_theme/urls_in_homepage.rb +25 -0
data/app/finders/main_theme/woo_framework_meta_generator.rb +22 -0
data/app/finders/medias.rb +17 -0
data/app/finders/medias/attachment_brute_forcing.rb +44 -0
data/app/finders/plugin_version.rb +44 -0
data/app/finders/plugin_version/layer_slider/translation_file.rb +40 -0
data/app/finders/plugin_version/readme.rb +79 -0
data/app/finders/plugin_version/revslider/release_log.rb +35 -0
data/app/finders/plugin_version/sitepress_multilingual_cms/meta_generator.rb +27 -0
data/app/finders/plugin_version/sitepress_multilingual_cms/version_parameter.rb +31 -0
data/app/finders/plugin_version/w3_total_cache/headers.rb +28 -0
data/app/finders/plugins.rb +24 -0
data/app/finders/plugins/comments.rb +31 -0
data/app/finders/plugins/headers.rb +36 -0
data/app/finders/plugins/known_locations.rb +48 -0
data/app/finders/plugins/urls_in_homepage.rb +29 -0
data/app/finders/theme_version.rb +41 -0
data/app/finders/theme_version/style.rb +43 -0
data/app/finders/theme_version/woo_framework_meta_generator.rb +19 -0
data/app/finders/themes.rb +20 -0
data/app/finders/themes/known_locations.rb +48 -0
data/app/finders/themes/urls_in_homepage.rb +23 -0
data/app/finders/timthumb_version.rb +17 -0
data/app/finders/timthumb_version/bad_request.rb +21 -0
data/app/finders/timthumbs.rb +17 -0
data/app/finders/timthumbs/known_locations.rb +56 -0
data/app/finders/users.rb +24 -0
data/app/finders/users/author_id_brute_forcing.rb +111 -0
data/app/finders/users/author_posts.rb +61 -0
data/app/finders/users/login_error_messages.rb +50 -0
data/app/finders/users/wp_json_api.rb +31 -0
data/app/finders/wp_items.rb +1 -0
data/app/finders/wp_items/urls_in_homepage.rb +68 -0
data/app/finders/wp_version.rb +34 -0
data/app/finders/wp_version/atom_generator.rb +40 -0
data/app/finders/wp_version/meta_generator.rb +27 -0
data/app/finders/wp_version/opml_generator.rb +23 -0
data/app/finders/wp_version/rdf_generator.rb +38 -0
data/app/finders/wp_version/readme.rb +28 -0
data/app/finders/wp_version/rss_generator.rb +43 -0
data/app/finders/wp_version/sitemap_generator.rb +23 -0
data/app/finders/wp_version/stylesheets.rb +55 -0
data/app/finders/wp_version/unique_fingerprinting.rb +64 -0
data/app/models.rb +10 -0
data/app/models/config_backup.rb +5 -0
data/app/models/interesting_finding.rb +6 -0
data/app/models/media.rb +5 -0
data/app/models/plugin.rb +25 -0
data/app/models/theme.rb +99 -0
data/app/models/timthumb.rb +74 -0
data/app/models/user.rb +31 -0
data/app/models/wp_item.rb +142 -0
data/app/models/wp_version.rb +49 -0
data/app/models/xml_rpc.rb +19 -0
data/app/views/cli/brute_force/error.erb +1 -0
data/app/views/cli/brute_force/found.erb +2 -0
data/app/views/cli/brute_force/users.erb +9 -0
data/app/views/cli/core/banner.erb +14 -0
data/app/views/cli/core/db_update_finished.erb +8 -0
data/app/views/cli/core/db_update_started.erb +1 -0
data/app/views/cli/core/not_fully_configured.erb +1 -0
data/app/views/cli/enumeration/config_backups.erb +11 -0
data/app/views/cli/enumeration/medias.erb +11 -0
data/app/views/cli/enumeration/plugins.erb +35 -0
data/app/views/cli/enumeration/themes.erb +11 -0
data/app/views/cli/enumeration/timthumbs.erb +18 -0
data/app/views/cli/enumeration/users.erb +11 -0
data/app/views/cli/finding.erb +32 -0
data/app/views/cli/info.erb +1 -0
data/app/views/cli/main_theme/theme.erb +6 -0
data/app/views/cli/notice.erb +1 -0
data/app/views/cli/theme.erb +64 -0
data/app/views/cli/usage.erb +3 -0
data/app/views/cli/vulnerability.erb +14 -0
data/app/views/cli/wp_version/version.erb +6 -0
data/app/views/json/brute_force/users.erb +10 -0
data/app/views/json/core/banner.erb +12 -0
data/app/views/json/core/db_update_finished.erb +2 -0
data/app/views/json/core/db_update_started.erb +1 -0
data/app/views/json/core/not_fully_configured.erb +1 -0
data/app/views/json/enumeration/config_backups.erb +10 -0
data/app/views/json/enumeration/medias.erb +10 -0
data/app/views/json/enumeration/plugins.erb +25 -0
data/app/views/json/enumeration/themes.erb +10 -0
data/app/views/json/enumeration/timthumbs.erb +19 -0
data/app/views/json/enumeration/users.erb +11 -0
data/app/views/json/finding.erb +26 -0
data/app/views/json/main_theme/theme.erb +7 -0
data/app/views/json/theme.erb +38 -0
data/app/views/json/wp_version/version.erb +8 -0
data/bin/wpscan +15 -0
data/coverage/assets/0.10.0/application.css +799 -0
data/coverage/assets/0.10.0/application.js +1707 -0
data/coverage/assets/0.10.0/colorbox/border.png +0 -0
data/coverage/assets/0.10.0/colorbox/controls.png +0 -0
data/coverage/assets/0.10.0/colorbox/loading.gif +0 -0
data/coverage/assets/0.10.0/colorbox/loading_background.png +0 -0
data/coverage/assets/0.10.0/favicon_green.png +0 -0
data/coverage/assets/0.10.0/favicon_red.png +0 -0
data/coverage/assets/0.10.0/favicon_yellow.png +0 -0
data/coverage/assets/0.10.0/loading.gif +0 -0
data/coverage/assets/0.10.0/magnify.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-icons_222222_256x240.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-icons_454545_256x240.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-icons_888888_256x240.png +0 -0
data/coverage/assets/0.10.0/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
data/coverage/index.html +27510 -0
data/lib/wpscan.rb +44 -0
data/lib/wpscan/browser.rb +16 -0
data/lib/wpscan/controller.rb +8 -0
data/lib/wpscan/controllers.rb +8 -0
data/lib/wpscan/db.rb +28 -0
data/lib/wpscan/db/dynamic_finders.rb +63 -0
data/lib/wpscan/db/plugin.rb +11 -0
data/lib/wpscan/db/plugins.rb +11 -0
data/lib/wpscan/db/schema.rb +39 -0
data/lib/wpscan/db/theme.rb +11 -0
data/lib/wpscan/db/themes.rb +11 -0
data/lib/wpscan/db/updater.rb +148 -0
data/lib/wpscan/db/wp_item.rb +18 -0
data/lib/wpscan/db/wp_items.rb +21 -0
data/lib/wpscan/db/wp_version.rb +11 -0
data/lib/wpscan/errors/http.rb +34 -0
data/lib/wpscan/errors/update.rb +8 -0
data/lib/wpscan/errors/wordpress.rb +22 -0
data/lib/wpscan/finders.rb +14 -0
data/lib/wpscan/finders/finder/plugin_version/comments.rb +25 -0
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +23 -0
data/lib/wpscan/helper.rb +6 -0
data/lib/wpscan/references.rb +31 -0
data/lib/wpscan/target.rb +81 -0
data/lib/wpscan/target/platform/wordpress.rb +74 -0
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +93 -0
data/lib/wpscan/version.rb +4 -0
data/lib/wpscan/vulnerability.rb +25 -0
data/lib/wpscan/vulnerable.rb +10 -0
data/wpscan-v3.sublime-project +8 -0
data/wpscan-v3.sublime-workspace +895 -0
data/wpscan.gemspec +55 -0
metadata +419 -0

data/lib/wpscan.rb ADDED

@@ -0,0 +1,44 @@
+# Gems
+require 'cms_scanner'
+require 'yajl/json_gem'
+require 'addressable/uri'
+require 'active_support/all'
+# Standard Lib
+require 'uri'
+require 'time'
+require 'readline'
+require 'securerandom'
+# Custom Libs
+require 'wpscan/helper'
+require 'wpscan/db'
+require 'wpscan/version'
+require 'wpscan/errors/wordpress'
+require 'wpscan/errors/http'
+require 'wpscan/errors/update'
+require 'wpscan/browser'
+require 'wpscan/target'
+require 'wpscan/finders'
+require 'wpscan/controller'
+require 'wpscan/controllers'
+require 'wpscan/references'
+require 'wpscan/vulnerable'
+require 'wpscan/vulnerability'
+Encoding.default_external = Encoding::UTF_8
+# WPScan
+module WPScan
+  include CMSScanner
+  APP_DIR = Pathname.new(__FILE__).dirname.join('..', 'app').expand_path
+  DB_DIR  = File.join(Dir.home, '.wpscan', 'db')
+  # Override, otherwise it would be returned as 'wp_scan'
+  #
+  # @return [ String ]
+  def self.app_name
+    'wpscan'
+  end
+end
+require "#{WPScan::APP_DIR}/app"

data/lib/wpscan/browser.rb ADDED

@@ -0,0 +1,16 @@
+module WPScan
+  # Custom Browser
+  class Browser < CMSScanner::Browser
+    extend Actions
+    # @return [ String ] The path to the user agents list
+    def user_agents_list
+      @user_agents_list ||= File.join(DB_DIR, 'user-agents.txt')
+    end
+    # @return [ String ]
+    def default_user_agent
+      "WPScan v#{VERSION} (http://wpscan.org/)"
+    end
+  end
+end

data/lib/wpscan/controller.rb ADDED

@@ -0,0 +1,8 @@
+module WPScan
+  # Needed to load at least the Core controller
+  # Otherwise, the following error will be raised:
+  # `initialize': uninitialized constant WPScan::Controller::Core (NameError)
+  module Controller
+    include CMSScanner::Controller
+  end
+end

data/lib/wpscan/controllers.rb ADDED

@@ -0,0 +1,8 @@
+module WPScan
+  # Override to set the OptParser's summary width to 45 (instead of 40 from the CMSScanner)
+  class Controllers < CMSScanner::Controllers
+    def initialize(option_parser = OptParseValidator::OptParser.new(nil, 45))
+      super(option_parser)
+    end
+  end
+end

data/lib/wpscan/db.rb ADDED

@@ -0,0 +1,28 @@
+require 'dm-core'
+require 'dm-migrations'
+require 'dm-constraints'
+require 'dm-sqlite-adapter'
+require 'wpscan/db/wp_item'
+require 'wpscan/db/schema'
+require 'wpscan/db/updater'
+require 'wpscan/db/wp_items'
+require 'wpscan/db/plugins'
+require 'wpscan/db/themes'
+require 'wpscan/db/plugin'
+require 'wpscan/db/theme'
+require 'wpscan/db/wp_version'
+require 'wpscan/db/dynamic_finders'
+module WPScan
+  # DB
+  module DB
+    def self.init_db
+      db_file ||= File.join(DB_DIR, 'wordpress.db')
+      # DataMapper::Logger.new($stdout, :debug)
+      DataMapper.setup(:default, "sqlite://#{db_file}")
+      DataMapper.auto_upgrade!
+    end
+  end
+end

data/lib/wpscan/db/dynamic_finders.rb ADDED

@@ -0,0 +1,63 @@
+module WPScan
+  module DB
+    # Dynamic Finders
+    class DynamicFinders
+      # @return [ String ]
+      def self.db_file
+        @db_file ||= File.join(DB_DIR, 'dynamic_finders.yml')
+      end
+      # @return [ Hash ]
+      def self.db_data
+        @db_data ||= YAML.load_file(db_file)
+      end
+      # @return [ Hash ]
+      def self.finder_configs(finder_klass)
+        configs = {}
+        db_data.each do |slug, config|
+          next unless config[finder_klass]
+          configs[slug] = config[finder_klass].dup
+        end
+        configs
+      end
+    end
+    # Dynamic Plugin Finders
+    class DynamicPluginFinders < DynamicFinders
+      # @return [ Hash ]
+      def self.db_data
+        @db_data ||= super['plugins'] || {}
+      end
+      # @return [ Hash ]
+      def self.comments
+        unless @comments
+          @comments = finder_configs('Comments')
+          @comments.each do |slug, config|
+            @comments[slug]['pattern'] = Regexp.new(config['pattern'], Regexp::IGNORECASE)
+          end
+        end
+        @comments
+      end
+      # @return [ Hash ]
+      def self.urls_in_page
+        @urls_in_page ||= finder_configs('UrlsInPage')
+      end
+    end
+    # Dynamic Theme Finders (none ATM)
+    class DynamicThemeFinders < DynamicFinders
+      # @return [ Hash ]
+      def self.db_data
+        @db_data ||= super['themes'] || {}
+      end
+    end
+  end
+end

data/lib/wpscan/db/plugin.rb ADDED

@@ -0,0 +1,11 @@
+module WPScan
+  module DB
+    # Plugin DB
+    class Plugin < WpItem
+      # @return [ String ]
+      def self.db_file
+        @db_file ||= File.join(DB_DIR, 'plugins.json')
+      end
+    end
+  end
+end

data/lib/wpscan/db/plugins.rb ADDED

@@ -0,0 +1,11 @@
+module WPScan
+  module DB
+    # WP Plugins
+    class Plugins < WpItems
+      # @return [ JSON ]
+      def self.db
+        Plugin.db
+      end
+    end
+  end
+end

data/lib/wpscan/db/schema.rb ADDED

@@ -0,0 +1,39 @@
+module WPScan
+  module DB
+    # WP Version
+    class Version < WpItem
+      include DataMapper::Resource
+      storage_names[:default] = 'versions'
+      has n, :fingerprints, constraint: :destroy
+      property :id, Serial
+      property :number, String, required: true, unique: true
+    end
+    # Path
+    class Path
+      include DataMapper::Resource
+      storage_names[:default] = 'paths'
+      has n, :fingerprints, constraint: :destroy
+      property :id, Serial
+      property :value, String, required: true, unique: true
+    end
+    # Fingerprint
+    class Fingerprint
+      include DataMapper::Resource
+      storage_names[:default] = 'fingerprints'
+      belongs_to :version, key: true
+      belongs_to :path, key: true
+      property :md5_hash, String, required: true, length: 32
+    end
+  end
+end

data/lib/wpscan/db/theme.rb ADDED

@@ -0,0 +1,11 @@
+module WPScan
+  module DB
+    # Theme DB
+    class Theme < WpItem
+      # @return [ String ]
+      def self.db_file
+        @db_file ||= File.join(DB_DIR, 'themes.json')
+      end
+    end
+  end
+end

data/lib/wpscan/db/themes.rb ADDED

@@ -0,0 +1,11 @@
+module WPScan
+  module DB
+    # WP Themes
+    class Themes < WpItems
+      # @return [ JSON ]
+      def self.db
+        Theme.db
+      end
+    end
+  end
+end

data/lib/wpscan/db/updater.rb ADDED

@@ -0,0 +1,148 @@
+module WPScan
+  module DB
+    # Class used to perform DB updates
+    # :nocov:
+    class Updater
+      # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
+      FILES = %w(
+        plugins.json themes.json wordpresses.json
+        timthumbs-v3.txt user-agents.txt config_backups.txt
+        dynamic_finders.yml wordpress.db LICENSE
+      ).freeze
+      attr_reader :repo_directory
+      def initialize(repo_directory)
+        @repo_directory = repo_directory
+        FileUtils.mkdir_p(repo_directory) unless Dir.exist?(repo_directory)
+        raise "#{repo_directory} is not writable" unless Pathname.new(repo_directory).writable?
+      end
+      # @return [ Time, nil ]
+      def last_update
+        Time.parse(File.read(last_update_file))
+      rescue ArgumentError, Errno::ENOENT
+        nil # returns nil if the file does not exist or contains invalid time data
+      end
+      # @return [ String ]
+      def last_update_file
+        @last_update_file ||= File.join(repo_directory, '.last_update')
+      end
+      # @return [ Boolean ]
+      def outdated?
+        date = last_update
+        date.nil? || date < 5.days.ago
+      end
+      # @return [ Boolean ]
+      def missing_files?
+        FILES.each do |file|
+          return true unless File.exist?(File.join(repo_directory, file))
+        end
+        false
+      end
+      # @return [ Hash ] The params for Typhoeus::Request
+      def request_params
+        {
+          ssl_verifyhost: 2,
+          ssl_verifypeer: true,
+          timeout: 300,
+          connecttimeout: 120,
+          accept_encoding: 'gzip, deflate',
+          cache_ttl: 0
+        }
+      end
+      # @return [ String ] The raw file URL associated with the given filename
+      def remote_file_url(filename)
+        "https://data.wpscan.org/#{filename}"
+      end
+      # @return [ String ] The checksum of the associated remote filename
+      def remote_file_checksum(filename)
+        url = "#{remote_file_url(filename)}.sha512"
+        res = Browser.get(url, request_params)
+        raise DownloadError, res if res.timed_out? || res.code != 200
+        res.body.chomp
+      end
+      def local_file_path(filename)
+        File.join(repo_directory, filename.to_s)
+      end
+      def local_file_checksum(filename)
+        Digest::SHA512.file(local_file_path(filename)).hexdigest
+      end
+      def backup_file_path(filename)
+        File.join(repo_directory, "#{filename}.back")
+      end
+      def create_backup(filename)
+        return unless File.exist?(local_file_path(filename))
+        FileUtils.cp(local_file_path(filename), backup_file_path(filename))
+      end
+      def restore_backup(filename)
+        return unless File.exist?(backup_file_path(filename))
+        FileUtils.cp(backup_file_path(filename), local_file_path(filename))
+      end
+      def delete_backup(filename)
+        FileUtils.rm(backup_file_path(filename))
+      end
+      # @return [ String ] The checksum of the downloaded file
+      def download(filename)
+        file_path = local_file_path(filename)
+        file_url  = remote_file_url(filename)
+        res = Browser.get(file_url, request_params)
+        raise DownloadError, res if res.timed_out? || res.code != 200
+        File.open(file_path, 'wb') { |f| f.write(res.body) }
+        local_file_checksum(filename)
+      end
+      # rubocop:disable MethodLength
+      # @return [ Array<String> ] The filenames updated
+      def update
+        updated = []
+        FILES.each do |filename|
+          begin
+            db_checksum = remote_file_checksum(filename)
+            # Checking if the file needs to be updated
+            next if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
+            create_backup(filename)
+            dl_checksum = download(filename)
+            raise "#{filename}: checksums do not match" unless dl_checksum == db_checksum
+            updated << filename
+          rescue => e
+            restore_backup(filename)
+            raise e
+          ensure
+            delete_backup(filename) if File.exist?(backup_file_path(filename))
+          end
+        end
+        File.write(last_update_file, Time.now)
+        updated
+      end
+      # rubocop:enable MethodLength
+    end
+  end
+  # :nocov:
+end

data/lib/wpscan/db/wp_item.rb ADDED

@@ -0,0 +1,18 @@
+module WPScan
+  module DB
+    # WpItem - super DB class for Plugin, Theme and Version
+    class WpItem
+      # @param [ String ] identifier The plugin/theme slug or version number
+      #
+      # @return [ Hash ] The JSON data from the DB associated to the identifier
+      def self.db_data(identifier)
+        db[identifier] || {}
+      end
+      # @return [ JSON ]
+      def self.db
+        @db ||= read_json_file(db_file)
+      end
+    end
+  end
+end

data/lib/wpscan/db/wp_items.rb ADDED

@@ -0,0 +1,21 @@
+module WPScan
+  module DB
+    # WP Items
+    class WpItems
+      # @return [ Array<String> ] The slug of all items
+      def self.all_slugs
+        db.keys
+      end
+      # @return [ Array<String> ] The slug of all popular items
+      def self.popular_slugs
+        db.select { |_key, item| item['popular'] == true }.keys
+      end
+      # @return [ Array<String> ] The slug of all vulnerable items
+      def self.vulnerable_slugs
+        db.select { |_key, item| !item['vulnerabilities'].empty? }.keys
+      end
+    end
+  end
+end