wpscan 3.0

data/lib/wpscan/db/wp_version.rb

@@ -0,0 +1,11 @@
+module WPScan
+  module DB
+    # WP Version
+    class Version < WpItem
+      # @return [ String ]
+      def self.db_file
+        @db_file ||= File.join(DB_DIR, 'wordpresses.json')
+      end
+    end
+  end
+end

data/lib/wpscan/errors/http.rb

@@ -0,0 +1,34 @@
+module WPScan
+  # HTTP Error
+  class HTTPError < StandardError
+    attr_reader :response
+
+    # @param [ Typhoeus::Response ] res
+    def initialize(response)
+      @response = response
+    end
+
+    def failure_details
+      msg = response.effective_url
+
+      msg += if response.code.zero? || response.timed_out?
+               " (#{response.return_message})"
+             else
+               " (status: #{response.code})"
+             end
+
+      msg
+    end
+
+    def to_s
+      "HTTP Error: #{failure_details}"
+    end
+  end
+
+  # Used in the Updater
+  class DownloadError < HTTPError
+    def to_s
+      "Unable to get #{failure_details}"
+    end
+  end
+end

data/lib/wpscan/errors/update.rb

@@ -0,0 +1,8 @@
+module WPScan
+  # Error raised when there is a missing  DB file and --no-update supplied
+  class MissingDatabaseFile < StandardError
+    def to_s
+      'Update required, you can not run a scan if a database file is missing.'
+    end
+  end
+end

data/lib/wpscan/errors/wordpress.rb

@@ -0,0 +1,22 @@
+module WPScan
+  # WordPress hosted (*.wordpress.com)
+  class WordPressHostedError < StandardError
+    def to_s
+      'Scanning *.wordpress.com hosted blogs is not supported.'
+    end
+  end
+
+  # Not WordPress Error
+  class NotWordPressError < StandardError
+    def to_s
+      'The remote website is up, but does not seem to be running WordPress.'
+    end
+  end
+
+  # Invalid Wp Version (used in the WpVersion#new)
+  class InvalidWordPressVersion < StandardError
+    def to_s
+      'The WordPress version is invalid'
+    end
+  end
+end

data/lib/wpscan/finders.rb

@@ -0,0 +1,14 @@
+require 'wpscan/finders/finder/wp_version/smart_url_checker'
+require 'wpscan/finders/finder/plugin_version/comments'
+
+module WPScan
+  # Custom Finders
+  module Finders
+    include CMSScanner::Finders
+
+    # Custom InterestingFindings
+    module InterestingFindings
+      include CMSScanner::Finders::InterestingFindings
+    end
+  end
+end

data/lib/wpscan/finders/finder/plugin_version/comments.rb

@@ -0,0 +1,25 @@
+module WPScan
+  module Finders
+    class Finder
+      module PluginVersion
+        # Plugin Version from the Comments in the homepage, used in dynamic PluginVersion finders
+        class Comments < CMSScanner::Finders::Finder
+          def passive(_opts = {})
+            target.target.comments_from_page(self.class::PATTERN) do |match|
+              # Avoid nil version, i.e a pattern allowing both versionable and non
+              # versionable string to be detected
+              next unless match[1]
+
+              return WPScan::Version.new(
+                match[1],
+                found_by: found_by,
+                confidence: 80,
+                interesting_entries: ["#{target.target.url}, Match: '#{match}'"]
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb

@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    class Finder
+      module WpVersion
+        # SmartURLChecker specific for the WP Version
+        module SmartURLChecker
+          include CMSScanner::Finders::Finder::SmartURLChecker
+
+          def create_version(number, opts = {})
+            WPScan::WpVersion.new(
+              number,
+              found_by: opts[:found_by] || found_by,
+              confidence: opts[:confidence] || 80,
+              interesting_entries: opts[:entries]
+            )
+          rescue WPScan::InvalidWordPressVersion
+            nil # Invalid Version returned as nil and will be ignored by Finders
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/helper.rb

@@ -0,0 +1,6 @@
+def read_json_file(file)
+  # p "Reading #{file}"
+  JSON.parse(File.read(file))
+rescue => e
+  raise "JSON parsing error in #{file} #{e}"
+end

data/lib/wpscan/references.rb

@@ -0,0 +1,31 @@
+module WPScan
+  # References module (which should be included along with the CMSScanner::References)
+  # to allow the use of the wpvulndb reference
+  module References
+    extend ActiveSupport::Concern
+
+    # See ActiveSupport::Concern
+    module ClassMethods
+      # @return [ Array<Symbol> ]
+      def references_keys
+        @references_keys ||= super << :wpvulndb
+      end
+    end
+
+    def references_urls
+      wpvulndb_urls + super
+    end
+
+    def wpvulndb_ids
+      references[:wpvulndb] || []
+    end
+
+    def wpvulndb_urls
+      wpvulndb_ids.reduce([]) { |acc, elem| acc << wpvulndb_url(elem) }
+    end
+
+    def wpvulndb_url(id)
+      "https://wpvulndb.com/vulnerabilities/#{id}"
+    end
+  end
+end

data/lib/wpscan/target.rb

@@ -0,0 +1,81 @@
+require 'wpscan/target/platform/wordpress'
+
+module WPScan
+  # Includes the WordPress Platform
+  class Target < CMSScanner::Target
+    include Platform::WordPress
+
+    # @return [ Boolean ]
+    def vulnerable?
+      [@wp_version, @main_theme, @plugins, @themes, @timthumbs].each do |e|
+        [*e].each { |ae| return true if ae && ae.vulnerable? }
+      end
+
+      return true unless [*@config_backups].empty?
+
+      [*@users].each { |u| return true if u.password }
+
+      false
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ WpVersion, false ] The WpVersion found or false if not detected
+    def wp_version(opts = {})
+      @wp_version = Finders::WpVersion::Base.find(self, opts) if @wp_version.nil?
+
+      @wp_version
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Theme ]
+    def main_theme(opts = {})
+      @main_theme = Finders::MainTheme::Base.find(self, opts) if @main_theme.nil?
+
+      @main_theme
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<Plugin> ]
+    def plugins(opts = {})
+      @plugins ||= Finders::Plugins::Base.find(self, opts)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<Theme> ]
+    def themes(opts = {})
+      @themes ||= Finders::Themes::Base.find(self, opts)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<Timthumb> ]
+    def timthumbs(opts = {})
+      @timthumbs ||= Finders::Timthumbs::Base.find(self, opts)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<ConfigBackup> ]
+    def config_backups(opts = {})
+      @config_backups ||= Finders::ConfigBackups::Base.find(self, opts)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<Media> ]
+    def medias(opts = {})
+      @medias ||= Finders::Medias::Base.find(self, opts)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<User> ]
+    def users(opts = {})
+      @users ||= Finders::Users::Base.find(self, opts)
+    end
+  end
+end

data/lib/wpscan/target/platform/wordpress.rb

@@ -0,0 +1,74 @@
+%w(custom_directories).each do |required|
+  require "wpscan/target/platform/wordpress/#{required}"
+end
+
+module WPScan
+  class Target < CMSScanner::Target
+    module Platform
+      # Some WordPress specific implementation
+      module WordPress
+        include CMSScanner::Target::Platform::PHP
+
+        WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i
+
+        # These methods are used in the associated interesting_findings finders
+        # to keep the boolean state of the finding rather than re-check the whole thing again
+        attr_accessor :multisite, :registration_enabled, :mu_plugins
+        alias multisite? multisite
+        alias registration_enabled? registration_enabled
+        alias mu_plugins? mu_plugins
+
+        # @return [ Boolean ]
+        def wordpress?
+          # res = Browser.get(url)
+
+          in_scope_urls(homepage_res) do |url|
+            return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
+          end
+
+          homepage_res.html.css('meta[name="generator"]').each do |node|
+            return true if node['content'] =~ /wordpress/i
+          end
+
+          return true unless comments_from_page(/wordpress/i, homepage_res).empty?
+
+          false
+        end
+
+        # @return [ String ]
+        def registration_url
+          multisite? ? url('wp-signup.php') : url('wp-login.php?action=register')
+        end
+
+        def wordpress_hosted?
+          uri.host =~ /wordpress.com$/i ? true : false
+        end
+
+        # @param [ String ] username
+        # @param [ String ] password
+        #
+        # @return [ Typhoeus::Response ]
+        def do_login(username, password)
+          login_request(username, password).run
+        end
+
+        # @param [ String ] username
+        # @param [ String ] password
+        #
+        # @return [ Typhoeus::Request ]
+        def login_request(username, password)
+          Browser.instance.forge_request(
+            login_url,
+            method: :post,
+            body: { log: username, pwd: password }
+          )
+        end
+
+        # @return [ String ] The URL to the login page
+        def login_url
+          url('wp-login.php')
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/target/platform/wordpress/custom_directories.rb

@@ -0,0 +1,93 @@
+module WPScan
+  class Target < CMSScanner::Target
+    module Platform
+      # wp-content & plugins directory implementation
+      module WordPress
+        def content_dir=(dir)
+          @content_dir = dir.chomp('/')
+        end
+
+        def plugins_dir=(dir)
+          @plugins_dir = dir.chomp('/')
+        end
+
+        # @return [ String ] The wp-content directory
+        def content_dir
+          unless @content_dir
+            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
+            pattern     = %r{#{escaped_url}(.+?)\/(?:themes|plugins|uploads)\/}i
+
+            in_scope_urls(homepage_res) do |url|
+              return @content_dir = Regexp.last_match[1] if url.match(pattern)
+            end
+          end
+
+          @content_dir
+        end
+
+        # @return [ Addressable::URI ]
+        def content_uri
+          uri.join("#{content_dir}/")
+        end
+
+        # @return [ String ]
+        def content_url
+          content_uri.to_s
+        end
+
+        # @return [ String ]
+        def plugins_dir
+          @plugins_dir ||= "#{content_dir}/plugins"
+        end
+
+        # @return [ Addressable::URI ]
+        def plugins_uri
+          uri.join("#{plugins_dir}/")
+        end
+
+        # @return [ String ]
+        def plugins_url
+          plugins_uri.to_s
+        end
+
+        # TODO: Factorise the code and the content_dir one ?
+        # @return [ String, False ] The sub_dir is found, false otherwise
+        # @note: nil can not be returned here, otherwise if there is no sub_dir
+        #        the check would be done each time
+        def sub_dir
+          unless @sub_dir
+            escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
+            pattern     = %r{#{escaped_url}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i
+
+            in_scope_urls(homepage_res) do |url|
+              return @sub_dir = Regexp.last_match[1] if url.match(pattern)
+            end
+
+            @sub_dir = false
+          end
+
+          @sub_dir
+        end
+
+        # Override of the WebSite#url to consider the custom WP directories
+        #
+        # @param [ String ] path Optional path to merge with the uri
+        #
+        # @return [ String ]
+        def url(path = nil)
+          return @uri.to_s unless path
+
+          if path =~ %r{wp\-content/plugins}i
+            path.gsub!('wp-content/plugins', plugins_dir)
+          elsif path =~ /wp\-content/i
+            path.gsub!('wp-content', content_dir)
+          elsif path[0] != '/' && sub_dir
+            path = "#{sub_dir}/#{path}"
+          end
+
+          super(path)
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/version.rb

@@ -0,0 +1,4 @@
+# Version
+module WPScan
+  VERSION = '3.0'.freeze
+end

data/lib/wpscan/vulnerability.rb

@@ -0,0 +1,25 @@
+module WPScan
+  # Specific implementation
+  class Vulnerability < CMSScanner::Vulnerability
+    include References
+
+    # @param [ Hash ] json_data
+    # @return [ Vulnerability ]
+    def self.load_from_json(json_data)
+      references = { wpvulndb: json_data['id'].to_s }
+
+      if json_data['references']
+        references_keys.each do |key|
+          references[key] = json_data['references'][key.to_s] if json_data['references'].key?(key.to_s)
+        end
+      end
+
+      new(
+        json_data['title'],
+        references,
+        json_data['vuln_type'],
+        json_data['fixed_in']
+      )
+    end
+  end
+end