wpscan 3.0

data/app/controllers/core.rb

@@ -0,0 +1,104 @@
+module WPScan
+  module Controller
+    # Specific Core controller to include WordPress checks
+    class Core < CMSScanner::Controller::Core
+      # @return [ Array<OptParseValidator::Opt> ]
+      def cli_options
+        [OptURL.new(['--url URL', 'The URL of the blog to scan'], required_unless: :update, default_protocol: 'http')] +
+          super.drop(1) + # delete the --url from CMSScanner
+          [
+            OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
+                          choices: %w(apache iis nginx),
+                          normalize: [:downcase, :to_sym]),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
+            OptBoolean.new(['--[no-]update', 'Wether or not to update the Database'], required_unless: :url)
+          ]
+      end
+
+      # @return [ DB::Updater ]
+      def local_db
+        @local_db ||= DB::Updater.new(DB_DIR)
+      end
+
+      # @return [ Boolean ]
+      def update_db_required?
+        if local_db.missing_files?
+          raise MissingDatabaseFile if parsed_options[:update] == false
+
+          return true
+        end
+
+        return parsed_options[:update] unless parsed_options[:update].nil?
+
+        return false unless user_interaction? && local_db.outdated?
+
+        output('@notice', msg: 'It seems like you have not updated the database for some time.')
+        print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
+
+        Readline.readline =~ /^y/i ? true : false
+      end
+
+      def update_db
+        output('db_update_started')
+        output('db_update_finished', updated: local_db.update, verbose: parsed_options[:verbose])
+
+        exit(0) unless parsed_options[:url]
+      end
+
+      def before_scan
+        output('banner')
+
+        update_db if update_db_required?
+
+        super(false) # disable banner output
+
+        DB.init_db
+
+        load_server_module
+
+        check_wordpress_state
+      end
+
+      # Raises errors if the target is hosted on wordpress.com or is not running WordPress
+      # Also check if the homepage_url is still the install url
+      def check_wordpress_state
+        raise WordPressHostedError if target.wordpress_hosted?
+
+        if Addressable::URI.parse(target.homepage_url).path =~ %r{/wp-admin/install.php$}i
+
+          output('not_fully_configured', url: target.homepage_url)
+
+          exit(WPScan::ExitCode::VULNERABLE)
+        end
+
+        raise NotWordPressError unless target.wordpress? || parsed_options[:force]
+      end
+
+      # Loads the related server module in the target
+      # and includes it in the WpItem class which will be needed
+      # to check if directory listing is enabled etc
+      #
+      # @return [ Symbol ] The server module loaded
+      def load_server_module
+        server = target.server || :Apache # Tries to auto detect the server
+
+        # Force a specific server module to be loaded if supplied
+        case parsed_options[:server]
+        when :apache
+          server = :Apache
+        when :iis
+          server = :IIS
+        when :nginx
+          server = :Nginx
+        end
+
+        mod = CMSScanner::Target::Server.const_get(server)
+
+        target.extend mod
+        WPScan::WpItem.include mod
+
+        server
+      end
+    end
+  end
+end

data/app/controllers/custom_directories.rb

@@ -0,0 +1,23 @@
+module WPScan
+  module Controller
+    # Controller to ensure that the wp-content and wp-plugins
+    # directories are found
+    class CustomDirectories < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptString.new(['--wp-content-dir DIR']),
+          OptString.new(['--wp-plugins-dir DIR'])
+        ]
+      end
+
+      def before_scan
+        target.content_dir = parsed_options[:wp_content_dir] if parsed_options[:wp_content_dir]
+        target.plugins_dir = parsed_options[:wp_plugins_dir] if parsed_options[:wp_plugins_dir]
+
+        return if target.content_dir
+
+        raise 'Unable to identify the wp-content dir, please supply it with --wp-content-dir'
+      end
+    end
+  end
+end

data/app/controllers/enumeration.rb

@@ -0,0 +1,53 @@
+require_relative 'enumeration/cli_options'
+require_relative 'enumeration/enum_methods'
+
+module WPScan
+  module Controller
+    # Enumeration Controller
+    class Enumeration < CMSScanner::Controller::Base
+      def before_scan
+        # Create the Dynamic Finders
+        DB::DynamicPluginFinders.db_data.each do |name, config|
+          %w(Comments).each do |klass|
+            next unless config[klass] && config[klass]['version']
+
+            constant_name = name.tr('-', '_').camelize
+
+            unless Finders::PluginVersion.constants.include?(constant_name.to_sym)
+              Finders::PluginVersion.const_set(constant_name, Module.new)
+            end
+
+            mod = WPScan::Finders::PluginVersion.const_get(constant_name)
+
+            raise "#{mod} has already a #{klass} class" if mod.constants.include?(klass.to_sym)
+
+            case klass
+            when 'Comments' then create_plugins_comments_finders(mod, config[klass])
+            end
+          end
+        end
+      end
+
+      def create_plugins_comments_finders(mod, config)
+        mod.const_set(
+          :Comments, Class.new(Finders::Finder::PluginVersion::Comments) do
+            const_set(:PATTERN, Regexp.new(config['pattern'], Regexp::IGNORECASE))
+          end
+        )
+      end
+
+      def run
+        enum = parsed_options[:enumerate] || {}
+
+        enum_plugins if enum_plugins?(enum)
+        enum_themes  if enum_themes?(enum)
+
+        [:timthumbs, :config_backups, :medias].each do |key|
+          send("enum_#{key}".to_sym) if enum.key?(key)
+        end
+
+        enum_users if enum_users?(enum)
+      end
+    end
+  end
+end

data/app/controllers/enumeration/cli_options.rb

@@ -0,0 +1,126 @@
+module WPScan
+  module Controller
+    # Enumeration CLI Options
+    class Enumeration < CMSScanner::Controller::Base
+      def cli_options
+        cli_enum_choices + cli_plugins_opts + cli_themes_opts +
+          cli_timthumbs_opts + cli_config_backups_opts + cli_medias_opts + cli_users_opts
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      # rubocop:disable Metrics/MethodLength
+      def cli_enum_choices
+        [
+          OptMultiChoices.new(
+            ['--enumerate [OPTS]', '-e', 'Enumeration Process'],
+            choices: {
+              vp: OptBoolean.new(['--vulnerable-plugins']),
+              ap: OptBoolean.new(['--all-plugins']),
+              p:  OptBoolean.new(['--plugins']),
+              vt: OptBoolean.new(['--vulnerable-themes']),
+              at: OptBoolean.new(['--all-themes']),
+              t:  OptBoolean.new(['--themes']),
+              tt: OptBoolean.new(['--timthumbs']),
+              cb: OptBoolean.new(['--config-backups']),
+              u:  OptIntegerRange.new(['--users', 'User ids range. e.g: u1-5'], value_if_empty: '1-10'),
+              m:  OptIntegerRange.new(['--medias', 'Media ids range. e.g m1-15'], value_if_empty: '1-100')
+            },
+            value_if_empty: 'vp,vt,tt,cb,u,m',
+            incompatible: [[:vp, :ap, :p], [:vt, :at, :t]]
+          ),
+          OptRegexp.new(
+            [
+              '--exclude-content-based REGEXP_OR_STRING',
+              'Exclude all responses having their body matching (case insensitive) during parts of the enumeration.',
+              'Regexp delimiters are not required.'
+            ], options: Regexp::IGNORECASE
+          )
+        ]
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_plugins_opts
+        [
+          OptFilePath.new(['--plugins-list FILE-PATH', 'List of plugins\' location to use'], exists: true),
+          OptChoice.new(
+            ['--plugins-detection MODE',
+             'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          ),
+          OptBoolean.new(['--plugins-version-all', 'Check all the plugins version locations'])
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_themes_opts
+        [
+          OptFilePath.new(['--themes-list FILE-PATH', 'List of themes\' location to use'], exists: true),
+          OptChoice.new(
+            ['--themes-detection MODE',
+             'Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          ),
+          OptBoolean.new(['--themes-version-all', 'Check all the themes version locations'])
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_timthumbs_opts
+        [
+          OptFilePath.new(
+            ['--timthumbs-list FILE-PATH', 'List of timthumbs\' location to use'],
+            exists: true, default: File.join(DB_DIR, 'timthumbs-v3.txt')
+          ),
+          OptChoice.new(
+            ['--timthumbs-detection MODE',
+             'Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_config_backups_opts
+        [
+          OptFilePath.new(
+            ['--config-backups-list FILE-PATH', 'List of config backups\' filenames to use'],
+            exists: true, default: File.join(DB_DIR, 'config_backups.txt')
+          ),
+          OptChoice.new(
+            ['--config-backups-detection MODE',
+             'Use the supplied mode to enumerate Configs, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_medias_opts
+        [
+          OptChoice.new(
+            ['--medias-detection MODE',
+             'Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_users_opts
+        [
+          OptFilePath.new(
+            ['--users-list FILE-PATH',
+             'List of users to check during the users enumeration from the Login Error Messages'],
+            exists: true
+          ),
+          OptChoice.new(
+            ['--users-detection MODE',
+             'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
+            choices: %w(mixed passive aggressive), normalize: :to_sym
+          )
+        ]
+      end
+    end
+  end
+end

data/app/controllers/enumeration/enum_methods.rb

@@ -0,0 +1,157 @@
+module WPScan
+  module Controller
+    # Enumeration Methods
+    class Enumeration < CMSScanner::Controller::Base
+      # @param [ String ] type (plugins or themes)
+      #
+      # @return [ String ] The related enumration message depending on the parsed_options and type supplied
+      def enum_message(type)
+        return unless type == 'plugins' || type == 'themes'
+
+        details = if parsed_options[:enumerate][:"vulnerable_#{type}"]
+                    'Vulnerable'
+                  elsif parsed_options[:enumerate][:"all_#{type}"]
+                    'All'
+                  else
+                    'Most Popular'
+                  end
+
+        "Enumerating #{details} #{type.capitalize}"
+      end
+
+      # @param [ String ] type (plugins, themes etc)
+      #
+      # @return [ Hash ]
+      def default_opts(type)
+        {
+          mode: parsed_options[:"#{type}_detection"] || parsed_options[:detection_mode],
+          exclude_content: parsed_options[:exclude_content_based],
+          show_progression: user_interaction?
+        }
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the plugins
+      def enum_plugins?(opts)
+        opts[:plugins] || opts[:all_plugins] || opts[:vulnerable_plugins]
+      end
+
+      def enum_plugins
+        opts = default_opts('plugins').merge(
+          list: plugins_list_from_opts(parsed_options),
+          version_all: parsed_options[:plugins_version_all],
+          sort: true
+        )
+
+        output('@info', msg: enum_message('plugins')) if user_interaction?
+        # Enumerate the plugins & find their versions to avoid doing that when #version
+        # is called in the view
+        plugins = target.plugins(opts).each(&:version)
+        plugins.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_plugins]
+
+        output('plugins', plugins: plugins)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The plugins list associated to the cli options
+      def plugins_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return File.open(opts[:plugins_list]).map(&:chomp) if opts[:plugins_list]
+
+        if opts[:enumerate][:all_plugins]
+          DB::Plugins.all_slugs
+        elsif opts[:enumerate][:plugins]
+          DB::Plugins.popular_slugs
+        else
+          DB::Plugins.vulnerable_slugs
+        end
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the themes
+      def enum_themes?(opts)
+        opts[:themes] || opts[:all_themes] || opts[:vulnerable_themes]
+      end
+
+      def enum_themes
+        opts = default_opts('themes').merge(
+          list: themes_list_from_opts(parsed_options),
+          version_all: parsed_options[:themes_version_all],
+          sort: true
+        )
+
+        output('@info', msg: enum_message('themes')) if user_interaction?
+        # Enumerate the themes & find their versions to avoid doing that when #version
+        # is called in the view
+        themes = target.themes(opts).each(&:version)
+        themes.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_themes]
+
+        output('themes', themes: themes)
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Array<String> ] The themes list associated to the cli options
+      def themes_list_from_opts(opts)
+        # List file provided by the user via the cli
+        return File.open(opts[:themes_list]).map(&:chomp) if opts[:themes_list]
+
+        if opts[:enumerate][:all_themes]
+          DB::Themes.all_slugs
+        elsif opts[:enumerate][:themes]
+          DB::Themes.popular_slugs
+        else
+          DB::Themes.vulnerable_slugs
+        end
+      end
+
+      def enum_timthumbs
+        opts = default_opts('timthumbs').merge(list: parsed_options[:timthumbs_list])
+
+        output('@info', msg: 'Enumerating Timthumbs') if user_interaction?
+        output('timthumbs', timthumbs: target.timthumbs(opts))
+      end
+
+      def enum_config_backups
+        opts = default_opts('config_baclups').merge(list: parsed_options[:config_backups_list])
+
+        output('@info', msg: 'Enumerating Config Backups') if user_interaction?
+        output('config_backups', config_backups: target.config_backups(opts))
+      end
+
+      def enum_medias
+        opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias])
+
+        output('@info', msg: 'Enumerating Medias') if user_interaction?
+        output('medias', medias: target.medias(opts))
+      end
+
+      # @param [ Hash ] opts
+      #
+      # @return [ Boolean ] Wether or not to enumerate the users
+      def enum_users?(opts)
+        opts[:users] || (parsed_options[:passwords] && !parsed_options[:username] && !parsed_options[:usernames])
+      end
+
+      def enum_users
+        opts = default_opts('users').merge(
+          range: enum_users_range,
+          list: parsed_options[:users_list]
+        )
+
+        output('@info', msg: 'Enumerating Users') if user_interaction?
+        output('users', users: target.users(opts))
+      end
+
+      # @return [ Range ] The user ids range to enumerate
+      # If the --enumerate is used, the default value is handled by the Option
+      # However, when using --passwords alone, the default has to be set by the code below
+      def enum_users_range
+        parsed_options[:enumerate] ? parsed_options[:enumerate][:users] : cli_enum_choices[0].choices[:u].validate(nil)
+      end
+    end
+  end
+end