wpscan 3.0

data/app/finders/plugin_version/w3_total_cache/headers.rb

@@ -0,0 +1,28 @@
+module WPScan
+  module Finders
+    module PluginVersion
+      module W3TotalCache
+        # Version from Headers
+        class Headers < CMSScanner::Finders::Finder
+          PATTERN = %r{W3 Total Cache/([0-9.]+)}i
+
+          # @param [ Hash ] opts
+          #
+          # @return [ Version ]
+          def passive(_opts = {})
+            headers = target.target.headers
+
+            return unless headers && headers['X-Powered-By'].to_s =~ PATTERN
+
+            WPScan::Version.new(
+              Regexp.last_match[1],
+              found_by: found_by,
+              confidence: 80,
+              interesting_entries: ["#{target.target.url}, Match: '#{Regexp.last_match}'"]
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins.rb

@@ -0,0 +1,24 @@
+require_relative 'plugins/urls_in_homepage'
+require_relative 'plugins/headers'
+require_relative 'plugins/comments'
+require_relative 'plugins/known_locations'
+
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Plugins::UrlsInHomepage.new(target) <<
+            Plugins::Headers.new(target) <<
+            Plugins::Comments.new(target) <<
+            Plugins::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/comments.rb

@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins from Comments Finder
+      class Comments < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :unique Default: true
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found         = []
+          opts[:unique] = true unless opts.key?(:unique)
+
+          target.homepage_res.html.xpath('//comment()').each do |node|
+            comment = node.text.to_s.strip
+
+            DB::DynamicPluginFinders.comments.each do |name, config|
+              next unless comment =~ config['pattern']
+
+              plugin = WPScan::Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 70))
+
+              found << plugin unless opts[:unique] && found.include?(plugin)
+            end
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/headers.rb

@@ -0,0 +1,36 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins from Headers Finder
+      class Headers < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          plugin_names_from_headers(opts).reduce([]) do |a, e|
+            a << WPScan::Plugin.new(e, target, opts.merge(found_by: found_by, confidence: 60))
+          end
+        end
+
+        # X-Powered-By: W3 Total Cache/0.9.2.5
+        # WP-Super-Cache: Served supercache file from PHP
+        #
+        # @return [ Array<String> ]
+        def plugin_names_from_headers(_opts = {})
+          found   = []
+          headers = target.homepage_res.headers
+
+          if headers
+            powered_by     = headers['X-Powered-By'].to_s
+            wp_super_cache = headers['wp-super-cache'].to_s
+
+            found << 'w3-total-cache' if powered_by =~ Finders::PluginVersion::W3TotalCache::Headers::PATTERN
+            found << 'wp-super-cache' if wp_super_cache =~ /supercache/i
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/known_locations.rb

@@ -0,0 +1,48 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Known Locations Plugins Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Plugin> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts) do |res, name|
+            # TODO: follow the location (from enumerate()) and remove the 301 here ?
+            # As a result, it might remove false positive due to redirection to the homepage
+            next unless [200, 401, 403, 301].include?(res.code)
+
+            found << WPScan::Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          names       = opts[:list] || DB::Plugins.vulnerable_slugs
+          urls        = {}
+          plugins_url = target.plugins_url
+
+          names.each do |name|
+            urls["#{plugins_url}#{URI.encode(name)}/"] = name
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/urls_in_homepage.rb

@@ -0,0 +1,29 @@
+module WPScan
+  module Finders
+    module Plugins
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::URLsInHomepage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |name|
+            found << Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          DB::DynamicPluginFinders.urls_in_page.each do |name, config|
+            next unless target.homepage_res.html.xpath(config['xpath']).any?
+
+            found << Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/theme_version.rb

@@ -0,0 +1,41 @@
+require_relative 'theme_version/style'
+require_relative 'theme_version/woo_framework_meta_generator'
+
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Theme ] theme
+        def initialize(theme)
+          finders <<
+            ThemeVersion::Style.new(theme) <<
+            ThemeVersion::WooFrameworkMetaGenerator.new(theme)
+
+          load_specific_finders(theme)
+        end
+
+        # Load the finders associated with the theme
+        #
+        # @param [ WPScan::Theme ] theme
+        def load_specific_finders(theme)
+          module_name = theme.classify_name.to_sym
+
+          return unless Finders::ThemeVersion.constants.include?(module_name)
+
+          mod = Finders::ThemeVersion.const_get(module_name)
+
+          mod.constants.each do |constant|
+            c = mod.const_get(constant)
+
+            next unless c.is_a?(Class)
+
+            finders << c.new(theme)
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/theme_version/style.rb

@@ -0,0 +1,43 @@
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the style.css file
+      class Style < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless cached_style?
+
+          style_version
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return if cached_style?
+
+          style_version
+        end
+
+        # @return [ Boolean ]
+        def cached_style?
+          Typhoeus::Config.cache.get(browser.forge_request(target.style_url)) ? true : false
+        end
+
+        # @return [ Version ]
+        def style_version
+          return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
+
+          WPScan::Version.new(
+            Regexp.last_match[1],
+            found_by: found_by,
+            confidence: 80,
+            interesting_entries: ["#{target.style_url}, Match: '#{Regexp.last_match}'"]
+          )
+        end
+      end
+    end
+  end
+end

data/app/finders/theme_version/woo_framework_meta_generator.rb

@@ -0,0 +1,19 @@
+module WPScan
+  module Finders
+    module ThemeVersion
+      # Theme Version Finder from the WooFramework generators
+      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Version ]
+        def passive(_opts = {})
+          return unless target.target.homepage_res.body =~ Finders::MainTheme::WooFrameworkMetaGenerator::PATTERN
+
+          return unless Regexp.last_match[1] == target.name
+
+          WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
+        end
+      end
+    end
+  end
+end

data/app/finders/themes.rb

@@ -0,0 +1,20 @@
+require_relative 'themes/urls_in_homepage'
+require_relative 'themes/known_locations'
+
+module WPScan
+  module Finders
+    module Themes
+      # themes Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Themes::UrlsInHomepage.new(target) <<
+            Themes::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/themes/known_locations.rb

@@ -0,0 +1,48 @@
+module WPScan
+  module Finders
+    module Themes
+      # Known Locations Themes Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<Theme> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts) do |res, name|
+            # TODO: follow the location (from enumerate()) and remove the 301 here ?
+            # As a result, it might remove false positive due to redirection to the homepage
+            next unless [200, 401, 403, 301].include?(res.code)
+
+            found << WPScan::Theme.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          names       = opts[:list] || DB::Themes.vulnerable_slugs
+          urls        = {}
+          themes_url  = target.url('wp-content/themes/')
+
+          names.each do |name|
+            urls["#{themes_url}#{URI.encode(name)}/"] = name
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

data/app/finders/themes/urls_in_homepage.rb

@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    module Themes
+      # URLs In Homepage Finder
+      class UrlsInHomepage < CMSScanner::Finders::Finder
+        include WpItems::URLsInHomepage
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Theme> ]
+        def passive(opts = {})
+          found = []
+
+          (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |name|
+            found << WPScan::Theme.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/timthumb_version.rb

@@ -0,0 +1,17 @@
+require_relative 'timthumb_version/bad_request'
+
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Timthumb ] target
+        def initialize(target)
+          finders << TimthumbVersion::BadRequest.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/timthumb_version/bad_request.rb

@@ -0,0 +1,21 @@
+module WPScan
+  module Finders
+    module TimthumbVersion
+      # Timthumb Version Finder from the body of a bad request
+      # See https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#435
+      class BadRequest < CMSScanner::Finders::Finder
+        # @return [ Version ]
+        def aggressive(_opts = {})
+          return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
+
+          WPScan::Version.new(
+            Regexp.last_match[2],
+            found_by: 'Bad Request (Aggressive Detection)',
+            confidence: 90,
+            interesting_entries: ["#{target.url}, Match: '#{Regexp.last_match[1]}'"]
+          )
+        end
+      end
+    end
+  end
+end