wpscan 3.0

data/app/finders/timthumbs.rb

@@ -0,0 +1,17 @@
+require_relative 'timthumbs/known_locations'
+
+module WPScan
+  module Finders
+    module Timthumbs
+      # Timthumbs Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << Timthumbs::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/timthumbs/known_locations.rb

@@ -0,0 +1,56 @@
+module WPScan
+  module Finders
+    module Timthumbs
+      # Known Locations Timthumbs Finder
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Array<Timthumb> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(target_urls(opts), opts) do |res|
+            next unless res.code == 400 && res.body =~ /no image specified/i
+
+            found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          File.open(opts[:list]).each_with_index do |path, index|
+            urls[target.url(path.chomp)] = index
+          end
+
+          # Add potential timthumbs located in the main theme
+          if target.main_theme
+            main_theme_timthumbs_paths.each do |path|
+              urls[target.main_theme.url(path)] = 1 # index not important there
+            end
+          end
+
+          urls
+        end
+
+        def main_theme_timthumbs_paths
+          %w(timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
+             scripts/timthumb.php tools/timthumb.php functions/timthumb.php)
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking Known Locations -'))
+        end
+      end
+    end
+  end
+end

data/app/finders/users.rb

@@ -0,0 +1,24 @@
+require_relative 'users/author_posts'
+require_relative 'users/wp_json_api'
+require_relative 'users/author_id_brute_forcing'
+require_relative 'users/login_error_messages'
+
+module WPScan
+  module Finders
+    module Users
+      # Users Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            Users::AuthorPosts.new(target) <<
+            Users::WpJsonApi.new(target) <<
+            Users::AuthorIdBruteForcing.new(target) <<
+            Users::LoginErrorMessages.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/users/author_id_brute_forcing.rb

@@ -0,0 +1,111 @@
+module WPScan
+  module Finders
+    module Users
+      # Author Id Brute Forcing
+      class AuthorIdBruteForcing < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range Mandatory
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+          found_by_msg = 'Author Id Brute Forcing - %s (Aggressive Detection)'
+
+          enumerate(target_urls(opts), opts) do |res, id|
+            username, found_by, confidence = potential_username(res)
+
+            next unless username
+
+            found << WPScan::User.new(
+              username,
+              id: id,
+              found_by: format(found_by_msg, found_by),
+              confidence: confidence
+            )
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ Range ] :range
+        #
+        # @return [ Hash ]
+        def target_urls(opts = {})
+          urls = {}
+
+          opts[:range].each do |id|
+            urls[target.uri.join("?author=#{id}").to_s] = id
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Brute Forcing Author Ids -'))
+        end
+
+        def request_params
+          { followlocation: true }
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<String, String, Integer>, nil ] username, found_by, confidence
+        def potential_username(res)
+          username = username_from_author_url(res.effective_url) || username_from_response(res)
+
+          return username, 'Author Pattern', 100 if username
+
+          username = display_name_from_body(res.body)
+
+          return username, 'Display Name', 50 if username
+        end
+
+        # @param [ String ] url
+        #
+        # @return [ String, nil ]
+        def username_from_author_url(url)
+          url[%r{/author/([^/\b]+)/?}i, 1]
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ String, nil ] The username found
+        def username_from_response(res)
+          # Permalink enabled
+          target.in_scope_urls(res, '//link|//a') do |url|
+            username = username_from_author_url(url)
+            return username if username
+          end
+
+          # No permalink
+          res.body[/<body class="archive author author-([^\s]+)[ "]/i, 1]
+        end
+
+        # @param [ String ] body
+        #
+        # @return [ String, nil ]
+        def display_name_from_body(body)
+          page = Nokogiri::HTML.parse(body)
+          # WP >= 3.0
+          page.css('h1.page-title span').each do |node|
+            return node.text.to_s
+          end
+
+          # WP < 3.0
+          page.xpath('//link[@rel="alternate" and @type="application/rss+xml"]').each do |node|
+            title = node['title']
+
+            next unless title =~ /Posts by (.*) Feed\z/i
+
+            return Regexp.last_match[1] unless Regexp.last_match[1].empty?
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/users/author_posts.rb

@@ -0,0 +1,61 @@
+module WPScan
+  module Finders
+    module Users
+      # Author Posts
+      class AuthorPosts < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def passive(opts = {})
+          found_by_msg = 'Author Posts - %s (Passive Detection)'
+
+          usernames(opts).reduce([]) do |a, e|
+            a << WPScan::User.new(
+              e[0],
+              found_by: format(found_by_msg, e[1]),
+              confidence: e[2]
+            )
+          end
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Array>> ]
+        def usernames(_opts = {})
+          found = potential_usernames(target.homepage_res)
+
+          return found unless found.empty?
+
+          target.homepage_res.html.css('header.entry-header a').each do |post_url_node|
+            url = post_url_node['href']
+
+            next if url.nil? || url.empty?
+
+            found += potential_usernames(Browser.get(url))
+          end
+
+          found.compact.uniq
+        end
+
+        # @param [ Typhoeus::Response ] res
+        #
+        # @return [ Array<Array> ]
+        def potential_usernames(res)
+          usernames = []
+
+          target.in_scope_urls(res, '//a', %w(href)) do |url, node|
+            uri = Addressable::URI.parse(url)
+
+            if uri.path =~ %r{/author/([^/\b]+)/?\z}i
+              usernames << [Regexp.last_match[1], 'Author Pattern', 100]
+            elsif uri.query =~ /author=[0-9]+/
+              usernames << [node.text.to_s.strip, 'Display Name', 30]
+            end
+          end
+
+          usernames.uniq
+        end
+      end
+    end
+  end
+end

data/app/finders/users/login_error_messages.rb

@@ -0,0 +1,50 @@
+module WPScan
+  module Finders
+    module Users
+      # Login Error Messages
+      #
+      # Existing username:
+      #   WP < 3.1 - Incorrect password.
+      #   WP >= 3.1 - The password you entered for the username admin is incorrect.
+      # Non existent username: Invalid username.
+      #
+      class LoginErrorMessages < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        #
+        # @return [ Array<User> ]
+        def aggressive(opts = {})
+          found = []
+
+          usernames(opts).each do |username|
+            res = target.do_login(username, SecureRandom.hex[0, 8])
+
+            return found unless res.code == 200
+
+            error = res.html.css('div#login_error').text.strip
+
+            return found if error.empty? # Protection plugin / error disabled
+
+            next unless error =~ /The password you entered for the username|Incorrect Password/i
+
+            found << WPScan::User.new(username, found_by: found_by, confidence: 100)
+          end
+
+          found
+        end
+
+        # @return [ Array<String> ] List of usernames to check
+        def usernames(opts = {})
+          # usernames from the potential Users found
+          unames = opts[:found].map(&:username)
+
+          if opts[:list]
+            File.open(opts[:list]).each { |uname| unames << uname.chomp }
+          end
+
+          unames.uniq
+        end
+      end
+    end
+  end
+end

data/app/finders/users/wp_json_api.rb

@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module Users
+      # WP JSON API
+      #
+      # Since 4.7 - Need more investigation as it seems WP 4.7.1 reduces the exposure, see https://github.com/wpscanteam/wpscan/issues/1038)
+      #
+      class WpJsonApi < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found = []
+
+          JSON.parse(Browser.get(api_url).body).each do |user|
+            found << WPScan::User.new(user['slug'], id: user['id'], found_by: found_by, confidence: 100)
+          end
+
+          found
+        rescue JSON::ParserError
+          found
+        end
+
+        # @return [ String ] The URL of the API listing the Users
+        def api_url
+          @api_url ||= target.url('wp-json/wp/v2/users/')
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_items.rb

@@ -0,0 +1 @@
+require_relative 'wp_items/urls_in_homepage'

data/app/finders/wp_items/urls_in_homepage.rb

@@ -0,0 +1,68 @@
+module WPScan
+  module Finders
+    module WpItems
+      # URLs In Homepage Module to use in plugins & themes finders
+      module URLsInHomepage
+        # @param [ String ] type plugins / themes
+        # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
+        #
+        # @return [Array<String> ] The plugins/themes detected in the href, src attributes of the homepage
+        def items_from_links(type, uniq = true)
+          found = []
+
+          target.in_scope_urls(target.homepage_res) do |url|
+            next unless url =~ item_attribute_pattern(type)
+
+            found << Regexp.last_match[1]
+          end
+
+          uniq ? found.uniq.sort : found.sort
+        end
+
+        # @param [ String ] type plugins / themes
+        # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
+        #
+        # @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
+        def items_from_codes(type, uniq = true)
+          found = []
+
+          target.homepage_res.html.css('script,style').each do |tag|
+            code = tag.text.to_s
+            next if code.empty?
+
+            code.scan(item_code_pattern(type)).flatten.uniq.each { |name| found << name }
+          end
+
+          uniq ? found.uniq.sort : found.sort
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_attribute_pattern(type)
+          @item_attribute_pattern ||= %r{\A#{item_url_pattern(type)}([^/]+)/}i
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_code_pattern(type)
+          @item_code_pattern ||= %r{["'\( ]#{item_url_pattern(type)}([^\\\/\)"']+)}i
+        end
+
+        # @param [ String ] type
+        #
+        # @return [ Regexp ]
+        def item_url_pattern(type)
+          item_dir = type == 'plugins' ? target.plugins_dir : target.content_dir
+          item_url = type == 'plugins' ? target.plugins_url : target.content_url
+
+          url = /#{item_url.gsub(/\A(?:http|https)/i, 'https?').gsub('/', '\\\\\?\/')}/i
+          item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
+
+          type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version.rb

@@ -0,0 +1,34 @@
+require_relative 'wp_version/meta_generator'
+require_relative 'wp_version/rss_generator'
+require_relative 'wp_version/atom_generator'
+require_relative 'wp_version/rdf_generator'
+require_relative 'wp_version/readme'
+require_relative 'wp_version/sitemap_generator'
+require_relative 'wp_version/opml_generator'
+require_relative 'wp_version/stylesheets'
+require_relative 'wp_version/unique_fingerprinting'
+
+module WPScan
+  module Finders
+    module WpVersion
+      # Wp Version Finder
+      class Base
+        include CMSScanner::Finders::UniqueFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders <<
+            WpVersion::MetaGenerator.new(target) <<
+            WpVersion::RSSGenerator.new(target) <<
+            WpVersion::AtomGenerator.new(target) <<
+            WpVersion::Stylesheets.new(target) <<
+            WpVersion::RDFGenerator.new(target) <<
+            WpVersion::Readme.new(target) <<
+            WpVersion::SitemapGenerator.new(target) <<
+            WpVersion::OpmlGenerator.new(target) <<
+            WpVersion::UniqueFingerprinting.new(target)
+        end
+      end
+    end
+  end
+end