wpscan 3.0

data/app/finders/wp_version/atom_generator.rb

@@ -0,0 +1,40 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Atom Generator Version Finder
+      class AtomGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.css('generator').each do |node|
+              next unless node.text.to_s.strip.casecmp('wordpress').zero?
+
+              found << create_version(
+                node['version'],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//link[@rel="alternate" and @type="application/atom+xml"]'
+        end
+
+        def aggressive_urls(_opts = {})
+          %w(feed/atom/ ?feed=atom).reduce([]) do |a, uri|
+            a << target.url(uri)
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/meta_generator.rb

@@ -0,0 +1,27 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Meta Generator Version Finder
+      class MetaGenerator < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def passive(_opts = {})
+          target.homepage_res.html.css('meta[name="generator"]').each do |node|
+            next unless node.attribute('content').to_s =~ /wordpress ([0-9\.]+)/i
+
+            number = Regexp.last_match(1)
+
+            next unless WPScan::WpVersion.valid?(number)
+
+            return WPScan::WpVersion.new(
+              number,
+              found_by: 'Meta Generator (Passive detection)',
+              confidence: 80,
+              interesting_entries: ["#{target.url}, Match: '#{node}'"]
+            )
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/opml_generator.rb

@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Sitemap Generator Version Finder
+      class OpmlGenerator < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def aggressive(_opts = {})
+          target.comments_from_page(%r{\Agenerator="wordpress/([^"]+)"\z}i, 'wp-links-opml.php') do |match, node|
+            next unless WPScan::WpVersion.valid?(match[1])
+
+            return WPScan::WpVersion.new(
+              match[1],
+              found_by: 'OPML Generator (Aggressive Detection)',
+              confidence: 80,
+              interesting_entries: ["#{target.url('wp-links-opml.php')}, Match: '#{node}'"]
+            )
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/rdf_generator.rb

@@ -0,0 +1,38 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # RDF Generator Version Finder
+      class RDFGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.xpath('//generatoragent').each do |node|
+              next unless node['rdf:resource'] =~ %r{\Ahttps?://wordpress\.(?:[a-z.]+)/\?v=(.*)\z}i
+
+              found << create_version(
+                Regexp.last_match[1],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//a[contains(@href, "rdf")]'
+        end
+
+        def aggressive_urls(_opts = {})
+          [target.url('feed/rdf/')]
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/readme.rb

@@ -0,0 +1,28 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Readme Version Finder
+      class Readme < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def aggressive(_opts = {})
+          readme_url = target.url('readme.html') # Maybe move this into the Target ?
+
+          node = Browser.get(readme_url).html.css('h1#logo').last
+
+          return unless node && node.text.to_s.strip =~ /\AVersion (.*)\z/i
+
+          number = Regexp.last_match(1)
+
+          return unless WPScan::WpVersion.valid?(number)
+
+          WPScan::WpVersion.new(
+            number,
+            found_by: 'Readme (Aggressive Detection)',
+            confidence: 90,
+            interesting_entries: ["#{readme_url}, Match: '#{node.text.to_s.strip}'"]
+          )
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/rss_generator.rb

@@ -0,0 +1,43 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # RSS Generator Version Finder
+      class RSSGenerator < CMSScanner::Finders::Finder
+        include Finder::WpVersion::SmartURLChecker
+
+        def process_urls(urls, _opts = {})
+          found = Findings.new
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            res.html.xpath('//comment()[contains(., "wordpress")] | //generator').each do |node|
+              node_text = node.text.to_s.strip
+
+              next unless node_text =~ %r{\Ahttps?://wordpress\.(?:[a-z]+)/\?v=(.*)\z}i ||
+                          node_text =~ %r{\Agenerator="wordpress/([^"]+)"\z}i
+
+              found << create_version(
+                Regexp.last_match[1],
+                found_by: found_by,
+                entries: ["#{res.effective_url}, #{node}"]
+              )
+            end
+          end
+
+          found
+        end
+
+        def passive_urls_xpath
+          '//link[@rel="alternate" and @type="application/rss+xml"]'
+        end
+
+        def aggressive_urls(_opts = {})
+          %w(feed/ comments/feed/ feed/rss/ feed/rss2/).reduce([]) do |a, uri|
+            a << target.url(uri)
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/sitemap_generator.rb

@@ -0,0 +1,23 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Sitemap Generator Version Finder
+      class SitemapGenerator < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def aggressive(_opts = {})
+          target.comments_from_page(%r{\Agenerator="wordpress/([^"]+)"\z}i, 'sitemap.xml') do |match, node|
+            next unless WPScan::WpVersion.valid?(match[1])
+
+            return WPScan::WpVersion.new(
+              match[1],
+              found_by: 'Sitemap Generator (Aggressive Detection)',
+              confidence: 80,
+              interesting_entries: ["#{target.url('sitemap.xml')}, #{node}"]
+            )
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/stylesheets.rb

@@ -0,0 +1,55 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Stylesheets Version Finder
+      class Stylesheets < CMSScanner::Finders::Finder
+        # @return [ WpVersion ]
+        def passive(_opts = {})
+          found = []
+
+          scan_page(target.homepage_url).each do |version_number, occurences|
+            next unless WPScan::WpVersion.valid?(version_number) # Skip invalid versions
+
+            found << WPScan::WpVersion.new(
+              version_number,
+              found_by: 'Stylesheet Numbers (Passive Detection)',
+              confidence: 5 * occurences,
+              interesting_entries: [target.homepage_url]
+            )
+          end
+
+          found
+        end
+
+        protected
+
+        # TODO: use target.in_scope_urls to get the URLs
+        # @param [ String ] url
+        #
+        # @return [ Hash ]
+        def scan_page(url)
+          found   = {}
+          pattern = /\bver=([0-9\.]+)/i
+
+          Browser.get(url).html.css('link,script').each do |tag|
+            %w(href src).each do |attribute|
+              attr_value = tag.attribute(attribute).to_s
+
+              next if attr_value.nil? || attr_value.empty?
+
+              uri = Addressable::URI.parse(attr_value)
+              next unless uri.query && uri.query.match(pattern)
+
+              version = Regexp.last_match[1].to_s
+
+              found[version] ||= 0
+              found[version] += 1
+            end
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/wp_version/unique_fingerprinting.rb

@@ -0,0 +1,64 @@
+module WPScan
+  module Finders
+    module WpVersion
+      # Unique Fingerprinting Version Finder
+      class UniqueFingerprinting < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Fingerprinter
+
+        QUERY = 'SELECT md5_hash, path_id, version_id, ' \
+                'versions.number AS version,' \
+                'paths.value AS path ' \
+                'FROM fingerprints ' \
+                'LEFT JOIN versions ON version_id = versions.id ' \
+                'LEFT JOIN paths on path_id = paths.id ' \
+                'WHERE md5_hash IN ' \
+                '(SELECT md5_hash FROM fingerprints GROUP BY md5_hash HAVING COUNT(*) = 1) ' \
+                'ORDER BY version DESC'.freeze
+
+        # @return [ WpVersion ]
+        def aggressive(opts = {})
+          fingerprint(unique_fingerprints, opts) do |version_number, url, md5sum|
+            hydra.abort
+            progress_bar.finish
+
+            return WPScan::WpVersion.new(
+              version_number,
+              found_by: 'Unique Fingerprinting (Aggressive Detection)',
+              confidence: 100,
+              interesting_entries: ["#{url} md5sum is #{md5sum}"]
+            )
+          end
+          nil
+        end
+
+        # @return [ Hash ] The unique fingerprints across all versions in the DB
+        #
+        # Format returned:
+        # {
+        #   file_path_1: {
+        #     md5_hash_1: version_1,
+        #     md5_hash_2: version_2
+        #   },
+        #   file_path_2: {
+        #     md5_hash_3: version_1,
+        #     md5_hash_4: version_3
+        #   }
+        # }
+        def unique_fingerprints
+          fingerprints = {}
+
+          repository(:default).adapter.select(QUERY).each do |f|
+            fingerprints[f.path] ||= {}
+            fingerprints[f.path][f.md5_hash] = f.version
+          end
+
+          fingerprints
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: 'Fingerprinting the version -'))
+        end
+      end
+    end
+  end
+end

data/app/models.rb

@@ -0,0 +1,10 @@
+require_relative 'models/interesting_finding'
+require_relative 'models/wp_version'
+require_relative 'models/xml_rpc'
+require_relative 'models/wp_item'
+require_relative 'models/timthumb'
+require_relative 'models/media'
+require_relative 'models/user'
+require_relative 'models/plugin'
+require_relative 'models/theme'
+require_relative 'models/config_backup'

data/app/models/config_backup.rb

@@ -0,0 +1,5 @@
+module WPScan
+  # Config Backup
+  class ConfigBackup < InterestingFinding
+  end
+end

data/app/models/interesting_finding.rb

@@ -0,0 +1,6 @@
+module WPScan
+  # Custom class to include the WPScan::References module
+  class InterestingFinding < CMSScanner::InterestingFinding
+    include References
+  end
+end

data/app/models/media.rb

@@ -0,0 +1,5 @@
+module WPScan
+  # Media
+  class Media < InterestingFinding
+  end
+end

data/app/models/plugin.rb

@@ -0,0 +1,25 @@
+module WPScan
+  # WordPress Plugin
+  class Plugin < WpItem
+    # See WpItem
+    def initialize(name, target, opts = {})
+      super(name, target, opts)
+
+      @uri = Addressable::URI.parse(target.url("wp-content/plugins/#{name}/"))
+    end
+
+    # @return [ JSON ]
+    def db_data
+      DB::Plugin.db_data(name)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ WPScan::Version, false ]
+    def version(opts = {})
+      @version = Finders::PluginVersion::Base.find(self, detection_opts.merge(opts)) if @version.nil?
+
+      @version
+    end
+  end
+end

data/app/models/theme.rb

@@ -0,0 +1,99 @@
+module WPScan
+  # WordPress Theme
+  class Theme < WpItem
+    attr_reader :style_url, :style_name, :style_uri, :author, :author_uri, :template, :description,
+                :license, :license_uri, :tags, :text_domain
+
+    # See WpItem
+    def initialize(name, target, opts = {})
+      super(name, target, opts)
+
+      @uri       = Addressable::URI.parse(target.url("wp-content/themes/#{name}/"))
+      @style_url = opts[:style_url] || url('style.css')
+
+      parse_style
+    end
+
+    # @return [ JSON ]
+    def db_data
+      DB::Theme.db_data(name)
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ WPScan::Version, false ]
+    def version(opts = {})
+      @version = Finders::ThemeVersion::Base.find(self, detection_opts.merge(opts)) if @version.nil?
+
+      @version
+    end
+
+    # @return [ Theme ]
+    def parent_theme
+      return unless template
+      return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i
+
+      opts = detection_opts.merge(
+        style_url: url(Regexp.last_match[1]),
+        found_by: 'Parent Themes (Passive Detection)',
+        confidence: 100
+      )
+
+      self.class.new(template, target, opts)
+    end
+
+    # @param [ Integer ] depth
+    #
+    # @retun [ Array<Theme> ]
+    def parent_themes(depth = 3)
+      theme  = self
+      found  = []
+
+      (1..depth).each do |_|
+        parent = theme.parent_theme
+
+        break unless parent
+
+        found << parent
+        theme = parent
+      end
+
+      found
+    end
+
+    def style_body
+      @style_body ||= Browser.get(style_url).body
+    end
+
+    def parse_style
+      {
+        style_name: 'Theme Name',
+        style_uri: 'Theme URI',
+        author: 'Author',
+        author_uri: 'Author URI',
+        template: 'Template',
+        description: 'Description',
+        license: 'License',
+        license_uri: 'License URI',
+        tags: 'Tags',
+        text_domain: 'Text Domain'
+      }.each do |attribute, tag|
+        instance_variable_set(:"@#{attribute}", parse_style_tag(style_body, tag))
+      end
+    end
+
+    # @param [ String ] bofy
+    # @param [ String ] tag
+    #
+    # @return [ String ]
+    def parse_style_tag(body, tag)
+      value = body[/^\s*#{Regexp.escape(tag)}:[\t ]*([^\r\n]+)/i, 1]
+
+      value && !value.strip.empty? ? value.strip : nil
+    end
+
+    def ==(other)
+      super(other) && style_url == other.style_url
+    end
+  end
+end