wpscan 3.0

data/app/models/timthumb.rb

@@ -0,0 +1,74 @@
+module WPScan
+  # Timthumb
+  class Timthumb < InterestingFinding
+    include Vulnerable
+
+    # Opts used to detect the version
+    attr_reader :detection_opts
+
+    # @param [ String ] url
+    # @param [ Hash ] opts
+    # @option opts [ String ] :detection_mode
+    def initialize(url, opts = {})
+      super(url, opts)
+
+      @detection_opts = { mode: opts[:mode] }
+    end
+
+    # @param [ Hash ] opts
+    #
+    # @return [ WPScan::Version, false ]
+    def version(opts = {})
+      if @version.nil?
+        @version = Finders::TimthumbVersion::Base.find(self, detection_opts.merge(opts))
+      end
+
+      @version
+    end
+
+    # @return [ Array<Vulnerability> ]
+    def vulnerabilities
+      vulns = []
+
+      vulns << rce_webshot_vuln if false == version || version > '1.35' && version < '2.8.14' && webshot_enabled?
+      vulns << rce_132_vuln if false == version || version < '1.33'
+
+      vulns
+    end
+
+    # @return [ Vulnerability ] The RCE in the <= 1.32
+    def rce_132_vuln
+      Vulnerability.new(
+        'Timthumb <= 1.32 Remote Code Execution',
+        { exploitdb: ['17602'] },
+        'RCE',
+        '1.33'
+      )
+    end
+
+    # @return [ Vulnerability ] The RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13
+    def rce_webshot_vuln
+      Vulnerability.new(
+        'Timthumb <= 2.8.13 WebShot Remote Code Execution',
+        {
+          url: ['http://seclists.org/fulldisclosure/2014/Jun/117', 'https://github.com/wpscanteam/wpscan/issues/519'],
+          cve: '2014-4663'
+        },
+        'RCE',
+        '2.8.14'
+      )
+    end
+
+    # @return [ Boolean ]
+    def webshot_enabled?
+      res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
+
+      res.body =~ /WEBSHOT_ENABLED == true/ ? false : true
+    end
+
+    # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
+    def default_allowed_domains
+      %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
+    end
+  end
+end

data/app/models/user.rb

@@ -0,0 +1,31 @@
+module WPScan
+  # WordPress User
+  class User
+    include Finders::Finding
+
+    attr_accessor :password
+    attr_reader :id, :username
+
+    # @param [ String ] username
+    # @param [ Hash ] opts
+    # @option opts [ Integer ] :id
+    # @option opts [ String ] :password
+    def initialize(username, opts = {})
+      @username = username
+      @password = opts[:password]
+      @id       = opts[:id]
+
+      parse_finding_options(opts)
+    end
+
+    def ==(other)
+      return false unless self.class == other.class
+
+      username == other.username
+    end
+
+    def to_s
+      username
+    end
+  end
+end

data/app/models/wp_item.rb

@@ -0,0 +1,142 @@
+module WPScan
+  # WpItem (superclass of Plugin & Theme)
+  class WpItem
+    include Vulnerable
+    include Finders::Finding
+    include CMSScanner::Target::Platform::PHP
+    include CMSScanner::Target::Server::Generic
+
+    READMES    = %w(readme.txt README.txt Readme.txt ReadMe.txt README.TXT readme.TXT).freeze
+    CHANGELOGS = %w(changelog.txt Changelog.txt ChangeLog.txt CHANGELOG.txt).freeze
+
+    attr_reader :uri, :name, :detection_opts, :target, :db_data
+
+    # @param [ String ] name The plugin/theme name
+    # @param [ Target ] target The targeted blog
+    # @param [ Hash ] opts
+    # @option opts [ String ] :detection_mode
+    # @option opts [ Boolean ] :version_all Wether or not to
+    # @option opts [ String ] :url The URL of the item
+    def initialize(name, target, opts = {})
+      @name           = URI.decode(name)
+      @target         = target
+      @uri            = Addressable::URI.parse(opts[:url]) if opts[:url]
+
+      # Options used to detect the version
+      @detection_opts = { mode: opts[:mode], confidence_threshold: opts[:version_all] ? 0 : 100 }
+
+      parse_finding_options(opts)
+    end
+
+    # @return [ Array<Vulnerabily> ]
+    def vulnerabilities
+      return @vulnerabilities if @vulnerabilities
+
+      @vulnerabilities = []
+
+      [*db_data['vulnerabilities']].each do |json_vuln|
+        vulnerability = Vulnerability.load_from_json(json_vuln)
+        @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+      end
+
+      @vulnerabilities
+    end
+
+    # Checks if the wp_item is vulnerable to a specific vulnerability
+    #
+    # @param [ Vulnerability ] vuln Vulnerability to check the item against
+    #
+    # @return [ Boolean ]
+    def vulnerable_to?(vuln)
+      return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
+
+      version < vuln.fixed_in ? true : false
+    end
+
+    # @return [ String ]
+    def latest_version
+      @latest_version ||= db_data['latest_version']
+    end
+
+    # Not used anywhere ATM
+    # @return [ Boolean ]
+    def popular?
+      @popular ||= db_data['popular']
+    end
+
+    # URI.encode is preferered over Addressable::URI.encode as it will encode
+    # leading # character:
+    # URI.encode('#t#') => %23t%23
+    # Addressable::URI.encode('#t#') => #t%23
+    #
+    # @param [ String ] path Optional path to merge with the uri
+    #
+    # @return [ String ]
+    def url(path = nil)
+      return unless @uri
+      return @uri.to_s unless path
+
+      @uri.join(URI.encode(path)).to_s
+    end
+
+    # @return [ Boolean ]
+    def ==(other)
+      return false unless self.class == other.class
+
+      name == other.name
+    end
+
+    def to_s
+      name
+    end
+
+    # @return [ Symbol ] The Class name associated to the item name
+    def classify_name
+      name.to_s.tr('-', '_').camelize.to_s.to_sym
+    end
+
+    # @return [ String ] The readme url if found
+    def readme_url
+      return if detection_opts[:mode] == :passive
+
+      if @readme_url.nil?
+        READMES.each do |path|
+          return @readme_url = url(path) if Browser.get(url(path)).code == 200
+        end
+      end
+
+      @readme_url
+    end
+
+    # @return [ String, false ] The changelog urr if found
+    def changelog_url
+      return if detection_opts[:mode] == :passive
+
+      if @changelog_url.nil?
+        CHANGELOGS.each do |path|
+          return @changelog_url = url(path) if Browser.get(url(path)).code == 200
+        end
+      end
+
+      @changelog_url
+    end
+
+    # @param [ String ] path
+    # @param [ Hash ] params The request params
+    #
+    # @return [ Boolean ]
+    def directory_listing?(path = nil, params = {})
+      return if detection_opts[:mode] == :passive
+      super(path, params)
+    end
+
+    # @param [ String ] path
+    # @param [ Hash ] params The request params
+    #
+    # @return [ Boolean ]
+    def error_log?(path = 'error_log', params = {})
+      return if detection_opts[:mode] == :passive
+      super(path, params)
+    end
+  end
+end

data/app/models/wp_version.rb

@@ -0,0 +1,49 @@
+module WPScan
+  # WP Version
+  class WpVersion < CMSScanner::Version
+    include Vulnerable
+    attr_reader :db_data
+
+    def initialize(number, opts = {})
+      raise InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
+
+      super(number, opts)
+    end
+
+    # @param [ String ] number
+    #
+    # @return [ Boolean ] true if the number is a valid WP version, false otherwise
+    def self.valid?(number)
+      all.include?(number)
+    end
+
+    # @return [ Array<String> ] All the version numbers
+    def self.all
+      return @all_numbers if @all_numbers
+
+      @all_numbers = []
+
+      DB::Version.all.each { |v| @all_numbers << v.number }
+
+      @all_numbers
+    end
+
+    # @return [ JSON ]
+    def db_data
+      DB::Version.db_data(number)
+    end
+
+    # @return [ Array<Vulnerability> ]
+    def vulnerabilities
+      return @vulnerabilities if @vulnerabilities
+
+      @vulnerabilities = []
+
+      [*db_data['vulnerabilities']].each do |json_vuln|
+        @vulnerabilities << Vulnerability.load_from_json(json_vuln)
+      end
+
+      @vulnerabilities
+    end
+  end
+end

data/app/models/xml_rpc.rb

@@ -0,0 +1,19 @@
+module WPScan
+  # Override of the CMSScanner::XMLRPC to include the references
+  class XMLRPC < CMSScanner::XMLRPC
+    include References # To be able to use the :wpvulndb reference if needed
+
+    # @return [ Hash ]
+    def references
+      {
+        url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
+        metasploit: [
+          'auxiliary/scanner/http/wordpress_ghost_scanner',
+          'auxiliary/dos/http/wordpress_xmlrpc_dos',
+          'auxiliary/scanner/http/wordpress_xmlrpc_login',
+          'auxiliary/scanner/http/wordpress_pingback_access'
+        ]
+      }
+    end
+  end
+end

data/app/views/cli/brute_force/error.erb

@@ -0,0 +1 @@
+<%= red('ERROR:') %> <%= @msg %>

data/app/views/cli/brute_force/found.erb

@@ -0,0 +1,2 @@
+
+<%= green('[SUCCESS]') %> Username: <%= @user.username %> Password: <%= @user.password %>

data/app/views/cli/brute_force/users.erb

@@ -0,0 +1,9 @@
+
+<% if @users.empty? -%>
+<%= notice_icon %> No Valid Passwords Found.
+<% else -%>
+<%= notice_icon %> Valid Combinations Found:
+<% @users.each do |user| -%>
+ | Username: <%= user.username %>, Password: <%= user.password %>
+<% end -%>
+<% end %>

data/app/views/cli/core/banner.erb

@@ -0,0 +1,14 @@
+_______________________________________________________________
+        __          _______   _____
+        \ \        / /  __ \ / ____|
+         \ \  /\  / /| |__) | (___   ___  __ _ _ __
+          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
+           \  /\  /  | |     ____) | (__| (_| | | | |
+            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
+
+        WordPress Security Scanner by the WPScan Team
+                       Version <%= WPScan::VERSION %>
+          Sponsored by Sucuri - https://sucuri.net
+   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
+_______________________________________________________________
+

data/app/views/cli/core/db_update_finished.erb

@@ -0,0 +1,8 @@
+<% if @verbose && !@updated.empty? -%>
+<%= notice_icon %> File(s) Updated:
+<% @updated.each do |file| -%>
+ |  <%= file %>
+<% end -%>
+<% end -%>
+<%= notice_icon %> Update completed.
+

data/app/views/cli/core/db_update_started.erb

@@ -0,0 +1 @@
+<%= notice_icon %> Updating the Database ...

data/app/views/cli/core/not_fully_configured.erb

@@ -0,0 +1 @@
+<%= critical_icon %> The Website is not fully configured and currently in install mode. Create a new admin user at <%= @url %>

data/app/views/cli/enumeration/config_backups.erb

@@ -0,0 +1,11 @@
+
+<% if @config_backups.empty? -%>
+<%= notice_icon %> No Backups Found.
+<% else -%>
+<%= notice_icon %> Backup(s) Identified:
+<% @config_backups.each do |config_backup| -%>
+
+<%= info_icon %> <%= config_backup %>
+<%= render('@finding', item: config_backup) -%>
+<% end -%>
+<% end %>

data/app/views/cli/enumeration/medias.erb

@@ -0,0 +1,11 @@
+
+<% if @medias.empty? -%>
+<%= notice_icon %> No Medias Found.
+<% else -%>
+<%= notice_icon %> Medias(s) Identified:
+<% @medias.each do |media| -%>
+
+<%= info_icon %> <%= media %>
+<%= render('@finding', item: media) -%>
+<% end -%>
+<% end %>

data/app/views/cli/enumeration/plugins.erb

@@ -0,0 +1,35 @@
+
+<% if @plugins.empty? -%>
+<%= notice_icon %> No plugins Found.
+<% else -%>
+<%= notice_icon %> Plugin(s) Identified:
+<% @plugins.each do |plugin| -%>
+
+<%= info_icon %> <%= plugin %>
+ | Location: <%= plugin.url %>
+<% if plugin.latest_version -%>
+ | Latest Version: <%= plugin.latest_version %>
+<% end -%>
+<% if plugin.readme_url -%>
+ | Readme: <%= plugin.readme_url %>
+<% end -%>
+<% if plugin.changelog_url -%>
+ | Changelog: <%= plugin.changelog_url %>
+<% end -%>
+<% if plugin.directory_listing? -%>
+ | <%= critical_icon %> Directory listing is enabled
+<% end -%>
+<% if plugin.error_log? -%>
+ | <%= critical_icon %> An error log file has been found: <%= plugin.url('error_log') %>
+<% end -%>
+ |
+<%= render('@finding', item: plugin) -%>
+ |
+<% if plugin.version -%>
+ | Version: <%= plugin.version %> (<%= plugin.version.confidence %>% confidence)
+<%= render('@finding', item: plugin.version) -%>
+<% else -%>
+ | The version could not be determined.
+<% end -%>
+<% end -%>
+<% end %>

data/app/views/cli/enumeration/themes.erb

@@ -0,0 +1,11 @@
+
+<% if @themes.empty? -%>
+<%= notice_icon %> No themes Found.
+<% else -%>
+<%= notice_icon %> Theme(s) Identified:
+<% @themes.each do |theme| -%>
+
+<%= info_icon %> <%= theme %>
+<%= render('@theme', theme: theme, show_parents: false) -%>
+<% end -%>
+<% end %>

data/app/views/cli/enumeration/timthumbs.erb

@@ -0,0 +1,18 @@
+
+<% if @timthumbs.empty? -%>
+<%= notice_icon %> No Timthumbs Found.
+<% else -%>
+<%= notice_icon %> Timthumb(s) Identified:
+<% @timthumbs.each do |timthumb| -%>
+
+<%= info_icon %> <%= timthumb %>
+<%= render('@finding', item: timthumb) -%>
+ |
+<% if timthumb.version -%>
+ | Version: <%= timthumb.version %>
+<%= render('@finding', item: timthumb.version) -%>
+<% else -%>
+ | The version could not be determined.
+<% end -%>
+<% end -%>
+<% end %>