wpscan 3.2.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2cd042a221b0b46139937c959bd6428d4bedd1a2
-  data.tar.gz: dd5575dbaf1929427b82e8fa85496941eb3da313
+  metadata.gz: 5faff8eba24f5f7d0ea97833dfb2200f23c1414b
+  data.tar.gz: 905e1d1dec28cea9d51d094ed7af626233f131fa
 SHA512:
-  metadata.gz: ebe332bbc3f165474bfef341caf390d9ade882270ebaf68a901a4a8379decdc482cba640461aa8ff545b9ee05f9d2b84c6cec29a6f11129b2a50363eaf416f95
-  data.tar.gz: 225ef4a7706c4a44bd70a5c5da2b420a8d0f73d1bae8b52f613d1eb054fb469a86c60860189324a1e1f2505e129038b2bb521315485dd366830a86d8536556bd
+  metadata.gz: 10b9dc665fb06f2d3f422a02f432a64921bb855662627abf548aca9b9f45ee3cb6aa9f6e97edc71ba58f759f7eedebce90628849aa79f259e0ea1f1effba9049
+  data.tar.gz: ae7fc0b48cd53132fd2c0d2e4212b05a798afbbbb7aac9737d0cddb79b164885431b49b786b02eca0ae228926e71c60f5b6dd7f4699e4e607a71832202ef6db7

data/README.md

@@ -114,6 +114,7 @@ Pull the repo with ```docker pull wpscanteam/wpscan-v3```
 # Usage
 
 ```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
 
 For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
 

data/app/controllers/core.rb

@@ -4,14 +4,16 @@ module WPScan
     class Core < CMSScanner::Controller::Core
       # @return [ Array<OptParseValidator::Opt> ]
       def cli_options
-        [OptURL.new(['--url URL', 'The URL of the blog to scan'], required_unless: :update, default_protocol: 'http')] +
+        [OptURL.new(['--url URL', 'The URL of the blog to scan'],
+                    required_unless: %i[update help version], default_protocol: 'http')] +
           super.drop(1) + # delete the --url from CMSScanner
           [
             OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
                           choices: %w[apache iis nginx],
                           normalize: %i[downcase to_sym]),
             OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
-            OptBoolean.new(['--[no-]update', 'Wether or not to update the Database'], required_unless: :url)
+            OptBoolean.new(['--[no-]update', 'Wether or not to update the Database'],
+                           required_unless: %i[url help version])
           ]
       end
 
@@ -46,7 +48,9 @@ module WPScan
       end
 
       def before_scan
-        output('banner') unless parsed_options[:banner] == false
+        @last_update = local_db.last_update
+
+        maybe_output_banner_help_and_version # From CMS Scanner
 
         update_db if update_db_required?
         setup_cache

data/app/finders/wp_version.rb

@@ -25,8 +25,9 @@ module WPScan
 
         # @param [ WPScan::Target ] target
         def initialize(target)
-          (WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
-            %w[RSSGenerator AtomGenerator RDFGenerator Readme UniqueFingerprinting]
+          (%w[RSSGenerator AtomGenerator RDFGenerator] +
+           WPScan::DB::DynamicFinders::Wordpress.versions_finders_configs.keys +
+           %w[Readme UniqueFingerprinting]
           ).each do |finder_name|
             finders << WpVersion.const_get(finder_name.to_sym).new(target)
           end

data/app/views/cli/core/version.erb

@@ -0,0 +1,5 @@
+Current Version: <%= WPScan::VERSION %>
+<% if @last_update -%>
+Last DB Update: <%= @last_update.strftime('%Y-%m-%d') %>
+<% end -%>
+

data/app/views/json/core/version.erb

@@ -0,0 +1,2 @@
+"version": <%= WPScan::VERSION.to_json %>,
+"last_db_update": <%= @last_update.to_json %>,

data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb

@@ -22,13 +22,13 @@ module WPScan
               begin
                 parsed = parser.respond_to?(:safe_load) ? parser.safe_load(body) : parser.load(body)
 
-                return parsed if parsed.is_a?(Hash)
+                return parsed if parsed.is_a?(Hash) || parsed.is_a?(Array)
               rescue StandardError
                 next
               end
             end
 
-            nil # Make sure nil is returned in case none of the parsers manage to parse the body correctly
+            nil # Make sure nil is returned in case none of the parsers managed to parse the body correctly
           end
 
           # No Passive way
@@ -39,8 +39,10 @@ module WPScan
           # @return [ Version ]
           def find(response, _opts = {})
             parsed_body = parse(response.body)
+            # Create indexes for the #dig, digits are converted to integers
+            indexes     = self.class::KEY.split(':').map { |e| e == e.to_i.to_s ? e.to_i : e }
 
-            return unless (data = parsed_body&.dig(*self.class::KEY.split(':'))) && data =~ self.class::PATTERN
+            return unless (data = parsed_body&.dig(*indexes)) && data =~ self.class::PATTERN
 
             create_version(
               Regexp.last_match[:v],

data/lib/wpscan/version.rb

@@ -1,4 +1,4 @@
 # Version
 module WPScan
-  VERSION = '3.2.0'.freeze
+  VERSION = '3.2.1'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.1
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-09 00:00:00.000000000 Z
+date: 2018-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.39.0
+        version: 0.0.39.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.39.0
+        version: 0.0.39.1
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -38,20 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.1'
-- !ruby/object:Gem::Dependency
-  name: opt_parse_validator
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.0.15.2
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.0.15.2
 - !ruby/object:Gem::Dependency
   name: yajl-ruby
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.3.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
 - team@wpscan.org
@@ -275,6 +261,7 @@ files:
 - app/views/cli/core/db_update_finished.erb
 - app/views/cli/core/db_update_started.erb
 - app/views/cli/core/not_fully_configured.erb
+- app/views/cli/core/version.erb
 - app/views/cli/enumeration/config_backups.erb
 - app/views/cli/enumeration/medias.erb
 - app/views/cli/enumeration/plugins.erb
@@ -295,6 +282,7 @@ files:
 - app/views/json/core/db_update_finished.erb
 - app/views/json/core/db_update_started.erb
 - app/views/json/core/not_fully_configured.erb
+- app/views/json/core/version.erb
 - app/views/json/enumeration/config_backups.erb
 - app/views/json/enumeration/medias.erb
 - app/views/json/enumeration/plugins.erb