wpscan 3.2.1 → 3.3.0

data/app/finders/interesting_findings/mu_plugins.rb

@@ -30,6 +30,7 @@ module WPScan
 
           return unless [200, 401, 403].include?(res.code)
           return if target.homepage_or_404?(res)
+
           # TODO: add the check for --exclude-content once implemented ?
 
           target.mu_plugins = true

data/app/finders/main_theme/css_style.rb

@@ -18,7 +18,7 @@ module WPScan
         end
 
         def passive_from_css_href(res, opts)
-          target.in_scope_urls(res, '//style|//link') do |url|
+          target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
             next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
 
             return create_theme(Regexp.last_match[1], url, opts)

data/app/finders/medias/attachment_brute_forcing.rb

@@ -36,7 +36,7 @@ module WPScan
         end
 
         def create_progress_bar(opts = {})
-          super(opts.merge(title: ' Brute Forcing Attachment Ids -'))
+          super(opts.merge(title: ' Brute Forcing Attachment IDs -'))
         end
       end
     end

data/app/finders/passwords.rb

@@ -0,0 +1,3 @@
+require_relative 'passwords/wp_login'
+require_relative 'passwords/xml_rpc'
+require_relative 'passwords/xml_rpc_multicall'

data/app/finders/passwords/wp_login.rb

@@ -0,0 +1,22 @@
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the wp-login.php
+      class WpLogin < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.login_request(username, password)
+        end
+
+        def valid_credentials?(response)
+          response.code == 302
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /login_error/i
+        end
+      end
+    end
+  end
+end

data/app/finders/passwords/xml_rpc.rb

@@ -0,0 +1,22 @@
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface
+      class XMLRPC < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+
+        def login_request(username, password)
+          target.method_call('wp.getUsersBlogs', [username, password])
+        end
+
+        def valid_credentials?(response)
+          response.code == 200 && response.body =~ /blogName/
+        end
+
+        def errored_response?(response)
+          response.code != 200 && response.body !~ /login_error/i
+        end
+      end
+    end
+  end
+end

data/app/finders/passwords/xml_rpc_multicall.rb

@@ -0,0 +1,102 @@
+module WPScan
+  module Finders
+    module Passwords
+      # Password attack against the XMLRPC interface with the multicall method
+      # WP < 4.4 is vulnerable to such attack
+      class XMLRPCMulticall < CMSScanner::Finders::Finder
+        # @param [ Array<User> ] users
+        # @param [ Array<String> ] passwords
+        #
+        # @return [ Typhoeus::Response ]
+        def do_multi_call(users, passwords)
+          methods = []
+
+          users.each do |user|
+            passwords.each do |password|
+              methods << ['wp.getUsersBlogs', user.username, password]
+            end
+          end
+
+          target.multi_call(methods).run
+        end
+
+        # @param [ Array<CMSScanner::User> ] users
+        # @param [ Array<String> ] passwords
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        # @option opts [ Integer ] :multicall_max_passwords
+        #
+        # @yield [ CMSScanner::User ] When a valid combination is found
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, passwords, opts = {})
+          wordlist_index         = 0
+          max_passwords          = opts[:multicall_max_passwords]
+          current_passwords_size = passwords_size(max_passwords, users.size)
+
+          create_progress_bar(total: (passwords.size / current_passwords_size.round(1)).ceil,
+                              show_progression: opts[:show_progression])
+
+          loop do
+            current_users     = users.select { |user| user.password.nil? }
+            current_passwords = passwords[wordlist_index, current_passwords_size]
+            wordlist_index   += current_passwords_size
+
+            break if current_users.empty? || current_passwords.nil? || current_passwords.empty?
+
+            res = do_multi_call(current_users, current_passwords)
+
+            progress_bar.increment
+
+            check_and_output_errors(res)
+
+            # Avoid to parse the response and iterate over all the structs in the document
+            # if there isn't any tag matching a valid combination
+            next unless res.body =~ /isAdmin/ # maybe a better one ?
+
+            Nokogiri::XML(res.body).xpath('//struct').each_with_index do |struct, index|
+              next if struct.text =~ /faultCode/
+
+              user = current_users[index / current_passwords.size]
+              user.password = current_passwords[index % current_passwords.size]
+
+              yield user
+
+              # Updates the current_passwords_size and progress_bar#total
+              # given that less requests will be done due to a valid combination found.
+              current_passwords_size = passwords_size(max_passwords, current_users.size - 1)
+
+              if current_passwords_size == 0
+                progress_bar.log('All Found') # remove ?
+                progress_bar.stop
+                break
+              end
+
+              progress_bar.total = progress_bar.progress + ((passwords.size - wordlist_index) / current_passwords_size.round(1)).ceil
+            end
+          end
+          # Maybe a progress_bar.stop ?
+        end
+        # rubocop:disable all
+
+        def passwords_size(max_passwords, users_size)
+          return 1 if max_passwords < users_size
+          return 0 if users_size == 0
+
+          max_passwords / users_size
+        end
+
+        # @param [ Typhoeus::Response ] res
+        def check_and_output_errors(res)
+          progress_bar.log("Incorrect response: #{res.code} / #{res.return_message}") unless res.code == 200
+
+          progress_bar.log('Parsing error, might be caused by a too high --max-passwords value (such as >= 2k)') if res.body =~ /parse error. not well formed/i
+
+          progress_bar.log('The requested method is not supported') if res.body =~ /requested method [^ ]+ does not exist/i
+        end
+      end
+    end
+  end
+end

data/app/finders/users.rb

@@ -1,6 +1,7 @@
 require_relative 'users/author_posts'
 require_relative 'users/wp_json_api'
 require_relative 'users/oembed_api'
+require_relative 'users/rss_generator'
 require_relative 'users/author_id_brute_forcing'
 require_relative 'users/login_error_messages'
 
@@ -17,6 +18,7 @@ module WPScan
             Users::AuthorPosts.new(target) <<
             Users::WpJsonApi.new(target) <<
             Users::OembedApi.new(target) <<
+            Users::RSSGenerator.new(target) <<
             Users::AuthorIdBruteForcing.new(target) <<
             Users::LoginErrorMessages.new(target)
         end

data/app/finders/users/author_id_brute_forcing.rb

@@ -18,7 +18,7 @@ module WPScan
 
             next unless username
 
-            found << WPScan::User.new(
+            found << CMSScanner::User.new(
               username,
               id: id,
               found_by: format(found_by_msg, found_by),
@@ -44,7 +44,7 @@ module WPScan
         end
 
         def create_progress_bar(opts = {})
-          super(opts.merge(title: ' Brute Forcing Author Ids -'))
+          super(opts.merge(title: ' Brute Forcing Author IDs -'))
         end
 
         def request_params
@@ -76,7 +76,7 @@ module WPScan
         # @return [ String, nil ] The username found
         def username_from_response(res)
           # Permalink enabled
-          target.in_scope_urls(res, '//link|//a') do |url|
+          target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
             username = username_from_author_url(url)
             return username if username
           end

data/app/finders/users/author_posts.rb

@@ -10,7 +10,7 @@ module WPScan
           found_by_msg = 'Author Posts - %s (Passive Detection)'
 
           usernames(opts).reduce([]) do |a, e|
-            a << WPScan::User.new(
+            a << CMSScanner::User.new(
               e[0],
               found_by: format(found_by_msg, e[1]),
               confidence: e[2]
@@ -43,7 +43,7 @@ module WPScan
         def potential_usernames(res)
           usernames = []
 
-          target.in_scope_urls(res, '//a', %w[href]) do |url, node|
+          target.in_scope_urls(res, '//a/@href') do |url, node|
             uri = Addressable::URI.parse(url)
 
             if uri.path =~ %r{/author/([^/\b]+)/?\z}i

data/app/finders/users/login_error_messages.rb

@@ -24,7 +24,7 @@ module WPScan
 
             next unless error =~ /The password you entered for the username|Incorrect Password/i
 
-            found << WPScan::User.new(username, found_by: found_by, confidence: 100)
+            found << CMSScanner::User.new(username, found_by: found_by, confidence: 100)
           end
 
           found

data/app/finders/users/oembed_api.rb

@@ -31,10 +31,10 @@ module WPScan
 
           return unless details
 
-          found << WPScan::User.new(details[0],
-                                    found_by: format(found_by_msg, details[1]),
-                                    confidence: details[2],
-                                    interesting_entries: [api_url])
+          found << CMSScanner::User.new(details[0],
+                                        found_by: format(found_by_msg, details[1]),
+                                        confidence: details[2],
+                                        interesting_entries: [api_url])
         rescue JSON::ParserError
           found
         end

data/app/finders/users/rss_generator.rb

@@ -0,0 +1,38 @@
+module WPScan
+  module Finders
+    module Users
+      # Users disclosed from the dc:creator field in the RSS
+      # The names disclosed are display names, however depending on the configuration of the blog,
+      # they can be the same than usernames
+      class RSSGenerator < WPScan::Finders::WpVersion::RSSGenerator
+        def process_urls(urls, _opts = {})
+          found = []
+
+          urls.each do |url|
+            res = Browser.get_and_follow_location(url)
+
+            next unless res.code == 200 && res.body =~ /<dc\:creator>/i
+
+            potential_usernames = []
+
+            begin
+              res.xml.xpath('//item/dc:creator').each do |node|
+                potential_usernames << node.text.to_s unless node.text.to_s.length > 40
+              end
+            rescue Nokogiri::XML::XPath::SyntaxError
+              next
+            end
+
+            potential_usernames.uniq.each do |potential_username|
+              found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50)
+            end
+
+            break
+          end
+
+          found
+        end
+      end
+    end
+  end
+end

data/app/finders/users/wp_json_api.rb

@@ -13,11 +13,11 @@ module WPScan
           found = []
 
           JSON.parse(Browser.get(api_url).body)&.each do |user|
-            found << WPScan::User.new(user['slug'],
-                                      id: user['id'],
-                                      found_by: found_by,
-                                      confidence: 100,
-                                      interesting_entries: [api_url])
+            found << CMSScanner::User.new(user['slug'],
+                                          id: user['id'],
+                                          found_by: found_by,
+                                          confidence: 100,
+                                          interesting_entries: [api_url])
           end
 
           found

data/app/finders/wp_version/atom_generator.rb

@@ -26,7 +26,7 @@ module WPScan
         end
 
         def passive_urls_xpath
-          '//link[@rel="alternate" and @type="application/atom+xml"]'
+          '//link[@rel="alternate" and @type="application/atom+xml"]/@href'
         end
 
         def aggressive_urls(_opts = {})

data/app/finders/wp_version/rdf_generator.rb

@@ -26,7 +26,7 @@ module WPScan
         end
 
         def passive_urls_xpath
-          '//a[contains(@href, "rdf")]'
+          '//a[contains(@href, "rdf")]/@href'
         end
 
         def aggressive_urls(_opts = {})

data/app/finders/wp_version/rss_generator.rb

@@ -29,7 +29,7 @@ module WPScan
         end
 
         def passive_urls_xpath
-          '//link[@rel="alternate" and @type="application/rss+xml"]'
+          '//link[@rel="alternate" and @type="application/rss+xml"]/@href'
         end
 
         def aggressive_urls(_opts = {})

data/app/models.rb

@@ -4,7 +4,7 @@ require_relative 'models/xml_rpc'
 require_relative 'models/wp_item'
 require_relative 'models/timthumb'
 require_relative 'models/media'
-require_relative 'models/user'
 require_relative 'models/plugin'
 require_relative 'models/theme'
 require_relative 'models/config_backup'
+require_relative 'models/db_export'

data/app/models/db_export.rb

@@ -0,0 +1,5 @@
+module WPScan
+  # DB Export
+  class DbExport < InterestingFinding
+  end
+end

data/app/models/wp_item.rb

@@ -141,6 +141,7 @@ module WPScan
     # @return [ Boolean ]
     def directory_listing?(path = nil, params = {})
       return if detection_opts[:mode] == :passive
+
       super(path, params)
     end
 
@@ -150,6 +151,7 @@ module WPScan
     # @return [ Boolean ]
     def error_log?(path = 'error_log', params = {})
       return if detection_opts[:mode] == :passive
+
       super(path, params)
     end
   end

data/app/views/cli/core/banner.erb

@@ -9,6 +9,6 @@ _______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                        Version <%= WPScan::VERSION %>
           Sponsored by Sucuri - https://sucuri.net
-   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
+      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
 _______________________________________________________________
 

data/app/views/cli/enumeration/db_exports.erb

@@ -0,0 +1,11 @@
+
+<% if @db_exports.empty? -%>
+<%= notice_icon %> No DB Exports Found.
+<% else -%>
+<%= notice_icon %> Db Export(s) Identified:
+<% @db_exports.each do |db_export| -%>
+
+<%= info_icon %> <%= db_export %>
+<%= render('@finding', item: db_export) -%>
+<% end -%>
+<% end %>

data/app/views/json/enumeration/db_exports.erb

@@ -0,0 +1,10 @@
+"db_exports": {
+<% unless @db_exports.empty? -%>
+<% last_index = @db_exports.size - 1 -%>
+<% @db_exports.each_with_index do |db_export, index| -%>
+  <%= db_export.url.to_json %>: {
+    <%= render('@finding', item: db_export) -%>
+  }<% unless index == last_index -%>,<% end -%>
+<% end -%>
+<% end -%>
+},

data/app/views/json/{brute_force → password_attack}/users.erb

@@ -1,4 +1,4 @@
-"brute_force": {
+"password_attack": {
 <% unless @users.empty? -%>
 <% last_index = @users.size - 1 -%>
 <% @users.each_with_index do |user, index| -%>

data/bin/wpscan

@@ -9,7 +9,7 @@ WPScan::Scan.new do |s|
     WPScan::Controller::WpVersion.new <<
     WPScan::Controller::MainTheme.new <<
     WPScan::Controller::Enumeration.new <<
-    WPScan::Controller::BruteForce.new <<
+    WPScan::Controller::PasswordAttack.new <<
     WPScan::Controller::Aliases.new
 
   s.run