wpscan 3.2.1 → 3.3.0

data/lib/wpscan/browser.rb

@@ -10,7 +10,7 @@ module WPScan
 
     # @return [ String ]
     def default_user_agent
-      "WPScan v#{VERSION} (http://wpscan.org/)"
+      "WPScan v#{VERSION} (https://wpscan.org/)"
     end
   end
 end

data/lib/wpscan/db/dynamic_finders/plugin.rb

@@ -28,7 +28,7 @@ module WPScan
                  end
 
             fs.each do |finder_name, config|
-              klass = config['class'] ? config['class'] : finder_name
+              klass = config['class'] || finder_name
 
               next unless klass.to_sym == finder_class
 
@@ -79,7 +79,7 @@ module WPScan
             mod = maybe_create_modudle(slug)
 
             finders.each do |finder_class, config|
-              klass = config['class'] ? config['class'] : finder_class
+              klass = config['class'] || finder_class
 
               # Instead of raising exceptions, skip unallowed/already defined finders
               # So that, when new DF configs are put in the .yml

data/lib/wpscan/db/dynamic_finders/wordpress.rb

@@ -34,7 +34,7 @@ module WPScan
                     end
 
           finders.each do |finder_name, config|
-            klass = config['class'] ? config['class'] : finder_name
+            klass = config['class'] || finder_name
 
             next unless klass.to_sym == finder_class
 
@@ -51,7 +51,7 @@ module WPScan
 
         def self.create_versions_finders
           versions_finders_configs.each do |finder_class, config|
-            klass = config['class'] ? config['class'] : finder_class
+            klass = config['class'] || finder_class
 
             # Instead of raising exceptions, skip unallowed/already defined finders
             # So that, when new DF configs are put in the .yml

data/lib/wpscan/db/fingerprints.rb

@@ -33,7 +33,7 @@ module WPScan
 
       # @return [ String ]
       def self.wp_fingerprints_path
-        @wp_unique_fingerprints_path ||= File.join(DB_DIR, 'wp_fingerprints.json')
+        @wp_fingerprints_path ||= File.join(DB_DIR, 'wp_fingerprints.json')
       end
 
       # @return [ Hash ]

data/lib/wpscan/db/updater.rb

@@ -7,7 +7,7 @@ module WPScan
       FILES = %w[
         plugins.json themes.json wordpresses.json
         timthumbs-v3.txt user-agents.txt config_backups.txt
-        dynamic_finders.yml wp_fingerprints.json LICENSE
+        db_exports.txt dynamic_finders.yml wp_fingerprints.json LICENSE
       ].freeze
 
       OLD_FILES = %w[wordpress.db dynamic_finders_01.yml].freeze
@@ -82,6 +82,7 @@ module WPScan
 
         res = Browser.get(url, request_params)
         raise DownloadError, res if res.timed_out? || res.code != 200
+
         res.body.chomp
       end
 
@@ -99,11 +100,13 @@ module WPScan
 
       def create_backup(filename)
         return unless File.exist?(local_file_path(filename))
+
         FileUtils.cp(local_file_path(filename), backup_file_path(filename))
       end
 
       def restore_backup(filename)
         return unless File.exist?(backup_file_path(filename))
+
         FileUtils.cp(backup_file_path(filename), local_file_path(filename))
       end
 

data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb

@@ -37,6 +37,7 @@ module WPScan
               uri = Addressable::URI.parse(url)
 
               next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
+
               version = Regexp.last_match[:v].to_s
 
               found[version] ||= []
@@ -48,7 +49,7 @@ module WPScan
 
           # @return [ String ]
           def xpath
-            @xpath ||= self.class::XPATH || '//link[@href]|//script[@src]'
+            @xpath ||= self.class::XPATH || '//link[@href]/@href|//script[@src]/@src'
           end
 
           # @return [ Regexp ]

data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb

@@ -30,7 +30,8 @@ module WPScan
 
           def xpath
             @xpath ||= self.class::XPATH ||
-                       "//link[contains(@href,'#{target.slug}')]|//script[contains(@src,'#{target.slug}')]"
+                       "//link[contains(@href,'#{target.slug}')]/@href" \
+                       "|//script[contains(@src,'#{target.slug}')]/@src"
           end
         end
 

data/lib/wpscan/finders/dynamic_finder/wp_version.rb

@@ -37,13 +37,14 @@ module WPScan
 
         class WpItemQueryParameter < QueryParameter
           def xpath
-            @xpath ||= self.class::XPATH ||
-                       "//link[contains(@href,'#{target.plugins_dir}') or contains(@href,'#{target.themes_dir}')]|" \
-                       "//script[contains(@src,'#{target.plugins_dir}') or contains(@src,'#{target.themes_dir}')]"
+            @xpath ||=
+              self.class::XPATH ||
+              "//link[contains(@href,'#{target.plugins_dir}') or contains(@href,'#{target.themes_dir}')]/@href" \
+              "|//script[contains(@src,'#{target.plugins_dir}') or contains(@src,'#{target.themes_dir}')]/@src"
           end
 
           def path_pattern
-            @pattern ||= %r{
+            @path_pattern ||= %r{
               (?:#{Regexp.escape(target.plugins_dir)}|#{Regexp.escape(target.themes_dir)})/
               [^/]+/
               .*\.(?:css|js)\z

data/lib/wpscan/target.rb

@@ -12,12 +12,18 @@ module WPScan
       end
 
       return true unless [*@config_backups].empty?
+      return true unless [*@db_exports].empty?
 
       [*@users].each { |u| return true if u.password }
 
       false
     end
 
+    # @return [ XMLRPC, nil ]
+    def xmlrpc
+      @xmlrpc ||= interesting_findings&.select { |f| f.is_a?(WPScan::XMLRPC) }&.first
+    end
+
     # @param [ Hash ] opts
     #
     # @return [ WpVersion, false ] The WpVersion found or false if not detected
@@ -64,6 +70,13 @@ module WPScan
       @config_backups ||= Finders::ConfigBackups::Base.find(self, opts)
     end
 
+    # @param [ Hash ] opts
+    #
+    # @return [ Array<DBExport> ]
+    def db_exports(opts = {})
+      @db_exports ||= Finders::DbExports::Base.find(self, opts)
+    end
+
     # @param [ Hash ] opts
     #
     # @return [ Array<Media> ]

data/lib/wpscan/target/platform/wordpress/custom_directories.rb

@@ -15,7 +15,7 @@ module WPScan
         def content_dir
           unless @content_dir
             escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
-            pattern     = %r{#{escaped_url}(.+?)\/(?:themes|plugins|uploads)\/}i
+            pattern     = %r{#{escaped_url}(.+?)\/(?:themes|plugins|uploads|cache)\/}i
 
             in_scope_urls(homepage_res) do |url|
               return @content_dir = Regexp.last_match[1] if url.match(pattern)

data/lib/wpscan/version.rb

@@ -1,4 +1,4 @@
 # Version
 module WPScan
-  VERSION = '3.2.1'.freeze
+  VERSION = '3.3.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 3.3.0
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-04 00:00:00.000000000 Z
+date: 2018-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.39.1
+        version: 0.0.40
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.39.1
+        version: 0.0.40
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '5.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '5.2'
 - !ruby/object:Gem::Dependency
   name: yajl-ruby
   requirement: !ruby/object:Gem::Requirement
@@ -86,28 +86,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -128,42 +128,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.0
+        version: 0.59.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.0
+        version: 0.59.2
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: 0.16.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: 0.16.1
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.3.0
+        version: 3.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.3.0
+        version: 3.4.2
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
 - team@wpscan.org
@@ -177,17 +177,19 @@ files:
 - app/app.rb
 - app/controllers.rb
 - app/controllers/aliases.rb
-- app/controllers/brute_force.rb
 - app/controllers/core.rb
 - app/controllers/custom_directories.rb
 - app/controllers/enumeration.rb
 - app/controllers/enumeration/cli_options.rb
 - app/controllers/enumeration/enum_methods.rb
 - app/controllers/main_theme.rb
+- app/controllers/password_attack.rb
 - app/controllers/wp_version.rb
 - app/finders.rb
 - app/finders/config_backups.rb
 - app/finders/config_backups/known_filenames.rb
+- app/finders/db_exports.rb
+- app/finders/db_exports/known_locations.rb
 - app/finders/interesting_findings.rb
 - app/finders/interesting_findings/backup_db.rb
 - app/finders/interesting_findings/debug_log.rb
@@ -207,6 +209,10 @@ files:
 - app/finders/main_theme/woo_framework_meta_generator.rb
 - app/finders/medias.rb
 - app/finders/medias/attachment_brute_forcing.rb
+- app/finders/passwords.rb
+- app/finders/passwords/wp_login.rb
+- app/finders/passwords/xml_rpc.rb
+- app/finders/passwords/xml_rpc_multicall.rb
 - app/finders/plugin_version.rb
 - app/finders/plugin_version/readme.rb
 - app/finders/plugins.rb
@@ -234,6 +240,7 @@ files:
 - app/finders/users/author_posts.rb
 - app/finders/users/login_error_messages.rb
 - app/finders/users/oembed_api.rb
+- app/finders/users/rss_generator.rb
 - app/finders/users/wp_json_api.rb
 - app/finders/wp_items.rb
 - app/finders/wp_items/urls_in_homepage.rb
@@ -245,24 +252,22 @@ files:
 - app/finders/wp_version/unique_fingerprinting.rb
 - app/models.rb
 - app/models/config_backup.rb
+- app/models/db_export.rb
 - app/models/interesting_finding.rb
 - app/models/media.rb
 - app/models/plugin.rb
 - app/models/theme.rb
 - app/models/timthumb.rb
-- app/models/user.rb
 - app/models/wp_item.rb
 - app/models/wp_version.rb
 - app/models/xml_rpc.rb
-- app/views/cli/brute_force/error.erb
-- app/views/cli/brute_force/found.erb
-- app/views/cli/brute_force/users.erb
 - app/views/cli/core/banner.erb
 - app/views/cli/core/db_update_finished.erb
 - app/views/cli/core/db_update_started.erb
 - app/views/cli/core/not_fully_configured.erb
 - app/views/cli/core/version.erb
 - app/views/cli/enumeration/config_backups.erb
+- app/views/cli/enumeration/db_exports.erb
 - app/views/cli/enumeration/medias.erb
 - app/views/cli/enumeration/plugins.erb
 - app/views/cli/enumeration/themes.erb
@@ -272,18 +277,19 @@ files:
 - app/views/cli/info.erb
 - app/views/cli/main_theme/theme.erb
 - app/views/cli/notice.erb
+- app/views/cli/password_attack/users.erb
 - app/views/cli/theme.erb
 - app/views/cli/usage.erb
 - app/views/cli/vulnerability.erb
 - app/views/cli/wp_item.erb
 - app/views/cli/wp_version/version.erb
-- app/views/json/brute_force/users.erb
 - app/views/json/core/banner.erb
 - app/views/json/core/db_update_finished.erb
 - app/views/json/core/db_update_started.erb
 - app/views/json/core/not_fully_configured.erb
 - app/views/json/core/version.erb
 - app/views/json/enumeration/config_backups.erb
+- app/views/json/enumeration/db_exports.erb
 - app/views/json/enumeration/medias.erb
 - app/views/json/enumeration/plugins.erb
 - app/views/json/enumeration/themes.erb
@@ -291,6 +297,7 @@ files:
 - app/views/json/enumeration/users.erb
 - app/views/json/finding.erb
 - app/views/json/main_theme/theme.erb
+- app/views/json/password_attack/users.erb
 - app/views/json/theme.erb
 - app/views/json/wp_item.erb
 - app/views/json/wp_version/version.erb

data/app/controllers/brute_force.rb

@@ -1,116 +0,0 @@
-module WPScan
-  module Controller
-    # Brute Force Controller
-    class BruteForce < CMSScanner::Controller::Base
-      def cli_options
-        [
-          OptFilePath.new(
-            ['--passwords FILE-PATH', '-P',
-             'List of passwords to use during the brute forcing.',
-             'If no --username/s option supplied, user enumeration will be run'],
-            exists: true
-          ),
-          OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the brute forcing'])
-        ]
-      end
-
-      def run
-        return unless parsed_options[:passwords]
-
-        begin
-          found = []
-
-          brute_force(users, passwords(parsed_options[:passwords])) do |user|
-            found << user
-
-            output('found', user: user) if user_interaction?
-          end
-        ensure
-          output('users', users: found)
-        end
-      end
-
-      # @return [ Array<Users> ] The users to brute force
-      def users
-        return target.users unless parsed_options[:usernames]
-
-        parsed_options[:usernames].reduce([]) do |acc, elem|
-          acc << User.new(elem.chomp)
-        end
-      end
-
-      # the iteration should be on the passwords to be more efficient
-      # however, it's not that simple expecially when a combination is found:
-      #  - the estimated number of requests (for the progressbar) has to be updated.
-      #  - the user found has to be deleted from the loop
-      #
-      # @param [ Array<User> ] users
-      # @param [ Array<String> ] passwords
-      #
-      # @yield [ User ] when a valid combination is found
-      def brute_force(users, passwords)
-        hydra = Browser.instance.hydra
-
-        users.each do |user|
-          bar = progress_bar(passwords.size, user.username) if user_interaction?
-
-          passwords.each do |password|
-            request = target.login_request(user.username, password)
-
-            request.on_complete do |res|
-              bar.progress += 1 if user_interaction?
-
-              if res.code == 302
-                user.password = password
-                hydra.abort
-
-                yield user
-                next
-              elsif user_interaction? && res.code != 200
-                # Errors not displayed when using formats other than cli/cli-no-colour
-                output_error(res)
-              end
-            end
-
-            hydra.queue(request)
-          end
-          hydra.run
-        end
-      end
-
-      def progress_bar(size, username)
-        ProgressBar.create(
-          format: '%t %a <%B> (%c / %C) %P%% %e',
-          title: "Brute Forcing #{username} -",
-          total: size
-        )
-      end
-
-      # @param [ String ] wordlist_path
-      #
-      # @return [ Array<String> ]
-      def passwords(wordlist_path)
-        @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
-          acc << elem.chomp
-        end
-      end
-
-      # @param [ Typhoeus::Response ] response
-      def output_error(response)
-        return if response.body =~ /login_error/i
-
-        error = if response.timed_out?
-                  'Request timed out.'
-                elsif response.code.zero?
-                  "No response from remote server. WAF/IPS? (#{response.return_message})"
-                elsif response.code.to_s =~ /^50/
-                  'Server error, try reducing the number of threads.'
-                else
-                  "Unknown response received Code: #{response.code}\n Body: #{response.body}"
-                end
-
-        output('error', msg: error)
-      end
-    end
-  end
-end