wpscan 3.3.2 → 3.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/enumeration/cli_options.rb +13 -13
- data/app/finders/interesting_findings/backup_db.rb +1 -1
- data/app/finders/interesting_findings/debug_log.rb +1 -1
- data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
- data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +1 -1
- data/app/finders/interesting_findings/full_path_disclosure.rb +1 -1
- data/app/finders/interesting_findings/mu_plugins.rb +2 -2
- data/app/finders/interesting_findings/multisite.rb +1 -1
- data/app/finders/interesting_findings/readme.rb +1 -1
- data/app/finders/interesting_findings/registration.rb +1 -1
- data/app/finders/interesting_findings/tmm_db_migrate.rb +1 -1
- data/app/finders/interesting_findings/upload_directory_listing.rb +1 -1
- data/app/finders/interesting_findings/upload_sql_dump.rb +2 -2
- data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -3
- data/app/finders/users.rb +2 -0
- data/app/finders/users/yoast_seo_author_sitemap.rb +34 -0
- data/app/models/interesting_finding.rb +39 -0
- data/lib/wpscan/db/updater.rb +3 -4
- data/lib/wpscan/target/platform/wordpress.rb +2 -2
- data/lib/wpscan/version.rb +1 -1
- metadata +7 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ffec7e5575986f44b69b35726856004fa2940ecf
|
|
4
|
+
data.tar.gz: 98693ec1db3bbf8f8198b99ee6aeece4312ce782
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5952cf3e2d834995600a67cb5b57a1a5404b61a81ea7ec70efb40bc3d4047075d5b148c71efcf9a57efe3cce6b1323cc4ac7a619c1541f0ba01c836c7c293134
|
|
7
|
+
data.tar.gz: b6e7ab1f1e0d158bcabf23599bc4c65399a275a7b063b91e9c1826d88b2032af47ebaf34bc7a0d8ceefa9b41160c762b49c7a821c4366a301af8fc8e8503abcb
|
|
@@ -15,20 +15,20 @@ module WPScan
|
|
|
15
15
|
OptMultiChoices.new(
|
|
16
16
|
['-e', '--enumerate [OPTS]', 'Enumeration Process'],
|
|
17
17
|
choices: {
|
|
18
|
-
vp:
|
|
19
|
-
ap:
|
|
20
|
-
p:
|
|
21
|
-
vt:
|
|
22
|
-
at:
|
|
23
|
-
t:
|
|
24
|
-
tt:
|
|
25
|
-
cb:
|
|
18
|
+
vp: OptBoolean.new(['--vulnerable-plugins']),
|
|
19
|
+
ap: OptBoolean.new(['--all-plugins']),
|
|
20
|
+
p: OptBoolean.new(['--plugins']),
|
|
21
|
+
vt: OptBoolean.new(['--vulnerable-themes']),
|
|
22
|
+
at: OptBoolean.new(['--all-themes']),
|
|
23
|
+
t: OptBoolean.new(['--themes']),
|
|
24
|
+
tt: OptBoolean.new(['--timthumbs']),
|
|
25
|
+
cb: OptBoolean.new(['--config-backups']),
|
|
26
26
|
dbe: OptBoolean.new(['--db-exports']),
|
|
27
|
-
u:
|
|
28
|
-
m:
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
27
|
+
u: OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'),
|
|
28
|
+
m: OptIntegerRange.new(['--medias',
|
|
29
|
+
'Media IDs range. e.g m1-15',
|
|
30
|
+
'Note: Permalink setting must be set to "Plain" for those to be detected'],
|
|
31
|
+
value_if_empty: '1-100')
|
|
32
32
|
},
|
|
33
33
|
value_if_empty: 'vp,vt,tt,cb,dbe,u,m',
|
|
34
34
|
incompatible: [%i[vp ap p], %i[vt at t]],
|
|
@@ -12,7 +12,7 @@ module WPScan
|
|
|
12
12
|
|
|
13
13
|
url = target.url('wp-content/mu-plugins/')
|
|
14
14
|
|
|
15
|
-
return WPScan::
|
|
15
|
+
return WPScan::MuPlugins.new(
|
|
16
16
|
url,
|
|
17
17
|
confidence: 70,
|
|
18
18
|
found_by: 'URLs In Homepage (Passive Detection)',
|
|
@@ -35,7 +35,7 @@ module WPScan
|
|
|
35
35
|
|
|
36
36
|
target.mu_plugins = true
|
|
37
37
|
|
|
38
|
-
WPScan::
|
|
38
|
+
WPScan::MuPlugins.new(
|
|
39
39
|
url,
|
|
40
40
|
confidence: 80,
|
|
41
41
|
found_by: DIRECT_ACCESS,
|
|
@@ -10,7 +10,7 @@ module WPScan
|
|
|
10
10
|
res = Browser.get(url)
|
|
11
11
|
|
|
12
12
|
if res.code == 200 && res.body =~ /wordpress/i
|
|
13
|
-
return WPScan::
|
|
13
|
+
return WPScan::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
16
|
nil
|
|
@@ -3,7 +3,7 @@ module WPScan
|
|
|
3
3
|
module InterestingFindings
|
|
4
4
|
# UploadSQLDump finder
|
|
5
5
|
class UploadSQLDump < CMSScanner::Finders::Finder
|
|
6
|
-
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)
|
|
6
|
+
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
|
|
7
7
|
|
|
8
8
|
# @return [ InterestingFinding ]
|
|
9
9
|
def aggressive(_opts = {})
|
|
@@ -12,7 +12,7 @@ module WPScan
|
|
|
12
12
|
|
|
13
13
|
return unless res.code == 200 && res.body =~ SQL_PATTERN
|
|
14
14
|
|
|
15
|
-
WPScan::
|
|
15
|
+
WPScan::UploadSQLDump.new(
|
|
16
16
|
url,
|
|
17
17
|
confidence: 100,
|
|
18
18
|
found_by: DIRECT_ACCESS
|
|
@@ -3,9 +3,9 @@ module WPScan
|
|
|
3
3
|
module MainTheme
|
|
4
4
|
# From the WooFramework meta generators
|
|
5
5
|
class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
|
|
6
|
-
THEME_PATTERN = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}
|
|
7
|
-
FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}
|
|
8
|
-
PATTERN = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i
|
|
6
|
+
THEME_PATTERN = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}.freeze
|
|
7
|
+
FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}.freeze
|
|
8
|
+
PATTERN = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
|
|
9
9
|
|
|
10
10
|
def passive(opts = {})
|
|
11
11
|
return unless target.homepage_res.body =~ PATTERN
|
data/app/finders/users.rb
CHANGED
|
@@ -4,6 +4,7 @@ require_relative 'users/oembed_api'
|
|
|
4
4
|
require_relative 'users/rss_generator'
|
|
5
5
|
require_relative 'users/author_id_brute_forcing'
|
|
6
6
|
require_relative 'users/login_error_messages'
|
|
7
|
+
require_relative 'users/yoast_seo_author_sitemap.rb'
|
|
7
8
|
|
|
8
9
|
module WPScan
|
|
9
10
|
module Finders
|
|
@@ -19,6 +20,7 @@ module WPScan
|
|
|
19
20
|
Users::WpJsonApi.new(target) <<
|
|
20
21
|
Users::OembedApi.new(target) <<
|
|
21
22
|
Users::RSSGenerator.new(target) <<
|
|
23
|
+
Users::YoastSeoAuthorSitemap.new(target) <<
|
|
22
24
|
Users::AuthorIdBruteForcing.new(target) <<
|
|
23
25
|
Users::LoginErrorMessages.new(target)
|
|
24
26
|
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
module WPScan
|
|
2
|
+
module Finders
|
|
3
|
+
module Users
|
|
4
|
+
# The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
|
|
5
|
+
# See https://github.com/wpscanteam/wpscan/issues/1228
|
|
6
|
+
class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
|
|
7
|
+
# @param [ Hash ] opts
|
|
8
|
+
#
|
|
9
|
+
# @return [ Array<User> ]
|
|
10
|
+
def aggressive(_opts = {})
|
|
11
|
+
found = []
|
|
12
|
+
|
|
13
|
+
Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
|
|
14
|
+
username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
|
|
15
|
+
|
|
16
|
+
next unless username && !username.strip.empty?
|
|
17
|
+
|
|
18
|
+
found << CMSScanner::User.new(username,
|
|
19
|
+
found_by: found_by,
|
|
20
|
+
confidence: 100,
|
|
21
|
+
interesting_entries: [sitemap_url])
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
found
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
# @return [ String ] The URL of the author-sitemap
|
|
28
|
+
def sitemap_url
|
|
29
|
+
@sitemap_url ||= target.url('author-sitemap.xml')
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -3,4 +3,43 @@ module WPScan
|
|
|
3
3
|
class InterestingFinding < CMSScanner::InterestingFinding
|
|
4
4
|
include References
|
|
5
5
|
end
|
|
6
|
+
|
|
7
|
+
#
|
|
8
|
+
# Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
|
|
9
|
+
#
|
|
10
|
+
class BackupDB < InterestingFinding
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
class DebugLog < InterestingFinding
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
class DuplicatorInstallerLog < InterestingFinding
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
class EmergencyPwdResetScript < InterestingFinding
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
class FullPathDisclosure < InterestingFinding
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
class MuPlugins < InterestingFinding
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
class Multisite < InterestingFinding
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
class Readme < InterestingFinding
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
class Registration < InterestingFinding
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
class TmmDbMigrate < InterestingFinding
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
class UploadDirectoryListing < InterestingFinding
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
class UploadSQLDump < InterestingFinding
|
|
44
|
+
end
|
|
6
45
|
end
|
data/lib/wpscan/db/updater.rb
CHANGED
|
@@ -60,12 +60,11 @@ module WPScan
|
|
|
60
60
|
end
|
|
61
61
|
|
|
62
62
|
# @return [ Hash ] The params for Typhoeus::Request
|
|
63
|
+
# @note Those params can't be overriden by CLI options
|
|
63
64
|
def request_params
|
|
64
65
|
{
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
timeout: 300,
|
|
68
|
-
connecttimeout: 120,
|
|
66
|
+
timeout: 600,
|
|
67
|
+
connecttimeout: 300,
|
|
69
68
|
accept_encoding: 'gzip, deflate',
|
|
70
69
|
cache_ttl: 0
|
|
71
70
|
}
|
|
@@ -9,7 +9,7 @@ module WPScan
|
|
|
9
9
|
module WordPress
|
|
10
10
|
include CMSScanner::Target::Platform::PHP
|
|
11
11
|
|
|
12
|
-
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i
|
|
12
|
+
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i.freeze
|
|
13
13
|
|
|
14
14
|
# These methods are used in the associated interesting_findings finders
|
|
15
15
|
# to keep the boolean state of the finding rather than re-check the whole thing again
|
|
@@ -41,7 +41,7 @@ module WPScan
|
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
def wordpress_hosted?
|
|
44
|
-
uri.host =~
|
|
44
|
+
uri.host =~ /\.wordpress\.com$/i ? true : false
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
# @param [ String ] username
|
data/lib/wpscan/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wpscan
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- WPScanTeam
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-11-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: cms_scanner
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.0.40.
|
|
19
|
+
version: 0.0.40.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.0.40.
|
|
26
|
+
version: 0.0.40.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activesupport
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -128,14 +128,14 @@ dependencies:
|
|
|
128
128
|
requirements:
|
|
129
129
|
- - "~>"
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 0.
|
|
131
|
+
version: 0.60.0
|
|
132
132
|
type: :development
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - "~>"
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 0.
|
|
138
|
+
version: 0.60.0
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: simplecov
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -242,6 +242,7 @@ files:
|
|
|
242
242
|
- app/finders/users/oembed_api.rb
|
|
243
243
|
- app/finders/users/rss_generator.rb
|
|
244
244
|
- app/finders/users/wp_json_api.rb
|
|
245
|
+
- app/finders/users/yoast_seo_author_sitemap.rb
|
|
245
246
|
- app/finders/wp_items.rb
|
|
246
247
|
- app/finders/wp_items/urls_in_homepage.rb
|
|
247
248
|
- app/finders/wp_version.rb
|