wpscan 3.3.2 → 3.3.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/enumeration/cli_options.rb +13 -13
- data/app/finders/interesting_findings/backup_db.rb +1 -1
- data/app/finders/interesting_findings/debug_log.rb +1 -1
- data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
- data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +1 -1
- data/app/finders/interesting_findings/full_path_disclosure.rb +1 -1
- data/app/finders/interesting_findings/mu_plugins.rb +2 -2
- data/app/finders/interesting_findings/multisite.rb +1 -1
- data/app/finders/interesting_findings/readme.rb +1 -1
- data/app/finders/interesting_findings/registration.rb +1 -1
- data/app/finders/interesting_findings/tmm_db_migrate.rb +1 -1
- data/app/finders/interesting_findings/upload_directory_listing.rb +1 -1
- data/app/finders/interesting_findings/upload_sql_dump.rb +2 -2
- data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -3
- data/app/finders/users.rb +2 -0
- data/app/finders/users/yoast_seo_author_sitemap.rb +34 -0
- data/app/models/interesting_finding.rb +39 -0
- data/lib/wpscan/db/updater.rb +3 -4
- data/lib/wpscan/target/platform/wordpress.rb +2 -2
- data/lib/wpscan/version.rb +1 -1
- metadata +7 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ffec7e5575986f44b69b35726856004fa2940ecf
|
|
4
|
+
data.tar.gz: 98693ec1db3bbf8f8198b99ee6aeece4312ce782
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5952cf3e2d834995600a67cb5b57a1a5404b61a81ea7ec70efb40bc3d4047075d5b148c71efcf9a57efe3cce6b1323cc4ac7a619c1541f0ba01c836c7c293134
|
|
7
|
+
data.tar.gz: b6e7ab1f1e0d158bcabf23599bc4c65399a275a7b063b91e9c1826d88b2032af47ebaf34bc7a0d8ceefa9b41160c762b49c7a821c4366a301af8fc8e8503abcb
|
|
@@ -15,20 +15,20 @@ module WPScan
|
|
|
15
15
|
OptMultiChoices.new(
|
|
16
16
|
['-e', '--enumerate [OPTS]', 'Enumeration Process'],
|
|
17
17
|
choices: {
|
|
18
|
-
vp:
|
|
19
|
-
ap:
|
|
20
|
-
p:
|
|
21
|
-
vt:
|
|
22
|
-
at:
|
|
23
|
-
t:
|
|
24
|
-
tt:
|
|
25
|
-
cb:
|
|
18
|
+
vp: OptBoolean.new(['--vulnerable-plugins']),
|
|
19
|
+
ap: OptBoolean.new(['--all-plugins']),
|
|
20
|
+
p: OptBoolean.new(['--plugins']),
|
|
21
|
+
vt: OptBoolean.new(['--vulnerable-themes']),
|
|
22
|
+
at: OptBoolean.new(['--all-themes']),
|
|
23
|
+
t: OptBoolean.new(['--themes']),
|
|
24
|
+
tt: OptBoolean.new(['--timthumbs']),
|
|
25
|
+
cb: OptBoolean.new(['--config-backups']),
|
|
26
26
|
dbe: OptBoolean.new(['--db-exports']),
|
|
27
|
-
u:
|
|
28
|
-
m:
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
27
|
+
u: OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'),
|
|
28
|
+
m: OptIntegerRange.new(['--medias',
|
|
29
|
+
'Media IDs range. e.g m1-15',
|
|
30
|
+
'Note: Permalink setting must be set to "Plain" for those to be detected'],
|
|
31
|
+
value_if_empty: '1-100')
|
|
32
32
|
},
|
|
33
33
|
value_if_empty: 'vp,vt,tt,cb,dbe,u,m',
|
|
34
34
|
incompatible: [%i[vp ap p], %i[vt at t]],
|
|
@@ -12,7 +12,7 @@ module WPScan
|
|
|
12
12
|
|
|
13
13
|
url = target.url('wp-content/mu-plugins/')
|
|
14
14
|
|
|
15
|
-
return WPScan::
|
|
15
|
+
return WPScan::MuPlugins.new(
|
|
16
16
|
url,
|
|
17
17
|
confidence: 70,
|
|
18
18
|
found_by: 'URLs In Homepage (Passive Detection)',
|
|
@@ -35,7 +35,7 @@ module WPScan
|
|
|
35
35
|
|
|
36
36
|
target.mu_plugins = true
|
|
37
37
|
|
|
38
|
-
WPScan::
|
|
38
|
+
WPScan::MuPlugins.new(
|
|
39
39
|
url,
|
|
40
40
|
confidence: 80,
|
|
41
41
|
found_by: DIRECT_ACCESS,
|
|
@@ -10,7 +10,7 @@ module WPScan
|
|
|
10
10
|
res = Browser.get(url)
|
|
11
11
|
|
|
12
12
|
if res.code == 200 && res.body =~ /wordpress/i
|
|
13
|
-
return WPScan::
|
|
13
|
+
return WPScan::Readme.new(url, confidence: 100, found_by: DIRECT_ACCESS)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
16
|
nil
|
|
@@ -3,7 +3,7 @@ module WPScan
|
|
|
3
3
|
module InterestingFindings
|
|
4
4
|
# UploadSQLDump finder
|
|
5
5
|
class UploadSQLDump < CMSScanner::Finders::Finder
|
|
6
|
-
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)
|
|
6
|
+
SQL_PATTERN = /(?:(?:(?:DROP|CREATE) TABLE)|INSERT INTO)/.freeze
|
|
7
7
|
|
|
8
8
|
# @return [ InterestingFinding ]
|
|
9
9
|
def aggressive(_opts = {})
|
|
@@ -12,7 +12,7 @@ module WPScan
|
|
|
12
12
|
|
|
13
13
|
return unless res.code == 200 && res.body =~ SQL_PATTERN
|
|
14
14
|
|
|
15
|
-
WPScan::
|
|
15
|
+
WPScan::UploadSQLDump.new(
|
|
16
16
|
url,
|
|
17
17
|
confidence: 100,
|
|
18
18
|
found_by: DIRECT_ACCESS
|
|
@@ -3,9 +3,9 @@ module WPScan
|
|
|
3
3
|
module MainTheme
|
|
4
4
|
# From the WooFramework meta generators
|
|
5
5
|
class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
|
|
6
|
-
THEME_PATTERN = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}
|
|
7
|
-
FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}
|
|
8
|
-
PATTERN = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i
|
|
6
|
+
THEME_PATTERN = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}.freeze
|
|
7
|
+
FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}.freeze
|
|
8
|
+
PATTERN = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
|
|
9
9
|
|
|
10
10
|
def passive(opts = {})
|
|
11
11
|
return unless target.homepage_res.body =~ PATTERN
|
data/app/finders/users.rb
CHANGED
|
@@ -4,6 +4,7 @@ require_relative 'users/oembed_api'
|
|
|
4
4
|
require_relative 'users/rss_generator'
|
|
5
5
|
require_relative 'users/author_id_brute_forcing'
|
|
6
6
|
require_relative 'users/login_error_messages'
|
|
7
|
+
require_relative 'users/yoast_seo_author_sitemap.rb'
|
|
7
8
|
|
|
8
9
|
module WPScan
|
|
9
10
|
module Finders
|
|
@@ -19,6 +20,7 @@ module WPScan
|
|
|
19
20
|
Users::WpJsonApi.new(target) <<
|
|
20
21
|
Users::OembedApi.new(target) <<
|
|
21
22
|
Users::RSSGenerator.new(target) <<
|
|
23
|
+
Users::YoastSeoAuthorSitemap.new(target) <<
|
|
22
24
|
Users::AuthorIdBruteForcing.new(target) <<
|
|
23
25
|
Users::LoginErrorMessages.new(target)
|
|
24
26
|
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
module WPScan
|
|
2
|
+
module Finders
|
|
3
|
+
module Users
|
|
4
|
+
# The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
|
|
5
|
+
# See https://github.com/wpscanteam/wpscan/issues/1228
|
|
6
|
+
class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
|
|
7
|
+
# @param [ Hash ] opts
|
|
8
|
+
#
|
|
9
|
+
# @return [ Array<User> ]
|
|
10
|
+
def aggressive(_opts = {})
|
|
11
|
+
found = []
|
|
12
|
+
|
|
13
|
+
Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
|
|
14
|
+
username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
|
|
15
|
+
|
|
16
|
+
next unless username && !username.strip.empty?
|
|
17
|
+
|
|
18
|
+
found << CMSScanner::User.new(username,
|
|
19
|
+
found_by: found_by,
|
|
20
|
+
confidence: 100,
|
|
21
|
+
interesting_entries: [sitemap_url])
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
found
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
# @return [ String ] The URL of the author-sitemap
|
|
28
|
+
def sitemap_url
|
|
29
|
+
@sitemap_url ||= target.url('author-sitemap.xml')
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -3,4 +3,43 @@ module WPScan
|
|
|
3
3
|
class InterestingFinding < CMSScanner::InterestingFinding
|
|
4
4
|
include References
|
|
5
5
|
end
|
|
6
|
+
|
|
7
|
+
#
|
|
8
|
+
# Empty classes for the #type to be correctly displayed (as taken from the self.class from the parent)
|
|
9
|
+
#
|
|
10
|
+
class BackupDB < InterestingFinding
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
class DebugLog < InterestingFinding
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
class DuplicatorInstallerLog < InterestingFinding
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
class EmergencyPwdResetScript < InterestingFinding
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
class FullPathDisclosure < InterestingFinding
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
class MuPlugins < InterestingFinding
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
class Multisite < InterestingFinding
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
class Readme < InterestingFinding
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
class Registration < InterestingFinding
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
class TmmDbMigrate < InterestingFinding
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
class UploadDirectoryListing < InterestingFinding
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
class UploadSQLDump < InterestingFinding
|
|
44
|
+
end
|
|
6
45
|
end
|
data/lib/wpscan/db/updater.rb
CHANGED
|
@@ -60,12 +60,11 @@ module WPScan
|
|
|
60
60
|
end
|
|
61
61
|
|
|
62
62
|
# @return [ Hash ] The params for Typhoeus::Request
|
|
63
|
+
# @note Those params can't be overriden by CLI options
|
|
63
64
|
def request_params
|
|
64
65
|
{
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
timeout: 300,
|
|
68
|
-
connecttimeout: 120,
|
|
66
|
+
timeout: 600,
|
|
67
|
+
connecttimeout: 300,
|
|
69
68
|
accept_encoding: 'gzip, deflate',
|
|
70
69
|
cache_ttl: 0
|
|
71
70
|
}
|
|
@@ -9,7 +9,7 @@ module WPScan
|
|
|
9
9
|
module WordPress
|
|
10
10
|
include CMSScanner::Target::Platform::PHP
|
|
11
11
|
|
|
12
|
-
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i
|
|
12
|
+
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i.freeze
|
|
13
13
|
|
|
14
14
|
# These methods are used in the associated interesting_findings finders
|
|
15
15
|
# to keep the boolean state of the finding rather than re-check the whole thing again
|
|
@@ -41,7 +41,7 @@ module WPScan
|
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
def wordpress_hosted?
|
|
44
|
-
uri.host =~
|
|
44
|
+
uri.host =~ /\.wordpress\.com$/i ? true : false
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
# @param [ String ] username
|
data/lib/wpscan/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wpscan
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- WPScanTeam
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-11-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: cms_scanner
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.0.40.
|
|
19
|
+
version: 0.0.40.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.0.40.
|
|
26
|
+
version: 0.0.40.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: activesupport
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -128,14 +128,14 @@ dependencies:
|
|
|
128
128
|
requirements:
|
|
129
129
|
- - "~>"
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 0.
|
|
131
|
+
version: 0.60.0
|
|
132
132
|
type: :development
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - "~>"
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 0.
|
|
138
|
+
version: 0.60.0
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: simplecov
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -242,6 +242,7 @@ files:
|
|
|
242
242
|
- app/finders/users/oembed_api.rb
|
|
243
243
|
- app/finders/users/rss_generator.rb
|
|
244
244
|
- app/finders/users/wp_json_api.rb
|
|
245
|
+
- app/finders/users/yoast_seo_author_sitemap.rb
|
|
245
246
|
- app/finders/wp_items.rb
|
|
246
247
|
- app/finders/wp_items/urls_in_homepage.rb
|
|
247
248
|
- app/finders/wp_version.rb
|