RubyGems - wpscan - Versions diffs - 3.4.5 → 3.5.0 - Mend

wpscan 3.4.5 → 3.5.0

Files changed (140) hide show

checksums.yaml +5 -5
data/README.md +21 -14
data/app/app.rb +2 -0
data/app/controllers.rb +2 -0
data/app/controllers/aliases.rb +2 -0
data/app/controllers/core.rb +6 -4
data/app/controllers/custom_directories.rb +3 -1
data/app/controllers/enumeration.rb +6 -0
data/app/controllers/enumeration/cli_options.rb +2 -0
data/app/controllers/enumeration/enum_methods.rb +2 -0
data/app/controllers/main_theme.rb +2 -0
data/app/controllers/password_attack.rb +6 -4
data/app/controllers/wp_version.rb +2 -0
data/app/finders.rb +2 -0
data/app/finders/config_backups.rb +2 -0
data/app/finders/config_backups/known_filenames.rb +4 -3
data/app/finders/db_exports.rb +2 -0
data/app/finders/db_exports/known_locations.rb +15 -3
data/app/finders/interesting_findings.rb +2 -0
data/app/finders/interesting_findings/backup_db.rb +5 -4
data/app/finders/interesting_findings/debug_log.rb +3 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +6 -5
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +6 -4
data/app/finders/interesting_findings/full_path_disclosure.rb +3 -1
data/app/finders/interesting_findings/mu_plugins.rb +4 -2
data/app/finders/interesting_findings/multisite.rb +3 -1
data/app/finders/interesting_findings/readme.rb +8 -6
data/app/finders/interesting_findings/registration.rb +3 -1
data/app/finders/interesting_findings/tmm_db_migrate.rb +4 -2
data/app/finders/interesting_findings/upload_directory_listing.rb +3 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +8 -10
data/app/finders/interesting_findings/wp_cron.rb +3 -1
data/app/finders/main_theme.rb +2 -0
data/app/finders/main_theme/css_style.rb +3 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -1
data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -1
data/app/finders/medias.rb +2 -0
data/app/finders/medias/attachment_brute_forcing.rb +3 -1
data/app/finders/passwords.rb +2 -0
data/app/finders/passwords/wp_login.rb +4 -1
data/app/finders/passwords/xml_rpc.rb +2 -0
data/app/finders/passwords/xml_rpc_multicall.rb +4 -2
data/app/finders/plugin_version.rb +4 -2
data/app/finders/plugin_version/readme.rb +9 -5
data/app/finders/plugins.rb +2 -0
data/app/finders/plugins/body_pattern.rb +3 -1
data/app/finders/plugins/comment.rb +3 -1
data/app/finders/plugins/config_parser.rb +3 -1
data/app/finders/plugins/header_pattern.rb +3 -1
data/app/finders/plugins/javascript_var.rb +3 -1
data/app/finders/plugins/known_locations.rb +10 -8
data/app/finders/plugins/query_parameter.rb +2 -0
data/app/finders/plugins/urls_in_homepage.rb +3 -1
data/app/finders/plugins/xpath.rb +3 -1
data/app/finders/theme_version.rb +4 -2
data/app/finders/theme_version/style.rb +3 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +3 -1
data/app/finders/themes.rb +2 -0
data/app/finders/themes/known_locations.rb +12 -10
data/app/finders/themes/urls_in_homepage.rb +3 -1
data/app/finders/timthumb_version.rb +3 -1
data/app/finders/timthumb_version/bad_request.rb +3 -1
data/app/finders/timthumbs.rb +2 -0
data/app/finders/timthumbs/known_locations.rb +12 -3
data/app/finders/users.rb +2 -0
data/app/finders/users/author_id_brute_forcing.rb +3 -1
data/app/finders/users/author_posts.rb +3 -1
data/app/finders/users/login_error_messages.rb +3 -1
data/app/finders/users/oembed_api.rb +6 -4
data/app/finders/users/rss_generator.rb +7 -5
data/app/finders/users/wp_json_api.rb +16 -6
data/app/finders/users/yoast_seo_author_sitemap.rb +6 -4
data/app/finders/wp_items.rb +2 -0
data/app/finders/wp_items/urls_in_homepage.rb +2 -0
data/app/finders/wp_version.rb +2 -0
data/app/finders/wp_version/atom_generator.rb +2 -0
data/app/finders/wp_version/rdf_generator.rb +2 -0
data/app/finders/wp_version/readme.rb +4 -2
data/app/finders/wp_version/rss_generator.rb +2 -0
data/app/finders/wp_version/unique_fingerprinting.rb +3 -1
data/app/models.rb +8 -0
data/app/models/config_backup.rb +6 -2
data/app/models/db_export.rb +6 -2
data/app/models/interesting_finding.rb +36 -32
data/app/models/media.rb +6 -2
data/app/models/plugin.rb +25 -17
data/app/models/theme.rb +83 -75
data/app/models/timthumb.rb +58 -54
data/app/models/wp_item.rb +140 -128
data/app/models/wp_version.rb +47 -44
data/app/models/xml_rpc.rb +18 -14
data/app/views/cli/wp_item.erb +0 -3
data/app/views/json/wp_item.erb +0 -1
data/bin/wpscan +1 -0
data/lib/wpscan.rb +2 -0
data/lib/wpscan/browser.rb +2 -0
data/lib/wpscan/controller.rb +2 -0
data/lib/wpscan/controllers.rb +2 -0
data/lib/wpscan/db.rb +2 -0
data/lib/wpscan/db/dynamic_finders/base.rb +2 -0
data/lib/wpscan/db/dynamic_finders/plugin.rb +4 -5
data/lib/wpscan/db/dynamic_finders/theme.rb +2 -0
data/lib/wpscan/db/dynamic_finders/wordpress.rb +2 -0
data/lib/wpscan/db/fingerprints.rb +2 -0
data/lib/wpscan/db/plugin.rb +2 -0
data/lib/wpscan/db/plugins.rb +2 -0
data/lib/wpscan/db/theme.rb +2 -0
data/lib/wpscan/db/themes.rb +2 -0
data/lib/wpscan/db/updater.rb +4 -2
data/lib/wpscan/db/wp_item.rb +2 -0
data/lib/wpscan/db/wp_items.rb +2 -0
data/lib/wpscan/db/wp_version.rb +2 -0
data/lib/wpscan/errors.rb +7 -1
data/lib/wpscan/errors/http.rb +27 -23
data/lib/wpscan/errors/update.rb +8 -4
data/lib/wpscan/errors/wordpress.rb +24 -14
data/lib/wpscan/errors/xmlrpc.rb +8 -4
data/lib/wpscan/finders.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +4 -2
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +4 -2
data/lib/wpscan/helper.rb +2 -0
data/lib/wpscan/references.rb +2 -0
data/lib/wpscan/target.rb +12 -1
data/lib/wpscan/target/platform/wordpress.rb +15 -1
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +23 -3
data/lib/wpscan/version.rb +3 -1
data/lib/wpscan/vulnerability.rb +2 -0
data/lib/wpscan/vulnerable.rb +2 -0
metadata +35 -8

data/app/finders/plugins/query_parameter.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Plugins

data/app/finders/plugins/urls_in_homepage.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Plugins
@@ -14,7 +16,7 @@ module WPScan
           found = []
           (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
-            found << Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
           found

data/app/finders/plugins/xpath.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Plugins
@@ -16,7 +18,7 @@ module WPScan
           response.html.xpath(config['xpath']).each do |node|
             next if config['pattern'] && !node.text.match(config['pattern'])
-            return Plugin.new(
+            return Model::Plugin.new(
               slug,
               target,
               opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)

data/app/finders/theme_version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'theme_version/style'
 require_relative 'theme_version/woo_framework_meta_generator'
@@ -8,7 +10,7 @@ module WPScan
       class Base
         include CMSScanner::Finders::UniqueFinder
-        # @param [ WPScan::Theme ] theme
+        # @param [ Model::Theme ] theme
         def initialize(theme)
           finders <<
             ThemeVersion::Style.new(theme) <<
@@ -19,7 +21,7 @@ module WPScan
         # Load the finders associated with the theme
         #
-        # @param [ WPScan::Theme ] theme
+        # @param [ Model::Theme ] theme
         def load_specific_finders(theme)
           module_name = theme.classify

data/app/finders/theme_version/style.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module ThemeVersion
@@ -30,7 +32,7 @@ module WPScan
         def style_version
           return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
-          WPScan::Version.new(
+          Model::Version.new(
             Regexp.last_match[1],
             found_by: found_by,
             confidence: 80,

data/app/finders/theme_version/woo_framework_meta_generator.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module ThemeVersion
@@ -11,7 +13,7 @@ module WPScan
           return unless Regexp.last_match[1] == target.slug
-          WPScan::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
+          Model::Version.new(Regexp.last_match[2], found_by: found_by, confidence: 80)
         end
       end
     end

data/app/finders/themes.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'themes/urls_in_homepage'
 require_relative 'themes/known_locations'

data/app/finders/themes/known_locations.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Themes
@@ -5,6 +7,11 @@ module WPScan
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
+        end
         # @param [ Hash ] opts
         # @option opts [ String ] :list
         #
@@ -12,12 +19,8 @@ module WPScan
         def aggressive(opts = {})
           found = []
-          enumerate(target_urls(opts), opts) do |res, slug|
-            # TODO: follow the location (from enumerate()) and remove the 301 here ?
-            # As a result, it might remove false positive due to redirection to the homepage
-            next unless [200, 401, 403, 301].include?(res.code)
-            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
           found
@@ -28,12 +31,11 @@ module WPScan
         #
         # @return [ Hash ]
         def target_urls(opts = {})
-          slugs       = opts[:list] || DB::Themes.vulnerable_slugs
-          urls        = {}
-          themes_url  = target.url('wp-content/themes/')
+          slugs = opts[:list] || DB::Themes.vulnerable_slugs
+          urls  = {}
           slugs.each do |slug|
-            urls["#{themes_url}#{URI.encode(slug)}/"] = slug
+            urls[target.theme_url(slug)] = slug
           end
           urls

data/app/finders/themes/urls_in_homepage.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Themes
@@ -12,7 +14,7 @@ module WPScan
           found = []
           (items_from_links('themes') + items_from_codes('themes')).uniq.sort.each do |slug|
-            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
           found

data/app/finders/timthumb_version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'timthumb_version/bad_request'
 module WPScan
@@ -7,7 +9,7 @@ module WPScan
       class Base
         include CMSScanner::Finders::UniqueFinder
-        # @param [ WPScan::Timthumb ] target
+        # @param [ Model::Timthumb ] target
         def initialize(target)
           finders << TimthumbVersion::BadRequest.new(target)
         end

data/app/finders/timthumb_version/bad_request.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module TimthumbVersion
@@ -8,7 +10,7 @@ module WPScan
         def aggressive(_opts = {})
           return unless Browser.get(target.url).body =~ /(TimThumb version\s*: ([^<]+))/
-          WPScan::Version.new(
+          Model::Version.new(
             Regexp.last_match[2],
             found_by: 'Bad Request (Aggressive Detection)',
             confidence: 90,

data/app/finders/timthumbs.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'timthumbs/known_locations'
 module WPScan

data/app/finders/timthumbs/known_locations.rb CHANGED Viewed

@@ -1,10 +1,19 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Timthumbs
       # Known Locations Timthumbs Finder
+      # Note: A vulnerable version, 2.8.13 can be found here:
+      # https://github.com/GabrielGil/TimThumb/blob/980c3d6a823477761570475e8b83d3e9fcd2d7ae/timthumb.php
       class KnownLocations < CMSScanner::Finders::Finder
         include CMSScanner::Finders::Finder::Enumerator
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [400]
+        end
         # @param [ Hash ] opts
         # @option opts [ String ] :list Mandatory
         #
@@ -12,10 +21,10 @@ module WPScan
         def aggressive(opts = {})
           found = []
-          enumerate(target_urls(opts), opts) do |res|
-            next unless res.code == 400 && res.body =~ /no image specified/i
+          enumerate(target_urls(opts), opts.merge(check_full_response: 400)) do |res|
+            next unless res.body =~ /no image specified/i
-            found << WPScan::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
+            found << Model::Timthumb.new(res.request.url, opts.merge(found_by: found_by, confidence: 100))
           end
           found

data/app/finders/users.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'users/author_posts'
 require_relative 'users/wp_json_api'
 require_relative 'users/oembed_api'

data/app/finders/users/author_id_brute_forcing.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -18,7 +20,7 @@ module WPScan
             next unless username
-            found << CMSScanner::User.new(
+            found << Model::User.new(
               username,
               id: id,
               found_by: format(found_by_msg, found_by),

data/app/finders/users/author_posts.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -10,7 +12,7 @@ module WPScan
           found_by_msg = 'Author Posts - %s (Passive Detection)'
           usernames(opts).reduce([]) do |a, e|
-            a << CMSScanner::User.new(
+            a << Model::User.new(
               e[0],
               found_by: format(found_by_msg, e[1]),
               confidence: e[2]

data/app/finders/users/login_error_messages.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -24,7 +26,7 @@ module WPScan
             next unless error =~ /The password you entered for the username|Incorrect Password/i
-            found << CMSScanner::User.new(username, found_by: found_by, confidence: 100)
+            found << Model::User.new(username, found_by: found_by, confidence: 100)
           end
           found

data/app/finders/users/oembed_api.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -21,10 +23,10 @@ module WPScan
           return [] unless details
-          [CMSScanner::User.new(details[0],
-                                found_by: format(found_by_msg, details[1]),
-                                confidence: details[2],
-                                interesting_entries: [api_url])]
+          [Model::User.new(details[0],
+                           found_by: format(found_by_msg, details[1]),
+                           confidence: details[2],
+                           interesting_entries: [api_url])]
         rescue JSON::ParserError
           []
         end

data/app/finders/users/rss_generator.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -17,20 +19,20 @@ module WPScan
             begin
               res.xml.xpath('//item/dc:creator').each do |node|
-                potential_username = node.text.to_s
+                username = node.text.to_s
                 # Ignoring potential username longer than 60 characters and containing accents
                 # as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
-                next if potential_username.length > 60 || potential_username =~ /[^\x00-\x7F]/
+                next if username.strip.empty? || username.length > 60 || username =~ /[^\x00-\x7F]/
-                potential_usernames << potential_username
+                potential_usernames << username
               end
             rescue Nokogiri::XML::XPath::SyntaxError
               next
             end
-            potential_usernames.uniq.each do |potential_username|
-              found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50)
+            potential_usernames.uniq.each do |username|
+              found << Model::User.new(username, found_by: found_by, confidence: 50)
             end
             break

data/app/finders/users/wp_json_api.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -41,11 +43,11 @@ module WPScan
           found = []
           JSON.parse(response.body)&.each do |user|
-            found << CMSScanner::User.new(user['slug'],
-                                          id: user['id'],
-                                          found_by: found_by,
-                                          confidence: 100,
-                                          interesting_entries: [response.effective_url])
+            found << Model::User.new(user['slug'],
+                                     id: user['id'],
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [response.effective_url])
           end
           found
@@ -53,7 +55,15 @@ module WPScan
         # @return [ String ] The URL of the API listing the Users
         def api_url
-          @api_url ||= target.url('wp-json/wp/v2/users/')
+          return @api_url if @api_url
+          target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
+            uri = Addressable::URI.parse(url.strip)
+            return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
+          end
+          @api_url = target.url('wp-json/wp/v2/users/')
         end
       end
     end

data/app/finders/users/yoast_seo_author_sitemap.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module Users
@@ -15,10 +17,10 @@ module WPScan
             next unless username && !username.strip.empty?
-            found << CMSScanner::User.new(username,
-                                          found_by: found_by,
-                                          confidence: 100,
-                                          interesting_entries: [sitemap_url])
+            found << Model::User.new(username,
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [sitemap_url])
           end
           found

data/app/finders/wp_items.rb CHANGED Viewed

@@ -1 +1,3 @@
+# frozen_string_literal: true
 require_relative 'wp_items/urls_in_homepage'

data/app/finders/wp_items/urls_in_homepage.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module WpItems

data/app/finders/wp_version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'wp_version/rss_generator'
 require_relative 'wp_version/atom_generator'
 require_relative 'wp_version/rdf_generator'

data/app/finders/wp_version/atom_generator.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module WpVersion

data/app/finders/wp_version/rdf_generator.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module WpVersion

data/app/finders/wp_version/readme.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module WpVersion
@@ -13,9 +15,9 @@ module WPScan
           number = Regexp.last_match(1)
-          return unless WPScan::WpVersion.valid?(number)
+          return unless Model::WpVersion.valid?(number)
-          WPScan::WpVersion.new(
+          Model::WpVersion.new(
             number,
             found_by: 'Readme (Aggressive Detection)',
             # Since WP 4.7, the Readme only contains the major version (ie 4.7, 4.8 etc)