RubyGems - wpscan - Versions diffs - 3.4.5 → 3.5.0 - Mend

wpscan 3.4.5 → 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (140) hide show

checksums.yaml +5 -5
data/README.md +21 -14
data/app/app.rb +2 -0
data/app/controllers.rb +2 -0
data/app/controllers/aliases.rb +2 -0
data/app/controllers/core.rb +6 -4
data/app/controllers/custom_directories.rb +3 -1
data/app/controllers/enumeration.rb +6 -0
data/app/controllers/enumeration/cli_options.rb +2 -0
data/app/controllers/enumeration/enum_methods.rb +2 -0
data/app/controllers/main_theme.rb +2 -0
data/app/controllers/password_attack.rb +6 -4
data/app/controllers/wp_version.rb +2 -0
data/app/finders.rb +2 -0
data/app/finders/config_backups.rb +2 -0
data/app/finders/config_backups/known_filenames.rb +4 -3
data/app/finders/db_exports.rb +2 -0
data/app/finders/db_exports/known_locations.rb +15 -3
data/app/finders/interesting_findings.rb +2 -0
data/app/finders/interesting_findings/backup_db.rb +5 -4
data/app/finders/interesting_findings/debug_log.rb +3 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +6 -5
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +6 -4
data/app/finders/interesting_findings/full_path_disclosure.rb +3 -1
data/app/finders/interesting_findings/mu_plugins.rb +4 -2
data/app/finders/interesting_findings/multisite.rb +3 -1
data/app/finders/interesting_findings/readme.rb +8 -6
data/app/finders/interesting_findings/registration.rb +3 -1
data/app/finders/interesting_findings/tmm_db_migrate.rb +4 -2
data/app/finders/interesting_findings/upload_directory_listing.rb +3 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +8 -10
data/app/finders/interesting_findings/wp_cron.rb +3 -1
data/app/finders/main_theme.rb +2 -0
data/app/finders/main_theme/css_style.rb +3 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -1
data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -1
data/app/finders/medias.rb +2 -0
data/app/finders/medias/attachment_brute_forcing.rb +3 -1
data/app/finders/passwords.rb +2 -0
data/app/finders/passwords/wp_login.rb +4 -1
data/app/finders/passwords/xml_rpc.rb +2 -0
data/app/finders/passwords/xml_rpc_multicall.rb +4 -2
data/app/finders/plugin_version.rb +4 -2
data/app/finders/plugin_version/readme.rb +9 -5
data/app/finders/plugins.rb +2 -0
data/app/finders/plugins/body_pattern.rb +3 -1
data/app/finders/plugins/comment.rb +3 -1
data/app/finders/plugins/config_parser.rb +3 -1
data/app/finders/plugins/header_pattern.rb +3 -1
data/app/finders/plugins/javascript_var.rb +3 -1
data/app/finders/plugins/known_locations.rb +10 -8
data/app/finders/plugins/query_parameter.rb +2 -0
data/app/finders/plugins/urls_in_homepage.rb +3 -1
data/app/finders/plugins/xpath.rb +3 -1
data/app/finders/theme_version.rb +4 -2
data/app/finders/theme_version/style.rb +3 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +3 -1
data/app/finders/themes.rb +2 -0
data/app/finders/themes/known_locations.rb +12 -10
data/app/finders/themes/urls_in_homepage.rb +3 -1
data/app/finders/timthumb_version.rb +3 -1
data/app/finders/timthumb_version/bad_request.rb +3 -1
data/app/finders/timthumbs.rb +2 -0
data/app/finders/timthumbs/known_locations.rb +12 -3
data/app/finders/users.rb +2 -0
data/app/finders/users/author_id_brute_forcing.rb +3 -1
data/app/finders/users/author_posts.rb +3 -1
data/app/finders/users/login_error_messages.rb +3 -1
data/app/finders/users/oembed_api.rb +6 -4
data/app/finders/users/rss_generator.rb +7 -5
data/app/finders/users/wp_json_api.rb +16 -6
data/app/finders/users/yoast_seo_author_sitemap.rb +6 -4
data/app/finders/wp_items.rb +2 -0
data/app/finders/wp_items/urls_in_homepage.rb +2 -0
data/app/finders/wp_version.rb +2 -0
data/app/finders/wp_version/atom_generator.rb +2 -0
data/app/finders/wp_version/rdf_generator.rb +2 -0
data/app/finders/wp_version/readme.rb +4 -2
data/app/finders/wp_version/rss_generator.rb +2 -0
data/app/finders/wp_version/unique_fingerprinting.rb +3 -1
data/app/models.rb +8 -0
data/app/models/config_backup.rb +6 -2
data/app/models/db_export.rb +6 -2
data/app/models/interesting_finding.rb +36 -32
data/app/models/media.rb +6 -2
data/app/models/plugin.rb +25 -17
data/app/models/theme.rb +83 -75
data/app/models/timthumb.rb +58 -54
data/app/models/wp_item.rb +140 -128
data/app/models/wp_version.rb +47 -44
data/app/models/xml_rpc.rb +18 -14
data/app/views/cli/wp_item.erb +0 -3
data/app/views/json/wp_item.erb +0 -1
data/bin/wpscan +1 -0
data/lib/wpscan.rb +2 -0
data/lib/wpscan/browser.rb +2 -0
data/lib/wpscan/controller.rb +2 -0
data/lib/wpscan/controllers.rb +2 -0
data/lib/wpscan/db.rb +2 -0
data/lib/wpscan/db/dynamic_finders/base.rb +2 -0
data/lib/wpscan/db/dynamic_finders/plugin.rb +4 -5
data/lib/wpscan/db/dynamic_finders/theme.rb +2 -0
data/lib/wpscan/db/dynamic_finders/wordpress.rb +2 -0
data/lib/wpscan/db/fingerprints.rb +2 -0
data/lib/wpscan/db/plugin.rb +2 -0
data/lib/wpscan/db/plugins.rb +2 -0
data/lib/wpscan/db/theme.rb +2 -0
data/lib/wpscan/db/themes.rb +2 -0
data/lib/wpscan/db/updater.rb +4 -2
data/lib/wpscan/db/wp_item.rb +2 -0
data/lib/wpscan/db/wp_items.rb +2 -0
data/lib/wpscan/db/wp_version.rb +2 -0
data/lib/wpscan/errors.rb +7 -1
data/lib/wpscan/errors/http.rb +27 -23
data/lib/wpscan/errors/update.rb +8 -4
data/lib/wpscan/errors/wordpress.rb +24 -14
data/lib/wpscan/errors/xmlrpc.rb +8 -4
data/lib/wpscan/finders.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +4 -2
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +4 -2
data/lib/wpscan/helper.rb +2 -0
data/lib/wpscan/references.rb +2 -0
data/lib/wpscan/target.rb +12 -1
data/lib/wpscan/target/platform/wordpress.rb +15 -1
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +23 -3
data/lib/wpscan/version.rb +3 -1
data/lib/wpscan/vulnerability.rb +2 -0
data/lib/wpscan/vulnerable.rb +2 -0
metadata +35 -8

data/app/models/wp_item.rb CHANGED Viewed

@@ -1,158 +1,170 @@
+# frozen_string_literal: true
 module WPScan
-  # WpItem (superclass of Plugin & Theme)
-  class WpItem
-    include Vulnerable
-    include Finders::Finding
-    include CMSScanner::Target::Platform::PHP
-    include CMSScanner::Target::Server::Generic
-    READMES    = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
-    CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze
-    attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data
-    delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog
-    # @param [ String ] slug The plugin/theme slug
-    # @param [ Target ] blog The targeted blog
-    # @param [ Hash ] opts
-    # @option opts [ Symbol ] :mode The detection mode to use
-    # @option opts [ Hash ]   :version_detection The options to use when looking for the version
-    # @option opts [ String ] :url The URL of the item
-    def initialize(slug, blog, opts = {})
-      @slug  = URI.decode(slug)
-      @blog  = blog
-      @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
-      @detection_opts         = { mode: opts[:mode] }
-      @version_detection_opts = opts[:version_detection] || {}
-      parse_finding_options(opts)
-    end
+  module Model
+    # WpItem (superclass of Plugin & Theme)
+    class WpItem
+      include Vulnerable
+      include Finders::Finding
+      include CMSScanner::Target::Platform::PHP
+      include CMSScanner::Target::Server::Generic
+      READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
+      attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
+      delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
+      # @param [ String ] slug The plugin/theme slug
+      # @param [ Target ] blog The targeted blog
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] :mode The detection mode to use
+      # @option opts [ Hash ]   :version_detection The options to use when looking for the version
+      # @option opts [ String ] :url The URL of the item
+      def initialize(slug, blog, opts = {})
+        @slug  = URI.decode(slug)
+        @blog  = blog
+        @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
+        @detection_opts         = { mode: opts[:mode] }
+        @version_detection_opts = opts[:version_detection] || {}
+        parse_finding_options(opts)
+      end
-    # @return [ Array<Vulnerabily> ]
-    def vulnerabilities
-      return @vulnerabilities if @vulnerabilities
+      # @return [ Array<Vulnerabily> ]
+      def vulnerabilities
+        return @vulnerabilities if @vulnerabilities
-      @vulnerabilities = []
+        @vulnerabilities = []
+        [*db_data['vulnerabilities']].each do |json_vuln|
+          vulnerability = Vulnerability.load_from_json(json_vuln)
+          @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+        end
-      [*db_data['vulnerabilities']].each do |json_vuln|
-        vulnerability = Vulnerability.load_from_json(json_vuln)
-        @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+        @vulnerabilities
       end
-      @vulnerabilities
-    end
+      # Checks if the wp_item is vulnerable to a specific vulnerability
+      #
+      # @param [ Vulnerability ] vuln Vulnerability to check the item against
+      #
+      # @return [ Boolean ]
+      def vulnerable_to?(vuln)
+        return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
-    # Checks if the wp_item is vulnerable to a specific vulnerability
-    #
-    # @param [ Vulnerability ] vuln Vulnerability to check the item against
-    #
-    # @return [ Boolean ]
-    def vulnerable_to?(vuln)
-      return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
+        version < vuln.fixed_in
+      end
-      version < vuln.fixed_in
-    end
+      # @return [ String ]
+      def latest_version
+        @latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
+      end
-    # @return [ String ]
-    def latest_version
-      @latest_version ||= db_data['latest_version'] ? WPScan::Version.new(db_data['latest_version']) : nil
-    end
+      # Not used anywhere ATM
+      # @return [ Boolean ]
+      def popular?
+        @popular ||= db_data['popular']
+      end
-    # Not used anywhere ATM
-    # @return [ Boolean ]
-    def popular?
-      @popular ||= db_data['popular']
-    end
+      # @return [ String ]
+      def last_updated
+        @last_updated ||= db_data['last_updated']
+      end
-    # @return [ String ]
-    def last_updated
-      @last_updated ||= db_data['last_updated']
-    end
+      # @return [ Boolean ]
+      def outdated?
+        @outdated ||= if version && latest_version
+                        version < latest_version
+                      else
+                        false
+                      end
+      end
-    # @return [ Boolean ]
-    def outdated?
-      @outdated ||= if version && latest_version
-                      version < latest_version
-                    else
-                      false
-                    end
-    end
+      # URI.encode is preferered over Addressable::URI.encode as it will encode
+      # leading # character:
+      # URI.encode('#t#') => %23t%23
+      # Addressable::URI.encode('#t#') => #t%23
+      #
+      # @param [ String ] path Optional path to merge with the uri
+      #
+      # @return [ String ]
+      def url(path = nil)
+        return unless @uri
+        return @uri.to_s unless path
+        @uri.join(URI.encode(path)).to_s
+      end
-    # URI.encode is preferered over Addressable::URI.encode as it will encode
-    # leading # character:
-    # URI.encode('#t#') => %23t%23
-    # Addressable::URI.encode('#t#') => #t%23
-    #
-    # @param [ String ] path Optional path to merge with the uri
-    #
-    # @return [ String ]
-    def url(path = nil)
-      return unless @uri
-      return @uri.to_s unless path
-      @uri.join(URI.encode(path)).to_s
-    end
+      # @return [ Boolean ]
+      def ==(other)
+        self.class == other.class && slug == other.slug
+      end
-    # @return [ Boolean ]
-    def ==(other)
-      self.class == other.class && slug == other.slug
-    end
+      def to_s
+        slug
+      end
-    def to_s
-      slug
-    end
+      # @return [ Symbol ] The Class symbol associated to the item
+      def classify
+        @classify ||= classify_slug(slug)
+      end
-    # @return [ Symbol ] The Class symbol associated to the item
-    def classify
-      @classify ||= classify_slug(slug)
-    end
+      # @return [ String, False ] The readme url if found, false otherwise
+      def readme_url
+        return if detection_opts[:mode] == :passive
-    # @return [ String ] The readme url if found
-    def readme_url
-      return if detection_opts[:mode] == :passive
+        return @readme_url unless @readme_url.nil?
-      if @readme_url.nil?
         READMES.each do |path|
-          return @readme_url = url(path) if Browser.get(url(path)).code == 200
-        end
-      end
+          t_url = url(path)
-      @readme_url
-    end
-    # @return [ String, false ] The changelog urr if found
-    def changelog_url
-      return if detection_opts[:mode] == :passive
-      if @changelog_url.nil?
-        CHANGELOGS.each do |path|
-          return @changelog_url = url(path) if Browser.get(url(path)).code == 200
+          return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200
         end
+        @readme_url = false
       end
-      @changelog_url
-    end
+      # @param [ String ] path
+      # @param [ Hash ] params The request params
+      #
+      # @return [ Boolean ]
+      def directory_listing?(path = nil, params = {})
+        return if detection_opts[:mode] == :passive
-    # @param [ String ] path
-    # @param [ Hash ] params The request params
-    #
-    # @return [ Boolean ]
-    def directory_listing?(path = nil, params = {})
-      return if detection_opts[:mode] == :passive
+        super(path, params)
+      end
-      super(path, params)
-    end
+      # @param [ String ] path
+      # @param [ Hash ] params The request params
+      #
+      # @return [ Boolean ]
+      def error_log?(path = 'error_log', params = {})
+        return if detection_opts[:mode] == :passive
-    # @param [ String ] path
-    # @param [ Hash ] params The request params
-    #
-    # @return [ Boolean ]
-    def error_log?(path = 'error_log', params = {})
-      return if detection_opts[:mode] == :passive
+        super(path, params)
+      end
-      super(path, params)
+      # See CMSScanner::Target#head_and_get
+      #
+      # This is used by the error_log? above in the super()
+      # to have the correct path (ie readme.txt checked from the plugin/theme location
+      # and not from the blog root). Could also be used in finders
+      #
+      # @param [ String ] path
+      # @param [ Array<String> ] codes
+      # @param [ Hash ] params The requests params
+      # @option params [ Hash ] :head Request params for the HEAD
+      # @option params [ hash ] :get Request params for the GET
+      #
+      # @return [ Typhoeus::Response ]
+      def head_and_get(path, codes = [200], params = {})
+        final_path = +@path_from_blog
+        final_path << URI.encode(path) unless path.nil?
+        blog.head_and_get(final_path, codes, params)
+      end
     end
   end
 end

data/app/models/wp_version.rb CHANGED Viewed

@@ -1,64 +1,67 @@
+# frozen_string_literal: true
 module WPScan
-  # WP Version
-  class WpVersion < CMSScanner::Version
-    include Vulnerable
+  module Model
+    # WP Version
+    class WpVersion < CMSScanner::Model::Version
+      include Vulnerable
-    def initialize(number, opts = {})
-      raise InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
+      def initialize(number, opts = {})
+        raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
-      super(number, opts)
-    end
+        super(number, opts)
+      end
-    # @param [ String ] number
-    #
-    # @return [ Boolean ] true if the number is a valid WP version, false otherwise
-    def self.valid?(number)
-      all.include?(number)
-    end
+      # @param [ String ] number
+      #
+      # @return [ Boolean ] true if the number is a valid WP version, false otherwise
+      def self.valid?(number)
+        all.include?(number)
+      end
-    # @return [ Array<String> ] All the version numbers
-    def self.all
-      return @all_numbers if @all_numbers
+      # @return [ Array<String> ] All the version numbers
+      def self.all
+        return @all_numbers if @all_numbers
-      @all_numbers = []
+        @all_numbers = []
-      DB::Fingerprints.wp_fingerprints.each_value do |fp|
-        fp.each_value do |versions|
-          versions.each do |version|
-            @all_numbers << version unless @all_numbers.include?(version)
-          end
+        DB::Fingerprints.wp_fingerprints.each_value do |fp|
+          @all_numbers << fp.values
         end
+        # @all_numbers.flatten.uniq.sort! {} doesn't produce the same result here.
+        @all_numbers.flatten!
+        @all_numbers.uniq!
+        @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
       end
-      @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
-    end
+      # @return [ JSON ]
+      def db_data
+        @db_data ||= DB::Version.db_data(number)
+      end
-    # @return [ JSON ]
-    def db_data
-      DB::Version.db_data(number)
-    end
+      # @return [ Array<Vulnerability> ]
+      def vulnerabilities
+        return @vulnerabilities if @vulnerabilities
-    # @return [ Array<Vulnerability> ]
-    def vulnerabilities
-      return @vulnerabilities if @vulnerabilities
+        @vulnerabilities = []
-      @vulnerabilities = []
+        [*db_data['vulnerabilities']].each do |json_vuln|
+          @vulnerabilities << Vulnerability.load_from_json(json_vuln)
+        end
-      [*db_data['vulnerabilities']].each do |json_vuln|
-        @vulnerabilities << Vulnerability.load_from_json(json_vuln)
+        @vulnerabilities
       end
-      @vulnerabilities
-    end
-    # @return [ String ]
-    def release_date
-      @release_date ||= db_data['release_date'] || 'Unknown'
-    end
+      # @return [ String ]
+      def release_date
+        @release_date ||= db_data['release_date'] || 'Unknown'
+      end
-    # @return [ String ]
-    def status
-      @status ||= db_data['status'] || 'Unknown'
+      # @return [ String ]
+      def status
+        @status ||= db_data['status'] || 'Unknown'
+      end
     end
   end
 end

data/app/models/xml_rpc.rb CHANGED Viewed

@@ -1,19 +1,23 @@
+# frozen_string_literal: true
 module WPScan
-  # Override of the CMSScanner::XMLRPC to include the references
-  class XMLRPC < CMSScanner::XMLRPC
-    include References # To be able to use the :wpvulndb reference if needed
+  module Model
+    # Override of the CMSScanner::XMLRPC to include the references
+    class XMLRPC < CMSScanner::Model::XMLRPC
+      include References # To be able to use the :wpvulndb reference if needed
-    # @return [ Hash ]
-    def references
-      {
-        url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
-        metasploit: [
-          'auxiliary/scanner/http/wordpress_ghost_scanner',
-          'auxiliary/dos/http/wordpress_xmlrpc_dos',
-          'auxiliary/scanner/http/wordpress_xmlrpc_login',
-          'auxiliary/scanner/http/wordpress_pingback_access'
-        ]
-      }
+      # @return [ Hash ]
+      def references
+        {
+          url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
+          metasploit: [
+            'auxiliary/scanner/http/wordpress_ghost_scanner',
+            'auxiliary/dos/http/wordpress_xmlrpc_dos',
+            'auxiliary/scanner/http/wordpress_xmlrpc_login',
+            'auxiliary/scanner/http/wordpress_pingback_access'
+          ]
+        }
+      end
     end
   end
 end

data/app/views/cli/wp_item.erb CHANGED Viewed

@@ -8,9 +8,6 @@
 <% if @wp_item.readme_url -%>
  | Readme: <%= @wp_item.readme_url %>
 <% end -%>
-<% if @wp_item.changelog_url -%>
- | Changelog: <%= @wp_item.changelog_url %>
-<% end -%>
 <% if @wp_item.latest_version && @wp_item.outdated? -%>
  | <%= warning_icon %> The version is out of date, the latest version is <%= @wp_item.latest_version %>
 <% end -%>