RubyGems - wpscan - Versions diffs - 3.4.5 → 3.5.0 - Mend

wpscan 3.4.5 → 3.5.0

Files changed (140) hide show

checksums.yaml +5 -5
data/README.md +21 -14
data/app/app.rb +2 -0
data/app/controllers.rb +2 -0
data/app/controllers/aliases.rb +2 -0
data/app/controllers/core.rb +6 -4
data/app/controllers/custom_directories.rb +3 -1
data/app/controllers/enumeration.rb +6 -0
data/app/controllers/enumeration/cli_options.rb +2 -0
data/app/controllers/enumeration/enum_methods.rb +2 -0
data/app/controllers/main_theme.rb +2 -0
data/app/controllers/password_attack.rb +6 -4
data/app/controllers/wp_version.rb +2 -0
data/app/finders.rb +2 -0
data/app/finders/config_backups.rb +2 -0
data/app/finders/config_backups/known_filenames.rb +4 -3
data/app/finders/db_exports.rb +2 -0
data/app/finders/db_exports/known_locations.rb +15 -3
data/app/finders/interesting_findings.rb +2 -0
data/app/finders/interesting_findings/backup_db.rb +5 -4
data/app/finders/interesting_findings/debug_log.rb +3 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +6 -5
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +6 -4
data/app/finders/interesting_findings/full_path_disclosure.rb +3 -1
data/app/finders/interesting_findings/mu_plugins.rb +4 -2
data/app/finders/interesting_findings/multisite.rb +3 -1
data/app/finders/interesting_findings/readme.rb +8 -6
data/app/finders/interesting_findings/registration.rb +3 -1
data/app/finders/interesting_findings/tmm_db_migrate.rb +4 -2
data/app/finders/interesting_findings/upload_directory_listing.rb +3 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +8 -10
data/app/finders/interesting_findings/wp_cron.rb +3 -1
data/app/finders/main_theme.rb +2 -0
data/app/finders/main_theme/css_style.rb +3 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -1
data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -1
data/app/finders/medias.rb +2 -0
data/app/finders/medias/attachment_brute_forcing.rb +3 -1
data/app/finders/passwords.rb +2 -0
data/app/finders/passwords/wp_login.rb +4 -1
data/app/finders/passwords/xml_rpc.rb +2 -0
data/app/finders/passwords/xml_rpc_multicall.rb +4 -2
data/app/finders/plugin_version.rb +4 -2
data/app/finders/plugin_version/readme.rb +9 -5
data/app/finders/plugins.rb +2 -0
data/app/finders/plugins/body_pattern.rb +3 -1
data/app/finders/plugins/comment.rb +3 -1
data/app/finders/plugins/config_parser.rb +3 -1
data/app/finders/plugins/header_pattern.rb +3 -1
data/app/finders/plugins/javascript_var.rb +3 -1
data/app/finders/plugins/known_locations.rb +10 -8
data/app/finders/plugins/query_parameter.rb +2 -0
data/app/finders/plugins/urls_in_homepage.rb +3 -1
data/app/finders/plugins/xpath.rb +3 -1
data/app/finders/theme_version.rb +4 -2
data/app/finders/theme_version/style.rb +3 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +3 -1
data/app/finders/themes.rb +2 -0
data/app/finders/themes/known_locations.rb +12 -10
data/app/finders/themes/urls_in_homepage.rb +3 -1
data/app/finders/timthumb_version.rb +3 -1
data/app/finders/timthumb_version/bad_request.rb +3 -1
data/app/finders/timthumbs.rb +2 -0
data/app/finders/timthumbs/known_locations.rb +12 -3
data/app/finders/users.rb +2 -0
data/app/finders/users/author_id_brute_forcing.rb +3 -1
data/app/finders/users/author_posts.rb +3 -1
data/app/finders/users/login_error_messages.rb +3 -1
data/app/finders/users/oembed_api.rb +6 -4
data/app/finders/users/rss_generator.rb +7 -5
data/app/finders/users/wp_json_api.rb +16 -6
data/app/finders/users/yoast_seo_author_sitemap.rb +6 -4
data/app/finders/wp_items.rb +2 -0
data/app/finders/wp_items/urls_in_homepage.rb +2 -0
data/app/finders/wp_version.rb +2 -0
data/app/finders/wp_version/atom_generator.rb +2 -0
data/app/finders/wp_version/rdf_generator.rb +2 -0
data/app/finders/wp_version/readme.rb +4 -2
data/app/finders/wp_version/rss_generator.rb +2 -0
data/app/finders/wp_version/unique_fingerprinting.rb +3 -1
data/app/models.rb +8 -0
data/app/models/config_backup.rb +6 -2
data/app/models/db_export.rb +6 -2
data/app/models/interesting_finding.rb +36 -32
data/app/models/media.rb +6 -2
data/app/models/plugin.rb +25 -17
data/app/models/theme.rb +83 -75
data/app/models/timthumb.rb +58 -54
data/app/models/wp_item.rb +140 -128
data/app/models/wp_version.rb +47 -44
data/app/models/xml_rpc.rb +18 -14
data/app/views/cli/wp_item.erb +0 -3
data/app/views/json/wp_item.erb +0 -1
data/bin/wpscan +1 -0
data/lib/wpscan.rb +2 -0
data/lib/wpscan/browser.rb +2 -0
data/lib/wpscan/controller.rb +2 -0
data/lib/wpscan/controllers.rb +2 -0
data/lib/wpscan/db.rb +2 -0
data/lib/wpscan/db/dynamic_finders/base.rb +2 -0
data/lib/wpscan/db/dynamic_finders/plugin.rb +4 -5
data/lib/wpscan/db/dynamic_finders/theme.rb +2 -0
data/lib/wpscan/db/dynamic_finders/wordpress.rb +2 -0
data/lib/wpscan/db/fingerprints.rb +2 -0
data/lib/wpscan/db/plugin.rb +2 -0
data/lib/wpscan/db/plugins.rb +2 -0
data/lib/wpscan/db/theme.rb +2 -0
data/lib/wpscan/db/themes.rb +2 -0
data/lib/wpscan/db/updater.rb +4 -2
data/lib/wpscan/db/wp_item.rb +2 -0
data/lib/wpscan/db/wp_items.rb +2 -0
data/lib/wpscan/db/wp_version.rb +2 -0
data/lib/wpscan/errors.rb +7 -1
data/lib/wpscan/errors/http.rb +27 -23
data/lib/wpscan/errors/update.rb +8 -4
data/lib/wpscan/errors/wordpress.rb +24 -14
data/lib/wpscan/errors/xmlrpc.rb +8 -4
data/lib/wpscan/finders.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +4 -2
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +4 -2
data/lib/wpscan/helper.rb +2 -0
data/lib/wpscan/references.rb +2 -0
data/lib/wpscan/target.rb +12 -1
data/lib/wpscan/target/platform/wordpress.rb +15 -1
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +23 -3
data/lib/wpscan/version.rb +3 -1
data/lib/wpscan/vulnerability.rb +2 -0
data/lib/wpscan/vulnerable.rb +2 -0
metadata +35 -8

data/app/models/wp_item.rb CHANGED Viewed

@@ -1,158 +1,170 @@
+# frozen_string_literal: true
 module WPScan
-  # WpItem (superclass of Plugin & Theme)
-  class WpItem
-    include Vulnerable
-    include Finders::Finding
-    include CMSScanner::Target::Platform::PHP
-    include CMSScanner::Target::Server::Generic
-    READMES    = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
-    CHANGELOGS = %w[changelog.txt CHANGELOG.md changelog.md].freeze
-    attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :db_data
-    delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, to: :blog
-    # @param [ String ] slug The plugin/theme slug
-    # @param [ Target ] blog The targeted blog
-    # @param [ Hash ] opts
-    # @option opts [ Symbol ] :mode The detection mode to use
-    # @option opts [ Hash ]   :version_detection The options to use when looking for the version
-    # @option opts [ String ] :url The URL of the item
-    def initialize(slug, blog, opts = {})
-      @slug  = URI.decode(slug)
-      @blog  = blog
-      @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
-      @detection_opts         = { mode: opts[:mode] }
-      @version_detection_opts = opts[:version_detection] || {}
-      parse_finding_options(opts)
-    end
+  module Model
+    # WpItem (superclass of Plugin & Theme)
+    class WpItem
+      include Vulnerable
+      include Finders::Finding
+      include CMSScanner::Target::Platform::PHP
+      include CMSScanner::Target::Server::Generic
+      READMES = %w[readme.txt README.txt README.md readme.md Readme.txt].freeze
+      attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
+      delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
+      # @param [ String ] slug The plugin/theme slug
+      # @param [ Target ] blog The targeted blog
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] :mode The detection mode to use
+      # @option opts [ Hash ]   :version_detection The options to use when looking for the version
+      # @option opts [ String ] :url The URL of the item
+      def initialize(slug, blog, opts = {})
+        @slug  = URI.decode(slug)
+        @blog  = blog
+        @uri   = Addressable::URI.parse(opts[:url]) if opts[:url]
+        @detection_opts         = { mode: opts[:mode] }
+        @version_detection_opts = opts[:version_detection] || {}
+        parse_finding_options(opts)
+      end
-    # @return [ Array<Vulnerabily> ]
-    def vulnerabilities
-      return @vulnerabilities if @vulnerabilities
+      # @return [ Array<Vulnerabily> ]
+      def vulnerabilities
+        return @vulnerabilities if @vulnerabilities
-      @vulnerabilities = []
+        @vulnerabilities = []
+        [*db_data['vulnerabilities']].each do |json_vuln|
+          vulnerability = Vulnerability.load_from_json(json_vuln)
+          @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+        end
-      [*db_data['vulnerabilities']].each do |json_vuln|
-        vulnerability = Vulnerability.load_from_json(json_vuln)
-        @vulnerabilities << vulnerability if vulnerable_to?(vulnerability)
+        @vulnerabilities
       end
-      @vulnerabilities
-    end
+      # Checks if the wp_item is vulnerable to a specific vulnerability
+      #
+      # @param [ Vulnerability ] vuln Vulnerability to check the item against
+      #
+      # @return [ Boolean ]
+      def vulnerable_to?(vuln)
+        return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
-    # Checks if the wp_item is vulnerable to a specific vulnerability
-    #
-    # @param [ Vulnerability ] vuln Vulnerability to check the item against
-    #
-    # @return [ Boolean ]
-    def vulnerable_to?(vuln)
-      return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
+        version < vuln.fixed_in
+      end
-      version < vuln.fixed_in
-    end
+      # @return [ String ]
+      def latest_version
+        @latest_version ||= db_data['latest_version'] ? Model::Version.new(db_data['latest_version']) : nil
+      end
-    # @return [ String ]
-    def latest_version
-      @latest_version ||= db_data['latest_version'] ? WPScan::Version.new(db_data['latest_version']) : nil
-    end
+      # Not used anywhere ATM
+      # @return [ Boolean ]
+      def popular?
+        @popular ||= db_data['popular']
+      end
-    # Not used anywhere ATM
-    # @return [ Boolean ]
-    def popular?
-      @popular ||= db_data['popular']
-    end
+      # @return [ String ]
+      def last_updated
+        @last_updated ||= db_data['last_updated']
+      end
-    # @return [ String ]
-    def last_updated
-      @last_updated ||= db_data['last_updated']
-    end
+      # @return [ Boolean ]
+      def outdated?
+        @outdated ||= if version && latest_version
+                        version < latest_version
+                      else
+                        false
+                      end
+      end
-    # @return [ Boolean ]
-    def outdated?
-      @outdated ||= if version && latest_version
-                      version < latest_version
-                    else
-                      false
-                    end
-    end
+      # URI.encode is preferered over Addressable::URI.encode as it will encode
+      # leading # character:
+      # URI.encode('#t#') => %23t%23
+      # Addressable::URI.encode('#t#') => #t%23
+      #
+      # @param [ String ] path Optional path to merge with the uri
+      #
+      # @return [ String ]
+      def url(path = nil)
+        return unless @uri
+        return @uri.to_s unless path
+        @uri.join(URI.encode(path)).to_s
+      end
-    # URI.encode is preferered over Addressable::URI.encode as it will encode
-    # leading # character:
-    # URI.encode('#t#') => %23t%23
-    # Addressable::URI.encode('#t#') => #t%23
-    #
-    # @param [ String ] path Optional path to merge with the uri
-    #
-    # @return [ String ]
-    def url(path = nil)
-      return unless @uri
-      return @uri.to_s unless path
-      @uri.join(URI.encode(path)).to_s
-    end
+      # @return [ Boolean ]
+      def ==(other)
+        self.class == other.class && slug == other.slug
+      end
-    # @return [ Boolean ]
-    def ==(other)
-      self.class == other.class && slug == other.slug
-    end
+      def to_s
+        slug
+      end
-    def to_s
-      slug
-    end
+      # @return [ Symbol ] The Class symbol associated to the item
+      def classify
+        @classify ||= classify_slug(slug)
+      end
-    # @return [ Symbol ] The Class symbol associated to the item
-    def classify
-      @classify ||= classify_slug(slug)
-    end
+      # @return [ String, False ] The readme url if found, false otherwise
+      def readme_url
+        return if detection_opts[:mode] == :passive
-    # @return [ String ] The readme url if found
-    def readme_url
-      return if detection_opts[:mode] == :passive
+        return @readme_url unless @readme_url.nil?
-      if @readme_url.nil?
         READMES.each do |path|
-          return @readme_url = url(path) if Browser.get(url(path)).code == 200
-        end
-      end
+          t_url = url(path)
-      @readme_url
-    end
-    # @return [ String, false ] The changelog urr if found
-    def changelog_url
-      return if detection_opts[:mode] == :passive
-      if @changelog_url.nil?
-        CHANGELOGS.each do |path|
-          return @changelog_url = url(path) if Browser.get(url(path)).code == 200
+          return @readme_url = t_url if Browser.forge_request(t_url, blog.head_or_get_params).run.code == 200
         end
+        @readme_url = false
       end
-      @changelog_url
-    end
+      # @param [ String ] path
+      # @param [ Hash ] params The request params
+      #
+      # @return [ Boolean ]
+      def directory_listing?(path = nil, params = {})
+        return if detection_opts[:mode] == :passive
-    # @param [ String ] path
-    # @param [ Hash ] params The request params
-    #
-    # @return [ Boolean ]
-    def directory_listing?(path = nil, params = {})
-      return if detection_opts[:mode] == :passive
+        super(path, params)
+      end
-      super(path, params)
-    end
+      # @param [ String ] path
+      # @param [ Hash ] params The request params
+      #
+      # @return [ Boolean ]
+      def error_log?(path = 'error_log', params = {})
+        return if detection_opts[:mode] == :passive
-    # @param [ String ] path
-    # @param [ Hash ] params The request params
-    #
-    # @return [ Boolean ]
-    def error_log?(path = 'error_log', params = {})
-      return if detection_opts[:mode] == :passive
+        super(path, params)
+      end
-      super(path, params)
+      # See CMSScanner::Target#head_and_get
+      #
+      # This is used by the error_log? above in the super()
+      # to have the correct path (ie readme.txt checked from the plugin/theme location
+      # and not from the blog root). Could also be used in finders
+      #
+      # @param [ String ] path
+      # @param [ Array<String> ] codes
+      # @param [ Hash ] params The requests params
+      # @option params [ Hash ] :head Request params for the HEAD
+      # @option params [ hash ] :get Request params for the GET
+      #
+      # @return [ Typhoeus::Response ]
+      def head_and_get(path, codes = [200], params = {})
+        final_path = +@path_from_blog
+        final_path << URI.encode(path) unless path.nil?
+        blog.head_and_get(final_path, codes, params)
+      end
     end
   end
 end

data/app/models/wp_version.rb CHANGED Viewed

@@ -1,64 +1,67 @@
+# frozen_string_literal: true
 module WPScan
-  # WP Version
-  class WpVersion < CMSScanner::Version
-    include Vulnerable
+  module Model
+    # WP Version
+    class WpVersion < CMSScanner::Model::Version
+      include Vulnerable
-    def initialize(number, opts = {})
-      raise InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
+      def initialize(number, opts = {})
+        raise Error::InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
-      super(number, opts)
-    end
+        super(number, opts)
+      end
-    # @param [ String ] number
-    #
-    # @return [ Boolean ] true if the number is a valid WP version, false otherwise
-    def self.valid?(number)
-      all.include?(number)
-    end
+      # @param [ String ] number
+      #
+      # @return [ Boolean ] true if the number is a valid WP version, false otherwise
+      def self.valid?(number)
+        all.include?(number)
+      end
-    # @return [ Array<String> ] All the version numbers
-    def self.all
-      return @all_numbers if @all_numbers
+      # @return [ Array<String> ] All the version numbers
+      def self.all
+        return @all_numbers if @all_numbers
-      @all_numbers = []
+        @all_numbers = []
-      DB::Fingerprints.wp_fingerprints.each_value do |fp|
-        fp.each_value do |versions|
-          versions.each do |version|
-            @all_numbers << version unless @all_numbers.include?(version)
-          end
+        DB::Fingerprints.wp_fingerprints.each_value do |fp|
+          @all_numbers << fp.values
         end
+        # @all_numbers.flatten.uniq.sort! {} doesn't produce the same result here.
+        @all_numbers.flatten!
+        @all_numbers.uniq!
+        @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
       end
-      @all_numbers.sort! { |a, b| Gem::Version.new(b) <=> Gem::Version.new(a) }
-    end
+      # @return [ JSON ]
+      def db_data
+        @db_data ||= DB::Version.db_data(number)
+      end
-    # @return [ JSON ]
-    def db_data
-      DB::Version.db_data(number)
-    end
+      # @return [ Array<Vulnerability> ]
+      def vulnerabilities
+        return @vulnerabilities if @vulnerabilities
-    # @return [ Array<Vulnerability> ]
-    def vulnerabilities
-      return @vulnerabilities if @vulnerabilities
+        @vulnerabilities = []
-      @vulnerabilities = []
+        [*db_data['vulnerabilities']].each do |json_vuln|
+          @vulnerabilities << Vulnerability.load_from_json(json_vuln)
+        end
-      [*db_data['vulnerabilities']].each do |json_vuln|
-        @vulnerabilities << Vulnerability.load_from_json(json_vuln)
+        @vulnerabilities
       end
-      @vulnerabilities
-    end
-    # @return [ String ]
-    def release_date
-      @release_date ||= db_data['release_date'] || 'Unknown'
-    end
+      # @return [ String ]
+      def release_date
+        @release_date ||= db_data['release_date'] || 'Unknown'
+      end
-    # @return [ String ]
-    def status
-      @status ||= db_data['status'] || 'Unknown'
+      # @return [ String ]
+      def status
+        @status ||= db_data['status'] || 'Unknown'
+      end
     end
   end
 end

data/app/models/xml_rpc.rb CHANGED Viewed

@@ -1,19 +1,23 @@
+# frozen_string_literal: true
 module WPScan
-  # Override of the CMSScanner::XMLRPC to include the references
-  class XMLRPC < CMSScanner::XMLRPC
-    include References # To be able to use the :wpvulndb reference if needed
+  module Model
+    # Override of the CMSScanner::XMLRPC to include the references
+    class XMLRPC < CMSScanner::Model::XMLRPC
+      include References # To be able to use the :wpvulndb reference if needed
-    # @return [ Hash ]
-    def references
-      {
-        url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
-        metasploit: [
-          'auxiliary/scanner/http/wordpress_ghost_scanner',
-          'auxiliary/dos/http/wordpress_xmlrpc_dos',
-          'auxiliary/scanner/http/wordpress_xmlrpc_login',
-          'auxiliary/scanner/http/wordpress_pingback_access'
-        ]
-      }
+      # @return [ Hash ]
+      def references
+        {
+          url: ['http://codex.wordpress.org/XML-RPC_Pingback_API'],
+          metasploit: [
+            'auxiliary/scanner/http/wordpress_ghost_scanner',
+            'auxiliary/dos/http/wordpress_xmlrpc_dos',
+            'auxiliary/scanner/http/wordpress_xmlrpc_login',
+            'auxiliary/scanner/http/wordpress_pingback_access'
+          ]
+        }
+      end
     end
   end
 end

data/app/views/cli/wp_item.erb CHANGED Viewed

@@ -8,9 +8,6 @@
 <% if @wp_item.readme_url -%>
  | Readme: <%= @wp_item.readme_url %>
 <% end -%>
-<% if @wp_item.changelog_url -%>
- | Changelog: <%= @wp_item.changelog_url %>
-<% end -%>
 <% if @wp_item.latest_version && @wp_item.outdated? -%>
  | <%= warning_icon %> The version is out of date, the latest version is <%= @wp_item.latest_version %>
 <% end -%>