RubyGems - wpscan - Versions diffs - 3.4.5 → 3.5.0 - Mend

wpscan 3.4.5 → 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (140) hide show

checksums.yaml +5 -5
data/README.md +21 -14
data/app/app.rb +2 -0
data/app/controllers.rb +2 -0
data/app/controllers/aliases.rb +2 -0
data/app/controllers/core.rb +6 -4
data/app/controllers/custom_directories.rb +3 -1
data/app/controllers/enumeration.rb +6 -0
data/app/controllers/enumeration/cli_options.rb +2 -0
data/app/controllers/enumeration/enum_methods.rb +2 -0
data/app/controllers/main_theme.rb +2 -0
data/app/controllers/password_attack.rb +6 -4
data/app/controllers/wp_version.rb +2 -0
data/app/finders.rb +2 -0
data/app/finders/config_backups.rb +2 -0
data/app/finders/config_backups/known_filenames.rb +4 -3
data/app/finders/db_exports.rb +2 -0
data/app/finders/db_exports/known_locations.rb +15 -3
data/app/finders/interesting_findings.rb +2 -0
data/app/finders/interesting_findings/backup_db.rb +5 -4
data/app/finders/interesting_findings/debug_log.rb +3 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +6 -5
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +6 -4
data/app/finders/interesting_findings/full_path_disclosure.rb +3 -1
data/app/finders/interesting_findings/mu_plugins.rb +4 -2
data/app/finders/interesting_findings/multisite.rb +3 -1
data/app/finders/interesting_findings/readme.rb +8 -6
data/app/finders/interesting_findings/registration.rb +3 -1
data/app/finders/interesting_findings/tmm_db_migrate.rb +4 -2
data/app/finders/interesting_findings/upload_directory_listing.rb +3 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +8 -10
data/app/finders/interesting_findings/wp_cron.rb +3 -1
data/app/finders/main_theme.rb +2 -0
data/app/finders/main_theme/css_style.rb +3 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -1
data/app/finders/main_theme/woo_framework_meta_generator.rb +3 -1
data/app/finders/medias.rb +2 -0
data/app/finders/medias/attachment_brute_forcing.rb +3 -1
data/app/finders/passwords.rb +2 -0
data/app/finders/passwords/wp_login.rb +4 -1
data/app/finders/passwords/xml_rpc.rb +2 -0
data/app/finders/passwords/xml_rpc_multicall.rb +4 -2
data/app/finders/plugin_version.rb +4 -2
data/app/finders/plugin_version/readme.rb +9 -5
data/app/finders/plugins.rb +2 -0
data/app/finders/plugins/body_pattern.rb +3 -1
data/app/finders/plugins/comment.rb +3 -1
data/app/finders/plugins/config_parser.rb +3 -1
data/app/finders/plugins/header_pattern.rb +3 -1
data/app/finders/plugins/javascript_var.rb +3 -1
data/app/finders/plugins/known_locations.rb +10 -8
data/app/finders/plugins/query_parameter.rb +2 -0
data/app/finders/plugins/urls_in_homepage.rb +3 -1
data/app/finders/plugins/xpath.rb +3 -1
data/app/finders/theme_version.rb +4 -2
data/app/finders/theme_version/style.rb +3 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +3 -1
data/app/finders/themes.rb +2 -0
data/app/finders/themes/known_locations.rb +12 -10
data/app/finders/themes/urls_in_homepage.rb +3 -1
data/app/finders/timthumb_version.rb +3 -1
data/app/finders/timthumb_version/bad_request.rb +3 -1
data/app/finders/timthumbs.rb +2 -0
data/app/finders/timthumbs/known_locations.rb +12 -3
data/app/finders/users.rb +2 -0
data/app/finders/users/author_id_brute_forcing.rb +3 -1
data/app/finders/users/author_posts.rb +3 -1
data/app/finders/users/login_error_messages.rb +3 -1
data/app/finders/users/oembed_api.rb +6 -4
data/app/finders/users/rss_generator.rb +7 -5
data/app/finders/users/wp_json_api.rb +16 -6
data/app/finders/users/yoast_seo_author_sitemap.rb +6 -4
data/app/finders/wp_items.rb +2 -0
data/app/finders/wp_items/urls_in_homepage.rb +2 -0
data/app/finders/wp_version.rb +2 -0
data/app/finders/wp_version/atom_generator.rb +2 -0
data/app/finders/wp_version/rdf_generator.rb +2 -0
data/app/finders/wp_version/readme.rb +4 -2
data/app/finders/wp_version/rss_generator.rb +2 -0
data/app/finders/wp_version/unique_fingerprinting.rb +3 -1
data/app/models.rb +8 -0
data/app/models/config_backup.rb +6 -2
data/app/models/db_export.rb +6 -2
data/app/models/interesting_finding.rb +36 -32
data/app/models/media.rb +6 -2
data/app/models/plugin.rb +25 -17
data/app/models/theme.rb +83 -75
data/app/models/timthumb.rb +58 -54
data/app/models/wp_item.rb +140 -128
data/app/models/wp_version.rb +47 -44
data/app/models/xml_rpc.rb +18 -14
data/app/views/cli/wp_item.erb +0 -3
data/app/views/json/wp_item.erb +0 -1
data/bin/wpscan +1 -0
data/lib/wpscan.rb +2 -0
data/lib/wpscan/browser.rb +2 -0
data/lib/wpscan/controller.rb +2 -0
data/lib/wpscan/controllers.rb +2 -0
data/lib/wpscan/db.rb +2 -0
data/lib/wpscan/db/dynamic_finders/base.rb +2 -0
data/lib/wpscan/db/dynamic_finders/plugin.rb +4 -5
data/lib/wpscan/db/dynamic_finders/theme.rb +2 -0
data/lib/wpscan/db/dynamic_finders/wordpress.rb +2 -0
data/lib/wpscan/db/fingerprints.rb +2 -0
data/lib/wpscan/db/plugin.rb +2 -0
data/lib/wpscan/db/plugins.rb +2 -0
data/lib/wpscan/db/theme.rb +2 -0
data/lib/wpscan/db/themes.rb +2 -0
data/lib/wpscan/db/updater.rb +4 -2
data/lib/wpscan/db/wp_item.rb +2 -0
data/lib/wpscan/db/wp_items.rb +2 -0
data/lib/wpscan/db/wp_version.rb +2 -0
data/lib/wpscan/errors.rb +7 -1
data/lib/wpscan/errors/http.rb +27 -23
data/lib/wpscan/errors/update.rb +8 -4
data/lib/wpscan/errors/wordpress.rb +24 -14
data/lib/wpscan/errors/xmlrpc.rb +8 -4
data/lib/wpscan/finders.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb +2 -0
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +4 -2
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +4 -2
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +4 -2
data/lib/wpscan/helper.rb +2 -0
data/lib/wpscan/references.rb +2 -0
data/lib/wpscan/target.rb +12 -1
data/lib/wpscan/target/platform/wordpress.rb +15 -1
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +23 -3
data/lib/wpscan/version.rb +3 -1
data/lib/wpscan/vulnerability.rb +2 -0
data/lib/wpscan/vulnerable.rb +2 -0
metadata +35 -8

data/app/views/json/wp_item.erb CHANGED Viewed

@@ -4,6 +4,5 @@
 "last_updated": <%= @wp_item.last_updated.to_json %>,
 "outdated": <%= @wp_item.outdated?.to_json %>,
 "readme_url": <%= @wp_item.readme_url.to_json %>,
-"changelog_url": <%= @wp_item.changelog_url.to_json %>,
 "directory_listing": <%= @wp_item.directory_listing?.to_json %>,
 "error_log_url": <% if @wp_item.error_log? %><%= @wp_item.url('error_log').to_json %><% else %>null<% end %>

data/bin/wpscan CHANGED Viewed

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 require 'wpscan'

data/lib/wpscan.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # Gems
 # Believe it or not, active_support MUST be the first one,
 # otherwise encoding issues can happen when using JSON format.

data/lib/wpscan/browser.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   # Custom Browser
   class Browser < CMSScanner::Browser

data/lib/wpscan/controller.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   # Needed to load at least the Core controller
   # Otherwise, the following error will be raised:

data/lib/wpscan/controllers.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   # Override to set the OptParser's summary width to 45 (instead of 40 from the CMSScanner)
   class Controllers < CMSScanner::Controllers

data/lib/wpscan/db.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'db/wp_item'
 require_relative 'db/updater'
 require_relative 'db/wp_items'

data/lib/wpscan/db/dynamic_finders/base.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     module DynamicFinders

data/lib/wpscan/db/dynamic_finders/plugin.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     module DynamicFinders
@@ -60,7 +62,7 @@ module WPScan
         # @param [ String ] slug
         # @return [ Constant ]
-        def self.maybe_create_modudle(slug)
+        def self.maybe_create_module(slug)
           # What about slugs such as js_composer which will be done as JsComposer, just like js-composer
           constant_name = classify_slug(slug)
@@ -73,10 +75,7 @@ module WPScan
         def self.create_versions_finders
           versions_finders_configs.each do |slug, finders|
-            # Kind of an issue here, module is created even if there is no valid classes
-            # Could put the #maybe_ directly in the #send() BUT it would be checked everytime,
-            # which is kind of a waste
-            mod = maybe_create_modudle(slug)
+            mod = maybe_create_module(slug)
             finders.each do |finder_class, config|
               klass = config['class'] || finder_class

data/lib/wpscan/db/dynamic_finders/theme.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     module DynamicFinders

data/lib/wpscan/db/dynamic_finders/wordpress.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     module DynamicFinders

data/lib/wpscan/db/fingerprints.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # Fingerprints class

data/lib/wpscan/db/plugin.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # Plugin DB

data/lib/wpscan/db/plugins.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # WP Plugins

data/lib/wpscan/db/theme.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # Theme DB

data/lib/wpscan/db/themes.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # WP Themes

data/lib/wpscan/db/updater.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # Class used to perform DB updates
@@ -80,7 +82,7 @@ module WPScan
         url = "#{remote_file_url(filename)}.sha512"
         res = Browser.get(url, request_params)
-        raise DownloadError, res if res.timed_out? || res.code != 200
+        raise Error::Download, res if res.timed_out? || res.code != 200
         res.body.chomp
       end
@@ -121,7 +123,7 @@ module WPScan
         file_url  = remote_file_url(filename)
         res = Browser.get(file_url, request_params)
-        raise DownloadError, res if res.timed_out? || res.code != 200
+        raise Error::Download, res if res.timed_out? || res.code != 200
         File.open(file_path, 'wb') { |f| f.write(res.body) }

data/lib/wpscan/db/wp_item.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # WpItem - super DB class for Plugin, Theme and Version

data/lib/wpscan/db/wp_items.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # WP Items

data/lib/wpscan/db/wp_version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module DB
     # WP Version

data/lib/wpscan/errors.rb CHANGED Viewed

@@ -1,5 +1,11 @@
+# frozen_string_literal: true
 module WPScan
-  class Error < StandardError
+  module Error
+    include CMSScanner::Error
+    class Standard < StandardError
+    end
   end
 end

data/lib/wpscan/errors/http.rb CHANGED Viewed

@@ -1,34 +1,38 @@
+# frozen_string_literal: true
 module WPScan
-  # HTTP Error
-  class HTTPError < Error
-    attr_reader :response
+  module Error
+    # HTTP Error
+    class HTTP < Standard
+      attr_reader :response
-    # @param [ Typhoeus::Response ] res
-    def initialize(response)
-      @response = response
-    end
+      # @param [ Typhoeus::Response ] res
+      def initialize(response)
+        @response = response
+      end
-    def failure_details
-      msg = response.effective_url
+      def failure_details
+        msg = response.effective_url
-      msg += if response.code.zero? || response.timed_out?
-               " (#{response.return_message})"
-             else
-               " (status: #{response.code})"
-             end
+        msg += if response.code.zero? || response.timed_out?
+                 " (#{response.return_message})"
+               else
+                 " (status: #{response.code})"
+               end
-      msg
-    end
+        msg
+      end
-    def to_s
-      "HTTP Error: #{failure_details}"
+      def to_s
+        "HTTP Error: #{failure_details}"
+      end
     end
-  end
-  # Used in the Updater
-  class DownloadError < HTTPError
-    def to_s
-      "Unable to get #{failure_details}"
+    # Used in the Updater
+    class Download < HTTP
+      def to_s
+        "Unable to get #{failure_details}"
+      end
     end
   end
 end

data/lib/wpscan/errors/update.rb CHANGED Viewed

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
 module WPScan
-  # Error raised when there is a missing  DB file and --no-update supplied
-  class MissingDatabaseFile < Error
-    def to_s
-      'Update required, you can not run a scan if a database file is missing.'
+  module Error
+    # Error raised when there is a missing  DB file and --no-update supplied
+    class MissingDatabaseFile < Standard
+      def to_s
+        'Update required, you can not run a scan if a database file is missing.'
+      end
     end
   end
 end

data/lib/wpscan/errors/wordpress.rb CHANGED Viewed

@@ -1,22 +1,32 @@
+# frozen_string_literal: true
 module WPScan
-  # WordPress hosted (*.wordpress.com)
-  class WordPressHostedError < Error
-    def to_s
-      'Scanning *.wordpress.com hosted blogs is not supported.'
+  module Error
+    # WordPress hosted (*.wordpress.com)
+    class WordPressHosted < Standard
+      def to_s
+        'Scanning *.wordpress.com hosted blogs is not supported.'
+      end
     end
-  end
-  # Not WordPress Error
-  class NotWordPressError < Error
-    def to_s
-      'The remote website is up, but does not seem to be running WordPress.'
+    # Not WordPress Error
+    class NotWordPress < Standard
+      def to_s
+        'The remote website is up, but does not seem to be running WordPress.'
+      end
+    end
+    # Invalid Wp Version (used in the WpVersion#new)
+    class InvalidWordPressVersion < Standard
+      def to_s
+        'The WordPress version is invalid'
+      end
     end
-  end
-  # Invalid Wp Version (used in the WpVersion#new)
-  class InvalidWordPressVersion < Error
-    def to_s
-      'The WordPress version is invalid'
+    class WpContentDirNotDetected < Standard
+      def to_s
+        'Unable to identify the wp-content dir, please supply it with --wp-content-dir'
+      end
     end
   end
 end

data/lib/wpscan/errors/xmlrpc.rb CHANGED Viewed

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
 module WPScan
-  # XML-RPC Not Detected
-  class XMLRPCNotDetected < Error
-    def to_s
-      'The XML-RPC Interface was not detected.'
+  module Error
+    # XML-RPC Not Detected
+    class XMLRPCNotDetected < Standard
+      def to_s
+        'The XML-RPC Interface was not detected.'
+      end
     end
   end
 end

data/lib/wpscan/finders.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'wpscan/finders/finder/wp_version/smart_url_checker'
 require 'wpscan/finders/dynamic_finder/finder'

data/lib/wpscan/finders/dynamic_finder/finder.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/comment.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/config_parser.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/finder.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder
@@ -9,9 +11,9 @@ module WPScan
           # @param [ String ] number
           # @param [ Hash ] finding_opts
-          # @return [ WPScan::Version ]
+          # @return [ Model::Version ]
           def create_version(number, finding_opts)
-            WPScan::Version.new(number, version_finding_opts(finding_opts))
+            Model::Version.new(number, version_finding_opts(finding_opts))
           end
           # @param [ Hash ] opts

data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/version/xpath.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/wp_item_version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder

data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module WPScan
   module Finders
     module DynamicFinder
@@ -31,7 +33,7 @@ module WPScan
               configs.each do |klass, config|
                 item = process_response(opts, target.homepage_res, slug, klass, config)
-                found << item if item.is_a?(WpItem)
+                found << item if item.is_a?(Model::WpItem)
               end
             end
@@ -70,7 +72,7 @@ module WPScan
                 item = process_response(opts, response, slug, klass, config)
-                found << item if item.is_a?(WpItem)
+                found << item if item.is_a?(Model::WpItem)
               end
             end