wpscan 3.5.2 → 3.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. checksums.yaml +4 -4
  2. data/app/controllers/custom_directories.rb +5 -3
  3. data/app/finders/interesting_findings/mu_plugins.rb +2 -2
  4. data/app/finders/main_theme/css_style.rb +3 -3
  5. data/app/finders/plugins/known_locations.rb +2 -2
  6. data/app/finders/themes/known_locations.rb +2 -2
  7. data/app/finders/users/author_id_brute_forcing.rb +2 -2
  8. data/app/finders/users/author_posts.rb +1 -3
  9. data/app/finders/users/wp_json_api.rb +1 -3
  10. data/app/finders/wp_items/urls_in_homepage.rb +2 -2
  11. data/app/models/wp_item.rb +1 -1
  12. data/lib/wpscan/errors/wordpress.rb +3 -2
  13. data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +2 -4
  14. data/lib/wpscan/target/platform/wordpress/custom_directories.rb +22 -11
  15. data/lib/wpscan/target/platform/wordpress.rb +16 -5
  16. data/lib/wpscan/version.rb +1 -1
  17. metadata +8 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 248dcdf858b8942a71b8515687d143065c9d37acfb38fb194f84cc2df850559f
4
- data.tar.gz: db972ad0382352dba907c028c003635c045753bcf2b71f9da7759f70520761c7
3
+ metadata.gz: 9e44669757a1872794cbd7427372c477dbc9b44b1e59b3683175a6d5d365c749
4
+ data.tar.gz: 54aadf50c99206305fcfa920c2a6f150da4071089074b5a157aa28c92daede80
5
5
  SHA512:
6
- metadata.gz: a41f8a0b3526c48ad366004244643e40dc37e5c8ad510a9ac40c848ca9826d47e6e59e5332e29e004c9059b10314ead5751dc0318db72a8a6bcd7ad19c18254b
7
- data.tar.gz: 79b2f651165ed7189c94b1298a99ea7409a87f03eda56014dd418f2c9f5ef51c9d0d6fc0ac14c849a369b7f4a9bebc682364e389a7ba4fa1ff9b0763e1e6d26d
6
+ metadata.gz: 9c7b244ffd96125433c9aac5a2b2091241265e19f7bd0d15756615165deca18d72ea159374aa094b8cdafde83a416102b559fabae90ce49377c7093151f8e54a
7
+ data.tar.gz: c0b6f59ec952d80e7b566d9e4d91a7b6cdee8b7e08f59e76cc4376d79c709f981308d63c4fe13ccfb458fe042c1d4fd71c2c93d5ee95422fc58268eb2bcccef3
data/app/controllers/custom_directories.rb CHANGED
@@ -7,8 +7,10 @@ module WPScan
7
7
  class CustomDirectories < CMSScanner::Controller::Base
8
8
  def cli_options
9
9
  [
10
- OptString.new(['--wp-content-dir DIR']),
11
- OptString.new(['--wp-plugins-dir DIR'])
10
+ OptString.new(['--wp-content-dir DIR',
11
+ 'The wp-content directory if custom or not detected, such as "wp-content"']),
12
+ OptString.new(['--wp-plugins-dir DIR',
13
+ 'The plugins directory if custom or not detected, such as "wp-content/plugins"'])
12
14
  ]
13
15
  end
14
16
 
@@ -16,7 +18,7 @@ module WPScan
16
18
  target.content_dir = ParsedCli.wp_content_dir if ParsedCli.wp_content_dir
17
19
  target.plugins_dir = ParsedCli.wp_plugins_dir if ParsedCli.wp_plugins_dir
18
20
 
19
- return if target.content_dir
21
+ return if target.content_dir(ParsedCli.detection_mode)
20
22
 
21
23
  raise Error::WpContentDirNotDetected
22
24
  end
data/app/finders/interesting_findings/mu_plugins.rb CHANGED
@@ -9,8 +9,8 @@ module WPScan
9
9
  def passive(_opts = {})
10
10
  pattern = %r{#{target.content_dir}/mu\-plugins/}i
11
11
 
12
- target.in_scope_urls(target.homepage_res) do |url|
13
- next unless Addressable::URI.parse(url).path =~ pattern
12
+ target.in_scope_uris(target.homepage_res) do |uri|
13
+ next unless uri.path =~ pattern
14
14
 
15
15
  url = target.url('wp-content/mu-plugins/')
16
16
 
data/app/finders/main_theme/css_style.rb CHANGED
@@ -20,10 +20,10 @@ module WPScan
20
20
  end
21
21
 
22
22
  def passive_from_css_href(res, opts)
23
- target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
24
- next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
23
+ target.in_scope_uris(res, '//style/@src|//link/@href') do |uri|
24
+ next unless uri.path =~ %r{/themes/([^\/]+)/style.css\z}i
25
25
 
26
- return create_theme(Regexp.last_match[1], url, opts)
26
+ return create_theme(Regexp.last_match[1], uri.to_s, opts)
27
27
  end
28
28
  nil
29
29
  end
data/app/finders/plugins/known_locations.rb CHANGED
@@ -9,7 +9,7 @@ module WPScan
9
9
 
10
10
  # @return [ Array<Integer> ]
11
11
  def valid_response_codes
12
- @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
12
+ @valid_response_codes ||= [200, 401, 403, 500].freeze
13
13
  end
14
14
 
15
15
  # @param [ Hash ] opts
@@ -19,7 +19,7 @@ module WPScan
19
19
  def aggressive(opts = {})
20
20
  found = []
21
21
 
22
- enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
22
+ enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
23
23
  found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
24
24
  end
25
25
 
data/app/finders/themes/known_locations.rb CHANGED
@@ -9,7 +9,7 @@ module WPScan
9
9
 
10
10
  # @return [ Array<Integer> ]
11
11
  def valid_response_codes
12
- @valid_response_codes ||= [200, 401, 403, 301, 500].freeze
12
+ @valid_response_codes ||= [200, 401, 403, 500].freeze
13
13
  end
14
14
 
15
15
  # @param [ Hash ] opts
@@ -19,7 +19,7 @@ module WPScan
19
19
  def aggressive(opts = {})
20
20
  found = []
21
21
 
22
- enumerate(target_urls(opts), opts.merge(check_full_response: [200, 401, 403, 500])) do |_res, slug|
22
+ enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |_res, slug|
23
23
  found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
24
24
  end
25
25
 
data/app/finders/users/author_id_brute_forcing.rb CHANGED
@@ -83,8 +83,8 @@ module WPScan
83
83
  # @return [ String, nil ] The username found
84
84
  def username_from_response(res)
85
85
  # Permalink enabled
86
- target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
87
- username = username_from_author_url(url)
86
+ target.in_scope_uris(res, '//link/@href|//a/@href') do |uri|
87
+ username = username_from_author_url(uri.to_s)
88
88
  return username if username
89
89
  end
90
90
 
data/app/finders/users/author_posts.rb CHANGED
@@ -45,9 +45,7 @@ module WPScan
45
45
  def potential_usernames(res)
46
46
  usernames = []
47
47
 
48
- target.in_scope_urls(res, '//a/@href') do |url, node|
49
- uri = Addressable::URI.parse(url)
50
-
48
+ target.in_scope_uris(res, '//a/@href') do |uri, node|
51
49
  if uri.path =~ %r{/author/([^/\b]+)/?\z}i
52
50
  usernames << [Regexp.last_match[1], 'Author Pattern', 100]
53
51
  elsif /author=[0-9]+/.match?(uri.query)
data/app/finders/users/wp_json_api.rb CHANGED
@@ -57,9 +57,7 @@ module WPScan
57
57
  def api_url
58
58
  return @api_url if @api_url
59
59
 
60
- target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
61
- uri = Addressable::URI.parse(url.strip)
62
-
60
+ target.in_scope_uris(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |uri|
63
61
  return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
64
62
  end
65
63
 
data/app/finders/wp_items/urls_in_homepage.rb CHANGED
@@ -12,8 +12,8 @@ module WPScan
12
12
  def items_from_links(type, uniq = true)
13
13
  found = []
14
14
 
15
- target.in_scope_urls(target.homepage_res) do |url|
16
- next unless url =~ item_attribute_pattern(type)
15
+ target.in_scope_uris(target.homepage_res) do |uri|
16
+ next unless uri.to_s =~ item_attribute_pattern(type)
17
17
 
18
18
  found << Regexp.last_match[1]
19
19
  end
data/app/models/wp_item.rb CHANGED
@@ -13,7 +13,7 @@ module WPScan
13
13
 
14
14
  attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
15
15
 
16
- delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
16
+ delegate :homepage_res, :xpath_pattern_from_page, :in_scope_uris, :head_or_get_params, to: :blog
17
17
 
18
18
  # @param [ String ] slug The plugin/theme slug
19
19
  # @param [ Target ] blog The targeted blog
data/lib/wpscan/errors/wordpress.rb CHANGED
@@ -5,7 +5,7 @@ module WPScan
5
5
  # WordPress hosted (*.wordpress.com)
6
6
  class WordPressHosted < Standard
7
7
  def to_s
8
- 'Scanning *.wordpress.com hosted blogs is not supported.'
8
+ 'The target appears to be hosted on WordPress.com. Scanning such site is not supported.'
9
9
  end
10
10
  end
11
11
 
@@ -25,7 +25,8 @@ module WPScan
25
25
 
26
26
  class WpContentDirNotDetected < Standard
27
27
  def to_s
28
- 'Unable to identify the wp-content dir, please supply it with --wp-content-dir'
28
+ 'Unable to identify the wp-content dir, please supply it with --wp-content-dir,' \
29
+ ' use the --scope option or make sure the --url value given is the correct one'
29
30
  end
30
31
  end
31
32
  end
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb CHANGED
@@ -35,15 +35,13 @@ module WPScan
35
35
  def scan_response(response)
36
36
  found = {}
37
37
 
38
- target.in_scope_urls(response, xpath) do |url, _tag|
39
- uri = Addressable::URI.parse(url)
40
-
38
+ target.in_scope_uris(response, xpath) do |uri|
41
39
  next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
42
40
 
43
41
  version = Regexp.last_match[:v].to_s
44
42
 
45
43
  found[version] ||= []
46
- found[version] << url
44
+ found[version] << uri.to_s
47
45
  end
48
46
 
49
47
  found
data/lib/wpscan/target/platform/wordpress/custom_directories.rb CHANGED
@@ -13,24 +13,36 @@ module WPScan
13
13
  @plugins_dir = dir.chomp('/')
14
14
  end
15
15
 
16
+ # @param [ Symbol ] detection_mode
16
17
  # @return [ String ] The wp-content directory
17
- def content_dir
18
+ def content_dir(detection_mode = :mixed)
18
19
  unless @content_dir
19
- escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
20
- pattern = %r{#{escaped_url}([\w\s\-\/]+)\/(?:themes|plugins|uploads|cache)\/}i
20
+ # scope_url_pattern is from CMSScanner::Target
21
+ pattern = %r{#{scope_url_pattern}([\w\s\-/]+)\\?/(?:themes|plugins|uploads|cache)\\?/}i
21
22
 
22
- in_scope_urls(homepage_res) do |url|
23
- return @content_dir = Regexp.last_match[1] if url.match(pattern)
23
+ in_scope_uris(homepage_res) do |uri|
24
+ return @content_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
24
25
  end
25
26
 
26
- xpath_pattern_from_page('//script[not(@src)]', pattern, homepage_res) do |match|
27
+ # Checks for the pattern in raw JS code, as well as @content attributes of meta tags
28
+ xpath_pattern_from_page('//script[not(@src)]|//meta/@content', pattern, homepage_res) do |match|
27
29
  return @content_dir = match[1]
28
30
  end
31
+
32
+ unless detection_mode == :passive
33
+ return @content_dir = 'wp-content' if default_content_dir_exists?
34
+ end
29
35
  end
30
36
 
31
37
  @content_dir
32
38
  end
33
39
 
40
+ def default_content_dir_exists?
41
+ # url('wp-content') can't be used here as the folder has not yet been identified
42
+ # and the method would try to replace it by nil which would raise an error
43
+ [200, 401, 403].include?(Browser.forge_request(uri.join('wp-content/').to_s, head_or_get_params).run.code)
44
+ end
45
+
34
46
  # @return [ Addressable::URI ]
35
47
  def content_uri
36
48
  uri.join("#{content_dir}/")
@@ -85,17 +97,16 @@ module WPScan
85
97
  themes_uri.join("#{URI.encode(slug)}/").to_s
86
98
  end
87
99
 
88
- # TODO: Factorise the code and the content_dir one ?
89
100
  # @return [ String, False ] String of the sub_dir found, false otherwise
90
101
  # @note: nil can not be returned here, otherwise if there is no sub_dir
91
102
  # the check would be done each time
92
103
  def sub_dir
93
104
  unless @sub_dir
94
- escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
95
- pattern = %r{#{escaped_url}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i
105
+ # url_pattern is from CMSScanner::Target
106
+ pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp\-includes/)}i
96
107
 
97
- in_scope_urls(homepage_res) do |url|
98
- return @sub_dir = Regexp.last_match[1] if url.match(pattern)
108
+ in_scope_uris(homepage_res) do |uri|
109
+ return @sub_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
99
110
  end
100
111
 
101
112
  @sub_dir = false
data/lib/wpscan/target/platform/wordpress.rb CHANGED
@@ -24,8 +24,8 @@ module WPScan
24
24
  #
25
25
  # @return [ Boolean ]
26
26
  def wordpress?(detection_mode)
27
- in_scope_urls(homepage_res) do |url|
28
- return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
27
+ in_scope_uris(homepage_res) do |uri|
28
+ return true if uri.path.match(WORDPRESS_PATTERN)
29
29
  end
30
30
 
31
31
  homepage_res.html.css('meta[name="generator"]').each do |node|
@@ -36,8 +36,8 @@ module WPScan
36
36
 
37
37
  if %i[mixed aggressive].include?(detection_mode)
38
38
  %w[wp-admin/install.php wp-login.php].each do |path|
39
- in_scope_urls(Browser.get_and_follow_location(url(path))).each do |url|
40
- return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
39
+ in_scope_uris(Browser.get_and_follow_location(url(path))).each do |uri|
40
+ return true if uri.path.match(WORDPRESS_PATTERN)
41
41
  end
42
42
  end
43
43
  end
@@ -78,8 +78,19 @@ module WPScan
78
78
  multisite? ? url('wp-signup.php') : url('wp-login.php?action=register')
79
79
  end
80
80
 
81
+ # @return [ Boolean ] Whether or not the target is hosted on wordpress.com
81
82
  def wordpress_hosted?
82
- /\.wordpress\.com$/i.match?(uri.host) ? true : false
83
+ return true if /\.wordpress\.com$/i.match?(uri.host)
84
+
85
+ unless content_dir(:passive)
86
+ pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
87
+
88
+ uris_from_page(homepage_res) do |uri|
89
+ return true if uri.to_s.match?(pattern)
90
+ end
91
+ end
92
+
93
+ false
83
94
  end
84
95
 
85
96
  # @param [ String ] username
data/lib/wpscan/version.rb CHANGED
@@ -2,5 +2,5 @@
2
2
 
3
3
  # Version
4
4
  module WPScan
5
- VERSION = '3.5.2'
5
+ VERSION = '3.5.3'
6
6
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wpscan
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.2
4
+ version: 3.5.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - WPScanTeam
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-04-08 00:00:00.000000000 Z
11
+ date: 2019-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: 0.0.44.1
19
+ version: 0.5.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: 0.0.44.1
26
+ version: 0.5.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: bundler
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -100,28 +100,28 @@ dependencies:
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: 1.2.0
103
+ version: 1.3.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: 1.2.0
110
+ version: 1.3.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: rubocop
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 0.67.1
117
+ version: 0.67.2
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 0.67.1
124
+ version: 0.67.2
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: simplecov
127
127
  requirement: !ruby/object:Gem::Requirement