wpscan 3.8.12 → 3.8.17
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +20 -5
- data/app/controllers/core.rb +3 -3
- data/app/controllers/enumeration/cli_options.rb +6 -0
- data/app/finders/db_exports/known_locations.rb +1 -1
- data/app/finders/interesting_findings.rb +2 -1
- data/app/finders/interesting_findings/php_disabled.rb +21 -0
- data/app/finders/users.rb +14 -0
- data/app/finders/wp_version.rb +1 -1
- data/app/models/interesting_finding.rb +14 -0
- data/app/models/timthumb.rb +1 -1
- data/app/models/wp_item.rb +3 -1
- data/app/views/cli/vuln_api/status.erb +1 -1
- data/app/views/json/vuln_api/status.erb +1 -1
- data/lib/wpscan/version.rb +1 -1
- data/lib/wpscan/vulnerability.rb +1 -0
- metadata +11 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8fd0e8ef31b7a0ec70d1b93c3c70a2e2d62278e7f8e1fd5bdf01ddcc86056a34
|
|
4
|
+
data.tar.gz: c6309c4e33474ad9b8f27db9c8fe7ac11439dbd131bf5931fd21457b8477e390
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7d647b59ec39d73f08bd72cf090ae324c91a28e9799d6e65070f3c97bdd279f007ccf561bd23787553770bd49957ddc133592484a79cac9bc99b53049f8e4d90
|
|
7
|
+
data.tar.gz: ac0aa133d13b5365b25714222fa46684a6380cd9dc25832ba90c27e28303d18d133adf768f11777af9eb653e4ee4fbd945e56982943798135a77cf232e218802
|
data/README.md
CHANGED
|
@@ -24,10 +24,11 @@
|
|
|
24
24
|
## Prerequisites
|
|
25
25
|
|
|
26
26
|
- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
|
|
27
|
-
- Ruby >= 2.
|
|
27
|
+
- Ruby >= 2.5 - Recommended: latest
|
|
28
28
|
- Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error in some systems, see [#1283](https://github.com/wpscanteam/wpscan/issues/1283)
|
|
29
|
-
- Curl >= 7.
|
|
29
|
+
- Curl >= 7.72 - Recommended: latest
|
|
30
30
|
- The 7.29 has a segfault
|
|
31
|
+
- The < 7.72 could result in `Stream error in the HTTP/2 framing layer` in some cases
|
|
31
32
|
- RubyGems - Recommended: latest
|
|
32
33
|
- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
|
|
33
34
|
|
|
@@ -35,6 +36,10 @@
|
|
|
35
36
|
|
|
36
37
|
When using a pentesting distubution (such as Kali Linux), it is recommended to install/update wpscan via the package manager if available.
|
|
37
38
|
|
|
39
|
+
### In macOSX via Homebrew
|
|
40
|
+
|
|
41
|
+
`brew install wpscanteam/tap/wpscan`
|
|
42
|
+
|
|
38
43
|
### From RubyGems
|
|
39
44
|
|
|
40
45
|
```shell
|
|
@@ -47,7 +52,7 @@ On MacOSX, if a ```Gem::FilePermissionError``` is raised due to the Apple's Syst
|
|
|
47
52
|
|
|
48
53
|
You can update the local database by using ```wpscan --update```
|
|
49
54
|
|
|
50
|
-
Updating WPScan itself is either done via ```gem update wpscan``` or the packages manager (this is quite important for distributions such as in Kali Linux: ```apt-get update && apt-get upgrade```) depending how WPScan was (pre)installed
|
|
55
|
+
Updating WPScan itself is either done via ```gem update wpscan``` or the packages manager (this is quite important for distributions such as in Kali Linux: ```apt-get update && apt-get upgrade```) depending on how WPScan was (pre)installed
|
|
51
56
|
|
|
52
57
|
# Docker
|
|
53
58
|
|
|
@@ -80,9 +85,19 @@ For more options, open a terminal and type ```wpscan --help``` (if you built wps
|
|
|
80
85
|
|
|
81
86
|
The DB is located at ~/.wpscan/db
|
|
82
87
|
|
|
83
|
-
## Vulnerability Database
|
|
88
|
+
## Optional: WordPress Vulnerability Database API
|
|
89
|
+
|
|
90
|
+
The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
|
|
91
|
+
|
|
92
|
+
Up to 25 API requests per day are given free of charge, that should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPScan.com](https://wpscan.com/).
|
|
93
|
+
|
|
94
|
+
#### The Free plan allows 25 API requests per day. View the different [available API plans](https://wpscan.com/api).
|
|
95
|
+
|
|
96
|
+
### How many API requests do you need?
|
|
84
97
|
|
|
85
|
-
|
|
98
|
+
- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
|
|
99
|
+
- On average, a WordPress website has 22 installed plugins.
|
|
100
|
+
- The Free plan should cover around 50% of all WordPress websites.
|
|
86
101
|
|
|
87
102
|
## Load CLI options from file/s
|
|
88
103
|
|
data/app/controllers/core.rb
CHANGED
|
@@ -8,13 +8,13 @@ module WPScan
|
|
|
8
8
|
def cli_options
|
|
9
9
|
[OptURL.new(['--url URL', 'The URL of the blog to scan'],
|
|
10
10
|
required_unless: %i[update help hh version], default_protocol: 'http')] +
|
|
11
|
-
super.drop(
|
|
11
|
+
super.drop(2) + # delete the --url and --force from CMSScanner
|
|
12
12
|
[
|
|
13
13
|
OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
|
|
14
14
|
choices: %w[apache iis nginx],
|
|
15
15
|
normalize: %i[downcase to_sym],
|
|
16
16
|
advanced: true),
|
|
17
|
-
OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
|
|
17
|
+
OptBoolean.new(['--force', 'Do not check if the target is running WordPress or returns a 403']),
|
|
18
18
|
OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
|
|
19
19
|
]
|
|
20
20
|
end
|
|
@@ -39,7 +39,7 @@ module WPScan
|
|
|
39
39
|
output('@notice', msg: 'It seems like you have not updated the database for some time.')
|
|
40
40
|
print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
|
|
41
41
|
|
|
42
|
-
/^y/i.match?(Readline.readline)
|
|
42
|
+
/^y/i.match?(Readline.readline)
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
def update_db
|
|
@@ -170,6 +170,12 @@ module WPScan
|
|
|
170
170
|
['--users-detection MODE',
|
|
171
171
|
'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
|
|
172
172
|
choices: %w[mixed passive aggressive], normalize: :to_sym, advanced: true
|
|
173
|
+
),
|
|
174
|
+
OptRegexp.new(
|
|
175
|
+
[
|
|
176
|
+
'--exclude-usernames REGEXP_OR_STRING',
|
|
177
|
+
'Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.'
|
|
178
|
+
], options: Regexp::IGNORECASE
|
|
173
179
|
)
|
|
174
180
|
]
|
|
175
181
|
end
|
|
@@ -7,7 +7,7 @@ module WPScan
|
|
|
7
7
|
class KnownLocations < CMSScanner::Finders::Finder
|
|
8
8
|
include CMSScanner::Finders::Finder::Enumerator
|
|
9
9
|
|
|
10
|
-
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
|
|
10
|
+
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/.freeze
|
|
11
11
|
|
|
12
12
|
# @param [ Hash ] opts
|
|
13
13
|
# @option opts [ String ] :list
|
|
@@ -6,6 +6,7 @@ require_relative 'interesting_findings/multisite'
|
|
|
6
6
|
require_relative 'interesting_findings/debug_log'
|
|
7
7
|
require_relative 'interesting_findings/backup_db'
|
|
8
8
|
require_relative 'interesting_findings/mu_plugins'
|
|
9
|
+
require_relative 'interesting_findings/php_disabled'
|
|
9
10
|
require_relative 'interesting_findings/registration'
|
|
10
11
|
require_relative 'interesting_findings/tmm_db_migrate'
|
|
11
12
|
require_relative 'interesting_findings/upload_sql_dump'
|
|
@@ -26,7 +27,7 @@ module WPScan
|
|
|
26
27
|
%w[
|
|
27
28
|
Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
|
|
28
29
|
Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
|
|
29
|
-
UploadSQLDump EmergencyPwdResetScript WPCron
|
|
30
|
+
UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
|
|
30
31
|
].each do |f|
|
|
31
32
|
finders << InterestingFindings.const_get(f).new(target)
|
|
32
33
|
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module WPScan
|
|
4
|
+
module Finders
|
|
5
|
+
module InterestingFindings
|
|
6
|
+
# See https://github.com/wpscanteam/wpscan/issues/1593
|
|
7
|
+
class PHPDisabled < CMSScanner::Finders::Finder
|
|
8
|
+
PATTERN = /\$wp_version =/.freeze
|
|
9
|
+
|
|
10
|
+
# @return [ InterestingFinding ]
|
|
11
|
+
def aggressive(_opts = {})
|
|
12
|
+
path = 'wp-includes/version.php'
|
|
13
|
+
|
|
14
|
+
return unless PATTERN.match?(target.head_and_get(path).body)
|
|
15
|
+
|
|
16
|
+
Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
data/app/finders/users.rb
CHANGED
|
@@ -11,6 +11,16 @@ require_relative 'users/yoast_seo_author_sitemap'
|
|
|
11
11
|
|
|
12
12
|
module WPScan
|
|
13
13
|
module Finders
|
|
14
|
+
# Specific Finders container to filter the usernames found
|
|
15
|
+
# and remove the ones matching ParsedCli.exclude_username if supplied
|
|
16
|
+
class UsersFinders < SameTypeFinders
|
|
17
|
+
def filter_findings
|
|
18
|
+
findings.delete_if { |user| ParsedCli.exclude_usernames.match?(user.username) } if ParsedCli.exclude_usernames
|
|
19
|
+
|
|
20
|
+
findings
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
14
24
|
module Users
|
|
15
25
|
# Users Finder
|
|
16
26
|
class Base
|
|
@@ -28,6 +38,10 @@ module WPScan
|
|
|
28
38
|
Users::AuthorIdBruteForcing.new(target) <<
|
|
29
39
|
Users::LoginErrorMessages.new(target)
|
|
30
40
|
end
|
|
41
|
+
|
|
42
|
+
def finders
|
|
43
|
+
@finders ||= Finders::UsersFinders.new
|
|
44
|
+
end
|
|
31
45
|
end
|
|
32
46
|
end
|
|
33
47
|
end
|
data/app/finders/wp_version.rb
CHANGED
|
@@ -10,7 +10,7 @@ module WPScan
|
|
|
10
10
|
module Finders
|
|
11
11
|
# Specific Finders container to filter the version detected
|
|
12
12
|
# and remove the one with low confidence to avoid false
|
|
13
|
-
# positive when there is not
|
|
13
|
+
# positive when there is not enough information to accurately
|
|
14
14
|
# determine it.
|
|
15
15
|
class WpVersionFinders < UniqueFinders
|
|
16
16
|
def filter_findings
|
|
@@ -132,5 +132,19 @@ module WPScan
|
|
|
132
132
|
}
|
|
133
133
|
end
|
|
134
134
|
end
|
|
135
|
+
|
|
136
|
+
class PHPDisabled < InterestingFinding
|
|
137
|
+
# @return [ String ]
|
|
138
|
+
def to_s
|
|
139
|
+
@to_s ||= 'PHP seems to be disabled'
|
|
140
|
+
end
|
|
141
|
+
|
|
142
|
+
# @return [ Hash ]
|
|
143
|
+
def references
|
|
144
|
+
@references ||= {
|
|
145
|
+
url: ['https://github.com/wpscanteam/wpscan/issues/1593']
|
|
146
|
+
}
|
|
147
|
+
end
|
|
148
|
+
end
|
|
135
149
|
end
|
|
136
150
|
end
|
data/app/models/timthumb.rb
CHANGED
|
@@ -63,7 +63,7 @@ module WPScan
|
|
|
63
63
|
def webshot_enabled?
|
|
64
64
|
res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
|
|
65
65
|
|
|
66
|
-
|
|
66
|
+
!/WEBSHOT_ENABLED == true/.match?(res.body)
|
|
67
67
|
end
|
|
68
68
|
|
|
69
69
|
# @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
|
data/app/models/wp_item.rb
CHANGED
|
@@ -53,7 +53,9 @@ module WPScan
|
|
|
53
53
|
#
|
|
54
54
|
# @return [ Boolean ]
|
|
55
55
|
def vulnerable_to?(vuln)
|
|
56
|
-
return
|
|
56
|
+
return false if version && vuln&.introduced_in && version < vuln.introduced_in
|
|
57
|
+
|
|
58
|
+
return true unless version && vuln&.fixed_in && !vuln.fixed_in.empty?
|
|
57
59
|
|
|
58
60
|
version < vuln.fixed_in
|
|
59
61
|
end
|
|
@@ -9,5 +9,5 @@
|
|
|
9
9
|
<% end -%>
|
|
10
10
|
<% else -%>
|
|
11
11
|
<%= warning_icon %> No WPScan API Token given, as a result vulnerability data has not been output.
|
|
12
|
-
<%= warning_icon %> You can get a free API token with
|
|
12
|
+
<%= warning_icon %> You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
|
|
13
13
|
<% end -%>
|
|
@@ -8,6 +8,6 @@
|
|
|
8
8
|
"requests_remaining": <%= @status['requests_remaining'].to_json %>
|
|
9
9
|
<% end -%>
|
|
10
10
|
<% else -%>
|
|
11
|
-
"error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with
|
|
11
|
+
"error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 25 daily requests by registering at https://wpscan.com/register"
|
|
12
12
|
<% end -%>
|
|
13
13
|
},
|
data/lib/wpscan/version.rb
CHANGED
data/lib/wpscan/vulnerability.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wpscan
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.8.
|
|
4
|
+
version: 3.8.17
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- WPScanTeam
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-03-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: cms_scanner
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.13.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.13.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: bundler
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -100,28 +100,28 @@ dependencies:
|
|
|
100
100
|
requirements:
|
|
101
101
|
- - "~>"
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 1.
|
|
103
|
+
version: 1.11.0
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 1.
|
|
110
|
+
version: 1.11.0
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: rubocop-performance
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
|
114
114
|
requirements:
|
|
115
115
|
- - "~>"
|
|
116
116
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: 1.
|
|
117
|
+
version: 1.10.0
|
|
118
118
|
type: :development
|
|
119
119
|
prerelease: false
|
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
121
|
requirements:
|
|
122
122
|
- - "~>"
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: 1.
|
|
124
|
+
version: 1.10.0
|
|
125
125
|
- !ruby/object:Gem::Dependency
|
|
126
126
|
name: simplecov
|
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -170,14 +170,14 @@ dependencies:
|
|
|
170
170
|
requirements:
|
|
171
171
|
- - "~>"
|
|
172
172
|
- !ruby/object:Gem::Version
|
|
173
|
-
version: 3.
|
|
173
|
+
version: 3.12.0
|
|
174
174
|
type: :development
|
|
175
175
|
prerelease: false
|
|
176
176
|
version_requirements: !ruby/object:Gem::Requirement
|
|
177
177
|
requirements:
|
|
178
178
|
- - "~>"
|
|
179
179
|
- !ruby/object:Gem::Version
|
|
180
|
-
version: 3.
|
|
180
|
+
version: 3.12.0
|
|
181
181
|
description: WPScan is a black box WordPress vulnerability scanner.
|
|
182
182
|
email:
|
|
183
183
|
- contact@wpscan.com
|
|
@@ -213,6 +213,7 @@ files:
|
|
|
213
213
|
- app/finders/interesting_findings/full_path_disclosure.rb
|
|
214
214
|
- app/finders/interesting_findings/mu_plugins.rb
|
|
215
215
|
- app/finders/interesting_findings/multisite.rb
|
|
216
|
+
- app/finders/interesting_findings/php_disabled.rb
|
|
216
217
|
- app/finders/interesting_findings/readme.rb
|
|
217
218
|
- app/finders/interesting_findings/registration.rb
|
|
218
219
|
- app/finders/interesting_findings/tmm_db_migrate.rb
|