wpscan 3.8.13 → 3.8.14
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +19 -4
- data/app/controllers/core.rb +1 -1
- data/app/finders/db_exports/known_locations.rb +1 -1
- data/app/models/timthumb.rb +1 -1
- data/lib/wpscan/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d92987a79ce81cfccb4da098cda4a6a59c2e6e121f89f9f12e5419ea78abcdf9
|
|
4
|
+
data.tar.gz: b3f4cdf6692be6bafcab1438b0c53c85ea7b3fe12793170fa0b0321e855766e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5172e4e451cb1d8e114a5d36d430ffc16a9136398e07f1f48c7394b96b75eb239cbbe669436ebbc39701c5e9f083450558718a1543e383203a9b48888c60b801
|
|
7
|
+
data.tar.gz: 6da75bbfe51b69955b445f4043e233167924e6657ef1ec954b6cc037777d71c97b682f96505626ae795286b7a1641fbe2cfaf2fc231de482d871f04b86d1ce60
|
data/README.md
CHANGED
|
@@ -24,10 +24,11 @@
|
|
|
24
24
|
## Prerequisites
|
|
25
25
|
|
|
26
26
|
- (Optional but highly recommended: [RVM](https://rvm.io/rvm/install))
|
|
27
|
-
- Ruby >= 2.
|
|
27
|
+
- Ruby >= 2.5 - Recommended: latest
|
|
28
28
|
- Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error in some systems, see [#1283](https://github.com/wpscanteam/wpscan/issues/1283)
|
|
29
|
-
- Curl >= 7.
|
|
29
|
+
- Curl >= 7.72 - Recommended: latest
|
|
30
30
|
- The 7.29 has a segfault
|
|
31
|
+
- The < 7.72 could result in `Stream error in the HTTP/2 framing layer` in some cases
|
|
31
32
|
- RubyGems - Recommended: latest
|
|
32
33
|
- Nokogiri might require packages to be installed via your package manager depending on your OS, see https://nokogiri.org/tutorials/installing_nokogiri.html
|
|
33
34
|
|
|
@@ -35,6 +36,10 @@
|
|
|
35
36
|
|
|
36
37
|
When using a pentesting distubution (such as Kali Linux), it is recommended to install/update wpscan via the package manager if available.
|
|
37
38
|
|
|
39
|
+
### In macOSX via Homebrew
|
|
40
|
+
|
|
41
|
+
`brew install wpscanteam/tap/wpscan`
|
|
42
|
+
|
|
38
43
|
### From RubyGems
|
|
39
44
|
|
|
40
45
|
```shell
|
|
@@ -80,9 +85,19 @@ For more options, open a terminal and type ```wpscan --help``` (if you built wps
|
|
|
80
85
|
|
|
81
86
|
The DB is located at ~/.wpscan/db
|
|
82
87
|
|
|
83
|
-
## Vulnerability Database
|
|
88
|
+
## Optional: WordPress Vulnerability Database API
|
|
89
|
+
|
|
90
|
+
The WPScan CLI tool uses the [WordPress Vulnerability Database API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan.com](https://wpscan.com/register).
|
|
91
|
+
|
|
92
|
+
Up to 25 API requests per day are given free of charge, that should be suitable to scan most WordPress websites at least once per day. When the daily 25 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPScan.com](https://wpscan.com/).
|
|
93
|
+
|
|
94
|
+
#### The Free plan allows 25 API requests per day. View the different [available API plans](https://wpscan.com/api).
|
|
95
|
+
|
|
96
|
+
### How many API requests do you need?
|
|
84
97
|
|
|
85
|
-
|
|
98
|
+
- Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
|
|
99
|
+
- On average, a WordPress website has 22 installed plugins.
|
|
100
|
+
- The Free plan should cover around 50% of all WordPress websites.
|
|
86
101
|
|
|
87
102
|
## Load CLI options from file/s
|
|
88
103
|
|
data/app/controllers/core.rb
CHANGED
|
@@ -39,7 +39,7 @@ module WPScan
|
|
|
39
39
|
output('@notice', msg: 'It seems like you have not updated the database for some time.')
|
|
40
40
|
print '[?] Do you want to update now? [Y]es [N]o, default: [N]'
|
|
41
41
|
|
|
42
|
-
/^y/i.match?(Readline.readline)
|
|
42
|
+
/^y/i.match?(Readline.readline)
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
def update_db
|
|
@@ -7,7 +7,7 @@ module WPScan
|
|
|
7
7
|
class KnownLocations < CMSScanner::Finders::Finder
|
|
8
8
|
include CMSScanner::Finders::Finder::Enumerator
|
|
9
9
|
|
|
10
|
-
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE) TABLE|INSERT INTO/.freeze
|
|
10
|
+
SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/.freeze
|
|
11
11
|
|
|
12
12
|
# @param [ Hash ] opts
|
|
13
13
|
# @option opts [ String ] :list
|
data/app/models/timthumb.rb
CHANGED
|
@@ -63,7 +63,7 @@ module WPScan
|
|
|
63
63
|
def webshot_enabled?
|
|
64
64
|
res = Browser.get(url, params: { webshot: 1, src: "http://#{default_allowed_domains.sample}" })
|
|
65
65
|
|
|
66
|
-
|
|
66
|
+
!/WEBSHOT_ENABLED == true/.match?(res.body)
|
|
67
67
|
end
|
|
68
68
|
|
|
69
69
|
# @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
|
data/lib/wpscan/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wpscan
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.8.
|
|
4
|
+
version: 3.8.14
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- WPScanTeam
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-01
|
|
11
|
+
date: 2021-02-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: cms_scanner
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.13.
|
|
19
|
+
version: 0.13.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.13.
|
|
26
|
+
version: 0.13.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: bundler
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -100,14 +100,14 @@ dependencies:
|
|
|
100
100
|
requirements:
|
|
101
101
|
- - "~>"
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 1.
|
|
103
|
+
version: 1.9.0
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 1.
|
|
110
|
+
version: 1.9.0
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: rubocop-performance
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|