wpscan 3.8.28 → 4.0.0

data/lib/wpscan/db/updater.rb

@@ -8,7 +8,7 @@ module WPScan
       # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
       FILES = %w[
         metadata.json wp_fingerprints.json
-        timthumbs-v3.txt config_backups.txt db_exports.txt
+        timthumbs-v3.txt config_backups.txt db_exports.txt backup_folders.txt
         dynamic_finders.yml LICENSE sponsor.txt
       ].freeze
 
@@ -22,7 +22,7 @@ module WPScan
       def initialize(repo_directory)
         @repo_directory = Pathname.new(repo_directory).expand_path
 
-        FileUtils.mkdir_p(repo_directory.to_s) unless Dir.exist?(repo_directory.to_s)
+        FileUtils.mkdir_p(repo_directory.to_s)
 
         # When --no-update is passed, return to avoid raising an error if the directory is not writable
         # Mainly there for Homebrew: https://github.com/wpscanteam/wpscan/pull/1455
@@ -73,13 +73,22 @@ module WPScan
       # @return [ Hash ] The params for Typhoeus::Request
       # @note Those params can't be overriden by CLI options
       def request_params
-        @request_params ||= Browser.instance.default_request_params.merge(
-          timeout: 600,
-          connecttimeout: 300,
-          accept_encoding: 'gzip, deflate',
-          cache_ttl: 0,
-          headers: { 'User-Agent' => Browser.instance.default_user_agent }
-        )
+        @request_params ||= begin
+          params = Browser.instance.default_request_params.merge(
+            timeout: 600,
+            connecttimeout: 300,
+            accept_encoding: 'gzip, deflate',
+            cache_ttl: 0,
+            headers: { 'User-Agent' => Browser.instance.default_user_agent }
+          )
+
+          if ParsedCli.proxy_target_only
+            params.delete(:proxy)
+            params.delete(:proxyuserpwd)
+          end
+
+          params
+        end
       end
 
       # @return [ String ] The raw file URL associated with the given filename
@@ -127,7 +136,8 @@ module WPScan
         FileUtils.rm(backup_file_path(filename))
       end
 
-      # @return [ String ] The checksum of the downloaded file
+      # @return [ Array(String, String) ] The checksum of the downloaded file and the
+      #                                    Cloudflare Ray ID of the response (or nil)
       def download(filename)
         file_path = local_file_path(filename)
         file_url  = remote_file_url(filename)
@@ -137,7 +147,7 @@ module WPScan
 
         File.binwrite(file_path, res.body)
 
-        local_file_checksum(filename)
+        [local_file_checksum(filename), res.headers && res.headers['CF-Ray']]
       end
 
       # @return [ Array<String> ] The filenames updated
@@ -151,9 +161,9 @@ module WPScan
           next if File.exist?(local_file_path(filename)) && db_checksum == local_file_checksum(filename)
 
           create_backup(filename)
-          dl_checksum = download(filename)
+          dl_checksum, cf_ray = download(filename)
 
-          raise Error::ChecksumsMismatch, filename unless dl_checksum == db_checksum
+          raise Error::ChecksumsMismatch.new(filename, cf_ray: cf_ray) unless dl_checksum == db_checksum
 
           updated << filename
         rescue StandardError => e

data/lib/wpscan/db/vuln_api.rb

@@ -26,7 +26,7 @@ module WPScan
         # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
         res = Typhoeus.get(uri.join(path), default_request_params.merge(params))
 
-        return {} if res.code == 404 || res.code == 429
+        return {} if [404, 429].include?(res.code)
         return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
 
         raise Error::HTTP, res
@@ -41,6 +41,9 @@ module WPScan
         end
 
         { 'http_error' => e }
+      rescue JSON::ParserError => e
+        # API returned non-JSON response (HTML, plain text, etc.)
+        { 'parse_error' => e }
       end
 
       # @return [ Hash ]
@@ -70,12 +73,21 @@ module WPScan
       # @return [ Hash ]
       # @note Those params can not be overriden by CLI options
       def self.default_request_params
-        @default_request_params ||= Browser.instance.default_request_params.merge(
-          headers: {
-            'User-Agent' => Browser.instance.default_user_agent,
-            'Authorization' => "Token token=#{token}"
-          }
-        )
+        @default_request_params ||= begin
+          params = Browser.instance.default_request_params.merge(
+            headers: {
+              'User-Agent' => Browser.instance.default_user_agent,
+              'Authorization' => "Token token=#{token}"
+            }
+          )
+
+          if ParsedCli.proxy_target_only
+            params.delete(:proxy)
+            params.delete(:proxyuserpwd)
+          end
+
+          params
+        end
       end
     end
   end

data/lib/wpscan/db/wp_item.rb

@@ -16,9 +16,9 @@ module WPScan
         @metadata ||= read_json_file(metadata_file)
       end
 
-      # @return [ String ]
+      # @return [ Pathname ]
       def self.metadata_file
-        @metadata_file ||= DB_DIR.join('metadata.json').to_s
+        @metadata_file ||= DB_DIR.join('metadata.json')
       end
     end
   end

data/lib/wpscan/errors/enumeration.rb

@@ -5,16 +5,16 @@ module WPScan
     class PluginsThresholdReached < Standard
       def to_s
         "The number of plugins detected reached the threshold of #{ParsedCli.plugins_threshold} " \
-          'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
-          'option to ignore the bad responses.'
+          'which might indicate False Positive. You can use --plugins-threshold to increase or disable ' \
+          'this limit (set to 0 to disable), or use --exclude-content-based to ignore bad responses.'
       end
     end
 
     class ThemesThresholdReached < Standard
       def to_s
         "The number of themes detected reached the threshold of #{ParsedCli.themes_threshold} " \
-          'which might indicate False Positive. It would be recommended to use the --exclude-content-based ' \
-          'option to ignore the bad responses.'
+          'which might indicate False Positive. You can use --themes-threshold to increase or disable ' \
+          'this limit (set to 0 to disable), or use --exclude-content-based to ignore bad responses.'
       end
     end
   end

data/lib/wpscan/errors/http.rb

@@ -2,11 +2,11 @@
 
 module WPScan
   module Error
-    # HTTP Error
+    # Generic HTTP Error
     class HTTP < Standard
       attr_reader :response
 
-      # @param [ Typhoeus::Response ] res
+      # @param [ Typhoeus::Response ] response
       def initialize(response)
         @response = response
       end
@@ -31,7 +31,86 @@ module WPScan
     # Used in the Updater
     class Download < HTTP
       def to_s
-        "Unable to get #{failure_details}"
+        msg = "Unable to get #{failure_details}"
+
+        if response.effective_url.to_s.include?('data.wpscan.org')
+          cf_ray = response.headers && response.headers['CF-Ray']
+          msg += "\nCloudflare Ray ID: #{cf_ray}" if cf_ray
+          msg += "\nIf this issue persists, you can:\n  " \
+                 "- Check our status page at https://status.wpscan.com/\n  " \
+                 "- Contact us via https://wpscan.com/contact/ (please include the Ray ID above if any)\n  " \
+                 '- Or open a GitHub issue at https://github.com/wpscanteam/wpscan/issues'
+        end
+
+        msg
+      end
+    end
+
+    # Target Down Error
+    class TargetDown < Standard
+      attr_reader :response
+
+      def initialize(response)
+        @response = response
+      end
+
+      def to_s
+        "The url supplied '#{response.request.url}' seems to be down (#{response.return_message})"
+      end
+    end
+
+    # HTTP Authentication Required Error
+    class HTTPAuthRequired < Standard
+      # :nocov:
+      def to_s
+        'HTTP authentication required (or was invalid), please provide it with --http-auth'
+      end
+      # :nocov:
+    end
+
+    # Proxy Authentication Required Error
+    class ProxyAuthRequired < Standard
+      # :nocov:
+      def to_s
+        'Proxy authentication required (or was invalid), please provide it with --proxy-auth'
+      end
+      # :nocov:
+    end
+
+    # Access Forbidden Error
+    class AccessForbidden < Standard
+      attr_reader :random_user_agent_used
+
+      # @param [ Boolean ] random_user_agent_used
+      def initialize(random_user_agent_used)
+        @random_user_agent_used = random_user_agent_used
+      end
+
+      def to_s
+        msg = if random_user_agent_used
+                'Well... --random-user-agent didn\'t work, use --force to skip this check if needed.'
+              else
+                'Please re-try with --random-user-agent'
+              end
+
+        "The target is responding with a 403, this might be due to a WAF. #{msg}"
+      end
+    end
+
+    # HTTP Redirect Error
+    class HTTPRedirect < Standard
+      attr_reader :redirect_uri
+
+      # @param [ String ] url
+      def initialize(url)
+        @redirect_uri = Addressable::URI.parse(url).normalize
+      end
+
+      def to_s
+        "The URL supplied redirects to #{redirect_uri}. Use the --follow-redirect " \
+          'option to automatically scan the redirected URL, the --ignore-main-redirect ' \
+          'option to ignore the redirection and scan the target, or change the --url option ' \
+          'value to the redirected URL.'
       end
     end
   end

data/lib/wpscan/errors/saml.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Error
+    # SAML Authentication Required Error
+    class SAMLAuthenticationRequired < Standard
+      def initialize(message = 'SAML authentication is required to access this resource, consider using --expect-saml.')
+        super
+      end
+    end
+
+    # SAML Authentication Failed Error
+    class SAMLAuthenticationFailed < Standard
+      def initialize(message = 'SAML authentication is required to access this resource. ' \
+                               'Please ensure correct authentication credentials.')
+        super
+      end
+    end
+
+    # Ferrum Browser Error. Callers should pass a context-specific message
+    # (missing Chrome binary, non-interactive terminal, browser closed mid-auth, ...).
+    class BrowserFailed < Standard
+      def initialize(message = 'The browser was closed or failed before SAML authentication could be completed.')
+        super
+      end
+    end
+  end
+end

data/lib/wpscan/errors/scan.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Error
+    # Used instead of the Timeout::Error
+    class MaxScanDurationReached < Standard
+      # :nocov:
+      def to_s
+        'Max Scan Duration Reached'
+      end
+      # :nocov:
+    end
+  end
+end

data/lib/wpscan/errors/update.rb

@@ -10,14 +10,22 @@ module WPScan
     end
 
     class ChecksumsMismatch < Standard
-      attr_reader :db_file
+      attr_reader :db_file, :cf_ray
 
-      def initialize(db_file)
+      def initialize(db_file, cf_ray: nil)
         @db_file = db_file
+        @cf_ray  = cf_ray
+        super()
       end
 
       def to_s
-        "#{db_file}: checksums do not match. Please try again in a few minutes."
+        msg = "#{db_file}: checksums do not match. Please try again in a few minutes."
+        msg += "\nCloudflare Ray ID: #{cf_ray}" if cf_ray
+        msg += "\nIf this issue persists, you can:\n  " \
+               "- Check our status page at https://status.wpscan.com/\n  " \
+               "- Contact us via https://wpscan.com/contact/ (please include the Ray ID above if any)\n  " \
+               '- Or open a GitHub issue at https://github.com/wpscanteam/wpscan/issues'
+        msg
       end
     end
   end

data/lib/wpscan/errors/vuln_api.rb

@@ -16,5 +16,29 @@ module WPScan
         'Your API limit has been reached'
       end
     end
+
+    # Error raised when trying to enumerate vulnerable plugins/themes without an API token
+    class ApiTokenRequiredForVulnerableEnumeration < Standard
+      def to_s
+        'An API token is required for vulnerable plugin/theme enumeration. ' \
+          'You can get a free API token with 25 daily requests by registering at https://wpscan.com/register. ' \
+          'Provide it via --api-token TOKEN or the WPSCAN_API_TOKEN environment variable.'
+      end
+    end
+
+    # Error raised when there's a connection issue with the WPScan API
+    class ApiConnectionError < Standard
+      attr_reader :original_error
+
+      def initialize(original_error)
+        @original_error = original_error
+        super()
+      end
+
+      def to_s
+        "Unable to connect to the WPScan API: #{original_error}. " \
+          'Please check https://status.wpscan.com/ for service status.'
+      end
+    end
   end
 end

data/lib/wpscan/errors/wordpress.rb

@@ -25,8 +25,8 @@ module WPScan
 
     class WpContentDirNotDetected < Standard
       def to_s
-        'Unable to identify the wp-content dir, please supply it with --wp-content-dir,' \
-          ' use the --scope option or make sure the --url value given is the correct one'
+        'Unable to identify the wp-content dir, please supply it with --wp-content-dir, ' \
+          'use the --scope option or make sure the --url value given is the correct one'
       end
     end
 

data/lib/wpscan/errors/wp_auth.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Error
+    # Raised when authenticated requests to the WP REST API are rejected.
+    class WpAuthFailed < Standard
+      def initialize(code, url)
+        super()
+        @code = code
+        @url  = url
+      end
+
+      def to_s
+        "Authenticated REST API request to #{@url} returned HTTP #{@code}. " \
+          'WordPress core does NOT accept regular account passwords on /wp-json over Basic Auth. ' \
+          'The password passed to --wp-auth must be a WordPress Application Password ' \
+          '(WP >= 5.6): in wp-admin go to Users -> Profile -> Application Passwords, ' \
+          'create one, and use the generated 24-character string (keep the spaces) as the password.'
+      end
+    end
+
+    # Raised when the WP REST plugins/themes endpoint is unreachable for reasons
+    # other than authentication (404, 5xx, security plugins blocking /wp-json, ...).
+    class WpAuthEndpointUnavailable < Standard
+      def initialize(code, url)
+        super()
+        @code = code
+        @url  = url
+      end
+
+      def to_s
+        "Authenticated REST API endpoint #{@url} returned HTTP #{@code}. " \
+          'The endpoint may be disabled, blocked, or require WordPress 5.5+.'
+      end
+    end
+  end
+end

data/lib/wpscan/errors.rb

@@ -2,16 +2,17 @@
 
 module WPScan
   module Error
-    include CMSScanner::Error
-
     class Standard < StandardError
     end
   end
 end
 
-require_relative 'errors/enumeration'
 require_relative 'errors/http'
+require_relative 'errors/scan'
+require_relative 'errors/enumeration'
 require_relative 'errors/update'
 require_relative 'errors/vuln_api'
 require_relative 'errors/wordpress'
+require_relative 'errors/wp_auth'
 require_relative 'errors/xmlrpc'
+require_relative 'errors/saml'

data/lib/wpscan/exit_code.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module WPScan
+  # Exit Code Values
+  module ExitCode
+    # No error, scan finished w/o any vulnerabilies found
+    OK               = 0
+
+    # All exceptions raised by OptParseValidator and OptionParser
+    CLI_OPTION_ERROR = 1
+
+    # Interrupt received
+    INTERRUPTED      = 2
+
+    # Unhandled/unexpected Exception occured
+    EXCEPTION        = 3
+
+    # Error, scan did not finish
+    ERROR            = 4
+
+    # The target has at least one vulnerability.
+    # Currently, the interesting findings do not count as vulnerable things
+    VULNERABLE       = 5
+  end
+end

data/lib/wpscan/finders/base_finders.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    # Base class container for the Finders (i.e IndependentFinders etc)
+    class BaseFinders < Array
+      # @return [ Findings ]
+      def findings
+        @findings ||= WPScan::Finders::Findings.new
+      end
+
+      # Should be implemented in child classes
+      def run; end
+
+      protected
+
+      # @param [ Symbol ] mode :mixed, :passive or :aggressive
+      # @return [ Array<Symbol> ] The symbols to call for the mode
+      def symbols_from_mode(mode)
+        symbols = %i[passive aggressive]
+
+        return symbols if mode.nil? || mode == :mixed
+
+        symbols.include?(mode) ? Array(mode) : []
+      end
+
+      # @param [ WPScan::Finders::Finder ] finder
+      # @param [ Symbol ] symbol See return values of #symbols_from_mode
+      # @param [ Hash ] opts
+      def run_finder(finder, symbol, opts)
+        Array(finder.send(symbol, opts.merge(found: findings))).compact.each do |found|
+          findings << found
+        end
+      end
+
+      # Allow child classes to filter the findings, such as return the best one
+      # or remove the low confidence ones.
+      #
+      # @return [ Findings ]
+      def filter_findings
+        findings
+      end
+    end
+  end
+end

data/lib/wpscan/finders/dynamic_finder/finder.rb

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module DynamicFinder
       # To be used as a base when creating a dynamic finder
-      class Finder < CMSScanner::Finders::Finder
+      class Finder < WPScan::Finders::Finder
         # @param [ Array ] args
         def self.child_class_constant(*args)
           args.each do |arg|

data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb

@@ -9,7 +9,7 @@ module WPScan
         class BodyPattern < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(PATTERN: nil, CONFIDENCE: 60)
+            @child_class_constants ||= super.merge(PATTERN: nil, CONFIDENCE: 60)
           end
 
           # @param [ Typhoeus::Response ] response

data/lib/wpscan/finders/dynamic_finder/version/comment.rb

@@ -9,7 +9,7 @@ module WPScan
         class Comment < Finders::DynamicFinder::Version::Xpath
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(PATTERN: nil, XPATH: '//comment()')
+            @child_class_constants ||= super.merge(PATTERN: nil, XPATH: '//comment()')
           end
         end
       end

data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb

@@ -8,7 +8,7 @@ module WPScan
         class HeaderPattern < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(HEADER: nil, PATTERN: nil, CONFIDENCE: 60)
+            @child_class_constants ||= super.merge(HEADER: nil, PATTERN: nil, CONFIDENCE: 60)
           end
 
           # @param [ Typhoeus::Response ] response

data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb

@@ -8,7 +8,7 @@ module WPScan
         class JavascriptVar < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(
+            @child_class_constants ||= super.merge(
               XPATH: '//script[not(@src)]', VERSION_KEY: nil,
               PATTERN: nil, CONFIDENCE: 60
             )

data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb

@@ -8,7 +8,7 @@ module WPScan
         class QueryParameter < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(
+            @child_class_constants ||= super.merge(
               XPATH: nil, FILES: nil, PATTERN: /(?:v|ver|version)=(?<v>\d+\.[.\d]+)/i, CONFIDENCE_PER_OCCURENCE: 10
             )
           end
@@ -17,10 +17,8 @@ module WPScan
           # @param [ Hash ] opts
           # @return [ Array<Version>, nil ]
           def find(response, _opts = {})
-            found = []
-
-            scan_response(response).each do |version_number, occurences|
-              found << create_version(
+            found = scan_response(response).map do |version_number, occurences|
+              create_version(
                 version_number,
                 confidence: self.class::CONFIDENCE_PER_OCCURENCE * occurences.size,
                 interesting_entries: occurences

data/lib/wpscan/finders/dynamic_finder/version/xpath.rb

@@ -8,7 +8,7 @@ module WPScan
         class Xpath < Finders::DynamicFinder::Version::Finder
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(
+            @child_class_constants ||= super.merge(
               XPATH: nil, PATTERN: /\A(?<v>\d+\.[.\d]+)/, CONFIDENCE: 60
             )
           end

data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb

@@ -11,14 +11,14 @@ module WPScan
         # Also used to factorise some code used between such finders.
         # The #process_response should be implemented in each child class, or the
         # #passive and #aggressive overriden
-        class Finder < CMSScanner::Finders::Finder
+        class Finder < WPScan::Finders::Finder
           # @return [ Hash ] The related dynamic finder passive configurations
           #                  for the current class (all its usefullness comes from child classes)
           def passive_configs
             # So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
             # is ok. However, when Themes have some, will need to create other child classes for them
 
-            method = "passive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
+            method = :"passive_#{self.class.to_s.demodulize.underscore}_finder_configs"
 
             DB::DynamicFinders::Plugin.public_send(method)
           end
@@ -51,7 +51,7 @@ module WPScan
             # So far only the Plugins have dynamic finders so using DB:: DynamicFinders::Plugin
             # is ok. However, when Themes have some, will need to create other child classes for them
 
-            method = "aggressive_#{self.class.to_s.demodulize.underscore}_finder_configs".to_sym
+            method = :"aggressive_#{self.class.to_s.demodulize.underscore}_finder_configs"
 
             DB::DynamicFinders::Plugin.public_send(method)
           end

data/lib/wpscan/finders/dynamic_finder/wp_version.rb

@@ -33,7 +33,7 @@ module WPScan
 
           # @return [ Hash ]
           def self.child_class_constants
-            @child_class_constants ||= super().merge(PATTERN: /ver=(?<v>\d+\.[.\d]+)/i)
+            @child_class_constants ||= super.merge(PATTERN: /ver=(?<v>\d+\.[.\d]+)/i)
           end
         end