wpscan 3.8.28 → 4.0.0

data/lib/wpscan/finders/finder/breadth_first_dictionary_attack.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    class Finder
+      # Module to provide an easy way to perform password attacks
+      module BreadthFirstDictionaryAttack
+        # Tracks progress for password attack
+        class ProgressTracker
+          attr_reader :progress_bar
+
+          def initialize(progress_bar:, total_passwords:)
+            @progress_bar = progress_bar
+            @total_passwords = total_passwords
+            @user_requests_count = Hash.new(0)
+          end
+
+          def record_request(username)
+            @user_requests_count[username] += 1
+          end
+
+          def requests_for_user(username)
+            @user_requests_count[username]
+          end
+
+          def update_title(username, password, retry_count, max_retries)
+            retry_info = retry_count.positive? ? " (retry #{retry_count}/#{max_retries})" : ''
+            @progress_bar.title = "Trying #{username} / #{password}#{retry_info}"
+          end
+
+          def increment
+            @progress_bar.increment unless @progress_bar.progress == @progress_bar.total
+          end
+
+          def adjust_total_on_success(username)
+            @progress_bar.total -= @total_passwords - @user_requests_count[username]
+          rescue ProgressBar::InvalidProgressError
+            # Due to Typhoeus threads, progress bar might be in invalid state
+          end
+
+          def log(message)
+            @progress_bar.log(message)
+          end
+
+          def stop
+            @progress_bar.stop
+          end
+        end
+
+        # Configuration bundle for LoginAttempt
+        LoginConfig = Struct.new(:tracker, :request_builder, :credentials_validator,
+                                 :error_checker, :error_handler, :hydra, :opts,
+                                 keyword_init: true)
+
+        # Handles a single login attempt with retry support
+        class LoginAttempt
+          attr_reader :user, :password, :max_retries
+          attr_accessor :retry_count
+
+          def initialize(user:, password:, max_retries:, config:)
+            @user = user
+            @password = password
+            @max_retries = max_retries
+            @retry_count = 0
+            @config = config
+          end
+
+          def execute(&block)
+            request = @config.request_builder.call(@user.username, @password)
+            @config.tracker.record_request(@user.username) if @retry_count.zero?
+
+            request.on_complete do |response|
+              handle_response(response, &block)
+            end
+
+            @config.hydra.queue(request)
+          end
+
+          private
+
+          def handle_response(response, &)
+            @config.tracker.update_title(@user.username, @password, @retry_count, @max_retries)
+
+            if @config.credentials_validator.call(response)
+              handle_success(&)
+            elsif @config.error_checker.call(response)
+              handle_error(response, &)
+            else
+              handle_invalid_credentials
+            end
+          end
+
+          def handle_success
+            @config.tracker.increment
+            @user.password = @password
+            @config.tracker.adjust_total_on_success(@user.username)
+
+            yield @user if block_given?
+          end
+
+          def handle_error(response, &)
+            if @user.password
+              @config.tracker.increment
+              return
+            end
+
+            if should_retry?
+              retry_attempt(&)
+            else
+              finalize_failed_attempt(response)
+            end
+          end
+
+          def should_retry?
+            @retry_count < @max_retries
+          end
+
+          def retry_attempt(&)
+            @retry_count += 1
+
+            if @config.opts[:show_progression] && WPScan::ParsedCli.verbose?
+              @config.tracker.log("[RETRY #{@retry_count}/#{@max_retries}] #{@user.username} / #{@password}")
+            end
+
+            execute(&)
+          end
+
+          def finalize_failed_attempt(response)
+            @config.error_handler.call(response)
+            @config.tracker.increment
+          end
+
+          def handle_invalid_credentials
+            @config.tracker.increment
+          end
+        end
+
+        # @param [ Array<WPScan::Model::User> ] users
+        # @param [ String ] wordlist_path
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression
+        # @option opts [ Integer ] :wordlist_skip Number of passwords to skip from the beginning
+        # @option opts [ Integer ] :max_retries Maximum retry attempts for failed requests
+        #
+        # @yield [ WPScan::User ] When a valid combination is found
+        #
+        # Due to Typhoeus threads shenanigans, in rare cases the progress-bar might
+        # be incorrectly updated, hence the 'rescue ProgressBar::InvalidProgressError'
+        #
+        # TODO: Make rubocop happy about metrics etc
+        #
+        # rubocop:disable all
+        def attack(users, wordlist_path, opts = {})
+          wordlist = File.open(wordlist_path)
+          skip_count = opts[:wordlist_skip] || 0
+          max_retries = opts[:max_retries] || 0
+
+          # Calculate total, accounting for skipped passwords
+          total_passwords = wordlist.count
+          effective_passwords = [total_passwords - skip_count, 0].max
+
+          create_progress_bar(total: users.size * effective_passwords, show_progression: opts[:show_progression])
+          tracker = ProgressTracker.new(progress_bar: progress_bar, total_passwords: effective_passwords)
+          config = create_login_config(tracker, opts)
+
+          # Show skip progress if skipping
+          if skip_count.positive? && opts[:show_progression]
+            tracker.log("[INFO] Skipping first #{skip_count} password(s) from wordlist...")
+          end
+
+          queue_count = 0
+
+          File.foreach(wordlist, chomp: true).lazy.drop(skip_count).each do |password|
+            remaining_users = users.select { |u| u.password.nil? }
+            break if remaining_users.empty?
+
+            remaining_users.each do |user|
+              attempt = LoginAttempt.new(user: user, password: password, max_retries: max_retries, config: config)
+              attempt.execute { |found_user| yield found_user if block_given? }
+              queue_count += 1
+
+              if queue_count >= hydra.max_concurrency
+                hydra.run
+                queue_count = 0
+              end
+            end
+          end
+
+          hydra.run
+          tracker.stop
+        end
+        # rubocop:enable all
+
+        # Create login configuration with all dependencies
+        #
+        # @param [ ProgressTracker ] tracker
+        # @param [ Hash ] opts
+        #
+        # @return [ LoginConfig ]
+        #
+        def create_login_config(tracker, opts)
+          LoginConfig.new(
+            tracker: tracker,
+            request_builder: method(:login_request).to_proc,
+            credentials_validator: method(:valid_credentials?).to_proc,
+            error_checker: method(:errored_response?).to_proc,
+            error_handler: method(:output_error).to_proc,
+            hydra: hydra,
+            opts: opts
+          )
+        end
+
+        # @param [ String ] username
+        # param [ String ] password
+        #
+        # @return [ Typhoeus::Request ]
+        def login_request(username, password)
+          # To Implement in the finder related to the attack
+        end
+
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Boolean ] Whether or not credentials related to the request are valid
+        def valid_credentials?(response)
+          # To Implement in the finder related to the attack
+        end
+
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Boolean ] Whether or not something wrong happened
+        #                     other than wrong credentials
+        def errored_response?(response)
+          # To Implement in the finder related to the attack
+        end
+
+        protected
+
+        # @param [ Typhoeus::Response ] response
+        def output_error(response)
+          error = if response.timed_out?
+                    'Request timed out.'
+                  elsif response.code.zero?
+                    "No response from remote server. WAF/IPS? (#{response.return_message})"
+                  elsif response.code.to_s.start_with?('50')
+                    'Server error, try reducing the number of threads.'
+                  elsif WPScan::ParsedCli.verbose?
+                    "Unknown response received Code: #{response.code}\nBody: #{response.body}"
+                  else
+                    "Unknown response received Code: #{response.code}"
+                  end
+
+          progress_bar.log("Error: #{error}")
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/enumerator.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    class Finder
+      # Module to provide an easy way to enumerate items such as plugins, themes etc
+      module Enumerator
+        # @return [ Hash ]
+        def head_or_get_request_params
+          # Disabling the cache, as it causes a 'stack level too deep' exception
+          # with a large number of requests.
+          # See https://github.com/typhoeus/typhoeus/issues/408
+          @head_or_get_request_params ||= target.head_or_get_params.merge(cache_ttl: 0)
+        end
+
+        # @return [ Array<Integer> ]
+        def valid_response_codes
+          @valid_response_codes ||= [200]
+        end
+
+        # @param [ Hash ] The target urls
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression Wether or not to display the progress bar
+        # @option opts [ Regexp ] :exclude_content
+        # @option opts [ Boolean, Array, String ] :check_full_response
+        #
+        # @yield [ Typhoeus::Response, String ]
+        def enumerate(urls, opts = {})
+          create_progress_bar(opts.merge(total: urls.size))
+
+          urls.each do |url, id|
+            request = browser.forge_request(url, head_or_get_request_params)
+
+            request.on_complete do |head_res|
+              progress_bar.increment
+
+              next unless valid_response_codes.include?(head_res.code)
+
+              next if opts[:exclude_content] && head_res.response_headers&.match(opts[:exclude_content])
+
+              head_or_full_res = maybe_get_full_response(head_res, opts)
+
+              yield head_or_full_res, id if head_or_full_res
+            end
+
+            hydra.queue(request)
+          end
+
+          hydra.run
+        end
+
+        # @param [ Typhoeus::Response ] head_res
+        # @param [ Hash ] opts
+        #
+        # @return [ Typhoeus::Response, nil ]
+        def maybe_get_full_response(head_res, opts)
+          return head_res unless opts[:check_full_response] == true ||
+                                 Array(opts[:check_full_response]).include?(head_res.code)
+
+          full_res = WPScan::Browser.get(head_res.effective_url, full_request_params)
+
+          return unless valid_response_codes.include?(full_res.code)
+
+          return if target.homepage_or_404?(full_res) ||
+                    (opts[:exclude_content] && full_res.body&.match(opts[:exclude_content]))
+
+          full_res
+        end
+
+        # @return [ Hash ]
+        def full_request_params
+          @full_request_params ||= {}
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/fingerprinter.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    class Finder
+      # Module to provide an easy way to fingerprint things such as versions
+      module Fingerprinter
+        include Enumerator
+
+        # @param [ Hash ] fingerprints The fingerprints
+        # Format should be like the following:
+        # {
+        #   file_path_1: {
+        #     md5_hash_1: version_1,
+        #     md5_hash_2: [version_2]
+        #   },
+        #   file_path_2: {
+        #     md5_hash_3: [version_1, version_2],
+        #     md5_hash_4: version_3
+        #   }
+        # }
+        # Note that the version can either be an array or a string
+        #
+        # @param [ Hash ] opts
+        # @option opts [ Boolean ] :show_progression Wether or not to display the progress bar
+        #
+        # @yield [ Mixed, String, String ] version/s, url, hash The version associated to the
+        #                                                       fingerprint of the url
+        def fingerprint(fingerprints, opts = {})
+          enum_opts = opts.merge(check_full_response: 200)
+
+          enumerate(fingerprints.transform_keys { |k| target.url(k) }, enum_opts) do |res, fingerprint|
+            md5sum = hexdigest(res.body)
+
+            next unless fingerprint.key?(md5sum)
+
+            yield fingerprint[md5sum], res.effective_url, md5sum
+          end
+        end
+
+        # @return [ String ] The hashed value for the given body
+        def hexdigest(body)
+          Digest::MD5.hexdigest(body)
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/smart_url_checker/findings.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    class Finder
+      module SmartURLChecker
+        # Findings
+        class Findings < Array
+          def <<(finding)
+            return self unless finding
+
+            each do |f|
+              next unless f == finding && f.found_by == finding.found_by
+
+              # This makes sure entries added are unique
+              # and prevent pages redirecting to the same one to be added twice
+              entries_to_add = finding.interesting_entries - f.interesting_entries
+              return self if entries_to_add.empty?
+
+              entries_to_add.each { |entry| f.interesting_entries << entry }
+
+              f.confidence += finding.confidence
+
+              return self
+            end
+
+            super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/smart_url_checker.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'wpscan/finders/finder/smart_url_checker/findings'
+
+module WPScan
+  module Finders
+    class Finder
+      # Smart URL Checker
+      # Typically used when some URLs are potentially in the homepage. If they are found
+      # in it, they will be checked in the #passive (like a browser/client would do when loading the page).
+      # Otherwise they will be checked in the #aggressive
+      module SmartURLChecker
+        # @param [ Array<String> ] urls
+        # @param [ Hash ] opts
+        #
+        # @return []
+        def process_urls(_urls, _opts = {})
+          raise NotImplementedError
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Finding> ]
+        def passive(opts = {})
+          process_urls(passive_urls(opts), opts)
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<String> ]
+        def passive_urls(_opts = {})
+          target.in_scope_uris(target.homepage_res, passive_urls_xpath).map(&:to_s)
+        end
+
+        # @return [ String ]
+        def passive_urls_xpath
+          raise NotImplementedError
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Finding> ]
+        def aggressive(opts = {})
+          # To avoid scanning the same twice
+          urls = aggressive_urls(opts)
+          urls -= passive_urls(opts) if opts[:mode] == :mixed
+
+          process_urls(urls, opts)
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<String> ]
+        def aggressive_urls(_opts = {})
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb

@@ -6,7 +6,7 @@ module WPScan
       module WpVersion
         # SmartURLChecker specific for the WP Version
         module SmartURLChecker
-          include CMSScanner::Finders::Finder::SmartURLChecker
+          include WPScan::Finders::Finder::SmartURLChecker
 
           def create_version(number, opts = {})
             Model::WpVersion.new(

data/lib/wpscan/finders/finder.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'wpscan/finders/finder/smart_url_checker'
+require 'wpscan/finders/finder/enumerator'
+require 'wpscan/finders/finder/fingerprinter'
+require 'wpscan/finders/finder/breadth_first_dictionary_attack'
+
+module WPScan
+  module Finders
+    # Finder
+    class Finder
+      # Constants for common found_by
+      DIRECT_ACCESS = 'Direct Access (Aggressive Detection)'
+
+      attr_accessor :target, :progress_bar
+
+      def initialize(target)
+        @target = target
+      end
+
+      # @return [ String ] The titleized name of the finder
+      def titleize
+        # Put a _ char before any digits except those at the end, which will be replaced by a space
+        # Otherwise, class such as Error404Page are returned as Error404 Page instead of Error 404 page
+        # The keep_id_suffix is to concevert classes such as CssId to Css Id instead of Css
+
+        @titleize ||= self.class.to_s.demodulize.gsub(/(\d+)[a-z]+/i, '_\0').titleize(keep_id_suffix: true)
+      end
+
+      # @param [ Hash ] _opts
+      def passive(_opts = {}); end
+
+      # @param [ Hash ] _opts
+      def aggressive(_opts = {}); end
+
+      # @param [ Hash ] opts See https://github.com/jfelchner/ruby-progressbar/wiki/Options
+      # @option opts [ Boolean ] :show_progression
+      #
+      # @return [ ProgressBar::Base ]
+      def create_progress_bar(opts = {})
+        bar_opts          = { format: '%t %a <%B> (%c / %C) %P%% %e' }
+        bar_opts[:output] = ProgressBarNullOutput unless opts[:show_progression]
+
+        @progress_bar = ::ProgressBar.create(bar_opts.merge(opts))
+      end
+
+      # @return [ Browser ]
+      def browser
+        @browser ||= WPScan::Browser.instance
+      end
+
+      # @return [ Typhoeus::Hydra ]
+      def hydra
+        @hydra ||= browser.hydra
+      end
+
+      # @param [String, Class ] klass
+      # @return [ String ]
+      def found_by(klass = self.class)
+        labels = %w[aggressive passive]
+
+        caller_locations.each do |call|
+          label = call.label
+          # Since ruby 3.4, the label contains the full name, including module and class
+          # rather than just the method like in ruby < 3.4
+          label = label[/#(.*)/i, 1] if label.include?('#')
+
+          next unless labels.include? label
+
+          title = klass.to_s.demodulize.gsub(/(\d+)[a-z]+/i, '_\0').titleize(keep_id_suffix: true)
+
+          return "#{title} (#{label.capitalize} Detection)"
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/wpscan/finders/finding.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    # Finding
+    module Finding
+      # Fix for "Double/Dynamic Inclusion Problem"
+      def self.included(base)
+        base.include References
+        super
+      end
+
+      FINDING_OPTS = %i[confidence confirmed_by references found_by interesting_entries].freeze
+
+      attr_accessor(*FINDING_OPTS)
+
+      # @return [ Array ]
+      def confirmed_by
+        @confirmed_by ||= []
+      end
+
+      # Should be overriden in child classes
+      # @return [ Array ]
+      def interesting_entries
+        @interesting_entries ||= []
+      end
+
+      # @return [ Integer ]
+      def confidence
+        @confidence ||= 0
+      end
+
+      # @param [ Integer ] value
+      def confidence=(value)
+        @confidence = [value, 100].min
+      end
+
+      # @param [ Hash ] opts
+      def parse_finding_options(opts = {})
+        FINDING_OPTS.each { |opt| send("#{opt}=", opts[opt]) if opts.key?(opt) }
+      end
+
+      # TODO: maybe also check for interesting_entries and confirmed_by ?
+      # So far this is used in specs only
+      def eql?(other)
+        self == other && confidence == other.confidence && found_by == other.found_by
+      end
+
+      def <=>(other)
+        to_s.downcase <=> other.to_s.downcase
+      end
+    end
+  end
+end

data/lib/wpscan/finders/findings.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    # Findings container
+    class Findings < Array
+      # Optional callable invoked with each newly-appended finding (not invoked
+      # when a duplicate is merged into an existing one via confirmed_by). Used
+      # by enumeration controllers to stream findings as they are discovered.
+      attr_accessor :on_append
+
+      # Override to include the confirmed_by logic
+      #
+      # @param [ Finding ] finding
+      def <<(finding)
+        return self unless finding
+
+        each do |found|
+          next unless found == finding
+
+          found.confirmed_by << finding
+          found.confidence += finding.confidence
+
+          return self
+        end
+
+        super
+        @on_append&.call(finding)
+        self
+      end
+    end
+  end
+end

data/lib/wpscan/finders/independent_finder.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    # Independent Finder
+    module IndependentFinder
+      extend ActiveSupport::Concern
+
+      # See ActiveSupport::Concern
+      module ClassMethods
+        def find(target, opts = {}, &)
+          new(target).find(opts, &)
+        end
+      end
+
+      # @param [ Hash ] opts
+      # @option opts [ Symbol ] mode (:mixed, :passive, :aggressive)
+      # @yield [ Finding ] Optional block called for each finding the moment
+      #                   it is first appended to the result set (used to
+      #                   stream enumeration findings as they are discovered).
+      #
+      # @return [ Findings ]
+      def find(opts = {}, &)
+        finders.run(opts, &)
+      end
+
+      # @return [ Array ]
+      def finders
+        @finders ||= WPScan::Finders::IndependentFinders.new
+      end
+    end
+  end
+end