RubyGems - wpscan - Versions diffs - 3.8.28 → 4.0.0 - Mend

wpscan 3.8.28 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

checksums.yaml +4 -4
data/README.md +104 -30
data/app/app.rb +26 -0
data/app/controllers/aliases.rb +2 -2
data/app/controllers/authenticated_inventory.rb +43 -0
data/app/controllers/core/cli_options.rb +151 -0
data/app/controllers/core.rb +200 -25
data/app/controllers/custom_directories.rb +1 -1
data/app/controllers/enumeration/cli_options.rb +21 -31
data/app/controllers/enumeration/enum_methods.rb +145 -38
data/app/controllers/enumeration.rb +26 -3
data/app/controllers/interesting_findings.rb +25 -0
data/app/controllers/main_theme.rb +1 -1
data/app/controllers/password_attack.rb +14 -6
data/app/controllers/vuln_api.rb +9 -3
data/app/controllers/wp_version.rb +1 -1
data/app/controllers.rb +1 -0
data/app/finders/backup_folders/known_locations.rb +66 -0
data/app/finders/backup_folders.rb +19 -0
data/app/finders/config_backups/known_filenames.rb +6 -4
data/app/finders/config_backups.rb +1 -1
data/app/finders/db_exports/known_locations.rb +16 -14
data/app/finders/db_exports.rb +1 -1
data/app/finders/interesting_findings/backup_db.rb +1 -1
data/app/finders/interesting_findings/debug_log.rb +1 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +1 -1
data/app/finders/interesting_findings/fantastico_fileslist.rb +21 -0
data/app/finders/interesting_findings/full_path_disclosure.rb +1 -1
data/app/finders/interesting_findings/headers.rb +17 -0
data/app/finders/interesting_findings/mu_plugins.rb +1 -1
data/app/finders/interesting_findings/multisite.rb +1 -1
data/app/finders/interesting_findings/php_disabled.rb +2 -2
data/app/finders/interesting_findings/readme.rb +1 -1
data/app/finders/interesting_findings/registration.rb +1 -1
data/app/finders/interesting_findings/robots_txt.rb +20 -0
data/app/finders/interesting_findings/search_replace_db_2.rb +19 -0
data/app/finders/interesting_findings/tmm_db_migrate.rb +1 -1
data/app/finders/interesting_findings/upload_directory_listing.rb +1 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +2 -2
data/app/finders/interesting_findings/wp_cron.rb +1 -1
data/app/finders/interesting_findings/xml_rpc.rb +61 -0
data/app/finders/interesting_findings.rb +13 -4
data/app/finders/main_theme/css_style_in_homepage.rb +1 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -7
data/app/finders/main_theme/woo_framework_meta_generator.rb +4 -4
data/app/finders/main_theme.rb +1 -1
data/app/finders/medias/attachment_brute_forcing.rb +2 -2
data/app/finders/medias.rb +1 -1
data/app/finders/passwords/wp_login.rb +2 -2
data/app/finders/passwords/xml_rpc.rb +2 -2
data/app/finders/passwords/xml_rpc_multicall.rb +1 -1
data/app/finders/plugin_version/readme.rb +1 -1
data/app/finders/plugin_version.rb +1 -1
data/app/finders/plugins/known_locations.rb +17 -7
data/app/finders/plugins/urls_in_homepage.rb +3 -7
data/app/finders/plugins/wp_json_api.rb +85 -0
data/app/finders/plugins.rb +2 -1
data/app/finders/theme_version/style.rb +1 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +1 -1
data/app/finders/theme_version.rb +1 -1
data/app/finders/themes/known_locations.rb +12 -6
data/app/finders/themes/urls_in_homepage.rb +3 -7
data/app/finders/themes/wp_json_api.rb +74 -0
data/app/finders/themes.rb +2 -1
data/app/finders/timthumb_version/bad_request.rb +1 -1
data/app/finders/timthumb_version.rb +1 -1
data/app/finders/timthumbs/known_locations.rb +6 -4
data/app/finders/timthumbs.rb +1 -1
data/app/finders/users/author_id_brute_forcing.rb +11 -7
data/app/finders/users/author_posts.rb +1 -1
data/app/finders/users/author_sitemap.rb +1 -1
data/app/finders/users/login_error_messages.rb +1 -1
data/app/finders/users/oembed_api.rb +3 -1
data/app/finders/users/wp_json_api.rb +11 -7
data/app/finders/users.rb +1 -1
data/app/finders/wp_version/atom_generator.rb +1 -1
data/app/finders/wp_version/rdf_generator.rb +1 -1
data/app/finders/wp_version/readme.rb +1 -1
data/app/finders/wp_version/rss_generator.rb +1 -1
data/app/finders/wp_version/unique_fingerprinting.rb +2 -2
data/app/finders/wp_version.rb +1 -1
data/app/finders.rb +1 -0
data/app/formatters/cli.rb +79 -0
data/app/formatters/cli_no_color.rb +9 -0
data/app/formatters/cli_no_colour.rb +17 -0
data/app/formatters/json.rb +14 -0
data/app/formatters/jsonl.rb +29 -0
data/app/formatters/sarif.rb +311 -0
data/app/models/backup_folder.rb +39 -0
data/app/models/fantastico_fileslist.rb +34 -0
data/app/models/headers.rb +44 -0
data/app/models/interesting_finding.rb +41 -2
data/app/models/plugin.rb +8 -2
data/app/models/robots_txt.rb +31 -0
data/app/models/search_replace_db_2.rb +17 -0
data/app/models/theme.rb +9 -2
data/app/models/timthumb.rb +2 -2
data/app/models/user.rb +35 -0
data/app/models/version.rb +49 -0
data/app/models/wp_item/wordpress_org_data.rb +55 -0
data/app/models/wp_item.rb +109 -9
data/app/models/wp_version.rb +2 -2
data/app/models/xml_rpc.rb +73 -3
data/app/models.rb +2 -1
data/app/user_agents.txt +46 -0
data/app/views/cli/core/banner.erb +3 -3
data/app/views/cli/core/finished.erb +15 -0
data/app/views/cli/core/help.erb +4 -0
data/app/views/cli/core/started.erb +11 -0
data/app/views/cli/enumeration/backup_folders.erb +11 -0
data/app/views/cli/enumeration/plugin.erb +13 -0
data/app/views/cli/enumeration/plugins.erb +1 -12
data/app/views/cli/enumeration/theme.erb +4 -0
data/app/views/cli/enumeration/themes.erb +1 -3
data/app/views/cli/enumeration/user.erb +4 -0
data/app/views/cli/enumeration/users.erb +1 -3
data/app/views/cli/finding.erb +1 -1
data/app/views/cli/interesting_findings/_array.erb +10 -0
data/app/views/cli/interesting_findings/findings.erb +23 -0
data/app/views/cli/scan_aborted.erb +5 -0
data/app/views/cli/update_aborted.erb +5 -0
data/app/views/cli/vuln_api/status.erb +2 -0
data/app/views/cli/vulnerability.erb +6 -0
data/app/views/cli/wp_item.erb +4 -1
data/app/views/json/core/banner.erb +2 -8
data/app/views/json/core/finished.erb +13 -0
data/app/views/json/core/help.erb +4 -0
data/app/views/json/core/started.erb +10 -0
data/app/views/json/enumeration/backup_folders.erb +11 -0
data/app/views/json/enumeration/plugin.erb +15 -0
data/app/views/json/enumeration/theme.erb +5 -0
data/app/views/json/enumeration/user.erb +6 -0
data/app/views/json/finding.erb +8 -2
data/app/views/json/interesting_findings/findings.erb +24 -0
data/app/views/json/notice.erb +1 -0
data/app/views/json/scan_aborted.erb +5 -0
data/app/views/json/update_aborted.erb +5 -0
data/app/views/json/vuln_api/status.erb +2 -0
data/app/views/json/wp_item.erb +4 -1
data/bin/wpscan +1 -0
data/lib/opt_parse_validator/config_files_loader_merger/base.rb +26 -0
data/lib/opt_parse_validator/config_files_loader_merger/json.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger/yml.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger.rb +62 -0
data/lib/opt_parse_validator/errors.rb +9 -0
data/lib/opt_parse_validator/hacks.rb +19 -0
data/lib/opt_parse_validator/opts/alias.rb +28 -0
data/lib/opt_parse_validator/opts/array.rb +34 -0
data/lib/opt_parse_validator/opts/base.rb +142 -0
data/lib/opt_parse_validator/opts/boolean.rb +19 -0
data/lib/opt_parse_validator/opts/choice.rb +43 -0
data/lib/opt_parse_validator/opts/credentials.rb +15 -0
data/lib/opt_parse_validator/opts/directory_path.rb +17 -0
data/lib/opt_parse_validator/opts/file_path.rb +34 -0
data/lib/opt_parse_validator/opts/headers.rb +33 -0
data/lib/opt_parse_validator/opts/integer.rb +15 -0
data/lib/opt_parse_validator/opts/integer_range.rb +37 -0
data/lib/opt_parse_validator/opts/multi_choices.rb +135 -0
data/lib/opt_parse_validator/opts/path.rb +78 -0
data/lib/opt_parse_validator/opts/positive_integer.rb +16 -0
data/lib/opt_parse_validator/opts/proxy.rb +7 -0
data/lib/opt_parse_validator/opts/regexp.rb +14 -0
data/lib/opt_parse_validator/opts/smart_list.rb +30 -0
data/lib/opt_parse_validator/opts/string.rb +8 -0
data/lib/opt_parse_validator/opts/uri.rb +41 -0
data/lib/opt_parse_validator/opts/url.rb +11 -0
data/lib/opt_parse_validator/opts.rb +9 -0
data/lib/opt_parse_validator/version.rb +6 -0
data/lib/opt_parse_validator.rb +161 -0
data/lib/wpscan/browser/actions.rb +48 -0
data/lib/wpscan/browser/options.rb +92 -0
data/lib/wpscan/browser.rb +87 -2
data/lib/wpscan/browser_authenticator.rb +64 -0
data/lib/wpscan/cache/file_store.rb +77 -0
data/lib/wpscan/cache/typhoeus.rb +25 -0
data/lib/wpscan/controller.rb +100 -4
data/lib/wpscan/controllers.rb +78 -3
data/lib/wpscan/db/dynamic_finders/base.rb +3 -7
data/lib/wpscan/db/dynamic_finders/plugin.rb +2 -2
data/lib/wpscan/db/dynamic_finders/wordpress.rb +1 -1
data/lib/wpscan/db/fingerprints.rb +2 -2
data/lib/wpscan/db/updater.rb +23 -13
data/lib/wpscan/db/vuln_api.rb +19 -7
data/lib/wpscan/db/wp_item.rb +2 -2
data/lib/wpscan/errors/enumeration.rb +4 -4
data/lib/wpscan/errors/http.rb +82 -3
data/lib/wpscan/errors/saml.rb +28 -0
data/lib/wpscan/errors/scan.rb +14 -0
data/lib/wpscan/errors/update.rb +11 -3
data/lib/wpscan/errors/vuln_api.rb +24 -0
data/lib/wpscan/errors/wordpress.rb +2 -2
data/lib/wpscan/errors/wp_auth.rb +37 -0
data/lib/wpscan/errors.rb +4 -3
data/lib/wpscan/exit_code.rb +25 -0
data/lib/wpscan/finders/base_finders.rb +45 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +3 -5
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +3 -3
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +1 -1
data/lib/wpscan/finders/finder/breadth_first_dictionary_attack.rb +257 -0
data/lib/wpscan/finders/finder/enumerator.rb +77 -0
data/lib/wpscan/finders/finder/fingerprinter.rb +48 -0
data/lib/wpscan/finders/finder/smart_url_checker/findings.rb +33 -0
data/lib/wpscan/finders/finder/smart_url_checker.rb +60 -0
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +1 -1
data/lib/wpscan/finders/finder.rb +78 -0
data/lib/wpscan/finders/finding.rb +54 -0
data/lib/wpscan/finders/findings.rb +33 -0
data/lib/wpscan/finders/independent_finder.rb +33 -0
data/lib/wpscan/finders/independent_finders.rb +26 -0
data/lib/wpscan/finders/same_type_finder.rb +19 -0
data/lib/wpscan/finders/same_type_finders.rb +28 -0
data/lib/wpscan/finders/unique_finder.rb +19 -0
data/lib/wpscan/finders/unique_finders.rb +47 -0
data/lib/wpscan/finders.rb +11 -12
data/lib/wpscan/formatter/buffer.rb +17 -0
data/lib/wpscan/formatter.rb +152 -0
data/lib/wpscan/helper.rb +7 -1
data/lib/wpscan/http_status_tracking.rb +128 -0
data/lib/wpscan/numeric.rb +13 -0
data/lib/wpscan/parsed_cli.rb +31 -2
data/lib/wpscan/progressbar_null_output.rb +23 -0
data/lib/wpscan/public_suffix/domain.rb +44 -0
data/lib/wpscan/references.rb +118 -4
data/lib/wpscan/scan.rb +127 -0
data/lib/wpscan/target/hashes.rb +45 -0
data/lib/wpscan/target/platform/php.rb +124 -0
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +3 -3
data/lib/wpscan/target/platform/wordpress.rb +7 -8
data/lib/wpscan/target/platform.rb +3 -0
data/lib/wpscan/target/scope.rb +103 -0
data/lib/wpscan/target/server/apache.rb +27 -0
data/lib/wpscan/target/server/generic.rb +72 -0
data/lib/wpscan/target/server/iis.rb +29 -0
data/lib/wpscan/target/server/nginx.rb +27 -0
data/lib/wpscan/target/server.rb +6 -0
data/lib/wpscan/target.rb +129 -9
data/lib/wpscan/typhoeus/hydra.rb +12 -0
data/lib/wpscan/typhoeus/response.rb +24 -1
data/lib/wpscan/version.rb +1 -1
data/lib/wpscan/vulnerability.rb +49 -3
data/lib/wpscan/vulnerability_filter.rb +68 -0
data/lib/wpscan/vulnerable.rb +13 -1
data/lib/wpscan/web_site.rb +152 -0
data/lib/wpscan.rb +126 -29
metadata +362 -20

data/lib/wpscan/references.rb CHANGED Viewed

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 module WPScan
-  # References module (which should be included along with the CMSScanner::References)
-  # to allow the use of the wpvulndb reference.
+  # References related to a vulnerability / finding.
   module References
     extend ActiveSupport::Concern
@@ -10,22 +9,137 @@ module WPScan
     module ClassMethods
       # @return [ Array<Symbol> ]
       def references_keys
-        @references_keys ||= super << :wpvulndb
+        @references_keys ||= %i[cve exploitdb url metasploit packetstorm securityfocus youtube wpvulndb]
       end
     end
+    # @param [ Hash ] refs
+    def references=(refs)
+      @references = {}
+      self.class.references_keys.each do |key|
+        next unless refs.key?(key)
+        @references[key] = if key == :youtube
+                             Array(refs[:youtube]).map { |id| youtube_url(id) }
+                           else
+                             Array(refs[key]).map(&:to_s)
+                           end
+      end
+    end
+    # @return [ Hash ]
+    def references
+      @references ||= {}
+    end
+    # @return [ Array<String> ] All the references URLs
     def references_urls
-      wpvulndb_urls + super
+      wpvulndb_urls + cve_urls + exploitdb_urls + urls + msf_urls +
+        packetstorm_urls + securityfocus_urls + youtube_urls
+    end
+    # @return [ Array<String> ] The CVEs
+    def cves
+      references[:cve] || []
+    end
+    # @return [ Array<String> ]
+    def cve_urls
+      cves.reduce([]) { |acc, elem| acc << cve_url(elem) }
+    end
+    # @return [ String ] The URL to the CVE
+    def cve_url(cve)
+      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-#{cve}"
+    end
+    # @return [ Array<String> ] The ExploitDB ID
+    def exploitdb_ids
+      references[:exploitdb] || []
+    end
+    # @return [ Array<String> ]
+    def exploitdb_urls
+      exploitdb_ids.reduce([]) { |acc, elem| acc << exploitdb_url(elem) }
+    end
+    # @return [ String ]
+    def exploitdb_url(id)
+      "https://www.exploit-db.com/exploits/#{id}/"
+    end
+    # @return [ Array<String> ]
+    def urls
+      references[:url] || []
+    end
+    # @return [ Array<String> ] The metasploit modules
+    def msf_modules
+      references[:metasploit] || []
+    end
+    # @return [ Array<String> ]
+    def msf_urls
+      msf_modules.reduce([]) { |acc, elem| acc << msf_url(elem) }
+    end
+    # @return [ String ] The URL to the metasploit module page
+    def msf_url(mod)
+      "https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}/"
+    end
+    # @return [ Array<String> ] The Packetstormsecurity IDs
+    def packetstorm_ids
+      @packetstorm_ids ||= references[:packetstorm] || []
+    end
+    # @return [ Array<String> ]
+    def packetstorm_urls
+      packetstorm_ids.reduce([]) { |acc, elem| acc << packetstorm_url(elem) }
+    end
+    # @return [ String ]
+    def packetstorm_url(id)
+      "https://packetstormsecurity.com/files/#{id}/"
+    end
+    # @return [ Array<String> ] The Security Focus IDs
+    def securityfocus_ids
+      references[:securityfocus] || []
+    end
+    # @return [ Array<String> ]
+    def securityfocus_urls
+      securityfocus_ids.reduce([]) { |acc, elem| acc << securityfocus_url(elem) }
+    end
+    # @return [ String ]
+    def securityfocus_url(id)
+      "https://www.securityfocus.com/bid/#{id}/"
+    end
+    # @return [ Array<String> ]
+    def youtube_urls
+      references[:youtube] || []
+    end
+    # @return [ String ]
+    def youtube_url(id)
+      "https://www.youtube.com/watch?v=#{id}"
     end
+    # @return [ Array<String> ] wpvulndb (now WPScan) reference IDs
     def wpvulndb_ids
       references[:wpvulndb] || []
     end
+    # @return [ Array<String> ]
     def wpvulndb_urls
       wpvulndb_ids.reduce([]) { |acc, elem| acc << wpvulndb_url(elem) }
     end
+    # @return [ String ]
     def wpvulndb_url(id)
       "https://wpscan.com/vulnerability/#{id}"
     end

data/lib/wpscan/scan.rb ADDED Viewed

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+module WPScan
+  # Scan
+  class Scan
+    attr_reader :run_error
+    def initialize
+      WPScan.start_memory = GetProcessMem.new.bytes
+      # Capture the original command line arguments with sensitive data masked
+      WPScan.command_line = mask_sensitive_arguments(ARGV)
+      controllers << WPScan::Controller::Core.new
+      exit_hook
+      yield self if block_given?
+    end
+    # Masks sensitive arguments in the command line to prevent exposing secrets
+    # @param [ Array<String> ] args The command line arguments
+    # @return [ String ] The sanitized command line string
+    def mask_sensitive_arguments(args)
+      # List of sensitive arguments that contain actual secrets (not file paths)
+      # File paths like --passwords and --cookie-jar are not masked as they're
+      # not secrets themselves, just references to files
+      sensitive_args = %w[
+        --api-token
+        --http-auth
+        --proxy-auth
+        --cookie-string
+        --wp-auth
+      ]
+      masked_args = args.dup
+      args.each_with_index do |arg, index|
+        # Check if this argument is sensitive
+        if sensitive_args.include?(arg)
+          # Mask the next argument (the value)
+          masked_args[index + 1] = '[REDACTED]' if index + 1 < args.length
+        elsif arg.start_with?('--') && arg.include?('=')
+          # Handle --arg=value format
+          arg_name = arg.split('=').first
+          masked_args[index] = "#{arg_name}=[REDACTED]" if sensitive_args.include?(arg_name)
+        end
+      end
+      masked_args.join(' ')
+    end
+    # @return [ Controllers ]
+    def controllers
+      @controllers ||= WPScan::Controllers.new
+    end
+    def run
+      controllers.run
+    rescue OptParseValidator::NoRequiredOption => e
+      @run_error = e
+      formatter.output('@usage', msg: e.message)
+    rescue NoMemoryError, ScriptError, SecurityError, SignalException, StandardError, SystemStackError => e
+      @run_error = e
+      output_params = {
+        reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
+        trace: e.backtrace,
+        verbose: WPScan::ParsedCli.verbose || run_error_exit_code == WPScan::ExitCode::EXCEPTION
+      }
+      output_params[:url] = controllers.first.target.url if WPScan::ParsedCli.url
+      formatter.output(aborted_view, output_params)
+    ensure
+      formatter.beautify
+    end
+    # Used for convenience
+    # @See Formatter
+    def formatter
+      controllers.first.formatter
+    end
+    # @return [ String ] The global view to render when the run is aborted
+    def aborted_view
+      core = controllers.first
+      core.respond_to?(:updating_db?) && core.updating_db? ? '@update_aborted' : '@scan_aborted'
+    end
+    # @return [ Hash ]
+    def datastore
+      controllers.first.datastore
+    end
+    # Hook to be able to have an exit code returned
+    # depending on the findings / errors
+    # :nocov:
+    def exit_hook
+      # Avoid hooking the exit when rspec is running, otherwise it will always return 0
+      # and Travis won't detect failed builds. Couldn't find a better way, even though
+      # some people managed to https://github.com/rspec/rspec-core/pull/410
+      return if defined?(RSpec)
+      at_exit do
+        exit(run_error_exit_code) if run_error
+        # The parsed_option[:url] must be checked to avoid raising erros when only -h/-v are given
+        exit(WPScan::ExitCode::VULNERABLE) if WPScan::ParsedCli.url && controllers.first.target.vulnerable?
+        exit(WPScan::ExitCode::OK)
+      end
+    end
+    # :nocov:
+    # @return [ Integer ] The exit code related to the run_error
+    def run_error_exit_code
+      return WPScan::ExitCode::CLI_OPTION_ERROR if run_error.is_a?(OptParseValidator::Error) ||
+                                                   run_error.is_a?(OptionParser::ParseError)
+      return WPScan::ExitCode::INTERRUPTED if run_error.is_a?(Interrupt)
+      return WPScan::ExitCode::ERROR if run_error.is_a?(WPScan::Error::Standard)
+      WPScan::ExitCode::EXCEPTION
+    end
+  end
+end

data/lib/wpscan/target/hashes.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module WPScan
+  # Scope system logic
+  class Target < WebSite
+    # @note Comments are deleted to avoid cache generation details
+    #
+    # @param [ Typhoeus::Response, String ] page
+    #
+    # @return [ String ] The md5sum of the page
+    def self.page_hash(page)
+      page = WPScan::Browser.get(page, followlocation: true, maxredirs: 10) unless page.is_a?(Typhoeus::Response)
+      # Removes comments and script tags before computing the hash
+      # to remove any potential cached stuff
+      html = Nokogiri::HTML(page.body)
+      html.xpath('//script|//comment()').each(&:remove)
+      Digest::MD5.hexdigest(html)
+    end
+    # @return [ String ] The hash of the homepage
+    def homepage_hash
+      @homepage_hash ||= self.class.page_hash(url)
+    end
+    # @note This is used to detect potential custom 404 responding with a 200
+    # @return [ String ] The hash of a 404
+    def error_404_hash
+      @error_404_hash ||= self.class.page_hash(error_404_res)
+    end
+    # @param [ Typhoeus::Response, String ] page
+    # @return [ Boolean ] Wether or not the page is a the homepage or a 404 based on its md5sum
+    def homepage_or_404?(page)
+      homepage_and_404_hashes.include?(self.class.page_hash(page))
+    end
+    protected
+    def homepage_and_404_hashes
+      @homepage_and_404_hashes ||= [homepage_hash, error_404_hash].freeze
+    end
+  end
+end

data/lib/wpscan/target/platform/php.rb ADDED Viewed

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+module WPScan
+  class Target < WebSite
+    module Platform
+      # Some PHP specific implementation
+      module PHP
+        DEBUG_LOG_PATTERN = /(?:\[\d{2}-[a-zA-Z]{3}-\d{4}\s\d{2}:\d{2}:\d{2}\s[A-Z]{3}\]|
+                              PHP\s(?:Fatal|Warning|Strict|Error|Notice):)/x
+        FPD_PATTERN       = /Fatal error:.+? in (.+?) on/
+        ERROR_LOG_PATTERN = /PHP Fatal error/i
+        # @param [ String ] path
+        # @param [ Regexp ] pattern
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ]
+        def log_file?(path, pattern, params = {})
+          max_mib  = WPScan::ParsedCli.max_log_file_size.to_i
+          max_size = max_mib.positive? ? max_mib * 1024 * 1024 : nil
+          head_res = WPScan::Browser.forge_request(url(path), head_or_get_params).run
+          return false unless head_res.code == 200
+          if max_size
+            content_length = head_res.headers&.[]('Content-Length').to_i
+            return false if content_length > max_size
+          end
+          body = stream_capped_body(path, params, max_size)
+          return false if body.nil?
+          body.match?(pattern) || false
+        end
+        # Performs a streaming GET of `path` and returns the body as a String, capped at
+        # `max_size` bytes. Returns nil if the transfer was aborted because it exceeded the cap.
+        #
+        # Only the first 700 bytes of the file are needed to match log-file patterns. Servers may
+        # ignore the Range header, and libcurl's maxfilesize is a no-op when the response has no
+        # Content-Length (chunked transfer encoding), so an on_body callback is used to abort the
+        # transfer once the accumulated body exceeds the configured limit. Streaming via on_body
+        # also keeps Typhoeus::Response#body empty, so the response cache cannot Marshal-dump a
+        # huge payload.
+        #
+        # @param [ String ]       path
+        # @param [ Hash ]         params The base request params
+        # @param [ Integer, nil ] max_size Size cap in bytes, or nil to disable
+        #
+        # @return [ String, nil ]
+        def stream_capped_body(path, params, max_size)
+          get_params = params.merge(
+            headers: { 'Range' => 'bytes=0-700' },
+            method: :get,
+            cache_ttl: 0
+          )
+          get_params[:maxfilesize] = max_size if max_size
+          req  = WPScan::Browser.forge_request(url(path), get_params)
+          body = +''
+          aborted = install_body_cap(req, body, max_size)
+          req.run
+          aborted.call ? nil : body
+        end
+        # Installs an on_body callback on `req` that appends chunks to `body`. If `max_size` is
+        # set, the transfer is aborted once the buffer exceeds it. Returns a callable that
+        # reports whether the transfer was aborted.
+        def install_body_cap(req, body, max_size)
+          aborted = false
+          if max_size
+            req.on_body do |chunk|
+              body << chunk
+              next if body.bytesize <= max_size
+              aborted = true
+              :abort
+            end
+          else
+            req.on_body { |chunk| body << chunk }
+          end
+          -> { aborted }
+        end
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if  url(path) is a debug log, false otherwise
+        def debug_log?(path, params = {})
+          log_file?(path, DEBUG_LOG_PATTERN, params)
+        end
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] Wether or not url(path) is an error log file
+        def error_log?(path, params = {})
+          log_file?(path, ERROR_LOG_PATTERN, params)
+        end
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Boolean ] true if url(path) contains a FPD, false otherwise
+        def full_path_disclosure?(path = nil, params = {})
+          !full_path_disclosure_entries(path, params).empty?
+        end
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The FPD found, or an empty array if none
+        def full_path_disclosure_entries(path = nil, params = {})
+          res = WPScan::Browser.get(url(path), params)
+          res.body.scan(FPD_PATTERN).flatten
+        end
+      end
+    end
+  end
+end

data/lib/wpscan/target/platform/wordpress/custom_directories.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module WPScan
-  class Target < CMSScanner::Target
+  class Target
     module Platform
       # wp-content & plugins directory implementation
       module WordPress
@@ -16,7 +16,7 @@ module WPScan
         # @return [ String ] The wp-content directory
         def content_dir
           unless @content_dir
-            # scope_url_pattern is from CMSScanner::Target
+            # scope_url_pattern is from WPScan::Target
             pattern = %r{#{scope_url_pattern}([\w\s\-/]+?)\\?/(?:themes|plugins|uploads|cache)\\?/}i
             [homepage_res, error_404_res].each do |page_res|
@@ -103,7 +103,7 @@ module WPScan
         def sub_dir
           return @sub_dir unless @sub_dir.nil?
-          # url_pattern is from CMSScanner::Target
+          # url_pattern is from WPScan::Target
           pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp-includes/)}i
           xpath = '(//@src|//@href|//@data-src)[contains(., "xmlrpc.php") or contains(., "wp-includes/")]'

data/lib/wpscan/target/platform/wordpress.rb CHANGED Viewed

@@ -5,16 +5,16 @@
 end
 module WPScan
-  class Target < CMSScanner::Target
+  class Target
     module Platform
       # Some WordPress specific implementation
       module WordPress
-        include CMSScanner::Target::Platform::PHP
+        include WPScan::Target::Platform::PHP
-        WORDPRESS_PATTERN        = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
-        WORDPRESS_HOSTED_PATTERN = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
-        WP_JSON_OEMBED_PATTERN   = %r{/wp-json/oembed/}i.freeze
-        WP_ADMIN_AJAX_PATTERN    = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
+        WORDPRESS_PATTERN        = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i
+        WORDPRESS_HOSTED_PATTERN = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i
+        WP_JSON_OEMBED_PATTERN   = %r{/wp-json/oembed/}i
+        WP_ADMIN_AJAX_PATTERN    = %r{\\?/wp-admin\\?/admin-ajax\.php}i
         # These methods are used in the associated interesting_findings finders
         # to keep the boolean state of the finding rather than re-check the whole thing again
@@ -87,8 +87,7 @@ module WPScan
             # Force recheck of the homepage when retying wordpress?
             # No need to clear the cache, as the request (which will contain the cookies)
             # will be different
-            @homepage_res = nil
-            @homepage_url = nil
+            reset_homepage_cache!
             break
           end

data/lib/wpscan/target/platform.rb ADDED Viewed

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+require 'wpscan/target/platform/php'

data/lib/wpscan/target/scope.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+module WPScan
+  # Scope system logic
+  class Target < WebSite
+    # @return [ Array<PublicSuffix::Domain, String> ]
+    def scope
+      @scope ||= Scope.new
+    end
+    # @param [ String, Addressable::URI ] url An absolute URL or URI
+    #
+    # @return [ Boolean ] true if the url given is in scope
+    def in_scope?(url_or_uri)
+      url_or_uri = Addressable::URI.parse(url_or_uri.strip) unless url_or_uri.is_a?(Addressable::URI)
+      scope.include?(url_or_uri.host)
+    rescue StandardError
+      false
+    end
+    # @param [ Typhoeus::Response ] res
+    # @param [ String ] xpath
+    #
+    # @yield [ Addressable::URI, Nokogiri::XML::Element ] The in scope url and its associated tag
+    #
+    # @return [ Array<Addressable::URI> ] The in scope absolute URIs detected in the response's body
+    #
+    # @note It is highly recommended to use the xpath parameter to focus on the uris needed, as this method can be quite
+    #       time consuming when there are a lof of uris to check
+    def in_scope_uris(res, xpath = '//@href|//@src|//@data-src')
+      found = []
+      uris_from_page(res, xpath) do |uri, tag|
+        next unless in_scope?(uri)
+        yield uri, tag if block_given?
+        found << uri
+      end
+      found
+    end
+    # Similar to Target#url_pattern but considering the in scope domains as well
+    #
+    # @return [ Regexp ] The pattern related to the target url and in scope domains,
+    #                    it also matches escaped /, such as in JSON JS data: http:\/\/t.com\/
+    # rubocop:disable Metrics/AbcSize
+    def scope_url_pattern
+      return @scope_url_pattern if @scope_url_pattern
+      domains = [uri.host + uri.path]
+      domains += if scope.domains.empty?
+                   Array(scope.invalid_domains[1..])
+                 else
+                   Array(scope.domains[1..]).map(&:to_s) + scope.invalid_domains
+                 end
+      domains.map! { |d| Regexp.escape(d.delete_suffix('/')).gsub('\*', '.*').gsub('/', '\\\\\?/') }
+      domains[0].gsub!(Regexp.escape(uri.host), "#{Regexp.escape(uri.host)}(?::\\d+)?") if uri.port
+      @scope_url_pattern = %r{https?:\\?/\\?/(?:#{domains.join('|')})\\?/?}i
+    end
+    # rubocop:enable Metrics/AbcSize
+    # Scope Implementation
+    class Scope
+      # @return [ Array<PublicSuffix::Domain> ] The valid domains in scope
+      def domains
+        @domains ||= []
+      end
+      # @return [ Array<String> ] The invalid domains in scope (such as IP addresses etc)
+      def invalid_domains
+        @invalid_domains ||= []
+      end
+      def <<(element)
+        if PublicSuffix.valid?(element, ignore_private: true)
+          domains << PublicSuffix.parse(element, ignore_private: true)
+        else
+          invalid_domains << element
+        end
+      end
+      # @return [ Boolean ] Wether or not the host is in the scope
+      def include?(host)
+        if PublicSuffix.valid?(host, ignore_private: true)
+          domain = PublicSuffix.parse(host, ignore_private: true)
+          domains.each { |d| return true if domain.match(d) }
+        else
+          invalid_domains.each { |d| return true if host == d }
+        end
+        false
+      end
+    end
+  end
+end

data/lib/wpscan/target/server/apache.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+module WPScan
+  class Target < WebSite
+    module Server
+      # Some Apche specific implementation
+      module Apache
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Symbol ] :Apache
+        def server(_path = nil, _params = {})
+          :Apache
+        end
+        # @param [ String ] path
+        # @param [ Hash ] params The request params
+        #
+        # @return [ Array<String> ] The first level of directories/files listed,
+        #                           or an empty array if none
+        def directory_listing_entries(path = nil, params = {})
+          super(path, params, 'td a')
+        end
+      end
+    end
+  end
+end