RubyGems - wpscan - Versions diffs - 3.8.28 → 4.0.0 - Mend

wpscan 3.8.28 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

checksums.yaml +4 -4
data/README.md +104 -30
data/app/app.rb +26 -0
data/app/controllers/aliases.rb +2 -2
data/app/controllers/authenticated_inventory.rb +43 -0
data/app/controllers/core/cli_options.rb +151 -0
data/app/controllers/core.rb +200 -25
data/app/controllers/custom_directories.rb +1 -1
data/app/controllers/enumeration/cli_options.rb +21 -31
data/app/controllers/enumeration/enum_methods.rb +145 -38
data/app/controllers/enumeration.rb +26 -3
data/app/controllers/interesting_findings.rb +25 -0
data/app/controllers/main_theme.rb +1 -1
data/app/controllers/password_attack.rb +14 -6
data/app/controllers/vuln_api.rb +9 -3
data/app/controllers/wp_version.rb +1 -1
data/app/controllers.rb +1 -0
data/app/finders/backup_folders/known_locations.rb +66 -0
data/app/finders/backup_folders.rb +19 -0
data/app/finders/config_backups/known_filenames.rb +6 -4
data/app/finders/config_backups.rb +1 -1
data/app/finders/db_exports/known_locations.rb +16 -14
data/app/finders/db_exports.rb +1 -1
data/app/finders/interesting_findings/backup_db.rb +1 -1
data/app/finders/interesting_findings/debug_log.rb +1 -1
data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
data/app/finders/interesting_findings/emergency_pwd_reset_script.rb +1 -1
data/app/finders/interesting_findings/fantastico_fileslist.rb +21 -0
data/app/finders/interesting_findings/full_path_disclosure.rb +1 -1
data/app/finders/interesting_findings/headers.rb +17 -0
data/app/finders/interesting_findings/mu_plugins.rb +1 -1
data/app/finders/interesting_findings/multisite.rb +1 -1
data/app/finders/interesting_findings/php_disabled.rb +2 -2
data/app/finders/interesting_findings/readme.rb +1 -1
data/app/finders/interesting_findings/registration.rb +1 -1
data/app/finders/interesting_findings/robots_txt.rb +20 -0
data/app/finders/interesting_findings/search_replace_db_2.rb +19 -0
data/app/finders/interesting_findings/tmm_db_migrate.rb +1 -1
data/app/finders/interesting_findings/upload_directory_listing.rb +1 -1
data/app/finders/interesting_findings/upload_sql_dump.rb +2 -2
data/app/finders/interesting_findings/wp_cron.rb +1 -1
data/app/finders/interesting_findings/xml_rpc.rb +61 -0
data/app/finders/interesting_findings.rb +13 -4
data/app/finders/main_theme/css_style_in_homepage.rb +1 -1
data/app/finders/main_theme/urls_in_homepage.rb +3 -7
data/app/finders/main_theme/woo_framework_meta_generator.rb +4 -4
data/app/finders/main_theme.rb +1 -1
data/app/finders/medias/attachment_brute_forcing.rb +2 -2
data/app/finders/medias.rb +1 -1
data/app/finders/passwords/wp_login.rb +2 -2
data/app/finders/passwords/xml_rpc.rb +2 -2
data/app/finders/passwords/xml_rpc_multicall.rb +1 -1
data/app/finders/plugin_version/readme.rb +1 -1
data/app/finders/plugin_version.rb +1 -1
data/app/finders/plugins/known_locations.rb +17 -7
data/app/finders/plugins/urls_in_homepage.rb +3 -7
data/app/finders/plugins/wp_json_api.rb +85 -0
data/app/finders/plugins.rb +2 -1
data/app/finders/theme_version/style.rb +1 -1
data/app/finders/theme_version/woo_framework_meta_generator.rb +1 -1
data/app/finders/theme_version.rb +1 -1
data/app/finders/themes/known_locations.rb +12 -6
data/app/finders/themes/urls_in_homepage.rb +3 -7
data/app/finders/themes/wp_json_api.rb +74 -0
data/app/finders/themes.rb +2 -1
data/app/finders/timthumb_version/bad_request.rb +1 -1
data/app/finders/timthumb_version.rb +1 -1
data/app/finders/timthumbs/known_locations.rb +6 -4
data/app/finders/timthumbs.rb +1 -1
data/app/finders/users/author_id_brute_forcing.rb +11 -7
data/app/finders/users/author_posts.rb +1 -1
data/app/finders/users/author_sitemap.rb +1 -1
data/app/finders/users/login_error_messages.rb +1 -1
data/app/finders/users/oembed_api.rb +3 -1
data/app/finders/users/wp_json_api.rb +11 -7
data/app/finders/users.rb +1 -1
data/app/finders/wp_version/atom_generator.rb +1 -1
data/app/finders/wp_version/rdf_generator.rb +1 -1
data/app/finders/wp_version/readme.rb +1 -1
data/app/finders/wp_version/rss_generator.rb +1 -1
data/app/finders/wp_version/unique_fingerprinting.rb +2 -2
data/app/finders/wp_version.rb +1 -1
data/app/finders.rb +1 -0
data/app/formatters/cli.rb +79 -0
data/app/formatters/cli_no_color.rb +9 -0
data/app/formatters/cli_no_colour.rb +17 -0
data/app/formatters/json.rb +14 -0
data/app/formatters/jsonl.rb +29 -0
data/app/formatters/sarif.rb +311 -0
data/app/models/backup_folder.rb +39 -0
data/app/models/fantastico_fileslist.rb +34 -0
data/app/models/headers.rb +44 -0
data/app/models/interesting_finding.rb +41 -2
data/app/models/plugin.rb +8 -2
data/app/models/robots_txt.rb +31 -0
data/app/models/search_replace_db_2.rb +17 -0
data/app/models/theme.rb +9 -2
data/app/models/timthumb.rb +2 -2
data/app/models/user.rb +35 -0
data/app/models/version.rb +49 -0
data/app/models/wp_item/wordpress_org_data.rb +55 -0
data/app/models/wp_item.rb +109 -9
data/app/models/wp_version.rb +2 -2
data/app/models/xml_rpc.rb +73 -3
data/app/models.rb +2 -1
data/app/user_agents.txt +46 -0
data/app/views/cli/core/banner.erb +3 -3
data/app/views/cli/core/finished.erb +15 -0
data/app/views/cli/core/help.erb +4 -0
data/app/views/cli/core/started.erb +11 -0
data/app/views/cli/enumeration/backup_folders.erb +11 -0
data/app/views/cli/enumeration/plugin.erb +13 -0
data/app/views/cli/enumeration/plugins.erb +1 -12
data/app/views/cli/enumeration/theme.erb +4 -0
data/app/views/cli/enumeration/themes.erb +1 -3
data/app/views/cli/enumeration/user.erb +4 -0
data/app/views/cli/enumeration/users.erb +1 -3
data/app/views/cli/finding.erb +1 -1
data/app/views/cli/interesting_findings/_array.erb +10 -0
data/app/views/cli/interesting_findings/findings.erb +23 -0
data/app/views/cli/scan_aborted.erb +5 -0
data/app/views/cli/update_aborted.erb +5 -0
data/app/views/cli/vuln_api/status.erb +2 -0
data/app/views/cli/vulnerability.erb +6 -0
data/app/views/cli/wp_item.erb +4 -1
data/app/views/json/core/banner.erb +2 -8
data/app/views/json/core/finished.erb +13 -0
data/app/views/json/core/help.erb +4 -0
data/app/views/json/core/started.erb +10 -0
data/app/views/json/enumeration/backup_folders.erb +11 -0
data/app/views/json/enumeration/plugin.erb +15 -0
data/app/views/json/enumeration/theme.erb +5 -0
data/app/views/json/enumeration/user.erb +6 -0
data/app/views/json/finding.erb +8 -2
data/app/views/json/interesting_findings/findings.erb +24 -0
data/app/views/json/notice.erb +1 -0
data/app/views/json/scan_aborted.erb +5 -0
data/app/views/json/update_aborted.erb +5 -0
data/app/views/json/vuln_api/status.erb +2 -0
data/app/views/json/wp_item.erb +4 -1
data/bin/wpscan +1 -0
data/lib/opt_parse_validator/config_files_loader_merger/base.rb +26 -0
data/lib/opt_parse_validator/config_files_loader_merger/json.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger/yml.rb +17 -0
data/lib/opt_parse_validator/config_files_loader_merger.rb +62 -0
data/lib/opt_parse_validator/errors.rb +9 -0
data/lib/opt_parse_validator/hacks.rb +19 -0
data/lib/opt_parse_validator/opts/alias.rb +28 -0
data/lib/opt_parse_validator/opts/array.rb +34 -0
data/lib/opt_parse_validator/opts/base.rb +142 -0
data/lib/opt_parse_validator/opts/boolean.rb +19 -0
data/lib/opt_parse_validator/opts/choice.rb +43 -0
data/lib/opt_parse_validator/opts/credentials.rb +15 -0
data/lib/opt_parse_validator/opts/directory_path.rb +17 -0
data/lib/opt_parse_validator/opts/file_path.rb +34 -0
data/lib/opt_parse_validator/opts/headers.rb +33 -0
data/lib/opt_parse_validator/opts/integer.rb +15 -0
data/lib/opt_parse_validator/opts/integer_range.rb +37 -0
data/lib/opt_parse_validator/opts/multi_choices.rb +135 -0
data/lib/opt_parse_validator/opts/path.rb +78 -0
data/lib/opt_parse_validator/opts/positive_integer.rb +16 -0
data/lib/opt_parse_validator/opts/proxy.rb +7 -0
data/lib/opt_parse_validator/opts/regexp.rb +14 -0
data/lib/opt_parse_validator/opts/smart_list.rb +30 -0
data/lib/opt_parse_validator/opts/string.rb +8 -0
data/lib/opt_parse_validator/opts/uri.rb +41 -0
data/lib/opt_parse_validator/opts/url.rb +11 -0
data/lib/opt_parse_validator/opts.rb +9 -0
data/lib/opt_parse_validator/version.rb +6 -0
data/lib/opt_parse_validator.rb +161 -0
data/lib/wpscan/browser/actions.rb +48 -0
data/lib/wpscan/browser/options.rb +92 -0
data/lib/wpscan/browser.rb +87 -2
data/lib/wpscan/browser_authenticator.rb +64 -0
data/lib/wpscan/cache/file_store.rb +77 -0
data/lib/wpscan/cache/typhoeus.rb +25 -0
data/lib/wpscan/controller.rb +100 -4
data/lib/wpscan/controllers.rb +78 -3
data/lib/wpscan/db/dynamic_finders/base.rb +3 -7
data/lib/wpscan/db/dynamic_finders/plugin.rb +2 -2
data/lib/wpscan/db/dynamic_finders/wordpress.rb +1 -1
data/lib/wpscan/db/fingerprints.rb +2 -2
data/lib/wpscan/db/updater.rb +23 -13
data/lib/wpscan/db/vuln_api.rb +19 -7
data/lib/wpscan/db/wp_item.rb +2 -2
data/lib/wpscan/errors/enumeration.rb +4 -4
data/lib/wpscan/errors/http.rb +82 -3
data/lib/wpscan/errors/saml.rb +28 -0
data/lib/wpscan/errors/scan.rb +14 -0
data/lib/wpscan/errors/update.rb +11 -3
data/lib/wpscan/errors/vuln_api.rb +24 -0
data/lib/wpscan/errors/wordpress.rb +2 -2
data/lib/wpscan/errors/wp_auth.rb +37 -0
data/lib/wpscan/errors.rb +4 -3
data/lib/wpscan/exit_code.rb +25 -0
data/lib/wpscan/finders/base_finders.rb +45 -0
data/lib/wpscan/finders/dynamic_finder/finder.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/body_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/comment.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/header_pattern.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/javascript_var.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb +3 -5
data/lib/wpscan/finders/dynamic_finder/version/xpath.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/wp_items/finder.rb +3 -3
data/lib/wpscan/finders/dynamic_finder/wp_version.rb +1 -1
data/lib/wpscan/finders/finder/breadth_first_dictionary_attack.rb +257 -0
data/lib/wpscan/finders/finder/enumerator.rb +77 -0
data/lib/wpscan/finders/finder/fingerprinter.rb +48 -0
data/lib/wpscan/finders/finder/smart_url_checker/findings.rb +33 -0
data/lib/wpscan/finders/finder/smart_url_checker.rb +60 -0
data/lib/wpscan/finders/finder/wp_version/smart_url_checker.rb +1 -1
data/lib/wpscan/finders/finder.rb +78 -0
data/lib/wpscan/finders/finding.rb +54 -0
data/lib/wpscan/finders/findings.rb +33 -0
data/lib/wpscan/finders/independent_finder.rb +33 -0
data/lib/wpscan/finders/independent_finders.rb +26 -0
data/lib/wpscan/finders/same_type_finder.rb +19 -0
data/lib/wpscan/finders/same_type_finders.rb +28 -0
data/lib/wpscan/finders/unique_finder.rb +19 -0
data/lib/wpscan/finders/unique_finders.rb +47 -0
data/lib/wpscan/finders.rb +11 -12
data/lib/wpscan/formatter/buffer.rb +17 -0
data/lib/wpscan/formatter.rb +152 -0
data/lib/wpscan/helper.rb +7 -1
data/lib/wpscan/http_status_tracking.rb +128 -0
data/lib/wpscan/numeric.rb +13 -0
data/lib/wpscan/parsed_cli.rb +31 -2
data/lib/wpscan/progressbar_null_output.rb +23 -0
data/lib/wpscan/public_suffix/domain.rb +44 -0
data/lib/wpscan/references.rb +118 -4
data/lib/wpscan/scan.rb +127 -0
data/lib/wpscan/target/hashes.rb +45 -0
data/lib/wpscan/target/platform/php.rb +124 -0
data/lib/wpscan/target/platform/wordpress/custom_directories.rb +3 -3
data/lib/wpscan/target/platform/wordpress.rb +7 -8
data/lib/wpscan/target/platform.rb +3 -0
data/lib/wpscan/target/scope.rb +103 -0
data/lib/wpscan/target/server/apache.rb +27 -0
data/lib/wpscan/target/server/generic.rb +72 -0
data/lib/wpscan/target/server/iis.rb +29 -0
data/lib/wpscan/target/server/nginx.rb +27 -0
data/lib/wpscan/target/server.rb +6 -0
data/lib/wpscan/target.rb +129 -9
data/lib/wpscan/typhoeus/hydra.rb +12 -0
data/lib/wpscan/typhoeus/response.rb +24 -1
data/lib/wpscan/version.rb +1 -1
data/lib/wpscan/vulnerability.rb +49 -3
data/lib/wpscan/vulnerability_filter.rb +68 -0
data/lib/wpscan/vulnerable.rb +13 -1
data/lib/wpscan/web_site.rb +152 -0
data/lib/wpscan.rb +126 -29
metadata +362 -20

data/app/finders/interesting_findings/duplicator_installer_log.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # DuplicatorInstallerLog finder
-      class DuplicatorInstallerLog < CMSScanner::Finders::Finder
+      class DuplicatorInstallerLog < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path = 'installer-log.txt'

data/app/finders/interesting_findings/emergency_pwd_reset_script.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Emergency Password Reset Script finder
-      class EmergencyPwdResetScript < CMSScanner::Finders::Finder
+      class EmergencyPwdResetScript < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path = 'emergency.php'

data/app/finders/interesting_findings/fantastico_fileslist.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module InterestingFindings
+      # FantasticoFileslist finder
+      class FantasticoFileslist < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'fantastico_fileslist.txt'
+          res  = target.head_and_get(path)
+          return if res.body.strip.empty?
+          return unless res.headers && res.headers['Content-Type']&.start_with?('text/plain')
+          WPScan::Model::FantasticoFileslist.new(target.url(path), confidence: 70, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/full_path_disclosure.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Full Path Disclosure finder
-      class FullPathDisclosure < CMSScanner::Finders::Finder
+      class FullPathDisclosure < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path        = 'wp-includes/rss-functions.php'

data/app/finders/interesting_findings/headers.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Interesting Headers finder
+      class Headers < Finder
+        # @return [ InterestingFinding ]
+        def passive(_opts = {})
+          r = WPScan::Model::Headers.new(target.homepage_url, confidence: 100, found_by: found_by)
+          r.interesting_entries.empty? ? nil : r
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/mu_plugins.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Must Use Plugins Directory checker
-      class MuPlugins < CMSScanner::Finders::Finder
+      class MuPlugins < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def passive(_opts = {})
           pattern = %r{#{target.content_dir}/mu-plugins/}i

data/app/finders/interesting_findings/multisite.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Multisite checker
-      class Multisite < CMSScanner::Finders::Finder
+      class Multisite < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           url      = target.url('wp-signup.php')

data/app/finders/interesting_findings/php_disabled.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module InterestingFindings
       # See https://github.com/wpscanteam/wpscan/issues/1593
-      class PHPDisabled < CMSScanner::Finders::Finder
-        PATTERN = /\$wp_version =/.freeze
+      class PHPDisabled < WPScan::Finders::Finder
+        PATTERN = /\$wp_version =/
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})

data/app/finders/interesting_findings/readme.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Readme.html finder
-      class Readme < CMSScanner::Finders::Finder
+      class Readme < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           potential_files.each do |path|

data/app/finders/interesting_findings/registration.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Registration Enabled checker
-      class Registration < CMSScanner::Finders::Finder
+      class Registration < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def passive(_opts = {})
           # Maybe check in the homepage if there is the registration url ?

data/app/finders/interesting_findings/robots_txt.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module InterestingFindings
+      # Robots.txt finder
+      class RobotsTxt < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'robots.txt'
+          res  = target.head_and_get(path)
+          return unless res&.code == 200 && res.body =~ /(?:user-agent|(?:dis)?allow):/i
+          WPScan::Model::RobotsTxt.new(target.url(path), confidence: 100, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/search_replace_db_2.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module InterestingFindings
+      # SearchReplaceDB2 finder
+      class SearchReplaceDB2 < Finder
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'searchreplacedb2.php'
+          return unless /by interconnect/i.match?(target.head_and_get(path).body)
+          WPScan::Model::SearchReplaceDB2.new(target.url(path), confidence: 100, found_by: found_by)
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings/tmm_db_migrate.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # Tmm DB Migrate finder
-      class TmmDbMigrate < CMSScanner::Finders::Finder
+      class TmmDbMigrate < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path = 'wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip'

data/app/finders/interesting_findings/upload_directory_listing.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # UploadDirectoryListing finder
-      class UploadDirectoryListing < CMSScanner::Finders::Finder
+      class UploadDirectoryListing < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           path = 'wp-content/uploads/'

data/app/finders/interesting_findings/upload_sql_dump.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module InterestingFindings
       # UploadSQLDump finder
-      class UploadSQLDump < CMSScanner::Finders::Finder
-        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/.freeze
+      class UploadSQLDump < WPScan::Finders::Finder
+        SQL_PATTERN = /(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO/
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})

data/app/finders/interesting_findings/wp_cron.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module InterestingFindings
       # wp-cron.php finder
-      class WPCron < CMSScanner::Finders::Finder
+      class WPCron < WPScan::Finders::Finder
         # @return [ InterestingFinding ]
         def aggressive(_opts = {})
           res = Browser.get(wp_cron_url)

data/app/finders/interesting_findings/xml_rpc.rb ADDED Viewed

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module InterestingFindings
+      # XML RPC finder
+      class XMLRPC < Finder
+        # @return [ Array<String> ] The potential urls to the XMl RPC file
+        def potential_urls
+          @potential_urls ||= []
+        end
+        # @return [ Array<XMLRPC> ]
+        def passive(opts = {})
+          [passive_headers(opts), passive_body(opts)].compact
+        end
+        # @return [ XMLRPC ]
+        def passive_headers(_opts = {})
+          url = target.homepage_res.headers['X-Pingback']
+          return unless target.in_scope?(url)
+          potential_urls << url
+          WPScan::Model::XMLRPC.new(url, confidence: 30, found_by: 'Headers (Passive Detection)')
+        end
+        # @return [ XMLRPC ]
+        def passive_body(_opts = {})
+          target.homepage_res.html.css('link[rel="pingback"]').each do |tag|
+            url = tag.attribute('href').to_s
+            next unless target.in_scope?(url)
+            potential_urls << url
+            return WPScan::Model::XMLRPC.new(url, confidence: 30, found_by: 'Link Tag (Passive Detection)')
+          end
+          nil
+        end
+        # @return [ XMLRPC ]
+        def aggressive(_opts = {})
+          potential_urls << target.url('xmlrpc.php')
+          potential_urls.uniq.each do |potential_url|
+            next unless target.in_scope?(potential_url)
+            res = WPScan::Browser.post(potential_url, body: Digest::MD5.hexdigest(rand(999_999).to_s[0..5]))
+            next unless /<methodResponse>/i.match?(res&.body)
+            return WPScan::Model::XMLRPC.new(potential_url, confidence: 100, found_by: DIRECT_ACCESS)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/app/finders/interesting_findings.rb CHANGED Viewed

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
+require_relative 'interesting_findings/headers'
+require_relative 'interesting_findings/robots_txt'
+require_relative 'interesting_findings/fantastico_fileslist'
+require_relative 'interesting_findings/search_replace_db_2'
+require_relative 'interesting_findings/xml_rpc'
 require_relative 'interesting_findings/readme'
 require_relative 'interesting_findings/wp_cron'
 require_relative 'interesting_findings/multisite'
@@ -18,18 +23,22 @@ require_relative 'interesting_findings/emergency_pwd_reset_script'
 module WPScan
   module Finders
     module InterestingFindings
-      # Interesting Files Finder
-      class Base < CMSScanner::Finders::InterestingFindings::Base
+      # Interesting Files Finder (base + WordPress-specific finders).
+      class Base
+        include IndependentFinder
         # @param [ WPScan::Target ] target
         def initialize(target)
-          super(target)
+          %w[Headers RobotsTxt FantasticoFileslist SearchReplaceDB2 XMLRPC].each do |f|
+            finders << WPScan::Finders::InterestingFindings.const_get(f).new(target)
+          end
           %w[
             Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
             Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
             UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
           ].each do |f|
-            finders << InterestingFindings.const_get(f).new(target)
+            finders << WPScan::Finders::InterestingFindings.const_get(f).new(target)
           end
         end
       end

data/app/finders/main_theme/css_style_in_homepage.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module MainTheme
       # From the CSS style in the homepage
-      class CssStyleInHomepage < CMSScanner::Finders::Finder
+      class CssStyleInHomepage < WPScan::Finders::Finder
         include Finders::WpItems::UrlsInPage # To have the item_code_pattern method available here
         def create_theme(slug, style_url, opts)

data/app/finders/main_theme/urls_in_homepage.rb CHANGED Viewed

@@ -4,22 +4,18 @@ module WPScan
   module Finders
     module MainTheme
       # URLs In Homepage Finder
-      class UrlsInHomepage < CMSScanner::Finders::Finder
+      class UrlsInHomepage < WPScan::Finders::Finder
         include WpItems::UrlsInPage
         # @param [ Hash ] opts
         #
         # @return [ Array<Theme> ]
         def passive(opts = {})
-          found = []
           slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
-          slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
-            found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
+          slugs.tally.map do |slug, occurences|
+            Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
           end
-          found
         end
         # @return [ Typhoeus::Response ]

data/app/finders/main_theme/woo_framework_meta_generator.rb CHANGED Viewed

@@ -4,10 +4,10 @@ module WPScan
   module Finders
     module MainTheme
       # From the WooFramework meta generators
-      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
-        THEME_PATTERN     = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}.freeze
-        FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}.freeze
-        PATTERN           = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i.freeze
+      class WooFrameworkMetaGenerator < WPScan::Finders::Finder
+        THEME_PATTERN     = %r{<meta name="generator" content="([^\s"]+)\s?([^"]+)?"\s+/?>}
+        FRAMEWORK_PATTERN = %r{<meta name="generator" content="WooFramework\s?([^"]+)?"\s+/?>}
+        PATTERN           = /#{THEME_PATTERN}\s+#{FRAMEWORK_PATTERN}/i
         def passive(opts = {})
           return unless target.homepage_res.body =~ PATTERN || target.error_404_res.body =~ PATTERN

data/app/finders/main_theme.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module WPScan
     module MainTheme
       # Main Theme Finder
       class Base
-        include CMSScanner::Finders::UniqueFinder
+        include WPScan::Finders::UniqueFinder
         # @param [ WPScan::Target ] target
         def initialize(target)

data/app/finders/medias/attachment_brute_forcing.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module Medias
       # Medias Finder, see https://github.com/wpscanteam/wpscan/issues/172
-      class AttachmentBruteForcing < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::Enumerator
+      class AttachmentBruteForcing < WPScan::Finders::Finder
+        include WPScan::Finders::Finder::Enumerator
         # @param [ Hash ] opts
         # @option opts [ Range ] :range Mandatory

data/app/finders/medias.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module WPScan
     module Medias
       # Medias Finder
       class Base
-        include CMSScanner::Finders::SameTypeFinder
+        include WPScan::Finders::SameTypeFinder
         # @param [ WPScan::Target ] target
         def initialize(target)

data/app/finders/passwords/wp_login.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module Passwords
       # Password attack against the wp-login.php
-      class WpLogin < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+      class WpLogin < WPScan::Finders::Finder
+        include WPScan::Finders::Finder::BreadthFirstDictionaryAttack
         def login_request(username, password)
           target.login_request(username, password)

data/app/finders/passwords/xml_rpc.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module Passwords
       # Password attack against the XMLRPC interface
-      class XMLRPC < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::BreadthFirstDictionaryAttack
+      class XMLRPC < WPScan::Finders::Finder
+        include WPScan::Finders::Finder::BreadthFirstDictionaryAttack
         def login_request(username, password)
           target.method_call('wp.getUsersBlogs', [username, password], cache_ttl: 0)

data/app/finders/passwords/xml_rpc_multicall.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module WPScan
     module Passwords
       # Password attack against the XMLRPC interface with the multicall method
       # WP < 4.4 is vulnerable to such attack
-      class XMLRPCMulticall < CMSScanner::Finders::Finder
+      class XMLRPCMulticall < WPScan::Finders::Finder
         # @param [ Array<User> ] users
         # @param [ Array<String> ] passwords
         #

data/app/finders/plugin_version/readme.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module PluginVersion
       # Plugin Version Finder from the readme.txt file
-      class Readme < CMSScanner::Finders::Finder
+      class Readme < WPScan::Finders::Finder
         # @return [ Version ]
         def aggressive(_opts = {})
           found_by_msg = 'Readme - %s (Aggressive Detection)'

data/app/finders/plugin_version.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module WPScan
     module PluginVersion
       # Plugin Version Finder
       class Base
-        include CMSScanner::Finders::UniqueFinder
+        include WPScan::Finders::UniqueFinder
         # @param [ Model::Plugin ] plugin
         def initialize(plugin)

data/app/finders/plugins/known_locations.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module WPScan
   module Finders
     module Plugins
       # Known Locations Plugins Finder
-      class KnownLocations < CMSScanner::Finders::Finder
-        include CMSScanner::Finders::Finder::Enumerator
+      class KnownLocations < WPScan::Finders::Finder
+        include WPScan::Finders::Finder::Enumerator
         # @return [ Array<Integer> ]
         def valid_response_codes
@@ -14,22 +14,32 @@ module WPScan
         # @param [ Hash ] opts
         # @option opts [ String ] :list
+        # @option opts [ Findings ] :found Shared findings collection passed by
+        #   BaseFinders#run_finder. We append directly into it as each plugin
+        #   is detected so that Findings#on_append fires during the hydra run,
+        #   enabling streaming output. Falls back to a local array when called
+        #   outside the framework (e.g. directly from specs).
         #
-        # @return [ Array<Plugin> ]
+        # @return [ Array<Plugin> ] Items appended this call (empty when
+        #   already streamed into opts[:found] to avoid double-appending).
         def aggressive(opts = {})
-          found = []
+          shared = opts[:found]
+          local  = shared ? nil : []
+          count  = 0
           enumerate(target_urls(opts), opts.merge(check_full_response: true)) do |res, slug|
             finding_opts = opts.merge(found_by: found_by,
                                       confidence: 80,
                                       interesting_entries: ["#{res.effective_url}, status: #{res.code}"])
-            found << Model::Plugin.new(slug, target, finding_opts)
+            plugin = Model::Plugin.new(slug, target, finding_opts)
+            (shared || local) << plugin
+            count += 1
-            raise Error::PluginsThresholdReached if opts[:threshold].positive? && found.size >= opts[:threshold]
+            raise Error::PluginsThresholdReached if opts[:threshold].positive? && count >= opts[:threshold]
           end
-          found
+          local || []
         end
         # @param [ Hash ] opts

data/app/finders/plugins/urls_in_homepage.rb CHANGED Viewed

@@ -5,20 +5,16 @@ module WPScan
     module Plugins
       # URLs In Homepage Finder
       # Typically, the items detected from URLs like /wp-content/plugins/<slug>/
-      class UrlsInHomepage < CMSScanner::Finders::Finder
+      class UrlsInHomepage < WPScan::Finders::Finder
         include WpItems::UrlsInPage
         # @param [ Hash ] opts
         #
         # @return [ Array<Plugin> ]
         def passive(opts = {})
-          found = []
-          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.each do |slug|
-            found << Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
+          (items_from_links('plugins') + items_from_codes('plugins')).uniq.sort.map do |slug|
+            Model::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
-          found
         end
         # @return [ Typhoeus::Response ]

data/app/finders/plugins/wp_json_api.rb ADDED Viewed

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module Plugins
+      # Authenticated plugin inventory via the WordPress REST API
+      # endpoint /wp-json/wp/v2/plugins (WP >= 5.5).
+      #
+      # Requires admin credentials with the install_plugins / activate_plugins
+      # capability. An Application Password (WP >= 5.6) is the recommended
+      # secret as it bypasses 2FA and is colon-free by construction.
+      class WpJsonApi < WPScan::Finders::Finder
+        FOUND_BY = 'WP REST API (Authenticated)'
+        # @param [ Hash ] opts
+        # @option opts [ String ] :userpwd "user:password" credentials for Basic Auth
+        #
+        # @return [ Array<Model::Plugin> ]
+        def aggressive(opts = {})
+          response = Browser.get(api_url, userpwd: opts[:userpwd], headers: { 'Accept' => 'application/json' })
+          raise Error::WpAuthFailed.new(response.code, api_url) if [401, 403].include?(response.code)
+          raise Error::WpAuthEndpointUnavailable.new(response.code, api_url) unless response.code == 200
+          plugins_from_response(response)
+        rescue JSON::ParserError, TypeError
+          []
+        end
+        # @param [ Typhoeus::Response ] response
+        #
+        # @return [ Array<Model::Plugin> ]
+        def plugins_from_response(response)
+          json = JSON.parse(response.body)
+          return [] unless json.is_a?(Enumerable)
+          json.filter_map { |entry| build_plugin(entry, response.effective_url) }
+        end
+        # @return [ String ] The REST API URL for the plugins endpoint
+        def api_url
+          @api_url ||= target.url('wp-json/wp/v2/plugins')
+        end
+        private
+        # @param [ Hash ] entry
+        # @param [ String ] effective_url
+        #
+        # @return [ Model::Plugin, nil ]
+        def build_plugin(entry, effective_url)
+          slug = slug_from_entry(entry)
+          return nil if slug.nil? || slug.empty?
+          plugin = Model::Plugin.new(
+            slug,
+            target,
+            confidence: 100,
+            found_by: FOUND_BY,
+            interesting_entries: [effective_url]
+          )
+          version = entry['version']
+          plugin.instance_variable_set(
+            :@version,
+            version && !version.to_s.empty? ? Model::Version.new(version, confidence: 100, found_by: FOUND_BY) : false
+          )
+          plugin
+        end
+        # @param [ Hash ] entry
+        #
+        # @return [ String, nil ]
+        # WP REST returns "plugin" as e.g. "akismet/akismet" or just "hello" for the legacy single-file plugin.
+        def slug_from_entry(entry)
+          raw = entry['plugin'] || entry['textdomain']
+          return nil unless raw.is_a?(String)
+          raw.split('/').first
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins.rb CHANGED Viewed

@@ -11,13 +11,14 @@ require_relative 'plugins/body_pattern'
 require_relative 'plugins/javascript_var'
 require_relative 'plugins/query_parameter'
 require_relative 'plugins/config_parser' # Not loaded below as not implemented
+require_relative 'plugins/wp_json_api'   # Authenticated, used by AuthenticatedInventory controller
 module WPScan
   module Finders
     module Plugins
       # Plugins Finder
       class Base
-        include CMSScanner::Finders::SameTypeFinder
+        include WPScan::Finders::SameTypeFinder
         # @param [ WPScan::Target ] target
         def initialize(target)

data/app/finders/theme_version/style.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module ThemeVersion
       # Theme Version Finder from the style.css file
-      class Style < CMSScanner::Finders::Finder
+      class Style < WPScan::Finders::Finder
         # @param [ Hash ] opts
         #
         # @return [ Version ]

data/app/finders/theme_version/woo_framework_meta_generator.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module WPScan
   module Finders
     module ThemeVersion
       # Theme Version Finder from the WooFramework generators
-      class WooFrameworkMetaGenerator < CMSScanner::Finders::Finder
+      class WooFrameworkMetaGenerator < WPScan::Finders::Finder
         # @param [ Hash ] opts
         #
         # @return [ Version ]

data/app/finders/theme_version.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module WPScan
     module ThemeVersion
       # Theme Version Finder
       class Base
-        include CMSScanner::Finders::UniqueFinder
+        include WPScan::Finders::UniqueFinder
         # @param [ Model::Theme ] theme
         def initialize(theme)