RubyGems - wpscan - Versions diffs - 3.8.3 → 3.8.8 - Mend

wpscan 3.8.3 → 3.8.8

Files changed (21) hide show

checksums.yaml +4 -4
data/README.md +2 -2
data/app/controllers/password_attack.rb +2 -2
data/app/finders/interesting_findings/duplicator_installer_log.rb +1 -1
data/app/finders/main_theme/urls_in_homepage.rb +1 -1
data/app/finders/users.rb +2 -0
data/app/finders/users/author_sitemap.rb +36 -0
data/app/finders/users/yoast_seo_author_sitemap.rb +1 -21
data/app/finders/wp_items/urls_in_page.rb +2 -2
data/app/models/interesting_finding.rb +22 -3
data/app/models/theme.rb +1 -1
data/app/views/cli/vuln_api/status.erb +1 -1
data/app/views/json/vuln_api/status.erb +1 -1
data/lib/wpscan/db/dynamic_finders/base.rb +1 -1
data/lib/wpscan/db/dynamic_finders/plugin.rb +1 -1
data/lib/wpscan/db/dynamic_finders/wordpress.rb +1 -1
data/lib/wpscan/db/vuln_api.rb +1 -1
data/lib/wpscan/finders/dynamic_finder/finder.rb +1 -3
data/lib/wpscan/references.rb +1 -1
data/lib/wpscan/version.rb +1 -1
metadata +13 -12

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 658d14ca9901acb16c2da34ed977e5ad75296c4c8aba3e66ba897ffb5dd55f86
-  data.tar.gz: 788c5a27c5bf10dba5b35e977c3efdfafca97944485cf605f03e34faf65ae68b
+  metadata.gz: 0167c94236ac89c5e2cd38cf9c7dfe439f6ec103b85202a16726a7fb81f98cfd
+  data.tar.gz: e804466f9f762ea8e3500cc5725b909101ba5bbe832961f397498c3923f1816a
 SHA512:
-  metadata.gz: be04200a71b1d710d47e0a8be2b914731803a48c94a8da7bfa1ad777de8f1e103fe9ac785589d70ca905c389c369bd4567118bae6d3585f88f7bf12c52c053af
-  data.tar.gz: 42f54d70d4aea2433c5b619abb5c516e731f7cfefafe9d4e0d8876956eb8470012e211b826c4790b1c7144ff091431906597b2e2a7c1cd63f25b07ab87013caf
+  metadata.gz: e124205e040569aa3c2c47e4baea08d013d7cd3d359c1e531195af3f6d413d12547f46dbbb24d63c585ed0196b41e58e17b7b5c4b6183789ed5e482a94338b19
+  data.tar.gz: d382d043729a8ca55facf66058209c2c51ae2617bc59b071b03c30ce21997bd92ed43ec4c099261717d6b6e86b287dc5664450e52c6ce5c243a3dc3ad6c97910

data/README.md CHANGED

@@ -10,7 +10,7 @@
   WordPress Security Scanner
   <br>
   <br>
-  <a href="https://wpscan.org/" title="homepage" target="_blank">Homepage</a> - <a href="https://wpscan.io/" title="wpscan.io" target="_blank">WPScan.io</a> - <a href="https://wpvulndb.com/" title="vulnerability database" target="_blank">Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
+  <a href="https://wpscan.com/" title="homepage" target="_blank">WPScan WordPress Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
 </p>
 <p align="center">
@@ -82,7 +82,7 @@ The DB is located at ~/.wpscan/db
 ## Vulnerability Database
-The WPScan CLI tool uses the [WPVulnDB API](https://wpvulndb.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPVulnDB](https://wpvulndb.com/users/sign_up). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPVulnDB](https://wpvulndb.com/).
+The WPScan CLI tool uses the [WPScan API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan](https://wpscan.com/register). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPScan](https://wpscan.com/).
 ## Load CLI options from file/s

data/app/controllers/password_attack.rb CHANGED

@@ -88,8 +88,8 @@ module WPScan
       def xmlrpc_get_users_blogs_enabled?
         if xmlrpc&.enabled? &&
            xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
-           xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
-                 .run.body !~ /XML-RPC services are disabled/
+           !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
+                  .run.body.match?(/>\s*405\s*</)
           true
         else

data/app/finders/interesting_findings/duplicator_installer_log.rb CHANGED

@@ -9,7 +9,7 @@ module WPScan
         def aggressive(_opts = {})
           path = 'installer-log.txt'
-          return unless /DUPLICATOR INSTALL-LOG/.match?(target.head_and_get(path).body)
+          return unless /DUPLICATOR(-|\s)?(PRO|LITE)?:? INSTALL-LOG/i.match?(target.head_and_get(path).body)
           Model::DuplicatorInstallerLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
         end

data/app/finders/main_theme/urls_in_homepage.rb CHANGED

@@ -13,7 +13,7 @@ module WPScan
         def passive(opts = {})
           found = []
-          slugs = items_from_links('themes', false) + items_from_codes('themes', false)
+          slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
           slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
             found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))

data/app/finders/users.rb CHANGED

@@ -6,6 +6,7 @@ require_relative 'users/oembed_api'
 require_relative 'users/rss_generator'
 require_relative 'users/author_id_brute_forcing'
 require_relative 'users/login_error_messages'
+require_relative 'users/author_sitemap'
 require_relative 'users/yoast_seo_author_sitemap'
 module WPScan
@@ -22,6 +23,7 @@ module WPScan
             Users::WpJsonApi.new(target) <<
             Users::OembedApi.new(target) <<
             Users::RSSGenerator.new(target) <<
+            Users::AuthorSitemap.new(target) <<
             Users::YoastSeoAuthorSitemap.new(target) <<
             Users::AuthorIdBruteForcing.new(target) <<
             Users::LoginErrorMessages.new(target)

data/app/finders/users/author_sitemap.rb ADDED

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+module WPScan
+  module Finders
+    module Users
+      # Since WP 5.5, /wp-sitemap-users-1.xml is generated and contains
+      # the usernames of accounts who made a post
+      class AuthorSitemap < CMSScanner::Finders::Finder
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<User> ]
+        def aggressive(_opts = {})
+          found = []
+          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
+            username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
+            next unless username && !username.strip.empty?
+            found << Model::User.new(username,
+                                     found_by: found_by,
+                                     confidence: 100,
+                                     interesting_entries: [sitemap_url])
+          end
+          found
+        end
+        # @return [ String ] The URL of the sitemap
+        def sitemap_url
+          @sitemap_url ||= target.url('wp-sitemap-users-1.xml')
+        end
+      end
+    end
+  end
+end

data/app/finders/users/yoast_seo_author_sitemap.rb CHANGED

@@ -5,27 +5,7 @@ module WPScan
     module Users
       # The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
       # See https://github.com/wpscanteam/wpscan/issues/1228
-      class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
-        # @param [ Hash ] opts
-        #
-        # @return [ Array<User> ]
-        def aggressive(_opts = {})
-          found = []
-          Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
-            username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
-            next unless username && !username.strip.empty?
-            found << Model::User.new(username,
-                                     found_by: found_by,
-                                     confidence: 100,
-                                     interesting_entries: [sitemap_url])
-          end
-          found
-        end
+      class YoastSeoAuthorSitemap < AuthorSitemap
         # @return [ String ] The URL of the author-sitemap
         def sitemap_url
           @sitemap_url ||= target.url('author-sitemap.xml')

data/app/finders/wp_items/urls_in_page.rb CHANGED

@@ -9,7 +9,7 @@ module WPScan
         # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
         #
         # @return [ Array<String> ] The plugins/themes detected in the href, src attributes of the page
-        def items_from_links(type, uniq = true)
+        def items_from_links(type, uniq: true)
           found = []
           xpath = format(
             '(//@href|//@src|//@data-src)[contains(., "%s")]',
@@ -31,7 +31,7 @@ module WPScan
         # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
         #
         # @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
-        def items_from_codes(type, uniq = true)
+        def items_from_codes(type, uniq: true)
           found = []
           page_res.html.xpath('//script[not(@src)]|//style[not(@src)]').each do |tag|

data/app/models/interesting_finding.rb CHANGED

@@ -7,10 +7,11 @@ module WPScan
       include References
     end
-    #
-    # Some classes are empty for the #type to be correctly displayed (as taken from the self.class from the parent)
-    #
     class BackupDB < InterestingFinding
+      def to_s
+        @to_s ||= "A backup directory has been found: #{url}"
+      end
       # @return [ Hash ]
       def references
         @references ||= { url: ['https://github.com/wpscanteam/wpscan/issues/422'] }
@@ -18,6 +19,10 @@ module WPScan
     end
     class DebugLog < InterestingFinding
+      def to_s
+        @to_s ||= "Debug Log found: #{url}"
+      end
       # @ return [ Hash ]
       def references
         @references ||= { url: ['https://codex.wordpress.org/Debugging_in_WordPress'] }
@@ -40,6 +45,10 @@ module WPScan
     end
     class FullPathDisclosure < InterestingFinding
+      def to_s
+        @to_s ||= "Full Path Disclosure found: #{url}"
+      end
       # @return [ Hash ]
       def references
         @references ||= { url: ['https://www.owasp.org/index.php/Full_Path_Disclosure'] }
@@ -71,6 +80,9 @@ module WPScan
     end
     class Readme < InterestingFinding
+      def to_s
+        @to_s ||= "WordPress readme found: #{url}"
+      end
     end
     class Registration < InterestingFinding
@@ -81,6 +93,10 @@ module WPScan
     end
     class TmmDbMigrate < InterestingFinding
+      def to_s
+        @to_s ||= "ThemeMakers migration file found: #{url}"
+      end
       # @return [ Hash ]
       def references
         @references ||= { packetstorm: [131_957] }
@@ -95,6 +111,9 @@ module WPScan
     end
     class UploadSQLDump < InterestingFinding
+      def to_s
+        @to_s ||= "SQL Dump found: #{url}"
+      end
     end
     class WPCron < InterestingFinding

data/app/models/theme.rb CHANGED

@@ -101,7 +101,7 @@ module WPScan
       #
       # @return [ String ]
       def parse_style_tag(body, tag)
-        value = body[/#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/i, 1]
+        value = body[/\b#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/, 1]
         value && !value.strip.empty? ? value.strip : nil
       end

data/app/views/cli/vuln_api/status.erb CHANGED

@@ -9,5 +9,5 @@
 <% end -%>
 <% else -%>
 <%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
-<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
+<%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
 <% end -%>

data/app/views/json/vuln_api/status.erb CHANGED

@@ -8,6 +8,6 @@
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
-"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up"
+"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
 <% end -%>
 },

data/lib/wpscan/db/dynamic_finders/base.rb CHANGED

@@ -31,7 +31,7 @@ module WPScan
           finder_configs(
             finder_class,
-            Regexp.last_match[1] == 'aggressive'
+            aggressive: Regexp.last_match[1] == 'aggressive'
           )
         end

data/lib/wpscan/db/dynamic_finders/plugin.rb CHANGED

@@ -16,7 +16,7 @@ module WPScan
         # @param [ Symbol ] finder_class
         # @param [ Boolean ] aggressive
         # @return [ Hash ]
-        def self.finder_configs(finder_class, aggressive = false)
+        def self.finder_configs(finder_class, aggressive: false)
           configs = {}
           return configs unless allowed_classes.include?(finder_class)

data/lib/wpscan/db/dynamic_finders/wordpress.rb CHANGED

@@ -24,7 +24,7 @@ module WPScan
         # @param [ Symbol ] finder_class
         # @param [ Boolean ] aggressive
         # @return [ Hash ]
-        def self.finder_configs(finder_class, aggressive = false)
+        def self.finder_configs(finder_class, aggressive: false)
           configs = {}
           return configs unless allowed_classes.include?(finder_class)

data/lib/wpscan/db/vuln_api.rb CHANGED

@@ -12,7 +12,7 @@ module WPScan
       # @return [ Addressable::URI ]
       def self.uri
-        @uri ||= Addressable::URI.parse('https://wpvulndb.com/api/v3/')
+        @uri ||= Addressable::URI.parse('https://wpscan.com/api/v3/')
       end
       # @param [ String ] path

data/lib/wpscan/finders/dynamic_finder/finder.rb CHANGED

@@ -56,9 +56,7 @@ module WPScan
           homepage_result = find(target.homepage_res, opts)
-          if homepage_result
-            return homepage_result unless homepage_result.is_a?(Array) && homepage_result.empty?
-          end
+          return homepage_result unless homepage_result.nil? || homepage_result.is_a?(Array) && homepage_result&.empty?
           find(target.error_404_res, opts)
         end

data/lib/wpscan/references.rb CHANGED

@@ -27,7 +27,7 @@ module WPScan
     end
     def wpvulndb_url(id)
-      "https://wpvulndb.com/vulnerabilities/#{id}"
+      "https://wpscan.com/vulnerabilities/#{id}"
     end
   end
 end

data/lib/wpscan/version.rb CHANGED

@@ -2,5 +2,5 @@
 # Version
 module WPScan
-  VERSION = '3.8.3'
+  VERSION = '3.8.8'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.8.3
+  version: 3.8.8
 platform: ruby
 authors:
 - WPScanTeam
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-17 00:00:00.000000000 Z
+date: 2020-10-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.0
+        version: 0.12.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.0
+        version: 0.12.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.88.0
+        version: 0.93.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.88.0
+        version: 0.93.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.7.0
+        version: 1.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.7.0
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.18.2
+        version: 0.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.18.2
+        version: 0.19.0
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +170,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 3.9.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 3.9.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
 - team@wpscan.org
@@ -258,6 +258,7 @@ files:
 - app/finders/users.rb
 - app/finders/users/author_id_brute_forcing.rb
 - app/finders/users/author_posts.rb
+- app/finders/users/author_sitemap.rb
 - app/finders/users/login_error_messages.rb
 - app/finders/users/oembed_api.rb
 - app/finders/users/rss_generator.rb