wpscan 3.8.3 → 3.8.8

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 658d14ca9901acb16c2da34ed977e5ad75296c4c8aba3e66ba897ffb5dd55f86
4
- data.tar.gz: 788c5a27c5bf10dba5b35e977c3efdfafca97944485cf605f03e34faf65ae68b
3
+ metadata.gz: 0167c94236ac89c5e2cd38cf9c7dfe439f6ec103b85202a16726a7fb81f98cfd
4
+ data.tar.gz: e804466f9f762ea8e3500cc5725b909101ba5bbe832961f397498c3923f1816a
5
5
  SHA512:
6
- metadata.gz: be04200a71b1d710d47e0a8be2b914731803a48c94a8da7bfa1ad777de8f1e103fe9ac785589d70ca905c389c369bd4567118bae6d3585f88f7bf12c52c053af
7
- data.tar.gz: 42f54d70d4aea2433c5b619abb5c516e731f7cfefafe9d4e0d8876956eb8470012e211b826c4790b1c7144ff091431906597b2e2a7c1cd63f25b07ab87013caf
6
+ metadata.gz: e124205e040569aa3c2c47e4baea08d013d7cd3d359c1e531195af3f6d413d12547f46dbbb24d63c585ed0196b41e58e17b7b5c4b6183789ed5e482a94338b19
7
+ data.tar.gz: d382d043729a8ca55facf66058209c2c51ae2617bc59b071b03c30ce21997bd92ed43ec4c099261717d6b6e86b287dc5664450e52c6ce5c243a3dc3ad6c97910
data/README.md CHANGED
@@ -10,7 +10,7 @@
10
10
  WordPress Security Scanner
11
11
  <br>
12
12
  <br>
13
- <a href="https://wpscan.org/" title="homepage" target="_blank">Homepage</a> - <a href="https://wpscan.io/" title="wpscan.io" target="_blank">WPScan.io</a> - <a href="https://wpvulndb.com/" title="vulnerability database" target="_blank">Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
13
+ <a href="https://wpscan.com/" title="homepage" target="_blank">WPScan WordPress Vulnerability Database</a> - <a href="https://wordpress.org/plugins/wpscan/" title="wordpress security plugin" target="_blank">WordPress Security Plugin</a>
14
14
  </p>
15
15
 
16
16
  <p align="center">
@@ -82,7 +82,7 @@ The DB is located at ~/.wpscan/db
82
82
 
83
83
  ## Vulnerability Database
84
84
 
85
- The WPScan CLI tool uses the [WPVulnDB API](https://wpvulndb.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPVulnDB](https://wpvulndb.com/users/sign_up). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPVulnDB](https://wpvulndb.com/).
85
+ The WPScan CLI tool uses the [WPScan API](https://wpscan.com/api) to retrieve WordPress vulnerability data in real time. For WPScan to retrieve the vulnerability data an API token must be supplied via the `--api-token` option, or via a configuration file, as discussed below. An API token can be obtained by registering an account on [WPScan](https://wpscan.com/register). Up to 50 API requests per day are given free of charge to registered users. Once the 50 API requests are exhausted, WPScan will continue to work as normal but without any vulnerability data. Users can upgrade to paid API usage to increase their API limits within their user profile on [WPScan](https://wpscan.com/).
86
86
 
87
87
  ## Load CLI options from file/s
88
88
 
@@ -88,8 +88,8 @@ module WPScan
88
88
  def xmlrpc_get_users_blogs_enabled?
89
89
  if xmlrpc&.enabled? &&
90
90
  xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
91
- xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
92
- .run.body !~ /XML-RPC services are disabled/
91
+ !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
92
+ .run.body.match?(/>\s*405\s*</)
93
93
 
94
94
  true
95
95
  else
@@ -9,7 +9,7 @@ module WPScan
9
9
  def aggressive(_opts = {})
10
10
  path = 'installer-log.txt'
11
11
 
12
- return unless /DUPLICATOR INSTALL-LOG/.match?(target.head_and_get(path).body)
12
+ return unless /DUPLICATOR(-|\s)?(PRO|LITE)?:? INSTALL-LOG/i.match?(target.head_and_get(path).body)
13
13
 
14
14
  Model::DuplicatorInstallerLog.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
15
15
  end
@@ -13,7 +13,7 @@ module WPScan
13
13
  def passive(opts = {})
14
14
  found = []
15
15
 
16
- slugs = items_from_links('themes', false) + items_from_codes('themes', false)
16
+ slugs = items_from_links('themes', uniq: false) + items_from_codes('themes', uniq: false)
17
17
 
18
18
  slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
19
19
  found << Model::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
@@ -6,6 +6,7 @@ require_relative 'users/oembed_api'
6
6
  require_relative 'users/rss_generator'
7
7
  require_relative 'users/author_id_brute_forcing'
8
8
  require_relative 'users/login_error_messages'
9
+ require_relative 'users/author_sitemap'
9
10
  require_relative 'users/yoast_seo_author_sitemap'
10
11
 
11
12
  module WPScan
@@ -22,6 +23,7 @@ module WPScan
22
23
  Users::WpJsonApi.new(target) <<
23
24
  Users::OembedApi.new(target) <<
24
25
  Users::RSSGenerator.new(target) <<
26
+ Users::AuthorSitemap.new(target) <<
25
27
  Users::YoastSeoAuthorSitemap.new(target) <<
26
28
  Users::AuthorIdBruteForcing.new(target) <<
27
29
  Users::LoginErrorMessages.new(target)
@@ -0,0 +1,36 @@
1
+ # frozen_string_literal: true
2
+
3
+ module WPScan
4
+ module Finders
5
+ module Users
6
+ # Since WP 5.5, /wp-sitemap-users-1.xml is generated and contains
7
+ # the usernames of accounts who made a post
8
+ class AuthorSitemap < CMSScanner::Finders::Finder
9
+ # @param [ Hash ] opts
10
+ #
11
+ # @return [ Array<User> ]
12
+ def aggressive(_opts = {})
13
+ found = []
14
+
15
+ Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
16
+ username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
17
+
18
+ next unless username && !username.strip.empty?
19
+
20
+ found << Model::User.new(username,
21
+ found_by: found_by,
22
+ confidence: 100,
23
+ interesting_entries: [sitemap_url])
24
+ end
25
+
26
+ found
27
+ end
28
+
29
+ # @return [ String ] The URL of the sitemap
30
+ def sitemap_url
31
+ @sitemap_url ||= target.url('wp-sitemap-users-1.xml')
32
+ end
33
+ end
34
+ end
35
+ end
36
+ end
@@ -5,27 +5,7 @@ module WPScan
5
5
  module Users
6
6
  # The YOAST SEO plugin has an author-sitemap.xml which can leak usernames
7
7
  # See https://github.com/wpscanteam/wpscan/issues/1228
8
- class YoastSeoAuthorSitemap < CMSScanner::Finders::Finder
9
- # @param [ Hash ] opts
10
- #
11
- # @return [ Array<User> ]
12
- def aggressive(_opts = {})
13
- found = []
14
-
15
- Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
16
- username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
17
-
18
- next unless username && !username.strip.empty?
19
-
20
- found << Model::User.new(username,
21
- found_by: found_by,
22
- confidence: 100,
23
- interesting_entries: [sitemap_url])
24
- end
25
-
26
- found
27
- end
28
-
8
+ class YoastSeoAuthorSitemap < AuthorSitemap
29
9
  # @return [ String ] The URL of the author-sitemap
30
10
  def sitemap_url
31
11
  @sitemap_url ||= target.url('author-sitemap.xml')
@@ -9,7 +9,7 @@ module WPScan
9
9
  # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
10
10
  #
11
11
  # @return [ Array<String> ] The plugins/themes detected in the href, src attributes of the page
12
- def items_from_links(type, uniq = true)
12
+ def items_from_links(type, uniq: true)
13
13
  found = []
14
14
  xpath = format(
15
15
  '(//@href|//@src|//@data-src)[contains(., "%s")]',
@@ -31,7 +31,7 @@ module WPScan
31
31
  # @param [ Boolean ] uniq Wether or not to apply the #uniq on the results
32
32
  #
33
33
  # @return [Array<String> ] The plugins/themes detected in the javascript/style of the homepage
34
- def items_from_codes(type, uniq = true)
34
+ def items_from_codes(type, uniq: true)
35
35
  found = []
36
36
 
37
37
  page_res.html.xpath('//script[not(@src)]|//style[not(@src)]').each do |tag|
@@ -7,10 +7,11 @@ module WPScan
7
7
  include References
8
8
  end
9
9
 
10
- #
11
- # Some classes are empty for the #type to be correctly displayed (as taken from the self.class from the parent)
12
- #
13
10
  class BackupDB < InterestingFinding
11
+ def to_s
12
+ @to_s ||= "A backup directory has been found: #{url}"
13
+ end
14
+
14
15
  # @return [ Hash ]
15
16
  def references
16
17
  @references ||= { url: ['https://github.com/wpscanteam/wpscan/issues/422'] }
@@ -18,6 +19,10 @@ module WPScan
18
19
  end
19
20
 
20
21
  class DebugLog < InterestingFinding
22
+ def to_s
23
+ @to_s ||= "Debug Log found: #{url}"
24
+ end
25
+
21
26
  # @ return [ Hash ]
22
27
  def references
23
28
  @references ||= { url: ['https://codex.wordpress.org/Debugging_in_WordPress'] }
@@ -40,6 +45,10 @@ module WPScan
40
45
  end
41
46
 
42
47
  class FullPathDisclosure < InterestingFinding
48
+ def to_s
49
+ @to_s ||= "Full Path Disclosure found: #{url}"
50
+ end
51
+
43
52
  # @return [ Hash ]
44
53
  def references
45
54
  @references ||= { url: ['https://www.owasp.org/index.php/Full_Path_Disclosure'] }
@@ -71,6 +80,9 @@ module WPScan
71
80
  end
72
81
 
73
82
  class Readme < InterestingFinding
83
+ def to_s
84
+ @to_s ||= "WordPress readme found: #{url}"
85
+ end
74
86
  end
75
87
 
76
88
  class Registration < InterestingFinding
@@ -81,6 +93,10 @@ module WPScan
81
93
  end
82
94
 
83
95
  class TmmDbMigrate < InterestingFinding
96
+ def to_s
97
+ @to_s ||= "ThemeMakers migration file found: #{url}"
98
+ end
99
+
84
100
  # @return [ Hash ]
85
101
  def references
86
102
  @references ||= { packetstorm: [131_957] }
@@ -95,6 +111,9 @@ module WPScan
95
111
  end
96
112
 
97
113
  class UploadSQLDump < InterestingFinding
114
+ def to_s
115
+ @to_s ||= "SQL Dump found: #{url}"
116
+ end
98
117
  end
99
118
 
100
119
  class WPCron < InterestingFinding
@@ -101,7 +101,7 @@ module WPScan
101
101
  #
102
102
  # @return [ String ]
103
103
  def parse_style_tag(body, tag)
104
- value = body[/#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/i, 1]
104
+ value = body[/\b#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/, 1]
105
105
 
106
106
  value && !value.strip.empty? ? value.strip : nil
107
107
  end
@@ -9,5 +9,5 @@
9
9
  <% end -%>
10
10
  <% else -%>
11
11
  <%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
12
- <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
12
+ <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
13
13
  <% end -%>
@@ -8,6 +8,6 @@
8
8
  "requests_remaining": <%= @status['requests_remaining'].to_json %>
9
9
  <% end -%>
10
10
  <% else -%>
11
- "error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up"
11
+ "error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
12
12
  <% end -%>
13
13
  },
@@ -31,7 +31,7 @@ module WPScan
31
31
 
32
32
  finder_configs(
33
33
  finder_class,
34
- Regexp.last_match[1] == 'aggressive'
34
+ aggressive: Regexp.last_match[1] == 'aggressive'
35
35
  )
36
36
  end
37
37
 
@@ -16,7 +16,7 @@ module WPScan
16
16
  # @param [ Symbol ] finder_class
17
17
  # @param [ Boolean ] aggressive
18
18
  # @return [ Hash ]
19
- def self.finder_configs(finder_class, aggressive = false)
19
+ def self.finder_configs(finder_class, aggressive: false)
20
20
  configs = {}
21
21
 
22
22
  return configs unless allowed_classes.include?(finder_class)
@@ -24,7 +24,7 @@ module WPScan
24
24
  # @param [ Symbol ] finder_class
25
25
  # @param [ Boolean ] aggressive
26
26
  # @return [ Hash ]
27
- def self.finder_configs(finder_class, aggressive = false)
27
+ def self.finder_configs(finder_class, aggressive: false)
28
28
  configs = {}
29
29
 
30
30
  return configs unless allowed_classes.include?(finder_class)
@@ -12,7 +12,7 @@ module WPScan
12
12
 
13
13
  # @return [ Addressable::URI ]
14
14
  def self.uri
15
- @uri ||= Addressable::URI.parse('https://wpvulndb.com/api/v3/')
15
+ @uri ||= Addressable::URI.parse('https://wpscan.com/api/v3/')
16
16
  end
17
17
 
18
18
  # @param [ String ] path
@@ -56,9 +56,7 @@ module WPScan
56
56
 
57
57
  homepage_result = find(target.homepage_res, opts)
58
58
 
59
- if homepage_result
60
- return homepage_result unless homepage_result.is_a?(Array) && homepage_result.empty?
61
- end
59
+ return homepage_result unless homepage_result.nil? || homepage_result.is_a?(Array) && homepage_result&.empty?
62
60
 
63
61
  find(target.error_404_res, opts)
64
62
  end
@@ -27,7 +27,7 @@ module WPScan
27
27
  end
28
28
 
29
29
  def wpvulndb_url(id)
30
- "https://wpvulndb.com/vulnerabilities/#{id}"
30
+ "https://wpscan.com/vulnerabilities/#{id}"
31
31
  end
32
32
  end
33
33
  end
@@ -2,5 +2,5 @@
2
2
 
3
3
  # Version
4
4
  module WPScan
5
- VERSION = '3.8.3'
5
+ VERSION = '3.8.8'
6
6
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wpscan
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.8.3
4
+ version: 3.8.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - WPScanTeam
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-07-17 00:00:00.000000000 Z
11
+ date: 2020-10-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: 0.12.0
19
+ version: 0.12.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: 0.12.0
26
+ version: 0.12.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: bundler
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: 0.88.0
103
+ version: 0.93.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: 0.88.0
110
+ version: 0.93.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: rubocop-performance
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 1.7.0
117
+ version: 1.8.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 1.7.0
124
+ version: 1.8.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: simplecov
127
127
  requirement: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: 0.18.2
131
+ version: 0.19.0
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - "~>"
137
137
  - !ruby/object:Gem::Version
138
- version: 0.18.2
138
+ version: 0.19.0
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: simplecov-lcov
141
141
  requirement: !ruby/object:Gem::Requirement
@@ -170,14 +170,14 @@ dependencies:
170
170
  requirements:
171
171
  - - "~>"
172
172
  - !ruby/object:Gem::Version
173
- version: 3.8.0
173
+ version: 3.9.0
174
174
  type: :development
175
175
  prerelease: false
176
176
  version_requirements: !ruby/object:Gem::Requirement
177
177
  requirements:
178
178
  - - "~>"
179
179
  - !ruby/object:Gem::Version
180
- version: 3.8.0
180
+ version: 3.9.0
181
181
  description: WPScan is a black box WordPress vulnerability scanner.
182
182
  email:
183
183
  - team@wpscan.org
@@ -258,6 +258,7 @@ files:
258
258
  - app/finders/users.rb
259
259
  - app/finders/users/author_id_brute_forcing.rb
260
260
  - app/finders/users/author_posts.rb
261
+ - app/finders/users/author_sitemap.rb
261
262
  - app/finders/users/login_error_messages.rb
262
263
  - app/finders/users/oembed_api.rb
263
264
  - app/finders/users/rss_generator.rb