wpscan 3.8.8 → 3.8.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0167c94236ac89c5e2cd38cf9c7dfe439f6ec103b85202a16726a7fb81f98cfd
-  data.tar.gz: e804466f9f762ea8e3500cc5725b909101ba5bbe832961f397498c3923f1816a
+  metadata.gz: 1b15205abaabe9c5d311ec5cbb471948a4c385f56bf22166800abecfa071b57a
+  data.tar.gz: f97caad190b0ceff2a35338989f701363fc33bf3ebdf65b722043b03656ac7fd
 SHA512:
-  metadata.gz: e124205e040569aa3c2c47e4baea08d013d7cd3d359c1e531195af3f6d413d12547f46dbbb24d63c585ed0196b41e58e17b7b5c4b6183789ed5e482a94338b19
-  data.tar.gz: d382d043729a8ca55facf66058209c2c51ae2617bc59b071b03c30ce21997bd92ed43ec4c099261717d6b6e86b287dc5664450e52c6ce5c243a3dc3ad6c97910
+  metadata.gz: b77be4cc33ec3c6c7f34cf4a89cd2528dd6f0dd8dde66352f10a96ec085a760282343401e1e75d7247a2e8671257e63894752cf0174025524e0702ed8e890cab
+  data.tar.gz: 801bf830858b01d41c819cd2ebb55b9927b429be71ef661895fde00afe3e1fd2823cc70034d30769842942d173579a363c49dea295873a98f5c95d7c0d00a88f

data/LICENSE

@@ -27,7 +27,7 @@ Example cases which do not require a commercial license, and thus fall under the
  - Using WPScan to test your own systems.
  - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 
 Free-use Terms and Conditions;
 

data/README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://wpscan.org/">
+  <a href="https://wpscan.com/">
     <img src="https://raw.githubusercontent.com/wpscanteam/wpscan/gh-pages/images/wpscan_logo.png" alt="WPScan logo">
   </a>
 </p>
@@ -176,7 +176,7 @@ Example cases which do not require a commercial license, and thus fall under the
 - Using WPScan to test your own systems.
 - Any non-commercial use of WPScan.
 
-If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - contact@wpscan.com.
 
 Free-use Terms and Conditions;
 

data/app/controllers/core.rb

@@ -8,13 +8,13 @@ module WPScan
       def cli_options
         [OptURL.new(['--url URL', 'The URL of the blog to scan'],
                     required_unless: %i[update help hh version], default_protocol: 'http')] +
-          super.drop(1) + # delete the --url from CMSScanner
+          super.drop(2) + # delete the --url and --force from CMSScanner
           [
             OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
                           choices: %w[apache iis nginx],
                           normalize: %i[downcase to_sym],
                           advanced: true),
-            OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
+            OptBoolean.new(['--force', 'Do not check if the target is running WordPress or returns a 403']),
             OptBoolean.new(['--[no-]update', 'Whether or not to update the Database'])
           ]
       end

data/app/controllers/password_attack.rb

@@ -19,7 +19,8 @@ module WPScan
           OptChoice.new(['--password-attack ATTACK',
                          'Force the supplied attack to be used rather than automatically determining one.'],
                         choices: %w[wp-login xmlrpc xmlrpc-multicall],
-                        normalize: %i[downcase underscore to_sym])
+                        normalize: %i[downcase underscore to_sym]),
+          OptString.new(['--login-uri URI', 'The URI of the login page if different from /wp-login.php'])
         ]
       end
 

data/app/controllers/vuln_api.rb

@@ -8,7 +8,10 @@ module WPScan
 
       def cli_options
         [
-          OptString.new(['--api-token TOKEN', 'The WPVulnDB API Token to display vulnerability data'])
+          OptString.new(
+            ['--api-token TOKEN',
+             'The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile']
+          )
         ]
       end
 
@@ -19,7 +22,7 @@ module WPScan
 
         api_status = DB::VulnApi.status
 
-        raise Error::InvalidApiToken if api_status['error']
+        raise Error::InvalidApiToken if api_status['status'] == 'forbidden'
         raise Error::ApiLimitReached if api_status['requests_remaining'] == 0
         raise api_status['http_error'] if api_status['http_error']
       end

data/app/finders/interesting_findings.rb

@@ -6,6 +6,7 @@ require_relative 'interesting_findings/multisite'
 require_relative 'interesting_findings/debug_log'
 require_relative 'interesting_findings/backup_db'
 require_relative 'interesting_findings/mu_plugins'
+require_relative 'interesting_findings/php_disabled'
 require_relative 'interesting_findings/registration'
 require_relative 'interesting_findings/tmm_db_migrate'
 require_relative 'interesting_findings/upload_sql_dump'
@@ -26,7 +27,7 @@ module WPScan
           %w[
             Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
             Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
-            UploadSQLDump EmergencyPwdResetScript WPCron
+            UploadSQLDump EmergencyPwdResetScript WPCron PHPDisabled
           ].each do |f|
             finders << InterestingFindings.const_get(f).new(target)
           end

data/app/finders/interesting_findings/php_disabled.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Finders
+    module InterestingFindings
+      # See https://github.com/wpscanteam/wpscan/issues/1593
+      class PHPDisabled < CMSScanner::Finders::Finder
+        PATTERN = /\$wp_version =/.freeze
+
+        # @return [ InterestingFinding ]
+        def aggressive(_opts = {})
+          path = 'wp-includes/version.php'
+
+          return unless PATTERN.match?(target.head_and_get(path).body)
+
+          Model::PHPDisabled.new(target.url(path), confidence: 100, found_by: DIRECT_ACCESS)
+        end
+      end
+    end
+  end
+end

data/app/models/interesting_finding.rb

@@ -132,5 +132,19 @@ module WPScan
         }
       end
     end
+
+    class PHPDisabled < InterestingFinding
+      # @return [ String ]
+      def to_s
+        @to_s ||= 'PHP seems to be disabled'
+      end
+
+      # @return [ Hash ]
+      def references
+        @references ||= {
+          url: ['https://github.com/wpscanteam/wpscan/issues/1593']
+        }
+      end
+    end
   end
 end

data/app/views/cli/vuln_api/status.erb

@@ -1,13 +1,13 @@
 <% unless @status.empty? -%>
 <% if @status['http_error'] -%>
-<%= critical_icon %> WPVulnDB API, <%= @status['http_error'].to_s %>
+<%= critical_icon %> WPScan DB API, <%= @status['http_error'].to_s %>
 <% else -%>
-<%= info_icon %> WPVulnDB API OK
+<%= info_icon %> WPScan DB API OK
  | Plan: <%= @status['plan'] %>
  | Requests Done (during the scan): <%= @api_requests %>
  | Requests Remaining: <%= @status['requests_remaining'] %>
 <% end -%>
 <% else -%>
-<%= warning_icon %> No WPVulnDB API Token given, as a result vulnerability data has not been output.
+<%= warning_icon %> No WPScan API Token given, as a result vulnerability data has not been output.
 <%= warning_icon %> You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
 <% end -%>

data/app/views/json/vuln_api/status.erb

@@ -8,6 +8,6 @@
 "requests_remaining": <%= @status['requests_remaining'].to_json %>
 <% end -%>
 <% else -%>
-"error": "No WPVulnDB API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
+"error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 50 daily requests by registering at https://wpscan.com/register"
 <% end -%>
 },

data/lib/wpscan/browser.rb

@@ -7,7 +7,7 @@ module WPScan
 
     # @return [ String ]
     def default_user_agent
-      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.org/)"
+      @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.com/wordpress-security-scanner)"
     end
   end
 end

data/lib/wpscan/db/vuln_api.rb

@@ -4,7 +4,7 @@ module WPScan
   module DB
     # WPVulnDB API
     class VulnApi
-      NON_ERROR_CODES = [200, 401].freeze
+      NON_ERROR_CODES = [200, 403].freeze
 
       class << self
         attr_accessor :token
@@ -26,7 +26,7 @@ module WPScan
         # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
         res = Typhoeus.get(uri.join(path), default_request_params.merge(params))
 
-        return {} if res.code == 404 # This is for API inconsistencies when dots in path
+        return {} if res.code == 404 || res.code == 429
         return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
 
         raise Error::HTTP, res
@@ -34,6 +34,8 @@ module WPScan
         retries ||= 0
 
         if (retries += 1) <= 3
+          @default_request_params[:headers]['X-Retry'] = retries
+
           sleep(1)
           retry
         end
@@ -68,7 +70,7 @@ module WPScan
       # @return [ Hash ]
       # @note Those params can not be overriden by CLI options
       def self.default_request_params
-        Browser.instance.default_connect_request_params.merge(
+        @default_request_params ||= Browser.instance.default_connect_request_params.merge(
           headers: {
             'User-Agent' => Browser.instance.default_user_agent,
             'Authorization' => "Token token=#{token}"

data/lib/wpscan/references.rb

@@ -27,7 +27,7 @@ module WPScan
     end
 
     def wpvulndb_url(id)
-      "https://wpscan.com/vulnerabilities/#{id}"
+      "https://wpscan.com/vulnerability/#{id}"
     end
   end
 end

data/lib/wpscan/target/platform/wordpress.rb

@@ -11,9 +11,10 @@ module WPScan
       module WordPress
         include CMSScanner::Target::Platform::PHP
 
-        WORDPRESS_PATTERN      = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
-        WP_JSON_OEMBED_PATTERN = %r{/wp-json/oembed/}i.freeze
-        WP_ADMIN_AJAX_PATTERN  = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
+        WORDPRESS_PATTERN        = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
+        WORDPRESS_HOSTED_PATTERN = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
+        WP_JSON_OEMBED_PATTERN   = %r{/wp-json/oembed/}i.freeze
+        WP_ADMIN_AJAX_PATTERN    = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
 
         # These methods are used in the associated interesting_findings finders
         # to keep the boolean state of the finding rather than re-check the whole thing again
@@ -103,11 +104,8 @@ module WPScan
           return true if /\.wordpress\.com$/i.match?(uri.host)
 
           unless content_dir
-            pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
-            xpath   = '(//@href|//@src)[contains(., "wp.com")]'
-
-            uris_from_page(homepage_res, xpath) do |uri|
-              return true if uri.to_s.match?(pattern)
+            uris_from_page(homepage_res, '(//@href|//@src)[contains(., "wp.com")]') do |uri|
+              return true if uri.to_s.match?(WORDPRESS_HOSTED_PATTERN)
             end
           end
 
@@ -139,11 +137,14 @@ module WPScan
         # the first time the method is called, and the effective_url is then used
         # if suitable, otherwise the default wp-login will be.
         #
+        # If the login_uri CLI option has been provided, it will be returne w/o redirection check.
+        #
         # @return [ String, false ] The URL to the login page or false if not detected
         def login_url
           return @login_url unless @login_url.nil?
+          return @login_url = url(ParsedCli.login_uri) if ParsedCli.login_uri
 
-          @login_url = url('wp-login.php') # TODO: url(ParsedCli.login_uri)
+          @login_url = url('wp-login.php')
 
           res = Browser.get_and_follow_location(@login_url)
 

data/lib/wpscan/typhoeus/response.rb

@@ -7,7 +7,8 @@ module Typhoeus
     #
     # @return [ Boolean ]
     def from_vuln_api?
-      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('/status')
+      effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) &&
+        !effective_url.start_with?(WPScan::DB::VulnApi.uri.join('status').to_s)
     end
   end
 end

data/lib/wpscan/version.rb

@@ -2,5 +2,5 @@
 
 # Version
 module WPScan
-  VERSION = '3.8.8'
+  VERSION = '3.8.13'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wpscan
 version: !ruby/object:Gem::Version
-  version: 3.8.8
+  version: 3.8.13
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-09 00:00:00.000000000 Z
+date: 2021-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cms_scanner
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.13.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.13
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.10.0
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.9.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.21.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.21.0
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -170,17 +170,17 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.11.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: 3.11.0
 description: WPScan is a black box WordPress vulnerability scanner.
 email:
-- team@wpscan.org
+- contact@wpscan.com
 executables:
 - wpscan
 extensions: []
@@ -213,6 +213,7 @@ files:
 - app/finders/interesting_findings/full_path_disclosure.rb
 - app/finders/interesting_findings/mu_plugins.rb
 - app/finders/interesting_findings/multisite.rb
+- app/finders/interesting_findings/php_disabled.rb
 - app/finders/interesting_findings/readme.rb
 - app/finders/interesting_findings/registration.rb
 - app/finders/interesting_findings/tmm_db_migrate.rb
@@ -377,7 +378,7 @@ files:
 - lib/wpscan/version.rb
 - lib/wpscan/vulnerability.rb
 - lib/wpscan/vulnerable.rb
-homepage: https://wpscan.org/
+homepage: https://wpscan.com/wordpress-security-scanner
 licenses:
 - Dual
 metadata: {}