wpscan 3.0.3 → 3.0.4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (22) hide show
  1. checksums.yaml +4 -4
  2. data/app/controllers/core.rb +2 -2
  3. data/app/controllers/enumeration.rb +2 -2
  4. data/app/controllers/enumeration/cli_options.rb +7 -7
  5. data/app/controllers/enumeration/enum_methods.rb +1 -1
  6. data/app/controllers/main_theme.rb +1 -1
  7. data/app/controllers/wp_version.rb +1 -1
  8. data/app/finders/interesting_findings.rb +2 -2
  9. data/app/finders/interesting_findings/readme.rb +1 -1
  10. data/app/finders/plugin_version/layer_slider/translation_file.rb +1 -1
  11. data/app/finders/timthumbs/known_locations.rb +2 -2
  12. data/app/finders/users/author_posts.rb +1 -1
  13. data/app/finders/wp_version/atom_generator.rb +1 -1
  14. data/app/finders/wp_version/rss_generator.rb +1 -1
  15. data/app/models/timthumb.rb +3 -3
  16. data/app/models/wp_item.rb +3 -3
  17. data/app/models/wp_version.rb +0 -1
  18. data/lib/wpscan/db/updater.rb +2 -2
  19. data/lib/wpscan/db/wp_items.rb +1 -1
  20. data/lib/wpscan/target/platform/wordpress.rb +1 -1
  21. data/lib/wpscan/version.rb +1 -1
  22. metadata +30 -16
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 4d9052417cae5d1b8c68bd2992c2e0c8ce035475
4
- data.tar.gz: 0bb18cca39de608eda80347745bc5e287574a0bf
3
+ metadata.gz: aec6c21b96dc11fe0d1de37121edb9d4cce6580e
4
+ data.tar.gz: 9dfc21c798b02915e4e06815d6bc0808b0567f5a
5
5
  SHA512:
6
- metadata.gz: 8246a24671367caf940874b35f4f08ce3bca6c381a857e45084630294799835d5ef9e7f425b662321aebcaaeb9c2100008707b153db071c7cc1d66a3560cfb5a
7
- data.tar.gz: bbbc9906b96ff16e5a964342ff8cedab63c1b00ad25be29208bd0939df9abd53507da40b2899e474cf72f44f9d69a35af5641b6e4115888e8bedb0631dbe7883
6
+ metadata.gz: 7dea9f1e9a2afc8240533a355690381b33f360aa658b3fd1135b94b25ccca86bfd60585dee81110147592737c060e13f4935112d5194b19b6af06d64e8870b20
7
+ data.tar.gz: f79944aec35413d122216f01100e1d13e1ed3f575935bd4a4dac2331b2dc94a1fcb9dbbb4f230674ed815a5d358753c22e1cb4f5cb59eef3fe366c9ee8ba88df
data/app/controllers/core.rb CHANGED
@@ -8,8 +8,8 @@ module WPScan
8
8
  super.drop(1) + # delete the --url from CMSScanner
9
9
  [
10
10
  OptChoice.new(['--server SERVER', 'Force the supplied server module to be loaded'],
11
- choices: %w(apache iis nginx),
12
- normalize: [:downcase, :to_sym]),
11
+ choices: %w[apache iis nginx],
12
+ normalize: %i[downcase to_sym]),
13
13
  OptBoolean.new(['--force', 'Do not check if the target is running WordPress']),
14
14
  OptBoolean.new(['--[no-]update', 'Wether or not to update the Database'], required_unless: :url)
15
15
  ]
data/app/controllers/enumeration.rb CHANGED
@@ -8,7 +8,7 @@ module WPScan
8
8
  def before_scan
9
9
  # Create the Dynamic Finders
10
10
  DB::DynamicPluginFinders.db_data.each do |name, config|
11
- %w(Comments).each do |klass|
11
+ %w[Comments].each do |klass|
12
12
  next unless config[klass] && config[klass]['version']
13
13
 
14
14
  constant_name = name.tr('-', '_').camelize
@@ -42,7 +42,7 @@ module WPScan
42
42
  enum_plugins if enum_plugins?(enum)
43
43
  enum_themes if enum_themes?(enum)
44
44
 
45
- [:timthumbs, :config_backups, :medias].each do |key|
45
+ %i[timthumbs config_backups medias].each do |key|
46
46
  send("enum_#{key}".to_sym) if enum.key?(key)
47
47
  end
48
48
 
data/app/controllers/enumeration/cli_options.rb CHANGED
@@ -26,7 +26,7 @@ module WPScan
26
26
  m: OptIntegerRange.new(['--medias', 'Media ids range. e.g m1-15'], value_if_empty: '1-100')
27
27
  },
28
28
  value_if_empty: 'vp,vt,tt,cb,u,m',
29
- incompatible: [[:vp, :ap, :p], [:vt, :at, :t]]
29
+ incompatible: [%i[vp ap p], %i[vt at t]]
30
30
  ),
31
31
  OptRegexp.new(
32
32
  [
@@ -46,7 +46,7 @@ module WPScan
46
46
  OptChoice.new(
47
47
  ['--plugins-detection MODE',
48
48
  'Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.'],
49
- choices: %w(mixed passive aggressive), normalize: :to_sym
49
+ choices: %w[mixed passive aggressive], normalize: :to_sym
50
50
  ),
51
51
  OptBoolean.new(['--plugins-version-all', 'Check all the plugins version locations'])
52
52
  ]
@@ -59,7 +59,7 @@ module WPScan
59
59
  OptChoice.new(
60
60
  ['--themes-detection MODE',
61
61
  'Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.'],
62
- choices: %w(mixed passive aggressive), normalize: :to_sym
62
+ choices: %w[mixed passive aggressive], normalize: :to_sym
63
63
  ),
64
64
  OptBoolean.new(['--themes-version-all', 'Check all the themes version locations'])
65
65
  ]
@@ -75,7 +75,7 @@ module WPScan
75
75
  OptChoice.new(
76
76
  ['--timthumbs-detection MODE',
77
77
  'Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.'],
78
- choices: %w(mixed passive aggressive), normalize: :to_sym
78
+ choices: %w[mixed passive aggressive], normalize: :to_sym
79
79
  )
80
80
  ]
81
81
  end
@@ -90,7 +90,7 @@ module WPScan
90
90
  OptChoice.new(
91
91
  ['--config-backups-detection MODE',
92
92
  'Use the supplied mode to enumerate Configs, instead of the global (--detection-mode) mode.'],
93
- choices: %w(mixed passive aggressive), normalize: :to_sym
93
+ choices: %w[mixed passive aggressive], normalize: :to_sym
94
94
  )
95
95
  ]
96
96
  end
@@ -101,7 +101,7 @@ module WPScan
101
101
  OptChoice.new(
102
102
  ['--medias-detection MODE',
103
103
  'Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.'],
104
- choices: %w(mixed passive aggressive), normalize: :to_sym
104
+ choices: %w[mixed passive aggressive], normalize: :to_sym
105
105
  )
106
106
  ]
107
107
  end
@@ -117,7 +117,7 @@ module WPScan
117
117
  OptChoice.new(
118
118
  ['--users-detection MODE',
119
119
  'Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.'],
120
- choices: %w(mixed passive aggressive), normalize: :to_sym
120
+ choices: %w[mixed passive aggressive], normalize: :to_sym
121
121
  )
122
122
  ]
123
123
  end
data/app/controllers/enumeration/enum_methods.rb CHANGED
@@ -6,7 +6,7 @@ module WPScan
6
6
  #
7
7
  # @return [ String ] The related enumration message depending on the parsed_options and type supplied
8
8
  def enum_message(type)
9
- return unless type == 'plugins' || type == 'themes'
9
+ return unless %w[plugins themes].include?(type)
10
10
 
11
11
  details = if parsed_options[:enumerate][:"vulnerable_#{type}"]
12
12
  'Vulnerable'
data/app/controllers/main_theme.rb CHANGED
@@ -7,7 +7,7 @@ module WPScan
7
7
  OptChoice.new(
8
8
  ['--main-theme-detection MODE',
9
9
  'Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.'],
10
- choices: %w(mixed passive aggressive),
10
+ choices: %w[mixed passive aggressive],
11
11
  normalize: :to_sym
12
12
  )
13
13
  ]
data/app/controllers/wp_version.rb CHANGED
@@ -9,7 +9,7 @@ module WPScan
9
9
  ['--wp-version-detection MODE',
10
10
  'Use the supplied mode for the WordPress version detection, ' \
11
11
  'instead of the global (--detection-mode) mode.'],
12
- choices: %w(mixed passive aggressive),
12
+ choices: %w[mixed passive aggressive],
13
13
  normalize: :to_sym
14
14
  )
15
15
  ]
data/app/finders/interesting_findings.rb CHANGED
@@ -19,11 +19,11 @@ module WPScan
19
19
  def initialize(target)
20
20
  super(target)
21
21
 
22
- %w(
22
+ %w[
23
23
  Readme DebugLog FullPathDisclosure BackupDB DuplicatorInstallerLog
24
24
  Multisite MuPlugins Registration UploadDirectoryListing TmmDbMigrate
25
25
  UploadSQLDump
26
- ).each do |f|
26
+ ].each do |f|
27
27
  finders << InterestingFindings.const_get(f).new(target)
28
28
  end
29
29
  end
data/app/finders/interesting_findings/readme.rb CHANGED
@@ -18,7 +18,7 @@ module WPScan
18
18
 
19
19
  # @retun [ Array<String> ] The list of potential readme files
20
20
  def potential_files
21
- %w(readme.html olvasdel.html lisenssi.html liesmich.html)
21
+ %w[readme.html olvasdel.html lisenssi.html liesmich.html]
22
22
  end
23
23
  end
24
24
  end
data/app/finders/plugin_version/layer_slider/translation_file.rb CHANGED
@@ -29,7 +29,7 @@ module WPScan
29
29
  def potential_urls
30
30
  # Recent versions seem to use the 'locales' directory instead of the 'languages' one.
31
31
  # Maybe also check other locales ?
32
- %w(locales languages).reduce([]) do |a, e|
32
+ %w[locales languages].reduce([]) do |a, e|
33
33
  a << target.url("#{e}/LayerSlider-en_US.po")
34
34
  end
35
35
  end
data/app/finders/timthumbs/known_locations.rb CHANGED
@@ -43,8 +43,8 @@ module WPScan
43
43
  end
44
44
 
45
45
  def main_theme_timthumbs_paths
46
- %w(timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
47
- scripts/timthumb.php tools/timthumb.php functions/timthumb.php)
46
+ %w[timthumb.php lib/timthumb.php inc/timthumb.php includes/timthumb.php
47
+ scripts/timthumb.php tools/timthumb.php functions/timthumb.php]
48
48
  end
49
49
 
50
50
  def create_progress_bar(opts = {})
data/app/finders/users/author_posts.rb CHANGED
@@ -43,7 +43,7 @@ module WPScan
43
43
  def potential_usernames(res)
44
44
  usernames = []
45
45
 
46
- target.in_scope_urls(res, '//a', %w(href)) do |url, node|
46
+ target.in_scope_urls(res, '//a', %w[href]) do |url, node|
47
47
  uri = Addressable::URI.parse(url)
48
48
 
49
49
  if uri.path =~ %r{/author/([^/\b]+)/?\z}i
data/app/finders/wp_version/atom_generator.rb CHANGED
@@ -30,7 +30,7 @@ module WPScan
30
30
  end
31
31
 
32
32
  def aggressive_urls(_opts = {})
33
- %w(feed/atom/ ?feed=atom).reduce([]) do |a, uri|
33
+ %w[feed/atom/ ?feed=atom].reduce([]) do |a, uri|
34
34
  a << target.url(uri)
35
35
  end
36
36
  end
data/app/finders/wp_version/rss_generator.rb CHANGED
@@ -33,7 +33,7 @@ module WPScan
33
33
  end
34
34
 
35
35
  def aggressive_urls(_opts = {})
36
- %w(feed/ comments/feed/ feed/rss/ feed/rss2/).reduce([]) do |a, uri|
36
+ %w[feed/ comments/feed/ feed/rss/ feed/rss2/].reduce([]) do |a, uri|
37
37
  a << target.url(uri)
38
38
  end
39
39
  end
data/app/models/timthumb.rb CHANGED
@@ -30,8 +30,8 @@ module WPScan
30
30
  def vulnerabilities
31
31
  vulns = []
32
32
 
33
- vulns << rce_webshot_vuln if false == version || version > '1.35' && version < '2.8.14' && webshot_enabled?
34
- vulns << rce_132_vuln if false == version || version < '1.33'
33
+ vulns << rce_webshot_vuln if version == false || version > '1.35' && version < '2.8.14' && webshot_enabled?
34
+ vulns << rce_132_vuln if version == false || version < '1.33'
35
35
 
36
36
  vulns
37
37
  end
@@ -68,7 +68,7 @@ module WPScan
68
68
 
69
69
  # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
70
70
  def default_allowed_domains
71
- %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
71
+ %w[flickr.com picasa.com img.youtube.com upload.wikimedia.org]
72
72
  end
73
73
  end
74
74
  end
data/app/models/wp_item.rb CHANGED
@@ -6,8 +6,8 @@ module WPScan
6
6
  include CMSScanner::Target::Platform::PHP
7
7
  include CMSScanner::Target::Server::Generic
8
8
 
9
- READMES = %w(readme.txt README.txt Readme.txt ReadMe.txt README.TXT readme.TXT).freeze
10
- CHANGELOGS = %w(changelog.txt Changelog.txt ChangeLog.txt CHANGELOG.txt).freeze
9
+ READMES = %w[readme.txt README.txt Readme.txt ReadMe.txt README.TXT readme.TXT].freeze
10
+ CHANGELOGS = %w[changelog.txt Changelog.txt ChangeLog.txt CHANGELOG.txt].freeze
11
11
 
12
12
  attr_reader :uri, :name, :detection_opts, :target, :db_data
13
13
 
@@ -50,7 +50,7 @@ module WPScan
50
50
  def vulnerable_to?(vuln)
51
51
  return true unless version && vuln && vuln.fixed_in && !vuln.fixed_in.empty?
52
52
 
53
- version < vuln.fixed_in ? true : false
53
+ version < vuln.fixed_in
54
54
  end
55
55
 
56
56
  # @return [ String ]
data/app/models/wp_version.rb CHANGED
@@ -2,7 +2,6 @@ module WPScan
2
2
  # WP Version
3
3
  class WpVersion < CMSScanner::Version
4
4
  include Vulnerable
5
- attr_reader :db_data
6
5
 
7
6
  def initialize(number, opts = {})
8
7
  raise InvalidWordPressVersion unless WpVersion.valid?(number.to_s)
data/lib/wpscan/db/updater.rb CHANGED
@@ -4,11 +4,11 @@ module WPScan
4
4
  # :nocov:
5
5
  class Updater
6
6
  # /!\ Might want to also update the Enumeration#cli_options when some filenames are changed here
7
- FILES = %w(
7
+ FILES = %w[
8
8
  plugins.json themes.json wordpresses.json
9
9
  timthumbs-v3.txt user-agents.txt config_backups.txt
10
10
  dynamic_finders.yml wordpress.db LICENSE
11
- ).freeze
11
+ ].freeze
12
12
 
13
13
  attr_reader :repo_directory
14
14
 
data/lib/wpscan/db/wp_items.rb CHANGED
@@ -14,7 +14,7 @@ module WPScan
14
14
 
15
15
  # @return [ Array<String> ] The slug of all vulnerable items
16
16
  def self.vulnerable_slugs
17
- db.select { |_key, item| !item['vulnerabilities'].empty? }.keys
17
+ db.reject { |_key, item| item['vulnerabilities'].empty? }.keys
18
18
  end
19
19
  end
20
20
  end
data/lib/wpscan/target/platform/wordpress.rb CHANGED
@@ -1,4 +1,4 @@
1
- %w(custom_directories).each do |required|
1
+ %w[custom_directories].each do |required|
2
2
  require "wpscan/target/platform/wordpress/#{required}"
3
3
  end
4
4
 
data/lib/wpscan/version.rb CHANGED
@@ -1,4 +1,4 @@
1
1
  # Version
2
2
  module WPScan
3
- VERSION = '3.0.3'.freeze
3
+ VERSION = '3.0.4'.freeze
4
4
  end
metadata CHANGED
@@ -1,57 +1,57 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: wpscan
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.3
4
+ version: 3.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - WPScanTeam
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-02-23 00:00:00.000000000 Z
11
+ date: 2017-09-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
- name: yajl-ruby
14
+ name: cms_scanner
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: 1.3.0
19
+ version: 0.0.37.10
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: 1.3.0
26
+ version: 0.0.37.10
27
27
  - !ruby/object:Gem::Dependency
28
- name: cms_scanner
28
+ name: yajl-ruby
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 0.0.37.8
33
+ version: '1.3'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 0.0.37.8
40
+ version: '1.3'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: activesupport
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: 5.0.1.0
47
+ version: '5.1'
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: 5.0.1.0
54
+ version: '5.1'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: dm-core
57
57
  requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: 3.5.0
131
+ version: 3.6.0
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - "~>"
137
137
  - !ruby/object:Gem::Version
138
- version: 3.5.0
138
+ version: 3.6.0
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: rspec-its
141
141
  requirement: !ruby/object:Gem::Requirement
@@ -170,14 +170,14 @@ dependencies:
170
170
  requirements:
171
171
  - - "~>"
172
172
  - !ruby/object:Gem::Version
173
- version: 0.47.1
173
+ version: 0.50.0
174
174
  type: :development
175
175
  prerelease: false
176
176
  version_requirements: !ruby/object:Gem::Requirement
177
177
  requirements:
178
178
  - - "~>"
179
179
  - !ruby/object:Gem::Version
180
- version: 0.47.1
180
+ version: 0.50.0
181
181
  - !ruby/object:Gem::Dependency
182
182
  name: webmock
183
183
  requirement: !ruby/object:Gem::Requirement
@@ -198,14 +198,28 @@ dependencies:
198
198
  requirements:
199
199
  - - "~>"
200
200
  - !ruby/object:Gem::Version
201
- version: 0.12.0
201
+ version: 0.14.0
202
+ type: :development
203
+ prerelease: false
204
+ version_requirements: !ruby/object:Gem::Requirement
205
+ requirements:
206
+ - - "~>"
207
+ - !ruby/object:Gem::Version
208
+ version: 0.14.0
209
+ - !ruby/object:Gem::Dependency
210
+ name: coveralls
211
+ requirement: !ruby/object:Gem::Requirement
212
+ requirements:
213
+ - - "~>"
214
+ - !ruby/object:Gem::Version
215
+ version: 0.8.0
202
216
  type: :development
203
217
  prerelease: false
204
218
  version_requirements: !ruby/object:Gem::Requirement
205
219
  requirements:
206
220
  - - "~>"
207
221
  - !ruby/object:Gem::Version
208
- version: 0.12.0
222
+ version: 0.8.0
209
223
  description: WPScan is a black box WordPress vulnerability scanner.
210
224
  email:
211
225
  - team@wpscan.org