wpscan 3.0.8 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 27668feb03359084f981bac99a0fdc0951835c33
-  data.tar.gz: da0d1d819410d5d08d1455c7ffc55320a95d19cc
+  metadata.gz: 247fd91f253010fbefa767737b15d9abce9abdc5
+  data.tar.gz: bf4527c1501a3b641a4a242043baf8d302e0e5e8
 SHA512:
-  metadata.gz: 607686c500d2f27f1136dce37e2ffb8987db83f100c10442a7f7519678d2f0d612680a8c8830a589af412f1425a28ee66f2036d748e472b6247630a6659376a5
-  data.tar.gz: 852cf5b4f174e9288c2b91f06df5e10468f9a687dadc23efb73ce9fd2bd51141e41e2525687cb86880827d96314bf2bf1ec09520acbb969c586ba0e2e05b61f6
+  metadata.gz: 6f7ae471f65c4abab39653e95153a10c5893f7995f64b403bb9e4bac6748e93394daa4db9e4e2175293165dee60813a168af7f8043cbd249232a1b6abec00cfd
+  data.tar.gz: 86c27e7770b2674f286fcf55d49fe6b0cb2540d0a24a790e80c268b9901ab00cfd0d0e793ae294aebda586f414212a5077a1f58b489b272413c672833118dcab

data/LICENSE

@@ -1,6 +1,6 @@
 WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2017 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 

data/README.md

@@ -9,7 +9,7 @@
 
 ## WPScan Public Source License
 
-The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2017 WPScan Team.
+The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2018 WPScan Team.
 
 Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.
 

data/app/controllers.rb

@@ -4,3 +4,4 @@ require_relative 'controllers/wp_version'
 require_relative 'controllers/main_theme'
 require_relative 'controllers/enumeration'
 require_relative 'controllers/brute_force'
+require_relative 'controllers/aliases'

data/app/controllers/aliases.rb

@@ -0,0 +1,12 @@
+module WPScan
+  module Controller
+    # Controller to add the aliases in the CLI
+    class Aliases < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptAlias.new(['--stealthy'], alias_for: '--random-user-agent --detection-mode passive')
+        ]
+      end
+    end
+  end
+end

data/app/controllers/core.rb

@@ -46,14 +46,12 @@ module WPScan
       end
 
       def before_scan
-        output('banner')
+        output('banner') unless parsed_options[:banner] == false
 
         update_db if update_db_required?
-
-        super(false) # disable banner output
-
+        setup_cache
+        check_target_availability
         load_server_module
-
         check_wordpress_state
       end
 

data/app/controllers/enumeration.rb

@@ -6,34 +6,8 @@ module WPScan
     # Enumeration Controller
     class Enumeration < CMSScanner::Controller::Base
       def before_scan
-        # Create the Dynamic PluginVersion Finders
-        DB::DynamicPluginFinders.db_data.each do |name, config|
-          %w[Comments].each do |klass|
-            next unless config[klass] && config[klass]['version']
-
-            constant_name = name.tr('-', '_').camelize
-
-            unless Finders::PluginVersion.constants.include?(constant_name.to_sym)
-              Finders::PluginVersion.const_set(constant_name, Module.new)
-            end
-
-            mod = WPScan::Finders::PluginVersion.const_get(constant_name)
-
-            raise "#{mod} has already a #{klass} class" if mod.constants.include?(klass.to_sym)
-
-            case klass
-            when 'Comments' then create_plugins_comments_finders(mod, config[klass])
-            end
-          end
-        end
-      end
-
-      def create_plugins_comments_finders(mod, config)
-        mod.const_set(
-          :Comments, Class.new(Finders::Finder::PluginVersion::Comments) do
-            const_set(:PATTERN, config['pattern'])
-          end
-        )
+        DB::DynamicFinders::Plugin.create_versions_finders
+        DB::DynamicFinders::Theme.create_versions_finders
       end
 
       def run

data/app/controllers/enumeration/enum_methods.rb

@@ -52,7 +52,12 @@ module WPScan
         output('@info', msg: enum_message('plugins')) if user_interaction?
         # Enumerate the plugins & find their versions to avoid doing that when #version
         # is called in the view
-        plugins = target.plugins(opts).each(&:version)
+        plugins = target.plugins(opts)
+
+        output('@info', msg: 'Checking Plugin Versions') if user_interaction? && !plugins.empty?
+
+        plugins.each(&:version)
+
         plugins.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_plugins]
 
         output('plugins', plugins: plugins)
@@ -90,7 +95,12 @@ module WPScan
         output('@info', msg: enum_message('themes')) if user_interaction?
         # Enumerate the themes & find their versions to avoid doing that when #version
         # is called in the view
-        themes = target.themes(opts).each(&:version)
+        themes = target.themes(opts)
+
+        output('@info', msg: 'Checking Theme Versions') if user_interaction? && !themes.empty?
+
+        themes.each(&:version)
+
         themes.select!(&:vulnerable?) if parsed_options[:enumerate][:vulnerable_themes]
 
         output('themes', themes: themes)

data/app/controllers/wp_version.rb

@@ -15,6 +15,10 @@ module WPScan
         ]
       end
 
+      def before_scan
+        WPScan::DB::DynamicFinders::Wordpress.create_versions_finders
+      end
+
       def run
         output(
           'version',

data/app/finders/main_theme/css_style.rb

@@ -5,9 +5,9 @@ module WPScan
       class CssStyle < CMSScanner::Finders::Finder
         include Finders::WpItems::URLsInHomepage
 
-        def create_theme(name, style_url, opts)
+        def create_theme(slug, style_url, opts)
           WPScan::Theme.new(
-            name,
+            slug,
             target,
             opts.merge(found_by: found_by, confidence: 70, style_url: style_url)
           )

data/app/finders/main_theme/urls_in_homepage.rb

@@ -11,10 +11,10 @@ module WPScan
         def passive(opts = {})
           found = []
 
-          names = items_from_links('themes', false) + items_from_codes('themes', false)
+          slugs = items_from_links('themes', false) + items_from_codes('themes', false)
 
-          names.each_with_object(Hash.new(0)) { |name, counts| counts[name] += 1 }.each do |name, occurences|
-            found << WPScan::Theme.new(name, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
+          slugs.each_with_object(Hash.new(0)) { |slug, counts| counts[slug] += 1 }.each do |slug, occurences|
+            found << WPScan::Theme.new(slug, target, opts.merge(found_by: found_by, confidence: 2 * occurences))
           end
 
           found

data/app/finders/plugin_version.rb

@@ -1,11 +1,4 @@
 require_relative 'plugin_version/readme'
-# Plugins Specific
-require_relative 'plugin_version/layer_slider/translation_file'
-require_relative 'plugin_version/revslider/release_log'
-require_relative 'plugin_version/sitepress_multilingual_cms/version_parameter'
-require_relative 'plugin_version/sitepress_multilingual_cms/meta_generator'
-require_relative 'plugin_version/w3_total_cache/headers'
-require_relative 'plugin_version/shareaholic/meta_tag'
 
 module WPScan
   module Finders
@@ -25,7 +18,7 @@ module WPScan
         #
         # @param [ WPScan::Plugin ] plugin
         def load_specific_finders(plugin)
-          module_name = plugin.classify_name.to_sym
+          module_name = plugin.classify
 
           return unless Finders::PluginVersion.constants.include?(module_name)
 

data/app/finders/plugins.rb

@@ -1,7 +1,13 @@
 require_relative 'plugins/urls_in_homepage'
-require_relative 'plugins/headers'
-require_relative 'plugins/comments'
 require_relative 'plugins/known_locations'
+# From the DynamicFinders
+require_relative 'plugins/comment'
+require_relative 'plugins/xpath'
+require_relative 'plugins/header_pattern'
+require_relative 'plugins/body_pattern'
+require_relative 'plugins/javascript_var'
+require_relative 'plugins/query_parameter'
+require_relative 'plugins/config_parser' # Not loaded below as not implemented
 
 module WPScan
   module Finders
@@ -14,8 +20,11 @@ module WPScan
         def initialize(target)
           finders <<
             Plugins::UrlsInHomepage.new(target) <<
-            Plugins::Headers.new(target) <<
-            Plugins::Comments.new(target) <<
+            Plugins::HeaderPattern.new(target) <<
+            Plugins::Comment.new(target) <<
+            Plugins::Xpath.new(target) <<
+            Plugins::BodyPattern.new(target) <<
+            Plugins::JavascriptVar.new(target) <<
             Plugins::KnownLocations.new(target)
         end
       end

data/app/finders/plugins/body_pattern.rb

@@ -0,0 +1,27 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'BodyPattern'
+      class BodyPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          return unless response.body =~ config['pattern']
+
+          Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/comment.rb

@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'Comment'
+      class Comment < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//comment()').each do |node|
+            comment = node.text.to_s.strip
+
+            next unless comment =~ config['pattern']
+
+            return Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/config_parser.rb

@@ -0,0 +1,31 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'ConfigParser'
+      class ConfigParser < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 40
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def _process_response(_opts, _response, slug, klass, config)
+          #
+          # TODO. Currently not implemented, and not even loaded by the Finders, as this
+          # finder only has an aggressive method, which has been disabled (globally)
+          # when checking for plugins
+          #
+
+          Plugin.new(
+            slug,
+            target,
+            opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+          )
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/header_pattern.rb

@@ -0,0 +1,41 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'HeaderPattern'
+      class HeaderPattern < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 30
+
+        # @param [ Hash ] opts
+        #
+        # @return [ Array<Plugin> ]
+        def passive(opts = {})
+          found = []
+          headers = target.homepage_res.headers
+
+          return found if headers.empty?
+
+          DB::DynamicFinders::Plugin.passive_header_pattern_finder_configs.each do |slug, configs|
+            configs.each do |klass, config|
+              next unless headers[config['header']] && headers[config['header']].to_s =~ config['pattern']
+
+              found << Plugin.new(
+                slug,
+                target,
+                opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+              )
+            end
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        #
+        # @return [ nil ]
+        def aggressive(_opts = {})
+          # None
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/javascript_var.rb

@@ -0,0 +1,29 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from the Dynamic Finder 'JavascriptVar'
+      class JavascriptVar < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 60
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          response.html.xpath(config['xpath'] || '//script[not(@src)]').each do |node|
+            next if config['pattern'] && !node.text.match(config['pattern'])
+
+            return Plugin.new(
+              slug,
+              target,
+              opts.merge(found_by: found_by(klass), confidence: config['confidence'] || DEFAULT_CONFIDENCE)
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/finders/plugins/known_locations.rb

@@ -12,12 +12,12 @@ module WPScan
         def aggressive(opts = {})
           found = []
 
-          enumerate(target_urls(opts), opts) do |res, name|
+          enumerate(target_urls(opts), opts) do |res, slug|
             # TODO: follow the location (from enumerate()) and remove the 301 here ?
             # As a result, it might remove false positive due to redirection to the homepage
             next unless [200, 401, 403, 301].include?(res.code)
 
-            found << WPScan::Plugin.new(name, target, opts.merge(found_by: found_by, confidence: 80))
+            found << WPScan::Plugin.new(slug, target, opts.merge(found_by: found_by, confidence: 80))
           end
 
           found
@@ -28,12 +28,12 @@ module WPScan
         #
         # @return [ Hash ]
         def target_urls(opts = {})
-          names       = opts[:list] || DB::Plugins.vulnerable_slugs
+          slugs       = opts[:list] || DB::Plugins.vulnerable_slugs
           urls        = {}
           plugins_url = target.plugins_url
 
-          names.each do |name|
-            urls["#{plugins_url}#{URI.encode(name)}/"] = name
+          slugs.each do |slug|
+            urls["#{plugins_url}#{URI.encode(slug)}/"] = slug
           end
 
           urls

data/app/finders/plugins/query_parameter.rb

@@ -0,0 +1,25 @@
+module WPScan
+  module Finders
+    module Plugins
+      # Plugins finder from Dynamic Finder 'QueryParameter'
+      class QueryParameter < WPScan::Finders::DynamicFinder::WpItems::Finder
+        DEFAULT_CONFIDENCE = 10
+
+        def passive(_opts = {})
+          # Handled by UrlsInHomePage, so no need to check this twice
+        end
+
+        # @param [ Hash ] opts The options from the #passive, #aggressive methods
+        # @param [ Typhoeus::Response ] response
+        # @param [ String ] slug
+        # @param [ String ] klass
+        # @param [ Hash ] config The related dynamic finder config hash
+        #
+        # @return [ Plugin ] The detected plugin in the response, related to the config
+        def process_response(opts, response, slug, klass, config)
+          # TODO: when a real case will be found
+        end
+      end
+    end
+  end
+end