wpscan 3.2.1 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5faff8eba24f5f7d0ea97833dfb2200f23c1414b
-  data.tar.gz: 905e1d1dec28cea9d51d094ed7af626233f131fa
+  metadata.gz: 5eac3c3174f8ae7798069fddfc45fd67f837b388
+  data.tar.gz: 626cfade1aeb099be9bfc1fbadf68a319a25fa55
 SHA512:
-  metadata.gz: 10b9dc665fb06f2d3f422a02f432a64921bb855662627abf548aca9b9f45ee3cb6aa9f6e97edc71ba58f759f7eedebce90628849aa79f259e0ea1f1effba9049
-  data.tar.gz: ae7fc0b48cd53132fd2c0d2e4212b05a798afbbbb7aac9737d0cddb79b164885431b49b786b02eca0ae228926e71c60f5b6dd7f4699e4e607a71832202ef6db7
+  metadata.gz: 031efaee33293d3ee7f0ff05a0a7100b8cf87b8b3f1429c513a6cb5ddd7d0a015fb6d7d462fb7fcc8cfbf18fd15c6ffe7db2428cb2ea77fed577c18055d975b4
+  data.tar.gz: b010b70018627700aa90cfebb98adf0f5f3de157690e1baa56885405725f1e16fa96c2d1b65bc19d73fbd6707146e2ab1c712ad283cf388753a26218a0bdd5a4

data/README.md

@@ -3,7 +3,79 @@
 [![Gem Version](https://badge.fury.io/rb/wpscan.svg)](https://badge.fury.io/rb/wpscan)
 [![Build Status](https://travis-ci.org/wpscanteam/wpscan-v3.svg?branch=master)](https://travis-ci.org/wpscanteam/wpscan-v3)
 [![Code Climate](https://codeclimate.com/github/wpscanteam/wpscan-v3/badges/gpa.svg)](https://codeclimate.com/github/wpscanteam/wpscan-v3)
-[![Dependency Status](https://img.shields.io/gemnasium/wpscanteam/wpscan-v3.svg)](https://gemnasium.com/wpscanteam/wpscan-v3)
+[![Patreon Donate](https://img.shields.io/badge/patreon-donate-green.svg)](https://www.patreon.com/wpscan)
+
+# INSTALL
+
+## Prerequisites:
+
+- Ruby >= 2.2.2 - Recommended: 2.3.3
+- Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
+- RubyGems      - Recommended: latest
+
+### From RubyGems:
+
+```
+gem install wpscan
+```
+
+### From sources:
+
+Prerequisites: Git
+
+```
+git clone https://github.com/wpscanteam/wpscan-v3 wpscan
+
+cd wpscan/
+
+bundle install && rake install
+```
+
+# Docker
+
+Pull the repo with ```docker pull wpscanteam/wpscan-v3```
+
+# Usage
+
+```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
+As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
+
+For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
+
+The DB is located at ~/.wpscan/db
+
+WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
+
+* ~/.wpscan/cli_options.json
+* ~/.wpscan/cli_options.yml
+* pwd/.wpscan/cli_options.json
+* pwd/.wpscan/cli_options.yml
+
+If those files exist, options from them will be loaded and overridden if found twice.
+
+e.g:
+
+~/.wpscan/cli_options.yml:
+```
+proxy: 'http://127.0.0.1:8080'
+verbose: true
+```
+
+pwd/.wpscan/cli_options.yml:
+```
+proxy: 'socks5://127.0.0.1:9090'
+url: 'http://target.tld'
+```
+
+Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
+
+# PROJECT HOME
+
+[https://wpscan.org](https://wpscan.org)
+
+# VULNERABILITY DATABASE
+
+[https://wpvulndb.com](https://wpvulndb.com)
 
 # LICENSE
 
@@ -83,72 +155,3 @@ Running WPScan against websites without prior mutual consent may be illegal in y
 ### 11. Trademark
 
 The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.
-
-# INSTALL
-
-## Prerequisites:
-
-- Ruby >= 2.2.2 - Recommended: 2.3.3
-- Curl >= 7.21  - Recommended: latest - FYI the 7.29 has a segfault
-- RubyGems      - Recommended: latest
-
-
-### From RubyGems:
-
-```gem install wpscan```
-
-### From sources:
-
-Prerequisites: Git
-
-```git clone https://github.com/wpscanteam/wpscan-v3```
-
-```cd wpscan```
-
-```bundle install && rake install```
-
-# Docker
-
-Pull the repo with ```docker pull wpscanteam/wpscan-v3```
-
-# Usage
-
-```wpscan --url blog.tld``` This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then ```wpscan --stealthy --url blog.tld``` can be used.
-As a result, when using the ```--enumerate``` option, don't forget to set the ```--plugins-detection``` accordingly, as its default is 'passive'.
-
-For more options, open a terminal and type ```wpscan --help``` (if you built wpscan from the source, you should type the command outside of the git repo)
-
-The DB is located at ~/.wpscan/db
-
-WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
-
-* ~/.wpscan/cli_options.json
-* ~/.wpscan/cli_options.yml
-* pwd/.wpscan/cli_options.json
-* pwd/.wpscan/cli_options.yml
-
-If those files exist, options from them will be loaded and overridden if found twice.
-
-e.g:
-
-~/.wpscan/cli_options.yml:
-```
-proxy: 'http://127.0.0.1:8080'
-verbose: true
-```
-
-pwd/.wpscan/cli_options.yml:
-```
-proxy: 'socks5://127.0.0.1:9090'
-url: 'http://target.tld'
-```
-
-Running ```wpscan``` in the current directory (pwd), is the same as ```wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld```
-
-# PROJECT HOME
-
-[https://wpscan.org](https://wpscan.org)
-
-# VULNERABILITY DATABASE
-
-[https://wpvulndb.com](https://wpvulndb.com)

data/app/controllers.rb

@@ -3,5 +3,5 @@ require_relative 'controllers/custom_directories'
 require_relative 'controllers/wp_version'
 require_relative 'controllers/main_theme'
 require_relative 'controllers/enumeration'
-require_relative 'controllers/brute_force'
+require_relative 'controllers/password_attack'
 require_relative 'controllers/aliases'

data/app/controllers/enumeration.rb

@@ -16,7 +16,7 @@ module WPScan
         enum_plugins if enum_plugins?(enum)
         enum_themes  if enum_themes?(enum)
 
-        %i[timthumbs config_backups medias].each do |key|
+        %i[timthumbs config_backups db_exports medias].each do |key|
           send("enum_#{key}".to_sym) if enum.key?(key)
         end
 

data/app/controllers/enumeration/cli_options.rb

@@ -4,7 +4,8 @@ module WPScan
     class Enumeration < CMSScanner::Controller::Base
       def cli_options
         cli_enum_choices + cli_plugins_opts + cli_themes_opts +
-          cli_timthumbs_opts + cli_config_backups_opts + cli_medias_opts + cli_users_opts
+          cli_timthumbs_opts + cli_config_backups_opts + cli_db_exports_opts +
+          cli_medias_opts + cli_users_opts
       end
 
       # @return [ Array<OptParseValidator::OptBase> ]
@@ -14,26 +15,27 @@ module WPScan
           OptMultiChoices.new(
             ['--enumerate [OPTS]', '-e', 'Enumeration Process'],
             choices: {
-              vp: OptBoolean.new(['--vulnerable-plugins']),
-              ap: OptBoolean.new(['--all-plugins']),
-              p:  OptBoolean.new(['--plugins']),
-              vt: OptBoolean.new(['--vulnerable-themes']),
-              at: OptBoolean.new(['--all-themes']),
-              t:  OptBoolean.new(['--themes']),
-              tt: OptBoolean.new(['--timthumbs']),
-              cb: OptBoolean.new(['--config-backups']),
-              u:  OptIntegerRange.new(['--users', 'User ids range. e.g: u1-5'], value_if_empty: '1-10'),
-              m:  OptIntegerRange.new(['--medias', 'Media ids range. e.g m1-15'], value_if_empty: '1-100')
+              vp:  OptBoolean.new(['--vulnerable-plugins']),
+              ap:  OptBoolean.new(['--all-plugins']),
+              p:   OptBoolean.new(['--plugins']),
+              vt:  OptBoolean.new(['--vulnerable-themes']),
+              at:  OptBoolean.new(['--all-themes']),
+              t:   OptBoolean.new(['--themes']),
+              tt:  OptBoolean.new(['--timthumbs']),
+              cb:  OptBoolean.new(['--config-backups']),
+              dbe: OptBoolean.new(['--db-exports']),
+              u:   OptIntegerRange.new(['--users', 'User IDs range. e.g: u1-5'], value_if_empty: '1-10'),
+              m:   OptIntegerRange.new(['--medias', 'Media IDs range. e.g m1-15'], value_if_empty: '1-100')
             },
-            value_if_empty: 'vp,vt,tt,cb,u,m',
+            value_if_empty: 'vp,vt,tt,cb,dbe,u,m',
             incompatible: [%i[vp ap p], %i[vt at t]],
             default: { all_plugins: true, config_backups: true }
           ),
           OptRegexp.new(
             [
               '--exclude-content-based REGEXP_OR_STRING',
-              'Exclude all responses having their body matching (case insensitive) during parts of the enumeration.',
-              'Regexp delimiters are not required.'
+              'Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.',
+              'Both the headers and body are checked. Regexp delimiters are not required.'
             ], options: Regexp::IGNORECASE
           )
         ]
@@ -110,7 +112,22 @@ module WPScan
           ),
           OptChoice.new(
             ['--config-backups-detection MODE',
-             'Use the supplied mode to enumerate Configs, instead of the global (--detection-mode) mode.'],
+             'Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.'],
+            choices: %w[mixed passive aggressive], normalize: :to_sym
+          )
+        ]
+      end
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_db_exports_opts
+        [
+          OptFilePath.new(
+            ['--db-exports-list FILE-PATH', 'List of DB exports\' paths to use'],
+            exists: true, default: File.join(DB_DIR, 'db_exports.txt')
+          ),
+          OptChoice.new(
+            ['--db-exports-detection MODE',
+             'Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.'],
             choices: %w[mixed passive aggressive], normalize: :to_sym
           )
         ]

data/app/controllers/enumeration/enum_methods.rb

@@ -136,6 +136,13 @@ module WPScan
         output('config_backups', config_backups: target.config_backups(opts))
       end
 
+      def enum_db_exports
+        opts = default_opts('db_exports').merge(list: parsed_options[:db_exports_list])
+
+        output('@info', msg: 'Enumerating DB Exports') if user_interaction?
+        output('db_exports', db_exports: target.db_exports(opts))
+      end
+
       def enum_medias
         opts = default_opts('medias').merge(range: parsed_options[:enumerate][:medias])
 

data/app/controllers/password_attack.rb

@@ -0,0 +1,108 @@
+module WPScan
+  module Controller
+    # Password Attack Controller
+    class PasswordAttack < CMSScanner::Controller::Base
+      def cli_options
+        [
+          OptFilePath.new(
+            ['--passwords FILE-PATH', '-P',
+             'List of passwords to use during the password attack.',
+             'If no --username/s option supplied, user enumeration will be run.'],
+            exists: true
+          ),
+          OptSmartList.new(['--usernames LIST', '-U', 'List of usernames to use during the password attack.']),
+          OptInteger.new(['--multicall-max-passwords MAX_PWD',
+                          'Maximum number of passwords to send by request with XMLRPC multicall'],
+                         default: 500),
+          OptChoice.new(['--password-attack ATTACK',
+                         'Force the supplied attack to be used rather than automatically determining one.'],
+                        choices: %w[wp-login xmlrpc xmlrpc-multicall],
+                        normalize: %i[downcase underscore to_sym])
+        ]
+      end
+
+      def run
+        return unless parsed_options[:passwords]
+
+        if user_interaction?
+          output('@info',
+                 msg: "Performing password attack on #{attacker.titleize} against #{users.size} user/s")
+        end
+
+        attack_opts = {
+          show_progression: user_interaction?,
+          multicall_max_passwords: parsed_options[:multicall_max_passwords]
+        }
+
+        begin
+          found = []
+
+          attacker.attack(users, passwords(parsed_options[:passwords]), attack_opts) do |user|
+            found << user
+
+            attacker.progress_bar.log("[SUCCESS] - #{user.username} / #{user.password}")
+          end
+        ensure
+          output('users', users: found)
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ] The finder used to perform the attack
+      def attacker
+        @attacker ||= attacker_from_cli_options || attacker_from_automatic_detection
+      end
+
+      # @return [ WPScan::XMLRPC ]
+      def xmlrpc
+        @xmlrpc ||= target.xmlrpc
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_cli_options
+        return unless parsed_options[:password_attack]
+
+        case parsed_options[:password_attack]
+        when :wp_login
+          WPScan::Finders::Passwords::WpLogin.new(target)
+        when :xmlrpc
+          WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+        when :xmlrpc_multicall
+          WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+        end
+      end
+
+      # @return [ CMSScanner::Finders::Finder ]
+      def attacker_from_automatic_detection
+        if xmlrpc&.enabled? && xmlrpc.available_methods.include?('wp.getUsersBlogs')
+          wp_version = target.wp_version
+
+          if wp_version && wp_version < '4.4'
+            WPScan::Finders::Passwords::XMLRPCMulticall.new(xmlrpc)
+          else
+            WPScan::Finders::Passwords::XMLRPC.new(xmlrpc)
+          end
+        else
+          WPScan::Finders::Passwords::WpLogin.new(target)
+        end
+      end
+
+      # @return [ Array<Users> ] The users to brute force
+      def users
+        return target.users unless parsed_options[:usernames]
+
+        parsed_options[:usernames].reduce([]) do |acc, elem|
+          acc << CMSScanner::User.new(elem.chomp)
+        end
+      end
+
+      # @param [ String ] wordlist_path
+      #
+      # @return [ Array<String> ]
+      def passwords(wordlist_path)
+        @passwords ||= File.open(wordlist_path).reduce([]) do |acc, elem|
+          acc << elem.chomp
+        end
+      end
+    end
+  end
+end

data/app/finders.rb

@@ -5,9 +5,11 @@ require_relative 'finders/main_theme'
 require_relative 'finders/timthumb_version'
 require_relative 'finders/timthumbs'
 require_relative 'finders/config_backups'
+require_relative 'finders/db_exports'
 require_relative 'finders/medias'
 require_relative 'finders/users'
 require_relative 'finders/plugins'
 require_relative 'finders/plugin_version'
 require_relative 'finders/theme_version'
 require_relative 'finders/themes'
+require_relative 'finders/passwords'

data/app/finders/config_backups/known_filenames.rb

@@ -9,7 +9,7 @@ module WPScan
         # @option opts [ String ] :list
         # @option opts [ Boolean ] :show_progression
         #
-        # @return [ Array<InterestingFinding> ]
+        # @return [ Array<ConfigBackup> ]
         def aggressive(opts = {})
           found = []
 

data/app/finders/db_exports.rb

@@ -0,0 +1,17 @@
+require_relative 'db_exports/known_locations'
+
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports Finder
+      class Base
+        include CMSScanner::Finders::SameTypeFinder
+
+        # @param [ WPScan::Target ] target
+        def initialize(target)
+          finders << DbExports::KnownLocations.new(target)
+        end
+      end
+    end
+  end
+end

data/app/finders/db_exports/known_locations.rb

@@ -0,0 +1,49 @@
+module WPScan
+  module Finders
+    module DbExports
+      # DB Exports finder
+      # See https://github.com/wpscanteam/wpscan-v3/issues/62
+      class KnownLocations < CMSScanner::Finders::Finder
+        include CMSScanner::Finders::Finder::Enumerator
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list
+        # @option opts [ Boolean ] :show_progression
+        #
+        # @return [ Array<DBExport> ]
+        def aggressive(opts = {})
+          found = []
+
+          enumerate(potential_urls(opts), opts) do |res|
+            next unless res.code == 200 && res.body =~ /INSERT INTO/
+
+            found << WPScan::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
+          end
+
+          found
+        end
+
+        # @param [ Hash ] opts
+        # @option opts [ String ] :list Mandatory
+        #
+        # @return [ Hash ]
+        def potential_urls(opts = {})
+          urls        = {}
+          domain_name = target.uri.host[/(^[\w|-]+)/, 1]
+
+          File.open(opts[:list]).each_with_index do |path, index|
+            path.gsub!('{domain_name}', domain_name)
+
+            urls[target.url(path.chomp)] = index
+          end
+
+          urls
+        end
+
+        def create_progress_bar(opts = {})
+          super(opts.merge(title: ' Checking DB Exports -'))
+        end
+      end
+    end
+  end
+end