-
Notifications
You must be signed in to change notification settings - Fork 0
/
wpscan.rb
executable file
·404 lines (331 loc) · 12.5 KB
/
wpscan.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
#!/usr/bin/env ruby
# encoding: UTF-8
$: << '.'
require File.dirname(__FILE__) + '/lib/wpscan/wpscan_helper'
def main
# delete old logfile, check if it is a symlink first.
File.delete(LOG_FILE) if File.exist?(LOG_FILE) and !File.symlink?(LOG_FILE)
banner()
begin
wpscan_options = WpscanOptions.load_from_arguments
unless wpscan_options.has_options?
# first parameter only url?
if ARGV.length == 1
wpscan_options.url = ARGV[0]
else
usage()
raise('No argument supplied')
end
end
# Define a global variable
$COLORSWITCH = wpscan_options.no_color
if wpscan_options.help
help()
usage()
exit(0)
end
if wpscan_options.version
puts "Current version: #{WPSCAN_VERSION}"
exit(0)
end
# Initialize the browser to allow the db update
# to be done over a proxy if set
Browser.instance(
wpscan_options.to_h.merge(max_threads: wpscan_options.threads)
)
if wpscan_options.update || missing_db_file?
puts "#{notice('[i]')} Updating the Database ..."
DbUpdater.new(DATA_DIR).update(wpscan_options.verbose)
puts "#{notice('[i]')} Update completed."
# Exit program if only option --update is used
exit(0) unless wpscan_options.url
end
unless wpscan_options.url
raise 'The URL is mandatory, please supply it with --url or -u'
end
wp_target = WpTarget.new(wpscan_options.url, wpscan_options.to_h)
# Remote website up?
unless wp_target.online?
raise "The WordPress URL supplied '#{wp_target.uri}' seems to be down."
end
if wpscan_options.proxy
proxy_response = Browser.get(wp_target.url)
unless WpTarget::valid_response_codes.include?(proxy_response.code)
raise "Proxy Error :\r\n#{proxy_response.headers}"
end
end
# Remote website has a redirection?
if (redirection = wp_target.redirection)
if wpscan_options.follow_redirection
puts "Following redirection #{redirection}"
else
puts "#{notice('[i]')} The remote host tried to redirect to: #{redirection}"
print '[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]'
end
if wpscan_options.follow_redirection || !wpscan_options.batch
if wpscan_options.follow_redirection || (input = Readline.readline) =~ /^y/i
wpscan_options.url = redirection
wp_target = WpTarget.new(redirection, wpscan_options.to_h)
else
if input =~ /^a/i
puts 'Scan aborted'
exit(0)
end
end
end
end
if wp_target.has_basic_auth? && wpscan_options.basic_auth.nil?
raise 'Basic authentication is required, please provide it with --basic-auth <login:password>'
end
# Remote website is wordpress?
unless wpscan_options.force
unless wp_target.wordpress?
raise "#{critical('[!]')} The remote website is up, but does not seem to be running WordPress."
end
end
unless wp_target.wp_content_dir
raise 'The wp_content_dir has not been found, please supply it with --wp-content-dir'
end
unless wp_target.wp_plugins_dir_exists?
puts "The plugins directory '#{wp_target.wp_plugins_dir}' does not exist."
puts 'You can specify one per command line option (don\'t forget to include the wp-content directory if needed)'
puts '[?] Continue? [Y]es [N]o, default: [N]'
if wpscan_options.batch || Readline.readline !~ /^y/i
exit(0)
end
end
# Output runtime data
start_time = Time.now
start_memory = get_memory_usage
puts "#{info('[+]')} URL: #{wp_target.url}"
puts "#{info('[+]')} Started: #{start_time.asctime}"
puts
if wp_target.wordpress_hosted?
puts "#{critical('[!]')} We do not support scanning *.wordpress.com hosted blogs"
end
if wp_target.has_robots?
puts "#{info('[+]')} robots.txt available under: '#{wp_target.robots_url}'"
wp_target.parse_robots_txt.each do |dir|
puts "#{info('[+]')} Interesting entry from robots.txt: #{dir}"
end
end
if wp_target.has_readme?
puts "#{warning('[!]')} The WordPress '#{wp_target.readme_url}' file exists"
end
if wp_target.has_full_path_disclosure?
puts "#{warning('[!]')} Full Path Disclosure (FPD) in: '#{wp_target.full_path_disclosure_url}'"
end
if wp_target.has_debug_log?
puts "#{critical('[!]')} Debug log file found: #{wp_target.debug_log_url}"
end
wp_target.config_backup.each do |file_url|
puts "#{critical('[!]')} A wp-config.php backup file has been found in: '#{file_url}'"
end
if wp_target.search_replace_db_2_exists?
puts "#{critical('[!]')} searchreplacedb2.php has been found in: '#{wp_target.search_replace_db_2_url}'"
end
wp_target.interesting_headers.each do |header|
output = "#{info('[+]')} Interesting header: "
if header[1].class == Array
header[1].each do |value|
puts output + "#{header[0]}: #{value}"
end
else
puts output + "#{header[0]}: #{header[1]}"
end
end
if wp_target.multisite?
puts "#{info('[+]')} This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)"
end
if wp_target.has_must_use_plugins?
puts "#{info('[+]')} This site has must use plugins (http://codex.wordpress.org/Must_Use_Plugins)"
end
if wp_target.registration_enabled?
puts "#{warning('[+]')} Registration is enabled: #{wp_target.registration_url}"
end
if wp_target.has_xml_rpc?
puts "#{info('[+]')} XML-RPC Interface available under: #{wp_target.xml_rpc_url}"
end
if wp_target.upload_directory_listing_enabled?
puts "#{warning('[!]')} Upload directory has directory listing enabled: #{wp_target.upload_dir_url}"
end
if wp_target.has_malwares?
malwares = wp_target.malwares
puts "#{critical('[!]')} #{malwares.size} malware(s) found:"
malwares.each do |malware_url|
puts
puts ' | ' + critical("#{malware_url}")
end
puts
end
enum_options = {
show_progression: true,
exclude_content: wpscan_options.exclude_content_based
}
if wp_version = wp_target.version(WP_VERSIONS_FILE)
wp_version.output(wpscan_options.verbose)
else
puts
puts "#{notice('[i]')} WordPress version can not be detected"
end
if wp_theme = wp_target.theme
puts
# Theme version is handled in #to_s
puts "#{info('[+]')} WordPress theme in use: #{wp_theme}"
wp_theme.output(wpscan_options.verbose)
# Check for parent Themes
while wp_theme.is_child_theme?
parent = wp_theme.get_parent_theme
puts
puts "#{info('[+]')} Detected parent theme: #{parent}"
parent.output(wpscan_options.verbose)
wp_theme = parent
end
end
if wpscan_options.enumerate_plugins == nil and wpscan_options.enumerate_only_vulnerable_plugins == nil
puts
puts "#{info('[+]')} Enumerating plugins from passive detection ..."
wp_plugins = WpPlugins.passive_detection(wp_target)
if !wp_plugins.empty?
puts " | #{wp_plugins.size} plugins found:"
wp_plugins.output(wpscan_options.verbose)
else
puts "#{info('[+]')} No plugins found"
end
end
# Enumerate the installed plugins
if wpscan_options.enumerate_plugins or wpscan_options.enumerate_only_vulnerable_plugins or wpscan_options.enumerate_all_plugins
puts
puts "#{info('[+]')} Enumerating installed plugins #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_plugins} ..."
puts
wp_plugins = WpPlugins.aggressive_detection(wp_target,
enum_options.merge(
file: wpscan_options.enumerate_all_plugins ? PLUGINS_FULL_FILE : PLUGINS_FILE,
only_vulnerable: wpscan_options.enumerate_only_vulnerable_plugins || false
)
)
puts
if !wp_plugins.empty?
puts "#{info('[+]')} We found #{wp_plugins.size} plugins:"
wp_plugins.output(wpscan_options.verbose)
else
puts "#{info('[+]')} No plugins found"
end
end
# Enumerate installed themes
if wpscan_options.enumerate_themes or wpscan_options.enumerate_only_vulnerable_themes or wpscan_options.enumerate_all_themes
puts
puts "#{info('[+]')} Enumerating installed themes #{'(only vulnerable ones)' if wpscan_options.enumerate_only_vulnerable_themes} ..."
puts
wp_themes = WpThemes.aggressive_detection(wp_target,
enum_options.merge(
file: wpscan_options.enumerate_all_themes ? THEMES_FULL_FILE : THEMES_FILE,
only_vulnerable: wpscan_options.enumerate_only_vulnerable_themes || false
)
)
puts
if !wp_themes.empty?
puts "#{info('[+]')} We found #{wp_themes.size} themes:"
wp_themes.output(wpscan_options.verbose)
else
puts "#{info('[+]')} No themes found"
end
end
if wpscan_options.enumerate_timthumbs
puts
puts "#{info('[+]')} Enumerating timthumb files ..."
puts
wp_timthumbs = WpTimthumbs.aggressive_detection(wp_target,
enum_options.merge(
file: DATA_DIR + '/timthumbs.txt',
theme_name: wp_theme ? wp_theme.name : nil
)
)
puts
if !wp_timthumbs.empty?
puts "#{info('[+]')} We found #{wp_timthumbs.size} timthumb file/s:"
wp_timthumbs.output(wpscan_options.verbose)
else
puts "#{info('[+]')} No timthumb files found"
end
end
# If we haven't been supplied a username, enumerate them...
if !wpscan_options.username and wpscan_options.wordlist or wpscan_options.enumerate_usernames
puts
puts "#{info('[+]')} Enumerating usernames ..."
if wp_target.has_plugin?('stop-user-enumeration')
puts "#{warning('[!]')} Stop User Enumeration plugin detected, results might be empty. " \
"However a bypass exists, see stop_user_enumeration_bypass.rb in #{File.expand_path(File.dirname(__FILE__))}"
end
wp_users = WpUsers.aggressive_detection(wp_target,
enum_options.merge(
range: wpscan_options.enumerate_usernames_range,
show_progression: false
)
)
if wp_users.empty?
puts "#{info('[+]')} We did not enumerate any usernames"
if wpscan_options.wordlist
puts 'Try supplying your own username with the --username option'
puts
exit(1)
end
else
puts "#{info('[+]')} Identified the following #{wp_users.size} user/s:"
wp_users.output(margin_left: ' ' * 4)
end
else
# FIXME : Change the .username to .login (and also the --username in the CLI)
wp_users = WpUsers.new << WpUser.new(wp_target.uri, login: wpscan_options.username)
end
# Start the brute forcer
bruteforce = true
if wpscan_options.wordlist
if wp_target.has_login_protection?
protection_plugin = wp_target.login_protection_plugin()
puts
puts "#{warning('[!]')} The plugin #{protection_plugin.name} has been detected. It might record the IP and timestamp of every failed login and/or prevent brute forcing altogether. Not a good idea for brute forcing!"
puts '[?] Do you want to start the brute force anyway ? [Y]es [N]o, default: [N]'
bruteforce = false if wpscan_options.batch || Readline.readline !~ /^y/i
end
if bruteforce
puts "#{info('[+]')} Starting the password brute forcer"
begin
wp_users.brute_force(
wpscan_options.wordlist,
show_progression: true,
verbose: wpscan_options.verbose
)
ensure
puts
wp_users.output(show_password: true, margin_left: ' ' * 2)
end
else
puts "#{critical('[!]')} Brute forcing aborted"
end
end
stop_time = Time.now
elapsed = stop_time - start_time
used_memory = get_memory_usage - start_memory
puts
puts info("[+] Finished: #{stop_time.asctime}")
puts info("[+] Memory used: #{used_memory.bytes_to_human}")
puts info("[+] Elapsed time: #{Time.at(elapsed).utc.strftime('%H:%M:%S')}")
exit(0) # must exit!
rescue SystemExit, Interrupt
rescue => e
puts
puts critical(e.message)
if wpscan_options && wpscan_options.verbose
puts critical('Trace:')
puts critical(e.backtrace.join("\n"))
end
exit(1)
ensure
# Ensure a clean abort of Hydra
# See https://github.com/wpscanteam/wpscan/issues/461#issuecomment-42735615
Browser.instance.hydra.abort
Browser.instance.hydra.run
end
end
main()