Module: WPScan::Target::Platform::WordPress

Includes:

CMSScanner::Target::Platform::PHP

Included in:

WPScan::Target

Defined in:

lib/wpscan/target/platform/wordpress.rb,
lib/wpscan/target/platform/wordpress/custom_directories.rb

Overview

wp-content & plugins directory implementation

Constant Summary

WORDPRESS_PATTERN =

%r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i.freeze

Instance Attribute Summary

• #mu_plugins ⇒ Object (also: #mu_plugins?)

  These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again.

• #multisite ⇒ Object (also: #multisite?)

  These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again.

• #registration_enabled ⇒ Object (also: #registration_enabled?)

  These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again.

Instance Method Summary

• #content_dir ⇒ String

  The wp-content directory.

• #content_dir=(dir) ⇒ Object
• #content_uri ⇒ Addressable::URI
• #content_url ⇒ String
• #do_login(username, password) ⇒ Typhoeus::Response
• #login_request(username, password) ⇒ Typhoeus::Request
• #login_url ⇒ String

  The URL to the login page.

• #plugins_dir ⇒ String
• #plugins_dir=(dir) ⇒ Object
• #plugins_uri ⇒ Addressable::URI
• #plugins_url ⇒ String
• #registration_url ⇒ String
• #sub_dir ⇒ String, False

  TODO: Factorise the code and the content_dir one ? @note: nil can not be returned here, otherwise if there is no sub_dir the check would be done each time.

• #themes_dir ⇒ String
• #themes_uri ⇒ Addressable::URI
• #themes_url ⇒ String
• #url(path = nil) ⇒ String

  Override of the WebSite#url to consider the custom WP directories.

• #wordpress? ⇒ Boolean
• #wordpress_hosted? ⇒ Boolean

Instance Attribute Details

#mu_plugins ⇒ Object Also known as: mu_plugins?

These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again

# File 'lib/wpscan/target/platform/wordpress.rb', line 16

def mu_plugins
  @mu_plugins
end

#multisite ⇒ Object Also known as: multisite?

These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again

# File 'lib/wpscan/target/platform/wordpress.rb', line 16

def multisite
  @multisite
end

#registration_enabled ⇒ Object Also known as: registration_enabled?

These methods are used in the associated interesting_findings finders to keep the boolean state of the finding rather than re-check the whole thing again

# File 'lib/wpscan/target/platform/wordpress.rb', line 16

def registration_enabled
  @registration_enabled
end

Instance Method Details

#content_dir ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 15

def content_dir
  unless @content_dir
    escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
    pattern     = %r{#{escaped_url}(.+?)\/(?:themes|plugins|uploads|cache)\/}i

    in_scope_urls(homepage_res) do |url|
      return @content_dir = Regexp.last_match[1] if url.match(pattern)
    end
  end

  @content_dir
end

#content_dir=(dir) ⇒ Object

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 6

def content_dir=(dir)
  @content_dir = dir.chomp('/')
end

#content_uri ⇒ Addressable::URI

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 29

def content_uri
  uri.join("#{content_dir}/")
end

#content_url ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 34

def content_url
  content_uri.to_s
end

#do_login(username, password) ⇒ Typhoeus::Response

# File 'lib/wpscan/target/platform/wordpress.rb', line 51

def do_login(username, password)
  login_request(username, password).run
end

#login_request(username, password) ⇒ Typhoeus::Request

# File 'lib/wpscan/target/platform/wordpress.rb', line 59

def login_request(username, password)
  Browser.instance.forge_request(
    login_url,
    method: :post,
    body: { log: username, pwd: password }
  )
end

#login_url ⇒ String

# File 'lib/wpscan/target/platform/wordpress.rb', line 68

def login_url
  url('wp-login.php')
end

#plugins_dir ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 39

def plugins_dir
  @plugins_dir ||= "#{content_dir}/plugins"
end

#plugins_dir=(dir) ⇒ Object

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 10

def plugins_dir=(dir)
  @plugins_dir = dir.chomp('/')
end

#plugins_uri ⇒ Addressable::URI

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 44

def plugins_uri
  uri.join("#{plugins_dir}/")
end

#plugins_url ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 49

def plugins_url
  plugins_uri.to_s
end

#registration_url ⇒ String

# File 'lib/wpscan/target/platform/wordpress.rb', line 39

def registration_url
  multisite? ? url('wp-signup.php') : url('wp-login.php?action=register')
end

#sub_dir ⇒ String, False

TODO: Factorise the code and the content_dir one ? @note: nil can not be returned here, otherwise if there is no sub_dir

the check would be done each time

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 72

def sub_dir
  unless @sub_dir
    escaped_url = Regexp.escape(url).gsub(/https?/i, 'https?')
    pattern     = %r{#{escaped_url}(.+?)\/(?:xmlrpc\.php|wp\-includes\/)}i

    in_scope_urls(homepage_res) do |url|
      return @sub_dir = Regexp.last_match[1] if url.match(pattern)
    end

    @sub_dir = false
  end

  @sub_dir
end

#themes_dir ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 54

def themes_dir
  @themes_dir ||= "#{content_dir}/themes"
end

#themes_uri ⇒ Addressable::URI

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 59

def themes_uri
  uri.join("#{themes_dir}/")
end

#themes_url ⇒ String

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 64

def themes_url
  themes_uri.to_s
end

#url(path = nil) ⇒ String

Override of the WebSite#url to consider the custom WP directories

# File 'lib/wpscan/target/platform/wordpress/custom_directories.rb', line 92

def url(path = nil)
  return @uri.to_s unless path

  if path =~ %r{wp\-content/plugins}i
    path.gsub!('wp-content/plugins', plugins_dir)
  elsif path =~ /wp\-content/i
    path.gsub!('wp-content', content_dir)
  elsif path[0] != '/' && sub_dir
    path = "#{sub_dir}/#{path}"
  end

  super(path)
end

#wordpress? ⇒ Boolean

# File 'lib/wpscan/target/platform/wordpress.rb', line 22

def wordpress?
  # res = Browser.get(url)

  in_scope_urls(homepage_res) do |url|
    return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
  end

  homepage_res.html.css('meta[name="generator"]').each do |node|
    return true if node['content'] =~ /wordpress/i
  end

  return true unless comments_from_page(/wordpress/i, homepage_res).empty?

  false
end

#wordpress_hosted? ⇒ Boolean

# File 'lib/wpscan/target/platform/wordpress.rb', line 43

def wordpress_hosted?
  uri.host =~ /\.wordpress\.com$/i ? true : false
end