Class: WPScan::Finders::Users::WpJsonApi

Inherits:
CMSScanner::Finders::Finder
  • Object
Defined in:
app/finders/users/wp_json_api.rb

Overview

WP JSON API

Since WP 4.7. Needs more investigation, as WP 4.7.1 seems to reduce the exposure (see github.com/wpscanteam/wpscan/issues/1038). For the pagination, see github.com/wpscanteam/wpscan/issues/1285.

Constant Summary

MAX_PER_PAGE =
100

Instance Method Summary

Instance Method Details

#aggressive(_opts = {}) ⇒ Array<User>

Parameters:

  • opts (Hash)

Returns:

  • (Array<User>)


# File 'app/finders/users/wp_json_api.rb', line 17

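# Lists users through the REST users endpoint, walking the pages advertised
# by the X-WP-TotalPages response header.
#
# Partial results are kept: a page that cannot be parsed as JSON, or whose
# parsed document is not shaped like a user listing, ends the walk and the
# users collected so far are returned.
#
# @param [ Hash ] _opts unused
#
# @return [ Array<User> ]
def aggressive(_opts = {})
  found        = []
  current_page = 0
  # Declared outside the loop: a variable first assigned inside a `loop` block is
  # block-local and reset every iteration, which made the `||=` below re-read the
  # header on every page instead of memoising the first one.
  total_pages  = nil

  loop do
    current_page += 1

    res = Browser.get(api_url, params: { per_page: MAX_PER_PAGE, page: current_page })

    # Only the first response decides how many pages exist; a missing header
    # gives 0, which stops the walk after this page.
    total_pages ||= res.headers['X-WP-TotalPages'].to_i

    users_in_page = users_from_response(res)
    found.concat(users_in_page)

    # The empty-page check bounds the walk even when the advertised page count
    # overstates what the server actually serves.
    break if current_page >= total_pages || users_in_page.empty?
  end

  found
rescue JSON::ParserError, TypeError
  # ParserError: body is not JSON. TypeError: body parsed but is not a list of
  # user objects. Either way, return what was collected before the bad page.
  found
end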

#api_url ⇒ String

Returns The URL of the API listing the Users.

Returns:

  • (String)

    The URL of the API listing the Users



# File 'app/finders/users/wp_json_api.rb', line 57

def api_url
  return @api_url if @api_url

  target.in_scope_uris(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |uri|
    return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
  end

  @api_url = target.url('wp-json/wp/v2/users/')
end

#users_from_response(response) ⇒ Array<User>

Returns The users from the response.

Parameters:

Returns:

  • (Array<User>)

    The users from the response



# File 'app/finders/users/wp_json_api.rb', line 42

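# Builds User models from one page of the REST users listing.
#
# Only a JSON array of objects is treated as a listing. Any other document
# (null, an error object, a bare scalar) yields no users instead of being
# iterated as if it were one — a Hash body, for instance, would otherwise hand
# [key, value] pairs to the String index below and raise TypeError.
#
# @param [ Typhoeus::Response ] response
#
# @return [ Array<User> ] The users from the response
#
# @raise [ JSON::ParserError ] when the body is not JSON; callers decide whether
#   to keep partial results.
def users_from_response(response)
  parsed = JSON.parse(response.body)

  return [] unless parsed.is_a?(Array)

  # Entries that are not objects carry no user attributes and are skipped.
  parsed.select { |user| user.is_a?(Hash) }.map do |user|
    Model::User.new(user['slug'],
                    id: user['id'],
                    found_by: found_by,
                    confidence: 100,
                    interesting_entries: [response.effective_url])
  end
end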