# frozen_string_literal: true
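module WPScan
  module Finders
    module DbExports
      # DB Exports finder
      #
      # Requests a list of well-known database dump locations on the target and
      # keeps only those whose response looks like an actual dump (SQL
      # statements in the fetched bytes, or a zip Content-Type for .zip paths),
      # so that catch-all pages answering 200 for any path are not reported.
      class KnownLocations < CMSScanner::Finders::Finder
        include CMSScanner::Finders::Finder::Enumerator

        # Statements expected near the start of a SQL dump. Only the first
        # bytes of each candidate are fetched (see #full_request_params), so
        # the pattern targets what a dump begins with.
        SQL_PATTERN = /(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/.freeze

        # @return [ Array<Integer> ] response codes worth inspecting; 206 is
        #   included because the request carries a Range header and a server
        #   honouring it answers Partial Content
        def valid_response_codes
          @valid_response_codes ||= [200, 206].freeze
        end

        # @param [ Hash ] opts
        # @option opts [ String ] :list Path to the file of candidate locations (mandatory)
        # @option opts [ Boolean ] :show_progression
        #
        # @return [ Array<Model::DbExport> ]
        def aggressive(opts = {})
          found = []

          enumerate(potential_urls(opts), opts.merge(check_full_response: valid_response_codes)) do |res|
            next unless dump_response?(res)

            found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
          end

          found
        end

        # @return [ Hash ] extra request params: only the first 3001 bytes of
        #   each candidate are asked for, enough to spot SQL statements or the
        #   zip Content-Type without downloading whole dumps. A server that
        #   ignores Range still returns the full body.
        def full_request_params
          @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
        end

        # Builds the candidate URLs from the list file. Lines containing
        # '{domain_name}' are expanded with #domain_name and, when different,
        # #domain_name_with_sub as well.
        #
        # @param [ Hash ] opts
        # @option opts [ String ] :list Mandatory
        #
        # @return [ Hash ] URL => index, the index being the id handed to the enumerator
        def potential_urls(opts = {})
          urls  = {}
          index = 0

          # File.foreach closes the file itself; the previous File.open(...).each
          # left the descriptor open until garbage collection.
          File.foreach(opts[:list]) do |line|
            path = line.chomp

            if path.include?('{domain_name}')
              urls[target.url(path.gsub('{domain_name}', domain_name))] = index

              if domain_name != domain_name_with_sub
                urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1

                index += 1
              end
            else
              urls[target.url(path)] = index
            end

            index += 1
          end

          urls
        end

        # @return [ String ] the registrable domain without its public suffix
        #   (e.g. 'example' for 'www.example.com' — constructed example), or the
        #   raw host when it is an IP address or PublicSuffix cannot resolve it
        def domain_name
          @domain_name ||= if Resolv::AddressRegex.match?(target.uri.host)
                             target.uri.host
                           else
                             # Keep everything up to the first dot. The '|' inside the
                             # character class is a literal pipe, not an alternation;
                             # it is harmless for hostnames.
                             (PublicSuffix.domain(target.uri.host) || target.uri.host)[/(^[\w|-]+)/, 1]
                           end
        end

        # @return [ String ] the host with its public suffix removed
        #   (e.g. 'www.example' for 'www.example.com' — constructed example), or
        #   the raw host when it is an IP address or PublicSuffix rejects it
        def domain_name_with_sub
          @domain_name_with_sub ||=
            if Resolv::AddressRegex.match?(target.uri.host)
              target.uri.host
            else
              parsed = PublicSuffix.parse(target.uri.host)
              # Strip only the trailing suffix; gsub would also remove an inner
              # '.tld' occurrence (e.g. 'com.example.com' — constructed example).
              suffix = /\.#{Regexp.escape(parsed.tld)}\z/

              if parsed.subdomain
                parsed.subdomain.sub(suffix, '')
              elsif parsed.domain
                parsed.domain.sub(suffix, '')
              else
                target.uri.host
              end
            end
        rescue PublicSuffix::DomainNotAllowed, PublicSuffix::DomainInvalid
          # Fall back to the raw host for any name PublicSuffix cannot parse,
          # which matches #domain_name (PublicSuffix.domain returns nil there).
          @domain_name_with_sub = target.uri.host
        end

        # @param [ Hash ] opts
        #
        # @return the enumerator's progress bar with this finder's title
        def create_progress_bar(opts = {})
          super(opts.merge(title: ' Checking DB Exports -'))
        end

        private

        # Heuristic that separates a real dump from a page answering any path:
        # .zip locations must come back with a zip Content-Type, anything else
        # must show SQL statements in the fetched bytes.
        #
        # @param [ Object ] res response yielded by the enumerator
        #   (responds to #effective_url, #headers and #body)
        #
        # @return [ Boolean ]
        def dump_response?(res)
          if res.effective_url.end_with?('.zip')
            %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
          else
            SQL_PATTERN.match?(res.body)
          end
        end
      end
    end
  end
end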