Class: WPScan::Controller::AuthenticatedInventory

Inherits:

Base

Object
Base
WPScan::Controller::AuthenticatedInventory

show all

Defined in:: app/controllers/authenticated_inventory.rb

Overview

Fetches an authoritative inventory of installed plugins and themes from the WordPress REST API using admin credentials (–wp-auth). Pre-populates the target’s @plugins / @themes / @main_theme so the regular enumeration controllers skip detection for those items.

Constant Summary

Constants included from OptParseValidator

OptParseValidator::VERSION

Instance Method Summary collapse

#run ⇒ Object

Methods inherited from Base

#==, #after_scan, #before_scan, #cli_options, #datastore, #formatter, #option_parser, option_parser=, #output, #render, reset, #target, #tmp_directory, #user_interaction?

Instance Method Details

#run ⇒ `Object`

# File 'app/controllers/authenticated_inventory.rb', line 10

def run
  return unless ParsedCli.wp_auth

  output('@info', msg: 'Fetching authoritative inventory via WP REST API (/wp-json/wp/v2/)') if user_interaction?

  plugins = plugins_finder.aggressive(userpwd: userpwd)
  themes  = themes_finder.aggressive(userpwd: userpwd)

  target.instance_variable_set(:@plugins, plugins)
  target.instance_variable_set(:@themes, themes)

  active = themes.find { |t| t.instance_variable_get(:@wp_json_active) }
  target.instance_variable_set(:@main_theme, active) if active

  formatter.output('plugins', { plugins: plugins, verbose: ParsedCli.verbose }, 'enumeration')
  formatter.output('themes',  { themes: themes, verbose: ParsedCli.verbose }, 'enumeration')
end