Class: WPScan::Finders::DbExports::KnownLocations

Inherits:

Finder

• Object
• Finder
• WPScan::Finders::DbExports::KnownLocations

Includes:

Finder::Enumerator

Defined in:

app/finders/db_exports/known_locations.rb

Overview

DB Exports finder

Constant Summary

SQL_PATTERN =

/(?:DROP|(?:UN)?LOCK|CREATE|ALTER) (?:TABLE|DATABASE)|INSERT INTO/

Constants inherited from Finder

Finder::DIRECT_ACCESS

Instance Attribute Summary

Attributes inherited from Finder

#progress_bar, #target

Instance Method Summary

• #aggressive(opts = {}) ⇒ Array<DBExport>
• #create_progress_bar(opts = {}) ⇒ Object
• #domain_name ⇒ Object
• #domain_name_with_sub ⇒ Object
• #full_request_params ⇒ Object
• #potential_urls(opts = {}) ⇒ Hash
• #valid_response_codes ⇒ Object

Methods included from Finder::Enumerator

#enumerate, #head_or_get_request_params, #maybe_get_full_response

Methods inherited from Finder

#browser, #found_by, #hydra, #initialize, #passive, #titleize

Constructor Details

This class inherits a constructor from WPScan::Finders::Finder

Instance Method Details

#aggressive(opts = {}) ⇒ Array<DBExport>

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :list (String)
• :show_progression (Boolean)

Returns:

• (Array<DBExport>)

# File 'app/finders/db_exports/known_locations.rb', line 21

def aggressive(opts = {})
  found = []

  enumerate(potential_urls(opts), opts.merge(check_full_response: valid_response_codes)) do |res|
    if res.effective_url.end_with?('.zip')
      next unless %r{\Aapplication/zip}i.match?(res.headers['Content-Type'])
    else
      next unless SQL_PATTERN.match?(res.body)
    end

    found << Model::DbExport.new(res.request.url, found_by: DIRECT_ACCESS, confidence: 100)
  end

  found
end

#create_progress_bar(opts = {}) ⇒ Object

# File 'app/finders/db_exports/known_locations.rb', line 99

def create_progress_bar(opts = {})
  super(opts.merge(title: ' Checking DB Exports -'))
end

#domain_name ⇒ Object

# File 'app/finders/db_exports/known_locations.rb', line 72

def domain_name
  @domain_name ||= if Resolv::AddressRegex.match?(target.uri.host)
                     target.uri.host
                   else
                     (PublicSuffix.domain(target.uri.host) || target.uri.host)[/(^[\w|-]+)/, 1]
                   end
end

#domain_name_with_sub ⇒ Object

# File 'app/finders/db_exports/known_locations.rb', line 80

def domain_name_with_sub
  @domain_name_with_sub ||=
    if Resolv::AddressRegex.match?(target.uri.host)
      target.uri.host
    else
      parsed = PublicSuffix.parse(target.uri.host)

      if parsed.subdomain
        parsed.subdomain.gsub(".#{parsed.tld}", '')
      elsif parsed.domain
        parsed.domain.gsub(".#{parsed.tld}", '')
      else
        target.uri.host
      end
    end
rescue PublicSuffix::DomainNotAllowed
  @domain_name_with_sub = target.uri.host
end

#full_request_params ⇒ Object

# File 'app/finders/db_exports/known_locations.rb', line 37

def full_request_params
  @full_request_params ||= { headers: { 'Range' => 'bytes=0-3000' } }
end

#potential_urls(opts = {}) ⇒ Hash

Parameters:

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :list (String) —

  Mandatory

Returns:

• (Hash)

# File 'app/finders/db_exports/known_locations.rb', line 45

def potential_urls(opts = {})
  urls = {}
  index = 0

  File.open(opts[:list]) do |f|
    f.each do |path|
      path.chomp!

      if path.include?('{domain_name}')
        urls[target.url(path.gsub('{domain_name}', domain_name))] = index

        if domain_name != domain_name_with_sub
          urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1

          index += 1
        end
      else
        urls[target.url(path)] = index
      end

      index += 1
    end
  end

  urls
end

#valid_response_codes ⇒ Object

# File 'app/finders/db_exports/known_locations.rb', line 10

def valid_response_codes
  @valid_response_codes ||= [200, 206].freeze
end