search

wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner
Other
8.57k stars 1.26k forks source link

Way do force the scan to complete even if "Your API limit has been reached" #1483

Closed mircone closed 4 years ago

mircone commented 4 years ago

Hello wpscanteam,

According to the line in your Readme:

Vulnerability Database

..., WPScan will continue to work as normal but without any vulnerability data. ...

I would expect wpscan to run my scan without querying the API, instead it throws the "Your API limit has been reached" execption.

Could you maybe provide a flag that keeps the scan running instead of stopping it?

Im running on 3.7.11

Kind regards.

L0rdShrek commented 4 years ago

For me it doesn´t work on version 3.8 either. I run the following command. docker run --rm wpscanteam/wpscan -v --clear-cache --api-token ${WPVULNDB_API_KEY} --url ${URL}

FoxSca commented 4 years ago

i use kali where i can add my api key

ethicalhack3r commented 4 years ago

@mircone

The readme refers to if you do not supply an API token at all, then WPScan will work as normal, but without showing vulnerability data from wpvulndb. If you omit the token, your scan will complete. But, maybe we should also continue the scan when an API token is supplied, but the user's limit is reached?

@L0rdShrek

What doesn't work? Are you actually running that command with ${WPVULNDB_API_KEY} in it? Do you have Docker installed?

@BlAd373

Please refer to https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation#vulnerability-database

L0rdShrek commented 4 years ago

Hello @ethicalhack3r ,thanks for your reply. i have docker installed and run wpscan via Gitlab Pipeline. ${WPVULNDB_API_KEY} contains my API Key. If my API limit is reached the docker container exit with code 4 and the message Scan Aborted: Your API limit has been reached

 Trace: /usr/local/bundle/gems/wpscan-3.8.1/app/controllers/vuln_api.rb:23:in "before_scan"
 /usr/local/bundle/gems/cms_scanner-0.10.0/lib/cms_scanner/controllers.rb:46:in "each"
 /usr/local/bundle/gems/cms_scanner-0.10.0/lib/cms_scanner/controllers.rb:46:in "block in run"
 /usr/local/lib/ruby/2.6.0/timeout.rb:76:in "timeout"
 /usr/local/bundle/gems/cms_scanner-0.10.0/lib/cms_scanner/controllers.rb:45:in "run"
 /usr/local/bundle/gems/cms_scanner-0.10.0/lib/cms_scanner/scan.rb:24:in "run"
 /usr/local/bundle/gems/wpscan-3.8.1/bin/wpscan:17:in "block in <top (required)>"
 /usr/local/bundle/gems/cms_scanner-0.10.0/lib/cms_scanner/scan.rb:15:in "initialize"
 /usr/local/bundle/gems/wpscan-3.8.1/bin/wpscan:6:in "new"
 /usr/local/bundle/gems/wpscan-3.8.1/bin/wpscan:6:in "<top (required)>"
 /usr/local/bundle/bin/wpscan:23:in "load"
 /usr/local/bundle/bin/wpscan:23:in "<main>"
 ERROR: Job failed: exit code 4

PS: if there are some API Credits left, everything works fine - Big Thanks for that great work!

erwanlr commented 4 years ago

This is the expected behaviour. When you start a scan with an API token which has reached its limit already, it raises the API Limit error. If you want to scan w/o fetching vuln data, then simply remove the API token from the CLI.

tristanlatr commented 4 years ago

Hello,

A "solution" would be to programatically wait 24h if your API limit is reached and re-launch the scan afterwards. This behaviour can be obtained by using WPWatcher, a Python wrapper for wpscan. Just use the --api_limit_wait flag ;)