wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

W3TotalCache passive detection #177

Closed firefart closed 11 years ago

firefart commented 11 years ago

The w3-total-cache plugin is not detected by passive detection, because it loads no files from its directory. But there is an X-Powered-By: W3 Total Cache/0.9.2.5 HTTP header and a comment at the end of the page

<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

Page Caching using memcached
Database Caching 30/81 queries in 7.428 seconds using memcached
Object Caching 2356/2614 objects using memcached
Content Delivery Network via Amazon Web Services: S3: XXXXXX

Served from: XXXXX @ 2013-05-01 14:13:18 -->

This plugin is very popular and has 2 critical vulns so it would be great to have this on the "normal" run.

@erwanlr Is it possible to add a header and content based plugin detection with the new plugin system in wpscan? (Haven't had time to look over it :( )

erwanlr commented 11 years ago

Yes it's possible

The method should be in lib/common/collections/wp_plugins/detectable.rb and looks like this:

  def passive_detection(wp_target, options = {})
    detected = super(wp_target, options)

    # passive detection from header

    # passive detection from content

    detected.uniq.sort
  end

I would do a method for each passive detection (header & content), and maybe include the SuperCache plugin detection into them also

erwanlr commented 11 years ago

I do not have the X-Powered-By header set to the cache plugin :/ (tested with the w3-total-cache & wp-super-cache)

firefart commented 11 years ago

I think you must enable page caching (or any other feature) to get this header.

Edit: just saw that you already added a check for it :D I was currently playing around with the new source code... looks like I'm too slow :)

erwanlr commented 11 years ago

Yep, I played a bit with it, but don't like it :p

The page caching was enabled, the fact is I already have an x-powered-by header (value: PHP/php-version), wonder if the cache header is set only if there is no other header

The thing I don't like in my code is the duplication due to the creation of WpPlugin, I think I will add some code to the WpPlugins (or better, the WpItems) to be able to add a WpPlugin (or a WpItem) by :

instead of only its object like currently.

erwanlr commented 11 years ago

Btw, wp-super-cache has a custom header:

WP-Super-Cache  Served supercache file from PHP
X-Powered-By    PHP/5.3.16

Unfortunately, Typhoeus does not seem to retrieve this kind of header

Edit: Strange, on my BT5 Typhoeus retrieves it :o
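An added worked example of the two passive-detection methods sketched in the stub above (one for headers, one for page content), written as stand-alone Ruby rather than WPScan's own code. It covers both observations from the thread: the X-Powered-By header may already be occupied by PHP, so the footer comment has to be checked independently, and wp-super-cache exposes its own WP-Super-Cache header. The Response struct, the PASSIVE_SIGNATURES table and the sample responses are constructed for this example; header names and comment text are taken from the issue.

```ruby
# Added example (not WPScan's own code): passive plugin detection that looks at
# response headers and the HTML body instead of plugin directory URLs.
# Response, PASSIVE_SIGNATURES and the sample responses are constructed here.

Response = Struct.new(:headers, :body)

# Signature table (constructed): slug => header name/pattern and body pattern.
# Header values come from the issue (X-Powered-By: W3 Total Cache/<version>,
# WP-Super-Cache: Served supercache file from PHP); the body pattern matches the
# "Performance optimized by W3 Total Cache" footer comment.
PASSIVE_SIGNATURES = {
  'w3-total-cache' => {
    header: ['X-Powered-By', %r{\AW3 Total Cache(?:/(?<version>[\d.]+))?}i],
    body: /<!--\s*Performance optimized by W3 Total Cache\./i
  },
  'wp-super-cache' => {
    header: ['WP-Super-Cache', /./],
    body: nil
  }
}.freeze

# Case-insensitive header lookup: servers and client libraries disagree on
# header capitalisation, so never compare header names with ==.
def header_value(headers, name)
  key = headers.keys.find { |k| k.to_s.casecmp?(name) }
  key && headers[key].to_s
end

# Returns { slug => version_or_nil } for every plugin whose header signature matches.
def detect_from_headers(headers)
  found = {}
  PASSIVE_SIGNATURES.each do |slug, sig|
    name, pattern = sig[:header]
    value = header_value(headers, name)
    next unless value
    m = pattern.match(value)
    next unless m
    found[slug] = m.names.include?('version') ? m[:version] : nil
  end
  found
end

# Returns { slug => nil } for every plugin whose body signature matches.
def detect_from_body(body)
  PASSIVE_SIGNATURES.each_with_object({}) do |(slug, sig), found|
    found[slug] = nil if sig[:body] && sig[:body].match?(body.to_s)
  end
end

# Merge both sources; a version learned from a header wins over nil from the body.
def passive_detection(response)
  merged = detect_from_body(response.body)
  detect_from_headers(response.headers).each do |slug, version|
    merged[slug] = version || merged[slug]
  end
  merged.sort.to_h
end

# Constructed sample: header present plus the W3TC footer comment from the issue.
W3TC_RESPONSE = Response.new(
  { 'Content-Type' => 'text/html', 'x-powered-by' => 'W3 Total Cache/0.9.2.5' },
  <<~HTML
    <html><body>...</body></html>
    <!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

    Page Caching using memcached

    Served from: example.invalid @ 2013-05-01 14:13:18 -->
  HTML
)

# Constructed sample: X-Powered-By already taken by PHP, so only the body
# comment reveals the plugin and no version is available.
PHP_HEADER_RESPONSE = Response.new(
  { 'X-Powered-By' => 'PHP/5.3.16' },
  "<html></html>\n<!-- Performance optimized by W3 Total Cache. Learn more: ... -->"
)

# Constructed sample: wp-super-cache's custom header, no W3TC comment.
SUPERCACHE_RESPONSE = Response.new(
  { 'WP-Super-Cache' => 'Served supercache file from PHP', 'X-Powered-By' => 'PHP/5.3.16' },
  '<html></html>'
)

if __FILE__ == $PROGRAM_NAME
  [W3TC_RESPONSE, PHP_HEADER_RESPONSE, SUPERCACHE_RESPONSE].each do |r|
    p passive_detection(r)
  end
end
```

Keeping the header and body checks as separate methods that each return a slug-to-version hash makes the merge step trivial and lets the result feed a collection of plugin objects without the duplication erwanlr mentions; adding a new passively detectable plugin is then a one-entry change to the signature table.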

firefart commented 11 years ago

Cool thx! Can't wait to try it out :)