Expand wordpress_scanner to look for themes & plugins #14423

Merged
merged 8 commits into from Dec 9, 2020

Conversation


@h00die h00die commented Nov 22, 2020

Remember that time in #14419 where we added updates to wp-plugins.txt and wp-themes.txt? Yea, well:

me@kali:/metasploit-framework/modules$ grep -R 'wp-themes.txt' *
me@kali:/metasploit-framework/modules$ grep -R 'wp-plugins.txt' *

We have these files, which are huge, and aren't used. Instead of removing them, let's use them!

This PR updates wordpress_scanner to also enumerate themes and plugins. It also modifies the theme/plugin version wordpress lib to return the version in the details thanks to #14294. Also a rubocop, and msftidy_docs.

Verification

  • Install wordpress, add a theme or plugin if you wish
  • Start msfconsole
  • use auxiliary/scanner/http/wordpress_version
  • set rhosts [ip]
  • run
  • Verify it still works to find the version
  • Verify it now also finds plugins and themes

Is it worth adding a note? The version part does that, I was 50/50 if it was worth the effort, not sure many people actually use notes. I'll take input.
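Added example, written for this page and not part of the PR or of Metasploit: the defender-side counterpart of the scanner described above. Walking the 80,624-entry wp-plugins.txt and the 19,226-entry wp-themes.txt leaves a burst of requests for /wp-content/plugins/<name>/... and /wp-content/themes/<name>/..., almost all of them 404s, so a web server log shows the scan clearly. The code parses combined-format (Apache/nginx) access log lines and flags client IPs whose plugin/theme 404s cross a threshold inside a sliding time window. The log format, the threshold and window values, and every log line (IPs from the documentation ranges) are constructed assumptions.

```ruby
# Added example (not the PR's code): detect WordPress plugin/theme enumeration
# from access logs. Log lines below are constructed samples.
require 'time'

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
WP_ENUM_PATH = %r{\A/wp-content/(?:plugins|themes)/[^/]+/}

Hit = Struct.new(:ip, :time, :path, :status)

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m

  Hit.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'), m[:path], m[:status].to_i)
end

# Returns { ip => { misses:, peak_in_window:, first:, last: } } for every client
# whose 404s on plugin/theme paths reach +threshold+ within +window+ seconds.
def find_enumeration(lines, threshold: 20, window: 60)
  misses = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    hit = parse_line(line)
    next unless hit && hit.status == 404 && hit.path.match?(WP_ENUM_PATH)

    misses[hit.ip] << hit.time
  end

  alerts = {}
  misses.each do |ip, times|
    times.sort!
    peak = 0
    j = 0
    times.each_with_index do |t, i| # densest +window+-second span (sliding window)
      j += 1 while t - times[j] > window
      peak = [peak, i - j + 1].max
    end
    next if peak < threshold

    alerts[ip] = { misses: times.size, peak_in_window: peak, first: times.first, last: times.last }
  end
  alerts
end

def log_line(ip, t, path, status)
  %(#{ip} - - [#{t.strftime('%d/%b/%Y:%H:%M:%S %z')}] "GET #{path} HTTP/1.1" #{status} 512 "-" "Mozilla/5.0")
end

# Constructed log: one client walking a plugin list (a real hit every tenth
# request, the rest 404s) beside an ordinary visitor who trips a single 404.
def sample_log
  base = Time.utc(2020, 12, 8, 17, 40, 0)
  lines = Array.new(30) do |i|
    log_line('203.0.113.5', base + i, "/wp-content/plugins/plugin-#{i}/readme.txt", i % 10 == 0 ? 200 : 404)
  end
  lines << log_line('198.51.100.7', base + 5, '/', 200)
  lines << log_line('198.51.100.7', base + 9, '/wp-content/themes/twentynineteen/style.css', 200)
  lines << log_line('198.51.100.7', base + 12, '/wp-content/plugins/missing/readme.txt', 404)
end

if __FILE__ == $PROGRAM_NAME
  find_enumeration(sample_log).each do |ip, a|
    puts "#{ip}: #{a[:misses]} plugin/theme 404s, #{a[:peak_in_window]} within 60s (#{a[:first]} .. #{a[:last]})"
  end
end
```

The threshold is keyed on 404s rather than on total requests because a legitimate crawler fetches paths that exist; only a wordlist walk produces hundreds of misses under /wp-content/ per minute. Tune `threshold` and `window` to the site's own baseline before alerting on it.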

@@ -188,29 +188,29 @@ def extract_and_check_version(body, type, item_type, fixed_version = nil, vuln_i
if fixed_version.nil?
if vuln_introduced_version.nil?
# All versions are vulnerable
return Msf::Exploit::CheckCode::Appears
return Msf::Exploit::CheckCode::Appears(details:version)
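Review bot: `return Msf::Exploit::CheckCode::Appears(details:version)` is missing the space after the keyword label, which Rubocop's Layout/SpaceAfterColon flags; write `details: version` (or, as discussed in review, `details: { version: version }` so further keys can be added without touching callers). The hunk only shows the `vuln_introduced_version.nil?` branch being changed, so confirm that the remaining `Safe`/`Appears` returns in `extract_and_check_version` carry the same `details`, otherwise the version reaches the scanner only in the "all versions are vulnerable" case.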
Contributor

Love it, you're using the new CheckCode details I added. Would it be better though to update this to details: {version: version} to allow additional keys to be added to the check code details in the future? It may make sense to include a list of plugins someday. Using a hash with a version key would mean that we wouldn't need to refactor a bunch of things and cross our fingers that we got them all if in the future we want to add more data.

Review thread on modules/auxiliary/scanner/http/wordpress_scanner.rb (outdated, resolved)
@smcintyre-r7 smcintyre-r7 self-assigned this Dec 3, 2020

h00die commented Dec 5, 2020

should be good!
Ended up adding a note for each theme/plugin found as well


h00die commented Dec 5, 2020

travis check this please as the results look like a github failure

@smcintyre-r7

It looks like all the feedback has been addressed except for the details being the raw version string instead of a hash containing the version string per this comment.


h00die commented Dec 7, 2020

sometimes you forget to git add files...

@smcintyre-r7

So I was confused why the unit tests passed after the details was updated to a hash and I found out why:

>> Msf::Exploit::CheckCode::Safe(details: '0.0.9')
=> #<struct Msf::Exploit::CheckCode code="safe", message="The target is not exploitable.", reason=nil, details="0.0.9">
>> Msf::Exploit::CheckCode::Safe(details: '0.0.9') == Msf::Exploit::CheckCode::Safe(details: '0.0.9')
=> true
>> Msf::Exploit::CheckCode::Safe(details: '0.0.9') == Msf::Exploit::CheckCode::Safe()
=> true
>> Msf::Exploit::CheckCode::Safe(details: '0.0.9') == Msf::Exploit::CheckCode::Safe(details: {foo: :bar})
=> true
>>

Looks like the CheckCodes do not compare the details when it comes to equality checks. This makes sense so Safe always equals Safe even if the details contain different versions or whatever. What that means for this PR however is the specs should be updated to drop the details since they're not being compared. I'll go ahead and handle that after testing this.
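Added example, not Metasploit's own code: a cut-down model of `Msf::Exploit::CheckCode` (the real definition lives in the framework; the struct shape and messages here are assumptions from memory of it) together with a checker modelled on the hunk's `extract_and_check_version`, returning `details: { version: ... }` as a hash as the review asked. It reproduces the irb session above (equality ignores `details`), shows the readme.txt `Stable tag:` and style.css `Version:` markers the version lib parses, and shows why a spec that does `expect(result).to eq(CheckCode::Appears(...))` can never catch a wrong version and must assert on `details` separately. The comparison logic for `fixed_version`/`vuln_introduced_version` is my reconstruction, not the lib's.

```ruby
# Added example (not Metasploit's code): model of CheckCode equality and of a
# version check that returns the version as a hash in details.
require 'rubygems' # Gem::Version does the version comparison

module CheckModel
  # Equality is defined on `code` alone, so Safe == Safe whatever the
  # message, reason or details hold (the behaviour the irb session shows).
  CheckCode = Struct.new(:code, :message, :reason, :details) do
    def ==(other)
      other.is_a?(CheckCode) && code == other.code
    end
    alias_method :eql?, :==

    def hash
      code.hash
    end
  end

  def self.Safe(reason: nil, details: {})
    CheckCode.new('safe', 'The target is not exploitable.', reason, details)
  end

  def self.Appears(reason: nil, details: {})
    CheckCode.new('appears', 'The target appears to be vulnerable.', reason, details)
  end

  def self.Unknown(reason: nil, details: {})
    CheckCode.new('unknown', 'Cannot reliably check exploitability.', reason, details)
  end

  # Version markers: a plugin readme.txt carries "Stable tag: x.y.z",
  # a theme style.css carries "Version: x.y".
  STABLE_TAG    = /^\s*Stable tag:\s*(\d+(?:\.\d+)*)/i
  STYLE_VERSION = /^\s*Version:\s*(\d+(?:\.\d+)*)/i

  def self.extract_version(body, item_type)
    re = item_type == :plugin ? STABLE_TAG : STYLE_VERSION
    m = re.match(body)
    m && m[1]
  end

  # Modelled on extract_and_check_version (assumed semantics): nil
  # fixed_version means no fix exists; nil vuln_introduced_version means
  # every version is affected.
  def self.check_version(body, item_type, fixed_version = nil, vuln_introduced_version = nil)
    version = extract_version(body, item_type)
    return Unknown(reason: 'no version marker found') if version.nil?

    details = { version: version } # a hash, so more keys can be added later without touching callers
    v = Gem::Version.new(version)
    introduced = vuln_introduced_version && Gem::Version.new(vuln_introduced_version)

    if fixed_version.nil?
      return Appears(details: details) if introduced.nil? # all versions are vulnerable
      return v >= introduced ? Appears(details: details) : Safe(details: details)
    end

    return Safe(details: details) if v >= Gem::Version.new(fixed_version)
    return Safe(details: details) if introduced && v < introduced
    Appears(details: details)
  end

  # What a spec can and cannot rely on: `==` passes with a wrong version,
  # so assert on code and details separately.
  def self.spec_demo
    readme = "=== Simple File List ===\nStable tag: 4.2.2\n" # constructed sample body
    result = check_version(readme, :plugin, '4.3.0')
    loose  = (result == Appears(details: { version: 'wrong' }))
    strict = result.code == 'appears' && result.details == { version: '4.2.2' }
    { loose_passes: loose, strict_passes: strict }
  end
end
```

`spec_demo` returns `{ loose_passes: true, strict_passes: true }`: the loose comparison accepts a bogus version, which is exactly why the specs in this PR had to stop comparing whole CheckCodes and check `details` on their own.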

@smcintyre-r7

Well it took a couple of hours to run but this finished successfully and added all the proper notes. I'll go ahead and fix the unit tests, wait for travis to pass and then land this. Travis has been extra slow lately so it may be 24 hours after I push the test changes but I'll handle it from here. Thanks a lot @h00die, this is an awesome improvement for the scanner.

Testing Output
msf6 auxiliary(scanner/http/wordpress_scanner) > show options 

Module options (auxiliary/scanner/http/wordpress_scanner):

   Name          Current Setting                                                                     Required  Description
   ----          ---------------                                                                     --------  -----------
   PLUGINS       true                                                                                no        Detect plugins
   PLUGINS_FILE  /home/smcintyre/Repositories/metasploit-framework.pr/data/wordlists/wp-plugins.txt  yes       File containing plugins to enumerate
   PROGRESS      1000                                                                                yes       how often to print progress
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.159.31                                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80                                                                                  yes       The target port (TCP)
   SSL           false                                                                               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                                                                                   yes       The base path to the wordpress application
   THEMES        true                                                                                no        Detect themes
   THEMES_FILE   /home/smcintyre/Repositories/metasploit-framework.pr/data/wordlists/wp-themes.txt   yes       File containing themes to enumerate
   THREADS       1                                                                                   yes       The number of concurrent threads (max one per host)
   VHOST                                                                                             no        HTTP server virtual host

msf6 auxiliary(scanner/http/wordpress_scanner) > run

[*] Trying 192.168.159.31
[+] 192.168.159.31 - Detected Wordpress 5.5.3
[*] 192.168.159.31 - Enumerating Themes
[*] 192.168.159.31 - Progress      0/19226 (0.0%)
[*] 192.168.159.31 - Progress   1000/19226 (5.2%)
[*] 192.168.159.31 - Progress   2000/19226 (10.4%)
[*] 192.168.159.31 - Progress   3000/19226 (15.6%)
[*] 192.168.159.31 - Progress   4000/19226 (20.8%)
[*] 192.168.159.31 - Progress   5000/19226 (26.0%)
[*] 192.168.159.31 - Progress   6000/19226 (31.2%)
[*] 192.168.159.31 - Progress   7000/19226 (36.4%)
[*] 192.168.159.31 - Progress   8000/19226 (41.61%)
[*] 192.168.159.31 - Progress   9000/19226 (46.81%)
[*] 192.168.159.31 - Progress  10000/19226 (52.01%)
[*] 192.168.159.31 - Progress  11000/19226 (57.21%)
[*] 192.168.159.31 - Progress  12000/19226 (62.41%)
[*] 192.168.159.31 - Progress  13000/19226 (67.61%)
[*] 192.168.159.31 - Progress  14000/19226 (72.81%)
[*] 192.168.159.31 - Progress  15000/19226 (78.01%)
[*] 192.168.159.31 - Progress  16000/19226 (83.22%)
[*] 192.168.159.31 - Progress  17000/19226 (88.42%)
[+] 192.168.159.31 - Detected theme: twentynineteen version 1.7
[+] 192.168.159.31 - Detected theme: twentyseventeen version 2.4
[*] 192.168.159.31 - Progress  18000/19226 (93.62%)
[*] 192.168.159.31 - Progress  19000/19226 (98.82%)
[*] 192.168.159.31 - Finished scanning themes
[*] 192.168.159.31 - Enumerating plugins
[*] 192.168.159.31 - Progress      0/80624 (0.0%)
[*] 192.168.159.31 - Progress   1000/80624 (1.24%)
[*] 192.168.159.31 - Progress   2000/80624 (2.48%)
[*] 192.168.159.31 - Progress   3000/80624 (3.72%)
[+] 192.168.159.31 - Detected plugin: all-in-one-seo-pack version 3.7.1
[+] 192.168.159.31 - Detected plugin: all-in-one-wp-migration version 7.30
[+] 192.168.159.31 - Detected plugin: amp version 2.0.5
[*] 192.168.159.31 - Progress   4000/80624 (4.96%)
[*] 192.168.159.31 - Progress   5000/80624 (6.2%)
[*] 192.168.159.31 - Progress   6000/80624 (7.44%)
[*] 192.168.159.31 - Progress   7000/80624 (8.68%)
[*] 192.168.159.31 - Progress   8000/80624 (9.92%)
[*] 192.168.159.31 - Progress   9000/80624 (11.16%)
[*] 192.168.159.31 - Progress  10000/80624 (12.4%)
[*] 192.168.159.31 - Progress  11000/80624 (13.64%)
[*] 192.168.159.31 - Progress  12000/80624 (14.88%)
[*] 192.168.159.31 - Progress  13000/80624 (16.12%)
[*] 192.168.159.31 - Progress  14000/80624 (17.36%)
[*] 192.168.159.31 - Progress  15000/80624 (18.6%)
[*] 192.168.159.31 - Progress  16000/80624 (19.84%)
[*] 192.168.159.31 - Progress  17000/80624 (21.08%)
[*] 192.168.159.31 - Progress  18000/80624 (22.32%)
[*] 192.168.159.31 - Progress  19000/80624 (23.56%)
[*] 192.168.159.31 - Progress  20000/80624 (24.8%)
[*] 192.168.159.31 - Progress  21000/80624 (26.04%)
[*] 192.168.159.31 - Progress  22000/80624 (27.28%)
[*] 192.168.159.31 - Progress  23000/80624 (28.52%)
[*] 192.168.159.31 - Progress  24000/80624 (29.76%)
[*] 192.168.159.31 - Progress  25000/80624 (31.0%)
[*] 192.168.159.31 - Progress  26000/80624 (32.24%)
[+] 192.168.159.31 - Detected plugin: google-analytics-for-wordpress version 7.13.0
[*] 192.168.159.31 - Progress  27000/80624 (33.48%)
[*] 192.168.159.31 - Progress  28000/80624 (34.72%)
[*] 192.168.159.31 - Progress  29000/80624 (35.96%)
[*] 192.168.159.31 - Progress  30000/80624 (37.2%)
[*] 192.168.159.31 - Progress  31000/80624 (38.45%)
[*] 192.168.159.31 - Progress  32000/80624 (39.69%)
[+] 192.168.159.31 - Detected plugin: jetpack version 9.1
[*] 192.168.159.31 - Progress  33000/80624 (40.93%)
[*] 192.168.159.31 - Progress  34000/80624 (42.17%)
[*] 192.168.159.31 - Progress  35000/80624 (43.41%)
[*] 192.168.159.31 - Progress  36000/80624 (44.65%)
[*] 192.168.159.31 - Progress  37000/80624 (45.89%)
[*] 192.168.159.31 - Progress  38000/80624 (47.13%)
[*] 192.168.159.31 - Progress  39000/80624 (48.37%)
[*] 192.168.159.31 - Progress  40000/80624 (49.61%)
[*] 192.168.159.31 - Progress  41000/80624 (50.85%)
[*] 192.168.159.31 - Progress  42000/80624 (52.09%)
[*] 192.168.159.31 - Progress  43000/80624 (53.33%)
[*] 192.168.159.31 - Progress  44000/80624 (54.57%)
[*] 192.168.159.31 - Progress  45000/80624 (55.81%)
[*] 192.168.159.31 - Progress  46000/80624 (57.05%)
[*] 192.168.159.31 - Progress  47000/80624 (58.29%)
[*] 192.168.159.31 - Progress  48000/80624 (59.53%)
[*] 192.168.159.31 - Progress  49000/80624 (60.77%)
[*] 192.168.159.31 - Progress  50000/80624 (62.01%)
[*] 192.168.159.31 - Progress  51000/80624 (63.25%)
[*] 192.168.159.31 - Progress  52000/80624 (64.49%)
[*] 192.168.159.31 - Progress  53000/80624 (65.73%)
[*] 192.168.159.31 - Progress  54000/80624 (66.97%)
[*] 192.168.159.31 - Progress  55000/80624 (68.21%)
[+] 192.168.159.31 - Detected plugin: simple-file-list version 4.2.2
[*] 192.168.159.31 - Progress  56000/80624 (69.45%)
[+] 192.168.159.31 - Detected plugin: simple-tags version 2.62
[*] 192.168.159.31 - Progress  57000/80624 (70.69%)
[*] 192.168.159.31 - Progress  58000/80624 (71.93%)
[*] 192.168.159.31 - Progress  59000/80624 (73.17%)
[*] 192.168.159.31 - Progress  60000/80624 (74.41%)
[*] 192.168.159.31 - Progress  61000/80624 (75.65%)
[*] 192.168.159.31 - Progress  62000/80624 (76.9%)
[*] 192.168.159.31 - Progress  63000/80624 (78.14%)
[*] 192.168.159.31 - Progress  64000/80624 (79.38%)
[*] 192.168.159.31 - Progress  65000/80624 (80.62%)
[*] 192.168.159.31 - Progress  66000/80624 (81.86%)
[*] 192.168.159.31 - Progress  67000/80624 (83.1%)
[*] 192.168.159.31 - Progress  68000/80624 (84.34%)
[*] 192.168.159.31 - Progress  69000/80624 (85.58%)
[*] 192.168.159.31 - Progress  70000/80624 (86.82%)
[*] 192.168.159.31 - Progress  71000/80624 (88.06%)
[*] 192.168.159.31 - Progress  72000/80624 (89.3%)
[*] 192.168.159.31 - Progress  73000/80624 (90.54%)
[*] 192.168.159.31 - Progress  74000/80624 (91.78%)
[+] 192.168.159.31 - Detected plugin: wp-mail-smtp version 2.5.1
[*] 192.168.159.31 - Progress  75000/80624 (93.02%)
[*] 192.168.159.31 - Progress  76000/80624 (94.26%)
[*] 192.168.159.31 - Progress  77000/80624 (95.5%)
[*] 192.168.159.31 - Progress  78000/80624 (96.74%)
[*] 192.168.159.31 - Progress  79000/80624 (97.98%)
[*] 192.168.159.31 - Progress  80000/80624 (99.22%)
[*] 192.168.159.31 - Finished scanning plugins
[*] 192.168.159.31 - Finished all scans
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/wordpress_scanner) > hosts 

Hosts
=====

address         mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------  ---------  -----  -------  ----  --------
192.168.159.31             Unknown                    device         

msf6 auxiliary(scanner/http/wordpress_scanner) > notes 

Notes
=====

 Time                     Host            Service  Port  Protocol  Type                                                             Data
 ----                     ----            -------  ----  --------  ----                                                             ----
 2020-12-08 17:19:17 UTC  192.168.159.31  http     80    tcp       Wordpress 5.5.3                                                  "/"
 2020-12-08 17:40:22 UTC  192.168.159.31  http     80    tcp       Wordpress Theme: twentynineteen version 1.7                      {}
 2020-12-08 17:40:22 UTC  192.168.159.31  http     80    tcp       Wordpress Theme: twentyseventeen version 2.4                     {}
 2020-12-08 17:45:18 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: all-in-one-seo-pack version 3.7.1              {}
 2020-12-08 17:45:19 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: all-in-one-wp-migration version 7.30           {}
 2020-12-08 17:45:39 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: amp version 2.0.5                              {}
 2020-12-08 20:27:39 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: google-analytics-for-wordpress version 7.13.0  {}
 2020-12-08 20:32:08 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: jetpack version 9.1                            {}
 2020-12-08 20:52:14 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: simple-file-list version 4.2.2                 {}
 2020-12-08 20:52:51 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: simple-tags version 2.62                       {}
 2020-12-08 21:10:07 UTC  192.168.159.31  http     80    tcp       Wordpress Plugin: wp-mail-smtp version 2.5.1                     {}

msf6 auxiliary(scanner/http/wordpress_scanner) >


h00die commented Dec 8, 2020

awesome! glad to hear it's working

@smcintyre-r7 smcintyre-r7 merged commit 90a99ae into rapid7:master Dec 9, 2020

smcintyre-r7 commented Dec 9, 2020

Release Notes

Updated the Wordpress Scanner module to also identify common themes and plugins.

@h00die h00die deleted the wp-plugin branch December 9, 2020 19:56
@pbarry-r7 pbarry-r7 added the rn-enhancement release notes enhancement label Jan 21, 2021
Labels: docs, module, rn-enhancement (release notes enhancement)