installed plugin WPScan version 1.15.1

2021-05-13 11:27:50 +00:00
parent 2b403ab680
commit e0e2392c3c
193 changed files with 30878 additions and 0 deletions
--- a/wp-content/plugins/wpscan/security-checks/weak-passwords/assets/passwords.txt
+++ b/wp-content/plugins/wpscan/security-checks/weak-passwords/assets/passwords.txt
@ -0,0 +1,208 @@
+123456
+password
+123456789
+12345678
+12345
+qwerty
+123123
+111111
+abc123
+1234567
+dragon
+1q2w3e4r
+sunshine
+654321
+master
+1234
+football
+1234567890
+000000
+computer
+666666
+superman
+michael
+internet
+iloveyou
+daniel
+1qaz2wsx
+monkey
+shadow
+jessica
+letmein
+baseball
+whatever
+princess
+abcd1234
+123321
+starwars
+121212
+thomas
+zxcvbnm
+trustno1
+killer
+welcome
+jordan
+aaaaaa
+123qwe
+freedom
+password1
+charlie
+batman
+jennifer
+7777777
+michelle
+diamond
+oliver
+mercedes
+benjamin
+11111111
+snoopy
+samantha
+victoria
+matrix
+george
+alexander
+secret
+cookie
+asdfgh
+987654321
+123abc
+orange
+fuckyou
+asdf1234
+pepper
+hunter
+silver
+joshua
+banana
+1q2w3e
+chelsea
+1234qwer
+summer
+qwertyuiop
+phoenix
+andrew
+q1w2e3r4
+elephant
+rainbow
+mustang
+merlin
+london
+garfield
+robert
+chocolate
+112233
+samsung
+qazwsx
+matthew
+buster
+jonathan
+ginger
+flower
+555555
+test
+caroline
+amanda
+maverick
+midnight
+martin
+junior
+88888888
+anthony
+jasmine
+creative
+patrick
+mickey
+123
+qwerty123
+cocacola
+chicken
+passw0rd
+forever
+william
+nicole
+hello
+yellow
+nirvana
+justin
+friends
+cheese
+tigger
+mother
+liverpool
+blink182
+asdfghjkl
+andrea
+spider
+scooter
+richard
+soccer
+rachel
+purple
+morgan
+melissa
+jackson
+arsenal
+222222
+qwe123
+gabriel
+ferrari
+jasper
+danielle
+bandit
+angela
+scorpion
+prince
+maggie
+austin
+veronica
+nicholas
+monster
+dexter
+carlos
+thunder
+success
+hannah
+ashley
+131313
+stella
+brandon
+pokemon
+joseph
+asdfasdf
+999999
+metallica
+december
+chester
+taylor
+sophie
+samuel
+rabbit
+crystal
+barney
+xxxxxx
+steven
+ranger
+patricia
+christian
+asshole
+spiderman
+sandra
+hockey
+angels
+security
+parker
+heather
+888888
+victor
+harley
+333333
+system
+slipknot
+november
+jordan23
+canada
+tennis
+qwertyui
+casper
+admin
--- a/wp-content/plugins/wpscan/security-checks/weak-passwords/check.php
+++ b/wp-content/plugins/wpscan/security-checks/weak-passwords/check.php
@ -0,0 +1,96 @@
+<?php
+
+/**
+ * Classname: WPScan\Checks\weakPasswords
+ */
+
+namespace WPScan\Checks;
+
+// Exit if accessed directly.
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * WeakPasswords.
+ *
+ * Checks if privileged users are using weak passwords.
+ *
+ * @since 1.14.0
+ */
+class weakPasswords extends Check {
+  /**
+   * Title.
+   *
+   * @since 1.14.0
+   * @access public
+   * @return string
+   */
+  public function title() {
+    return __( 'Weak Passwords', 'wpscan' );
+  }
+
+  /**
+   * Description.
+   *
+   * @since 1.14.0
+   * @access public
+   * @return string
+   */
+  public function description() {
+      return __( 'Checks if privileged users are using any passwords from our weak password list.', 'wpscan' );
+  }
+
+  /**
+   * Success message.
+   *
+   * @since 1.14.0
+   * @access public
+   * @return string
+   */
+  public function success_message() {
+      return __( 'We were not able to brute force the password of any privileged user', 'wpscan' );
+  }
+
+  /**
+   * Perform the check and save the results.
+   *
+   * @since 1.14.0
+   * @access public
+   * @return void
+   */
+  public function perform() {
+    $vulnerabilities = $this->get_vulnerabilities();
+
+    // Password list from: https://github.com/danielmiessler/SecLists/blob/master/Passwords/probable-v2-top207.txt.
+    $users     = get_users( array( 'role__in' => array( 'super_admin', 'administrator', 'editor', 'author', 'contributor' ) ) );
+    $passwords = file( $this->dir . '/assets/passwords.txt', FILE_IGNORE_NEW_LINES );
+    $found     = array();
+
+    foreach ( $users as $user ) {
+      $username = $user->user_login;
+      
+      foreach ( $passwords as $password ) {
+        if ( wp_check_password( $password, $user->data->user_pass, $user->ID ) ) {
+          array_push( $found, $username );
+          break;
+        }
+      }
+    }
+
+    if ( ! empty( $found ) ) {
+        if ( 1 === count( $found ) ) {
+          $text = sprintf(
+            __( 'The %s user was found to have a weak password. The user\'s password should be updated immediately.', 'wpscan' ),
+            esc_html( $found[0] )
+          );
+        } else {
+          $found = implode( ', ', $found );
+          $text  = sprintf(
+            __( 'The %s users were found to have weak passwords. The users\' passwords should be updated immediately.', 'wpscan' ),
+            esc_html( $found )
+          );
+        }
+
+        $this->add_vulnerability( $text, 'high', 'weak-passwords', 'https://blog.wpscan.com/wpscan/2019/09/17/wpscan-brute-force.html' );
+    }
+  }
+}