diff --git a/app/controllers/password_attack.rb b/app/controllers/password_attack.rb
index 7a72644b4..cc478edc1 100644
--- a/app/controllers/password_attack.rb
+++ b/app/controllers/password_attack.rb
@@ -88,8 +88,8 @@ def attacker_from_cli_options
 def xmlrpc_get_users_blogs_enabled?
 if xmlrpc&.enabled? &&
 xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
- xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
- .run.body !~ /XML-RPC services are disabled/
+ !xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
+ .run.body.match?(/>\s*405\s*</)
 
 true
 else
diff --git a/spec/app/controllers/password_attack_spec.rb b/spec/app/controllers/password_attack_spec.rb
index 59d1a5527..98d1037b3 100644
--- a/spec/app/controllers/password_attack_spec.rb
+++ b/spec/app/controllers/password_attack_spec.rb
@@ -1,5 +1,24 @@
 # frozen_string_literal: true
 
+XMLRPC_FAILED_BODY = '
+<?xml version="1.0" encoding="UTF-8"?>
+<methodResponse>
+ <fault>
+ <value>
+ <struct>
+ <member>
+ <name>faultCode</name>
+ <value><int>405</int></value>
+ </member>
+ <member>
+ <name>faultString</name>
+ <value><string>%s</string></value>
+ </member>
+ </struct>
+ </value>
+ </fault>
+</methodResponse>'
+
 describe WPScan::Controller::PasswordAttack do
 subject(:controller) { described_class.new }
 let(:target_url) { 'http://ex.lo/' }
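Review bot: The negated match in `xmlrpc_get_users_blogs_enabled?` returns true for every body that does not contain `>405<`, so an empty response, an HTML error or WAF page, or a fault with some other code is reported as "method enabled". The pattern is also not tied to the `faultCode` member; any element whose text is `405` would flip the result. Anchoring it, for example `.run.body.match?(%r{<name>faultCode</name>\s*<value>\s*<int>\s*405\s*</int>})`, or parsing the response and reading `faultCode`, would remove the second problem; requiring a `<methodResponse>` document before trusting the answer would address the first. The method's `else` branch lies outside the hunk.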
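Review bot: `XMLRPC_FAILED_BODY` is assigned at the top level of the spec file, so it becomes a global constant visible to every other spec loaded in the same run rather than a fixture scoped to this `describe`. The literal also opens with a newline, which puts the `<?xml` declaration on the second line of the stubbed body, unlike a real fault response. A `let` inside the `describe` block built from a `<<~XML` heredoc (the name is up to the author) would keep the fixture local and start the document at the declaration.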
@@ -81,20 +100,34 @@
 end
 
 context 'when wp.getUsersBlogs method listed' do
- before { expect(xmlrpc).to receive(:available_methods).and_return(%w[wp.getUsersBlogs m2]) }
+ before do
+ expect(xmlrpc).to receive(:available_methods).and_return(%w[wp.getUsersBlogs m2])
+
+ stub_request(:post, xmlrpc.url).to_return(body: body)
+ end
 
 context 'when wp.getUsersBlogs method disabled' do
- it 'returns false' do
- stub_request(:post, xmlrpc.url).to_return(body: 'XML-RPC services are disabled on this site.')
+ context 'when blog is in EN' do
+ let(:body) { format(XMLRPC_FAILED_BODY, 'XML-RPC services are disabled on this site.') }
 
- expect(controller.xmlrpc_get_users_blogs_enabled?).to be false
+ it 'returns false' do
+ expect(controller.xmlrpc_get_users_blogs_enabled?).to be false
+ end
+ end
+
+ context 'when blog is in FR' do
+ let(:body) { format(XMLRPC_FAILED_BODY, 'Les services XML-RPC sont désactivés sur ce site.') }
+
+ it 'returns false' do
+ expect(controller.xmlrpc_get_users_blogs_enabled?).to be false
+ end
 end
 end
 
 context 'when wp.getUsersBlogs method enabled' do
- it 'returns true' do
- stub_request(:post, xmlrpc.url).to_return(body: 'Incorrect username or password.')
+ let(:body) { 'Incorrect username or password.' }
 
+ it 'returns true' do
 expect(controller.xmlrpc_get_users_blogs_enabled?).to be true
 end
 end
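Review bot: The `when wp.getUsersBlogs method enabled` context still stubs a bare string, `'Incorrect username or password.'`, instead of a fault document, so it only proves that a body without `>405<` yields true. Because `XMLRPC_FAILED_BODY` hard-codes the 405 code, it cannot be reused for a realistic "enabled" reply, which as far as I know WordPress sends as a fault with code 403. Giving the fixture a `%d` slot for the code and writing `let(:body) { format(XMLRPC_FAILED_BODY, 403, 'Incorrect username or password.') }` here would exercise the real response shape. A further context with an empty or non-XML body would pin down what the method is meant to return when the endpoint does not answer with XML-RPC at all.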