Contents

module WPScan
  module Finders
    module Users
      # Login Error Messages
      #
      # Existing username:
      #   WP < 3.1 - Incorrect password.
      #   WP >= 3.1 - The password you entered for the username admin is incorrect.
      # Non existent username: Invalid username.
      #
      class LoginErrorMessages < CMSScanner::Finders::Finder
        # @param [ Hash ] opts
        # @option opts [ String ] :list
        #
        # @return [ Array<User> ]
        def aggressive(opts = {})
          found = []

          usernames(opts).each do |username|
            res   = target.do_login(username, SecureRandom.hex[0, 8])
            error = res.html.css('div#login_error').text.strip

            return found if error.empty? # Protection plugin / error disabled

            next unless error =~ /The password you entered for the username|Incorrect Password/i

            found << CMSScanner::User.new(username, found_by: found_by, confidence: 100)
          end

          found
        end

        # @return [ Array<String> ] List of usernames to check
        def usernames(opts = {})
          # usernames from the potential Users found
          unames = opts[:found].map(&:username)

          [*opts[:list]].each { |uname| unames << uname.chomp }

          unames.uniq
        end
      end
    end
  end
end

Version data entries

10 entries across 10 versions & 1 rubygems

Version	Path
wpscan-3.4.5	app/finders/users/login_error_messages.rb
wpscan-3.4.4	app/finders/users/login_error_messages.rb
wpscan-3.4.3	app/finders/users/login_error_messages.rb
wpscan-3.4.2	app/finders/users/login_error_messages.rb
wpscan-3.4.1	app/finders/users/login_error_messages.rb
wpscan-3.4.0	app/finders/users/login_error_messages.rb
wpscan-3.3.3	app/finders/users/login_error_messages.rb
wpscan-3.3.2	app/finders/users/login_error_messages.rb
wpscan-3.3.1	app/finders/users/login_error_messages.rb
wpscan-3.3.0	app/finders/users/login_error_messages.rb