From 79864cae7b67e10151e31c293bcd07ac10c30b90 Mon Sep 17 00:00:00 2001
From: ethicalhack3r
Date: Mon, 17 Jul 2017 20:56:38 +0200
Subject: [PATCH] Add emergency.php detection #1108

---
 lib/wpscan/wp_target.rb | 15 +++++++++++++++
 spec/lib/wpscan/wp_target_spec.rb | 23 +++++++++++++++++++++++
 wpscan.rb | 4 ++++
 3 files changed, 42 insertions(+)

diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index a799ebfe9..9fa0325e0 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -155,6 +155,21 @@ def search_replace_db_2_exists?
 resp.code == 200 && resp.body[%r{by interconnect}i]
 end
 
+ # Script used to recover locked out admin users
+ # http://yoast.com/emergency-wordpress-access/
+ # https://codex.wordpress.org/User:MichaelH/Orphaned_Plugins_needing_Adoption/Emergency
+ #
+ # @return [ String ]
+ def emergency_url
+ @uri.merge('emergency.php').to_s
+ end
+
+ # @return [ Boolean ]
+ def emergency_exists?
+ resp = Browser.get(emergency_url)
+ resp.code == 200 && resp.body[%r{password}i]
+ end
+
 def upload_directory_listing_enabled?
 directory_listing_enabled?(upload_dir_url)
 end
diff --git a/spec/lib/wpscan/wp_target_spec.rb b/spec/lib/wpscan/wp_target_spec.rb
index bc6568482..640fba5f9 100644
--- a/spec/lib/wpscan/wp_target_spec.rb
+++ b/spec/lib/wpscan/wp_target_spec.rb
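Review bot: `emergency_exists?` is documented as `@return [ Boolean ]`, but its last expression `resp.code == 200 && resp.body[%r{password}i]` evaluates to the matched substring or `nil`, not `true`/`false`, so callers that compare or serialize the result get a String. `resp.code == 200 && !resp.body[%r{password}i].nil?` keeps the same truthiness and makes the doc accurate. The fingerprint `password` is also very generic: any site that answers unknown paths with a 200 page containing that word (a rendered login form, presumably) would be reported as having emergency.php, where the sibling `search_replace_db_2_exists?` matches the distinctive author string `by interconnect`; a marker specific to this script's output would reduce such false positives.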
@@ -192,4 +192,27 @@
 end
 end
 
+ describe '#emergency_url' do
+ it 'returns the correct url' do
+ expect(wp_target.emergency_url).to eq 'http://example.localhost/emergency.php'
+ end
+ end
+
+ describe '#emergency_exists?' do
+ it 'returns true' do
+ stub_request(:any, wp_target.emergency_url).to_return(status: 200, body: 'enter your password here')
+ expect(wp_target.emergency_exists?).to be_truthy
+ end
+
+ it 'returns false' do
+ stub_request(:any, wp_target.emergency_url).to_return(status: 500)
+ expect(wp_target.emergency_exists?).to be_falsey
+ end
+
+ it 'returns false' do
+ stub_request(:any, wp_target.emergency_url).to_return(status: 500, body: 'enter your password here')
+ expect(wp_target.emergency_exists?).to be_falsey
+ end
+ end
+
 end
diff --git a/wpscan.rb b/wpscan.rb
index 969ad72a2..c792dc101 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -226,6 +226,10 @@ def main
 puts critical("searchreplacedb2.php has been found in: '#{wp_target.search_replace_db_2_url}'")
 end
 
+ if wp_target.emergency_exists?
+ puts critical("emergency.php has been found in: '#{wp_target.emergency_url}'")
+ end
+
 wp_target.interesting_headers.each do |header|
 output = info('Interesting header: ')
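Review bot: The `#emergency_exists?` examples never exercise the body check negatively: both `returns false` cases stub status 500, so `resp.code == 200` short-circuits before the regex runs and a 200 response without the marker is untested. Add a third negative example, `stub_request(:any, wp_target.emergency_url).to_return(status: 200, body: 'nothing to see here')` followed by `expect(wp_target.emergency_exists?).to be_falsey`. The two existing negative examples also share the description `'returns false'`, which makes a failure report ambiguous; descriptions such as `'returns false when the status is not 200'` and `'returns false when the status is not 200 even if the body matches'` would tell them apart.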