Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
Ryan,

On Mon, Jun 8, 2009 at 8:26 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
> 2009/6/8 Andres Riancho <andres.rian...@gmail.com>:
>> Ryan,
>>
>> On Mon, Jun 8, 2009 at 4:50 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>> I have implemented the re and data checker, to compare them both and output as appropriate.
>>
>> That part seems to be ok,
>>
>>> Seems to be working however in KB the request/response windows are incorrect.
>>
>> Could you elaborate more on this?
>
> If you look at the kb info request/response windows after the plugin has run, it shows inaccurate HTTP requests/responses. i.e. the version was found from the regular expression in the index.php header, but the request/response window will show the HTTP request/response for one of the files in the database rather than the correct index.php. I'm finding the above hard to explain, I'll take a screenshot to elaborate more.

Or just tell me a URL where I can run w3af with your plugin enabled, and I'll be able to verify this by myself.

>> Related:
>> - You didn't use the version in the SVN to create the new version, there are some inconsistencies. Please use the SVN version to build from it.
>
> I did use the SVN version.

No you didn't, the SVN version has something like:

    self._version = None

which is a modification I introduced, and you sent a version that has the old:

    self._version = 'None'

Also, please remember to use the correct settings regarding indentation; the plugin you sent on Mon, Jun 8, 2009 at 4:50 PM uses tabs for indentation in some sections, and 4 spaces in some other sections.

>> - It doesn't make sense to check for index.php instead of wp-login.php, the index.php would be a match for almost every web application running PHP. The idea is to check for wp-login.php to be able to be more performant and not request all files in the fingerprint database for every directory in the web application.
>>
>> Cheers,
>
> It does check for wp-login.php rather than index.php.
>
>     # Main scan URL passed from w3af + unique wp file
>     wp_unique_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) + '/wp-login.php'
>     response = self._urlOpener.GET( wp_unique_url, useCache=True )
>
>     # If wp_unique_url is not 404, wordpress = true
>     if not is_404( response ):
>
> Am I missing the point?

No, sorry, I was wrong, I read the plugin code too fast.

Cheers,

> Ryan

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

--
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
___
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] W3AF Proxy tool - dev status
Taras,

On Tue, Jun 9, 2009 at 1:25 AM, Taras <ta...@securityaudit.ru> wrote:
> Andres,
>
>>> * More convenient History navigation and presentation - in progress
>>> (Let's move from hacker's search with SQL syntax to more convenient search by URL in the main text entry + hidden advanced options bar for options (e.g code = 404 and id5) like in Google.)
>>
>> I'm trying to understand this, as far as I can see without reading the code, the advanced part will be like a wizard for the user to create a new search string, right?
>
> 1. There will be no wizards =). See screenshot [0]
> 2. By default advanced search options will be hidden and will be shown after the Advanced button is clicked
> 3. Main search entry will search only by URL - because it is the most common task
>
> [0] http://picasaweb.google.ru/lh/photo/lvLn5jKcrQyG-FzibaH8JA?feat=directlink

Is this feature 100% completed?

> --
> Taras
> Software is like sex: it's better when it's free. - Linus Torvalds

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
2009/6/10 Andres Riancho <andres.rian...@gmail.com>:

Stefano, All,

On Mon, Jun 8, 2009 at 12:36 PM, Stefano Di Paola <wi...@wisec.it> wrote:

Guys,
Sorry for getting into the middle of this thread without knocking...
Inline since I hate bottom posting :)

On Mon, 08/06/2009 at 12.05 -0300, Andres Riancho wrote:

Ryan,

First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just committed it [0] to the trunk with a couple of changes (please review those changes, they are important).

On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that?

I know it is a bit out of scope with the actual implementation of the wordpress_fingerprint plugin, but I just finished reading this interesting post:

Web App Version detection using fingerprinting
http://sucuri.net/?page=docstitle=webapp-version-detection

Also related, and from the same guys:
http://sucuri.net/index.php?page=docstitle=state-wordpress-security

Here he says that the readme.html bears the wordpress version, however this is not always true.
http://sucuri.net/?page=docstitle=wordpress-hardening

Here is what I found:
2.7.1 shows 2.7
2.7 shows 2.7
2.6.5 shows 2.6.1
2.6.3 shows 2.6.1
2.6.2 shows 2.6.1
2.6.1 shows 2.6.1
2.6 shows 2.6
2.5.1 shows 2.5
2.5 shows 2.5
2.3.3 shows 2.3
2.3.2 shows 2.3
2.3.1 shows 2.3
2.3 shows 2.3
2.2.3 shows 2.2

As you can see it is not a reliable source for fingerprinting the wordpress version.

in particular:
2- Wordpress Version Detection
3- Wordpress version fingerprinting - Comparing files
which I think is on topic at least to some extent. It should not be too difficult to add a txt file and check for the existence of those files to get a double check confirmation of the WP version.

Also related, I just tweeted about this [1]

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup
[1] http://twitter.com/w3af

Cheers,

Cheers,

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
2009/6/10 Andres Riancho <andres.rian...@gmail.com>:

Ryan,

On Tue, Jun 9, 2009 at 9:39 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:

2009/6/10 Andres Riancho <andres.rian...@gmail.com>:

Stefano, All,

On Mon, Jun 8, 2009 at 12:36 PM, Stefano Di Paola <wi...@wisec.it> wrote:

Guys,
Sorry for getting into the middle of this thread without knocking...
Inline since I hate bottom posting :)

On Mon, 08/06/2009 at 12.05 -0300, Andres Riancho wrote:

Ryan,

First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just committed it [0] to the trunk with a couple of changes (please review those changes, they are important).

On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that?

I know it is a bit out of scope with the actual implementation of the wordpress_fingerprint plugin, but I just finished reading this interesting post:

Web App Version detection using fingerprinting
http://sucuri.net/?page=docstitle=webapp-version-detection

Also related, and from the same guys:
http://sucuri.net/index.php?page=docstitle=state-wordpress-security

Here he says that the readme.html bears the wordpress version, however this is not always true.
http://sucuri.net/?page=docstitle=wordpress-hardening

Here is what I found:
2.7.1 shows 2.7
2.7 shows 2.7
2.6.5 shows 2.6.1
2.6.3 shows 2.6.1
2.6.2 shows 2.6.1
2.6.1 shows 2.6.1
2.6 shows 2.6
2.5.1 shows 2.5
2.5 shows 2.5
2.3.3 shows 2.3
2.3.2 shows 2.3
2.3.1 shows 2.3
2.3 shows 2.3
2.2.3 shows 2.2

As you can see it is not a reliable source for fingerprinting the wordpress version.

But it's one more source of version information, I think it should be added and properly documented in the same way that you explain in this email.

In the best case scenario, the user would have three information objects in the kb:
- One with the fingerprinted version that says 2.7.1
- One with the readme.html version that says 2.7
- One with the index.php header information that says 2.7.1

If in one case we see something like readme.html==2.6 and fingerprinted version==2.7.1, maybe we can report to the user that this is a 2.6 version that was upgraded to 2.7.1? Just ideas that should be researched a little more and maybe implemented into code.

Cheers,

Aye, I see what you mean. I'll have a look into it over the weekend. I like the way sucuri's information gathering tool finds the wordpress installation path from server errors also.

in particular:
2- Wordpress Version Detection
3- Wordpress version fingerprinting - Comparing files
which I think is on topic at least to some extent. It should not be too difficult to add a txt file and check for the existence of those files to get a double check confirmation of the WP version.

Also related, I just tweeted about this [1]

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup
[1] http://twitter.com/w3af

Cheers,

Cheers,

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
Ryan,

On Tue, Jun 9, 2009 at 9:39 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:

2009/6/10 Andres Riancho <andres.rian...@gmail.com>:

Stefano, All,

On Mon, Jun 8, 2009 at 12:36 PM, Stefano Di Paola <wi...@wisec.it> wrote:

Guys,
Sorry for getting into the middle of this thread without knocking...
Inline since I hate bottom posting :)

On Mon, 08/06/2009 at 12.05 -0300, Andres Riancho wrote:

Ryan,

First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just committed it [0] to the trunk with a couple of changes (please review those changes, they are important).

On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that?

I know it is a bit out of scope with the actual implementation of the wordpress_fingerprint plugin, but I just finished reading this interesting post:

Web App Version detection using fingerprinting
http://sucuri.net/?page=docstitle=webapp-version-detection

Also related, and from the same guys:
http://sucuri.net/index.php?page=docstitle=state-wordpress-security

Here he says that the readme.html bears the wordpress version, however this is not always true.
http://sucuri.net/?page=docstitle=wordpress-hardening

Here is what I found:
2.7.1 shows 2.7
2.7 shows 2.7
2.6.5 shows 2.6.1
2.6.3 shows 2.6.1
2.6.2 shows 2.6.1
2.6.1 shows 2.6.1
2.6 shows 2.6
2.5.1 shows 2.5
2.5 shows 2.5
2.3.3 shows 2.3
2.3.2 shows 2.3
2.3.1 shows 2.3
2.3 shows 2.3
2.2.3 shows 2.2

As you can see it is not a reliable source for fingerprinting the wordpress version.

But it's one more source of version information, I think it should be added and properly documented in the same way that you explain in this email.

In the best case scenario, the user would have three information objects in the kb:
- One with the fingerprinted version that says 2.7.1
- One with the readme.html version that says 2.7
- One with the index.php header information that says 2.7.1

If in one case we see something like readme.html==2.6 and fingerprinted version==2.7.1, maybe we can report to the user that this is a 2.6 version that was upgraded to 2.7.1? Just ideas that should be researched a little more and maybe implemented into code.

Cheers,

in particular:
2- Wordpress Version Detection
3- Wordpress version fingerprinting - Comparing files
which I think is on topic at least to some extent. It should not be too difficult to add a txt file and check for the existence of those files to get a double check confirmation of the WP version.

Also related, I just tweeted about this [1]

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup
[1] http://twitter.com/w3af

Cheers,

Cheers,

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
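The three-source layout proposed in the thread (file fingerprint, readme.html, index.php header) and the "upgraded from 2.6 to 2.7.1" heuristic, together with the earlier complaint that kb entries pointed at the wrong request/response, as an added example that is not w3af's code or the plugin's. It assumes the "index.php header" regular expression targets the generator meta tag, uses the readme.html observations posted above as its expected-value table, and all URLs and HTML are constructed; each version record carries the URL it was extracted from so a kb entry can show the right response.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not w3af or wordpress_fingerprint code): reconcile the three
# WordPress version sources discussed in the thread. Every VersionInfo keeps
# the URL whose response produced it, so the kb can point at that exchange
# instead of at whichever fingerprint file happened to be fetched last.

# The readme.html observations posted in the thread: real version -> what
# readme.html displays. readme.html is imprecise rather than simply wrong.
README_SHOWS = {
    '2.7.1': '2.7', '2.7': '2.7',
    '2.6.5': '2.6.1', '2.6.3': '2.6.1', '2.6.2': '2.6.1', '2.6.1': '2.6.1',
    '2.6': '2.6',
    '2.5.1': '2.5', '2.5': '2.5',
    '2.3.3': '2.3', '2.3.2': '2.3', '2.3.1': '2.3', '2.3': '2.3',
    '2.2.3': '2.2',
}

# Assumption: the "regular expression in the index.php header" matches the
# generator meta tag WordPress emits in the page head.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"',
    re.IGNORECASE)


@dataclass
class VersionInfo:
    source: str    # 'fingerprint', 'readme.html' or 'header'
    version: str
    url: str       # URL of the response this value was extracted from


def version_from_index_html(html: str, url: str) -> Optional[VersionInfo]:
    """Extract the generator-tag version from an index.php body, if present."""
    match = GENERATOR_RE.search(html)
    return VersionInfo('header', match.group(1), url) if match else None


def _key(version: str):
    """Tuple of ints so that '2.10' sorts after '2.9' (string compare would not)."""
    return tuple(int(part) for part in version.split('.'))


def reconcile(infos: List[VersionInfo]) -> Dict[str, object]:
    """Combine the available sources into one verdict plus agreement notes."""
    by_source = {info.source: info for info in infos if info is not None}
    fp = by_source.get('fingerprint')
    readme = by_source.get('readme.html')
    header = by_source.get('header')

    primary = fp or header or readme      # the file fingerprint is the most precise
    if primary is None:
        return {'version': None, 'source': None, 'url': None,
                'confidence': 'none', 'notes': ['no version source available']}

    notes: List[str] = []
    agree = conflict = 0
    if fp and header:
        if header.version == fp.version:
            agree += 1
            notes.append('generator tag agrees with file fingerprint')
        else:
            conflict += 1
            notes.append(f'generator tag says {header.version} but file '
                         f'fingerprint says {fp.version}')
    if fp and readme:
        expected = README_SHOWS.get(fp.version)
        if readme.version == expected:
            agree += 1
            notes.append(f'readme.html shows {readme.version}, as expected for {fp.version}')
        elif _key(readme.version) < _key(fp.version):
            # Old readme.html beside newer files: looks like an in-place upgrade.
            notes.append(f'readme.html shows {readme.version}: install may have been '
                         f'upgraded from {readme.version} to {fp.version}')
        else:
            conflict += 1
            notes.append(f'readme.html shows {readme.version}, newer than '
                         f'fingerprint {fp.version}: inconsistent')

    if conflict:
        confidence = 'low'
    elif fp and agree:
        confidence = 'high'
    elif fp:
        confidence = 'medium'
    else:
        confidence = 'low'          # a single secondary source on its own
    return {'version': primary.version, 'source': primary.source,
            'url': primary.url, 'confidence': confidence, 'notes': notes}


if __name__ == '__main__':
    # Constructed sample: the "best case scenario" from the thread.
    index_html = '<html><head><meta name="generator" content="WordPress 2.7.1" /></head></html>'
    sources = [
        VersionInfo('fingerprint', '2.7.1', 'http://example.test/wp-includes/js/tinymce/tiny_mce.js'),
        VersionInfo('readme.html', '2.7', 'http://example.test/readme.html'),
        version_from_index_html(index_html, 'http://example.test/index.php'),
    ]
    print(reconcile(sources))
```

The verdict's `url` is the one to attach to the kb info object, so the request/response window shows the fingerprinted file when the fingerprint won and index.php when only the generator tag was found; an older readme.html is reported as a likely in-place upgrade rather than as a contradiction.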