w00t w00t!
All tested and working!
Thanks to everyone for their help especially Andres for putting up
with my noobness. I will look into implementing the vulns for each
version and then eventually a wp plugin version finder.
Feedback and suggestions welcome! :-)
2009/6/7 Andres Riancho <andres.rian...@gmail.com>:
> Ryan,
>
> On Sat, Jun 6, 2009 at 10:20 PM, Ryan Dewhurst<ryandewhu...@gmail.com> wrote:
>> I decided to move over to my Linux box for the development of the
>> plugin. One of the reasons I could not get the plugin to run through
>> w3af was that the plugin file name was not the same as the class name.
>
> Ok, makes sense,
>
>> It now runs through w3af with out any errors. The only thing is that
>> the info output is not showing in kb.
>
> Are you saving it to the kb?
>
>> Im using this which I found in another plugin:
>>
>> # Save it to the kb!
>> i = info.info()
>> i.setName('WordPress version')
>> i.setURL( wp_index_url )
>> i.setId( http_response.id )
>> i.setDesc( 'WordPress version "'+ self._version +'" found in the
>> index header.' )
>> kb.kb.append( self, 'WordPress version', i )
>> om.out.information( i.getDesc() )
>
> That seems to be enough to save the version to the kb,
>
>> Attached is the latest version.
>
> I applied some minor changes:
>
> - Changed the name of the plugin to wordpress_plugin, because
> wpvChecker is cryptic to users.
> - The code has some serious errors, that are possibly the reason you
> don't see anything:
>
> ...@brick:~/w3af/w3af/trunk$ pylint
> --rcfile=../extras/misc/pylint.rc /tmp/wordpress_version.py -e
> ************* Module wordpress_version
> E: 98:wordpress_version.discover: Undefined variable 're'
> E:109:wordpress_version.discover: Undefined variable 'http_response'
> E:150:wordpress_version.discover: Undefined variable 'http_response'
>
> Have you tested the plugin? Do you get a big traceback when running it?
>
> - This line in the fingerprint DB:
>
> ('/wp-admin/async-upload.php','200','2.5'),
>
> Doesn't match this line:
>
> if self._wp_fingerprint[1] == 200 and not is_404(response):
>
> '200' and 200 aren't equal in python:
>
> >>> '200' == 200
> False
>
> You should change your database to 200, instead of '200' where necessary.
>
> - One more detail, is that it would be nice to compare the version in
> the HTML header, with the fingerprinted version, and report if they
> differ.
>
> You're on the right path, I think that with these recommendations
> you'll be able to complete the development of your first w3af plugin
> =)
>
> PS: You should answer inline.
>
>> Ryan
>>
>> 2009/6/6 Andres Riancho <andres.rian...@gmail.com>:
>>> Ryan,
>>>
>>> On Sat, Jun 6, 2009 at 6:22 PM, Ryan Dewhurst<ryandewhu...@gmail.com> wrote:
>>>>>Also delete the .pyc file, and no reinstall is needed.
>>>>
>>>> There was none.
>>>>
>>>>> Yes, many.
>>>>> You are missing some required methods, like setOptions, getOptions,
>>>>> getLongDescription, etc. Please see other plugins for a complete list,
>>>>
>>>> They are already in the code:
>>>>
>>>> # W3af options and output
>>>> def getOptions( self ):
>>>> '''
>>>> �...@return: A list of option objects for this plugin.
>>>> '''
>>>> ol = optionList()
>>>> return ol
>>>>
>>>> def setOptions( self, OptionList ):
>>>> '''
>>>> This method sets all the options that are configured using the
>>>> user interface
>>>> generated by the framework using the result of getOptions().
>>>>
>>>> �...@parameter OptionList: A dictionary with the options for the
>>>> plugin.
>>>> �...@return: No value is returned.
>>>> '''
>>>> pass
>>>>
>>>> def getPluginDeps( self ):
>>>> '''
>>>> �...@return: A list with the names of the plugins that should be
>>>> runned before the
>>>> current one.
>>>> '''
>>>> return []
>>>>
>>>> def getLongDesc( self ):
>>>> '''
>>>> �...@return: A DETAILED description of the plugin functions and
>>>> features.
>>>> '''
>>>> return '''
>>>> This plugin searches for client side differences between
>>>> different versions of WordPress.
>>>> '''
>>>
>>> Then try to run w3af from a console:
>>>
>>> in cmd.exe run python w3af_console.py
>>>
>>>>
>>>> 2009/6/6 Andres Riancho <andres.rian...@gmail.com>:
>>>>> Ryan,
>>>>>
>>>>> On Sat, Jun 6, 2009 at 1:57 PM, Ryan Dewhurst <ryandewhu...@gmail.com>
>>>>> wrote:
>>>>>> I moved the wpvchecker.py file into the /plugin/discovery folder. When
>>>>>> I try to launch w3af I get an error (screenshot attached), the prompt
>>>>>> only lasts a few seconds so could not copy/paste the full error
>>>>>> output.
>>>>>>
>>>>>> When I remove the wpvchecker.py file out of the dir the error persists
>>>>>> and I have to un/re install w3af to get it working again.
>>>>>
>>>>> Also delete the .pyc file, and no reinstall is needed.
>>>>>
>>>>>> Any ideas?
>>>>>
>>>>> Yes, many.
>>>>> You are missing some required methods, like setOptions, getOptions,
>>>>> getLongDescription, etc. Please see other plugins for a complete list,
>>>>>
>>>>>> Thanks again,
>>>>>> Ryan
>>>>>>
>>>>>> 2009/6/6 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>> Ryan,
>>>>>>>
>>>>>>> On Sat, Jun 6, 2009 at 10:59 AM, Ryan Dewhurst <ryandewhu...@gmail.com>
>>>>>>> wrote:
>>>>>>>> Hello,
>>>>>>>> Sorry its been so long with the wrodpress version checker plugin, had
>>>>>>>> some life problems.
>>>>>>>
>>>>>>> No problem man, I hope things are going better now.
>>>>>>>
>>>>>>>> Anyway...
>>>>>>>>
>>>>>>>> I have come to a logic problem which I cannot seem to solve and was
>>>>>>>> wondering if any one could give me some pointers...
>>>>>>>>
>>>>>>>> Versions '2.5', '2.3.1, 2.3.2 or 2.3.3' and '2.2' are detected by a
>>>>>>>> file/image being present i.e status 200
>>>>>>>>
>>>>>>>> I cannot figure out how to check for this while using the
>>>>>>>> self._wp_fingerprint array.
>>>>>>>
>>>>>>> The for loop that works with the array looks like this:
>>>>>>>
>>>>>>> for data in self._wp_fingerprint:
>>>>>>>
>>>>>>> # Complete URL to test, url+file
>>>>>>> test_URL = urlParser.urlJoin( base_url,
>>>>>>> self._wp_fingerprint[0] )
>>>>>>>
>>>>>>> if self._wp_fingerprint[1] in response:
>>>>>>> version = self._wp_fingerprint[2]
>>>>>>> break
>>>>>>> else:
>>>>>>> version = 'Version lower than 2.2'
>>>>>>>
>>>>>>> But there are some parts missing, like actually requesting to the
>>>>>>> server the test_URL. On the other part, the "200" logic could be
>>>>>>> easily done like this:
>>>>>>>
>>>>>>> if self._wp_fingerprint[1] == 200 and not
>>>>>>> is_404(response):
>>>>>>> # it was found!
>>>>>>> elif self._wp_fingerprint[1] in response:
>>>>>>> version = self._wp_fingerprint[2]
>>>>>>> break
>>>>>>> else:
>>>>>>> version = 'Version lower than 2.2'
>>>>>>>
>>>>>>> To make this work, you should change the '' in the fingerprint array
>>>>>>> by a 200, and it should all work.
>>>>>>>
>>>>>>>> Here is the code so far, I have not yet tested it out, but should give
>>>>>>>> you a basic idea of how it will run.
>>>>>>>
>>>>>>> Yes, and it makes much more sense to me this way. The older version
>>>>>>> was "ugly" :)
>>>>>>>
>>>>>>>> I was also thinking of
>>>>>>>> implementing a plugin version checker as there are many plugins with
>>>>>>>> vulns.
>>>>>>>
>>>>>>> Sure, but lets go step by step, lets finish this plugin, test it a
>>>>>>> little bit, and then we can go for the next one.
>>>>>>>
>>>>>>>> Thank you,
>>>>>>>> Ryan
>>>>>>>>
>>>>>>>> P.S. To test it through w3af, do I just pop the py file into the
>>>>>>>> plugin folder or is there any other code to be changed?
>>>>>>>
>>>>>>> Yes, you have to move this file to the discovery directory and that's
>>>>>>> it.
>>>>>>>
>>>>>>>> 2009/5/31 Ryan Dewhurst <ryandewhu...@gmail.com>:
>>>>>>>>> Just to let everyone know where I am with the plugin.
>>>>>>>>>
>>>>>>>>> I'm a complete n00b at re and couldnt get backbone's code to work, so
>>>>>>>>> I read a couple of manuals and finally got it working with:
>>>>>>>>> <meta name="generator" content="[Ww]ord[Pp]ress (\d\.\d\.?\d?)" />
>>>>>>>>>
>>>>>>>>> An explanation of what the plugin will do:
>>>>>>>>> -----------------------------------------------------------
>>>>>>>>>
>>>>>>>>> It will first check to see if the server has the following file
>>>>>>>>> "/wp-admin/index.php".
>>>>>>>>>
>>>>>>>>> If it does
>>>>>>>>>
>>>>>>>>> It will check to see whether or not the version is in the index
>>>>>>>>> header.
>>>>>>>>>
>>>>>>>>> If it finds the version it will store it in a variable.
>>>>>>>>>
>>>>>>>>> It will then run through the checks from my original code to try and
>>>>>>>>> guess the version.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The output will be as follows:
>>>>>>>>> ------------------------------------------
>>>>>>>>>
>>>>>>>>> If the version is not in the index and not found with the data =
>>>>>>>>> "version under 2.2"
>>>>>>>>> If the version is in the index and in the data are the same =
>>>>>>>>> "whatever version was found"
>>>>>>>>> If the version is in the index and in the data are different =
>>>>>>>>> ""Version shows as $version in index header however the data shows
>>>>>>>>> $version"
>>>>>>>>>
>>>>>>>>> I still need to implement the data checks however my girlfriend has
>>>>>>>>> fallen ill and has been admitted to hospital for an emergency
>>>>>>>>> operation. I don't think I will be able to finish the plugin this
>>>>>>>>> weekend as promised earlier however will still be working on it next
>>>>>>>>> week.
>>>>>>>>>
>>>>>>>>> I was also thinking on listing the vulnerabilitys for each version (if
>>>>>>>>> any) on the output.
>>>>>>>>>
>>>>>>>>> Ryan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2009/5/29 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>>>>> Ryan,
>>>>>>>>>>
>>>>>>>>>> On Thu, May 28, 2009 at 10:11 PM, Ryan Dewhurst
>>>>>>>>>> <ryandewhu...@gmail.com> wrote:
>>>>>>>>>>> Im loooking into searching the response html of the index page for
>>>>>>>>>>> the
>>>>>>>>>>> following string:
>>>>>>>>>>> <meta name="generator" content="WordPress $version" />
>>>>>>>>>>>
>>>>>>>>>>> Ive tried with regular expressions and am unable to get it to work,
>>>>>>>>>>
>>>>>>>>>> backbone sent you a solution,
>>>>>>>>>>
>>>>>>>>>>> Ive read that re is bad for parsing HTML and that BeautifulSoup
>>>>>>>>>>> should be used.
>>>>>>>>>>>
>>>>>>>>>>> Does w3af already have BeautifulSoup in its dependency list?
>>>>>>>>>>
>>>>>>>>>> Yes, it's in the dependency list, but we aren't using it "for that".
>>>>>>>>>> Long story short, please use the re =)
>>>>>>>>>>
>>>>>>>>>>> Ryan
>>>>>>>>>>>
>>>>>>>>>>> P.S. Thanks for the advice backbone46, I'll have a look into that
>>>>>>>>>>> once
>>>>>>>>>>> Ive sorted this out.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2009/5/28 <backbon...@gmail.com>:
>>>>>>>>>>>> Sorry to bump in just like that in the discussion, about the meta
>>>>>>>>>>>> tag that
>>>>>>>>>>>> displays
>>>>>>>>>>>> the WordPress version.
>>>>>>>>>>>>
>>>>>>>>>>>> Only since version 2.7 the generator function is in the core of
>>>>>>>>>>>> WordPress,
>>>>>>>>>>>> on
>>>>>>>>>>>> earlier versions it was only in the theme.
>>>>>>>>>>>>
>>>>>>>>>>>> Just wanted to mention that. :)
>>>>>>>>>>>>
>>>>>>>>>>>> ---
>>>>>>>>>>>> http://insanesecurity.info
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, May 28, 2009 at 10:53 PM, Ryan Dewhurst
>>>>>>>>>>>> <ryandewhu...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, I dont see why not. Should be easy enough tro implement.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You mentioned during our email conversation that wordpress echos
>>>>>>>>>>>>> its
>>>>>>>>>>>>> version number in the page head. I managed to find an example of
>>>>>>>>>>>>> it.
>>>>>>>>>>>>> Your right I do have a security plugin installed which must have
>>>>>>>>>>>>> removed it from my blog.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is an example:
>>>>>>>>>>>>> <meta name="generator" content="WordPress 2.7.1" />
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>>>>>>>> > Ryan,
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > On Wed, May 27, 2009 at 10:18 PM, Andres Riancho
>>>>>>>>>>>>> > <andres.rian...@gmail.com> wrote:
>>>>>>>>>>>>> >> Ryan,
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst
>>>>>>>>>>>>> >> <ryandewhu...@gmail.com>
>>>>>>>>>>>>> >> wrote:
>>>>>>>>>>>>> >>> Hello,
>>>>>>>>>>>>> >>> Im new to mailing lists so im not sure if this will be sent
>>>>>>>>>>>>> >>> there.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> It depends on the mailing list. This one is configured to
>>>>>>>>>>>>> >> accept
>>>>>>>>>>>>> >> attachments,
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>> I'll have a look into intergrating the script into w3af over
>>>>>>>>>>>>> >>> the next
>>>>>>>>>>>>> >>> couple of days and hopefully have a working version by the
>>>>>>>>>>>>> >>> weekend.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Excellent, if you need ANY help, just let us know.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>> The script is quite simple once you have the gathered the
>>>>>>>>>>>>> >>> nesesary
>>>>>>>>>>>>> >>> data. I went through versions 2.2 to 2.7.1 and manually found
>>>>>>>>>>>>> >>> client
>>>>>>>>>>>>> >>> side differences in most of them, I also used the official
>>>>>>>>>>>>> >>> changelogs
>>>>>>>>>>>>> >>> to help identify them.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Ohhh, you are the guy that wrote that blog post with the
>>>>>>>>>>>>> >> "diffs" of
>>>>>>>>>>>>> >> different wordpress release packages?
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>> The client side differences are in files such as CSS,
>>>>>>>>>>>>> >>> javascript and
>>>>>>>>>>>>> >>> HTML. Some versions did not have any differences apart from
>>>>>>>>>>>>> >>> having
>>>>>>>>>>>>> >>> extra files, which can easliy be identified with HTTP
>>>>>>>>>>>>> >>> response codes.
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>> It works as such...
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>> Starting from version 2.7.1 (latest), the script tries to find
>>>>>>>>>>>>> >>> something that 2.7 doesnt have, if it finds that something
>>>>>>>>>>>>> >>> then the
>>>>>>>>>>>>> >>> script stops and echos the version number.
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>> If the script doesnt find the difference it moves onto
>>>>>>>>>>>>> >>> identifying the
>>>>>>>>>>>>> >>> next version, i.e. does 2.7 have something the earlier
>>>>>>>>>>>>> >>> version doesnt
>>>>>>>>>>>>> >>> have. and so on and so forth.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Ok, makes sense.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> Some comments regarding your code:
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> - w3af uses PEP-8, with among other things says 4-spaces for
>>>>>>>>>>>>> >> indentations. Your code has 1-space (?) indentations. Please
>>>>>>>>>>>>> >> correct
>>>>>>>>>>>>> >> that.
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> - The code is pretty simple, but i think it could be done in a
>>>>>>>>>>>>> >> better
>>>>>>>>>>>>> >> way. Having that many functions (wp22 to wp271) doesn't seem
>>>>>>>>>>>>> >> to be a
>>>>>>>>>>>>> >> good option. Do you think that the code could be changed a
>>>>>>>>>>>>> >> little bit,
>>>>>>>>>>>>> >> and create a database (which can be easily updated) and then
>>>>>>>>>>>>> >> use that
>>>>>>>>>>>>> >> database to store the information? Example of the databse
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> self._wp_fingerprint =
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> [('/wp-includes/js/thickbox/thickbox.css','-ms-filter:'),('/wp-admin/css/farbtastic.css',
>>>>>>>>>>>>> >> 'farbtastic')]
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> - Also, by default wordpress publishes the version number in
>>>>>>>>>>>>> >> every
>>>>>>>>>>>>> >> page head. Maybe it would be a good idea to parse that, and
>>>>>>>>>>>>> >> compare it
>>>>>>>>>>>>> >> with the result of the fingerprinting. What do you think?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > A good idea would be to have a first step, before all the
>>>>>>>>>>>>> > version
>>>>>>>>>>>>> > specific checks, that verifies something that's true for all
>>>>>>>>>>>>> > wordpress
>>>>>>>>>>>>> > installations (some X file has to be present) before even
>>>>>>>>>>>>> > starting the
>>>>>>>>>>>>> > fingerprinting. Could this be done?
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >> Cheers,
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>> Ryan
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>>>>>>>> >>>> Ryan,
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst
>>>>>>>>>>>>> >>>> <ryandewhu...@gmail.com> wrote:
>>>>>>>>>>>>> >>>>> Hello,
>>>>>>>>>>>>> >>>>> I have developed a python script that can detect the
>>>>>>>>>>>>> >>>>> version of a
>>>>>>>>>>>>> >>>>> wordpress installation. I think it would fit well within
>>>>>>>>>>>>> >>>>> w3af,
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> Yes, it seems that it's something good to have in the
>>>>>>>>>>>>> >>>> framework.
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> I have like a ton of questions about how it works, could you
>>>>>>>>>>>>> >>>> please
>>>>>>>>>>>>> >>>> send the script (as it is) to this mailing list for us to
>>>>>>>>>>>>> >>>> read it?
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>> the
>>>>>>>>>>>>> >>>>> only problem being is that I have been unable to find a
>>>>>>>>>>>>> >>>>> plugin
>>>>>>>>>>>>> >>>>> development manual to be able to implement my script.
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> There is no development manual :(
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> For the type of feature that you want to add, the correct
>>>>>>>>>>>>> >>>> thing is to
>>>>>>>>>>>>> >>>> use a discovery plugin. discovery plugins are simple, they
>>>>>>>>>>>>> >>>> follow
>>>>>>>>>>>>> >>>> these rules:
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> - the entry point is the discover method
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> - the discover method takes a fuzzable request object as a
>>>>>>>>>>>>> >>>> parameter,
>>>>>>>>>>>>> >>>> and returns a list of fuzzable requests
>>>>>>>>>>>>> >>>> (fuzzable requests are representations of GET/POST requests,
>>>>>>>>>>>>> >>>> which
>>>>>>>>>>>>> >>>> represent links, and forms)
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> - the discover method is called several times in the same
>>>>>>>>>>>>> >>>> scan, with
>>>>>>>>>>>>> >>>> the different links that (for example) the webSpider finds.
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> I think that the best thing you can do is to read one or two
>>>>>>>>>>>>> >>>> discovery
>>>>>>>>>>>>> >>>> plugins (my recommendations are discovery.crossDomain and
>>>>>>>>>>>>> >>>> discovery.userDir), and start building your own plugin based
>>>>>>>>>>>>> >>>> on one
>>>>>>>>>>>>> >>>> of
>>>>>>>>>>>>> >>>> those.
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>> Is there a dev manual out there?
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> No
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>> Does any one have some tips/advice on writting a plugin?
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> Yes, see above,
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>> Does any one want me to send them the script for them to
>>>>>>>>>>>>> >>>>> develop the
>>>>>>>>>>>>> >>>>> plugin?
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> You should develop the plugin yourself, is fun and good for
>>>>>>>>>>>>> >>>> the
>>>>>>>>>>>>> >>>> project =)
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> Cheers,
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>> Thank you,
>>>>>>>>>>>>> >>>>> Ryan
>>>>>>>>>>>>> >>>>>
>>>>>>>>>>>>> >>>>>
>>>>>>>>>>>>> >>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>> >>>>> Register Now for Creativity and Technology (CaT), June 3rd,
>>>>>>>>>>>>> >>>>> NYC. CaT
>>>>>>>>>>>>> >>>>> is a gathering of tech-side developers & brand creativity
>>>>>>>>>>>>> >>>>> professionals. Meet
>>>>>>>>>>>>> >>>>> the minds behind Google Creative Lab, Visual Complexity,
>>>>>>>>>>>>> >>>>> Processing,
>>>>>>>>>>>>> >>>>> &
>>>>>>>>>>>>> >>>>> iPhoneDevCamp as they present alongside digital
>>>>>>>>>>>>> >>>>> heavyweights like
>>>>>>>>>>>>> >>>>> Barbarian
>>>>>>>>>>>>> >>>>> Group, R/GA, & Big Spaceship.
>>>>>>>>>>>>> >>>>> http://p.sf.net/sfu/creativitycat-com
>>>>>>>>>>>>> >>>>> _______________________________________________
>>>>>>>>>>>>> >>>>> W3af-develop mailing list
>>>>>>>>>>>>> >>>>> W3af-develop@lists.sourceforge.net
>>>>>>>>>>>>> >>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>> >>>>>
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>> --
>>>>>>>>>>>>> >>>> Andrés Riancho
>>>>>>>>>>>>> >>>> Founder, Bonsai - Information Security
>>>>>>>>>>>>> >>>> http://www.bonsai-sec.com/
>>>>>>>>>>>>> >>>> http://w3af.sf.net/
>>>>>>>>>>>>> >>>>
>>>>>>>>>>>>> >>>
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >> --
>>>>>>>>>>>>> >> Andrés Riancho
>>>>>>>>>>>>> >> Founder, Bonsai - Information Security
>>>>>>>>>>>>> >> http://www.bonsai-sec.com/
>>>>>>>>>>>>> >> http://w3af.sf.net/
>>>>>>>>>>>>> >>
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> >
>>>>>>>>>>>>> > --
>>>>>>>>>>>>> > Andrés Riancho
>>>>>>>>>>>>> > Founder, Bonsai - Information Security
>>>>>>>>>>>>> > http://www.bonsai-sec.com/
>>>>>>>>>>>>> > http://w3af.sf.net/
>>>>>>>>>>>>> >
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>> Register Now for Creativity and Technology (CaT), June 3rd, NYC.
>>>>>>>>>>>>> CaT
>>>>>>>>>>>>> is a gathering of tech-side developers & brand creativity
>>>>>>>>>>>>> professionals.
>>>>>>>>>>>>> Meet
>>>>>>>>>>>>> the minds behind Google Creative Lab, Visual Complexity,
>>>>>>>>>>>>> Processing, &
>>>>>>>>>>>>> iPhoneDevCamp as they present alongside digital heavyweights like
>>>>>>>>>>>>> Barbarian
>>>>>>>>>>>>> Group, R/GA, & Big Spaceship.
>>>>>>>>>>>>> http://p.sf.net/sfu/creativitycat-com
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>> W3af-develop@lists.sourceforge.net
>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Andrés Riancho
>>>>>>>>>> Founder, Bonsai - Information Security
>>>>>>>>>> http://www.bonsai-sec.com/
>>>>>>>>>> http://w3af.sf.net/
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Founder, Bonsai - Information Security
>>>>>>> http://www.bonsai-sec.com/
>>>>>>> http://w3af.sf.net/
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Founder, Bonsai - Information Security
>>>>> http://www.bonsai-sec.com/
>>>>> http://w3af.sf.net/
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Founder, Bonsai - Information Security
>>> http://www.bonsai-sec.com/
>>> http://w3af.sf.net/
>>>
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
'''
wordpress_plugin.py
Copyright 2006 Andres Riancho
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
import core.controllers.outputManager as om
# Import options
import re
from core.data.options.option import option
from core.data.options.optionList import optionList
from core.controllers.basePlugin.baseDiscoveryPlugin import baseDiscoveryPlugin
import core.data.kb.knowledgeBase as kb
import core.data.kb.vuln as vuln
import core.data.kb.info as info
import core.data.constants.severity as severity
import core.data.parsers.urlParser as urlParser
from core.controllers.w3afException import w3afException, w3afRunOnce
# Main class
class wordpress_plugin(baseDiscoveryPlugin):
'''
Finds the version of a WordPress installation.
@author: Ryan Dewhurst ( ryandewhu...@gmail.com ) www.ethicalhack3r.co.uk
'''
def __init__(self):
baseDiscoveryPlugin.__init__(self)
# Internal variables
self._exec = True
self._version = 'None'
def discover(self, fuzzableRequest ):
'''
Finds the version of a WordPress installation.
@parameter fuzzableRequest: A fuzzableRequest instance that contains
(among other things) the URL to test.
'''
dirs = []
if not self._exec :
# This will remove the plugin from the discovery plugins to be runned.
raise w3afRunOnce()
else:
# Only run once
self._exec = False
#########################
## Check if the server is running wp ##
#########################
# 404 error messages
is_404 = kb.kb.getData( 'error404page', '404' )
self._fuzzableRequests = []
# Main scan URL passed from w3af
base_url = urlParser.baseUrl( fuzzableRequest.getURL() )
wp_unique_url = urlParser.urlJoin( base_url , '/wp-login.php' )
response = self._urlOpener.GET( wp_unique_url, useCache=True )
# If wp_unique_url is not 404, wordpress = true
if not is_404( response ):
dirs.extend( self._createFuzzableRequests( response ) )
##############################
## Check if the wp version is in index header ##
##############################
# Main scan URL passed from w3af
base_url = urlParser.baseUrl( fuzzableRequest.getURL() )
wp_index_url = urlParser.urlJoin( base_url , '/index.php' )
response = self._urlOpener.GET( base_url, useCache=True )
# Find the string in the response html
find = '<meta name="generator" content="[Ww]ord[Pp]ress (\d\.\d\.?\d?)" />'
m = re.search(find, response.getBody())
# If string found, group version
if m:
m = m.group(1)
self._version = m
# Save it to the kb!
i = info.info()
i.setName('WordPress version')
i.setURL( wp_index_url )
i.setId( response.id )
i.setDesc( 'WordPress version "'+ self._version +'" found in the index header.' )
kb.kb.append( self, 'info', i )
om.out.information( i.getDesc() )
#########################
## Find wordpress version from data ##
#########################
# Wordpress version unique data, file/data/version
self._wp_fingerprint = [['/wp-includes/js/thickbox/thickbox.css','-ms-filter:','2.7.1'],
['/wp-admin/css/farbtastic.css','farbtastic','2.7'],
['/wp-includes/js/tinymce/wordpress.css','-khtml-border-radius:','2.6.1, 2.6.2, 2.6.3 or 2.6.5'],
['/wp-includes/js/tinymce/tiny_mce.js','0.7','2.5.1'],
['/wp-admin/async-upload.php',200,'2.5'],
['/wp-includes/images/rss.png',200,'2.3.1, 2.3.2 or 2.3.3'],
['/readme.html','2.3','2.3'],
['/wp-includes/rtl.css','#adminmenu a','2.2.3'],
['/wp-includes/js/wp-ajax.js','var a = $H();','2.2.1'],
['/wp-app.php',200,'2.2']]
for row in self._wp_fingerprint:
target_domain = urlParser.baseUrl( fuzzableRequest.getURL() )
test_URL = target_domain + row[0]
response = self._urlOpener.GET( test_URL, useCache=True )
if row[1] == 200 and not is_404(response):
self._version = row[2]
break
elif row[1] in response:
self._version = row[2]
break
else:
self._version = 'lower than 2.2'
# Save it to the kb!
i = info.info()
i.setName('WordPress version')
i.setURL( test_URL )
i.setId( response.id )
i.setDesc( 'WordPress version "'+ self._version +'" found from data.' )
kb.kb.append( self, 'info', i )
om.out.information( i.getDesc() )
return self._version
# W3af options and output
def getOptions( self ):
'''
@return: A list of option objects for this plugin.
'''
ol = optionList()
return ol
def setOptions( self, OptionList ):
'''
This method sets all the options that are configured using the user interface
generated by the framework using the result of getOptions().
@parameter OptionList: A dictionary with the options for the plugin.
@return: No value is returned.
'''
pass
def getPluginDeps( self ):
'''
@return: A list with the names of the plugins that should be runned before the
current one.
'''
return []
def getLongDesc( self ):
'''
@return: A DETAILED description of the plugin functions and features.
'''
return '''
This plugin finds the version of a WordPress installation.
It first check whether or not the version is in the index header and then it checks for the version through client side differences.
'''
------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises
looking to deploy the next generation of Solaris that includes the latest
innovations from Sun and the OpenSource community. Download a copy and
enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
