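class wplisting:
    """Probe the stock WordPress directories for enabled directory listing.

    A directory is reported only when the target answers 200 on the exact URL
    asked for (no redirect) and the body looks like a web-server autoindex
    page; a plain 200 is not enough, since many installs serve a custom
    index or an empty page for these paths.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Directories WordPress ships that are commonly left with autoindex on.
    paths = [
        '/wp-admin',
        '/wp-includes',
        '/wp-content/uploads',
        '/wp-content/plugins',
        '/wp-content/themes',
    ]

    # Title text emitted by the usual autoindex modules (Apache, nginx,
    # lighttpd use "Index of"; IIS uses "Directory Listing"). Extend if the
    # target runs something else -- a miss here means a false negative.
    _listing_marker = re.compile(r'Index of|Directory Listing', re.IGNORECASE)

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Request every entry of ``paths`` and print those exposing a listing."""
        for path in wplisting.paths:
            url = wplisting.chk.path(self.url, path)
            # One failing request (timeout, reset) must not abort the remaining
            # probes, so the handler sits inside the loop and reports instead
            # of silently swallowing the error.
            try:
                resp = self.req.send(url, c=self.cookie)
            except Exception as e:
                wplisting.out.warning('{}: {}'.format(url, e))
                continue
            if resp.status_code != 200 or resp.url != url:
                continue
            # Use the public .content accessor; the private _content of a
            # requests-style response is False until the body has been read.
            body = resp.content
            if body and wplisting._listing_marker.search(body):
                wplisting.out.plus(
                    'Dir {} listing enabled under: {}'.format(path, resp.url))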
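class wplogin:
    """Report whether /wp-login.php is openly reachable or shielded.

    A direct 200 on the login page means no extra control is visible; a
    404 (page hidden/renamed) or a 401/403 (HTTP auth, IP allow-list or
    WAF block) means some protection sits in front of it.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Fetch the login page once and print the verdict."""
        url = wplogin.chk.path(self.url, '/wp-login.php')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wplogin.out.warning('{}: {}'.format(url, e))
            return
        # A redirect away from the login URL is neither verdict; it stays
        # unreported, as in the original logic.
        if resp.url != url:
            return
        if resp.status_code == 200:
            # NOTE(review): a 200 can also be a WAF/captcha challenge page
            # rather than the real form; the body is not inspected here.
            wplogin.out.plus(
                'wp-login not detect protection under: {}'.format(resp.url))
        elif resp.status_code in (401, 403, 404):
            # 404: the page was hidden or renamed. 401/403: an access control
            # answers before WordPress does -- the original only counted 404.
            wplogin.out.plus(
                'wp-login detect protection under: {}'.format(resp.url))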
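class wpconfig:
    """Detect a wp-config.php that is served as source instead of executed.

    When PHP handles the file the response carries no source at all; seeing
    a ``define(`` call in the body means the configuration (database
    credentials, auth salts) is readable by anyone.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # The original pattern r'\S+define(\S+,*)' required a non-space character
    # immediately before "define", which a line-leading define( never has, so
    # it missed the exact file it was written for. Match the call itself.
    _php_define = re.compile(r'\bdefine\s*\(')

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Fetch /wp-config.php and report it when PHP source is visible."""
        url = wpconfig.chk.path(self.url, '/wp-config.php')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wpconfig.out.warning('{}: {}'.format(url, e))
            return
        if resp.status_code != 200 or resp.url != url:
            return
        body = resp.content
        if not body or not wpconfig._php_define.search(body):
            return
        wpconfig.out.plus('wp-config available under: {}'.format(resp.url))
        # NOTE(review): wpbk() is not defined in this class as shown. The
        # original swallowed the resulting AttributeError together with every
        # other error; keep it best-effort but make the failure visible.
        try:
            self.wpbk()
        except Exception as e:
            wpconfig.out.warning('wpbk failed: {}'.format(e))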
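class wpfile:
    """Look for well-known leftover/sensitive files listed in a wordlist."""
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Relative to the working directory the tool is started from.
    wordlist = 'db/common_file.txt'

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Request every path in the wordlist and print those answering 200.

        Raises IOError (the original did too) when the wordlist is missing:
        that is a setup error, not a best-effort probe.
        """
        # Close the handle deterministically; strip CR/LF and drop blank
        # lines -- a blank entry would request the site root and be reported
        # as a "found" file.
        with open(wpfile.wordlist, 'r') as db:
            names = [line.strip() for line in db if line.strip()]
        for name in names:
            url = wpfile.chk.path(self.url, name)
            # Per-request handler: one timeout must not end the whole sweep.
            try:
                resp = self.req.send(url, c=self.cookie)
            except Exception as e:
                wpfile.out.warning('{}: {}'.format(url, e))
                continue
            if resp.status_code == 200 and resp.url == url and resp.content:
                wpfile.out.plus('Found {} file under: {}'.format(name, resp.url))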
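class wprobots:
    """Fetch /robots.txt, record its URL on ``result`` and echo its content."""
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # C0 control characters other than TAB/LF/CR, plus DEL. robots.txt is
    # target-controlled text written straight to the operator's terminal, so
    # escape sequences (title/cursor tricks, hidden text) are dropped first.
    _control_chars = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Print robots.txt when it is served directly with a 200."""
        url = wprobots.chk.path(self.url, '/robots.txt')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wprobots.out.warning('{}: {}'.format(url, e))
            return
        if resp.status_code != 200 or resp.url != url:
            return
        body = resp.content
        if body is None:
            return
        self.result.robots = resp.url
        wprobots.out.plus('Robots available under: {}'.format(resp.url))
        print("-------------------------\r\n{}\n-------------------------".format(
            wprobots._control_chars.sub('', body)))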
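class wpversion:
    """Fingerprint the WordPress core version from the places it leaks.

    The original chained five probes with nested try/except, so a later
    source was consulted only when an *exception* occurred -- a 200 whose
    body simply lacked the version (e.g. stripped by a hardening plugin)
    ended the search with nothing. Here the sources are tried in order until
    one yields a match.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # (path, regex) pairs, most reliable first. Regexes are the original ones.
    # NOTE(review): 'readme.html' has no leading slash unlike the other
    # paths; kept as-is because chk.path's joining rule is not visible here.
    sources = [
        ('/wp-links-opml.php', r'\S+WordPress/(\d+.\d+[.\d+]*)'),
        ('/feed', r'\S+?v=(\d+.\d+[.\d+]*)'),
        ('/feed/atom',
         r'<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"'),
        ('readme.html',
         r'.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>'),
        ('', r'<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"'),
    ]

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.agent = agent
        self.cookie = cookie
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Print the first version found and hand it to dbwpscan()."""
        for path, pattern in wpversion.sources:
            version = self._probe(path, pattern)
            if not version:
                continue
            wpversion.out.plus('Running WordPress version: {}'.format(version))
            # NOTE(review): dbwpscan() is not defined in this class as shown;
            # its failure was silently swallowed before, report it instead.
            try:
                self.dbwpscan(version)
            except Exception as e:
                wpversion.out.warning('dbwpscan failed: {}'.format(e))
            return

    def _probe(self, path, pattern):
        """Return the version string matched at ``path``, or None."""
        url = wpversion.chk.path(self.url, path)
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wpversion.out.warning('{}: {}'.format(url, e))
            return None
        if resp.status_code != 200 or not resp.content:
            return None
        found = re.findall(pattern, resp.content)
        return found[0] if found else None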
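class wpplugin:
    """Passively enumerate plugins from /wp-content/plugins/<name>/ references.

    Only the home page is fetched; every distinct plugin slug referenced in
    its HTML is then run through the per-plugin checks.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    _plugin_ref = re.compile(r'/wp-content/plugins/(.+?)/')

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.agent = agent
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Fetch the home page, collect plugin slugs and inspect each one."""
        wpplugin.out.test('Passive enumerate plugins..')
        self.result.plugins = []
        url = wpplugin.chk.path(self.url, '')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wpplugin.out.warning('{}: {}'.format(url, e))
            return
        names = self._unique(wpplugin._plugin_ref.findall(resp.content))
        if not names:
            wpplugin.out.warning('Not found plugins..')
            return
        # The original duplicated the whole per-plugin sequence for the
        # one-plugin and many-plugin cases; a single loop covers both.
        for name in names:
            try:
                self._inspect(name)
            except Exception as e:
                wpplugin.out.warning('{}: {}'.format(name, e))

    @staticmethod
    def _unique(names):
        """Order-preserving de-duplication; first occurrence wins."""
        seen = set()
        unique = []
        for name in names:
            if name not in seen:
                seen.add(name)
                unique.append(name)
        return unique

    def _inspect(self, name):
        """Run every per-plugin check for ``name`` and record the findings."""
        wpplugin.out.plus('Name: {}'.format(name))
        info = type('', (), {})()
        info.name = name
        # NOTE(review): the check methods below are not defined in this class
        # as shown; they are invoked exactly as the original did.
        self.changelog(name, info)
        self.fullpathdisc(name)
        self.license(name)
        self.listing(name)
        self.readme(name, info)
        self.dbwpscan(name, info)
        self.result.plugins.append(vars(info))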
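class wptheme:
    """Passively enumerate themes from /wp-content/themes/<name>/ references.

    The original's "Not found themes.." branch was ``elif themes == None``,
    which can never be true for a list built by findall, so an empty result
    printed nothing. It is now the plain ``else`` case.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    _theme_ref = re.compile(r'/wp-content/themes/(.+?)/')

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.agent = agent
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Fetch the home page, collect theme slugs and inspect each one."""
        wptheme.out.test('Passive enumerate themes..')
        url = wptheme.chk.path(self.url, '')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wptheme.out.warning('{}: {}'.format(url, e))
            return
        names = self._unique(wptheme._theme_ref.findall(resp.content))
        if not names:
            wptheme.out.warning('Not found themes..')
            return
        for name in names:
            # The original printed the bare exception; keep the failure
            # visible but carry on with the remaining themes.
            try:
                self._inspect(name)
            except Exception as e:
                wptheme.out.warning('{}: {}'.format(name, e))

    @staticmethod
    def _unique(names):
        """Order-preserving de-duplication; first occurrence wins."""
        seen = set()
        unique = []
        for name in names:
            if name not in seen:
                seen.add(name)
                unique.append(name)
        return unique

    def _inspect(self, name):
        """Run every per-theme check for ``name``."""
        wptheme.out.plus('Name: {}'.format(name))
        # NOTE(review): the check methods below are not defined in this class
        # as shown; they are invoked exactly as the original did.
        self.info(name)
        self.style(name)
        self.changelog(name)
        self.fullpathdisc(name)
        self.license(name)
        self.listing(name)
        self.readme(name)
        self.dbwpscan(name)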
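class wpusers:
    """Enumerate user logins via the REST users endpoint and ?author=N.

    Fixes in this version: the classic-enumeration loop compared ``i[0]``
    (the first character of a login) against the list and always appended
    ``author[0]``; the printed "ID" is now the real WordPress user id rather
    than a list index; and the collected logins are actually stored on
    ``result.users`` and printed, which the original never did.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Author ids probed with /?author=N. WordPress assigns ids sequentially,
    # so the first few catch the administrator and early accounts; widen
    # this for sites with many authors.
    author_ids = range(1, 15)
    _author_ref = re.compile(r'/author/(.+?)/')

    def __init__(self, agent, proxy, redir, time, url, cookie, result):
        self.url = url
        self.result = result
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Collect (id, login) pairs, store the logins on result and print them."""
        wpusers.out.test('Enumerate users..')
        found = []
        seen = set()

        def add(uid, login):
            # De-duplicate on login; the first source to see it sets the id.
            if login and login not in seen:
                seen.add(login)
                found.append((uid, login))

        # The REST users endpoint (core 4.7+) lists every account with
        # published content in one request. It is attempted regardless of the
        # fingerprinted version -- the original gated it on result.version,
        # which may be absent or stale, and an unsupported core simply
        # answers non-200.
        url = wpusers.chk.path(self.url, "/?rest_route=/wp/v2/users&per_page=100")
        try:
            resp = self.req.send(url, c=self.cookie)
            if resp.status_code == 200:
                for author in resp.json():
                    add(author.get('id'), author['slug'])
        except Exception as e:
            wpusers.out.warning('{}: {}'.format(url, e))

        # Classic enumeration: /?author=N redirects to /author/<login>/.
        for uid in wpusers.author_ids:
            url = wpusers.chk.path(self.url, "/?author={}".format(uid))
            try:
                resp = self.req.send(url, c=self.cookie)
            except Exception as e:
                wpusers.out.warning('{}: {}'.format(url, e))
                continue
            if resp.status_code != 200:
                continue
            # Only the first reference is tied to this uid; any further
            # /author/ links on the page are real logins with an unknown id.
            for index, login in enumerate(wpusers._author_ref.findall(resp.content)):
                add(uid if index == 0 else None, login)

        # NOTE(review): result.users was initialised to [] and never filled
        # in the original; it now holds the logins in discovery order.
        self.result.users = [login for _, login in found]
        if not found:
            wpusers.out.warning('Not found users :(')
            return
        for uid, login in found:
            wpusers.out.more(' ID: {} - Login: {}'.format(
                '?' if uid is None else uid, login.replace('%20', ' ')))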
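class wpusers:
    """Enumerate user logins through the classic /?author=N redirect.

    Fixes in this version: the loop compared ``i[0]`` (first character of a
    login) against the list and always appended ``author[0]``; the printed
    "ID" was the list index, not the WordPress user id; ``'%20' in
    users[user][0]`` tested a single character, so encoded spaces were never
    decoded; and ``elif users == None`` could never fire for a list.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    # Author ids to probe. The original started at 0, which is not a valid
    # user id and resolves to the home page, mis-attributing its links.
    author_ids = range(1, 15)
    _author_ref = re.compile(r'/author/(.+?)/')

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Probe each author id and print the distinct logins with their ids."""
        wpusers.out.test('Enumerate users..')
        found = []
        seen = set()
        for uid in wpusers.author_ids:
            url = wpusers.chk.path(self.url, "/?author={}".format(uid))
            try:
                resp = self.req.send(url, c=self.cookie)
            except Exception as e:
                wpusers.out.warning('{}: {}'.format(url, e))
                continue
            if resp.status_code != 200:
                continue
            # Only the first reference is tied to this uid; any further
            # /author/ links on the page are real logins with an unknown id.
            for index, login in enumerate(wpusers._author_ref.findall(resp.content)):
                if login and login not in seen:
                    seen.add(login)
                    found.append((uid if index == 0 else None, login))
        if not found:
            wpusers.out.warning('Not found users :(')
            return
        for uid, login in found:
            wpusers.out.more(' ID: {} - Login: {}'.format(
                '?' if uid is None else uid, login.replace('%20', ' ')))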
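class wpxmlrpc:
    """Online password guessing for one user via XML-RPC wp.getUsersBlogs.

    Every wordlist entry is a real authentication attempt against the
    target: expect login lockouts, WAF blocks and alerting, and make sure
    the engagement scope allows it.

    Fixes in this version: the user name and password were spliced into the
    XML body unescaped, so any entry containing ``&``, ``<`` or ``>`` sent
    malformed XML and could never match (silent false negative); the
    wordlist handle was never closed and a failed open fell through to a
    NameError that the outer handler hid; the two match branches read
    different attributes (``_content`` vs ``content``).
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    _payload = (
        "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
        "<param><value><string>{}</string></value></param>"
        "<param><value><string>{}</string></value></param></params>"
        "</methodCall>"
    )
    # isAdmin appears only in a successful reply; its value tells the role.
    _is_admin = re.compile(r'<name>isAdmin</name><value><boolean>([01])</boolean>')

    def __init__(self, agent, proxy, redir, time, url, cookie, wlist, user):
        self.url = url
        self.cookie = cookie
        self.wlist = wlist
        self.user = user
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    @staticmethod
    def _xml_escape(text):
        """Escape the characters that would break or alter the XML payload."""
        return text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')

    def run(self):
        """Try each password once; stop and report on the first valid one."""
        wpxmlrpc.out.plus('Bruteforcing login via xmlrpc..')
        try:
            with open(self.wlist, 'r') as db:
                # Only line endings are stripped: leading/trailing spaces can
                # be part of a password. Blank lines are skipped so they do
                # not burn attempts against a lockout threshold.
                passwords = [line.rstrip('\r\n') for line in db]
        except Exception as e:
            wpxmlrpc.out.warning(e)
            return
        url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
        user = wpxmlrpc._xml_escape(self.user)
        for passwd in passwords:
            if not passwd:
                continue
            payload = wpxmlrpc._payload.format(user, wpxmlrpc._xml_escape(passwd))
            try:
                resp = self.req.send(url, m="POST", p=payload, c=self.cookie)
            except Exception as e:
                wpxmlrpc.out.warning('{}: {}'.format(url, e))
                continue
            match = wpxmlrpc._is_admin.search(resp.content)
            if match is None:
                continue
            if match.group(1) == '1':
                wpxmlrpc.out.plus(
                    'Valid admin credentials: \"{}\" - \"{}\"'.format(
                        self.user, passwd))
            else:
                wpxmlrpc.out.plus(
                    'Valid credentials: \"{}\" - \"{}\"'.format(
                        self.user, passwd))
            wpxmlrpc.out.passs()
            # An account has one password; further attempts only add noise.
            return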
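class wpfpd:
    """Full path disclosure check against /wp-includes/rss-functions.php.

    The check only looks for the "Fatal error" marker PHP emits when the
    include is requested on its own with display_errors enabled; the
    absolute install path sits in that same error line.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(
            agent=agent, proxy=proxy,
            redir=redir, time=time
        )

    def run(self):
        """Request the include directly and report a PHP fatal error page."""
        url = wpfpd.chk.path(self.url, '/wp-includes/rss-functions.php')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wpfpd.out.warning('{}: {}'.format(url, e))
            return
        if resp.status_code != 200:
            return
        # Public .content rather than the private _content attribute.
        body = resp.content
        if body and re.search(r'Fatal error', body):
            wpfpd.out.plus('Full Path Disclosure: {}'.format(resp.url))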
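class fingerprint:
    """Fetch the target once and run the server, WAF and header fingerprints.

    The original wrapped all three probes in one handler, so an error in the
    server check silently skipped the WAF and header checks as well; each
    probe is now isolated and its failure reported.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Run every passive fingerprint on a single response."""
        try:
            resp = self.req.send(self.url, c=self.cookie)
        except Exception as e:
            fingerprint.out.warning('{}: {}'.format(self.url, e))
            return
        probes = (
            (server.wpserver, resp.headers),
            (waf.wpwaf, resp.content),
            (headers.wpheaders, resp.headers),
        )
        for build, data in probes:
            try:
                build().run(data)
            except Exception as e:
                fingerprint.out.warning(e)
        fingerprint.out.passs()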
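class wpxmlrpc:
    """Report an exposed XML-RPC endpoint.

    WordPress answers a plain GET on /xmlrpc.php with 405 (POST only); that
    status on the exact URL requested is taken as "interface available".
    Other statuses (disabled endpoint, WAF block, redirect) stay unreported.
    """
    chk = wphttp.UCheck()
    out = wpprint.wpprint()

    def __init__(self, agent, proxy, redir, time, url, cookie):
        self.url = url
        self.cookie = cookie
        self.req = wphttp.wphttp(agent=agent, proxy=proxy, redir=redir, time=time)

    def run(self):
        """Send one GET to /xmlrpc.php and print the finding."""
        url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
        try:
            resp = self.req.send(url, c=self.cookie)
        except Exception as e:
            wpxmlrpc.out.warning('{}: {}'.format(url, e))
            return
        # Public .content rather than the private _content attribute, which
        # is False on a requests-style response until the body is read.
        if resp.status_code == 405 and resp.url == url and resp.content is not None:
            wpxmlrpc.out.plus(
                'XML-RPC Interface available under: {}'.format(resp.url))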