class wplisting:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking dir listing...')
dir = [
'/wp-admin', '/wp-includes', '/wp-content/uploads',
'/wp-content/plugins', '/wp-content/themes'
]
for i in dir:
try:
url = self.check.checkurl(self.url, i)
resp = self.req.send(url)
html = resp.read()
if html and resp.getcode() == 200:
if re.search('Index of', html):
self.printf.plus('dir %s listing enabled under: %s' %
(i, url))
else:
self.printf.erro('dir %s not listing enabled' % (i))
else:
self.printf.erro('dir %s not listing enabled' % (i))
except Exception as error:
pass
class wpxss:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url, method, payload):
self.url = url
self.method = method
self.payload = payload
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Testing XSS vulns...")
print ""
params = dict([x.split("=") for x in self.payload.split("&")])
param = {}
db = open("data/wpxss.txt", "rb")
file = [x.split("\n") for x in db]
try:
for item in params.items():
for x in file:
param[item[0]] = item[1].replace(item[1], x[0])
enparam = urllib.urlencode(param)
url = self.check.checkurl(self.url, "")
resp = self.req.send(url, self.method, enparam)
if re.search(x[0], resp.read()) and resp.getcode() == 200:
self.printf.erro(
"[%s][%s][vuln] %s" %
(resp.getcode(), self.method, resp.geturl()))
else:
self.printf.plus(
"[%s][%s][not vuln] %s" %
(resp.getcode(), self.method, resp.geturl()))
except Exception as error:
pass
class wpusers:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
self.usersFeed = []
self.usersJson = []
self.usersAuthor = []
def wayjson(self):
# Enumeration users via wp-json
# https://www.exploit-db.com/exploits/41497/
try:
url = self.check.checkurl(self.url, "/wp-json/wp/v2/users")
self.printf.ipri(" %s" % (url), color="g")
resp = self.req.send(url)
if resp.getcode() == 200:
html = resp.read()
user = json.loads(html, "utf-8")
for x in range(len(user)):
self.usersJson.append(user[x]["name"])
# print self.usersJson
except Exception, e:
pass
class wpconfig:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking wp-config...')
try:
url = self.check.checkurl(self.url, '/wp-config.php')
resp = self.req.send(url)
html = resp.read()
if html and resp.getcode() == 200:
if re.search('\S+define(\S+,*)', html):
self.printf.plus('wp-config available under: %s' % (url))
else:
self.printf.erro('wp-config not available')
else:
self.printf.erro('wp-config not available')
self.wpconfigsample()
self.backup()
except Exception as error:
pass
def backup(self):
self.printf.test('Checking wp-config backup...')
ext = [
'.php~', '.backup', '.bck', '.old', '.save', '.bak', '.copy',
'.tmp', '.txt', '.zip', '.db', '.dat', '.tar.gz', '.back', '.test',
'.temp', '.orig'
]
for x in ext:
try:
url = self.check.checkurl(self.url, '/wp-config' + x)
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.plus('wp-config backup available under: %s' %
(url))
else:
self.printf.erro('wp-config%s backup not available' % x)
except Exception as error:
pass
def wpconfigsample(self):
self.printf.test('Checking wp-config-sample...')
try:
url = self.check.checkurl(self.url, 'wp-config-sample.php')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 500:
self.printf.plus('wp-config-sample available under: %s' %
(url))
else:
self.printf.erro('wp-config-sample not available')
except Exception as error:
pass
class wpchangelog:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self,theme):
files = ['changelog.txt','changelog.md','CHANGELOG.md','CHANGELOG.txt']
for i in files:
try:
url = self.check.checkurl(self.url,'/wp-content/themes/%s/%s'%(theme,i))
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.ipri('Changelog: %s'%(url),color="g")
except Exception as error:
pass
class wpfpd:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test('Checking Full Path Disclosure...')
try:
url = self.check.checkurl(self.url,'/wp-includes/rss-functions.php')
resp = self.req.send(url)
if re.search('Fatal error',resp.read()):
self.printf.erro('Full Path Disclosure: %s'%(url))
else:
self.printf.erro('Full Path Disclosure not available')
except Exception as error:
pass
class wpcrossdomain:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test('Checking crossdomain...')
try:
url = self.check.checkurl(self.url,'crossdomain.xml')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.plus('crossdomain.xml available under: %s'%(url))
else:
self.printf.erro('crossdomain.xml not available')
except Exception as error:
pass
class wpxmlrpc:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test("Checking xmlrpc...")
try:
url = self.check.checkurl(self.url,'/xmlrpc.php')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 405:
self.printf.plus('XML-RPC Interface available under: %s'%(url))
else:
self.printf.erro('XML-RPC not available')
except Exception as error:
pass
class wpusers:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Enumeration usernames...")
l = []
for x in range(0, 15):
try:
url = self.check.checkurl(self.url, '/?author=%s' % x)
resp = self.req.send(url)
if resp.getcode() == 200:
html = resp.read()
login = re.findall('/author/(.+?)/', html)
l.append(login)
except Exception as error:
print error
login_new = []
for i in l:
if i not in login_new:
login_new.append(i)
##################
try:
if login_new != []:
for a in range(len(login_new)):
if "%20" in login_new[a][0]:
self.printf.ipri(
" ID: %s | Login: %s" %
(a, login_new[a][0].replace('%20', ' ')),
color="g")
else:
self.printf.ipri(" ID: %s | Login: %s" %
(a, login_new[a][0]),
color="g")
print ""
if login_new == []:
self.printf.ipri("Not found usernames", color="r")
except Exception as error:
self.printf.ipri("Not found usernames", color="r")
class wplicense:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, plugin):
files = ['license.txt', 'license.md', 'LICENSE.md', 'LICENSE.txt']
for i in files:
try:
url = self.check.checkurl(
self.url, 'wp-content/plugins/%s/%s' % (plugin, i))
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.ipri('License: %s' % (url), color="g")
except Exception as error:
pass
class wplicense:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Checking license...")
try:
url = self.check.checkurl(self.url, '/license.txt')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.plus('license.txt available under: %s' % (url))
else:
self.printf.erro('license.txt not available')
except Exception as error:
pass
class wpxmlrpc:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url, cookie, wordlist, user):
self.url = url
self.cookie = cookie
self.wordlist = wordlist
self.user = user
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Starting bruteforce login via xmlrpc...')
print ""
passwd = open(self.wordlist, "rb")
for x in passwd:
payload = (
"""<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>""" + self.user + """</string></value></param>
<param><value><string>""" + str(x.split('\n')[0]) +
"""</string></value></param></params></methodCall>""")
self.printf.test("Trying Credentials: \"%s\" - \"%s\"" %
(self.user, x.split('\n')[0]))
try:
url = self.check.checkurl(self.url, 'xmlrpc.php')
resp = self.req.send(url, method="POST", payload=payload)
html = resp.read()
if re.search('<name>isAdmin</name><value><boolean>0</boolean>',
html, re.I):
self.printf.plus('Valid Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
elif re.search(
'<name>isAdmin</name><value><boolean>1</boolean>',
html, re.I):
self.printf.plus(
'Valid ADMIN Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
break
else:
self.printf.erro('Invalid Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
except Exception as error:
pass
class wploginprotection:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking wp-login protection...')
try:
url = self.check.checkurl(self.url, 'wp-login.php')
resp = self.req.send(url)
if resp.getcode() == 200:
self.printf.plus('wp-login not detect protection')
elif resp.getcode() == 404:
self.printf.erro('wp-login detect protection')
except Exception as error:
pass
class wpwaf:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking WAF...')
try:
url = self.check.checkurl(self.url, "")
resp = self.req.send(url)
html = resp.read()
if re.search('/wp-content/plugins/wordfence/', html):
self.printf.plus('Firewall Detection: Wordfence Security')
elif re.search('/wp-content/plugins/bulletproof-security/', html):
self.printf.plus('Firewall Detection: BulletProof Security')
elif re.search('/wp-content/plugins/sucuri-scanner/', html):
self.printf.plus('Firewall Detection: Sucuri Security')
elif re.search('/wp-content/plugins/better-wp-security/', html):
self.printf.plus('Firewall Detection: Better WP Security')
elif re.search('/wp-content/plugins/wp-security-scan/', html):
self.printf.plus(
'Firewall Detection: Acunetix WP SecurityScan')
elif re.search(
'/wp-content/plugins/all-in-one-wp-security-and-firewall/',
html):
self.printf.plus(
'Firewall Detection: All In One WP Security & Firewall')
elif re.search('/wp-content/plugins/6scan-protection', html):
self.printf.plus('Firewall Detection: 6Scan Security')
elif re.search('cloudflare-nginx',
resp.info().getheader('server'), re.I):
self.printf.plus('Firewall Detection: CloudFlare')
elif re.search('__cfduid', resp.info().getheader('cookie'), re.I):
self.printf.plus('Firewall Detection: CloudFlare')
else:
self.printf.erro('No Firewall Detected')
except Exception as error:
pass
class wprobots:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Checking robots...")
try:
url = self.check.checkurl(self.url, '/robots.txt')
resp = self.req.send(url)
html = resp.read()
if html and resp.getcode() == 200:
self.printf.plus('robots.txt available under: %s' % (url))
print "\r\n%s\n" % (html)
elif html == "":
self.printf.erro('robots.txt not available')
except Exception as error:
pass
class wplisting:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, plugin):
files = [
"/js", "/css", "/images", "/inc", "/admin", "/src", "/widgets",
"/lib", "/assets", "/includes", "/logs", "/vendor", "/core"
]
for i in files:
try:
url = self.check.checkurl(
self.url, 'wp-content/plugins/%s/%s' % (plugin, i))
resp = self.req.send(url)
if re.search('Index of', resp.read()):
self.printf.ipri('Listing: %s' % (url), color="g")
except Exception as error:
pass
class wpfpd:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, theme):
file = [
"/404.php", "/archive.php", "/author.php", "/comments.php",
"/footer.php", "/functions.php", "/header.php", "/image.php",
"/page.php", "/search.php", "/single.php", "/archive.php"
]
for i in file:
try:
url = self.check.checkurl(
self.url, "/wp-content/themes/%s%s" % (theme, i))
resp = self.req.send(url)
if re.search('Fatal error', resp.read()):
self.printf.ipri('Full Path Disclosure: %s' % (url),
color="r")
except Exception as error:
pass
class wpversion:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, redirect=redirect, proxy=proxy)
def run(self):
self.printf.test('Checking wordpress version...')
try:
url = self.check.checkurl(self.url, 'wp-links-opml.php')
resp = self.req.send(url)
vers = re.findall('\S+WordPress/(\d+.\d+[.\d+]*)', resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' % (vers[0]))
wpvuln().run(vers)
except Exception as error:
print error
try:
url = self.check.checkurl(self.url, 'feed')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '/feed/atom')
resp = self.req.send(url)
vers = re.findall(
'<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"',
resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '/feed/rdf')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)',
resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url,
'/comments/feed')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(
self.url, 'readme.html')
resp = self.req.send(url)
vers = re.findall(
'.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
vers = re.findall(
'<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
self.printf.erro(
'Not found running WordPress version')
class wpplugin:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpchangelog = wpchangelog.wpchangelog(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wplicense = wplicense.wplicense(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wplisting = wplisting.wplisting(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpreadme = wpreadme.wpreadme(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
def run(self):
self.printf.test('Enumeration plugins...')
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
plugin = re.findall('/wp-content/plugins/(.+?)/', resp.read())
new = []
for i in plugin:
if i not in new:
new.append(i)
if new != []:
for c in range(len(new)):
print ""
self.printf.ipri('Name: %s - %s' %
(new[c], self.version(new[c])),
color="g")
self.wpchangelog.run(new[c])
self.wplicense.run(new[c])
self.wplisting.run(new[c])
self.wpreadme.run(new[c])
wpvuln().run(new[c])
print ""
else:
self.printf.ipri('Not found plugins')
except Exception as error:
pass
def version(self, plugin):
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
ver = re.findall(
'/wp-content/plugins/%s\S+?ver=(\d+.\d+[.\d+]*)' % (plugin),
resp.read())
if len(ver) >= 2:
return ver[0]
elif len(ver) == 1:
return ver[0]
else:
return None
except Exception as error:
pass
class WPSeku(object):
"""docstring for WPSeku"""
r = wpcolor.wpcolor().red(1)
w = wpcolor.wpcolor().white(0)
y = wpcolor.wpcolor().yellow(4)
e = wpcolor.wpcolor().reset()
xss = False
sql = False
lfi = False
brute = False
agent = ""
proxy = None
redirect = True
cookie = None
user = None
method = None
query = None
wordlist = None
check = wphttp.check()
printf = wpprint.wpprint()
_ = wpall.wpall()
def __init__(self, kwargs):
self.kwargs = kwargs
def Banner(self):
print self.r + r"__ ______ ____ _ " + self.e
print self.r + r"\ \ / / _ \/ ___| ___| | ___ _ " + self.e
print self.r + r" \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |" + self.e
print self.r + r" \ V V / | __/ ___) | __/ <| |_| |" + self.e
print self.r + r" \_/\_/ |_| |____/ \___|_|\_\\__,_|" + self.e
print self.w + " " + self.e
print self.w + "|| WPSeku - Wordpress Security Scanner " + self.e
print self.w + "|| Version 0.2.1 " + self.e
print self.w + "|| Momo Outaadi (M4ll0k) " + self.e
print self.w + "|| %shttps://github.com/m4ll0k/WPSeku%s\n" % (self.y,
self.e)
def Usage(self, ext=False):
path = os.path.basename(sys.argv[0])
self.Banner()
print "Usage: ./%s [--target|-t] http://localhost\n" % path
print "\t-t --target\tTarget URL (eg: http://localhost)"
print "\t-x --xss\tTesting XSS vulns"
print "\t-s --sql\tTesting SQL vulns"
print "\t-l --lfi\tTesting LFI vulns"
print "\t-q --query\tTestable parameters (eg: \"id=1&test=1\")"
print "\t-b --brute\tBruteforce login via xmlrpc"
print "\t-u --user\tSet username, default=admin"
print "\t-p --proxy\tSet proxy, (host:port)"
print "\t-m --method\tSet method (GET/POST)"
print "\t-c --cookie\tSet cookies"
print "\t-w --wordlist\tSet wordlist"
print "\t-a --agent\tSet user-agent"
print "\t-r --redirect\tRedirect target url, default=True"
print "\t-h --help\tShow this help and exit\n"
print "Examples:"
print "\t%s --target http://localhost" % path
print "\t%s -t http://localhost/wp-admin/post.php -m GET -q \"post=49&action=edit\" [-x,-s,-l]" % path
print "\t%s --target http://localhost --brute --wordlist dict.txt" % path
print "\t%s --target http://localhost --brute --user test --wordlist dict.txt\n" % path
if ext == True:
sys.exit()
def CheckTarget(self, url):
scheme = urlparse.urlsplit(url).scheme
netloc = urlparse.urlsplit(url).netloc
path = urlparse.urlsplit(url).path
if scheme not in ['http', 'https', '']:
sys.exit(self.printf.erro('Schme %s not supported' % (scheme)))
if netloc == "":
return "http://" + path
else:
return scheme + "://" + netloc + path
def Main(self):
if len(sys.argv) <= 2:
self.Usage(True)
try:
opts, args = getopt.getopt(
self.kwargs, "t:x=:s=:l=:b=:h=:q:u:p:m:c:w:a:r:", [
'target=', 'xss', 'sql', 'lfi', 'query=', 'brute', 'user='******'proxy=', 'method=', 'cookie=', 'wordlist=', 'agent=',
'redirect=', 'help'
])
except getopt.error as error:
pass
for o, a in opts:
if o in ('-t', '--target'):
self.target = self.CheckTarget(a)
if o in ('-x', '--xss'):
self.xss = True
if o in ('-s', '--sql'):
self.sql = True
if o in ('-l', '--lfi'):
self.lfi = True
if o in ('-q', '--query'):
self.query = a
if o in ('-b', '--brute'):
self.brute = True
if o in ('-u', '--user'):
self.user = a
if o in ('-p', '--proxy'):
self.proxy = a
if o in ('-m', '--method'):
self.method = a
if o in ('-c', '--cookie'):
self.cookie = a
if o in ('-w', '--wordlist'):
self.wordlist = a
if o in ('-a', '--agent'):
self.agent = a
if o in ('-r', '--redirect'):
self.redirect = a
if o in ('-h', '--help'):
self.Usage(True)
self.Banner()
self.printf.plus('Target: %s' % self.target)
self.printf.plus('Starting: %s\n' %
(time.strftime('%d/%m/%Y %H:%M:%S')))
print self.agent
if not self.agent: self.agent = 'Mozilla/5.0'
if not self.proxy: self.proxy = None
if not self.cookie: self.cookie = None
if not self.redirect: self.redirect = False
if not self.user: self.user = "******"
# xss attack
if self.xss == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wpxss.wpxss(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# sql attack
if self.sql == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wpsql.wpsql(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# lfi attack
if self.lfi == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wplfi.wplfi(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# attack bruteforce
if self.brute == True:
if not self.wordlist:
sys.exit(self.printf.erro('Not found wordlist!'))
wpxmlrpc.wpxmlrpc(self.agent, self.proxy, self.redirect,
self.target, self.cookie, self.wordlist,
self.user).run()
sys.exit()
# discovery
if self.target:
self._.run(self.agent, self.proxy, self.redirect, self.target)
class wpheaders:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Interesting headers...")
print ""
try:
url = self.check.checkurl(self.url, '')
r = self.req.send(url)
if r.info().getheader('accept-charset'):
print 'Accept-Charset: %s' % (
r.info().getheader('accept-charset'))
if r.info().getheader('accept-encoding'):
print 'Accept-Encoding: %s' % (
r.info().getheader('accept-encoding'))
if r.info().getheader('accept-language'):
print 'accept-language: %s' % (
r.info().getheader('accept-language'))
if r.info().getheader('accept-ranges'):
print 'Accept-Ranges: %s' % (
r.info().getheader('accept-ranges'))
if r.info().getheader('access-control-allow-credentials'):
print 'Access-Control-Allow-Credentials: %s' % (
r.info().getheader('access-control-allow-credentials'))
if r.info().getheader('access-control-allow-headers'):
print 'Access-Control-Allow-Headers: %s' % (
r.info().getheader('access-control-allow-headers'))
if r.info().getheader('access-control-allow-methods'):
print 'Access-Control-Allow-Methods: %s' % (
r.info().getheader('access-control-allow-methods'))
if r.info().getheader('access-control-allow-origin'):
print 'Access-Control-Allow-Origin: %s' % (
r.info().getheader('access-control-allow-origin'))
if r.info().getheader('access-control-expose-headers'):
print 'Access-Control-Expose-Headers: %s' % (
r.info().getheader('access-control-expose-headers'))
if r.info().getheader('access-control-max-age'):
print 'Access-Control-Max-Age: %s' % (
r.info().getheader('access-control-max-age'))
if r.info().getheader('age'):
print 'Age: %s' % (r.info().getheader('age'))
if r.info().getheader('allow'):
print 'Allow: %s' % (r.info().getheader('allow'))
if r.info().getheader('alternates'):
print 'Alternates: %s' % (r.info().getheader('alternates'))
if r.info().getheader('authorization'):
print 'Authorization: %s' % (
r.info().getheader('authorization'))
if r.info().getheader('cache-control'):
print 'Cache-Control: %s' % (
r.info().getheader('cache-control'))
if r.info().getheader('connection'):
print 'Connection: %s' % (r.info().getheader('connection'))
if r.info().getheader('content-encoding'):
print 'Content-Encoding: %s' % (
r.info().getheader('content-encoding'))
if r.info().getheader('content-language'):
print 'Content-Language: %s' % (
r.info().getheader('content-language'))
if r.info().getheader('content-length'):
print 'Content-Length: %s' % (
r.info().getheader('content-length'))
if r.info().getheader('content-location'):
print 'Content-Location: %s' % (
r.info().getheader('content-location'))
if r.info().getheader('content-md5'):
print 'Content-md5: %s' % (r.info().getheader('content-md5'))
if r.info().getheader('content-range'):
print 'Content-Range: %s' % (
r.info().getheader('content-range'))
if r.info().getheader('content-security-policy'):
print 'Content-Security-Policy: %s' % (
r.info().getheader('content-security-policy'))
if r.info().getheader('content-security-policy-report-only'):
print 'Content-Security-Policy-Report-Only: %s' % (
r.info().getheader('content-security-policy-report-only'))
if r.info().getheader('content-type'):
print 'Content-Type: %s' % (r.info().getheader('content-type'))
if r.info().getheader('dasl'):
print 'Dasl: %s' % (r.info().getheader('dasl'))
if r.info().getheader('date'):
print 'Date: %s' % (r.info().getheader('date'))
if r.info().getheader('dav'):
print 'Dav: %s' % r.info().getheader('dav')
if r.info().getheader('etag'):
print 'Etag: %s' % (r.info().getheader('etag'))
if r.info().getheader('from'):
print 'From: %s' % (r.info().getheader('from'))
if r.info().getheader('host'):
print 'Host: %s' % (r.info().getheader('host'))
if r.info().getheader('keep-alive'):
print 'Keep-Alive: %s' % (r.info().getheader('keep-alive'))
if r.info().getheader('last-modified'):
print 'Last-Modified: %s' % (
r.info().getheader('last-modified'))
if r.info().getheader('location'):
print 'Location: %s' % (r.info().getheader('location'))
if r.info().getheader('max-forwards'):
print 'Max-Forwards: %s' % (r.info().getheader('max-forwards'))
if r.info().getheader('persistent-auth'):
print 'Persistent-Auth: %s' % (
r.info().getheader('persistent-auth'))
if r.info().getheader('pragma'):
print 'Pragma: %s' % (r.info().getheader('pragma'))
if r.info().getheader('proxy-authenticate'):
print 'Proxy-Authenticate: %s' % (
r.info().getheader('proxy-authenticate'))
if r.info().getheader('proxy-authorization'):
print 'Proxy-Authorization: %s' % (
r.info().getheader('proxy-authorization'))
if r.info().getheader('proxy-connection'):
print 'Proxy-Connection: %s' % (
r.info().getheader('proxy-connection'))
if r.info().getheader('public'):
print 'Public: %s' % (r.info().getheader('public'))
if r.info().getheader('range'):
print 'Range: %s' % (r.info().getheader('range'))
if r.info().getheader('referer'):
print 'Referer: %s' % (r.info().getheader('referer'))
if r.info().getheader('server'):
print 'Server: %s' % (r.info().getheader('server'))
if r.info().getheader('set-cookie'):
print 'Set-Cookie: %s' % (r.info().getheader('set-cookie'))
if r.info().getheader('status'):
print 'Status: %s' % (r.info().getheader('status'))
if r.info().getheader('strict-transport-security'):
print 'Strict-Transport-Security: %s' % (
r.info().getheader('strict-transport-security'))
if r.info().getheader('transfer-encoding'):
print 'Transfer-Encoding: %s' % (
r.info().getheader('transfer-encoding'))
if r.info().getheader('upgrade'):
print 'Upgrade: %s' % (r.info().getheader('upgrade'))
if r.info().getheader('vary'):
print 'Vary: %s' % (r.info().getheader('vary'))
if r.info().getheader('via'):
print 'Via: %s' % (r.info().getheader('via'))
if r.info().getheader('warning'):
print 'Warning: %s' % (r.info().getheader('warning'))
if r.info().getheader('www-authenticate'):
print 'www-Authenticate: %s' % (
r.info().getheader('www-authenticate'))
if r.info().getheader('x-content-security-policy'):
print 'X-Content-Security-Policy: %s' % (
r.info().getheader('x-content-security-policy'))
if r.info().getheader('x-content-type-options'):
print 'X-Content-Type-Options: %s' % (
r.info().getheader('x-content-type-options'))
if r.info().getheader('x-frame-options'):
print 'X-Frame-Options: %s' % (
r.info().getheader('x-frame-options'))
if r.info().getheader('x-id'):
print 'X-Id: %s' % (r.info().getheader('x-id'))
if r.info().getheader('x-mod-pagespeed'):
print 'X-Mod-Pagespeed: %s' % (
r.info().getheader('x-mod-pagespeed'))
if r.info().getheader('x-pad'):
print 'X-Pad: %s' % (r.info().getheader('x-pad'))
if r.info().getheader('x-page-speed'):
print 'X-Page-Speed: %s' % (r.info().getheader('x-page-speed'))
if r.info().getheader('x-permitted-cross-domain-policies'):
print 'X-Permitted-Cross-Domain-Policies: %s' % (
r.info().getheader('x-permitted-cross-domain-policies'))
if r.info().getheader('x-pingback'):
print 'X-Pingback: %s' % (r.info().getheader('x-pingback'))
if r.info().getheader('x-powered-by'):
print 'X-Powered-By: %s' % (r.info().getheader('x-powered-by'))
if r.info().getheader('x-robots-tag'):
print 'X-Robots-Tag: %s' % (r.info().getheader('x-robots-tag'))
if r.info().getheader('x-ua-compatible'):
print 'X-UA-Compatible: %s' % (
r.info().getheader('x-ua-compatible'))
if r.info().getheader('x-varnish'):
print 'X-Varnish: %s' % (r.info().getheader('x-varnish'))
if r.info().getheader('x-xss-protection'):
print 'X-XSS-Protection: %s' % (
r.info().getheader('x-xss-protection'))
except Exception as error:
pass
print ""
class wptheme:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpch = wpchangelog.wpchangelog(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpfpd = wpfpd.wpfpd(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpli = wplicense.wplicense(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wplis = wplisting.wplisting(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wprea = wpreadme.wpreadme(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpst = wpstyle.wpstyle(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
def run(self):
self.printf.test('Enumeration themes...')
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
theme = re.findall('/wp-content/themes/(.+?)/', resp.read())
new = []
for i in theme:
if i not in new:
new.append(i)
if new != []:
for c in range(len(new)):
print ""
self.printf.ipri('Name: %s' % (new[c]), color="g")
self.info(new[c])
self.wpst.run(new[c])
self.wpch.run(new[c])
self.wpfpd.run(new[c])
self.wpli.run(new[c])
self.wplis.run(new[c])
self.wprea.run(new[c])
wpvuln().run(new[c])
print ""
else:
self.printf.ipri('Not found themes', color="g")
except Exception as error:
pass
def info(self, theme):
try:
url = self.check.checkurl(
self.url, "/wp-content/themes/%s/%s" % (theme, "style.css"))
resp = self.req.send(url)
html = resp.read()
self.printf.ipri('Theme Name: %s' %
(re.findall("Theme Name: (\w+)", html)[0]),
color="g")
self.printf.ipri('Theme URL: %s' %
(re.findall("Theme URI: (\S+)", html)[0]),
color="g")
self.printf.ipri('Author: %s' %
(re.findall("Author: (\S+)", html)[0]),
color="g")
self.printf.ipri('Author URL: %s' %
(re.findall("Author URI: (\S+)", html)[0]),
color="g")
self.printf.ipri(
'Version: %s' %
(re.findall("Version: (\d+.\d+[.\d+]*)", html)[0]),
color="g")
except Exception as error:
pass
class wpsql:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url, method, payload):
self.url = url
self.method = method
self.payload = payload
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def dberror(self, data):
if re.search("You have an error in your SQL syntax", data):
return "MySQL Injection"
if re.search("supplied argument is not a valid MySQL", data):
return "MySQL Injection"
if re.search("Microsoft ODBC Microsoft Access Driver", data):
return "Access-Based SQL Injection"
if re.search(
'Microsoft OLE DB Provider for ODBC Drivers</font> <font size="2" face="Arial">error',
data):
return "MSSQL-Based Injection"
if re.search("Microsoft OLE DB Provider for ODBC Drivers", data):
return "MSSQL-Based Injection"
if re.search("java.sql.SQLException: Syntax error or access violation",
data):
return "Java.SQL Injection"
if re.search("PostgreSQL query failed: ERROR: parser:", data):
return "PostgreSQL Injection"
if re.search("XPathException", data):
return "XPath Injection"
if re.search(
"supplied argument is not a valid ldap", data) or re.search(
"javax.naming.NameNotFoundException", data):
return "LDAP Injection"
if re.search("DB2 SQL error", data):
return "DB2 Injection"
if re.search("Dynamic SQL Error", data):
return "Interbase Injection"
if re.search("Sybase message:", data):
return "Sybase Injection"
oracle = re.search('ORA-[0-9]', data)
if oracle != None:
return "Oracle Injection" + " " + oracle.group(0)
return ""
def run(self):
self.printf.test("Testing SQL vulns...")
print ""
params = dict([x.split("=") for x in self.payload.split("&")])
param = {}
db = open("data/wpsql.txt", "rb")
file = [x.split("\n") for x in db]
try:
for item in params.items():
for x in file:
param[item[0]] = item[1].replace(item[1], x[0])
enparam = urllib.urlencode(param)
url = self.check.checkurl(self.url, "")
resp = self.req.send(url, self.method, enparam)
data = self.dberror(resp.read())
if data != "":
self.printf.erro(
"[%s][%s][%s] %s" %
(resp.getcode(), self.method, data, resp.geturl()))
else:
self.printf.plus(
"[%s][%s][not vuln] %s" %
(resp.getcode(), self.method, resp.geturl()))
param[item[0]] = item[1].replace(x[0], item[1])
except Exception as error:
pass
