def start(id, url, ua, ga, source, detection_method): ''' id = ID of the cms url = URL of target ua = User Agent ga = [0/1] is GENERATOR meta tag available source = source code ''' ## Do shits later [update from later: i forgot what shit i had to do ;___;] if id == "wp": # referenced before assignment fix vulnss = version = wpvdbres = result = plugins_found = usernames = usernamesgen = '0' cmseek.statement('Starting WordPress DeepScan') # Check if site really is WordPress if detection_method == 'source': # well most of the wordpress false positives are from source detections. cmseek.statement('Checking if the detection is false positive') temp_domain = re.findall( '^(?:https?:\/\/)?(?:[^@\n]+@)?(?:www\.)?([^:\/\n\?\=]+)', url)[0] wp_match_pattern = temp_domain + '\/wp-(content|include|admin)\/' if not re.search(wp_match_pattern, source): cmseek.error( 'Detection was false positive! CMSeeK is quitting!') cmseek.success( 'Run CMSeeK with {0}{1}{2} argument next time'.format( cmseek.fgreen, '--ignore-cms wp', cmseek.cln)) #cmseek.handle_quit() return # Version detection version = wordpress_version_detect.start(id, url, ua, ga, source) ## Check for minor stuffs like licesnse readme and some open directory checks cmseek.statement("Initiating open directory and files check") ## Readme.html readmesrc = cmseek.getsource(url + '/readme.html', ua) if readmesrc[ 0] != '1': ## something went wrong while getting the source codes cmseek.statement( "Couldn't get readme file's source code most likely it's not present" ) readmefile = '0' # Error Getting Readme file elif 'Welcome. WordPress is a very special project to me.' in readmesrc[ 1]: readmefile = '1' # Readme file present else: readmefile = '2' # Readme file found but most likely it's not of wordpress ## license.txt licsrc = cmseek.getsource(url + '/license.txt', ua) if licsrc[0] != '1': cmseek.statement('license file not found') licfile = '0' elif 'WordPress - Web publishing software' in licsrc[1]: licfile = '1' else: licfile = '2' ## wp-content/uploads/ folder wpupsrc = cmseek.getsource(url + '/wp-content/uploads/', ua) if wpupsrc[0] != '1': wpupdir = '0' elif 'Index of /wp-content/uploads' in wpupsrc[1]: wpupdir = '1' else: wpupdir = '2' ## xmlrpc xmlrpcsrc = cmseek.getsource(url + '/xmlrpc.php', ua) if xmlrpcsrc[0] != '1': cmseek.statement('XML-RPC interface not available') xmlrpc = '0' elif 'XML-RPC server accepts POST requests only.' in xmlrpcsrc[1]: xmlrpc = '1' else: xmlrpc = '2' ## Path disclosure cmseek.statement('Looking for potential path disclosure') path = path_disclosure.start(url, ua) if path != "": cmseek.success('Path disclosure detected, path: ' + cmseek.bold + path + cmseek.cln) ## Check for user registration usereg = check_reg.start(url, ua) reg_found = usereg[0] reg_url = usereg[1] ## Plugins Enumeration plug_enum = wp_plugins_enum.start(source) plugins_found = plug_enum[0] plugins = plug_enum[1] ## Themes Enumeration theme_enum = wp_theme_enum.start(source, url, ua) themes_found = theme_enum[0] themes = theme_enum[1] ## User enumeration uenum = wp_user_enum.start(id, url, ua, ga, source) usernamesgen = uenum[0] usernames = uenum[1] ## Version Vulnerability Detection if version != '0': version_vuln = wp_vuln_scan.start(version, ua) wpvdbres = version_vuln[0] result = version_vuln[1] if wpvdbres != '0' and version != '0': vulnss = len(result['vulnerabilities']) vfc = version_vuln[2] ### Deep Scan Results comes here comptime = round(time.time() - cmseek.cstart, 2) log_file = os.path.join(cmseek.log_dir, 'cms.json') cmseek.clearscreen() cmseek.banner("Deep Scan Results") sresult.target(url) sresult.cms('WordPress', version, 'https://wordpress.org') #cmseek.result("Detected CMS: ", 'WordPress') cmseek.update_log('cms_name', 'WordPress') # update log #cmseek.result("CMS URL: ", "https://wordpress.org") cmseek.update_log('cms_url', "https://wordpress.org") # update log sresult.menu('[WordPress Deepscan]') item_initiated = False item_ended = False if readmefile == '1': sresult.init_item("Readme file found: " + cmseek.fgreen + url + '/readme.html' + cmseek.cln) cmseek.update_log('wp_readme_file', url + '/readme.html') item_initiated = True if licfile == '1': cmseek.update_log('wp_license', url + '/license.txt') if item_initiated == False: sresult.init_item("License file: " + cmseek.fgreen + url + '/license.txt' + cmseek.cln) else: sresult.item("License file: " + cmseek.fgreen + url + '/license.txt' + cmseek.cln) if wpvdbres == '1': if item_initiated == False: sresult.init_item('Changelog: ' + cmseek.fgreen + str(result['changelog_url']) + cmseek.cln) else: sresult.item('Changelog: ' + cmseek.fgreen + str(result['changelog_url']) + cmseek.cln) cmseek.update_log('wp_changelog_file', str(result['changelog_url'])) if wpupdir == '1': cmseek.update_log('wp_uploads_directory', url + '/wp-content/uploads') if item_initiated == False: sresult.init_item("Uploads directory has listing enabled: " + cmseek.fgreen + url + '/wp-content/uploads' + cmseek.cln) else: sresult.item("Uploads directory has listing enabled: " + cmseek.fgreen + url + '/wp-content/uploads' + cmseek.cln) if xmlrpc == '1': cmseek.update_log('xmlrpc', url + '/xmlrpc.php') if item_initiated == False: sresult.init_item("XML-RPC interface: " + cmseek.fgreen + url + '/xmlrpc.php' + cmseek.cln) else: sresult.item("XML-RPC interface: " + cmseek.fgreen + url + '/xmlrpc.php' + cmseek.cln) if reg_found == '1': sresult.item('User registration enabled: ' + cmseek.bold + cmseek.fgreen + reg_url + cmseek.cln) cmseek.update_log('user_registration', reg_url) if path != "": sresult.item('Path disclosure: ' + cmseek.bold + cmseek.orange + path + cmseek.cln) cmseek.update_log('path', path) if plugins_found != 0: plugs_count = len(plugins) sresult.init_item("Plugins Enumerated: " + cmseek.bold + cmseek.fgreen + str(plugs_count) + cmseek.cln) wpplugs = "" for i, plugin in enumerate(plugins): plug = plugin.split(':') wpplugs = wpplugs + plug[0] + ' Version ' + plug[1] + ',' if i == 0 and i != plugs_count - 1: sresult.init_sub('Plugin: ' + cmseek.bold + cmseek.fgreen + plug[0] + cmseek.cln) sresult.init_subsub('Version: ' + cmseek.bold + cmseek.fgreen + plug[1] + cmseek.cln) sresult.end_subsub('URL: ' + cmseek.fgreen + url + '/wp-content/plugins/' + plug[0] + cmseek.cln) elif i == plugs_count - 1: sresult.empty_sub() sresult.end_sub('Plugin: ' + cmseek.bold + cmseek.fgreen + plug[0] + cmseek.cln) sresult.init_subsub( 'Version: ' + cmseek.bold + cmseek.fgreen + plug[1] + cmseek.cln, True, False) sresult.end_subsub( 'URL: ' + cmseek.fgreen + url + '/wp-content/plugins/' + plug[0] + cmseek.cln, True, False) else: sresult.empty_sub() sresult.sub_item('Plugin: ' + cmseek.bold + cmseek.fgreen + plug[0] + cmseek.cln) sresult.init_subsub('Version: ' + cmseek.bold + cmseek.fgreen + plug[1] + cmseek.cln) sresult.end_subsub('URL: ' + cmseek.fgreen + url + '/wp-content/plugins/' + plug[0] + cmseek.cln) cmseek.update_log('wp_plugins', wpplugs) sresult.empty_item() if themes_found != 0: thms_count = len(themes) sresult.init_item("Themes Enumerated: " + cmseek.bold + cmseek.fgreen + str(thms_count) + cmseek.cln) wpthms = "" for i, theme in enumerate(themes): thm = theme.split(':') thmz = thm[1].split('|') wpthms = wpthms + thm[0] + ' Version ' + thmz[0] + ',' if i == 0 and i != thms_count - 1: sresult.init_sub('Theme: ' + cmseek.bold + cmseek.fgreen + thm[0] + cmseek.cln) sresult.init_subsub('Version: ' + cmseek.bold + cmseek.fgreen + thmz[0] + cmseek.cln) if thmz[1] != '': sresult.subsub('Theme Zip: ' + cmseek.bold + cmseek.fgreen + url + thmz[1] + cmseek.cln) sresult.end_subsub('URL: ' + cmseek.fgreen + url + '/wp-content/themes/' + thm[0] + cmseek.cln) elif i == thms_count - 1: sresult.empty_sub(True) sresult.end_sub('Theme: ' + cmseek.bold + cmseek.fgreen + thm[0] + cmseek.cln) sresult.init_subsub( 'Version: ' + cmseek.bold + cmseek.fgreen + thmz[0] + cmseek.cln, True, False) if thmz[1] != '': sresult.subsub( 'Theme Zip: ' + cmseek.bold + cmseek.fgreen + url + thmz[1] + cmseek.cln, True, False) sresult.end_subsub( 'URL: ' + cmseek.fgreen + url + '/wp-content/themes/' + thm[0] + cmseek.cln, True, False) else: sresult.sub_item('Theme: ' + cmseek.bold + cmseek.fgreen + thm[0] + cmseek.cln) sresult.init_subsub('Version: ' + cmseek.bold + cmseek.fgreen + thmz[0] + cmseek.cln) if thmz[1] != '': sresult.subsub('Theme Zip: ' + cmseek.bold + cmseek.fgreen + url + thmz[1] + cmseek.cln) sresult.end_subsub('URL: ' + cmseek.fgreen + url + '/wp-content/themes/' + thm[0] + cmseek.cln) cmseek.update_log('wp_themes', wpthms) sresult.empty_item() if usernamesgen == '1': user_count = len(usernames) sresult.init_item("Usernames harvested: " + cmseek.bold + cmseek.fgreen + str(user_count) + cmseek.cln) wpunames = "" for i, u in enumerate(usernames): wpunames = wpunames + u + "," if i == 0 and i != user_count - 1: sresult.init_sub(cmseek.bold + cmseek.fgreen + u + cmseek.cln) elif i == user_count - 1: sresult.end_sub(cmseek.bold + cmseek.fgreen + u + cmseek.cln) else: sresult.sub_item(cmseek.bold + cmseek.fgreen + u + cmseek.cln) cmseek.update_log('wp_users', wpunames) sresult.empty_item() if version != '0': # cmseek.result("Version: ", version) cmseek.update_log('wp_version', version) if wpvdbres == '1': sresult.end_item('Version vulnerabilities: ' + cmseek.bold + cmseek.fgreen + str(vulnss) + cmseek.cln) cmseek.update_log('wp_vuln_count', str(vulnss)) if vulnss > 0: for i, vuln in enumerate(result['vulnerabilities']): if i == 0 and i != vulnss - 1: sresult.empty_sub(False) sresult.init_sub( cmseek.bold + cmseek.fgreen + str(vuln['title']) + cmseek.cln, False) sresult.init_subsub( "Type: " + cmseek.bold + cmseek.fgreen + str(vuln['vuln_type']) + cmseek.cln, False, True) sresult.subsub( "Link: " + cmseek.bold + cmseek.fgreen + "http://wpvulndb.com/vulnerabilities/" + str(vuln['id']) + cmseek.cln, False, True) strvuln = str(vuln) if 'cve' in strvuln: for ref in vuln['references']['cve']: sresult.subsub( "CVE: " + cmseek.fgreen + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-" + str(ref) + cmseek.cln, False, True) if 'exploitdb' in strvuln: for ref in vuln['references']['exploitdb']: sresult.subsub( "ExploitDB Link: " + cmseek.fgreen + "http://www.exploit-db.com/exploits/" + str(ref) + cmseek.cln, False, True) if 'metasploit' in strvuln: for ref in vuln['references']['metasploit']: sresult.subsub( "Metasploit Module: " + cmseek.fgreen + "http://www.metasploit.com/modules/" + str(ref) + cmseek.cln, False, True) if 'osvdb' in strvuln: for ref in vuln['references']['osvdb']: sresult.subsub( "OSVDB Link: " + cmseek.fgreen + "http://osvdb.org/" + str(ref) + cmseek.cln, False, True) if 'secunia' in strvuln: for ref in vuln['references']['secunia']: sresult.subsub( "Secunia Advisory: " + cmseek.fgreen + "http://secunia.com/advisories/" + str(ref) + cmseek.cln, False, True) if 'url' in strvuln: for ref in vuln['references']['url']: sresult.subsub( "Reference: " + cmseek.fgreen + str(ref) + cmseek.cln, False, True) sresult.end_subsub( "Fixed In Version: " + cmseek.bold + cmseek.fgreen + str(vuln['fixed_in']) + cmseek.cln, False, True) elif i == vulnss - 1: sresult.empty_sub(False) sresult.end_sub( cmseek.bold + cmseek.fgreen + str(vuln['title']) + cmseek.cln, False) sresult.init_subsub( "Type: " + cmseek.bold + cmseek.fgreen + str(vuln['vuln_type']) + cmseek.cln, False, False) sresult.subsub( "Link: " + cmseek.bold + cmseek.fgreen + "http://wpvulndb.com/vulnerabilities/" + str(vuln['id']) + cmseek.cln, False, False) strvuln = str(vuln) if 'cve' in strvuln: for ref in vuln['references']['cve']: sresult.subsub( "CVE: " + cmseek.fgreen + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-" + str(ref) + cmseek.cln, False, False) if 'exploitdb' in strvuln: for ref in vuln['references']['exploitdb']: sresult.subsub( "ExploitDB Link: " + cmseek.fgreen + "http://www.exploit-db.com/exploits/" + str(ref) + cmseek.cln, False, False) if 'metasploit' in strvuln: for ref in vuln['references']['metasploit']: sresult.subsub( "Metasploit Module: " + cmseek.fgreen + "http://www.metasploit.com/modules/" + str(ref) + cmseek.cln, False, False) if 'osvdb' in strvuln: for ref in vuln['references']['osvdb']: sresult.subsub( "OSVDB Link: " + cmseek.fgreen + "http://osvdb.org/" + str(ref) + cmseek.cln, False, False) if 'secunia' in strvuln: for ref in vuln['references']['secunia']: sresult.subsub( "Secunia Advisory: " + cmseek.fgreen + "http://secunia.com/advisories/" + str(ref) + cmseek.cln, False, False) if 'url' in strvuln: for ref in vuln['references']['url']: sresult.subsub( "Reference: " + cmseek.fgreen + str(ref) + cmseek.cln, False, False) sresult.end_subsub( "Fixed In Version: " + cmseek.bold + cmseek.fgreen + str(vuln['fixed_in']) + cmseek.cln, False, False) else: sresult.empty_sub(False) sresult.sub_item( cmseek.bold + cmseek.fgreen + str(vuln['title']) + cmseek.cln, False) sresult.init_subsub( "Type: " + cmseek.bold + cmseek.fgreen + str(vuln['vuln_type']) + cmseek.cln, False, True) sresult.subsub( "Link: " + cmseek.bold + cmseek.fgreen + "http://wpvulndb.com/vulnerabilities/" + str(vuln['id']) + cmseek.cln, False, True) strvuln = str(vuln) if 'cve' in strvuln: for ref in vuln['references']['cve']: sresult.subsub( "CVE: " + cmseek.fgreen + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-" + str(ref) + cmseek.cln, False, True) if 'exploitdb' in strvuln: for ref in vuln['references']['exploitdb']: sresult.subsub( "ExploitDB Link: " + cmseek.fgreen + "http://www.exploit-db.com/exploits/" + str(ref) + cmseek.cln, False, True) if 'metasploit' in strvuln: for ref in vuln['references']['metasploit']: sresult.subsub( "Metasploit Module: " + cmseek.fgreen + "http://www.metasploit.com/modules/" + str(ref) + cmseek.cln, False, True) if 'osvdb' in strvuln: for ref in vuln['references']['osvdb']: sresult.subsub( "OSVDB Link: " + cmseek.fgreen + "http://osvdb.org/" + str(ref) + cmseek.cln, False, True) if 'secunia' in strvuln: for ref in vuln['references']['secunia']: sresult.subsub( "Secunia Advisory: " + cmseek.fgreen + "http://secunia.com/advisories/" + str(ref) + cmseek.cln, False, True) if 'url' in strvuln: for ref in vuln['references']['url']: sresult.subsub( "Reference: " + cmseek.fgreen + str(ref) + cmseek.cln, False, True) sresult.end_subsub( "Fixed In Version: " + cmseek.bold + cmseek.fgreen + str(vuln['fixed_in']) + cmseek.cln, False, True) sresult.end(str(cmseek.total_requests), str(comptime), log_file) return return
def start( id, url, ua, ga, source ): ## ({ID of the cms}, {url of target}, {User Agent}, {is Generator Meta tag available [0/1]}, {Source code}) ## Do shits later [update from later: i forgot what shit i had to do ;___;] if id == "wp": # referenced before assignment fix version = wpvdbres = result = plugins_found = usernames = usernamesgen = '0' cmseek.statement('Starting WordPress DeepScan') # Version detection version = wordpress_version_detect.start(id, url, ua, ga, source) ## Check for minor stuffs like licesnse readme and some open directory checks cmseek.statement("Initiating open directory and files check") ## Readme.html readmesrc = cmseek.getsource(url + '/readme.html', ua) if readmesrc[ 0] != '1': ## something went wrong while getting the source codes cmseek.statement( "Couldn't get readme file's source code most likely it's not present" ) readmefile = '0' # Error Getting Readme file elif 'Welcome. WordPress is a very special project to me.' in readmesrc[ 1]: readmefile = '1' # Readme file present else: readmefile = '2' # Readme file found but most likely it's not of wordpress ## license.txt licsrc = cmseek.getsource(url + '/license.txt', ua) if licsrc[0] != '1': cmseek.statement('license file not found') licfile = '0' elif 'WordPress - Web publishing software' in licsrc[1]: licfile = '1' else: licfile = '2' ## wp-content/uploads/ folder wpupsrc = cmseek.getsource(url + '/wp-content/uploads/', ua) if wpupsrc[0] != '1': wpupdir = '0' elif 'Index of /wp-content/uploads' in wpupsrc[1]: wpupdir = '1' else: wpupdir = '2' ## xmlrpc xmlrpcsrc = cmseek.getsource(url + '/xmlrpc.php', ua) if xmlrpcsrc[0] != '1': cmseek.statement('XML-RPC interface not available') xmlrpc = '0' elif 'XML-RPC server accepts POST requests only.' in xmlrpcsrc[1]: xmlrpc = '1' else: xmlrpc = '2' ## Path disclosure cmseek.statement('Looking for potential path disclosure') path = path_disclosure.start(url, ua) if path != "": cmseek.success('Path disclosure detected, path: ' + cmseek.bold + path + cmseek.cln) ## Check for user registration usereg = check_reg.start(url, ua) reg_found = usereg[0] reg_url = usereg[1] ## Plugins Enumeration plug_enum = wp_plugins_enum.start(source) plugins_found = plug_enum[0] plugins = plug_enum[1] ## Themes Enumeration theme_enum = wp_theme_enum.start(source, url, ua) themes_found = theme_enum[0] themes = theme_enum[1] ## User enumeration uenum = wp_user_enum.start(id, url, ua, ga, source) usernamesgen = uenum[0] usernames = uenum[1] ## Version Vulnerability Detection version_vuln = wp_vuln_scan.start(version, ua) wpvdbres = version_vuln[0] result = version_vuln[1] vfc = version_vuln[2] ### Deep Scan Results comes here cmseek.clearscreen() cmseek.banner("Deep Scan Results") cmseek.result("Detected CMS: ", 'WordPress') cmseek.update_log('cms_name', 'WordPress') # update log cmseek.result("CMS URL: ", "https://wordpress.org") cmseek.update_log('cms_url', "https://wordpress.org") # update log if version != '0': cmseek.result("Version: ", version) cmseek.update_log('wp_version', version) if wpvdbres == '1': cmseek.result("Changelog URL: ", str(result['changelog_url'])) cmseek.update_log('wp_changelog_file', str(result['changelog_url'])) if reg_found == '1': cmseek.result('User registration enabled: ', reg_url) cmseek.update_log('user_registration', reg_url) if path != "": cmseek.result('Path disclosure: ', path) cmseek.update_log('path', path) if readmefile == '1': cmseek.result("Readme file found: ", url + '/readme.html') cmseek.update_log('wp_readme_file', url + '/readme.html') if licfile == '1': cmseek.result("License file found: ", url + '/license.txt') if wpupdir == '1': cmseek.result("Uploads directory has listing enabled: ", url + '/wp-content/uploads') cmseek.update_log('wp_uploads_directory', url + '/wp-content/uploads') if xmlrpc == '1': cmseek.result("XML-RPC interface available: ", url + '/xmlrpc.php') cmseek.update_log('wp_uploads_directory', url + '/xmlrpc.php') if plugins_found != 0: print('\n') cmseek.result("Plugins Enumerated: ", '') print(" |") wpplugs = "" for plugin in plugins: plug = plugin.split(':') wpplugs = wpplugs + plug[0] + ' Version ' + plug[1] + ',' cmseek.success(cmseek.bold + plug[0] + ' Version ' + plug[1] + cmseek.cln) cmseek.update_log('wp_plugins', wpplugs) if themes_found != 0: print('\n') cmseek.result("themes Enumerated: ", '') print(" |") wpthms = "" for theme in themes: thm = theme.split(':') thmz = thm[1].split('|') wpthms = wpthms + thm[0] + ' Version ' + thmz[0] + ',' cmseek.success(cmseek.bold + thm[0] + ' Version ' + thmz[0] + cmseek.cln) cmseek.result('Theme URL: ', url + '/wp-content/themes/' + thm[0] + '/') if thmz[1] != '': cmseek.result('Theme Zip URL: ', url + thmz[1]) cmseek.update_log('wp_themes', wpthms) if usernamesgen == '1': print('\n') cmseek.result("Usernames Harvested: ", '') print(" |") wpunames = "" for u in usernames: wpunames = wpunames + u + "," cmseek.success(cmseek.bold + u + cmseek.cln) print('\n') cmseek.update_log('wp_users', wpunames) if wpvdbres == '1': cmseek.result("Vulnerability Count: ", str(len(result['vulnerabilities']))) cmseek.update_log('wp_vuln_count', str(len(result['vulnerabilities']))) cmseek.update_log('wpvulndb_url', "https://wpvulndb.com/api/v2/wordpresses/" + vfc) if len(result['vulnerabilities']) > 0: cmseek.success("Displaying all the vulnerabilities") for vuln in result['vulnerabilities']: print("\n") cmseek.result("Title: ", str(vuln['title'])) cmseek.result("Type: ", str(vuln['vuln_type'])) cmseek.result("Fixed In Version: ", str(vuln['fixed_in'])) cmseek.result( "Link: ", "http://wpvulndb.com/vulnerabilities/" + str(vuln['id'])) strvuln = str(vuln) if 'cve' in strvuln: for ref in vuln['references']['cve']: cmseek.result( "CVE: ", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-" + str(ref)) if 'exploitdb' in strvuln: for ref in vuln['references']['exploitdb']: cmseek.result( "ExploitDB Link: ", "http://www.exploit-db.com/exploits/" + str(ref)) if 'metasploit' in strvuln: for ref in vuln['references']['metasploit']: cmseek.result( "Metasploit Module: ", "http://www.metasploit.com/modules/" + str(ref)) if 'osvdb' in strvuln: for ref in vuln['references']['osvdb']: cmseek.result("OSVDB Link: ", "http://osvdb.org/" + str(ref)) if 'secunia' in strvuln: for ref in vuln['references']['secunia']: cmseek.result( "Secunia Advisory: ", "http://secunia.com/advisories/" + str(ref)) if 'url' in strvuln: for ref in vuln['references']['url']: cmseek.result("Reference: ", str(ref)) else: cmseek.warning( 'No vulnerabilities discovered in this version yet!') return else: cmseek.error("Could not look up version vulnerabilities") return return