From 142cdc79a85df52f1f7997eaccf9b2fd9bd3fd02 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sun, 11 Jun 2017 16:48:13 +0200
Subject: [PATCH] BUGFIX - nocheck index wasn't set + renamed plugin TY

---
 engine/brute.py | 10 +++++-----
 engine/wordpress.py | 20 ++++++++++----------
 main.py | 3 +++
 plugins/git-files.py | 2 +-
 plugins/svn-files.py | 2 +-
 plugins/{zexample.py => thank-you.py} | 0
 6 files changed, 20 insertions(+), 17 deletions(-)
 rename plugins/{zexample.py => thank-you.py} (100%)

diff --git a/engine/brute.py b/engine/brute.py
index abb1eb8..75c94ae 100644
--- a/engine/brute.py
+++ b/engine/brute.py
@@ -30,9 +30,9 @@ class Brute_Engine:
 print notice("Bruteforcing " + brute)
 print info("User found "+ brute)
 self.bruteforcing_pass(wordpress, brute)
-
- # Exit after the bruteforce
- exit()
+
+ # Exit the bruteforce
+ exit()
 """
 name : bruteforcing_user(self, wordpress)
@@ -47,7 +47,7 @@ class Brute_Engine:
 for user in data:
 user = user.strip()
 data = {"log":user, "pwd":"wordpresscan"}
- if not "Invalid username" in requests.post(wordpress.url + "wp-login.php", data=data).text:
+ if not "Invalid username" in requests.post(wordpress.url + "wp-login.php", data=data, verify=False).text:
 print info("User found "+ user)
 self.bruteforcing_pass(wordpress, user)
@@ -69,6 +69,6 @@ class Brute_Engine:
 print 'Bruteforcing - {}{}\r'.format( percent*"▓", (100-percent)*'░' ) ,
- if not "The password you entered" in requests.post(wordpress.url + "wp-login.php", data=data).text:
+ if not "The password you entered" in requests.post(wordpress.url + "wp-login.php", data=data, verify=False).text:
 print warning("Password found for {} : {}{}".format(user,pwd, ' '*100))
 break
diff --git a/engine/wordpress.py b/engine/wordpress.py
index 04818b0..5a18d10 100644
--- a/engine/wordpress.py
+++ b/engine/wordpress.py
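Review bot: The `verify=False` added to the wp-login.php POST turns off TLS certificate validation for the request that carries the guessed credentials, and the same literal is hard-coded in the -69 hunk below, in every engine/wordpress.py hunk and in the plugins/git-files.py and plugins/svn-files.py hunks, with no way for a user to keep validation on. Without certificate checking nothing binds the response to the host in `wordpress.url`, so anyone on the network path can read or rewrite the scanner's traffic, including any password the tool reports, and the warning suppression added in main.py removes the only remaining hint that this is the case. `verify` also accepts a CA-bundle path, so the value belongs in one setting rather than a literal: default it to `True`, expose an explicit opt-out on the command line, keep it on the Wordpress object next to `url` and `agent`, and write each call as `verify=wordpress.verify` (constructed attribute name). The enclosing methods start and end outside these hunks.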
@@ -57,8 +57,8 @@ class Wordpress:
 description : detect a WordPress instance
 """
 def is_wordpress(self, nocheck):
+ self.index = requests.get(self.url, headers={"User-Agent":self.agent}, verify=False)
 if nocheck == False:
- self.index = requests.get(self.url, headers={"User-Agent":self.agent})
 if not "wp-" in self.index.text:
 print critical("Not a WordPress !")
 exit()
@@ -69,7 +69,7 @@ class Wordpress:
 """
 def is_up_and_installed(self):
 try:
- r = requests.get(self.url, allow_redirects=False, headers={"User-Agent":self.agent} )
+ r = requests.get(self.url, allow_redirects=False, headers={"User-Agent":self.agent} , verify=False)
 if 'location' in r.headers:
@@ -100,7 +100,7 @@ class Wordpress:
 description : get the readme file and extract the version is there is any
 """
 def is_readme(self):
- r = requests.get(self.url + 'readme.html', headers={"User-Agent":self.agent})
+ r = requests.get(self.url + 'readme.html', headers={"User-Agent":self.agent}, verify=False)
 if "200" in str(r):
@@ -118,7 +118,7 @@ class Wordpress:
 description : determine if there is a debug.log file
 """
 def is_debug_log(self):
- r = requests.get(self.url + 'debug.log', headers={"User-Agent":self.agent})
+ r = requests.get(self.url + 'debug.log', headers={"User-Agent":self.agent}, verify=False)
 if "200" in str(r) and not "404" in r.text :
 print critical( "Debug log file found: %s" % (self.url + 'debug.log') )
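Review bot: Hoisting `self.index = requests.get(...)` above `if nocheck == False:` fixes the unset index, but it also makes the request unconditional, so the nocheck path now does a round-trip it used to skip, and any `requests.exceptions.RequestException` (refused connection, TLS failure, malformed URL) propagates from the new line as an uncaught traceback. The call also passes no `timeout`, so an unresponsive host blocks the scan indefinitely. Wrapping the fetch in `try`/`except requests.exceptions.RequestException` and reporting through `print critical(...)` before `exit()` keeps the fix while giving the user a readable failure; the `try:` in is_up_and_installed in the next hunk looks like the intended pattern, though its handler is outside the hunk. The rest of is_wordpress continues past the hunk.
```python
def is_wordpress(self, nocheck):
    try:
        self.index = requests.get(self.url, headers={"User-Agent":self.agent}, verify=False)
    except requests.exceptions.RequestException as e:
        print critical("Could not fetch %s : %s" % (self.url, e))
        exit()
    # … unchanged: nocheck branch and the "wp-" check …
```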
@@ -130,7 +130,7 @@ class Wordpress:
 def is_backup_file(self):
 backup = ['wp-config.php~', 'wp-config.php.save', '.wp-config.php.swp', 'wp-config.php.swp', '.wp-config.php.swp', 'wp-config.php.swp', 'wp-config.php.swo', 'wp-config.php_bak', 'wp-config.bak', 'wp-config.php.bak', 'wp-config.save', 'wp-config.old', 'wp-config.php.old', 'wp-config.php.orig', 'wp-config.orig', 'wp-config.php.original', 'wp-config.original', 'wp-config.txt']
 for b in backup:
- r = requests.get(self.url + b, headers={"User-Agent":self.agent})
+ r = requests.get(self.url + b, headers={"User-Agent":self.agent}, verify=False)
 if "200" in str(r) and not "404" in r.text :
 print critical("A wp-config.php backup file has been found in: %s" % (self.url + b) )
@@ -140,7 +140,7 @@ class Wordpress:
 description : determine if there is an xml rpc interface
 """
 def is_xml_rpc(self):
- r = requests.get(self.url + "xmlrpc.php", headers={"User-Agent":self.agent})
+ r = requests.get(self.url + "xmlrpc.php", headers={"User-Agent":self.agent}, verify=False)
 if "200" in str(r) and "404" in r.text :
 print info("XML-RPC Interface available under: %s " % (self.url+"xmlrpc.php") )
@@ -154,7 +154,7 @@ class Wordpress:
 dir_name = ["Uploads", "Includes"]
 for directory, name in zip(directories,dir_name):
- r = requests.get(self.url + directory, headers={"User-Agent":self.agent})
+ r = requests.get(self.url + directory, headers={"User-Agent":self.agent}, verify=False)
 if "Index of" in r.text:
 print warning("%s directory has directory listing enabled : %s" % (name, self.url + directory))
@@ -164,7 +164,7 @@ class Wordpress:
 description : detect if a robots.txt file
 """
 def is_robots_text(self):
- r = requests.get(self.url + "robots.txt", headers={"User-Agent":self.agent})
+ r = requests.get(self.url + "robots.txt", headers={"User-Agent":self.agent}, verify=False)
 if "200" in str(r) and not "404" in r.text :
 print info("robots.txt available under: %s " % (self.url+"robots.txt") )
 lines = r.text.split('\n')
@@ -178,7 +178,7 @@ class Wordpress:
 description : detect a full path disclosure
 """
 def full_path_disclosure(self):
- r = requests.get(self.url + "wp-includes/rss-functions.php", headers={"User-Agent":self.agent}).text
+ r = requests.get(self.url + "wp-includes/rss-functions.php", headers={"User-Agent":self.agent}, verify=False).text
 regex = re.compile("Fatal error:.*? in (.*?) on", re.S)
 matches = regex.findall(r)
@@ -191,7 +191,7 @@ class Wordpress:
 description : enumerate every users of the wordpress
 """
 def enum_wordpress_users(self):
- r = requests.get(self.url + "wp-json/wp/v2/users", headers={"User-Agent":self.agent} )
+ r = requests.get(self.url + "wp-json/wp/v2/users", headers={"User-Agent":self.agent} , verify=False)
 if "200" in str(r):
 print notice("Enumerating Wordpress users")
diff --git a/main.py b/main.py
index f56f258..473614f 100644
--- a/main.py
+++ b/main.py
@@ -8,6 +8,7 @@ from engine.wordpress import *
 from engine.scan import *
 from engine.fuzz import *
 from engine.brute import *
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
 if __name__ == "__main__":
@@ -35,6 +36,8 @@ if __name__ == "__main__":
 # Check wordpress url
 if results.url != None:
+ # Disable warning for ssl verify=False
+ requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 # Update scripts
 if results.update != None:
diff --git a/plugins/git-files.py b/plugins/git-files.py
index bdcc39c..5fdb2d1 100644
--- a/plugins/git-files.py
+++ b/plugins/git-files.py
@@ -11,7 +11,7 @@ name = "GIT configuration files"
 def __init__(wordpress):
 payload = ".git/logs/HEAD"
- r = requests.get(wordpress.url + payload, headers={"User-Agent":wordpress.agent})
+ r = requests.get(wordpress.url + payload, headers={"User-Agent":wordpress.agent}, verify=False)
 if "200" in str(r):
 print "[+] Wordpress configuration found from GIT !"
diff --git a/plugins/svn-files.py b/plugins/svn-files.py
index 46060b9..2e3e682 100644
--- a/plugins/svn-files.py
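Review bot: `requests.packages.urllib3.disable_warnings(InsecureRequestWarning)` on the added main.py line silences, process-wide, the one warning urllib3 raises when certificate verification is off, and it runs unconditionally as soon as a URL is given, so a user who never asked for an insecure scan gets no signal that every request is now unverified. Tie the suppression to the same opt-out that controls `verify`, e.g. `if results.insecure: requests.packages.urllib3.disable_warnings(InsecureRequestWarning)` (constructed option name), and leave the warning in place by default. In the -8 hunk, `requests.packages.urllib3` is a compatibility alias to the installed urllib3 rather than a vendored copy in current requests releases, so `from urllib3.exceptions import InsecureRequestWarning` is the more stable import if a direct urllib3 dependency is acceptable to the project.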
+++ b/plugins/svn-files.py
@@ -11,7 +11,7 @@ name = "SVN configuration files"
 def __init__(wordpress):
 payload = ".svn/text-base/wp-config.php.svn-base"
- r = requests.get(wordpress.url + payload, headers={"User-Agent":wordpress.agent})
+ r = requests.get(wordpress.url + payload, headers={"User-Agent":wordpress.agent}, verify=False)
 if "200" in str(r):
 print "[+] Wordpress configuration found from SVN !"
diff --git a/plugins/zexample.py b/plugins/thank-you.py
similarity index 100%
rename from plugins/zexample.py
rename to plugins/thank-you.py