Basic fuzzing - themes/plugins/components

pull/4/head
Swissky 2017-06-10 18:14:44 +02:00
parent 7361c3cea9
commit f47d402c8d
5 changed files with 135 additions and 7 deletions

118
engine/fuzz.py Normal file
View File

@ -0,0 +1,118 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import re
import json
from tornado import ioloop, httpclient
from core import *
from wordpress import *
from lxml import etree
from multiprocessing import Process, Pool
class Fuzz_Engine:
def __init__(self, wordpress, fuzz):
if fuzz != False:
self.fuzzing_component_aggressive(wordpress)
self.fuzzing_themes_aggressive(wordpress)
self.fuzzing_plugins_aggressive(wordpress)
exit()
"""
name : fuzzing_component_aggressive(self, wordpress)
description : fuzz every component used by the wordpress
"""
def fuzzing_component_aggressive(self, wordpress):
print notice("Enumerating components from aggressive fuzzing ...")
# Load json file
with open('fuzz/wordpress.fuzz') as data_file:
data = data_file.readlines()
# Run through every component
global iter_aggressive
iter_aggressive = 0
http_client = httpclient.AsyncHTTPClient()
for component in data:
component = component.strip()
iter_aggressive += 1
http_client.fetch(wordpress.url + component, aggressive_request_component, method='HEAD') == True
ioloop.IOLoop.instance().start()
"""
name : fuzzing_themes_aggressive(self, wordpress)
description : fuzz every themes used by the wordpress
"""
def fuzzing_themes_aggressive(self, wordpress):
print notice("Enumerating themes from aggressive fuzzing ...")
# Load json file
with open('fuzz/wp_themes.fuzz') as data_file:
data = data_file.readlines()
# Run through every themes
global iter_aggressive
iter_aggressive = 0
http_client = httpclient.AsyncHTTPClient()
for theme in data:
theme = theme.strip()
iter_aggressive += 1
http_client.fetch(wordpress.url + theme + "style.css", aggressive_request_plugins, method='HEAD') == True
ioloop.IOLoop.instance().start()
"""
name : fuzzing_plugins_aggressive(self, wordpress)
description : fuzz every plugins used by the wordpress
"""
def fuzzing_plugins_aggressive(self, wordpress):
print notice("Enumerating plugins from aggressive fuzzing ...")
# Load json file
with open('fuzz/wp_plugins.fuzz') as data_file:
data = data_file.readlines()
# Run through every plugin
global iter_aggressive
iter_aggressive = 0
http_client = httpclient.AsyncHTTPClient()
for plugin in data:
plugin = plugin.strip()
iter_aggressive += 1
http_client.fetch(wordpress.url + plugin, aggressive_request_plugins, method='HEAD') == True
ioloop.IOLoop.instance().start()
def aggressive_request_plugins(response):
if (response.code) == 200:
display_vulnerable_component(response.effective_url.split('/')[-2], "Unknown", "plugins")
global iter_aggressive
iter_aggressive-= 1
if iter_aggressive == 0:
ioloop.IOLoop.instance().stop()
def aggressive_request_themes(response):
if (response.code) == 200:
display_vulnerable_component(response.effective_url.split('/')[-2], "Unknown", "themes")
global iter_aggressive
iter_aggressive-= 1
if iter_aggressive == 0:
ioloop.IOLoop.instance().stop()
def aggressive_request_component(response):
if (response.code) == 200:
if "reauth" in response.effective_url:
print "[i] Authentication Needed: " + response.effective_url+ " - found"
else:
print "[i] File: " + response.effective_url+ " - found"
global iter_aggressive
iter_aggressive-= 1
if iter_aggressive == 0:
ioloop.IOLoop.instance().stop()

View File

@ -10,7 +10,6 @@ from wordpress import *
from lxml import etree
from multiprocessing import Process, Pool
# aggressive = fuzz
class Scan_Engine:
def __init__(self, wordpress, aggressive):
self.fingerprint_wp_version(wordpress)
@ -199,7 +198,7 @@ class Scan_Engine:
print notice("Enumerating themes from aggressive detection ...")
# Load json file
with open('database/plugins.json') as data_file:
with open('database/themes.json') as data_file:
data = json.load(data_file)
# Run through every themes
@ -208,7 +207,7 @@ class Scan_Engine:
http_client = httpclient.AsyncHTTPClient()
for plugin in data.keys():
iter_aggressive += 1
http_client.fetch('http://localhost/wordpress/wp-content/themes/' + plugin, aggressive_request_plugins, method='HEAD') == True
http_client.fetch(wordpress.url+'/wp-content/themes/' + plugin, aggressive_request_themes, method='HEAD') == True
ioloop.IOLoop.instance().start()
@ -229,7 +228,7 @@ class Scan_Engine:
http_client = httpclient.AsyncHTTPClient()
for plugin in data.keys():
iter_aggressive += 1
http_client.fetch('http://localhost/wordpress/wp-content/plugins/' + plugin, aggressive_request_plugins, method='HEAD') == True
http_client.fetch(wordpress.url+'/wp-content/plugins/' + plugin, aggressive_request_plugins, method='HEAD') == True
ioloop.IOLoop.instance().start()

View File

@ -9221,6 +9221,7 @@ wp-content/plugins/simpletwitter-modified/
wp-content/plugins/simpletwitter/
wp-content/plugins/simpletwitterbox/
wp-content/plugins/simply-exclude/
wp-content/plugins/simply-poll/
wp-content/plugins/simply-feed/
wp-content/plugins/simply-picasaweb/
wp-content/plugins/simply-rss-fetcher/

View File

@ -1,5 +1,6 @@
themes/default
themes/default/
wp-content/themes/twentysixteen/
wp-content/themes/08-rainbow-feather-v3-english-version/
wp-content/themes/1-blog-theme/
wp-content/themes/1024px/

15
main.py
View File

@ -6,6 +6,7 @@ from engine.core import *
from engine.load_plugins import *
from engine.wordpress import *
from engine.scan import *
from engine.fuzz import *
if __name__ == "__main__":
@ -25,20 +26,28 @@ if __name__ == "__main__":
parser.add_argument('-u', action ='store', dest='url', help="Wordpress URL")
parser.add_argument('--update', action ='store_const', const='update', dest='update', help="Update the database")
parser.add_argument('--aggressive', action ='store_const', const='aggressive', dest='aggressive', default=False, help="Update the database")
parser.add_argument('--fuzz', action ='store_const', const='fuzz', dest='fuzz', default=False, help="Fuzz the files")
parser.add_argument('--random-agent', action ='store_const', const='random_agent', dest='random_agent', default=False, help="Random User-Agent")
results = parser.parse_args()
# Check wordpress url
if results.url != None:
# Update scripts
if results.update != None:
# Update scripts
if results.update != None:
database_update()
# Build a new wordpress object
wp = Wordpress(results.url, results.random_agent)
# Launch fuzzing
Fuzz_Engine(wp, results.fuzz)
# Launch scans
Scan_Engine(wp, results.aggressive)
# Load plugins for more functions
Load_Plugins(wp)
else:
parser.print_help()
parser.print_help()