Basic fuzzing - themes/plugins/components

2017-06-10 18:14:44 +02:00 · 2017-06-10 18:14:44 +02:00 · f47d402c8d
parent 7361c3cea9
commit f47d402c8d
5 changed files with 135 additions and 7 deletions
--- a/engine/fuzz.py
+++ b/engine/fuzz.py
@ -0,0 +1,118 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+import requests
+import re
+import json
+
+from tornado import ioloop, httpclient
+from core import *
+from wordpress import *
+from lxml import etree
+from multiprocessing import Process, Pool
+
+class Fuzz_Engine:
+	def __init__(self, wordpress, fuzz):
+		if fuzz != False:
+			self.fuzzing_component_aggressive(wordpress)
+			self.fuzzing_themes_aggressive(wordpress)
+			self.fuzzing_plugins_aggressive(wordpress)
+			exit()
+
+
+	"""
+	name        : fuzzing_component_aggressive(self, wordpress)
+	description : fuzz every component used by the wordpress
+	"""
+	def fuzzing_component_aggressive(self, wordpress):
+		print notice("Enumerating components from aggressive fuzzing ...")
+
+		# Load json file
+		with open('fuzz/wordpress.fuzz') as data_file:
+			data = data_file.readlines()
+
+			# Run through every component
+			global iter_aggressive
+			iter_aggressive = 0
+			http_client = httpclient.AsyncHTTPClient()
+
+			for component in data:
+				component = component.strip()
+				iter_aggressive += 1
+				http_client.fetch(wordpress.url + component, aggressive_request_component, method='HEAD') == True
+			ioloop.IOLoop.instance().start()
+
+
+	"""
+	name        : fuzzing_themes_aggressive(self, wordpress)
+	description : fuzz every themes used by the wordpress
+	"""
+	def fuzzing_themes_aggressive(self, wordpress):
+		print notice("Enumerating themes from aggressive fuzzing ...")
+
+		# Load json file
+		with open('fuzz/wp_themes.fuzz') as data_file:
+			data = data_file.readlines()
+
+			# Run through every themes
+			global iter_aggressive
+			iter_aggressive = 0
+			http_client = httpclient.AsyncHTTPClient()
+
+			for theme in data:
+				theme = theme.strip()
+				iter_aggressive += 1
+				http_client.fetch(wordpress.url + theme + "style.css", aggressive_request_plugins, method='HEAD') == True
+			ioloop.IOLoop.instance().start()
+
+
+	"""
+	name        : fuzzing_plugins_aggressive(self, wordpress)
+	description : fuzz every plugins used by the wordpress
+	"""
+	def fuzzing_plugins_aggressive(self, wordpress):
+		print notice("Enumerating plugins from aggressive fuzzing ...")
+
+		# Load json file
+		with open('fuzz/wp_plugins.fuzz') as data_file:
+			data = data_file.readlines()
+
+			# Run through every plugin
+			global iter_aggressive
+			iter_aggressive = 0
+			http_client = httpclient.AsyncHTTPClient()
+			for plugin in data:
+				plugin = plugin.strip()
+				iter_aggressive += 1
+				http_client.fetch(wordpress.url + plugin, aggressive_request_plugins, method='HEAD') == True
+			ioloop.IOLoop.instance().start()
+
+
+def aggressive_request_plugins(response):
+	if (response.code) == 200:
+		display_vulnerable_component(response.effective_url.split('/')[-2], "Unknown", "plugins")
+
+	global iter_aggressive
+	iter_aggressive-= 1
+	if iter_aggressive == 0:
+		ioloop.IOLoop.instance().stop()
+
+def aggressive_request_themes(response):
+	if (response.code) == 200:
+		display_vulnerable_component(response.effective_url.split('/')[-2], "Unknown", "themes")
+
+	global iter_aggressive
+	iter_aggressive-= 1
+	if iter_aggressive == 0:
+		ioloop.IOLoop.instance().stop()
+
+def aggressive_request_component(response):
+	if (response.code) == 200:
+		if "reauth" in response.effective_url:
+			print "[i] Authentication Needed: " + response.effective_url+ " - found"
+		else:
+			print "[i] File: " + response.effective_url+ " - found"
+
+	global iter_aggressive
+	iter_aggressive-= 1
+	if iter_aggressive == 0:
+		ioloop.IOLoop.instance().stop()
--- a/engine/scan.py
+++ b/engine/scan.py
@ -10,7 +10,6 @@ from wordpress import *
 from lxml import etree
 from multiprocessing import Process, Pool

-# aggressive = fuzz
 class Scan_Engine:
 	def __init__(self, wordpress, aggressive):
 		self.fingerprint_wp_version(wordpress)
@ -199,7 +198,7 @@ class Scan_Engine:
 		print notice("Enumerating themes from aggressive detection ...")

 		# Load json file
-		with open('database/plugins.json') as data_file:
+		with open('database/themes.json') as data_file:
 			data = json.load(data_file)

 			# Run through every themes
@ -208,7 +207,7 @@ class Scan_Engine:
 			http_client = httpclient.AsyncHTTPClient()
 			for plugin in data.keys():
 				iter_aggressive += 1
-				http_client.fetch('http://localhost/wordpress/wp-content/themes/' + plugin, aggressive_request_plugins, method='HEAD') == True
+				http_client.fetch(wordpress.url+'/wp-content/themes/' + plugin, aggressive_request_themes, method='HEAD') == True
 			ioloop.IOLoop.instance().start()


@ -229,7 +228,7 @@ class Scan_Engine:
 			http_client = httpclient.AsyncHTTPClient()
 			for plugin in data.keys():
 				iter_aggressive += 1
-				http_client.fetch('http://localhost/wordpress/wp-content/plugins/' + plugin, aggressive_request_plugins, method='HEAD') == True
+				http_client.fetch(wordpress.url+'/wp-content/plugins/' + plugin, aggressive_request_plugins, method='HEAD') == True
 			ioloop.IOLoop.instance().start()


--- a/fuzz/wp_plugins.fuzz
+++ b/fuzz/wp_plugins.fuzz
@ -9221,6 +9221,7 @@ wp-content/plugins/simpletwitter-modified/
 wp-content/plugins/simpletwitter/
 wp-content/plugins/simpletwitterbox/
 wp-content/plugins/simply-exclude/
+wp-content/plugins/simply-poll/
 wp-content/plugins/simply-feed/
 wp-content/plugins/simply-picasaweb/
 wp-content/plugins/simply-rss-fetcher/
--- a/fuzz/wp_themes.fuzz
+++ b/fuzz/wp_themes.fuzz
@ -1,5 +1,6 @@
 themes/default
 themes/default/
+wp-content/themes/twentysixteen/
 wp-content/themes/08-rainbow-feather-v3-english-version/
 wp-content/themes/1-blog-theme/
 wp-content/themes/1024px/
--- a/main.py
+++ b/main.py
@ -6,6 +6,7 @@ from engine.core import *
 from engine.load_plugins import *
 from engine.wordpress import *
 from engine.scan import *
+from engine.fuzz import *

 if __name__ == "__main__":

@ -25,6 +26,7 @@ if __name__ == "__main__":
 	parser.add_argument('-u', action ='store', dest='url', help="Wordpress URL")
 	parser.add_argument('--update', action ='store_const', const='update', dest='update', help="Update the database")
 	parser.add_argument('--aggressive', action ='store_const', const='aggressive', dest='aggressive', default=False, help="Update the database")
+	parser.add_argument('--fuzz', action ='store_const', const='fuzz', dest='fuzz', default=False, help="Fuzz the files")
 	parser.add_argument('--random-agent', action ='store_const', const='random_agent', dest='random_agent', default=False, help="Random User-Agent")
 	results = parser.parse_args()

@ -37,7 +39,14 @@ if __name__ == "__main__":

 		# Build a new wordpress object
 		wp = Wordpress(results.url, results.random_agent)
+
+		# Launch fuzzing
+		Fuzz_Engine(wp, results.fuzz)
+
+		# Launch scans
 		Scan_Engine(wp, results.aggressive)
+
+		# Load plugins for more functions
 		Load_Plugins(wp)

 	else: