Random User-Agent added with 'random-agent' param

pull/4/head
Swissky 2017-03-05 16:58:15 +01:00
parent ec7dfaf558
commit fb2560f329
7 changed files with 40 additions and 18 deletions


@ -19,11 +19,12 @@ Install
```bash
git clone https://github.com/swisskyrepo/Wordpresscan.git
cd Wordpresscan
python main.py -u "http://localhost/wordpress" --update
python main.py -u "http://localhost/wordpress" --update --random-agent
-u : Url of the WordPress
--update : Update the wpscan database
--aggressive : Launch an aggressive version to scan for plugins/themes
--random-agent : Use a random user-agent for this session
```
## Output example from a test environment




@ -36,6 +36,7 @@ def display(msg):
"""
name : database_update()
description : download and update the database from wpscan website
warning : user-agents.txt and timthumbs.txt are zip files
"""
def database_update():
print "\033[93mUpdating database\033[92m - Last update: \033[0m" + database_last_date('database/local_vulnerable_files.xml')
@ -55,6 +56,8 @@ description : get the date of the last update through file modification date
return : string
"""
def database_last_date(filename):
if not os.path.isfile(filename):
return "Never"
(mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(filename)
return time.ctime(mtime)
@ -70,7 +73,7 @@ def download_raw_file(url, filename, verbosity):
source = requests.get( url, stream=True).raw
# Write the file
with open( filename, 'wb' ) as ddl_file:
with open( filename, 'wb+' ) as ddl_file:
progress = 0
while True:
length = 16*1024
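Review bot: In database_last_date the `os.path.isfile` guard (apparently the two lines this hunk adds) still leaves a window in which the `os.stat` on the next line can raise if the file disappears between the two calls, and the ten-element tuple unpack is brittle against platforms that return more fields. Wrapping the stat instead covers both: `try: mtime = os.stat(filename).st_mtime` / `except OSError: return "Never"` / `return time.ctime(mtime)`. In the last hunk, `'wb+'` opens the download target for reading as well as writing, which nothing in the visible loop needs; `'wb'` already creates and truncates, so the mode change looks unnecessary. download_raw_file's loop continues outside the hunk.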


@ -41,7 +41,7 @@ class Scan_Engine:
description : detect the version of WordPress based on the generator tag in index.php/feed/
"""
def fingerprint_wp_version_feed_based(self, wordpress):
r = requests.get(wordpress.url + "index.php/feed").text
r = requests.get(wordpress.url + "index.php/feed", headers={"User-Agent":wordpress.agent}).text
regex = re.compile('generator>https://wordpress.org/\?v=(.*?)<\/generator')
match = regex.findall(r)
if match != []:
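Review bot: The new request line passes no `timeout=`, so one unresponsive host blocks fingerprint_wp_version_feed_based — and every other request touched by this commit — indefinitely; `requests.get(wordpress.url + "index.php/feed", headers={"User-Agent": wordpress.agent}, timeout=10).text` bounds it. The same `headers={"User-Agent": ...}` dictionary is now spelled out at every call site here and throughout wordpress.py (is_wordpress, is_up_and_installed, is_readme, is_debug_log, is_backup_file, is_xml_rpc, the directory-listing check, is_robots_text, full_path_disclosure, enum_wordpress_users); a single `requests.Session` created in Wordpress.__init__ with `session.headers["User-Agent"] = self.agent` and used by all of them would keep the header, a timeout and any later TLS or proxy setting in one place. The rest of this method lies outside the hunk.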


@ -11,10 +11,13 @@ class Wordpress:
plugins = {}
themes = {}
index = None
agent = False
def __init__(self, url):
def __init__(self, url, user_agent):
print info("URL: %s" % url)
self.url = url
self.agent = user_agent
self.random_agent()
self.clean_url()
self.is_up_and_installed()
self.is_wordpress()
@ -36,12 +39,24 @@ class Wordpress:
if self.url[-1] != '/':
self.url = self.url + '/'
"""
name : random_agent()
description : give a random user agent
todo : user-agent.txt -> unzip -> random line
"""
def random_agent(self):
if self.agent != "random_agent":
self.agent = "Wordpresscan - For educational purpose only !"
else:
self.agent = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
"""
name : is_wordpress()
description : detect a WordPress instance
"""
def is_wordpress(self):
self.index = requests.get(self.url)
self.index = requests.get(self.url, headers={"User-Agent":self.agent})
if not "wp-" in self.index.text:
print critical("Not a WordPress !")
exit()
@ -52,7 +67,7 @@ class Wordpress:
"""
def is_up_and_installed(self):
try:
r = requests.get(self.url, allow_redirects=False)
r = requests.get(self.url, allow_redirects=False, headers={"User-Agent":self.agent} )
if 'location' in r.headers:
@ -73,6 +88,7 @@ class Wordpress:
exit()
except Exception as e:
print e
print critical("Website down!")
exit()
@ -82,7 +98,7 @@ class Wordpress:
description : get the readme file and extract the version is there is any
"""
def is_readme(self):
r = requests.get(self.url + 'readme.html')
r = requests.get(self.url + 'readme.html', headers={"User-Agent":self.agent})
if "200" in str(r):
@ -100,7 +116,7 @@ class Wordpress:
description : determine if there is a debug.log file
"""
def is_debug_log(self):
r = requests.get(self.url + 'debug.log')
r = requests.get(self.url + 'debug.log', headers={"User-Agent":self.agent})
if "200" in str(r) and not "404" in r.text :
print critical( "Debug log file found: %s" % (self.url + 'debug.log') )
@ -112,7 +128,7 @@ class Wordpress:
def is_backup_file(self):
backup = ['wp-config.php~', 'wp-config.php.save', '.wp-config.php.swp', 'wp-config.php.swp', '.wp-config.php.swp', 'wp-config.php.swp', 'wp-config.php.swo', 'wp-config.php_bak', 'wp-config.bak', 'wp-config.php.bak', 'wp-config.save', 'wp-config.old', 'wp-config.php.old', 'wp-config.php.orig', 'wp-config.orig', 'wp-config.php.original', 'wp-config.original', 'wp-config.txt']
for b in backup:
r = requests.get(self.url + b)
r = requests.get(self.url + b, headers={"User-Agent":self.agent})
if "200" in str(r) and not "404" in r.text :
print critical("A wp-config.php backup file has been found in: %s" % (self.url + b) )
@ -122,7 +138,7 @@ class Wordpress:
description : determine if there is an xml rpc interface
"""
def is_xml_rpc(self):
r = requests.get(self.url + "xmlrpc.php")
r = requests.get(self.url + "xmlrpc.php", headers={"User-Agent":self.agent})
if "200" in str(r) and "404" in r.text :
print info("XML-RPC Interface available under: %s " % (self.url+"xmlrpc.php") )
@ -136,7 +152,7 @@ class Wordpress:
dir_name = ["Uploads", "Includes"]
for directory, name in zip(directories,dir_name):
r = requests.get(self.url + directory)
r = requests.get(self.url + directory, headers={"User-Agent":self.agent})
if "Index of" in r.text:
print warning("%s directory has directory listing enabled : %s" % (name, self.url + directory))
@ -146,7 +162,7 @@ class Wordpress:
description : detect if a robots.txt file
"""
def is_robots_text(self):
r = requests.get(self.url + "robots.txt")
r = requests.get(self.url + "robots.txt", headers={"User-Agent":self.agent})
if "200" in str(r) and not "404" in r.text :
print info("robots.txt available under: %s " % (self.url+"robots.txt") )
lines = r.text.split('\n')
@ -160,7 +176,7 @@ class Wordpress:
description : detect a full path disclosure
"""
def full_path_disclosure(self):
r = requests.get(self.url + "wp-includes/rss-functions.php").text
r = requests.get(self.url + "wp-includes/rss-functions.php", headers={"User-Agent":self.agent}).text
regex = re.compile("Fatal error:.*? in (.*?) on", re.S)
matches = regex.findall(r)
@ -173,7 +189,7 @@ class Wordpress:
description : enumerate every users of the wordpress
"""
def enum_wordpress_users(self):
r = requests.get(self.url + "wp-json/wp/v2/users" )
r = requests.get(self.url + "wp-json/wp/v2/users", headers={"User-Agent":self.agent} )
if "200" in str(r):
print notice("Enumerating Wordpress users")
@ -192,4 +208,5 @@ class Wordpress:
print "Version : %s" % self.version
print "Plugins : %s" % self.plugins
print "Themes : %s" % self.themes
print "Agent : %s" % self.agent
print "---------------------------"
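Review bot: random_agent(), the new method in the second hunk, does not deliver what its name and docstring promise: when the flag is set it assigns one fixed browser string rather than anything random, and the value it tests, `self.agent`, is at that moment the argparse constant `'random_agent'` (or False) stored by `__init__`, so a command-line flag and a User-Agent string share one field and the check depends on a magic string defined in main.py. Keeping the flag separate — e.g. `__init__(self, url, user_agent)` storing `self.use_random_agent = bool(user_agent)` and `random_agent()` testing that — removes the string comparison, and until the user-agents.txt the todo mentions is actually read, the method deserves a comment such as `# NOTE: not random yet - one fixed UA is used until user-agents.txt is loaded` so callers do not assume per-session variation. The class attribute `agent = False` added at the top also changes type to str after construction; a `None` default with a comment `# set by random_agent() during __init__` would read more honestly. The remaining hunks of this section only thread the header through each request and raise no separate point.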


@ -25,6 +25,7 @@ if __name__ == "__main__":
parser.add_argument('-u', action ='store', dest='url', help="Wordpress URL")
parser.add_argument('--update', action ='store_const', const='update', dest='update', help="Update the database")
parser.add_argument('--aggressive', action ='store_const', const='aggressive', dest='aggressive', default=False, help="Update the database")
parser.add_argument('--random-agent', action ='store_const', const='random_agent', dest='random_agent', default=False, help="Random User-Agent")
results = parser.parse_args()
# Check wordpress url
@ -35,7 +36,7 @@ if __name__ == "__main__":
database_update()
# Build a new wordpress object
wp = Wordpress(results.url)
wp = Wordpress(results.url, results.random_agent)
Scan_Engine(wp, results.aggressive)
else:
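Review bot: `--random-agent` is a boolean switch, so `action='store_true'` expresses it directly; the `store_const`/`const='random_agent'` form added here yields a magic string that Wordpress.random_agent then has to compare against by value. `parser.add_argument('--random-agent', action='store_true', dest='random_agent', help="Use a random User-Agent for this session")` keeps `results.random_agent` a plain bool and matches the README wording. As a side note, the unchanged `--aggressive` line directly above it still carries the copy-pasted help text "Update the database". The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.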