Passive enumeration of theme and plugin + vulns

engine/core.py

@@ -14,10 +14,10 @@ def ask(msg):
   return "\033[1m[?] " + msg + "\033[0m"
 
 def notice(msg):
-  return "\033[1m[i] " + msg + "\033[0m"
+  return "\n\033[1m[i] " + msg + "\033[0m"
 
 def critical(msg):
-  return "\033[91m[!] " + msg + "\033[0m"
+  return "\n\033[91m[!] " + msg + "\033[0m"
 
 def warning(msg):
   return "\033[93m[i] " + msg + "\033[0m"
@@ -25,6 +25,12 @@ def warning(msg):
 def info(msg):
   return "\033[0m[+] " + msg + "\033[0m"
 
+def vulnerable(msg):
+  return "\033[91m[!]" + msg + "\033[0m"
+
+def display(msg):
+  return "\033[0m | " + msg + "\033[0m"
+
 
 """
 name        : database_update()
@@ -124,7 +130,7 @@ name        : is_lower(str_one, str_two)
 description : will compare two string version
 return      : boolean
 """ 
-def is_lower(str_one, str_two):
+def is_lower(str_one, str_two, equal):
   sum_one = 0
   sum_two = 0
 
@@ -147,4 +153,7 @@ def is_lower(str_one, str_two):
   if sum_one < sum_two:
     return True
 
+  if equal and sum_one == sum_two:
+    return True
+
   return False

engine/scan.py

@@ -14,6 +14,8 @@ class Scan_Engine:
 	def __init__(self, wordpress):
 		self.fingerprint_wp_version(wordpress)
 		self.list_wp_version_vulnerabilities(wordpress, "wordpresses")
+		self.enumerating_themes_passive(wordpress)
+		self.enumerating_plugins_passive(wordpress)
 
 	"""
 	name        : fingerprint_wp_version(wordpress)
@@ -26,7 +28,7 @@ class Scan_Engine:
 		
 		if match != []:
 			wordpress.version = match[0]
-			print info("WordPress version %s identified from advanced fingerprinting" % wordpress.version)
+			print critical("WordPress version %s identified from advanced fingerprinting" % wordpress.version)
 			return
 
 		# Hash based
@@ -54,7 +56,7 @@ class Scan_Engine:
 					# Detect the version
 					if ddl_hash == root[i][j].get('md5'): 
 						wordpress.version =  root[i][j][0].text
-						print info("WordPress version %s identified from advanced fingerprinting" % wordpress.version)
+						print critical("WordPress version %s identified from advanced fingerprinting" % wordpress.version)
 						return
 					
 
@@ -72,7 +74,7 @@ class Scan_Engine:
 		if data[wordpress.version]["vulnerabilities"] == []:
 			versions = data.keys()
 			for v in versions:
-				if v[:4] in wordpress.version and is_lower(wordpress.version, v):
+				if v[:4] in wordpress.version and is_lower(wordpress.version, v, False):
 					version = v
 
 		# Best accurate result
@@ -92,4 +94,92 @@ class Scan_Engine:
 					else:
 						print "\t\t - %s" %ref
 
-			print ""
+			print ""
+
+
+	"""
+	name        : display_vulnerable_component(self, name, version):
+	description : display info about vulnerability from the file
+	"""
+	def display_vulnerable_component(self, name, version, file):
+		# Load json file
+		with open('database/' + file + '.json') as data_file:
+			data = json.load(data_file)
+		
+		print warning("Name: %s - v%s" % (name, version))
+		if name in data.keys():
+
+			# Display the out of date info if the version is lower of the latest version
+			if is_lower(version, data[name]['latest_version'], False):	
+				print info("The version is out of date, the latest version is %s" % data[name]['latest_version'])			
+			
+			# Display the vulnerability if it's not patched version
+			for vuln in data[name]['vulnerabilities']:
+				if 'fixed_in' in vuln.keys() and (vuln['fixed_in'] == None or is_lower(version, vuln['fixed_in'], True)):
+
+					# Main informations
+					print "\t",vulnerable("%s : %s - ID:%s" % (vuln['vuln_type'], vuln['title'] , vuln['id']) )
+					print "\t",display("Fixed in %s"% vuln['fixed_in']) 
+
+					# Display references
+					print "\t",display("References:")
+					for refkey in vuln['references'].keys():
+						for ref in vuln['references'][refkey]:							
+							if refkey != 'url':
+								print "\t\t - %s %s" % (refkey.capitalize(), ref)
+							else:
+								print "\t\t - %s" %ref
+
+
+	"""
+	name        : enumerating_themes_passive(self, wordpress)
+	description : enumerate every theme used by the wordpress
+	"""
+	def enumerating_themes_passive(self, wordpress):
+		print notice("Enumerating themes from passive detection ...")
+		r = requests.get(wordpress.url).text
+	
+		# Theme name (css file)
+		regex = re.compile('wp-content/themes/(.*?)/.*?[css|js].*?ver=([0-9\.]*)') #.replace('min','')
+		match = regex.findall(r)
+		theme = {}
+
+		# Unique theme
+		for m in match:
+			
+			# Remove minified and github version
+			theme_name = m[0]
+			theme_name = theme_name.replace('-master','')
+			theme_name = theme_name.replace('.min','')
+			theme_version = m[1]
+
+			if m[0] not in theme.keys():
+				theme[m[0]] = m[1]
+				self.display_vulnerable_component(theme_name, theme_version, "themes")
+
+		
+	"""
+	name        : enumerating_plugins_passive(self, wordpress)
+	description : enumerate every plugins used by the wordpress
+	"""
+	def enumerating_plugins_passive(self, wordpress):
+		print notice("Enumerating plugins from passive detection ...")
+		r = requests.get(wordpress.url).text
+
+		# Plugin name (js file)
+		regex = re.compile('wp-content/plugins/(.*?)/.*?[css|js].*?ver=([0-9\.]*)') #.replace('min','')
+		match = regex.findall(r)
+		plugin = {}
+
+		# Unique plugin
+		for m in match:
+
+			# Remove minified and github version
+			plugin_name = m[0]
+			plugin_name = plugin_name.replace('-master','')
+			plugin_name = plugin_name.replace('.min','')
+			plugin_version = m[1]
+
+			if plugin_name not in plugin.keys():
+				plugin[plugin_name] = m[1]
+				self.display_vulnerable_component(plugin_name, plugin_version, "plugins")

engine/wordpress.py

@@ -13,7 +13,7 @@ class Wordpress:
 	robots  = False
 
 	def __init__(self, url):
-		print info("URL: %s \n" % url)
+		print info("URL: %s" % url)
 		self.url = url
 		self.clean_url()
 		self.is_up_and_installed()

main.py

@@ -36,7 +36,6 @@ if __name__ == "__main__":
 		# Build a new wordpress object
 		wp = Wordpress(results.url)
 		Scan_Engine(wp)
-		wp.to_string()
 
 	else:
 		parser.print_help()