Yes, I don't see why not. Should be easy enough to implement. You mentioned during our email conversation that wordpress echoes its version number in the page head. I managed to find an example of it. You're right, I do have a security plugin installed which must have removed it from my blog.
Here is an example:

<meta name="generator" content="WordPress 2.7.1" />

2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
> Ryan,
>
> On Wed, May 27, 2009 at 10:18 PM, Andres Riancho
> <andres.rian...@gmail.com> wrote:
>> Ryan,
>>
>> On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst <ryandewhu...@gmail.com>
>> wrote:
>>> Hello,
>>> I'm new to mailing lists so I'm not sure if this will be sent there.
>>
>> It depends on the mailing list. This one is configured to accept attachments,
>>
>>> I'll have a look into integrating the script into w3af over the next
>>> couple of days and hopefully have a working version by the weekend.
>>
>> Excellent, if you need ANY help, just let us know.
>>
>>> The script is quite simple once you have gathered the necessary
>>> data. I went through versions 2.2 to 2.7.1 and manually found client
>>> side differences in most of them, I also used the official changelogs
>>> to help identify them.
>>
>> Ohhh, you are the guy that wrote that blog post with the "diffs" of
>> different wordpress release packages?
>>
>>> The client side differences are in files such as CSS, javascript and
>>> HTML. Some versions did not have any differences apart from having
>>> extra files, which can easily be identified with HTTP response codes.
>>>
>>> It works as such...
>>>
>>> Starting from version 2.7.1 (latest), the script tries to find
>>> something that 2.7 doesn't have, if it finds that something then the
>>> script stops and echoes the version number.
>>>
>>> If the script doesn't find the difference it moves onto identifying the
>>> next version, i.e. does 2.7 have something the earlier version doesn't
>>> have, and so on and so forth.
>>
>> Ok, makes sense.
>>
>> Some comments regarding your code:
>>
>> - w3af uses PEP-8, which among other things says 4-spaces for
>> indentations. Your code has 1-space (?) indentations. Please correct
>> that.
>>
>> - The code is pretty simple, but I think it could be done in a better
>> way. Having that many functions (wp22 to wp271) doesn't seem to be a
>> good option. Do you think that the code could be changed a little bit,
>> and create a database (which can be easily updated) and then use that
>> database to store the information? Example of the database
>>
>> self._wp_fingerprint = [
>>     ('/wp-includes/js/thickbox/thickbox.css', '-ms-filter:'),
>>     ('/wp-admin/css/farbtastic.css', 'farbtastic'),
>> ]
>>
>> - Also, by default wordpress publishes the version number in every
>> page head. Maybe it would be a good idea to parse that, and compare it
>> with the result of the fingerprinting. What do you think?
>
> A good idea would be to have a first step, before all the version
> specific checks, that verifies something that's true for all wordpress
> installations (some X file has to be present) before even starting the
> fingerprinting. Could this be done?
>
>> Cheers,
>>
>>> Ryan
>>>
>>>
>>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>>> Ryan,
>>>>
>>>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst <ryandewhu...@gmail.com>
>>>> wrote:
>>>>> Hello,
>>>>> I have developed a python script that can detect the version of a
>>>>> wordpress installation. I think it would fit well within w3af,
>>>>
>>>> Yes, it seems that it's something good to have in the framework.
>>>>
>>>> I have like a ton of questions about how it works, could you please
>>>> send the script (as it is) to this mailing list for us to read it?
>>>>
>>>>> the
>>>>> only problem being is that I have been unable to find a plugin
>>>>> development manual to be able to implement my script.
>>>>
>>>> There is no development manual :(
>>>>
>>>> For the type of feature that you want to add, the correct thing is to
>>>> use a discovery plugin. Discovery plugins are simple, they follow
>>>> these rules:
>>>>
>>>> - the entry point is the discover method
>>>>
>>>> - the discover method takes a fuzzable request object as a parameter,
>>>> and returns a list of fuzzable requests
>>>> (fuzzable requests are representations of GET/POST requests, which
>>>> represent links, and forms)
>>>>
>>>> - the discover method is called several times in the same scan, with
>>>> the different links that (for example) the webSpider finds.
>>>>
>>>> I think that the best thing you can do is to read one or two discovery
>>>> plugins (my recommendations are discovery.crossDomain and
>>>> discovery.userDir), and start building your own plugin based on one of
>>>> those.
>>>>
>>>>> Is there a dev manual out there?
>>>>
>>>> No
>>>>
>>>>> Does anyone have some tips/advice on writing a plugin?
>>>>
>>>> Yes, see above,
>>>>
>>>>> Does anyone want me to send them the script for them to develop the
>>>>> plugin?
>>>>
>>>> You should develop the plugin yourself, it's fun and good for the project =)
>>>>
>>>> Cheers,
>>>>
>>>>> Thank you,
>>>>> Ryan
>>>>>
>>>>> _______________________________________________
>>>>> W3af-develop mailing list
>>>>> W3af-develop@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Founder, Bonsai - Information Security
>>>> http://www.bonsai-sec.com/
>>>> http://w3af.sf.net/
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
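
The three ideas raised in this thread (a data-driven fingerprint table walked newest-first, a baseline check before fingerprinting, and a cross-check against the generator meta tag), as an added example that is not code from the thread or from w3af. The version labels, the baseline path, the function names and the sample site are assumptions constructed for illustration; it shows that static-file differences can still reveal a version after a plugin has stripped the generator tag.

```python
import re

# Newest-first (version, path, marker) table. The two path/marker pairs are the
# ones quoted in the thread; the version labels are constructed placeholders.
WP_FINGERPRINTS = [
    ("2.7.1", "/wp-includes/js/thickbox/thickbox.css", "-ms-filter:"),
    ("2.7", "/wp-admin/css/farbtastic.css", "farbtastic"),
]
BASELINE_PATH = "/wp-login.php"  # assumption: present on every install (pre-check)
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)

def generator_version(html):
    """Return the version advertised in the generator meta tag, or None."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

def fingerprint_version(fetch):
    """Walk the table newest-first; the first marker found decides the version."""
    for version, path, marker in WP_FINGERPRINTS:
        status, body = fetch(path)
        if status == 200 and marker in body:
            return version
    return None

def identify(fetch):
    """Baseline check first, then compare generator tag and file fingerprint."""
    if fetch(BASELINE_PATH)[0] != 200:
        return {"wordpress": False, "generator": None,
                "fingerprint": None, "agree": None}
    gen = generator_version(fetch("/")[1])
    fp = fingerprint_version(fetch)
    agree = None if None in (gen, fp) else gen == fp
    return {"wordpress": True, "generator": gen, "fingerprint": fp, "agree": agree}

def make_fetch(pages):
    """Offline stand-in for an HTTP client: maps path -> (status, body)."""
    return lambda path: pages.get(path, (404, ""))

# Constructed sample site: a plugin has removed the generator tag from the head.
HARDENED = make_fetch({
    "/": (200, "<html><head><title>blog</title></head></html>"),
    "/wp-login.php": (200, "login"),
    "/wp-admin/css/farbtastic.css": (200, ".farbtastic { position: relative; }"),
})

if __name__ == "__main__":
    print(identify(HARDENED))
```

An "agree" value of False means the advertised and fingerprinted versions differ, which is worth reporting separately from either value alone.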