Re: [W3af-develop] Wordpress version discovery plugin
Sorry, I left some debug code in the last one and forgot to change some variables. 2009/6/8 Ryan Dewhurst ryandewhu...@gmail.com: 2009/6/7 Andres Riancho andres.rian...@gmail.com: Ryan, On Sun, Jun 7, 2009 at 12:31 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: Here is the final version. (I hope) I just tried your plugin with http://www.bonsai-sec.com/blog/ as a target, and it's failing to find anything. I think that the problem is in: base_url = urlParser.baseUrl( fuzzableRequest.getURL() ) wp_unique_url = urlParser.urlJoin( base_url , '/wp-login.php' ) Which will always return http://host.tld/wp-login.php , no matter what the fuzzableRequest.getURL() was: in my case it was http://www.bonsai-sec.com/blog/ . Fixed this with: wp_unique_url = fuzzableRequest.getURL() + '/wp-login.php' response = self._urlOpener.GET( wp_unique_url, useCache=True ) And also on the way that self._exec is ALWAYS set to false. I think that self._exec should be set to false only after actually finding a wordpress installation and fingerprinting it. Implemented this. Please test the plugin a little more with different wordpress installs, and then let us know how it worked out =) Tested on about 5 different installations so far, all working. PS: Please use inline for answering emails, top posting sucks. Sorry, always forget about this, lol. Any other changes/feedback let me know. Attached is the latest version. :) 2009/6/7 Ryan Dewhurst ryandewhu...@gmail.com: Found a bug that I am working on now. 2009/6/7 Ryan Dewhurst ryandewhu...@gmail.com: w00t w00t! All tested and working! Thanks to everyone for their help especially Andres for putting up with my noobness. I will look into implementing the vulns for each version and then eventually a wp plugin version finder. Feedback and suggestions welcome! :-) 2009/6/7 Andres Riancho andres.rian...@gmail.com: Ryan, On Sat, Jun 6, 2009 at 10:20 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: I decided to move over to my Linux box for the development of the plugin. One of the reasons I could not get the plugin to run through w3af was that the plugin file name was not the same as the class name. Ok, makes sense, It now runs through w3af with out any errors. The only thing is that the info output is not showing in kb. Are you saving it to the kb? Im using this which I found in another plugin: # Save it to the kb! i = info.info() i.setName('WordPress version') i.setURL( wp_index_url ) i.setId( http_response.id ) i.setDesc( 'WordPress version '+ self._version +' found in the index header.' ) kb.kb.append( self, 'WordPress version', i ) om.out.information( i.getDesc() ) That seems to be enough to save the version to the kb, Attached is the latest version. I applied some minor changes: - Changed the name of the plugin to wordpress_plugin, because wpvChecker is cryptic to users. - The code has some serious errors, that are possibly the reason you don't see anything: ...@brick:~/w3af/w3af/trunk$ pylint --rcfile=../extras/misc/pylint.rc /tmp/wordpress_version.py -e * Module wordpress_version E: 98:wordpress_version.discover: Undefined variable 're' E:109:wordpress_version.discover: Undefined variable 'http_response' E:150:wordpress_version.discover: Undefined variable 'http_response' Have you tested the plugin? Do you get a big traceback when running it? - This line in the fingerprint DB: ('/wp-admin/async-upload.php','200','2.5'), Doesn't match this line: if self._wp_fingerprint[1] == 200 and not is_404(response): '200' and 200 aren't equal in python: '200' == 200 False You should change your database to 200, instead of '200' where necessary. - One more detail, is that it would be nice to compare the version in the HTML header, with the fingerprinted version, and report if they differ. You're on the right path, I think that with these recommendations you'll be able to complete the development of your first w3af plugin =) PS: You should answer inline. Ryan 2009/6/6 Andres Riancho andres.rian...@gmail.com: Ryan, On Sat, Jun 6, 2009 at 6:22 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: Also delete the .pyc file, and no reinstall is needed. There was none. Yes, many. You are missing some required methods, like setOptions, getOptions, getLongDescription, etc. Please see other plugins for a complete list, They are already in the code: # W3af options and output def getOptions( self ): ''' �...@return: A list of option objects for this plugin. ''' ol = optionList() return ol def setOptions( self, OptionList ): ''' This method sets all the options that are configured using the user interface generated by the framework using the result of
Re: [W3af-develop] NTLM Authentication
m0ses, On Mon, Jun 8, 2009 at 10:24 AM, mOsestrklis...@networksamurai.org wrote: Andres and all members of the dev list, I was able to find a project took the original NTLMAPS and ported it to use urllib2. Excellent!! I was searching for that a long time ago, and failed! Thanks!! Could you please send us the link of the project? It comes with 2 types of python files, one compatible with 2.6 and one with 3.0. I am a novice at coding really so I looked very closely at the code and the way they implemented the authentication. It seems to be very similary to the specification. I then extracted the file into the following path: w3af/core/data/url. The correct path for new handlers would be w3af/core/data/url/handlers And you should use the 2.6 version. I want to reference this in some type of global manner, but there is not documentation on the development of this (yet). Where I was having a little trouble was looking for where the original basicAuthentication areas where this was defined (i.e. which .py file). To add a new handler, you'll need to copy it to the above location, and then reference it in core/data/url/urlOpenerSettings.py, examples on how to do this are the basicAuthentication handler. Don't hesitate to ask any questions here, I'm sure that someone will answer them =) Cheers, M. -- OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Wordpress version discovery plugin
2009/6/8 Andres Riancho andres.rian...@gmail.com: Ryan, On Mon, Jun 8, 2009 at 10:18 AM, Ryan Dewhurstryandewhu...@gmail.com wrote: 2009/6/7 Andres Riancho andres.rian...@gmail.com: Ryan, On Sun, Jun 7, 2009 at 12:31 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: Here is the final version. (I hope) I just tried your plugin with http://www.bonsai-sec.com/blog/ as a target, and it's failing to find anything. I think that the problem is in: base_url = urlParser.baseUrl( fuzzableRequest.getURL() ) wp_unique_url = urlParser.urlJoin( base_url , '/wp-login.php' ) Which will always return http://host.tld/wp-login.php , no matter what the fuzzableRequest.getURL() was: in my case it was http://www.bonsai-sec.com/blog/ . Fixed this with: wp_unique_url = fuzzableRequest.getURL() + '/wp-login.php' response = self._urlOpener.GET( wp_unique_url, useCache=True ) If the URL is http://www.bonsai-sec.com/blog/ and you perform that, you end up with http://www.bonsai-sec.com/blog//wp-login.php , which is not what you want. I think that the solution was this one: base_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) wp_unique_url = urlParser.urlJoin( base_url , 'wp-login.php' ) But I'm not sure, you should test it. I tried this yesterday and had no luck however I will give it another go as I did not spend too much time on it. And also on the way that self._exec is ALWAYS set to false. I think that self._exec should be set to false only after actually finding a wordpress installation and fingerprinting it. Implemented this. Cool, Please test the plugin a little more with different wordpress installs, and then let us know how it worked out =) Tested on about 5 different installations so far, all working. Cool, PS: Please use inline for answering emails, top posting sucks. Sorry, always forget about this, lol. Any other changes/feedback let me know. Attached is the latest version. :) I think we're almost ready to put it in the trunk, what do you think? Yup! :-) As soon as I have fixed the URL issue I dont see why not. One thing I would like you to look at is the output, is it accurately worded to the w3af style? Does it have too little or too much output? 2009/6/7 Ryan Dewhurst ryandewhu...@gmail.com: Found a bug that I am working on now. 2009/6/7 Ryan Dewhurst ryandewhu...@gmail.com: w00t w00t! All tested and working! Thanks to everyone for their help especially Andres for putting up with my noobness. I will look into implementing the vulns for each version and then eventually a wp plugin version finder. Feedback and suggestions welcome! :-) 2009/6/7 Andres Riancho andres.rian...@gmail.com: Ryan, On Sat, Jun 6, 2009 at 10:20 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: I decided to move over to my Linux box for the development of the plugin. One of the reasons I could not get the plugin to run through w3af was that the plugin file name was not the same as the class name. Ok, makes sense, It now runs through w3af with out any errors. The only thing is that the info output is not showing in kb. Are you saving it to the kb? Im using this which I found in another plugin: # Save it to the kb! i = info.info() i.setName('WordPress version') i.setURL( wp_index_url ) i.setId( http_response.id ) i.setDesc( 'WordPress version '+ self._version +' found in the index header.' ) kb.kb.append( self, 'WordPress version', i ) om.out.information( i.getDesc() ) That seems to be enough to save the version to the kb, Attached is the latest version. I applied some minor changes: - Changed the name of the plugin to wordpress_plugin, because wpvChecker is cryptic to users. - The code has some serious errors, that are possibly the reason you don't see anything: ...@brick:~/w3af/w3af/trunk$ pylint --rcfile=../extras/misc/pylint.rc /tmp/wordpress_version.py -e * Module wordpress_version E: 98:wordpress_version.discover: Undefined variable 're' E:109:wordpress_version.discover: Undefined variable 'http_response' E:150:wordpress_version.discover: Undefined variable 'http_response' Have you tested the plugin? Do you get a big traceback when running it? - This line in the fingerprint DB: ('/wp-admin/async-upload.php','200','2.5'), Doesn't match this line: if self._wp_fingerprint[1] == 200 and not is_404(response): '200' and 200 aren't equal in python: '200' == 200 False You should change your database to 200, instead of '200' where necessary. - One more detail, is that it would be nice to compare the version in the HTML header, with the fingerprinted version, and report if they differ. You're on the right path, I think that with these recommendations you'll be able to complete the development of your first w3af plugin =) PS: You
[W3af-develop] Enhancements to wordpress_fingerprint.py
Ryan, First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just commited it [0] to the trunk with a couple of changes (please review those changes, they are important). On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that? Also related, I just twitted about this [1] [0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup [1] http://twitter.com/w3af Cheers, -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] NTLM Authentication
Andres, On Jun 8, 2009, at 10:42 AM, Andres Riancho wrote: m0ses, On Mon, Jun 8, 2009 at 10:24 AM, mOsestrklis...@networksamurai.org wrote: Andres and all members of the dev list, I was able to find a project took the original NTLMAPS and ported it to use urllib2. Excellent!! I was searching for that a long time ago, and failed! Thanks!! Could you please send us the link of the project? this is the link I found: http://code.google.com/p/python-ntlm/ It comes with 2 types of python files, one compatible with 2.6 and one with 3.0. I am a novice at coding really so I looked very closely at the code and the way they implemented the authentication. It seems to be very similary to the specification. I then extracted the file into the following path: w3af/core/data/url. The correct path for new handlers would be w3af/core/data/url/ handlers And you should use the 2.6 version. I want to reference this in some type of global manner, but there is not documentation on the development of this (yet). Where I was having a little trouble was looking for where the original basicAuthentication areas where this was defined (i.e. which .py file). To add a new handler, you'll need to copy it to the above location, and then reference it in core/data/url/urlOpenerSettings.py, examples on how to do this are the basicAuthentication handler. Don't hesitate to ask any questions here, I'm sure that someone will answer them =) Cheers, Ok I am going to work on this today and hopefully have a skeleton of the code running soon! Thanks, I was hoping to find a way to contribute, the project is awesome! Moses Hernandez http://soon.ibreakapps.com M. -- OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
Guys, Sorry for getting into the middle of this thread without knocking... Inline since I hate bottom posting :) Il giorno lun, 08/06/2009 alle 12.05 -0300, Andres Riancho ha scritto: Ryan, First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just commited it [0] to the trunk with a couple of changes (please review those changes, they are important). On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that? I know is a bit out of scope with the actual implementation of the wordpress_fingerprint plugin, but I just finished reading this interesting post: Web App Version detection using fingerprinting http://sucuri.net/?page=docstitle=webapp-version-detection in particular: 2- Wordpress Version Detection 3- Wordpress version fingerprinting - Comparing files which I think is on topic at least to some extent. It should not be too difficult to add a txt file and check for the existence of those files to get a double check confirmation of the WP version. Also related, I just twitted about this [1] [0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup [1] http://twitter.com/w3af Cheers, Cheers, -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
Ryan, On Mon, Jun 8, 2009 at 12:36 PM, Stefano Di Paolawi...@wisec.it wrote: Guys, Sorry for getting into the middle of this thread without knocking... hehehe Inline since I hate bottom posting :) ok, Il giorno lun, 08/06/2009 alle 12.05 -0300, Andres Riancho ha scritto: Ryan, First of all, I would like to congratulate you for a job well done. The wordpress_fingerprint plugin is now part of w3af. I just commited it [0] to the trunk with a couple of changes (please review those changes, they are important). On the other hand, we still need to work a little more on this plugin. One of the features that I think should be implemented is the comparison between the fingerprinted version, and the version that's retrieved with the regular expression, could you do that? I know is a bit out of scope with the actual implementation of the wordpress_fingerprint plugin, but I just finished reading this interesting post: Web App Version detection using fingerprinting http://sucuri.net/?page=docstitle=webapp-version-detection in particular: 2- Wordpress Version Detection 3- Wordpress version fingerprinting - Comparing files Ahhh! This is the blog post that I was talking about with Ryan! I failed to find it after reading it a couple of weeks ago! Thanks Stefano! which I think is on topic at least to some extent. It should not be too difficult to add a txt file and check for the existence of those files to get a double check confirmation of the WP version. I think that we could add this information to the plugin fingerprint database pretty easily. Thanks! Cheers, Also related, I just twitted about this [1] [0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/discovery/wordpress_fingerprint.py?view=markup [1] http://twitter.com/w3af Cheers, Cheers, -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
I have implemented the re and data checker, to compare them both and output as appropriate. Seems to be working however in KB the request/response windows are incorrect. Ryan ''' wordpress_fingerprint.py Copyright 2006 Andres Riancho This file is part of w3af, w3af.sourceforge.net . w3af is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License. w3af is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with w3af; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ''' import core.controllers.outputManager as om # Import options import re from core.data.options.option import option from core.data.options.optionList import optionList from core.controllers.basePlugin.baseDiscoveryPlugin import baseDiscoveryPlugin import core.data.kb.knowledgeBase as kb import core.data.kb.vuln as vuln import core.data.kb.info as info import core.data.constants.severity as severity import core.data.parsers.urlParser as urlParser from core.controllers.w3afException import w3afException, w3afRunOnce # Main class class wordpress_fingerprint(baseDiscoveryPlugin): ''' Finds the version of a WordPress installation. @author: Ryan Dewhurst ( ryandewhu...@gmail.com ) www.ethicalhack3r.co.uk ''' def __init__(self): baseDiscoveryPlugin.__init__(self) # Internal variables self._exec = True self._data_version = 'None' self._re_version = 'None' def discover(self, fuzzableRequest ): ''' Finds the version of a WordPress installation. @parameter fuzzableRequest: A fuzzableRequest instance that contains (among other things) the URL to test. ''' dirs = [] if not self._exec : # This will remove the plugin from the discovery plugins to be runned. raise w3afRunOnce() else: # ## Check if the server is running wp ## # # 404 error messages is_404 = kb.kb.getData( 'error404page', '404' ) self._fuzzableRequests = [] # Main scan URL passed from w3af + unique wp file wp_unique_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) + '/wp-login.php' response = self._urlOpener.GET( wp_unique_url, useCache=True ) # If wp_unique_url is not 404, wordpress = true if not is_404( response ): dirs.extend( self._createFuzzableRequests( response ) ) ## ## Check if the wp version is in index header ## ## # Main scan URL passed from w3af + wp index page wp_index_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) + '/index.php' response = self._urlOpener.GET( wp_index_url, useCache=True ) # Find the string in the response html find = 'meta name=generator content=[Ww]ord[Pp]ress (\d\.\d\.?\d?) /' m = re.search(find, response.getBody()) # If string found, group version if m: m = m.group(1) self._re_version = m # ## Find wordpress version from data ## # # Wordpress version unique data, file/data/version self._wp_fingerprint = [['/wp-includes/js/thickbox/thickbox.css','-ms-filter:','2.7.1'], ['/wp-admin/css/farbtastic.css','.farbtastic','2.7'], ['/wp-includes/js/tinymce/wordpress.css','-khtml-border-radius:','2.6.1, 2.6.2, 2.6.3 or 2.6.5'], ['/wp-includes/js/tinymce/tiny_mce.js','0.7','2.5.1'], ['/wp-admin/async-upload.php','200','2.5'], ['/wp-includes/images/rss.png','200','2.3.1, 2.3.2 or 2.3.3'], ['/readme.html','2.3','2.3'], ['/wp-includes/rtl.css','#adminmenu a','2.2.3'], ['/wp-includes/js/wp-ajax.js','var a = $H();','2.2.1'], ['/wp-app.php','200','2.2']] # For each row in data, send a HTTP request for row in self._wp_fingerprint: test_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) + row[0] response = self._urlOpener.GET( test_url, useCache=True ) if row[1] == '200' and not is_404(response): self._data_version = row[2] break
Re: [W3af-develop] W3AF Proxy tool - dev status
Taras, On Mon, Jun 8, 2009 at 5:36 PM, Tarasta...@securityaudit.ru wrote: Hello, list! I decided to inform you about current status of proxy tool improvement: Good, * Table presentation and editing of request/response data (headers) and so on - done * Table presentation of request params - in TODO (simple task) Ok, * Tabbed request/response GUI - done Seen it, looks and works great, except from some cases where the response has long lines, and the window grows *really* wide in order to show the line. I think that there is a problem with the ScrolledWindow configuration. * More convenient History navigation and presentation - in progress (Let's moving from hacker's search with SQL syntax to more convenient search by URL in main text entry + hidden advanced options bar for options (e.g code = 404 and id5) like in Google.) I'm trying to understand this, as far as I can see without reading the code, the advanced part will be like a wizard for the user to create a new search string, right? Also related, please see this [0], which is a bug fix that I implemented a couple of days ago, and is related with the type of data of the primary keys, and the way the information is stored. Maybe it's a good idea that you merge this into your branch before continuing to work. [0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/core/data/db/persist.py?revision=2898view=markup * Audit plugins integration for manual checks - in TODO * HEX editor - in TODO Ok, * Options - separate tab - done That looks awful, but it's not your fault, it's the framework's fault. I'll work on the way that the options are displayed (I also talked with Achim about this). * More keyborad friendly navigation and common GUI improvements - done Cool, * Andres also recently added syntax highlight tab for response HTML data Yes, but this needs some work also, adding to my never ending TODO list ;) Any questions or comments? =) Not really, you are doing a great job and I know that at the end we'll have a perfect local proxy =) Thanks! Anyone else has comments? To be able to test this branch, you have to download the taras branch like this: svn co https://w3af.svn.sourceforge.net/svnroot/w3af/branches/taras w3af-taras And then just cd w3af-taras , and ./w3af_gui Cheers, -- Taras Software is like sex: it's better when it's free. - Linus Torvalds -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
Ryan, On Mon, Jun 8, 2009 at 4:50 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: I have implemented the re and data checker, to compare them both and output as appropriate. That part seems to be ok, Seems to be working however in KB the request/response windows are incorrect. Could you elaborate more on this? Related: - You didn't used the version in the SVN to create the new version, they are some inconsistencies. Please use the SVN version to build from it. - It doesn't make sense to check for index.php instead of wp-login.php , the index.php would be a match for almost every web application running PHP. The idea is to check for wp-login.php to be able to be more performant and don't request all files in the fingerprint database for every directory in the web application. Cheers, Ryan -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
I just noticed that even though a 404 occurs for the 2.5 check (I have autodetect 404's disabled) it still recognizes it as version 2.5 (added to the kb) AND the correct version as found in the index page (also added to the kb). Haven't looked deeper into the code yet. Apologies if this has already been identified as I did not get the chance to read the entire thread. GET http://www.example.com/wp-admin/async-upload.php HTTP/1.1 Host: www.example.com Cookie: bb2_screener_=1244499242+71.83.247.187; PHPSESSID=p74pi4kqt46qechqv124qr9qt6 Accept-encoding: identity Accept: */* User-agent: w3af.sourceforge.net HTTP/1.1 404 Not Found x-powered-by: PHP/5.2.6 transfer-encoding: chunked set-cookie: bb2_screener_=1244499243+71.83.247.187; path=/ expires: Wed, 11 Jan 1984 05:00:00 GMT vary: Accept-Encoding server: Apache/2.0.63 (Unix) PHP/4.4.7 mod_ssl/2.0.63 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2 last-modified: Mon, 08 Jun 2009 22:14:04 GMT pragma: no-cache cache-control: no-cache, must-revalidate, max-age=0 date: Mon, 08 Jun 2009 22:14:03 GMT content-type: text/html; charset=UTF-8 x-pingback: http://www.example.com/xmlrpc.php -Adam -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Enhancements to wordpress_fingerprint.py
2009/6/8 Andres Riancho andres.rian...@gmail.com: Ryan, On Mon, Jun 8, 2009 at 4:50 PM, Ryan Dewhurstryandewhu...@gmail.com wrote: I have implemented the re and data checker, to compare them both and output as appropriate. That part seems to be ok, Seems to be working however in KB the request/response windows are incorrect. Could you elaborate more on this? If you look at the kb info the request/response windows after the plugin has run it shows inacurate HTTP request/responses. i.e. the version was found from the regular expression in the index.php header, the request/response window will show the http request/response for one of the files in the database rather than the correct index.php. Im finding the above hard to explain, ill take a screenshot to elaborate more. Related: - You didn't used the version in the SVN to create the new version, they are some inconsistencies. Please use the SVN version to build from it. I did use the SVN version. - It doesn't make sense to check for index.php instead of wp-login.php , the index.php would be a match for almost every web application running PHP. The idea is to check for wp-login.php to be able to be more performant and don't request all files in the fingerprint database for every directory in the web application. Cheers, It does check for wp-login.php rather than index.php. # Main scan URL passed from w3af + unique wp file wp_unique_url = urlParser.getDomainPath( fuzzableRequest.getURL() ) + '/wp-login.php' response = self._urlOpener.GET( wp_unique_url, useCache=True ) # If wp_unique_url is not 404, wordpress = true if not is_404( response ): Am I missing the point? Ryan Ryan -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects ___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] W3AF Proxy tool - dev status
Andres, * More convenient History navigation and presentation - in progress (Let's moving from hacker's search with SQL syntax to more convenient search by URL in main text entry + hidden advanced options bar for options (e.g code = 404 and id5) like in Google.) I'm trying to understand this, as far as I can see without reading the code, the advanced part will be like a wizard for the user to create a new search string, right? 1. There will be no any wizards =). See screenshot [0] 2. By default advanced search options will be hidden and will showed after Advanced button will be clicked 3. Main search entry will ne search only by URL - because it is most common task [0] http://picasaweb.google.ru/lh/photo/lvLn5jKcrQyG-FzibaH8JA?feat=directlink -- Taras Software is like sex: it's better when it's free. - Linus Torvalds pgpsXZzeeFTaW.pgp Description: PGP signature -- Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects___ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop