Ryan,

On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
> Hello,
> I'm new to mailing lists so I'm not sure if this will be sent there.

It depends on the mailing list. This one is configured to accept attachments.

> I'll have a look into integrating the script into w3af over the next
> couple of days and hopefully have a working version by the weekend.

Excellent, if you need ANY help, just let us know.

> The script is quite simple once you have gathered the necessary
> data. I went through versions 2.2 to 2.7.1 and manually found client
> side differences in most of them, I also used the official changelogs
> to help identify them.

Ohhh, you are the guy that wrote that blog post with the "diffs" of
different WordPress release packages?

> The client side differences are in files such as CSS, javascript and
> HTML. Some versions did not have any differences apart from having
> extra files, which can easily be identified with HTTP response codes.
>
> It works as such...
>
> Starting from version 2.7.1 (latest), the script tries to find
> something that 2.7 doesn't have, if it finds that something then the
> script stops and echoes the version number.
>
> If the script doesn't find the difference it moves onto identifying the
> next version, i.e. does 2.7 have something the earlier version doesn't
> have, and so on and so forth.

Ok, makes sense.

Some comments regarding your code:

- w3af uses PEP-8, which among other things says 4-spaces for
indentations. Your code has 1-space (?) indentations. Please correct
that.

- The code is pretty simple, but I think it could be done in a better
way. Having that many functions (wp22 to wp271) doesn't seem to be a
good option. Do you think that the code could be changed a little bit,
and create a database (which can be easily updated) and then use that
database to store the information? Example of the database:

    self._wp_fingerprint = [
        ('/wp-includes/js/thickbox/thickbox.css', '-ms-filter:'),
        ('/wp-admin/css/farbtastic.css', 'farbtastic'),
    ]

- Also, by default WordPress publishes the version number in every
page head. Maybe it would be a good idea to parse that, and compare it
with the result of the fingerprinting. What do you think?

Cheers,

> Ryan
>
>
> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>> Ryan,
>>
>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>> Hello,
>>> I have developed a Python script that can detect the version of a
>>> WordPress installation. I think it would fit well within w3af,
>>
>> Yes, it seems that it's something good to have in the framework.
>>
>> I have like a ton of questions about how it works, could you please
>> send the script (as it is) to this mailing list for us to read it?
>>
>>> the
>>> only problem being is that I have been unable to find a plugin
>>> development manual to be able to implement my script.
>>
>> There is no development manual :(
>>
>> For the type of feature that you want to add, the correct thing is to
>> use a discovery plugin. Discovery plugins are simple, they follow
>> these rules:
>>
>> - the entry point is the discover method
>>
>> - the discover method takes a fuzzable request object as a parameter,
>> and returns a list of fuzzable requests
>> (fuzzable requests are representations of GET/POST requests, which
>> represent links, and forms)
>>
>> - the discover method is called several times in the same scan, with
>> the different links that (for example) the webSpider finds.
>>
>> I think that the best thing you can do is to read one or two discovery
>> plugins (my recommendations are discovery.crossDomain and
>> discovery.userDir), and start building your own plugin based on one of
>> those.
>>
>>> Is there a dev manual out there?
>>
>> No
>>
>>> Does anyone have some tips/advice on writing a plugin?
>>
>> Yes, see above.
>>
>>> Does anyone want me to send them the script for them to develop the plugin?
>>
>> You should develop the plugin yourself, it's fun and good for the project =)
>>
>> Cheers,
>>
>>> Thank you,
>>> Ryan
>>>
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
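
Added example (not part of the original message, and not w3af's or Ryan's code): a table-driven form of the newest-first check discussed in this thread, cross-checked against the version advertised in the page head. The version labels attached to the two signatures, the fetch callable and the sample sites are assumptions constructed for illustration.

```python
import re

# (version, path, marker), newest first. The two path/marker pairs come from
# the e-mail; the version labels are ASSUMED for illustration, not verified.
WP_FINGERPRINT = [
    ("2.7.1", "/wp-includes/js/thickbox/thickbox.css", "-ms-filter:"),
    ("2.7", "/wp-admin/css/farbtastic.css", "farbtastic"),
]
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)

def fingerprint(fetch, db=WP_FINGERPRINT):
    """Walk the table newest-first; stop at the first marker that is served."""
    for version, path, marker in db:
        status, body = fetch(path)
        if status == 200 and marker in body:
            return version
    return None

def advertised_version(html):
    """Version from the generator meta tag in the page head, if present."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None

def assess(fetch):
    """Compare both sources; a mismatch means one of them cannot be trusted."""
    found = fingerprint(fetch)
    status, home = fetch("/")
    claimed = advertised_version(home) if status == 200 else None
    if found and claimed:
        verdict = "match" if found == claimed else "mismatch"
    else:
        verdict = "single-source" if (found or claimed) else "unknown"
    return {"fingerprint": found, "advertised": claimed, "verdict": verdict}

def make_fetch(site):
    """Offline stand-in for an HTTP client: path -> (status, body)."""
    return lambda path: site.get(path, (404, ""))

# Constructed sample sites (no network access).
HEAD = '<html><head><meta name="generator" content="WordPress %s" /></head></html>'
THICKBOX = ("/wp-includes/js/thickbox/thickbox.css", (200, "#TB{-ms-filter: x}"))
FARBTASTIC = ("/wp-admin/css/farbtastic.css", (200, ".farbtastic {}"))
CONSISTENT = dict([("/", (200, HEAD % "2.7.1")), THICKBOX, FARBTASTIC])
HEAD_STRIPPED = dict([("/", (200, "<html><head></head></html>")), FARBTASTIC])
STALE_HEAD = dict([("/", (200, HEAD % "2.7")), THICKBOX, FARBTASTIC])

if __name__ == "__main__":
    for name, site in [("consistent", CONSISTENT), ("head stripped", HEAD_STRIPPED),
                       ("stale head", STALE_HEAD)]:
        print(name, assess(make_fetch(site)))
```

Adding a release to the table is a one-line change, and a "mismatch" verdict flags sites whose head tag was edited or left stale after an upgrade.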
