Ryan,

On Wed, May 27, 2009 at 10:18 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Ryan,
>
> On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>> Hello,
>> I'm new to mailing lists so I'm not sure if this will be sent there.
>
> It depends on the mailing list. This one is configured to accept attachments,
>
>> I'll have a look into integrating the script into w3af over the next
>> couple of days and hopefully have a working version by the weekend.
>
> Excellent, if you need ANY help, just let us know.
>
>> The script is quite simple once you have gathered the necessary
>> data. I went through versions 2.2 to 2.7.1 and manually found client
>> side differences in most of them, I also used the official changelogs
>> to help identify them.
>
> Ohhh, you are the guy that wrote that blog post with the "diffs" of
> different wordpress release packages?
>
>> The client side differences are in files such as CSS, javascript and
>> HTML. Some versions did not have any differences apart from having
>> extra files, which can easily be identified with HTTP response codes.
>>
>> It works as such...
>>
>> Starting from version 2.7.1 (latest), the script tries to find
>> something that 2.7 doesn't have, if it finds that something then the
>> script stops and echoes the version number.
>>
>> If the script doesn't find the difference it moves onto identifying the
>> next version, i.e. does 2.7 have something the earlier version doesn't
>> have. and so on and so forth.
>
> Ok, makes sense.
>
> Some comments regarding your code:
>
> - w3af uses PEP-8, which among other things says 4-spaces for
> indentations. Your code has 1-space (?) indentations. Please correct
> that.
>
> - The code is pretty simple, but I think it could be done in a better
> way. Having that many functions (wp22 to wp271) doesn't seem to be a
> good option.
> Do you think that the code could be changed a little bit,
> and create a database (which can be easily updated) and then use that
> database to store the information? Example of the database
>
> self._wp_fingerprint = [
>     ('/wp-includes/js/thickbox/thickbox.css', '-ms-filter:'),
>     ('/wp-admin/css/farbtastic.css', 'farbtastic'),
> ]
>
> - Also, by default wordpress publishes the version number in every
> page head. Maybe it would be a good idea to parse that, and compare it
> with the result of the fingerprinting. What do you think?

A good idea would be to have a first step, before all the version
specific checks, that verifies something that's true for all wordpress
installations (some X file has to be present) before even starting the
fingerprinting. Could this be done?

> Cheers,
>
>> Ryan
>>
>>
>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>> Ryan,
>>>
>>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst <ryandewhu...@gmail.com>
>>> wrote:
>>>> Hello,
>>>> I have developed a python script that can detect the version of a
>>>> wordpress installation. I think it would fit well within w3af,
>>>
>>> Yes, it seems that it's something good to have in the framework.
>>>
>>> I have like a ton of questions about how it works, could you please
>>> send the script (as it is) to this mailing list for us to read it?
>>>
>>>> the
>>>> only problem being is that I have been unable to find a plugin
>>>> development manual to be able to implement my script.
>>>
>>> There is no development manual :(
>>>
>>> For the type of feature that you want to add, the correct thing is to
>>> use a discovery plugin. discovery plugins are simple, they follow
>>> these rules:
>>>
>>> - the entry point is the discover method
>>>
>>> - the discover method takes a fuzzable request object as a parameter,
>>> and returns a list of fuzzable requests
>>> (fuzzable requests are representations of GET/POST requests, which
>>> represent links, and forms)
>>>
>>> - the discover method is called several times in the same scan, with
>>> the different links that (for example) the webSpider finds.
>>>
>>> I think that the best thing you can do is to read one or two discovery
>>> plugins (my recommendations are discovery.crossDomain and
>>> discovery.userDir), and start building your own plugin based on one of
>>> those.
>>>
>>>> Is there a dev manual out there?
>>>
>>> No
>>>
>>>> Does any one have some tips/advice on writing a plugin?
>>>
>>> Yes, see above,
>>>
>>>> Does any one want me to send them the script for them to develop the
>>>> plugin?
>>>
>>> You should develop the plugin yourself, it's fun and good for the project =)
>>>
>>> Cheers,
>>>
>>>> Thank you,
>>>> Ryan
>>>>
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3af-develop@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>> --
>>> Andrés Riancho
>>> Founder, Bonsai - Information Security
>>> http://www.bonsai-sec.com/
>>> http://w3af.sf.net/

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
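
The table-driven approach discussed in this thread (one fingerprint database instead of a function per version, a baseline check first, and a comparison with the generator tag), as an added example that is not code from the thread or from w3af. The fetch callable, the baseline file and the version labels in the table are assumptions; the site responses are constructed so it runs offline.

```python
import re

# Fingerprint database, newest release first: (version, path, marker).
# The two path/marker pairs are from the thread; the version labels
# attached to them are placeholders (assumption), not verified facts.
WP_FINGERPRINT = [
    ("2.7.1", "/wp-includes/js/thickbox/thickbox.css", "-ms-filter:"),
    ("2.7", "/wp-admin/css/farbtastic.css", "farbtastic"),
]
# Assumed baseline: a file expected on every WordPress install.
WP_BASELINE = ("/wp-login.php", "wp-submit")

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)',
    re.IGNORECASE)

def advertised_version(html):
    """Version published in the page head, or None if the tag is absent."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None

def has_marker(fetch, path, marker):
    """True if `path` answers 200 and its body contains `marker`."""
    status, body = fetch(path)
    return status == 200 and marker in body

def fingerprint(fetch):
    """`fetch(path)` returns (status, body). None means not WordPress."""
    if not has_marker(fetch, *WP_BASELINE):
        return None
    # Walk from newest to oldest and stop at the first marker present.
    detected = next(
        (v for v, path, marker in WP_FINGERPRINT if has_marker(fetch, path, marker)),
        None)
    advertised = advertised_version(fetch("/")[1])
    mismatch = None not in (detected, advertised) and detected != advertised
    return {"detected": detected, "advertised": advertised, "mismatch": mismatch}

def make_site(pages):
    return lambda path: pages.get(path, (404, ""))  # unknown paths answer 404

# Constructed responses: 2.7-era files, generator tag claiming 2.6.
SITE = make_site({
    "/": (200, '<head><meta name="generator" content="WordPress 2.6" /></head>'),
    "/wp-login.php": (200, '<input type="submit" id="wp-submit" />'),
    "/wp-admin/css/farbtastic.css": (200, ".farbtastic { position: relative; }"),
    "/wp-includes/js/thickbox/thickbox.css": (200, "#TB_overlay { opacity: 0.75; }"),
})
```

Calling fingerprint(SITE) reports the file-based version next to the advertised one; when the two disagree on your own install, the generator tag is not reflecting the files actually being served.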