backbone, On Thu, May 28, 2009 at 5:06 PM, <backbon...@gmail.com> wrote: > Sorry to bump in just like that in the discussion, about the meta tag that > displays > the WordPress version. > > Only since version 2.7 the generator function is in the core of WordPress, > on > earlier versions it was only in the theme. > > Just wanted to mention that. :)
Thanks for the comment =) > --- > http://insanesecurity.info > > > On Thu, May 28, 2009 at 10:53 PM, Ryan Dewhurst <ryandewhu...@gmail.com> > wrote: >> >> Yes, I dont see why not. Should be easy enough tro implement. >> >> You mentioned during our email conversation that wordpress echos its >> version number in the page head. I managed to find an example of it. >> Your right I do have a security plugin installed which must have >> removed it from my blog. >> >> Here is an example: >> <meta name="generator" content="WordPress 2.7.1" /> >> >> >> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>: >> > Ryan, >> > >> > On Wed, May 27, 2009 at 10:18 PM, Andres Riancho >> > <andres.rian...@gmail.com> wrote: >> >> Ryan, >> >> >> >> On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst <ryandewhu...@gmail.com> >> >> wrote: >> >>> Hello, >> >>> Im new to mailing lists so im not sure if this will be sent there. >> >> >> >> It depends on the mailing list. This one is configured to accept >> >> attachments, >> >> >> >>> I'll have a look into intergrating the script into w3af over the next >> >>> couple of days and hopefully have a working version by the weekend. >> >> >> >> Excellent, if you need ANY help, just let us know. >> >> >> >>> The script is quite simple once you have the gathered the nesesary >> >>> data. I went through versions 2.2 to 2.7.1 and manually found client >> >>> side differences in most of them, I also used the official changelogs >> >>> to help identify them. >> >> >> >> Ohhh, you are the guy that wrote that blog post with the "diffs" of >> >> different wordpress release packages? >> >> >> >>> The client side differences are in files such as CSS, javascript and >> >>> HTML. Some versions did not have any differences apart from having >> >>> extra files, which can easliy be identified with HTTP response codes. >> >>> >> >>> It works as such... >> >>> >> >>> Starting from version 2.7.1 (latest), the script tries to find >> >>> something that 2.7 doesnt have, if it finds that something then the >> >>> script stops and echos the version number. >> >>> >> >>> If the script doesnt find the difference it moves onto identifying the >> >>> next version, i.e. does 2.7 have something the earlier version doesnt >> >>> have. and so on and so forth. >> >> >> >> Ok, makes sense. >> >> >> >> Some comments regarding your code: >> >> >> >> - w3af uses PEP-8, with among other things says 4-spaces for >> >> indentations. Your code has 1-space (?) indentations. Please correct >> >> that. >> >> >> >> - The code is pretty simple, but i think it could be done in a better >> >> way. Having that many functions (wp22 to wp271) doesn't seem to be a >> >> good option. Do you think that the code could be changed a little bit, >> >> and create a database (which can be easily updated) and then use that >> >> database to store the information? Example of the databse >> >> >> >> self._wp_fingerprint = >> >> >> >> [('/wp-includes/js/thickbox/thickbox.css','-ms-filter:'),('/wp-admin/css/farbtastic.css', >> >> 'farbtastic')] >> >> >> >> - Also, by default wordpress publishes the version number in every >> >> page head. Maybe it would be a good idea to parse that, and compare it >> >> with the result of the fingerprinting. What do you think? >> > >> > A good idea would be to have a first step, before all the version >> > specific checks, that verifies something that's true for all wordpress >> > installations (some X file has to be present) before even starting the >> > fingerprinting. Could this be done? >> > >> >> Cheers, >> >> >> >>> Ryan >> >>> >> >>> >> >>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>: >> >>>> Ryan, >> >>>> >> >>>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst >> >>>> <ryandewhu...@gmail.com> wrote: >> >>>>> Hello, >> >>>>> I have developed a python script that can detect the version of a >> >>>>> wordpress installation. I think it would fit well within w3af, >> >>>> >> >>>> Yes, it seems that it's something good to have in the framework. >> >>>> >> >>>> I have like a ton of questions about how it works, could you please >> >>>> send the script (as it is) to this mailing list for us to read it? >> >>>> >> >>>>> the >> >>>>> only problem being is that I have been unable to find a plugin >> >>>>> development manual to be able to implement my script. >> >>>> >> >>>> There is no development manual :( >> >>>> >> >>>> For the type of feature that you want to add, the correct thing is to >> >>>> use a discovery plugin. discovery plugins are simple, they follow >> >>>> these rules: >> >>>> >> >>>> - the entry point is the discover method >> >>>> >> >>>> - the discover method takes a fuzzable request object as a parameter, >> >>>> and returns a list of fuzzable requests >> >>>> (fuzzable requests are representations of GET/POST requests, which >> >>>> represent links, and forms) >> >>>> >> >>>> - the discover method is called several times in the same scan, with >> >>>> the different links that (for example) the webSpider finds. >> >>>> >> >>>> I think that the best thing you can do is to read one or two >> >>>> discovery >> >>>> plugins (my recommendations are discovery.crossDomain and >> >>>> discovery.userDir), and start building your own plugin based on one >> >>>> of >> >>>> those. >> >>>> >> >>>>> Is there a dev manual out there? >> >>>> >> >>>> No >> >>>> >> >>>>> Does any one have some tips/advice on writting a plugin? >> >>>> >> >>>> Yes, see above, >> >>>> >> >>>>> Does any one want me to send them the script for them to develop the >> >>>>> plugin? >> >>>> >> >>>> You should develop the plugin yourself, is fun and good for the >> >>>> project =) >> >>>> >> >>>> Cheers, >> >>>> >> >>>>> Thank you, >> >>>>> Ryan >> >>>>> >> >>>>> >> >>>>> ------------------------------------------------------------------------------ >> >>>>> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT >> >>>>> is a gathering of tech-side developers & brand creativity >> >>>>> professionals. Meet >> >>>>> the minds behind Google Creative Lab, Visual Complexity, Processing, >> >>>>> & >> >>>>> iPhoneDevCamp as they present alongside digital heavyweights like >> >>>>> Barbarian >> >>>>> Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com >> >>>>> _______________________________________________ >> >>>>> W3af-develop mailing list >> >>>>> W3af-develop@lists.sourceforge.net >> >>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop >> >>>>> >> >>>> >> >>>> >> >>>> >> >>>> -- >> >>>> Andrés Riancho >> >>>> Founder, Bonsai - Information Security >> >>>> http://www.bonsai-sec.com/ >> >>>> http://w3af.sf.net/ >> >>>> >> >>> >> >> >> >> >> >> >> >> -- >> >> Andrés Riancho >> >> Founder, Bonsai - Information Security >> >> http://www.bonsai-sec.com/ >> >> http://w3af.sf.net/ >> >> >> > >> > >> > >> > -- >> > Andrés Riancho >> > Founder, Bonsai - Information Security >> > http://www.bonsai-sec.com/ >> > http://w3af.sf.net/ >> > >> >> >> ------------------------------------------------------------------------------ >> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT >> is a gathering of tech-side developers & brand creativity professionals. >> Meet >> the minds behind Google Creative Lab, Visual Complexity, Processing, & >> iPhoneDevCamp as they present alongside digital heavyweights like >> Barbarian >> Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com >> _______________________________________________ >> W3af-develop mailing list >> W3af-develop@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/w3af-develop > > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ ------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp as they present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
