Ryan,

On Sat, Jun 6, 2009 at 10:59 AM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
> Hello,
> Sorry it's been so long with the wordpress version checker plugin, had some life problems.

No problem man, I hope things are going better now.

> Anyway...
>
> I have come to a logic problem which I cannot seem to solve and was wondering if anyone could give me some pointers...
>
> Versions '2.5', '2.3.1, 2.3.2 or 2.3.3' and '2.2' are detected by a file/image being present, i.e. status 200.
>
> I cannot figure out how to check for this while using the self._wp_fingerprint array.

The for loop that works with the array looks like this:

    for data in self._wp_fingerprint:
        # Complete URL to test, url+file (data is one (file, marker, version) tuple)
        test_URL = urlParser.urlJoin( base_url, data[0] )
        # (the request for test_URL has to be made here; "response" is its body)
        if data[1] in response:
            version = data[2]
            break
        else:
            version = 'Version lower than 2.2'

But there are some parts missing, like actually requesting to the server the test_URL.

On the other part, the "200" logic could be easily done like this:

    if data[1] == 200 and not is_404(response):
        # it was found!
        version = data[2]
        break
    elif data[1] != 200 and data[1] in response:
        # a string marker: look for it in the response body
        version = data[2]
        break
    else:
        version = 'Version lower than 2.2'

To make this work, you should change the '' in the fingerprint array by a 200, and it should all work.

> Here is the code so far, I have not yet tested it out, but should give you a basic idea of how it will run.

Yes, and it makes much more sense to me this way. The older version was "ugly" :)

> I was also thinking of implementing a plugin version checker as there are many plugins with vulns.

Sure, but let's go step by step, let's finish this plugin, test it a little bit, and then we can go for the next one.

> Thank you,
> Ryan
>
> P.S. To test it through w3af, do I just pop the py file into the plugin folder or is there any other code to be changed?

Yes, you have to move this file to the discovery directory and that's it.

> 2009/5/31 Ryan Dewhurst <ryandewhu...@gmail.com>:
>> Just to let everyone know where I am with the plugin.
>>
>> I'm a complete n00b at re and couldn't get backbone's code to work, so I read a couple of manuals and finally got it working with:
>> <meta name="generator" content="[Ww]ord[Pp]ress (\d\.\d\.?\d?)" />
>>
>> An explanation of what the plugin will do:
>> -----------------------------------------------------------
>>
>> It will first check to see if the server has the following file "/wp-admin/index.php".
>>
>> If it does
>>
>> It will check to see whether or not the version is in the index header.
>>
>> If it finds the version it will store it in a variable.
>>
>> It will then run through the checks from my original code to try and guess the version.
>>
>>
>> The output will be as follows:
>> ------------------------------------------
>>
>> If the version is not in the index and not found with the data = "version under 2.2"
>> If the version is in the index and in the data are the same = "whatever version was found"
>> If the version is in the index and in the data are different = "Version shows as $version in index header however the data shows $version"
>>
>> I still need to implement the data checks however my girlfriend has fallen ill and has been admitted to hospital for an emergency operation. I don't think I will be able to finish the plugin this weekend as promised earlier however will still be working on it next week.
>>
>> I was also thinking of listing the vulnerabilities for each version (if any) on the output.
>>
>> Ryan
>>
>>
>> 2009/5/29 Andres Riancho <andres.rian...@gmail.com>:
>>> Ryan,
>>>
>>> On Thu, May 28, 2009 at 10:11 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>>> I'm looking into searching the response html of the index page for the following string:
>>>> <meta name="generator" content="WordPress $version" />
>>>>
>>>> I've tried with regular expressions and am unable to get it to work,
>>>
>>> backbone sent you a solution,
>>>
>>>> I've read that re is bad for parsing HTML and that BeautifulSoup should be used.
>>>>
>>>> Does w3af already have BeautifulSoup in its dependency list?
>>>
>>> Yes, it's in the dependency list, but we aren't using it "for that". Long story short, please use the re =)
>>>
>>>> Ryan
>>>>
>>>> P.S. Thanks for the advice backbone46, I'll have a look into that once I've sorted this out.
>>>>
>>>>
>>>> 2009/5/28 <backbon...@gmail.com>:
>>>>> Sorry to bump in just like that in the discussion, about the meta tag that displays the WordPress version.
>>>>>
>>>>> Only since version 2.7 the generator function is in the core of WordPress, on earlier versions it was only in the theme.
>>>>>
>>>>> Just wanted to mention that. :)
>>>>>
>>>>> ---
>>>>> http://insanesecurity.info
>>>>>
>>>>>
>>>>> On Thu, May 28, 2009 at 10:53 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>>>>>
>>>>>> Yes, I don't see why not. Should be easy enough to implement.
>>>>>>
>>>>>> You mentioned during our email conversation that wordpress echoes its version number in the page head. I managed to find an example of it. You're right, I do have a security plugin installed which must have removed it from my blog.
>>>>>>
>>>>>> Here is an example:
>>>>>> <meta name="generator" content="WordPress 2.7.1" />
>>>>>>
>>>>>>
>>>>>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>> Ryan,
>>>>>>>
>>>>>>> On Wed, May 27, 2009 at 10:18 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>>>>>>> Ryan,
>>>>>>>>
>>>>>>>> On Wed, May 27, 2009 at 9:58 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>>>>>>>> Hello,
>>>>>>>>> I'm new to mailing lists so I'm not sure if this will be sent there.
>>>>>>>>
>>>>>>>> It depends on the mailing list. This one is configured to accept attachments,
>>>>>>>>
>>>>>>>>> I'll have a look into integrating the script into w3af over the next couple of days and hopefully have a working version by the weekend.
>>>>>>>>
>>>>>>>> Excellent, if you need ANY help, just let us know.
>>>>>>>>
>>>>>>>>> The script is quite simple once you have gathered the necessary data. I went through versions 2.2 to 2.7.1 and manually found client side differences in most of them, I also used the official changelogs to help identify them.
>>>>>>>>
>>>>>>>> Ohhh, you are the guy that wrote that blog post with the "diffs" of different wordpress release packages?
>>>>>>>>
>>>>>>>>> The client side differences are in files such as CSS, javascript and HTML. Some versions did not have any differences apart from having extra files, which can easily be identified with HTTP response codes.
>>>>>>>>>
>>>>>>>>> It works as such...
>>>>>>>>>
>>>>>>>>> Starting from version 2.7.1 (latest), the script tries to find something that 2.7 doesn't have, if it finds that something then the script stops and echoes the version number.
>>>>>>>>>
>>>>>>>>> If the script doesn't find the difference it moves onto identifying the next version, i.e. does 2.7 have something the earlier version doesn't have. And so on and so forth.
>>>>>>>>
>>>>>>>> Ok, makes sense.
>>>>>>>>
>>>>>>>> Some comments regarding your code:
>>>>>>>>
>>>>>>>> - w3af uses PEP-8, which among other things says 4 spaces for indentation. Your code has 1-space (?) indentation. Please correct that.
>>>>>>>>
>>>>>>>> - The code is pretty simple, but I think it could be done in a better way. Having that many functions (wp22 to wp271) doesn't seem to be a good option. Do you think that the code could be changed a little bit, and create a database (which can be easily updated) and then use that database to store the information? Example of the database:
>>>>>>>>
>>>>>>>>     self._wp_fingerprint = [('/wp-includes/js/thickbox/thickbox.css', '-ms-filter:'),
>>>>>>>>                             ('/wp-admin/css/farbtastic.css', 'farbtastic')]
>>>>>>>>
>>>>>>>> - Also, by default wordpress publishes the version number in every page head. Maybe it would be a good idea to parse that, and compare it with the result of the fingerprinting. What do you think?
>>>>>>>
>>>>>>> A good idea would be to have a first step, before all the version specific checks, that verifies something that's true for all wordpress installations (some X file has to be present) before even starting the fingerprinting. Could this be done?
>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>>> Ryan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2009/5/28 Andres Riancho <andres.rian...@gmail.com>:
>>>>>>>>>> Ryan,
>>>>>>>>>>
>>>>>>>>>> On Wed, May 27, 2009 at 5:07 PM, Ryan Dewhurst <ryandewhu...@gmail.com> wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>> I have developed a python script that can detect the version of a wordpress installation. I think it would fit well within w3af,
>>>>>>>>>>
>>>>>>>>>> Yes, it seems that it's something good to have in the framework.
>>>>>>>>>>
>>>>>>>>>> I have like a ton of questions about how it works, could you please send the script (as it is) to this mailing list for us to read it?
>>>>>>>>>>
>>>>>>>>>>> the only problem being is that I have been unable to find a plugin development manual to be able to implement my script.
>>>>>>>>>>
>>>>>>>>>> There is no development manual :(
>>>>>>>>>>
>>>>>>>>>> For the type of feature that you want to add, the correct thing is to use a discovery plugin. discovery plugins are simple, they follow these rules:
>>>>>>>>>>
>>>>>>>>>> - the entry point is the discover method
>>>>>>>>>>
>>>>>>>>>> - the discover method takes a fuzzable request object as a parameter, and returns a list of fuzzable requests (fuzzable requests are representations of GET/POST requests, which represent links, and forms)
>>>>>>>>>>
>>>>>>>>>> - the discover method is called several times in the same scan, with the different links that (for example) the webSpider finds.
>>>>>>>>>>
>>>>>>>>>> I think that the best thing you can do is to read one or two discovery plugins (my recommendations are discovery.crossDomain and discovery.userDir), and start building your own plugin based on one of those.
>>>>>>>>>>
>>>>>>>>>>> Is there a dev manual out there?
>>>>>>>>>>
>>>>>>>>>> No
>>>>>>>>>>
>>>>>>>>>>> Does anyone have some tips/advice on writing a plugin?
>>>>>>>>>>
>>>>>>>>>> Yes, see above,
>>>>>>>>>>
>>>>>>>>>>> Does anyone want me to send them the script for them to develop the plugin?
>>>>>>>>>>
>>>>>>>>>> You should develop the plugin yourself, it's fun and good for the project =)
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>>> Thank you,
>>>>>>>>>>> Ryan
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>> W3af-develop@lists.sourceforge.net
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Andrés Riancho
>>>>>>>>>> Founder, Bonsai - Information Security
>>>>>>>>>> http://www.bonsai-sec.com/
>>>>>>>>>> http://w3af.sf.net/
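Added example (not code from the thread or from w3af): a self-contained Python 3 sketch of the check the thread converges on. A (path, marker, version) table is walked newest-first; a marker of 200 means the file must exist and is guarded by an is_404-style soft-404 comparison, a string marker must appear in the body; the generator meta tag is parsed with Ryan's regex and compared with the fingerprint result, reporting the three outcomes Ryan listed. The fetch callable, make_fetch, the probe path, the fake sites and the 2.5/2.2 table rows are constructed assumptions; only the thickbox and farbtastic entries come from the thread.

```python
import re

# Fingerprint table in the (path, marker, version) shape from the thread, newest first.
# Marker 200 = "file exists from this version on"; a string marker = "string in file".
# The thickbox/farbtastic rows are from the thread; the 2.5/2.2 rows are constructed placeholders.
WP_FINGERPRINT = [
    ('/wp-includes/js/thickbox/thickbox.css', '-ms-filter:', '2.7.1'),
    ('/wp-admin/css/farbtastic.css', 'farbtastic', '2.7'),
    ('/placeholder-new-in-2.5.png', 200, '2.5'),
    ('/placeholder-new-in-2.2.css', 200, '2.2'),
]
GENERATOR_RE = re.compile(r'<meta name="generator" content="[Ww]ord[Pp]ress (\d\.\d\.?\d?)" />')
PROBE = '/w3af-soft-404-probe-does-not-exist'   # constructed path for the is_404 baseline

def is_404(fetch, base_url, status, body):
    """A 200 only counts if it differs from what a bogus path returns (soft-404 guard)."""
    return status != 200 or body == fetch(base_url + PROBE)[1]

def header_version(fetch, base_url):
    m = GENERATOR_RE.search(fetch(base_url + '/')[1])
    return m.group(1) if m else None

def fingerprint_version(fetch, base_url, table=WP_FINGERPRINT):
    for path, marker, version in table:          # first difference that is present decides
        status, body = fetch(base_url + path)
        if is_404(fetch, base_url, status, body):
            continue
        if marker == 200 or marker in body:
            return version
    return None

def check_wordpress(fetch, base_url):
    if is_404(fetch, base_url, *fetch(base_url + '/wp-admin/index.php')):
        return None                               # precondition: not a WordPress install
    header, data = header_version(fetch, base_url), fingerprint_version(fetch, base_url)
    if header and data and header != data:
        return 'Version shows as %s in index header however the data shows %s' % (header, data)
    return header or data or 'Version lower than 2.2'

# Constructed fake sites: path -> (status, body); anything else gets `default`.
def make_fetch(base_url, files, default=(404, 'Not Found')):
    return lambda url: files.get(url[len(base_url):], default)
BASE = 'http://blog.example'
GEN_271 = '<head><meta name="generator" content="WordPress 2.7.1" /></head>'
SITE_271 = make_fetch(BASE, {'/wp-admin/index.php': (200, 'login'), '/': (200, GEN_271),
                             '/wp-includes/js/thickbox/thickbox.css': (200, 'a{-ms-filter:x}')})
SITE_LIES = make_fetch(BASE, {'/wp-admin/index.php': (200, 'login'), '/': (200, GEN_271),
                              '/wp-admin/css/farbtastic.css': (200, '.farbtastic{}')})
SITE_SOFT404 = make_fetch(BASE, {}, default=(200, 'Welcome'))   # every path answers 200
```

SITE_LIES shows the header/fingerprint mismatch case (a theme's meta tag can claim a version the files do not support), and SITE_SOFT404 shows why a bare status check without the is_404 baseline would report 2.7.1 for a server that answers 200 to everything.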