@m3nu
Last active February 7, 2017 04:57
Find sites vulnerable to the WordPress Content Injection Vulnerability. For background see http://blog.snapdragon.cc/2017/02/07/find-sites-vulnerable-to-wordpress-content-injection-vulnerability/
```python
import xml.etree.ElementTree as ET
import requests
import re
import logging as log

log.basicConfig(level=log.ERROR)
log.getLogger("requests").setLevel(log.WARNING)

# USAGE:
# 1. Run Nmap on your hosts. This will already match some versions.
#    nmap -Pn --script 'http-wordpress-info' -phttp,https -iL wordpress-domains.txt -oX output.xml
# 2. Run this script on the `output.xml` file to find versions.

# Markers through which a WordPress front page leaks its version; group 1 is the version.
VERSION_REX = [
    r'comment\-reply\.min\.js\?ver=([\d\.]+)',
    r'wp\-embed\.min\.js\?ver=([\d\.]+)',
    r'content="WordPress ([\d\.]+)',
]
user_agent = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36'}

tree = ET.parse('output.xml')
hosts = tree.findall('.//host')
for h in hosts:
    # Prefer the hostname given to Nmap; fall back to the scanned address when there is none.
    name = h.find('hostnames/hostname[@type="user"]')
    hostname = name.attrib['name'] if name is not None else h.find('address').attrib['addr']
    wp_version = None
    try:
        resp = requests.get('http://%s' % hostname, timeout=20, headers=user_agent)
        # First marker that matches wins; the list is ordered by how reliable the marker is.
        for rex in VERSION_REX:
            found = re.findall(rex, resp.text)
            if found:
                wp_version = found[0]
                break
    except Exception as e:
        log.error(e)
        log.error('Request to %s failed', hostname)
    print('{} runs on {}'.format(hostname, wp_version))
```
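The same pipeline run offline, as an added example that is not part of the gist: the Nmap XML and the page bodies are constructed inline, hosts without a user hostname fall back to their address, and the affected-version set is supplied by the caller (take it from the vendor advisory; the versions in the sample pages are made up).

```python
import re
import xml.etree.ElementTree as ET

# Same markers the gist matches, as raw strings; group 1 is the version.
VERSION_REX = [
    r'comment\-reply\.min\.js\?ver=([\d\.]+)',
    r'wp\-embed\.min\.js\?ver=([\d\.]+)',
    r'content="WordPress ([\d\.]+)',
]

# Constructed Nmap XML: one host with a user hostname, one with only an address.
NMAP_XML = """<nmaprun>
<host><address addr="198.51.100.10" addrtype="ipv4"/>
  <hostnames><hostname name="blog.example.test" type="user"/></hostnames></host>
<host><address addr="198.51.100.11" addrtype="ipv4"/><hostnames/></host>
</nmaprun>"""

# Constructed page bodies standing in for the HTTP responses (no network needed).
PAGES = {
    "blog.example.test": '<meta name="generator" content="WordPress 4.7.1" />',
    "198.51.100.11": '<script src="/wp-includes/js/wp-embed.min.js?ver=4.7.2"></script>',
}

def targets_from_nmap(xml_text):
    """Yield one target per <host>: the user-supplied hostname, else the address."""
    for host in ET.fromstring(xml_text).findall('.//host'):
        name = host.find('hostnames/hostname[@type="user"]')
        yield name.attrib['name'] if name is not None else host.find('address').attrib['addr']

def extract_version(html):
    """Return the version from the first marker that matches, or None."""
    for rex in VERSION_REX:
        m = re.search(rex, html)
        if m:
            return m.group(1)
    return None

def version_tuple(v):
    """Numeric tuple with trailing zeros dropped, so '4.7' and '4.7.0' compare equal."""
    parts = [int(p) for p in v.split('.') if p]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def report(xml_text, pages, affected):
    """Map each target to (version, affected?); 'affected' is the advisory's version list."""
    bad = {version_tuple(a) for a in affected}
    out = {}
    for t in targets_from_nmap(xml_text):
        v = extract_version(pages.get(t, ''))
        out[t] = (v, v is not None and version_tuple(v) in bad)
    return out
```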