Find sites vulnerable to Wordpress Content Injection Vulnerability. For background see http://blog.snapdragon.cc/2017/02/07/find-sites-vulnerable-to-wordpress-content-injection-vulnerability/
import logging as log
import re
import sys
import xml.etree.ElementTree as ET

import requests
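# Fingerprint the WordPress version of hosts listed in an Nmap XML report by
# fetching each host's front page and looking for the usual version leaks.
#
# USAGE:
# 1. Run Nmap on your hosts. This will already match some versions.
# nmap -Pn --script 'http-wordpress-info' -phttp,https -iL wordpress-domains.txt -oX output.xml
# 2. Run this script on the `output.xml` file to find versions:
#    python <this-script>.py [output.xml]
#    (the report path defaults to `output.xml` in the current directory).

# Patterns that reveal the WordPress version on a front page, tried in order;
# capture group 1 is the version string (e.g. "4.7.1").  Raw strings: the
# backslash escapes belong to the regex engine, not to Python.
VERSION_REX = [
    r'comment\-reply\.min\.js\?ver=([\d\.]+)',
    r'wp\-embed\.min\.js\?ver=([\d\.]+)',
    r'content="WordPress ([\d\.]+)',
]

# Browser-like User-Agent so the page is served as a normal visitor would get it.
user_agent = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36'}

# Seconds to wait on a single host before giving up on it.
REQUEST_TIMEOUT = 20


def extract_version(html):
    """Return the first WordPress version found in *html*, or ``None``.

    The patterns in ``VERSION_REX`` are tried in order and the first hit wins,
    so a page carrying several hints reports the one matched by the earliest
    pattern.  Empty or hint-free input yields ``None``.
    """
    for rex in VERSION_REX:
        match = re.search(rex, html)
        if match:
            return match.group(1)
    return None


def hostname_of(host):
    """Return the user-supplied hostname of an Nmap ``<host>`` element, or ``None``.

    Nmap records the name given on its command line under
    ``hostnames/hostname[@type="user"]``.  A host scanned by bare IP has no such
    entry; ``None`` is returned instead of raising ``AttributeError``.
    """
    node = host.find('hostnames/hostname[@type="user"]')
    if node is None:
        return None
    return node.attrib.get('name')


def fetch_version(hostname, scheme='http'):
    """Fetch the front page of *hostname* over *scheme* and return its WordPress version.

    Returns ``None`` when the page carries no version hint.  Network failures
    (timeouts, connection errors, ...) surface as ``requests.RequestException``
    and are left to the caller, which decides per host whether to continue.
    """
    resp = requests.get('%s://%s' % (scheme, hostname), timeout=REQUEST_TIMEOUT, headers=user_agent)
    return extract_version(resp.text)


def main(argv=None):
    """Read an Nmap XML report and print ``<host> runs on <version>`` per host.

    *argv* defaults to ``sys.argv[1:]``; its only positional argument is the
    report path (default ``output.xml``).  Hosts without a user hostname are
    skipped with an error log; unreachable hosts are reported with a version
    of ``None`` so one dead site does not abort the whole run.
    """
    argv = sys.argv[1:] if argv is None else argv
    xml_path = argv[0] if argv else 'output.xml'

    log.basicConfig(level=log.ERROR)
    log.getLogger("requests").setLevel(log.WARNING)

    tree = ET.parse(xml_path)
    for h in tree.findall('.//host'):
        hostname = hostname_of(h)
        if hostname is None:
            log.error('Host entry without a user-supplied hostname, skipping')
            continue
        wp_version = None
        try:
            wp_version = fetch_version(hostname)
        except requests.RequestException as e:
            # Only request failures are expected here; catching everything
            # previously hid bugs behind a blanket "timed out" message.
            log.error('Request to %s failed: %s', hostname, e)
        print('{} runs on {}'.format(hostname, wp_version))


if __name__ == '__main__':
    main()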