diff --git a/scripts/http-wordpress-plugins.nse b/scripts/http-wordpress-plugins.nse deleted file mode 100644 index 2cf4fc583..000000000 --- a/scripts/http-wordpress-plugins.nse +++ /dev/null @@ -1,170 +0,0 @@ -local coroutine = require "coroutine" -local http = require "http" -local io = require "io" -local nmap = require "nmap" -local shortport = require "shortport" -local stdnse = require "stdnse" -local string = require "string" -local table = require "table" - -description = [[ -Tries to obtain a list of installed WordPress plugins by brute force -testing for known plugins. - -The script will brute force the /wp-content/plugins/ folder with a dictionary -of 14K (and counting) known WP plugins. Anything but a 404 means that a given -plugin directory probably exists, so the plugin probably also does. - -The available plugins for Wordpress is huge and despite the efforts of Nmap to -parallelize the queries, a whole search could take an hour or so. That's why -the plugin list is sorted by popularity and by default the script will only -check the first 100 ones. Users can tweak this with an option (see below). -]] - ---- --- @args http-wordpress-plugins.root If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root. --- @args http-wordpress-plugins.search As the plugins list contains tens of thousand of plugins, this script will only search the 100 most popular ones by default. --- Use this option with a number or "all" as an argument for a more comprehensive brute force. --- --- @usage --- nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/",http-wordpress-plugins.search=500 --- ---@output --- Interesting ports on my.woot.blog (123.123.123.123): --- PORT STATE SERVICE REASON --- 80/tcp open http syn-ack --- | http-wordpress-plugins: --- | search amongst the 500 most popular plugins --- | akismet --- | wp-db-backup --- | all-in-one-seo-pack --- | stats --- |_ wp-to-twitter - -author = "Ange Gutek" - -license = "Same as Nmap--See http://nmap.org/book/man-legal.html" - -categories = {"discovery", "intrusive"} - - -local DEFAULT_PLUGINS_SEARCH = 100 - - -portrule = shortport.service("http") - -local function read_data_file(file) - return coroutine.wrap(function() - for line in file:lines() do - if not line:match("^%s*#") and not line:match("^%s*$") then - coroutine.yield(line) - end - end - end) -end - -action = function(host, port) - - local result = {} - local all = {} - local bfqueries = {} - - --Check if the wp plugins list exists - local wp_plugins_file = nmap.fetchfile("nselib/data/wp-plugins.lst") - if not wp_plugins_file then - return false, "Couldn't find wp-plugins.lst (should be in nselib/data)" - end - - local file = io.open(wp_plugins_file, "r") - if not file then - return false, "Couldn't find wp-plugins.lst (should be in nselib/data)" - end - - local wp_autoroot - local wp_root = stdnse.get_script_args("http-wordpress-plugins.root") - local plugins_search = DEFAULT_PLUGINS_SEARCH - local plugins_search_arg = stdnse.get_script_args("http-wordpress-plugins.search") - - if plugins_search_arg == "all" then - plugins_search = nil - elseif plugins_search_arg then - plugins_search = tonumber(plugins_search_arg) - end - - stdnse.debug1("plugins search range: %s", plugins_search or "unlimited") - - - -- search the website root for evidences of a Wordpress path - if not wp_root then - local target_index = http.get(host,port, "/") - - if target_index.status and target_index.body then - wp_autoroot = string.match(target_index.body, "http://[%w%-%.]-/([%w%-%./]-)wp%-content") - if wp_autoroot then - wp_autoroot = "/" .. wp_autoroot - stdnse.debug1("WP root directory: %s", wp_autoroot) - else - stdnse.debug1("WP root directory: wp_autoroot was unable to find a WP content dir (root page returns %d).", target_index.status) - end - end - end - - - --identify the 404 - local status_404, result_404, body_404 = http.identify_404(host, port) - if not status_404 then - return stdnse.format_output(false, SCRIPT_NAME .. " unable to handle 404 pages (" .. result_404 .. ")") - end - - - --build a table of both directories to brute force and the corresponding WP plugins' name - local plugin_count = 0 - for line in read_data_file(file) do - if plugins_search and plugin_count >= plugins_search then - break - end - - local target - if wp_root then - -- Give user-supplied argument the priority - target = wp_root .. "/wp-content/plugins/" .. line .. "/" - elseif wp_autoroot then - -- Maybe the script has discovered another Wordpress content directory - target = wp_autoroot .. "wp-content/plugins/" .. line .. "/" - else - -- Default WP directory is root - target = "/wp-content/plugins/" .. line .. "/" - end - - - target = string.gsub(target, "//", "/") - table.insert(bfqueries, {target, line}) - all = http.pipeline_add(target, nil, all, "GET") - plugin_count = plugin_count + 1 - - end - - -- release hell... - local pipeline_returns = http.pipeline_go(host, port, all) - if not pipeline_returns then - stdnse.debug1("got no answers from pipelined queries") - end - - for i, data in pairs(pipeline_returns) do - -- if it's not a four-'o-four, it probably means that the plugin is present - if http.page_exists(data, result_404, body_404, bfqueries[i][1], true) then - stdnse.debug1("Found a plugin: %s", bfqueries[i][2]) - table.insert(result, bfqueries[i][2]) - end - end - - - if #result > 0 then - result.name = "search amongst the " .. plugin_count .. " most popular plugins" - return stdnse.format_output(true, result) - else - return "nothing found amongst the " .. plugin_count .. " most popular plugins, use --script-args http-wordpress-plugins.search= for deeper analysis)\n" - end - -end -