diff --git a/CHANGELOG b/CHANGELOG
index 08e0c05b7..7c922f27d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,13 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added a new version of http-wordpress-enum, it now enumerates
+  plugins and themes of Wordpress installations. It also attempts to obtain
+  version information to detect outdated plugins. [Paulino Calderon]
+
+o [NSE] Renamed http-wordpress-enum to http-wordpress-users in favor of
+  the new version of the script http-wordpress-enum which enumerates
+  plugins and themes of Wordpress installations. [Paulino Calderon]
+
 o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398,
   to http-enum in the 'security' category [Daniel Miller]
diff --git a/nselib/data/wp-themes.lst b/nselib/data/wp-themes.lst
new file mode 100644
index 000000000..16116d354
--- /dev/null
+++ b/nselib/data/wp-themes.lst
@@ -0,0 +1,2639 @@ +twentytwelve +sahifa +twentyfourteen +Avada +twentyten +twentyeleven +jarida +Divi +optimizePressTheme +hueman +enfold +canvas +Newspaper +twentythirteen +responsive +OptimizePress +genesis +point +thesis_185 +graphene +suffusion +detube +salient +thesis +atahualpa +news +lifestyle +u-design +dt-the7 +valenti +iconic-one +hottopix +mesocolumn +magazine-pro +headway +arras +default +smart-mag +vantage +premium +simplemag +news-pro +magazine +thesis_18 +pinboard +lifestyle-pro +Nexus +frontier +customizr +foodie +metro-pro +jupiter +mantra +vip +magazine-basic +gonzo +x +prose +pagelines +maxmag +classipress +eleven40-pro +eleven40 +mystique +metro +socrates +Avenue +modernbloggerpro +flatsome +mh-magazine-lite +kallyas +braxton +freshlife +thesis_182 +inovado +weaver-ii +ribbon +clipper +inove +truepixel +Karma +catch-box +newsplus +max-magazine +genesis-sample +mh_magazine +gazette +presso +admired +weaver-ii-pro +virtue +theme +directorypress +sparkling +hiero +evolve +parabola +extranews +Aggregate +thesis_184 +3clicks +itheme2 +striking +tribune +bresponzive +epik +themerush +profitstheme_11 +sugar-and-spice +dante +tempera +expound +Lucid +wt_metro +beautiful-pro +contango +yoko +splash +playbook +mystile +Builder +blogolife +pbtheme +sight +Chameleon +saladmag +goodnews5 +catalyst +multinews +heatmap-adaptive +h4 +spacious +pinstagram +codilight +bazar +arthemia +bucket +balance +parallax-pro +minamaze +ifeature +focus +zenko +platformpro +zbench +adorable +resizable +wp-clear321 +agency +Magazinly +gameday +flat +bridge +portal +newswire +Impreza +fashionistas +explicit +envision +agency-pro +custom +freshnews +thesis_186 +videozoom +magazon-wp +blissful +travelify +simplicity +platform +arthemia-premium +swagger +schema +justlanded +child +flexform +oxygen +cherry +spike +executive-pro +typegrid11 +legatus-theme +Foxy +worldwide-v1-01 +stinger3ver20140327 +powermag +magazine-premium +hickory +fansided_v4 +theretailer +roots +prophoto5 
+biz-vektor +TheSource +bombax +Sterling +origin +gamepress +coraline +sensational +dynamik +daily +brooklyn +swift +standard +interface +couponpress +clear-line +montezuma +minimum +canvas-child +boulevard +blog +best +TheStyle +pretty +easel +corporate +truemag +flavor +weaver +twentyeleven-child +silverorchid +sevenmag +surfarama +Nimble +esplanade +bueno +alyeska +Magnificent +innov8tive +fearless +sahifa-wpcity +minimum-pro +made +infocus +Grimag +dynamik-gen +comicpress +f2 +wp-clear +Total +superstore +advanced-newspaper +WPgrosir +outreach-pro +dms +copyblogger +Polished +leaf +custom-community +attitude +refinesnow2 +indostore4-1 +iconic-one-pro +elemental +bliss +unspoken +streamline +responsivepro +wordpress-bootstrap-master +ultimatum +toolbox +refinepro +novavideo +headlines +flyingnews +directory +blankslate +Backstreet +alpha +remal +lightword +jarvis_wp +generate +dynamic +basic +alterna +volt +striking_r +nevada +getnoticed +education +make +keremiyav4 +flare +enterprise +dazzling +Circles +asteroid +wp-pravda +thesis_17 +hemingway +foodie-pro +centric-pro +arras-theme +wp +the-newswire +smartstart +rttheme18 +lightly +city-desk +WPTube4 +TheCorporation +swift-basic +great +the-bootstrap +tema +sixteen-nine-pro +porto +newsroom14 +flexibility3 +DT +blaskan +yeahthemes-sparkle +yamidoo +whitelight +thematic +storm +neighborhood +executive +enterprise-pro +mh-purity-lite +ifeaturepro5 +fungames +elemin +adelle +omega +noteworthy +inspire +DynamiX +doover +bones +betheme +Avada-Child-Theme +skeleton +simple-catch +resportsive +jarida_2.0.0 +alyoum +wt_spirit +NYEOindthemescom +CP +today +throne +stinger3ver20131217 +nominal +modernize +magxp +generatepress +fruitful +boldy +videotube +puzzles +premiumnews +LondonLive +Gameleon +flatnews +Astra +simplemag-child +prophoto4 +newstimes +kleo +keremiya +fp_discover +seowp +orion +maya +hueman-child +delicacy +bigbangwp +arcade-basic +academy +transcript +smart-mag-child +morning +imag-mag +hades 
+flexsqueeze150 +Evolution +continuum +Vertex +twentyten-child +tasteful +steam +spectrum +original +legenda +greenchilli +goodnews +focus-pro +dw-minion +bretheon +anew +Advanced-Newspaper +zeesynergie +thesis_16 +newspaper +compositio +awake +yaaburnee-themes +x-child-integrity-light +wptoko +Sahifa-Theme +magazinum +forester +elision +apollo +adams +townsquare3-music +refine-snow +pr-news +new +mainstream +hotnews +doa-ibu +xturk +wp-volcano +virtue_premium +SimplePress +rttheme17 +OneTouch +ipin +hueman-child-master +eStore +duena +article-directory +Truemag +thesis_183 +swank +snow-summit +simplefast +parallelus-mingle +nexus +my-sahifa +litepress +graphene-child +fusion +dailypress +channel +bigfeature +allegro-theme +weekly +Trim +serenity +main +magazine-style +justwrite +goodnews47 +forever +dw-focus +breeze +boilerplate +beetube +sportpress +publisher +osage +localnews +jobify +ignite +foodpress +exquisite-wp +Ciola +ab-inspiration +WPTube3 +wplms +worldwide-v1-02 +website +tiga +TheProfessional +ipinpro +gambar +ElegantFusion +delicate +colorway +bresponzive_pro +BlogPress +accentbox +wp-product +the-box +stargazer +resolution +rackhost +quadrum-theme +parallelus-salutation +Nova +News +jobroller +effectivenews +Directory +columns +channelpro +base +ari +zeedynamic +thestory +streamline-pro +square +originmag +optimize +oneup +influence +restimpo +inkzine +suevafree +simone +nirvana +match +fictive +accesspress-lite +church +radiate +hathor +portfolio-press +superhero +simplify +casper +decode +weblizar +onetone +destro +accelerate +bose +sixteen +griffin +coeur +skt-full-width +sundance +coller +bouquet +shopping +origami +i-am-one +pink-touch-2 +fifteen +exclusive +raindrops +sunspot +convac-lite +parament +edin +pilcrow +baskerville +martable +dusk-to-dawn +esquire +firmasite +tracks +beach +duster +chaostheory +embr +next-saturday +eclipse +seasun +catch-evolution +mansar +maxflat-core +smartline-lite +steira +spasalon +pictorico +fukasawa +adamos 
+engrave-lite +matheson +advertica-lite +news-mix-light +times +asteria-lite +esteem +jshop +goran +hatch +cwp-youit +corpbiz +national-basic +cara +trident-lite +unite +rubine-lite +abaris +seller +minezine +parallax +blanc +restaurateur +fastnews-light +snapshot +nictitate +invert-lite +white +clean-retina +garfunkel +gridster-lite +maryanne +adventurous +smartshop +spun +editor +catch-everest +foodeez-lite +writr +isis +papercuts +anarcho-notepad +news-magazine +eco-gray +discover +eighties +quality +storto +harmonux-core +neuro +ward +wilson +minimatica +formation +bootstrap-canvas-wp +inkness +purple-delight +perfetta +cw-magazine +market +radcliffe +areview +iribbon +hoffman +graphy +first +pinbin +alizee +phogra +brickyard +silverstone +sensitive +flat-bootstrap +verbo +boot-store +preus +boldr-lite +nova-lite +aldehyde +meris +dw-timeline +p2 +business-lite +solon +openstrap +typal-makewp005 +themify-base +radiant +newgamer +celestial-lite +snaps +myknowledgebase +d5-business-line +d5-design +klasik +illustratr +weddings +cleanport-lite +highwind +effect +x2 +customizable +expert +i-transform +temptation +verge +leatherdiary +biznez-lite +intuition +liveride +wp-simple +chocolat +serene +newspress-lite +tonic +itek +midnightcity +sketch +base-wp +food-recipes +rambo +designfolio +padhang +discovery +saga +artikler +infinite +forefront +pho +sporty +tonal +adventure +academica +govpress +stairway +independent-publisher +avenue +some-like-it-neat +frisco-for-buddypress +wp-opulus +green-lantern +family +simple-business-wp +edu-blue +semicolon +volta +quintus +blackbird +smpl-skeleton +selfie +ridizain +flato +storefront-paper +air-balloon-lite +expresscurate +circumference-lite +solo +analytical-lite +codium-grid +photostory +reviewgine-affiliate +singl +busiprof +small-business +salejunction +superb-lite +cyberchimps +opulus-sombre +pitch +restaurante +forceful-lite +nuvioaxis-beige +hero +espied +bushwick +sliding-door +rams +esell +sequel +terrifico 
+bootstrap-ultimate +nuvioaxis-green +link +white-paper +dw-wallpress +mustang-lite +travel-lite +microfusion +tiny-forge +supernova +semplicemente +cybergames +alhena-lite +visual +lupercalia +being-hueman +soliloquy +puro +xin-magazine +zeeflow +crawford +untitled +fine +cwp-megaresponsive +blogly-lite +quark +theron-lite +circle-lite +sampression-lite +gridiculous +marketer +generator +zeetasty +wp-creativix +one-page +obscura +monaco +bizstudio-lite +ascetica +syntax +vryn-restaurant +kasa +medicine +ravel +green-garden +lifelog +voyage +exhibit +landscape +clearsky +thbusiness +sorbet +viper +uu-2014 +blogbox +pinpress +smartadapt +appliance +promax +split-me +blain +ready-review +capture +copper +tidy +response +birdsite +office +aspen +carzine +columbus +lingonberry +estate +felicity +modern-business +pr-pin +pepmagazine +black-paper +magazino +cleo +ibuddy +genbu +sunrain +mywiki +water-lily +future +welcome +premium-photography +autofocus +daisychain +the-j-a-mortram +zeeminty +blox +fastr +socially-awkward +hexa +spartan +codium-extend +squirrel +photo-book +kirumo +bota +zeestyle +marla +simpleo +wp-knowledge-base +nut +sense +zeebusiness +local-business +carton +andrina-lite +butterbelly +story +figero +fluxipress +simplicity-lite +mobile +hashi +bizway +spine +zeenoble +dellow +wp-jurist +suits +dailypost +zeefocus +digital +mantle +luminescence-lite +themia-lite +jkreativ-lite +zeebizzcard +hellish-simplicity +anjirai +business-pro +wp-advocate +icy +apprise +wrock-metro +caresland-lite +the-landing-page +modern-estate +newbasic +flounder +italian-restaurant +exray +passion +minima-lite +raptor +the-espresso +health-center-lite +zeenews +delivery-lite +celebrate +kage +book-lite +photographic +vortex +devdmbootstrap3 +live-wire +attorney +tesla +desk-mess-mirrored +buttercream +weblizar-brown +prism +neutro +pinblack +advantage +firmness +gold +primo-lite +minimaliste +emphaino +spot +drop +meadowhill +vcard +wpchimp-countdown +wp-rootstrap +hybrid 
+minimize +lizardbusiness +tatva-lite +finch +gravit +hotel +boot_strap +gridz +annotum-base +semper-fi-lite +fullfolio +my-passion +studio-x +brightnews +sukelius-magazine +personaltrainer +zalive +innovative +sketchpad +classic-chalkboard +raven +tampa +displace +mixfolio +wpstart +onecolumn +hightide +bootstrap-basic +isola +ryu +rectangulum +traffica +diarjo-lite +gump +zippy +freemium +multipurpose +infoway +silverclean-lite +techism +aadya +business-guru +appointment +zeemagazine +lugada +manchester +railgun +bizflare +start-point +orbit +unique +booster +techozoic-fluid +teal +oriental +purple-modena +bosco +shop +blue-planet +golden-eagle-lite +looki-lite +prana +hephaestus +thememagic +strapvert +simon-wp-framework +hapy +path +ever-after +adaption +newschannel +zinnia +newmedia +wind +bandana +formidable-restaurant +sigma +crates +childishly-simple +takeoff +music +rtpanel +aplos +reddle +origami-paper +progeny-mmxiv +bizark +flatbox +discussion +simple-life +rundown +road-fighter +wix +newlife +mobile-first +lobster +newsframe +rhyme +enough +multiloquent +liquorice +technews +target +collerange +startupwp +brightpage +pinzolo +count-down +jbst +musik +careta +wp-flatthirteen +news-flash +cloriato-lite +three-by +current +gridbulletin +ontheside +cleanpress +delighted +shell-lite +d5-socialia +press-start +pandora +retina +bizkit +follet +kavya +orangi +boots +misty-lake +reizend +pratt +chun +tswebiz +naturefox +de-naani +chunk +wiziapp-smooth-touch +d5-corporate-lite +epic +dzonia-lite +athenea +fresh-lite +cirrus +picolight +vision +chooko-lite +hazen +adventure-journal +aura +birdtips +tungsten +medical-center +snowblind +striker +awakening +tdpersona +ugallu +elisium +kippis +tikva +fotogram +mon-cahier +black-rider +startup +forestly +retro-fitted +irex-lite +museum +timeturner +esperanza-lite +leniy-radius +my-blue-construction +cerise +greek-restaurant +food-and-diet +bizsphere +multicolors +columnist +undiscovered +tarski +impulse-press +silesia 
+travel-planet +alpha-trinity +aletheia +typefocus +evyr +redline +mn-flow +diginews +gray-and-square +refresh +carrington-blog +venom +wordsmith-anvil +restaurant +nuntius +sans-serif +its-a-girl +bold-headline +elegantwhite +zeecorporate +earth-pro +enrichmg +khnum +pachyderm +koenda +osiris +clearly +photolistic +daisy-blue +pepbiz +web-minimalist-200901 +wp-barrister +travel-guide +kelly +gumbo +stitch +constructor +mckinley +narga +three-nine-eight +central +rcg-forest +ex-astris +poloray +cute-frames +purple-pro +typo-o-graphy +dinky +photomaker +madeini +silver-mag-lite +progression +fad +chelonian +mog +publish +d5-colorful +bunny +veryplaintxt +tanzanite +nouveau-riche +colorlight +darke +opus +mygrid2 +zeevision +landline +romangie +pool +the-skeleton +bartleby +kabbo +almasi +whimsical-love +green-eye +bizantine +just-landing +grey-opaque +zeepersonal +absolum +carrington-mobile +pinblue +zeedisplay +nile +creativemag +quickstart +arjuna-x +modularity-lite +smoky +haunted-house +pictorial +picture-perfect +kyan +connections-reloaded +shop-front +origami-evergreen +crangasi +minimagazine +kubrick-2014 +planet-foundation +retention +vertigo +melany +heavenly +book-inspiration +colorful-delight +infinity +mountain-creek +faq +business-mind +infinitano +kotetsu +shprink-one +fragrance +f8-lite +byblos +tycoon +expressions +dark-tt +wpfolio +able +zombie-apocalypse +willingness +pisces +mercury +sunny-blue-sky +adaptive-flat +wpboot +imprint +blueberry +woodpecker +socialize-lite +runo-lite +box-of-boom +espressionista +newsworthy +chinese-restaurant +tdsimple +polar-lite +distinction +clean-black +grisaille +mt-dark +hannari +multi +hudson +bizznis +the-go-green-theme +simply-vision +fruit-shake +rustic +big-city +desire +impulse +shiword +oenology +plaintxtblog +debut +makron +harmony-2-0 +chiron +holi +christmaspress +arunachala +ahimsa +primepress +tally-framework +d5-smartia +bizmo +usha +pixel +winter +elbee-elgee +universal +my-life +nest 
+toommorel-lite +writerstrap +ezyreader +threadz +duotone +alpha-lite +newdark +m1 +business-casual +sonar +canoe +sneak-lite +vanilj +wordplus +birdflat +dine-with-me +green-apples +greyzed +elements-of-seo +cloudy +floki +newp +activetab +living-journal +cybermag +painter +application +my-way +picturesque +healthy-wp +summit-lite +elmax +museum-core +sempress +launchpad +my-flatonica +tiger +deux-milles-douze +magomra +barthelme +firstyme +frau +neighborly +albinomouse +chip-life +journalist +kingdom +priimo +motion +northern-clouds +convention +lean +radar +shipyard +zeecompany +adroa +presentation-lite +cakifo +penny +toothpaste +codium +webvideo +naya-lite +litesite +city-informer +simplenotes +carrot-lite +simvance +tarali +my-wooden-under-construction +dot-b +flatty +bitter-sweet +clean-yeti-basic +required +satu +brand-new-day +chip-zero +scrappy +leftside +decemberable +multi-color +fiver +responsivitis +panels +bootpress +vintage-camera +best-corporate +strange-little-town +syn +trending +ranunculus +hostmarks +journalism +radius +newtek +glossy-stylo +modern-notepad +ambling-bellows +easy +quickpress +silver-spot +squeezeme +clear +just-pink +tsw-clear-sky +drochilli +oriental-writing +the-final-frontier +rewind +yume +amdhas +ice-fresh +privatebusiness +gommero +foghorn +wu-wei +simplyblack +blue-mist +accessible-zen +counterpoint +hdboilerplate +monster +inkblot +journal-lite +clear-style +bluegray +blossom +realm +cherry-blossom +fastfood +redpro +piano-black +zweig +monochrome +digest +simple-style +stripefolio +tuesday +fishbook-buddypress-buddypack +simple-portal +skylark +premium-style +clear-tranquil +travel-in-italy +color-palette +quickpic +beta +mt-white +skirmish +sweet-tech +prototype +allmed +minimalizine +smartbiz +simple-classic +lovetype +regalway +silver-blue +creare-site +why-hello-there +nuviofuturemag-red +bron +adsticle +k2 +plain-wp +figureground +jbst-masonary +sandbox +daffodil +fresh-ink-magazine +panel +stork +swiftray +cheer 
+whispy +franklin +darkorange +vertimagazine +camp +indigos +colorsnap +enterprise-lite +azul +ilisa +polaroids +puddle +twentyxs +appointway +the-fundamentals-of-graphic-design +sagan +status +blue-peace +kepler +san-kloud +eino +wortex-lite +atheros +gemer +personal-journal +cwp-robi +alice +linedrawing +polaris +shades +tpsunrise +archy +media-maven +roundtable +inanis-glass +linia +minimalism +something-fishy +chocotheme +jc-one-lite +circa +my-white +my-depressive +tweaker5 +vivacity +orangy +blogotron +cave +bikaner +intrepidity +cobalt-blue +quickchic +ice-breaker +station +orange-techno +dkret3 +medical +slimwriter +b3 +darwin-buddypress-buddypack +modish +baza-noclegowa +modern-multipurpose +liasblueworld +fanwood +obandes +inferno-mf +meta_s2 +redify +green-theme +greener-side +dknote +water +pelham +hypnotist +coffee-time +fiore +coogee +zenlite +bitlumen +twelve-14 +phat +wp-straphero +tydskrif +uptown +bluesky +my-money +doc +planetemo +reposter +writer +sketchbook +zeelinear +baseshine +wp-themingstrap +spirit +tropicala +fancier +gitsta +rembrandt +tuned +layers +dancing-in-the-moonlight +frantic +wsc6 +coffee +blocomo +dark-wood +accessible-onetwo +cuttlefish +sepfyre +smartone +themage +tweaker4 +lazyprof +springfestival +birdmagazine +bwater +skyfall +live-color +limelight +minimal +fixy +light-clean-blue +girl +deepblue +siempel +artcity +avatar +studiopress +oulipo +shaan +takteek01 +redbel +empo +divine +cafe +piedmont +ready2launch +sixhours +desaindigital +cleanr +outset +journal-box +wp-framework +cycnus +auroral-theme +pep +arzine +akyuz +uridimmu +simple-china +relik +bloxy-two +the-night-watch +black-green +evanescence +blogtxt +emerald +scylla-lite +plain-jane +aquarius +curation +developer-2014 +swiss +bicubic +codium-light +engineering-and-machinering +lithium +xin +strawberry-blend +the-erudite +infosource +wp-headr +coffee-desk +screens +utility +librio +epublishing +albizia +newbar +tanzaku +elucidate +yb-auto +planc +burning-bush 
+crucial +lemuralia +bella +kvarken +hellosexy +mxs +my-contrastica-under-construction +sunshine +persia +a-little-touch-of-purple +generous +vistalicious +greenxi +newsmin +xodogo +timecrunch +shiro +bluebird +weavr +amerifecta +wp-strapthirteen +p3 +voidy +groundwork +aapna +red-modern +lysa +slipstream +citrus-mix +witcher-world +simplr +commune +semprul +redtime +xclusive +azpismis +bw +my-zebra +dfblog +tabula-rosa +dk +here-ya-go +classroom-blog +rostar +nuvioelement-orange +jeans +mybaby +flexi-blue +quadra +blue-with-grey +waterside +nu-white +_second-foundation +nu2013 +alkane +papyrus +german-newspaper +elegant-box +mantel-lite +prosumer +thetalkingfowl +minimag +akasse +fanoe +minicard +ground-floor +blogfolio +codepeople-light +color-shading +newpersonal +simple-and-clean +picoclean +howard-simple +goodtheme-lead +crisp-persona +dark-marble +organik +adsimple +opus-primus +serena +mumrik +pyrmont-v2 +modern-blue +desk +mbius +fluid-blue +renownedmint +bubblepress +luxury +violinesth-forever +eos +happy-cyclope +floristica +generic-framework +elite-lite +galaxy +simplistic +contrast-style +hro +2013-blue-sequence +zeeb +comment-central +simple-wp-community-theme +ghostbird +sienna +atmosphere-2010 +flat-portfolio +tagebuch +mysense1 +floral-belle +a-piece-of-cake +kreativ +hardpressed +dyne +scrapbook +christmas-joy +blocks2 +win7blog +clean-content +jq +2013-blue +page +photosmyth +darkzen +minipress +simple-mag +2013-green-sequence +alibi +ink-and-wash +state-of-mind +simplemarket +cell +biotodoma +zwei-seiten +andrea +tashan +pink-tulip +rgb +four-years +victorian-xmas +japan-style +softlights +embed +organic-theme +dogs-life +superfresh +black-hat +white-xmas +memori-jingga +the-buffet-framework +indore +chinese-love +hanamoto +seasons-theme-autumn +ar +fancy +timeless +cw-red +urban-view +epione +dear-diary +neonglow +warmwinter +dodo +2013-green +enormous +revolt-basic +nano-blogger +buddymatic +mxs2 +tswwide +jaguza +daisy-gray +candid +wordpost 
+terminally +lightweight-personal +grey-matter +projapoti +bromine +simplest +alpha-nexus +shamatha +nishita +adams-razor +lonelytree +canyon +kwikload +gule +no-frills +trvl +billions +fazyvo +deep-silent +annotum-sans +wp-castle +dum-dum +headless +woodberry +saffron +disconnected +webmagazine +wikiwp +johnloan +machine +therunningstone +mimbolove +wp-strapblogger-lite +justcss +classic +pantheon +76-digital-orange +softly +simpleblue +clear-seo-blue-eng +readr +jet +commodore +varg +sonoichi +emptiness +facade +wood-is-good +jasov +kotenhanagara +charcoal +thinlines +adept +avenue-k9-buddypress-buddypack +northern-web-coders +summ +redtopia +furry-family +squared +neo_wdl +cloudy-night +undistracted-zen +acitpo +twist-of-ten +witcher-mind +soho-serenity +gray-white-black +istudio-theme +nearly-sprung +mnmlist +vista-like +garland-revisited +seismic-slate +thistle +corporate-theme-v2 +heartland +asokay +landzilla +daleri-sweet +blueez +gitem +greenleaf +live +crafty-cart +stripay +breathe +jokkmokk +black-board +breezing +gradient +stardust +panorama +third-style +zack-990 +ma8 +subtleflux +chocolate-lite +belle +icontent +inkmag +swedish-greys +xmark +gray-base-plate +heatmap-adsense-theme +fazio +buddypress-colours +litesta +42k +litethoughts +river-of-silver +caribou +wp-eden +selalu-ceria +glass +distinctpress +brownline +green-hope +vita +ambrosia +sakura +pulsepress +citizen-kane +frente +clean-simple-white +vina +shine +droidpress +extreme-typewriter +dojo +cleanfrog +shades-of-gray +stargazer-colloquium +respon +one-day-at-a-time +portal-colorido +news-leak +palmixio +bad-mojo +aurora +noble +alpha-source +borderpx +silent-film +corner +beauty +viking +ectopudding +blogsimplified +mybook +outside-the-box +idris +wooden-mannequin +krakatau +renegade-ii +simplixity +fresh-editorial +lukoo +the-bizness +batik +pink-orchid +hope +nature_wdl +sidebarssuck +apricot +black-urban +typografia +baris +lunatic-fringe +a-kelleyroo-halloween +written +cupcake-love 
+softgreen +bp-fakename +khaki-traveler +ani-world +wordsmith +slight +corporate-globe +nightly +bubbles-squared +glossyred +alkimia +patagonia +manhattan +orangelight +social +infoist +rugged +evening-shade +tweetsheep +tech2 +10pad2-rising-sun +wolf +php-ease +magicbackground +maze +less-is-less +liasorangec +baltimore-phototheme +new-balance-of-blue +azure-basic +basic-simplicity +paper3 +curved-air +ghostwriter +cogworks +dynablue +karappo-style +graffitti-wall +wallpapered +simpcalar +pellucid-dashed +jooc +indo-blogazine +devart +blass2 +dark-water-fall +my-buddypress +bbpress-twenty-ten +boldly-go-green +threattocreativity +pinknpurple +northern-lights +jules-joffrin +silver-quantum +blue-and-grey +simplish +phantom +blogaholic-blue +kitten-in-pink +blackbrown +quick-vid +vacuous +fadonet-alien +what-so-proudly-we-hail +airmail-par-avion +iphonelike +ant-magazine +grainyflex +ministry-free +yashfa +kaleidoscope +shelter +descartes +think-me +deerawan-cloudy +stack +respare +blend +zindi +4colourslover +twilight-crown +screwdriver +polos +stheme +idream +thirtyseventyeight +color3 +tyler +half-baked +angler +tdblu +keke +westkitnet +paramitopia +dream-in-infrared +partnerprogramm +embrace +icandy +tswplain +emerald-stretch +blackneon +flint +nature +os-blue-sky +simplue +snc-mono +white-gold +twofile +padangan +color-splash +black-lucas +unnamed-lite +open-sourcerer +red-delicious +turuncu-gemi +minimous +fortissimo +set_sail +jbst-1pxdeep +synergy +7color +spooky +webbutveckling +basic2col +js-o3-lite +tweaker3 +universal-web +translucent-fluidity-2 +colormagic +this-just-in +2013-orange-sequence +night-royale +scruffy +skeletos +baughxie +anfaust +neutica +wp-bats-theme +gold-pot-theme +adstyle +hanging +simply +juicyroo +miscellany +wappos +underwater +inthedistance +eximius +sunset +freedream +superslick +shocking +hypochondria +wp-perfect +love-the-orange +morning-coffee +grunger +irrigation +blue21 +wp-centrik +thatgolf-theme +lenora +ayumi +our-rights 
+simple-round +secluded +fsk141-framework +cbfour +l2aelba-2 +san-francisco +red-evo-aphelion +factoryreset +rbox +vermillon +clean-press +started +premium-modern-orange +letspanic +regal +greyville +watercolor +8some +celestial-aura +maiden-voyage +blog-design-studio-newblue +nuviorevolt-blue +cleanroar +lamya +magup +fixed-blix +carbonize +live-music +dark-side +coaster +simplex-bright +blocks +default-enhanced +greenblog +pahlawanweb +minimal-georgia +acid-rain +starburst +only-coffee +fam +diabolique-fountain +cloudclutter +christmas-1 +mountain-dawn +width-smasher +brushedmetal +aggiornare +dojuniko +js-paper +gray-and-gold +skulls +modern-style +toronto +old-popular-yolk +dynamiccolor +orangejuice +spanish-translation-us +auto-dezmembrari +midnight-blue +silent-blue +typographywp +sh-trocadero +tremor +modern-blue-style +hello-d +in-berlin +modmat +voodoo-empire-2 +front-page +retweet +webbdesign +shadowbox +businessxpand_loupe +encyclopedia +blueclouds +grassland +aurelia +silverback +the-lord-of-the-rings +philna2 +daily-minefield +cryonie +cubismo +blog-happens +cbone +moonbeams +bluesensation +kasrod +light-and-modern +rubix +plaza +super-light +hamid-bakeri +fidi-2 +wasteland +abcok +la-school-blue +sirup +lazy-sunday +dialogue +metrowp +mzx-static +dark-shadows +edegree +prime +simplebeauty +catastrophe +j2-simple +svelt +xioletter +deep-mix +simpleblocks +reference +noise +jonk +star +sassy-starter +deshnok +metronome +simple-indy +greenie +accountant +notepad-theme +girly +jukt-micronics-buddypress-buddypack +ever-watchful +violinesth +kuulblack +mammoth +subsimple +anand +l2aelba-1 +meadowland +c +businessxpand_twieme +hyaline +music-illustrated +zdark +plain-fields +fresh +i-heart-pc +sharp-orange +ruby-the-diamond +luxury-press +oxydo +fitzgerald +web-20 +wp_edublog +clover +company-website-001 +curve +this-christmas +room-34-baseline +modesty +atmospheric-augmentation +piggie-bank +potala +blue-clean +cb-blog +orange-grey-white +animass 
+cp-minimal +blue-server +thatsimple +pixilate +writers-blog +mnml +pink-and-purple +corp +guangzhou +looming +fifty-fifth-street +medieval +random-background +cute-bubbles +page-shippou +mini +nanoplex +djupvik +easy-view +gray-lines +downtown-night +artblog +carrington-text +polka-dots +surreal-reality +easyone +finojaho +jester +simple-blog-design-2 +straight-up +gypsy +reclamation +brblack +space +roughdrive +content +orange-coffee +minimoo +smooth +get-some +skinbu +monospace +whispy-blue +page-balloon +integrati +lb-mint +nettigo-brown +lobeira +snag +artistic +the-wall +kuuler-i +vinica +board-blue +moonlight +wild-flower +splix +undedicated +lovelyanimals +minimalistic +31three +wptune +applex +purity-of-soul +cssfever +a +modern-vintage +proslate +blue-grey-white +ractopress +director-theme +tiki-time +cherry-dreams +son-of-blue +crafty +blog-curvo +blue-modern +peruns-weblog +tweetmeblue +abov +parquetry +green-one +blueprint-theme +zsofa +artsavius-blog +eviro +silver-dreams +seismic-manhattan +pink-4-october +dirty-blue +rtmoto +aestival +soccer +neutra +locket +exile +lime-radiance +greymonger-theme +narcissus +sxss-droid +straightforward +blue-design +simplepress-2 +my-sweet-diary +ambergreen +lorem-ipsum +web-20-simplified +alibi3col +colorful-motive +little +very-english +buddytheme +pretty-parchment +philna +e +opor-ayam +mazeld +john-loan-pro +notes-blog-core-theme +translucent-dream +nice-wee-theme +sky-blue +jbst-branding +altis-fx +mydaysofamber +homywhite +trendy +whitepress +iflukantur +valentine +rolas-sepuluh +simple-green +myjournal-theme +bold-life +modernity +misanthropic-realm +untheme-two-column +black-with-orange +waltz-with-bashir +photog +black-glass +page-tiny +macpress +pencil-draw +bluemod +lothlorien +spicy-typography +bwd-2 +simpleindo +disciple +simple-blog-design +smoked +filmix +newsprint +businessxpand_duo +mqb +audacity-of-tanish +blue +basal +mypoker +fishlover +lean-and-clean-arizona +birdie +hinagata +huan +cool-green 
+news-print +gears-and-wood +wpcomic +magnolia +ggsimplewhite +5-years +pl00 +noir +ultralight +kinyonga +wp-soul +zen-garden +silhouette +bito +wp-portaltheme +under-the-sea +q-press +sidon +3colours +flashcast +greentweet_extend +darkbasic +elegant +anonymous-elegance +wplight-theme +acms +daydreams +plainmagic +pundit +gchrome +zenpro +shades-of-blue +typos +tarimon-black1 +diary-k +graveyard-shift +miniwp +groucho +zfirst +offset-writing +grunge-music +the-content-blue +merry-christmas +nocturnal +nature-theme +blue-taste +tree-house +tsw +bahama +wpelegance2col +so-fresh +namib +quietly-simple +artemis +rhapsody +clean-and-plain +bbv1 +kolorful +imstillrunningdave +freedream2010 +contender +businessxpand_multicol +one +untitled-i +simplev +surreal +aav1 +lavender-dream +tarimon-notse +soft-team +scribblings +freizeitler-nonpurista +serious-blogger +beardsley +videographex +dreamline +ilookgood +in-the-clouds +zkrally +myblogstheme +stupidgenius +digu +sthblue +small-business-seo +leathernote +one-simplemagazine +just-kite-it +simba +anjing +a-daring-inspiration-theme +fluid-blogging +bluejay +bluecube +lb-spring-2009 +first-lego-league-official +underground-film +real-estate-blog +sonne +simply-pink +y +publicizer +musa-sadr +future-day +louisebrooks +aquasunny +tundra-theme +y2k +blueblack-theme +staypressed +dark-temptation +wplatformer +annexation +horisontal +sandfish +white-boxes +minion +vibe +seatlle-night +losemymind-ii +tuaug4 +torn +mmistique +liberty +inblu +bodhi +cammino +impatience +pangea +persephone +bare +ease +light-graffiti +techblue-adsense-ready-theme +tweaker +gormspace +zeta-zip +sepia +ringbinder +lyndi1 +clean-blue +lemming +horizontal-theme +nocss +the-next-lvl +aquablock +tembesi +fluvio +zgrey +seawater +proclouds +food-recipe +flowery +neewee +magazine-drome +tyson-pro +js-o1 diff --git a/scripts/http-wordpress-enum.nse b/scripts/http-wordpress-enum.nse index 87e682b9e..cdf1468fb 100644 --- a/scripts/http-wordpress-enum.nse 
+++ b/scripts/http-wordpress-enum.nse 
@@ -1,146 +1,295 @@ +local coroutine = require "coroutine" local http = require "http" local io = require "io" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" +local table = require "table" description = [[ -Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. +Enumerates themes and plugins of Wordpress installations. The script can also detect + outdated plugins by comparing version numbers with information pulled from api.wordpress.org. -Original advisory: -* http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure +The script works with two separate databases for themes (wp-themes.lst) and plugins (wp-plugins.lst). +The databases are sorted by popularity and the script will search only the top 100 entries by default. +The theme database has around 32,000 entries while the plugin database has around 14,000 entries. + +The script determines the version number of a plugin by looking at the readme.txt file inside the plugin +directory and it uses the file style.css inside a theme directory to determine the theme version. +If the script argument check-latest is set to true, the script will query api.wordpress.org to obtain +the latest version number available. This check is disabled by default since it queries an external service. + +This script is a combination of http-wordpress-plugins.nse and http-wordpress-themes.nse originally +submited by Ange Gutek and Peter Hill. + +TODO: +-Implement version checking for themes. 
]] --- --- @usage --- nmap -p80 --script http-wordpress-enum --- nmap -sV --script http-wordpress-enum --script-args limit=50 --- +-- @usage nmap -sV --script http-wordpress-enum +-- @usage nmap --script http-wordpress-enum --script-args check-latest=true,search-limit=10 +-- @usage nmap --script http-wordpress-enum --script-args type="themes" +-- +-- @args http-wordpress-enum.root Base path. By default the script will try to find a WP directory +-- installation or fall back to '/'. +-- @args http-wordpress-enum.search-limit Number of entries or the string "all". Default:100. +-- @args http-wordpress-enum.type Search type. Available options:plugins, themes or all. Default:all. +-- @args http-wordpress-enum.check-latest Enables version check. Default:false. +-- -- @output --- PORT STATE SERVICE REASON --- 80/tcp open http syn-ack --- | http-wordpress-enum: --- | Username found: admin --- | Username found: mauricio --- | Username found: cesar --- | Username found: lean --- | Username found: alex --- | Username found: ricardo --- |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-enum.limit' +-- PORT STATE SERVICE +-- 80/tcp open http +-- | http-wordpress-enum: +-- | Search limited to top 100 themes/plugins +-- | plugins +-- | akismet +-- | contact-form-7 4.1 (latest version:4.1) +-- | all-in-one-seo-pack (latest version:2.2.5.1) +-- | google-sitemap-generator 4.0.7.1 (latest version:4.0.8) +-- | jetpack 3.3 (latest version:3.3) +-- | wordfence 5.3.6 (latest version:5.3.6) +-- | better-wp-security 4.6.4 (latest version:4.6.6) +-- | google-analytics-for-wordpress 5.3 (latest version:5.3) +-- | themes +-- | twentytwelve +-- |_ twentyfourteen -- --- @args http-wordpress-enum.limit Upper limit for ID search. Default: 25 --- @args http-wordpress-enum.basepath Base path to Wordpress. Default: / --- @args http-wordpress-enum.out If set it saves the username list in this file. 
+-- @xmloutput +-- +-- 5.1 +-- 5.3 +-- google-analytics-for-wordpress +-- /wp-content/plugins/google-analytics-for-wordpress/ +-- plugins +--
+-- +-- themes +-- /wp-content/themes/twentytwelve/ +-- twentytwelve +--
+-- Search limited to top 100 themes/plugins --- -author = "Paulino Calderon " -license = "Same as Nmap--See http://nmap.org/book/man-legal.html" -categories = {"auth", "intrusive", "vuln"} +author = {"Ange Gutek", "Peter Hill", "Gyanendra Mishra", "Paulino Calderon"} +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" + +categories = {"discovery", "intrusive"} + +local DEFAULT_SEARCH_LIMIT = 100 +local DEFAULT_PLUGINS_PATH = '/wp-content/plugins/' +local WORDPRESS_API_URL = 'http://api.wordpress.org/plugins/info/1.0/' portrule = shortport.http ---- --- Returns the username extracted from the url corresponding to the id passed --- If user id doesn't exists returns false --- @param host Host table --- @param port Port table --- @param path Base path to WP --- @param id User id --- @return false if not found otherwise it returns the username ---- -local function get_wp_user(host, port, path, id) - stdnse.debug2("Trying to get username with id %s", id) - local req = http.get(host, port, path.."?author="..id, { no_cache = true}) - if req.status then - stdnse.debug1("User id #%s returned status %s", id, req.status) - if req.status == 301 then - local _, _, user = string.find(req.header.location, 'https?://.*/.*/(.*)/') - return user - elseif req.status == 200 then - -- Users with no posts get a 200 response, but the name is in an RSS link. - -- http://seclists.org/nmap-dev/2011/q3/812 - local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/') - return user +--Reads database +local function read_data_file(file) + return coroutine.wrap(function() + for line in file:lines() do + if not line:match("^%s*#") and not line:match("^%s*$") then + coroutine.yield(line) + end end - end - return false + end) end ---- ---Returns true if WP installation exists. 
---We assume an installation exists if wp-login.php is found ---@param host Host table ---@param port Port table ---@param path Path to WP ---@return True if WP was found --- -local function check_wp(host, port, path) - stdnse.debug2("Checking %swp-login.php ", path) - local req = http.get(host, port, path.."wp-login.php", {no_cache=true}) - if req.status and req.status == 200 then - return true +--Checks if the plugin/theme file exists +local function existence_check_assign(act_file) + if not act_file then + return false end - return false + local temp_file = io.open(act_file,"r") + if not temp_file then + return false + end + return temp_file + end + +--Obtains version from readme.txt or style.css +local function get_version(path, typeof, host, port) + local pattern, version, versioncheck + + if typeof == 'plugins' then + path = path .. "readme.txt" + pattern = 'Stable tag: ([.0-9]*)' + else + path = path .. "style.css" + pattern = 'Version: ([.0-9]*)' + end + + stdnse.debug1("Extracting version of path:%s", path) + versioncheck = http.get(host, port, path) + if versioncheck.body then + version = versioncheck.body:match(pattern) + end + stdnse.debug1("Version found:", version) + return version end ---- ---Writes string to file ---Taken from: hostmap.nse ---@param filename Target filename ---@param contents String to save ---@return true when successful -local function write_file(filename, contents) - local f, err = io.open(filename, "w") - if not f then - return f, err - end - f:write(contents) - f:close() - return true -end +-- check if the plugin is the latest +local function get_latest_plugin_version(plugin) + stdnse.debug1("Retrieving the latest version of %s", plugin) + local apiurl = WORDPRESS_API_URL .. plugin .. 
".json" + local latestpluginapi = http.get('api.wordpress.org', '80', apiurl) + local latestpluginpattern = '","version":"([.0-9]*)' + local latestpluginversion = latestpluginapi.body:match(latestpluginpattern) + stdnse.debug1("Latest version:%s", latestpluginversion) + return latestpluginversion +end - ---- ---MAIN ---- action = function(host, port) - local basepath = stdnse.get_script_args("http-wordpress-enum.basepath") or "/" - local limit = stdnse.get_script_args("http-wordpress-enum.limit") or 25 - local filewrite = stdnse.get_script_args("http-wordpress-enum.out") - local output = {""} - local users = {} - --First, we check this is WP - if not(check_wp(host, port, basepath)) then - if nmap.verbosity() >= 2 then - return "[Error] Wordpress installation was not found. We couldn't find wp-login.php" + + local result = {} + local file = {} + local all = {} + local bfqueries = {} + local wp_autoroot + local output_table = stdnse.output_table() + + --Read script arguments + local operation_type_arg = stdnse.get_script_args(SCRIPT_NAME .. ".type") or "all" + local apicheck = stdnse.get_script_args(SCRIPT_NAME .. ".check-latest") + local wp_root = stdnse.get_script_args(SCRIPT_NAME .. ".root") + local resource_search_arg = stdnse.get_script_args(SCRIPT_NAME .. 
".search-limit") or DEFAULT_SEARCH_LIMIT + + local wp_themes_file = nmap.fetchfile("nselib/data/wp-themes.lst") + local wp_plugins_file = nmap.fetchfile("nselib/data/wp-plugins.lst") + + if operation_type_arg == "themes" or operation_type_arg == "all" then + local theme_db = existence_check_assign(wp_themes_file) + if not theme_db then + return false, "Couldn't find wp-themes.lst in /nselib/data/" else - return + file['themes'] = theme_db end - end - - --Incrementing ids to enum users - for i=1, tonumber(limit) do - local user = get_wp_user(host, port, basepath, i) - if user then - stdnse.debug1("Username found -> %s", user) - output[#output+1] = string.format("Username found: %s", user) - users[#users+1] = user - end - end - - if filewrite and #users>0 then - local status, err = write_file(filewrite, stdnse.strjoin("\n", users)) - if status then - output[#output+1] = string.format("Users saved to %s\n", filewrite) + end + if operation_type_arg == "plugins" or operation_type_arg == "all" then + local plugin_db = existence_check_assign(wp_plugins_file) + if not plugin_db then + return false, "Couldn't find wp-plugins.lst in /nselib/data/" else - output[#output+1] = string.format("Error saving %s: %s\n", filewrite, err) + file['plugins'] = plugin_db + end + end + + if resource_search_arg == "all" then + resource_search = nil + else + resource_search = tonumber(resource_search_arg) + end + + -- search the website root for evidences of a Wordpress path + if not wp_root then + local target_index = http.get(host,port, "/") + + if target_index.status and target_index.body then + wp_autoroot = string.match(target_index.body, "http://[%w%-%.]-/([%w%-%./]-)wp%-content") + if wp_autoroot then + wp_autoroot = "/" .. 
wp_autoroot + stdnse.debug(1,"WP root directory: %s", wp_autoroot) + else + stdnse.debug(1,"WP root directory: wp_autoroot was unable to find a WP content dir (root page returns %d).", target_index.status) + end end end - if #output > 1 then - output[#output+1] = string.format("Search stopped at ID #%s. Increase the upper limit if necessary with 'http-wordpress-enum.limit'", limit) - return stdnse.strjoin("\n", output) + --identify the 404, the script cant handle ambiguous responses + local status_404, result_404, body_404 = http.identify_404(host, port) + if not status_404 then + return stdnse.format_output(false, SCRIPT_NAME .. " unable to handle 404 pages (" .. result_404 .. ")") end + + + --build a table of both directories to brute force and the corresponding WP resources' name + local resource_count=0 + for key,value in pairs(file) do + local l_file = value + resource_count = 0 + for line in read_data_file(l_file) do + if resource_search and resource_count >= resource_search then + break + end + + local target + if wp_root then + -- Give user-supplied argument the priority + target = wp_root .. string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + elseif wp_autoroot then + -- Maybe the script has discovered another Wordpress content directory + target = wp_autoroot .. string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + else + -- Default WP directory is root + target = string.gsub(DEFAULT_PLUGINS_PATH, "plugins", key) .. line .. "/" + end + + + target = string.gsub(target, "//", "/") + table.insert(bfqueries, {target, line}) + all = http.pipeline_add(target, nil, all, "GET") + resource_count = resource_count + 1 + + end + -- release hell... 
+ local pipeline_returns = http.pipeline_go(host, port, all) + if not pipeline_returns then + stdnse.print_verbose(1,"got no answers from pipelined queries") + return nil + end + local response = {} + response['name'] = key + for i, data in pairs(pipeline_returns) do + -- if it's not a four-'o-four, it probably means that the plugin is present + if http.page_exists(data, result_404, body_404, bfqueries[i][1], true) then + stdnse.debug(1,"Found a plugin/theme:%s", bfqueries[i][2]) + local version = get_version(bfqueries[i][1],key,host,port) + local output = nil + + --We format the table for XML output + bfqueries[i].path = bfqueries[i][1] + bfqueries[i].category = key + bfqueries[i].name = bfqueries[i][2] + bfqueries[i][1] = nil + bfqueries[i][2] = nil + + if version then + output = bfqueries[i].name .." ".. version + bfqueries[i].installation_version = version + --Right now we can only get the version number of plugins through api.wordpress.org + if apicheck == "true" and key=="plugins" then + latestversion = get_latest_plugin_version(bfqueries[i].name) + if latestversion then + output = output .. " (latest version:" .. latestversion .. ")" + bfqueries[i].latest_version = latestversion + end + end + else + output = bfqueries[i].name + end + output_table[bfqueries[i].name] = bfqueries[i] + table.insert(response, output) + end + end + table.insert(result, response) + bfqueries={} + all = {} + end + local len = 0 + for i, v in ipairs(result) do len = len >= #v and len or #v end + if len > 0 then + output_table.title = string.format("Search limited to top %s themes/plugins", resource_count) + result.name = output_table.title + return output_table, stdnse.format_output(true, result) + else + if nmap.verbosity()>1 then + return string.format("Nothing found amongst the top %s resources,".. + "use --script-args search-limit= for deeper analysis)", resource_count) + else + return nil + end + end + +end + 
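Review bot: In `get_latest_plugin_version` the api.wordpress.org response is used without a check, so when the API is unreachable or returns no body `latestpluginapi.body:match(...)` raises inside `action` and the whole run aborts, discarding every plugin and theme already identified; add `if not (latestpluginapi and latestpluginapi.body) then return nil end` before the match. The same request is built from the full `WORDPRESS_API_URL`, so the path handed to `http.get` is an absolute URL rather than `/plugins/info/1.0/<plugin>.json`; unless the absolute form is intended, the constant should hold only the path part. In `action`, `resource_search` and `latestversion` are assigned without `local` and leak into the script environment, and a `search-limit` value that is neither a number nor "all" makes `tonumber` return nil, which silently switches the run to scanning the entire database. `stdnse.debug1("Version found:", version)` in `get_version` has no `%s`, so the extracted version is never logged; use `stdnse.debug1("Version found:%s", version)`. Finally, the handles returned by `existence_check_assign` are never closed; a `value:close()` after the `read_data_file` loop over each database would release them.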
diff --git a/scripts/http-wordpress-users.nse b/scripts/http-wordpress-users.nse new file mode 100644 index 000000000..808899682 --- /dev/null +++ b/scripts/http-wordpress-users.nse 
@@ -0,0 +1,146 @@ +local http = require "http" +local io = require "io" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" + +description = [[ +Enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. + +Original advisory: +* http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure +]] + +--- +-- @usage +-- nmap -p80 --script http-wordpress-users +-- nmap -sV --script http-wordpress-users --script-args limit=50 +-- +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-wordpress-users: +-- | Username found: admin +-- | Username found: mauricio +-- | Username found: cesar +-- | Username found: lean +-- | Username found: alex +-- | Username found: ricardo +-- |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit' +-- +-- @args http-wordpress-users.limit Upper limit for ID search. Default: 25 +-- @args http-wordpress-users.basepath Base path to Wordpress. Default: / +-- @args http-wordpress-users.out If set it saves the username list in this file. 
+--- + +author = "Paulino Calderon " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"auth", "intrusive", "vuln"} + + +portrule = shortport.http + +--- +-- Returns the username extracted from the url corresponding to the id passed +-- If user id doesn't exists returns false +-- @param host Host table +-- @param port Port table +-- @param path Base path to WP +-- @param id User id +-- @return false if not found otherwise it returns the username +--- +local function get_wp_user(host, port, path, id) + stdnse.debug2("Trying to get username with id %s", id) + local req = http.get(host, port, path.."?author="..id, { no_cache = true}) + if req.status then + stdnse.debug1("User id #%s returned status %s", id, req.status) + if req.status == 301 then + local _, _, user = string.find(req.header.location, 'https?://.*/.*/(.*)/') + return user + elseif req.status == 200 then + -- Users with no posts get a 200 response, but the name is in an RSS link. + -- http://seclists.org/nmap-dev/2011/q3/812 + local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/') + return user + end + end + return false +end + +--- +--Returns true if WP installation exists. 
+--We assume an installation exists if wp-login.php is found +--@param host Host table +--@param port Port table +--@param path Path to WP +--@return True if WP was found +-- +local function check_wp(host, port, path) + stdnse.debug2("Checking %swp-login.php ", path) + local req = http.get(host, port, path.."wp-login.php", {no_cache=true}) + if req.status and req.status == 200 then + return true + end + return false +end + +--- +--Writes string to file +--Taken from: hostmap.nse +--@param filename Target filename +--@param contents String to save +--@return true when successful +local function write_file(filename, contents) + local f, err = io.open(filename, "w") + if not f then + return f, err + end + f:write(contents) + f:close() + return true +end + + +--- +--MAIN +--- +action = function(host, port) + local basepath = stdnse.get_script_args(SCRIPT_NAME .. ".basepath") or "/" + local limit = stdnse.get_script_args(SCRIPT_NAME .. ".limit") or 25 + local filewrite = stdnse.get_script_args(SCRIPT_NAME .. ".out") + local output = {""} + local users = {} + --First, we check this is WP + if not(check_wp(host, port, basepath)) then + if nmap.verbosity() >= 2 then + return "[Error] Wordpress installation was not found. We couldn't find wp-login.php" + else + return + end + end + + --Incrementing ids to enum users + for i=1, tonumber(limit) do + local user = get_wp_user(host, port, basepath, i) + if user then + stdnse.debug1("Username found -> %s", user) + output[#output+1] = string.format("Username found: %s", user) + users[#users+1] = user + end + end + + if filewrite and #users>0 then + local status, err = write_file(filewrite, stdnse.strjoin("\n", users)) + if status then + output[#output+1] = string.format("Users saved to %s\n", filewrite) + else + output[#output+1] = string.format("Error saving %s: %s\n", filewrite, err) + end + end + + if #output > 1 then + output[#output+1] = string.format("Search stopped at ID #%s. 
Increase the upper limit if necessary with 'http-wordpress-users.limit'", limit) + return stdnse.strjoin("\n", output) + end +end diff --git a/scripts/script.db b/scripts/script.db index a3afdc4bd..8bc5dd87f 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -239,8 +239,8 @@ Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "int Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } } -Entry { filename = "http-wordpress-enum.nse", categories = { "auth", "intrusive", "vuln", } } -Entry { filename = "http-wordpress-plugins.nse", categories = { "discovery", "intrusive", } } +Entry { filename = "http-wordpress-enum.nse", categories = { "discovery", "intrusive", } } +Entry { filename = "http-wordpress-users.nse", categories = { "auth", "intrusive", "vuln", } } Entry { filename = "http-xssed.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "iax2-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "iax2-version.nse", categories = { "version", } }