diff --git a/CHANGELOG b/CHANGELOG
index 999072ae9..b51c6ca74 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -168,10 +168,10 @@ o [NSE] Added 27 scripts, bringing the total to 243! You can learn
   + http-wordpress-brute performs brute force password auditing against
     Wordpress CMS/blog installations. [Paulino Calderon]
 
-  + http-wp-enum enumerates usernames in Wordpress blog/CMS
-    installations by exploiting an information disclosure vulnerability
-    existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and
-    possibly others. [Paulino Calderon]
+  + http-wordpress-enum enumerates usernames in Wordpress blog/CMS
+    installations by exploiting an information disclosure
+    vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
+    3.2-beta2 and possibly others. [Paulino Calderon]
 
   + imap-brute performs brute force password auditing against IMAP
     servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
@@ -417,6 +417,10 @@ o [NSE] Added the make_array and make_object functions to our json
 o [NSE] The ip-geolocation-ipinfodb now allows you to specify an
   IPInfoDB API key using the apikey NSE argument. [Gorjan]
 
+o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
+  consistency with http-wordpress-brute and now
+  http-wordpress-enum. [Fyodor]
+
 Nmap 5.59BETA1 [2011-06-30]
 
 o [NSE] Added 40 scripts, bringing the total to 217! You can learn
diff --git a/scripts/http-wp-enum.nse b/scripts/http-wordpress-enum.nse
similarity index 83%
rename from scripts/http-wp-enum.nse
rename to scripts/http-wordpress-enum.nse
index 5151c2957..07b090050 100644
--- a/scripts/http-wp-enum.nse
+++ b/scripts/http-wordpress-enum.nse
@@ -7,24 +7,24 @@ Original advisory:
 ---
 -- @usage
--- nmap -p80 --script http-wp-enum
--- nmap -sV --script http-wp-enum --script-args limit=50
+-- nmap -p80 --script http-wordpress-enum
+-- nmap -sV --script http-wordpress-enum --script-args limit=50
 --
 -- @output
 -- PORT STATE SERVICE REASON
 -- 80/tcp open http syn-ack
--- | http-wp-enum:
+-- | http-wordpress-enum:
 -- | Username found: admin
 -- | Username found: mauricio
 -- | Username found: cesar
 -- | Username found: lean
 -- | Username found: alex
 -- | Username found: ricardo
--- |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wp-enum.limit'
+-- |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-enum.limit'
 --
--- @args http-wp-enum.limit Upper limit for ID search. Default: 25
--- @args http-wp-enum.basepath Base path to Wordpress. Default: /
--- @args http-wp-enum.out If set it saves the username list in this file.
+-- @args http-wordpress-enum.limit Upper limit for ID search. Default: 25
+-- @args http-wordpress-enum.basepath Base path to Wordpress. Default: /
+-- @args http-wordpress-enum.out If set it saves the username list in this file.
 ---
 
 author = "Paulino Calderon"
@@ -96,9 +96,9 @@ end
 --MAIN
 ---
 action = function(host, port)
-  local basepath = stdnse.get_script_args("http-wp-enum.basepath") or "/"
-  local limit = stdnse.get_script_args("http-wp-enum.limit") or 25
-  local filewrite = stdnse.get_script_args("http-wp-enum.out")
+  local basepath = stdnse.get_script_args("http-wordpress-enum.basepath") or "/"
+  local limit = stdnse.get_script_args("http-wordpress-enum.limit") or 25
+  local filewrite = stdnse.get_script_args("http-wordpress-enum.out")
   local output = {""}
   local users = {}
   --First, we check this is WP
@@ -130,7 +130,7 @@ action = function(host, port)
   end
 
   if #output > 1 then
-    output[#output+1] = string.format("Search stopped at ID #%s. Increase the upper limit if necessary with 'http-wp-enum.limit'", limit)
+    output[#output+1] = string.format("Search stopped at ID #%s. Increase the upper limit if necessary with 'http-wordpress-enum.limit'", limit)
     return stdnse.strjoin("\n", output)
   end
 end
diff --git a/scripts/http-wp-plugins.nse b/scripts/http-wordpress-plugins.nse
similarity index 84%
rename from scripts/http-wp-plugins.nse
rename to scripts/http-wordpress-plugins.nse
index 8feea6f84..1413bc0a0 100644
--- a/scripts/http-wp-plugins.nse
+++ b/scripts/http-wordpress-plugins.nse
@@ -13,18 +13,18 @@ check the first 100 ones. Users can tweak this with an option (see below).
 ]]
 
 ---
--- @args http-wp-plugins.root If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root.
--- @args http-wp-plugins.search As the plugins list contains tens of thousand of plugins, this script will only search the 100 most popular ones by default.
+-- @args http-wordpress-plugins.root If set, points to the blog root directory on the website. If not, the script will try to find a WP directory installation or fall back to root.
+-- @args http-wordpress-plugins.search As the plugins list contains tens of thousand of plugins, this script will only search the 100 most popular ones by default.
 -- Use this option with a number or "all" as an argument for a more comprehensive brute force.
 --
 -- @usage
--- nmap --script=http-wp-plugins --script-arg http-wp-plugins.root="/blog/",http-wp-plugins.search=500
+-- nmap --script=http-wordpress-plugins --script-arg http-wordpress-plugins.root="/blog/",http-wordpress-plugins.search=500
 --
 --@output
 -- Interesting ports on my.woot.blog (123.123.123.123):
 -- PORT STATE SERVICE REASON
 -- 80/tcp open http syn-ack
--- | http-wp-plugins:
+-- | http-wordpress-plugins:
 -- | search amongst the 500 most popular plugins
 -- | akismet
 -- | wp-db-backup
@@ -66,9 +66,9 @@ action = function(host, port)
   end
 
   local wp_autoroot
-  local wp_root = stdnse.get_script_args("http-wp-plugins.root")
+  local wp_root = stdnse.get_script_args("http-wordpress-plugins.root")
   local plugins_search = DEFAULT_PLUGINS_SEARCH
-  local plugins_search_arg = stdnse.get_script_args("http-wp-plugins.search")
+  local plugins_search_arg = stdnse.get_script_args("http-wordpress-plugins.search")
 
   if plugins_search_arg == "all" then
     plugins_search = nil
@@ -143,7 +143,7 @@ action = function(host, port)
   for i, data in pairs(pipeline_returns) do
     -- if it's not a four-'o-four, it probably means that the plugin is present
     if http.page_exists(data, result_404, body_404, bfqueries[i][1], true) then
-      stdnse.print_debug(1, "http-wp-plugins.nse: Found a plugin: %s", bfqueries[i][2])
+      stdnse.print_debug(1, "http-wordpress-plugins.nse: Found a plugin: %s", bfqueries[i][2])
       table.insert(result, bfqueries[i][2])
     end
   end
@@ -153,7 +153,7 @@ action = function(host, port)
     result.name = "search amongst the " .. plugin_count .. " most popular plugins"
     return stdnse.format_output(true, result)
   else
-    return "nothing found amongst the " .. plugin_count .. " most popular plugins, use --script-arg http-wp-plugins.search= for deeper analysis)\n"
+    return "nothing found amongst the " .. plugin_count .. " most popular plugins, use --script-arg http-wordpress-plugins.search= for deeper analysis)\n"
   end
 end
 
diff --git a/scripts/script.db b/scripts/script.db
index 718f4691b..f7af9ed4a 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -101,8 +101,8 @@ Entry { filename = "http-vmware-path-vuln.nse", categories = { "safe", "vuln", }
 Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-wordpress-brute.nse", categories = { "auth", "intrusive", } }
-Entry { filename = "http-wp-enum.nse", categories = { "auth", "discovery", "intrusive", "vuln", } }
-Entry { filename = "http-wp-plugins.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "http-wordpress-enum.nse", categories = { "auth", "discovery", "intrusive", "vuln", } }
+Entry { filename = "http-wordpress-plugins.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "iax2-version.nse", categories = { "version", } }
 Entry { filename = "imap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
@@ -124,6 +124,7 @@ Entry { filename = "ldap-novell-getpass.nse", categories = { "discovery", "safe"
 Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
+Entry { filename = "lltd-discovery.nse", categories = { "discovery", "safe", } }
 Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }