Nmap Development mailing list archives

Re: [NSE] http-wp-plugins, retrieve installed Wordpress plugins
From: Henri Doreau <henri.doreau () gmail com>
Date: Mon, 14 Mar 2011 18:30:38 +0100

2011/3/14 Gutek <ange.gutek () gmail com>:
> Hi Ron,
> Indeed, that was my first intention: I was actually looking for new
> fingerprints for it :)
> But I quickly realized the potential huge amount of queries, later
> confirmed by a quick while-http.get()-end on the plugins list: it took
> an hour or so and http.pipeline doesn't help much.
> Then, considering the amount of fingerprints already tested by
> http-enum, it sounds to me like a very long scan for someone who just
> wants to deal with a wordpress blog (or who doesn't care about wp).

Retrieving the Wordpress plugins list is a good idea!!

I am wondering whether we could improve http-enum and/or the
fingerprint database to implement a smarter system.

I don't know how hard to implement and how desirable that would be, but
some paths might activate the detection of other ones (that would have
been skipped otherwise). This way we could avoid doing a complete
plugin search when no wordpress installation has been detected, for
instance.

I am not comfortable with http-enum internals, but I can imagine
something like adding a callback to the fingerprints table, to be
executed when an associated path is detected as valid.

> Creating a Wordpress category and using http-enum.category would fix it,
> but I've planned to later add a plugin version vs. known threats comparison.
> A dependency-aware system would also give the ability to insert
> entries into the registry, for example to perform vulnerability
> research against detected applications or modules.
>
> Anyway, for those reasons I decided to make a separate script, with some
> more options than the brute force part (like the ability to find the
> path to the wordpress directory on its own).
>
> But if simpler is better and the need for a separate specialized script
> is not obvious, feel free to consider and add the plugins.lst content to
> the fingerprints database.
>
> Thanks for your comment!


my 2cts.

Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
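The idea Henri sketches above (some paths activating the detection of others, so the full plugin list is only walked once a Wordpress installation has actually been found) can be modelled without touching http-enum. The Python below is an added illustration written for this page, not Nmap or http-enum code: the Fingerprint record, its requires field (a declared dependency standing in for the callback Henri describes), the probe_from_map stand-in for an HTTP request and the two sample sites are all constructed assumptions. It runs entirely offline and reports how many requests each site would have cost.

```python
"""Model of a dependency-aware fingerprint table (added illustration, not
http-enum code).  Everything here, the Fingerprint class, the 'requires'
field, the probe stand-in and the sample sites, is a constructed assumption
about how such a scheme could look."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Fingerprint:
    name: str                       # label recorded when the path responds
    path: str                       # path that would be requested on the target
    requires: Optional[str] = None  # parent name that must match before this entry is tried


# Constructed table: one generic entry, one "application" entry and three
# plugin entries that depend on it (the plugin names are made up).
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("robots", "/robots.txt"),
    Fingerprint("wordpress", "/wp-login.php"),
    Fingerprint("wp-plugin-a", "/wp-content/plugins/example-plugin-a/", requires="wordpress"),
    Fingerprint("wp-plugin-b", "/wp-content/plugins/example-plugin-b/", requires="wordpress"),
    Fingerprint("wp-plugin-c", "/wp-content/plugins/example-plugin-c/", requires="wordpress"),
]

# A probe maps a path to an HTTP status code; here it never touches the network.
Probe = Callable[[str], int]


def enumerate_paths(table: List[Fingerprint], probe: Probe) -> Tuple[Set[str], int, List[str]]:
    """Probe each entry at most once, dependent entries only after their parent matched.

    Returns (matched names, number of requests issued, names that were never probed).
    """
    by_name = {fp.name: fp for fp in table}
    for fp in table:
        if fp.requires is not None and fp.requires not in by_name:
            raise ValueError(f"{fp.name} requires unknown fingerprint {fp.requires}")

    matched: Set[str] = set()
    pending = list(table)
    requests = 0
    progress = True
    # Keep sweeping while at least one entry became eligible; entries whose
    # parent never matches stay in 'pending' and are reported as skipped.
    while pending and progress:
        progress = False
        for fp in list(pending):
            if fp.requires is None or fp.requires in matched:
                pending.remove(fp)
                requests += 1
                if probe(fp.path) == 200:
                    matched.add(fp.name)
                progress = True
    return matched, requests, [fp.name for fp in pending]


def probe_from_map(responses: Dict[str, int]) -> Probe:
    """Offline stand-in for an HTTP GET: look the path up in a constructed response map."""
    return lambda path: responses.get(path, 404)


# Constructed sample sites: one running Wordpress with a single plugin, one without.
WORDPRESS_SITE: Dict[str, int] = {
    "/robots.txt": 200,
    "/wp-login.php": 200,
    "/wp-content/plugins/example-plugin-b/": 200,
}
PLAIN_SITE: Dict[str, int] = {"/robots.txt": 200}


if __name__ == "__main__":
    for label, site in (("wordpress", WORDPRESS_SITE), ("plain", PLAIN_SITE)):
        found, n, skipped = enumerate_paths(FINGERPRINTS, probe_from_map(site))
        print(f"{label}: matched={sorted(found)} requests={n} skipped={skipped}")
```

Against the plain site the three plugin entries are never requested, which is exactly the saving the thread is after; against the Wordpress site every entry is tried, so the scheme costs nothing extra when the parent matches. The same table could carry Gutek's registry idea by attaching per-entry data to record whenever a match fires.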
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
