#!/usr/bin/python
# -*- coding: utf-8 -*-
#
import re
import sys
import os
import json
import requesocks as requests
import urlparse
import argparse
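def is_vuln(installed, vulnerable):
    """Return True when *installed* is at or below the *vulnerable* version.

    Both arguments are dotted version strings such as ``"2.6.8"``.  Each
    component is compared as an integer, most significant first, and the
    first component that differs decides the result.  Equal versions count
    as vulnerable.

    The earlier implementation compared the components as strings and kept
    scanning after a lower component, so ``"10.0"`` sorted below ``"9.0"``
    and ``"1.9"`` was reported as newer than ``"2.0"``.  It also raised
    IndexError when *installed* had more components than *vulnerable*.
    """
    def _numeric_parts(version):
        # Keep only the leading digits of each component ("8-beta" -> 8);
        # a component with no leading digits is treated as 0.
        parts = []
        for piece in version.strip().split('.'):
            digits = re.match(r'\d+', piece)
            parts.append(int(digits.group()) if digits else 0)
        return parts

    have = _numeric_parts(installed)
    limit = _numeric_parts(vulnerable)

    # Pad the shorter list with zeros so "2.6" compares as "2.6.0".
    width = max(len(have), len(limit))
    have += [0] * (width - len(have))
    limit += [0] * (width - len(limit))

    # List comparison is lexicographic: the first differing component wins.
    return have <= limit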
# One shared HTTP session for the whole run.  Both schemes are routed through
# a SOCKS5 proxy on the local machine, port 9050 (the port Tor's SOCKS
# listener uses by default).
session = requests.session()
_SOCKS_PROXY = "socks5://127.0.0.1:9050"
session.proxies = {"http": _SOCKS_PROXY, "https": _SOCKS_PROXY}

# Every plugin probe sends this fixed User-Agent string, so the same value
# appears on each request a target's access log records from this script.
headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0',
}

# `wysija` is not read anywhere else in this file; `url_list` collects targets.
wysija = []
url_list = []
# Command-line options.  Note that the help text quotes the two directory
# defaults as "wp-content/" and "plugins/", while the values actually used
# are "/wp-content" and "/plugins" (leading slash, no trailing slash).
parser = argparse.ArgumentParser()
for flags, options in (
    (("-u", "--url"), {"help": "Target URL http://example.com"}),
    (("-f", "--file"), {"help": "File with URLs"}),
    (("-w", "--wpcontent"), {
        "help": "wp-content directory. Default is wp-content/",
        "default": "/wp-content",
    }),
    (("-p", "--plugin"), {
        "help": "Plugins directory. Default is plugins/",
        "default": "/plugins",
    }),
):
    parser.add_argument(*flags, **options)
args = parser.parse_args()
# Start-up banner, one string per output line.  A parenthesised single
# argument prints the same text under the Python 2 print statement.
for banner_line in (
    " _ _ _ _____ ",
    " | | | | _ |_ _ _ ___ ___ ___ ",
    " | | | | __| | | | | -_| _| ",
    " |_____|__| |_____|_|_|___|_| v 0.1.0 ",
    " ",
):
    print(banner_line)
# Build the target list from -u and/or -f.
ok_tag = "\033[92m" + "[+] " + "\033[0m"
if args.url:
    print(ok_tag + "URL: " + args.url)
    url_list.append(args.url)
if args.file:
    print(ok_tag + "FILE: " + args.file)
    filename = args.file
    with open(filename, "r") as ins:
        # url_list is rebound here, so a URL given with -u is dropped when
        # -f is also present.  Only the text before the first newline of
        # each line is kept; blank lines become empty entries.
        url_list = [line.partition('\n')[0] for line in ins]
# Fetch httpbin's /ip page through the proxied session and print the first
# run of digits, dots and hyphens in the body, i.e. the address the request
# was seen coming from.  A failed request or a body with no such run raises
# here, which stops the script before any target is contacted.
response = session.get("http://httpbin.org/ip")
seen_address = re.findall(r'[\d.-]+', response.text)[0]
print("\033[34m" + "[i] \033[0mPROXY: " + seen_address)
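# For every target, request the file named by each plugin definition under
# ./plugins and report the plugin version found in the response.
#
# NOTE(review): indentation was lost in this listing.  The nesting below is
# the most plausible reading: the "Vulnerable version", "Metasploit module"
# and "TARGETURI" lines are printed for every detected plugin, and only the
# colour of the "Installed version" line depends on is_vuln().
for base_url in url_list:
    status = ' '
    for filename in os.listdir('plugins'):
        # Each definition is a JSON object; the keys read below are
        # 'address', 'regex', 'version', 'name' and 'metasploit'.
        # The with-block closes the file, so no explicit close() is needed
        # and the handle is not held open during the network request.
        with open('plugins/' + filename) as json_file:
            plugin = json.load(json_file)

        # Requested path: <target><wp-content dir><plugins dir><address>,
        # sent with the fixed User-Agent from `headers`.
        url = base_url + args.wpcontent + args.plugin + plugin['address']
        try:
            resp = session.get(url=url, headers=headers)
            if resp.status_code != 200:
                continue

            # check version
            matches = re.findall(plugin['regex'], resp.text)
            if not matches:
                continue

            # The definition's regex must have at least two capture groups;
            # the second group of the first match is taken as the version.
            version = matches[0][1]
            print("")
            print("\033[92m" + "[!] \033[0m[" + plugin['name'].upper() + " FOUND]")
            if is_vuln(version, plugin['version']):
                print('\033[31m' + '! \033[0m Installed version: ' + version)
            else:
                print("\033[34m" + "+ \033[0m Installed version: " + version)
            print("\033[34m" + "+ \033[0m Vulnerable version: " + plugin['version'])
            print("\033[34m" + "+ \033[0m Metasploit module: " + plugin['metasploit'])
            print("\033[34m" + "+ \033[0m TARGETURI: " + base_url)
        except Exception as err:
            # The previous bare `except: pass` also caught KeyboardInterrupt
            # and SystemExit, so the run could not be interrupted, and it hid
            # every failure (network error, malformed definition, bad regex).
            # Report the failure on stderr and move on to the next definition.
            sys.stderr.write("[-] %r: %r\n" % (url, err))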