Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes false positive if XML-RPC is disabled via server configuration #30

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fixes false positive if XML-RPC is disabled via server configuration #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ca71e8d
Fixes issue with x-frame-options value not recognized
Jul 6, 2021
53d7524
Reports xml-rpc disabled if response from service is 4xx
Jul 6, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions cmsmap/lib/genericchecks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,10 +46,10 @@ def DirectoryListing(self, relPath):
report.verbose(msg)
requester.request(self.url + self.relPath, data=None)
dirList = re.search("<title>Index of", requester.htmltext, re.IGNORECASE)
if dirList:
if dirList:
msg = self.url + self.relPath
report.low(msg)

# Check if website is over HTTPS
def HTTPSCheck(self):
msg = "Checking if the website is in HTTPS ..."
Expand Down Expand Up @@ -86,7 +86,7 @@ def HeadersCheck(self):
msg = "X-XSS-Protection Disabled"
report.high(msg)
if not requester.response.info().get('x-frame-options') or (
requester.response.info().get('x-frame-options').lower() != 'sameorigin' or 'deny'):
requester.response.info().get('x-frame-options').lower() not in ['sameorigin', 'deny']):
msg = "X-Frame-Options: Not Enforced"
report.low(msg)
if not requester.response.info().get('strict-transport-security'):
Expand All @@ -98,7 +98,7 @@ def HeadersCheck(self):
if not requester.response.info().get('x-content-type-options'):
msg = "X-Content-Type-Options: Not Enforced"
report.info(msg)

# Check if AutoComplete is set to Off on login pages
def AutocompleteOff(self, relPath):
msg = "Checking Autocomplete Off on the login page ..."
Expand All @@ -109,7 +109,7 @@ def AutocompleteOff(self, relPath):
if not autoComp:
msg = "Autocomplete Off Not Found: " + self.url + self.relPath
report.info(msg)

# Check if robots.txt is available
def RobotsTXT(self):
msg = "Checking Robots.txt File ..."
Expand All @@ -121,7 +121,7 @@ def RobotsTXT(self):
else:
msg = "No Robots.txt Found"
report.low(msg)


# Extract error codes and page length from a not existing web page
def NotExistingURL(self):
Expand Down Expand Up @@ -151,7 +151,7 @@ def CommonFiles(self):
# Add all plugins to the queue
for commFilesIndex, file in enumerate(self.commFiles):
q.put(file + ext)
sys.stdout.write("\r" + str((100 * ((len(self.commFiles) * extIndex) + commFilesIndex) /
sys.stdout.write("\r" + str((100 * ((len(self.commFiles) * extIndex) + commFilesIndex) /
(len(self.commFiles) * len(self.commExt)))) + "% " + file + ext + " ")
sys.stdout.flush()
q.join()
Expand Down
17 changes: 9 additions & 8 deletions cmsmap/lib/wpscan.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ def WPVersion(self):
msg = "Wordpress Version: " + self.currentVer[0]
report.info(msg)
else:
requester.request(self.url, data=None)
requester.request(self.url, data=None)
self.currentVer = re.findall('<meta name="generator" content="WordPress (\d+\.\d+[\.\d+]*)"', requester.htmltext)
if self.currentVer:
msg = "Wordpress Version: " + self.currentVer[0]
Expand Down Expand Up @@ -146,7 +146,7 @@ def WPDefaultFiles(self):
def WPFeed(self):
msg = "Enumerating Wordpress usernames via \"Feed\" ..."
report.verbose(msg)
requester.request(self.url + self.feed, data=None)
requester.request(self.url + self.feed, data=None)
wpUsers = re.findall("<dc:creator>[<!\[CDATA\[]*(.+?)[\]\]>]*</dc:creator>",
requester.htmltext)
if wpUsers:
Expand Down Expand Up @@ -178,18 +178,18 @@ def WPForgottenPassword(self):
report.verbose(msg)
# Use an invalid, not-existing, not-registered user
self.postdata = {"user_login": "N0t3xist!1234"}
requester.request(self.url + self.forgottenPsw, data=self.postdata)
requester.request(self.url + self.forgottenPsw, data=self.postdata)
if re.findall(re.compile('Invalid username'), requester.htmltext):
msg = "Forgotten Password Allows Username Enumeration: " + self.url + self.forgottenPsw
report.info(msg)

# Find full path via the default hello plugin
def WPHello(self):
requester.request(self.url + "/wp-content/plugins/hello.php", data=None)
requester.request(self.url + "/wp-content/plugins/hello.php", data=None)
fullPath = re.findall(re.compile('Fatal error.*>/(.+?/)hello.php'), requester.htmltext)
if fullPath:
msg = "Wordpress Hello Plugin Full Path Disclosure: " + "/" + fullPath[0] + "hello.php"
report.low(msg)
report.low(msg)

# Find directory listing in default directories and plugin directories
def WPDirsListing(self):
Expand All @@ -207,7 +207,7 @@ def WPDirsListing(self):
def WPpluginsIndex(self):
msg = "Checking WordPress plugins in the index page"
report.verbose(msg)
requester.request(self.url, data=None)
requester.request(self.url, data=None)
self.pluginsFound = re.findall(re.compile('/wp-content/plugins/(.+?)/'), requester.htmltext)

# Find plugins via a dictionary attack
Expand Down Expand Up @@ -241,7 +241,7 @@ def WPpluginsVersion(self):
requester.request(self.url+self.pluginPath+pluginFound+"/readme.txt", data=None)
pluginVer = re.findall('Stable tag: (\d+\.\d+[\.\d+]*)', requester.htmltext)
# Add plugin version
if pluginVer :
if pluginVer :
self.pluginsFoundVers[pluginFound] = pluginVer[0]
else:
# Match has not been found
Expand Down Expand Up @@ -303,7 +303,8 @@ def WPXMLRPC_check(self):
<param><value><string>ThisIsATest</string></value></param></params></methodCall>
'''
requester.request(self.url + '/xmlrpc.php', data = self.postdata)
if re.search('<value><string>XML-RPC services are disabled', requester.htmltext):
if re.search('<value><string>XML-RPC services are disabled', requester.htmltext) or (
500 > requester.status_code >= 400):
msg = "XML-RPC services are disabled"
report.verbose(msg)
self.XMLRPCEnable = False
Expand Down