WordPress Sniper is the latest addition to pWeb Suite. It helps you in creating a list of WordPress specific exploits using the exploit-db.com database and then allows you to test each one.
Click on the image abopve to see full screen
Google Code – pWeb Suite
If you’d like to learn more about the code, keep reading. While pentesting, I come across a TON of WordPress made weblogs. WordPress is like a CMS, or content management system which manages your online life within your weblog. pictures, links, posts, etc. It allows for third party plug-ins and boasts a whopping “22,257 PLUGINS, 371,429,663 DOWNLOADS, AND COUNTING” at the time of this writing. Well, not all of these plugins are installed by everyone and not all are coded with security in mind. In fact, the almost all de-secure the system to enable new functionality. Well, I got tired of searching exploit-db for WordPress and decided to just scrape every single page for the relevant data and then run every exploit – as they are all mostly just HTTP GET requests. This means its not necessarily a bad thing to scan these because they look just like regular HTTP traffic logs – minus the timestamps – which can be overcome by adding -r for a “random” sleep time between requests.
- The User Agent it uses is a simple Mozilla FF: Mozilla/5.0 (Windows; U; Windows NT 6.1 en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18
- If you add a ‘-d’ it will test all accessible default files left over from the initial installation.
- If you add a ‘-r’ it will randomize a wait time between 1-5 seconds between “clicks”
- Assists in updates and is fully dynamic
- Only depends upon Term::ANSIColor and LWP (both of which come with most modern versions of precompiled Perl for OSs)
WordPress Sniper - 2013 WeakNet Laboratories
error: no URL provided.
Usage: ./wp-sniper i
Options: -d (check default files)
-r (random wait (5000ms))
If you have any contributions / comments email me at the address found in the site banner.
~Douglas
