Updated version detection methods in http-fingerprints.lua #767
Conversation
rewanthtammana
changed the title
|
As mentioned in http://seclists.org/nmap-dev/2017/q1/211 and http://seclists.org/nmap-dev/2017/q1/211, Joomla and Wordpress have fingerprints which cover a wide range of possibilities. Joomla version fingerprints - 8233 Updating them would be a better option to avoid the possibility of duplicate fingerprints |
|
@Varunram You are exactly right and I did the same thing. Please have a look at the modified script and I cross checked the new code against 10 websites and its working good. |
nselib/data/http-fingerprints.lua
Outdated
| output = 'WordPress 3.0.x found' | ||
| }, | ||
| { | ||
| output = 'Wordpress login page.' |
There was a problem hiding this comment.
I'm sure these will be of great help and hence I restored them. Thanks for pointing out.
There was a problem hiding this comment.
Committed as bdce616.
nselib/data/http-fingerprints.lua
Outdated
| }, | ||
| matches = { | ||
| { | ||
| match = '[V|v]ersion ([0-9 .]*)', |
There was a problem hiding this comment.
This is a pretty general match for a page as general as "readme.html". Can we make a more specific match to ensure it is Wordpress before extracting the version? e.g. "WordPress.*[Vv]ersion ([0-9.]+)" (note use of + instead of * to ensure there is something there).
There was a problem hiding this comment.
Committed as b0a2ee5.
nselib/data/http-fingerprints.lua
Outdated
| output = 'WordPress version: \\1' | ||
| }, | ||
| { | ||
| match = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)', |
There was a problem hiding this comment.
Lots of urls like this could work besides wp-emoji-release. Can we change this to '/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)'? Also note that "/" does not need to be escaped in lua patterns.
There was a problem hiding this comment.
No, Dan. We can't use "/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)" because there are CSS and JS files which are linked in WordPress through external scripts.
For example,
"/wp-includes/js/jquery/jquery.js?ver=1.7.1" also matches the regex proposed above. But this refers to Jquery version not WordPress version, so I think its better to use string instead of regex.
There was a problem hiding this comment.
I still think we should expand this to include other files that may be linked according to WordPress version. Not every site uses the wp-emoji plugin, and they may not use the minified version, either. What other script names could be used here? I see wp-embed in use in more of the sites in wordpress.org's "showcase," so we could at least check for that.
|
This looks good. I do suggest adding more |
|
Added more matches based on |
Detects version by scraping meta tags, rss feed, readme pages, etc..