Updated version detection methods in http-fingerprints.lua #767
Conversation
As mentioned in http://seclists.org/nmap-dev/2017/q1/211 and http://seclists.org/nmap-dev/2017/q1/211, Joomla and Wordpress have fingerprints which cover a wide range of possibilities. Joomla version fingerprints - 8233 Updating them would be a better option to avoid the possibility of duplicate fingerprints
@Varunram You are exactly right and I did the same thing. Please have a look at the modified script; I cross-checked the new code against 10 websites and it's working well.
Just a few minor changes. Thanks!
nselib/data/http-fingerprints.lua
Outdated
output = 'WordPress 3.0.x found'
},
{
output = 'Wordpress login page.'
Why were these matches removed?
I'm sure these will be of great help and hence I restored them. Thanks for pointing out.
Committed as bdce616.
nselib/data/http-fingerprints.lua
Outdated
},
matches = {
{
match = '[V|v]ersion ([0-9 .]*)',
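Review bot: `[V|v]` is a character set in a Lua pattern, so it also matches a literal `|`; write `[Vv]ersion`. The capture `([0-9 .]*)` can match the empty string and can swallow trailing spaces into the reported version, whereas `([0-9.]+)` requires at least one character and stops at whitespace. As written the match also fires on any page containing "version N", not only WordPress, so anchor it with a WordPress-specific token before extracting the number.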
This is a pretty general match for a page as general as "readme.html". Can we make a more specific match to ensure it is Wordpress before extracting the version? e.g. "WordPress.*[Vv]ersion ([0-9.]+)" (note use of + instead of * to ensure there is something there).
Committed as b0a2ee5.
nselib/data/http-fingerprints.lua
Outdated
output = 'WordPress version: \\1'
},
{
match = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)',
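Review bot: this match cannot fire on a normal `<script src="/wp-includes/js/wp-emoji-release.min.js?ver=4.7">` tag, because in Lua patterns `%` is the escape character, not `\`, and `-`, `.` and `?` are magic. `\\/` (the string `\/`) requires a literal backslash in the response body; `p-` in `wp-includes` is a lazy repeat of `p`, so the literal hyphen is never matched; `.` matches any character; and `js?ver=` makes the `s` optional while never matching the literal `?`. Escape the magic characters, for example `/wp%-includes/js/wp%-emoji%-release%.min%.js%?ver=([0-9.]+)`, and use `+` rather than `*` so an empty version is not reported.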
Lots of urls like this could work besides wp-emoji-release. Can we change this to '/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)'
? Also note that "/" does not need to be escaped in lua patterns.
No, Dan. We can't use "/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)"
because there are CSS and JS files which are linked in WordPress through external scripts.
For example,
"/wp-includes/js/jquery/jquery.js?ver=1.7.1"
also matches the regex proposed above. But this refers to the jQuery version, not the WordPress version, so I think it's better to use a string instead of a regex.
I still think we should expand this to include other files that may be linked according to WordPress version. Not every site uses the wp-emoji plugin, and they may not use the minified version, either. What other script names could be used here? I see wp-embed in use in more of the sites in wordpress.org's "showcase," so we could at least check for that.
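As an added example (not code from this PR or from Nmap), the following Lua script runs the patterns discussed in this thread against constructed HTML fragments, so the jQuery false positive of the broad `/wp-includes/js/` match and the behaviour of the tighter alternatives can be seen directly. The fragments are constructed, and the list of WordPress core scripts whose `?ver=` tracks the WordPress release (`wp-emoji-release`, `wp-embed`) is an assumption taken from the two names mentioned above.

```lua
-- Added example, not code from the Nmap http-fingerprints.lua change under
-- review. It runs the patterns discussed in this thread against constructed
-- HTML fragments so the false positives and non-matches can be seen directly.
-- Plain Lua 5.3 (the pattern engine NSE uses); run with: lua wp_patterns.lua

-- Constructed sample response bodies; not captured from real sites.
local samples = {
  { "jquery",    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.1"></script>' },
  { "wp-emoji",  '<script src="/wp-includes/js/wp-emoji-release.min.js?ver=4.7.2"></script>' },
  { "wp-embed",  '<script src="/wp-includes/js/wp-embed.min.js?ver=4.7.2"></script>' },
  { "readme",    '<h1>WordPress</h1><p>Version 4.7.2</p>' },
  { "other-cms", '<p>Some other CMS, version 2.1</p>' },
}

-- Candidate patterns. In Lua patterns '%' is the escape character, '-' after
-- an item is a lazy repeat, '.' is any character and '?' makes the previous
-- item optional, so literal "wp-includes" and "?ver=" must be written
-- "wp%-includes" and "%?ver=".
local candidates = {
  -- the PR's readme.html match: fires on any "Version N" text on the page
  { name = "generic_version", pat = "[V|v]ersion ([0-9 .]*)" },
  -- reviewer's tightened readme.html match: needs "WordPress" first
  { name = "wp_version",      pat = "WordPress.*[Vv]ersion ([0-9.]+)" },
  -- the PR's script match with the magic characters left unescaped:
  -- "p-" and "s?" change meaning, so this never matches a real tag
  { name = "unescaped_emoji", pat = "/wp-includes/js/wp-emoji-release.min.js?ver=([0-9 .]*)" },
  -- "any script under /wp-includes/js/", correctly escaped: also fires on jQuery
  { name = "any_core_js",     pat = "/wp%-includes/js/[%w./%-]+%.js%?ver=([0-9.]+)" },
}

-- Scripts whose ?ver= value is the WordPress release rather than a bundled
-- library's version. Assumption: the two names mentioned in the thread.
local core_scripts = { "wp-emoji-release", "wp-embed" }

-- Build one tight pattern per core script; '-' and '.' in the name are magic
-- and get a '%' prefix. "[%w.%-]*" allows an optional ".min" suffix.
for _, script in ipairs(core_scripts) do
  local escaped = script:gsub("[%-%.]", "%%%0")
  candidates[#candidates + 1] = {
    name = "core:" .. script,
    pat  = "/wp%-includes/js/" .. escaped .. "[%w.%-]*%.js%?ver=([0-9.]+)",
  }
end

-- Map candidate name -> captured version (nil when the pattern does not match).
local function versions_for(body)
  local out = {}
  for _, c in ipairs(candidates) do
    out[c.name] = string.match(body, c.pat)
  end
  return out
end

for _, s in ipairs(samples) do
  local sample_name, body = s[1], s[2]
  print("== " .. sample_name)
  local found = versions_for(body)
  for _, c in ipairs(candidates) do
    print(string.format("  %-22s %s", c.name, found[c.name] or "(no match)"))
  end
end
```

Running it shows `any_core_js` reporting 1.7.1 for the jquery fragment, `unescaped_emoji` matching nothing at all, `generic_version` picking up the non-WordPress "version 2.1", and the `core:` patterns matching only the wp-emoji and wp-embed fragments. Adding a script name to `core_scripts` is the way to cover further core files that carry the WordPress version in their `?ver=` query string.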
This looks good. I do suggest adding more |
Added more matches based on |
Detects version by scraping meta tags, rss feed, readme pages, etc..