change static to wp-content ?

Question

change static to wp-content ?

erwanlr opened this issue 12 years ago · comments

Erwan commented 12 years ago

Could it be possible to have the default wp-content directory instead of static ?

ie : /static/twentyeleven/style.css => /wp-content/themes//twentyeleven/style.css

or, at least /static/themes//twentyeleven/style.css (the static will be detected as a custom wp-content dir by wpscan)

In that way, wpscan will be able to work correctly for this pot :)

Futhermore, could be interesting to have a wpscan detection :D (if the pot detected that wpscan is scanning, add it to the log file)

It's really usefull for the wpscan dev, as i can check if the requets are done correctly w/o reading the log file of the wordpress in my VM :D

Gianluca Brindisi · Answer 1 · Tue Jul 10 2012 20:36:27 GMT+0800 (China Standard Time)

@erwanlr yes you are right and I am aware of the static directory problem since It can also be a way to detect the honeypot.

I am still not sure what would be the best way to handle this since putting everything in the same directory structure as wordpress may interfere with the dynamic routes used to detect probes.

Futhermore, could be interesting to have a wpscan detection :D (if the pot detected that wpscan is scanning, add it to the log file)

Seems a nice feature to add but looks like it would be better to implement it as a stand alone app that extract patterns from the log file.

BTW what output are you expecting from this to help you out while developing wpscan?

Gianluca Brindisi · Answer 2 · Thu Jul 12 2012 03:17:32 GMT+0800 (China Standard Time)

I've slightly improved the directory structure.

Now is static/wp-content/theme/THEMENAME/ but WPScan still can't recognize it as valid. The problem is that a correct structure will interfere with the dynamic routes and I havent figured out yet how to properly solve this.

The only idea I came up with is to dumb down the template (removing all the images, etc) and serve a custom css directly from python without using any static file but this would not work well for standard css/images used for the readme.html and wp-login.php.

So I am open to suggestions.

Erwan · Answer 3 · Thu Jul 12 2012 03:44:59 GMT+0800 (China Standard Time)

-> Now is static/wp-content/theme/THEMENAME/ but WPScan still can't
recognize it as valid.

It's because you forgot the "s" to theme ;)
(static/wp-content/themes/THEMENAME/)

-> BTW what output are you expecting from this to help you out while
developing wpscan?

The actual output (in the console) is enough for me, and that's pretty
useful ;) (in one console i have your wordpot running, and in another
wpscan, so i can verify if the requests are done as expected just by
switching console :))

Gianluca Brindisi · Answer 4 · Thu Jul 12 2012 03:59:38 GMT+0800 (China Standard Time)

It's because you forgot the "s" to theme ;)

Yep I misspelled it here but it is actually static/wp-content/themes/THEMENAME/.

The actual output (in the console) is enough for me, and that's pretty useful ;)

Great! 👍

Erwan · Answer 5 · Thu Jul 12 2012 05:14:17 GMT+0800 (China Standard Time)

So, yea it's because the urls used in wordpot are relative (so the detection of the wp-content fails as wordpress use absolute urls.)

Unfortunatly at this time i can not use relative url because it gives wrong values :/

Gianluca Brindisi · Answer 6 · Thu Jul 12 2012 05:33:22 GMT+0800 (China Standard Time)

Bingo! Now WPScan detects the theme correctly 👍

Erwan · Answer 7 · Thu Jul 12 2012 05:39:31 GMT+0800 (China Standard Time)

awesome :)