wpscan_out_parse是用于wpscan输出文件(JSON和CLI)的Python解析器。它分析漏洞、各种警报和警告以及其他发现。
wpscan-out-parse的Python项目详细描述
WPScan输出解析
wpscan_out_parse
是用于WPScan输出文件的Python解析器(JSON和CLI)。
它分析漏洞、各种警报和警告以及其他发现。在
特点
- 支持WPScan JSON和CLI输出文件
- 以CLI、JSON或HTML输出格式将结果显示到stdout
- 生成包含版本和漏洞的wordpress组件摘要表
- 将结果分为“警报”、“警告”和“信息”
- 附加警报取决于查找类型(SQL转储等)
- 通过出口代码的信号结果
- 忽略基于误报字符串的消息
- 简单的Python库用法
- 默认为彩色输出
摘要表的设计很大程度上受到wpscan-analyze(Rust代码)的启发。在
安装
python3 -m pip install wpscan-out-parse
无依赖关系
如何使用
作为CLI工具
运行WPScan
^{pr2}$运行wpscan_out_parse
python3 -m wpscan_out_parse file.json
和过程输出和/或退出代码
退出代码
- 5->;警报:您的WordPress站点易受攻击
- 6->;警告:您的WordPress站点已过时或可能存在漏洞
- 4->错误:WPScan失败
- 1->错误:分析器错误
- 0->;全部正常
示例
以CLI格式显示结果
% python3 -m wpscan_out_parse ./test/output_files/wordpress_many_vuln.json --no_warn --no_color Vulnerabilities have been detected by WPScan. Summary ------- Component | Version | Version State | Vulnerabilities | Status ---------------------------- | ------- | ------------- | --------------- | ------- WordPress 5.2.2 (2019-06-18)|5.2.2 | Latest |0| Ok Main Theme: customizr |4.1.42 | Latest |1| Alert Plugin: youtube-embed-plus | Unknown | N/A |2(potential)| Warning WPScan result summary: alerts=1, warnings=5, infos=9, error=0 Alerts ------ Vulnerability: YouTube Embed <=13.8.1 - Cross-Site Request Forgery (CSRF) Fixed in: 11.8.2 References: - Url: https://security.dxw.com/advisories/csrf-in-youtube-plugin/ - Url: http://seclists.org/fulldisclosure/2017/Jul/64 - WPVulnDB: https://wpvulndb.com/vulnerabilities/8873
以HTML格式显示结果
% python3 -m wpscan_out_parse ./test/output_files/potential_vulns.json --format html > html_output.html
作为Python库
python模块公开helper方法和解析器对象,以方便您解析WPScan结果。在
示例
使用助手方法parse_results_from_file()
。以简单的词法返回所有结果。在
importpprintfromwpscan_out_parseimportparse_results_from_fileresults=parse_results_from_file('./test/output_files/wordpress_many_vuln.json')pprint.pprint(results)
使用WPScanJsonParser
对象。在
importjsonimportpprintfromwpscan_out_parseimportWPScanJsonParserwithopen('./test/output_files/wordpress_one_vuln.json','r')aswpscan_out:parser=WPScanJsonParser(json.load(wpscan_out))pprint.pprint(parser.get_warnings())
一旦WPScanJsonParser
实例化,就可以访问以下属性:
version
main_theme
plugins
(列表)themes
(列表)interesting_findings
(列表)timthumbs
(列表)db_exports
(列表)users
(列表)medias
(列表)config_backups
(列表)password_attack
not_fully_configured
vuln_api
banner
scan_started
scan_finished
所有对象实现get_alerts()
、get_warnings()
和{
请参阅docs.md以获取有关Python对象和库使用的更多技术细节。在
附加警报字符串
当检测到输出文件中的以下字符串时,会引发一些额外的警告和警报。在
警报
"SQL Dump found","Full Path Disclosure found","www.owasp.org/index.php/Full_Path_Disclosure","codex.wordpress.org/Resetting_Your_Password#Using_the_Emergency_Password_Reset_Script","www.exploit-db.com/ghdb/3981/","A backup directory has been found","github.com/wpscanteam/wpscan/issues/422","ThemeMakers migration file found","packetstormsecurity.com/files/131957","Search Replace DB script found","interconnectit.com/products/search-and-replace-for-wordpress-databases/"
警告
"Upload directory has listing enabled","Registration is enabled","Debug Log found","codex.wordpress.org/Debugging_in_WordPress","Fantastico list found","www.acunetix.com/vulnerabilities/fantastico-fileslist/"
全力帮助
% python3 -m wpscan_out_parse -h usage: python3 -m wpscan_out_parse [Options] <File path> wpscan_out_parse is a Python parser for WPScan output files (JSON and CLI). It analyze vulnerabilities, miscellaneous alerts and warnings and other findings. positional arguments: <File path> WPScan output file to parse. optional arguments: -h, --help show this help message and exit --format <Format> output format, choices are: "cli", "html", "json" --summary display ony the summary of issues per component. --inline display only one line like: "WPScan result summary: alerts={}, warnings={}, infos={}, error={}". --no_warnings do not display warnings, only summary and alerts. Implies --no_infos. --no_infos do not display informations and findinds. --no_summary do not display the summary of issues. --show_all show all findings details (found by, confidence, confirmed by). --false_positive String [String ...] consider all matching messages as infos and add "[False positive]" prefix. --no_color do not colorize output. --version print wpscan_out_parse version and exit.
- 项目
标签: