wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Terminal output - Some suggested layout changes #423

Closed pvdl closed 10 years ago

pvdl commented 10 years ago

1 - Introduce 'bold' to distinguish chapters. So e.g. these lines also become bold, so you see more easily when a new chapter begins.

[+] URL: http://www.example.com/
[+] WordPress version xxx identified from rss generator
[+] WordPress theme in use: xxx
[+] Enumerating plugins from passive detection ...

2 - Remove indent of the vulnerabilities. I like to have it all aligned left. Current:

 | Name: contact-form-7 - v3.5.2
 | Location: http://www.example.com/wp-content/plugins/contact-form-7/
 | Readme: http://www.example.com/wp-content/plugins/contact-form-7/readme.txt
 |
 | * Title: Contact Form 7 3.5.3 - Crafted File Extension Upload Remote Code Execution
 | * Reference: http://packetstormsecurity.com/files/125018/
 | * Reference: http://seclists.org/fulldisclosure/2014/Feb/0
 | * Reference: http://osvdb.org/102776
 |
 | * Title: Contact Form 7 <= 3.5.2 - Arbitrary File Upload Remote Code Execution
 | * Reference: http://packetstormsecurity.com/files/124154/
 | * Reference: http://osvdb.org/100189
 | * Fixed in: 3.5.3

New:

[+] Name: contact-form-7 - v3.5.2
 |  Location: http://www.wel.nl/wp-content/plugins/contact-form-7/
 |  Readme: http://www.wel.nl/wp-content/plugins/contact-form-7/readme.txt
 |
[!] Title: Contact Form 7 3.5.3 - Crafted File Extension Upload Remote Code Execution
 |  Reference: http://packetstormsecurity.com/files/125018/
 |  Reference: http://seclists.org/fulldisclosure/2014/Feb/0
 |  Reference: http://osvdb.org/102776
 |
[!] Title: Contact Form 7 <= 3.5.2 - Arbitrary File Upload Remote Code Execution
 |  Reference: http://packetstormsecurity.com/files/124154/
 |  Reference: http://osvdb.org/100189
 |  Fixed in: 3.5.3

3 - Vulnerability red text to normal color. In some cases it is more friendly to read. Only the [!] tag is red.

4 - Introduce some new [] tags. I don't have a purpose for now, but maybe useful in the future:

[-] amber colored. Warning
[i] blue colored Informational. (Fixed in?)
[*] Chapter xyz. (No color, bold)
[?] Question / interaction (BTW there is already one!)

Please share your thoughts...

erwanlr commented 10 years ago

I was and still am against any colour (I know that there is currently colour in WPScan, I lost that fight a while ago :p) in the output for the following reasons:

Having all things aligned left means that in your 2) example, a quick look might result in 'there are 3 unrelated findings' which would be wrong: the 2 vulns identified are related to the plugin found

4) - yea new tags !

firefart commented 10 years ago

What about a new cli option --no-colors?

pvdl commented 10 years ago

Yes, a --no-colors or --color is a good idea! Maybe we also need to make a better 'View' part (MVC) in WPScan. It makes it easier to output in more formats also. BTW I agree with @erwanlr's comment.

erwanlr commented 10 years ago

The MVC part is planned in the CMSScanner gem (there is a draft of it in the mvc-pattern branch of WPScan), but I am struggling with some dependency injections & other things which need to be thought about first :/

pvdl commented 10 years ago

@erwanlr 2) The '|' characters bind the plugin with the related vulns. It more or less unfolds it as one item with its vulns if found.

pvdl commented 10 years ago

I am working on the layout as described. If you want to see it:

git checkout layout-423

Do your WPScan stuff here.

Not happy with the new colors?

git checkout master

pvdl commented 10 years ago

@FireFart Can you assist with the --no-color switch? It can be made very basic. Depending on the switch the method 'colorize' in lib/common/common_helper.rb needs to be adjusted. Something like

def colorize(text, color_code)
  # $no_color: global assumed to be set when the --no-color switch is given
  if $no_color
    "#{text}"
  else
    "\e[#{color_code}m#{text}\e[0m"
  end
end

pvdl commented 10 years ago

By-passing a variable in a method is not correct programming. This is a better try:

def colorize(text, color_code, colorswitch)
  # colorswitch: true wraps the text in an escape sequence, false returns it plain
  if colorswitch
    "\e[#{color_code}m#{text}\e[0m"
  else
    "#{text}"
  end
end

pvdl commented 10 years ago

@FireFart, @erwanlr, @ethicalhack3r, Please try it: This branch is only the second bullet point!! (no-color option can be done later)

git checkout layout-423

Switch back:

git checkout master

firefart commented 10 years ago

I merged the master branch over because of the typhoeus issue

pvdl commented 10 years ago

Thanks for confirming. I saw a lot of 'red errors' on my screen. Is this easy to fix? Or should I do my 'homework' again?

pvdl commented 10 years ago

I am afraid this branch is a little bit messed up now! I will take the good part out of it and remove the messed-up branch afterwards. Focus is on point 2. Remove indent of the vulnerabilities

firefart commented 10 years ago

Yeah it was the red error :D I added a commit to make the color output nicer. Tell me what you think.

Why do you think it's messed up? The changes are visible here: https://github.com/wpscanteam/wpscan/compare/layout-423

erwanlr commented 10 years ago

I've done some work on the CMSScanner gem and the formatting to show you how easy it will be to create/override a formatter (e.g. https://github.com/wpscanteam/CMSScanner/commit/3542828ef02ef460ffe5ff65149d040d0be15012 where the cli-no-colour overrides the cli and disables the colour in all output ;))

pvdl commented 10 years ago

@FireFart, aha. I did not do a compare between the branches, but saw all the commits in the layout-branch. All these commits are to make the layout-branch as equal as possible to the master branch.

A bundle install solved the red errors.

All is fine now!

pvdl commented 10 years ago

No colours: 'Pipe' terminal output through:

sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]//g"

This command removes the 'Terminal Escape Sequence codes'
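An added example (not WPScan code and not written by the thread's participants) that puts the colour switch proposed for `colorize` next to an escape-sequence stripper. It goes beyond the sed expression above by also removing sequences with more than two parameters or three-digit values, such as 256-colour codes. `Formatter`, `TAG_COLORS`, `strip_ansi` and the sample lines are assumptions made for illustration.

```ruby
# Added example, not WPScan code: TAG_COLORS, Formatter and strip_ansi are hypothetical names.

# SGR colour codes for tags proposed in the issue ([!] red, [-] amber, [i] blue).
TAG_COLORS = { '[!]' => 31, '[-]' => 33, '[i]' => 34 }.freeze

# Same parameter limits as the sed expression in the thread:
# at most two parameters of one or two digits each.
SED_PATTERN = /\e\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]/

# Broader pattern: any number of ;-separated numeric parameters, final byte m or K.
CSI_PATTERN = /\e\[[0-9;]*[mK]/

class Formatter
  def initialize(color: true)
    @color = color
  end

  # Wraps text in an SGR sequence only when colour is enabled.
  def colorize(text, color_code)
    return text.to_s unless @color

    "\e[#{color_code}m#{text}\e[0m"
  end

  # Colours only the tag (point 3 of the issue); the message stays plain.
  def line(tag, message)
    code = TAG_COLORS[tag]
    shown = code ? colorize(tag, code) : tag
    "#{shown} #{message}"
  end
end

# Removes colour and erase-in-line sequences, e.g. before writing output to a log file.
def strip_ansi(text, pattern = CSI_PATTERN)
  text.gsub(pattern, '')
end

# Constructed sample lines: a basic SGR sequence and a 256-colour one.
BASIC = Formatter.new.line('[!]', 'Title: sample finding')
EXTENDED = "\e[38;5;196m[!]\e[0m Title: sample finding"

if __FILE__ == $PROGRAM_NAME
  puts strip_ansi(BASIC).inspect
  puts strip_ansi(EXTENDED, SED_PATTERN).inspect # 256-colour prefix survives
  puts strip_ansi(EXTENDED).inspect
end
```

With the narrower pattern the `\e[38;5;196m` prefix stays in the text, so output piped to a file can still carry escape bytes; the broader pattern removes it.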

firefart commented 10 years ago

What do you say about @pvdl 's changes to the layout branch? Should we merge it?

firefart commented 10 years ago

Ok there are some merge conflicts :(

pvdl commented 10 years ago

@FireFart , I'll try to solve it and merge it. Be patient. This week less time.