Closed pvdl closed 9 years ago
:+1:
Release same day as WPVULNDB?
@ethicalhack3r, do you have a date in mind?
Will find out what day the talk is on, will email some people at BruCON.
Will be 25th or 26th I think
The error in the --stats is caused by something unexpected in the theme_vulns.json:
{"dailydeal":{"vulnerabilities":[]}}
That should not be in the json :D
@erwanlr huh, I will have to look into that
@pvdl Friday 26th September
What do you think of Arachni style license for next release to prevent people commercialising WPScan? - http://www.arachni-scanner.com/license/
:+1: for the updated license. When we switch over to the new DB, we should also update the license to reflect the commercial use.
Does github provide a way to have the checksum of a raw file ?
I was thinking to implement the download of the data files with the --update option when the wpscan install does not contain git (i.e for Kali users)
The Github API does provide a sha1 hash but i'm not sure if it's the sha1 hash of the actual file - https://developer.github.com/v3/repos/contents/#get-contents
Doesn't seem to be the sha1 of the file :(
If we add the database to a seperate GitHub Repo (as discussed before, using submodules), you yould use the latest commit hash of the repo.
@FireFart moved repo to https://github.com/wpscanteam/vulndb
Data there currently contains some test data, will update with correct data soon
Updated with latest data from this repo
I could set up a seperate branch on wpscan and add the database to it if you like
I'm not sure that the API can push to a branch and if the wpvulndb user can be restricted to one. Could submodules work with the https://github.com/wpscanteam/vulndb repo?
I will add a sample to the branch, hang on and you will see :)
@ethicalhack3r https://github.com/wpscanteam/wpscan/tree/submodule
the other files like wp_version.xml and so on need to be added to the new vulndb repo to get this working correctly
another idea would be to provide the database as a GEM and update the gem via travis and a commit hook (or another build system)
Ah! cool!
Do all files in /data need moving to vulndb repo?
jeah i currently used the data/ as a submodule, so the other files would need to go there as well
Workflow would be: -) Push changes to wpvulndb repo -) Update db reference to latest commit hash in wpscan repo
On development installations you need to: git clone .... git submodule init git submodule update
a git pull will not update your submodule, so that's a manual step.
But maybe we can enforce the --update switch this way
How is this bit done? "Update db reference to latest commit hash in wpscan repo"
Not sure if that can be done via the API :-/
Might have to just do everything from CLI on the web server (automated)
hm maybe we can file a bug on the github_api gem if a submodule updating can be implemented?
@FireFart :
<_Phy_> ethicalhack3r, does the submodule thing will work in Kali ?
<ethicalhack3r> _Phy_ not sure, I don’t see why not, even if it doesn’t it shouldn’t be an issue if we “pre-seed” wpscan with the current databases
<ethicalhack3r> on every release we update the wpscan repo with the latest database, to update before a release can use the —update command
<_Phy_> not sure to correctly understand :D, the point of the DB is to be able to provide updates w/o having to update the wpscan code, right ?
<_Phy_> so, in Kali, if I do a --update, I would expect the DB to be updated
<_Phy_> w/o having to update to wpscan 2.4.2 for example
<_Phy_> 'Do all files in /data need moving to vulndb repo?' -> yea, would be better I think :)
<ethicalhack3r> _Phy_: yea, you’re right, I’m not sure if submodule would work in Kali
<_Phy_> and even if it works, the submodule is linked to a specific commit of the db repo, so it would require to update wpscan anyway ? :/
<ethicalhack3r> hmmm… good point...
<ethicalhack3r> we need FireFart for clarification :)
Instead of submodules can WPScan not just grab the raw file?
See IRC :p
I recommend when brute force the password, first crack the same password as Username. eg: user:lovecat password:lovecat
most people use password looks like username :)
@n0task, Please make a new issue of this request. Personally, I like the idea
Updated To do list
wpstools.rb -s
should be fixed when using latest database files from https://github.com/wpscanteam/vulndb. Issue was data parsed from XML didn't lowercase the theme names. All old theme & plugin names now lowercased.
checked: wpstools.rb -s
works fine now.
Created a vdb_intergration branch which outputs a link to the new DB within the references output. Please merge before release and change "CHANGE_ME_BEFORE_MERGE" string to the actual vdb URL.
I've added the TODOs in pvdl's first comment.
@wpscanteam/owners Can someone do the Pre release activities (25th September 12:00)?
2 of the 4 tasks done
vdb_intergration merge will be done tomorrow morning
vdb_intergration done
Will do changelog task now.
Ok we can: Tag / Commit / Release
tagged
Good moment to release a new version of WPScan. Because: WordPress 4.0, BruCON 2014 is near.
Maybe @ethicalhack3r likes to make some preps before releasing due to the db change. Let us know!
E.g. (I found that wpstools --stats is 'broken': [ERROR] nil can't be coerced into Fixnum)To do List:
Pre release activities (25th September 12:00)
Freeze period
Release 2.5 (26 September +/- 12:00)
Afterwards