wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

WPScan 2.5 release #682

Closed pvdl closed 9 years ago

pvdl commented 10 years ago

Good moment to release a new version of WPScan. Because: WordPress 4.0, BruCON 2014 is near.

Maybe @ethicalhack3r likes to make some preps before releasing due to the db change. Let us know! E.g. (I found that wpstools --stats is 'broken': [ERROR] nil can't be coerced into Fixnum)

To do List:

Pre release activities (25th September 12:00)

Freeze period

Release 2.5 (26 September +/- 12:00)

Afterwards

ethicalhack3r commented 10 years ago

:+1:

Release same day as WPVULNDB?

pvdl commented 10 years ago

@ethicalhack3r, do you have a date in mind?

ethicalhack3r commented 10 years ago

Will find out what day the talk is on, will email some people at BruCON.

Will be 25th or 26th I think

erwanlr commented 10 years ago

The error in the --stats is caused by something unexpected in the theme_vulns.json:

{"dailydeal":{"vulnerabilities":[]}}

That should not be in the json :D

ethicalhack3r commented 10 years ago

@erwanlr huh, I will have to look into that

@pvdl Friday 26th September

What do you think of Arachni style license for next release to prevent people commercialising WPScan? - http://www.arachni-scanner.com/license/

firefart commented 10 years ago

:+1: for the updated license. When we switch over to the new DB, we should also update the license to reflect the commercial use.

erwanlr commented 10 years ago

Does GitHub provide a way to get the checksum of a raw file?

I was thinking of implementing the download of the data files with the --update option when the wpscan install does not contain git (i.e. for Kali users)

ethicalhack3r commented 10 years ago

The GitHub API does provide a sha1 hash but I'm not sure if it's the sha1 hash of the actual file - https://developer.github.com/v3/repos/contents/#get-contents

erwanlr commented 10 years ago

Doesn't seem to be the sha1 of the file :(
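
Why the two values differ, as an added example that is not part of the original thread or WPScan's code: the `sha` field of the contents API is the git blob object id, which hashes a `blob <size>\0` header in front of the file bytes. The helper name `download_matches?` and the sample response are constructed for illustration.

```ruby
require 'digest'
require 'json'

# Git object id of a file: SHA-1 over the header "blob <bytesize>\0"
# followed by the raw bytes. This is the value git stores as the blob id.
def git_blob_sha1(content)
  bytes = content.b
  Digest::SHA1.hexdigest("blob #{bytes.bytesize}\0".b + bytes)
end

# Plain SHA-1 of the bytes, i.e. what `sha1sum file` prints.
def plain_sha1(content)
  Digest::SHA1.hexdigest(content.b)
end

# Hypothetical helper: compare a downloaded data file with the "sha" and
# "size" fields of a contents API response. Returns true only on a match.
def download_matches?(api_response_json, downloaded)
  meta = JSON.parse(api_response_json)
  expected = meta.fetch('sha').to_s.downcase
  raise ArgumentError, 'sha is not 40 hex characters' unless expected.match?(/\A\h{40}\z/)
  return false if meta.key?('size') && meta['size'] != downloaded.bytesize

  git_blob_sha1(downloaded) == expected
end

# Constructed sample: a trimmed-down API response for a 12-byte file.
SAMPLE_BODY = "hello world\n"
SAMPLE_RESPONSE = JSON.generate(
  'name' => 'sample.json',
  'size' => SAMPLE_BODY.bytesize,
  'sha'  => '3b18e512dba79e4c8300dd08aeb37f8e728b8dad'
)

if __FILE__ == $PROGRAM_NAME
  puts "plain sha1:      #{plain_sha1(SAMPLE_BODY)}"
  puts "git blob sha1:   #{git_blob_sha1(SAMPLE_BODY)}"
  puts "matches API sha: #{download_matches?(SAMPLE_RESPONSE, SAMPLE_BODY)}"
  puts "modified copy:   #{download_matches?(SAMPLE_RESPONSE, "hello World\n")}"
end
```

A match shows the downloaded bytes equal what the API reported; it does not authenticate the data beyond the TLS connection to the API.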

firefart commented 10 years ago

If we add the database to a separate GitHub Repo (as discussed before, using submodules), you could use the latest commit hash of the repo.

ethicalhack3r commented 10 years ago

@FireFart moved repo to https://github.com/wpscanteam/vulndb

Data there currently contains some test data, will update with correct data soon

ethicalhack3r commented 10 years ago

Updated with latest data from this repo

firefart commented 10 years ago

I could set up a separate branch on wpscan and add the database to it if you like

ethicalhack3r commented 10 years ago

I'm not sure that the API can push to a branch and if the wpvulndb user can be restricted to one. Could submodules work with the https://github.com/wpscanteam/vulndb repo?

firefart commented 10 years ago

I will add a sample to the branch, hang on and you will see :)

firefart commented 10 years ago

@ethicalhack3r https://github.com/wpscanteam/wpscan/tree/submodule

firefart commented 10 years ago

the other files like wp_version.xml and so on need to be added to the new vulndb repo to get this working correctly

firefart commented 10 years ago

another idea would be to provide the database as a GEM and update the gem via travis and a commit hook (or another build system)

ethicalhack3r commented 10 years ago

Ah! cool!

Do all files in /data need moving to vulndb repo?

firefart commented 10 years ago

Yeah, I currently used the data/ as a submodule, so the other files would need to go there as well

Workflow would be:
-) Push changes to wpvulndb repo
-) Update db reference to latest commit hash in wpscan repo

On development installations you need to:
git clone ....
git submodule init
git submodule update

a git pull will not update your submodule, so that's a manual step.

But maybe we can enforce the --update switch this way

ethicalhack3r commented 10 years ago

How is this bit done? "Update db reference to latest commit hash in wpscan repo"

firefart commented 10 years ago

http://stackoverflow.com/a/8191413

ethicalhack3r commented 10 years ago

Not sure if that can be done via the API :-/

Might have to just do everything from CLI on the web server (automated)

firefart commented 10 years ago

hm maybe we can file a bug on the github_api gem if a submodule updating can be implemented?

erwanlr commented 10 years ago

@FireFart :

<_Phy_> ethicalhack3r, does the submodule thing will work in Kali ?
<ethicalhack3r> _Phy_ not sure, I don’t see why not, even if it doesn’t it shouldn’t be an issue if we “pre-seed” wpscan with the current databases
<ethicalhack3r> on every release we update the wpscan repo with the latest database, to update before a release can use the --update command
<_Phy_> not sure to correctly understand :D, the point of the DB is to be able to provide updates w/o having to update the wpscan code, right ?
<_Phy_> so, in Kali, if I do a --update, I would expect the DB to be updated
<_Phy_> w/o having to update to wpscan 2.4.2 for example
<_Phy_> 'Do all files in /data need moving to vulndb repo?' -> yea, would be better I think :)
<ethicalhack3r> _Phy_: yea, you’re right, I’m not sure if submodule would work in Kali
<_Phy_> and even if it works, the submodule is linked to a specific commit of the db repo, so it would require to update wpscan anyway ? :/
<ethicalhack3r> hmmm… good point...
<ethicalhack3r> we need FireFart for clarification :)

ethicalhack3r commented 10 years ago

Instead of submodules can WPScan not just grab the raw file?

erwanlr commented 10 years ago

See IRC :p

n0task commented 10 years ago

I recommend, when brute forcing the password, first trying the same password as the username, e.g. user:lovecat password:lovecat

Most people use a password that looks like their username :)

pvdl commented 10 years ago

@n0task, Please make a new issue of this request. Personally, I like the idea

pvdl commented 9 years ago

Updated To do list

ethicalhack3r commented 9 years ago

wpstools.rb -s should be fixed when using latest database files from https://github.com/wpscanteam/vulndb. Issue was data parsed from XML didn't lowercase the theme names. All old theme & plugin names now lowercased.

pvdl commented 9 years ago

checked: wpstools.rb -s works fine now.

ethicalhack3r commented 9 years ago

Created a vdb_intergration branch which outputs a link to the new DB within the references output. Please merge before release and change "CHANGE_ME_BEFORE_MERGE" string to the actual vdb URL.

I've added the TODOs in pvdl's first comment.

pvdl commented 9 years ago

@wpscanteam/owners Can someone do the Pre release activities (25th September 12:00)?

erwanlr commented 9 years ago

2 of the 4 tasks done

erwanlr commented 9 years ago

vdb_intergration merge will be done tomorrow morning

ethicalhack3r commented 9 years ago

vdb_intergration done

pvdl commented 9 years ago

Will do changelog task now.

pvdl commented 9 years ago

Ok we can: Tag / Commit / Release

erwanlr commented 9 years ago

tagged

ethicalhack3r commented 9 years ago

https://bugs.kali.org/view.php?id=1746