wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Search also for 'sitemap.xml.gz' #695

Closed pvdl closed 9 years ago

pvdl commented 10 years ago

This is the compressed version.

firefart commented 10 years ago

????? What do you mean with this issue? The site is generated using github pages and the sitemap gem.

firefart commented 10 years ago

Or do you mean wpscan should detect a sitemap?

fgeek commented 10 years ago

WPScan of course.

firefart commented 10 years ago

Yeah, but the normal sitemap.xml is currently only checked to determine the WordPress version. Did you mean this, or do you want a passive detection of sitemaps?

pvdl commented 10 years ago

I mean: WPScan searches for the existence of sitemap.xml but should also search for sitemap.xml.gz to determine the version. In case a website doesn't have the default sitemap.xml, maybe there is a compressed one: sitemap.xml.gz

ethicalhack3r commented 10 years ago

We only use sitemap.xml for version detection I think, which comes by default with WP. I don't think WP creates a sitemap.xml.gz file by default so I assume it probably won't contain any useful info (wp version) if in the rare cases that it does exist.

erwanlr commented 10 years ago

Do you have an example of sitemap.xml.gz containing the version ?

pvdl commented 10 years ago

Hunting for a real-world example. I saw on the internet a discussion about the compressed .gz WordPress sitemap (sorry, didn't bookmark it :( )

fgeek commented 10 years ago

I was unable to find sites with sitemap.xml.gz without sitemap.xml file.

pvdl commented 10 years ago

@fgeek, I 'agree' there are not many sites which have ONLY the .gz file. Maybe none have ONLY the .gz file. Google dork: inurl:sitemap.xml.gz

Example: http://onespokane.com/sitemap.xml http://onespokane.com/sitemap.xml.gz

The dilemma is: Make a search for 'very unique' circumstances or not.

fgeek commented 10 years ago

Agreed. At least the .gz file should be in "Interesting files" section if not in version detection logic if it is not already there. I have at least noticed that .xml was updated but .xml.gz was not. I'm not sure if this is very useful information. Maybe with verbose mode activated?

Just throwing ideas out in the open :)
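To illustrate the proposal in this thread (try sitemap.xml.gz alongside sitemap.xml and run the same version check on the inflated content), here is an added Ruby example; it is not WPScan's code. The generator-comment regex and the two paths are assumptions for the example, and the sample sitemap is constructed.

```ruby
require 'zlib'

# Pattern assumed for this example: sitemap plugins leave a comment such as
# <!-- generator="wordpress/4.1.1" -->, which is what a sitemap-based
# version check keys on.
GENERATOR_RE = /generator="wordpress\/([\d.]+)"/i
GZIP_MAGIC = "\x1f\x8b".b

# Return the sitemap body as text, inflating it when it is a gzip archive
# (sitemap.xml.gz). Returns nil for a corrupt or truncated archive.
def inflate_if_gzipped(body)
  raw = body.b
  return raw unless raw.start_with?(GZIP_MAGIC)
  Zlib.gunzip(raw)
rescue Zlib::Error
  nil
end

# Extract the WordPress version advertised in a plain or gzipped sitemap,
# or nil when the body carries no generator comment.
def sitemap_wp_version(body)
  text = inflate_if_gzipped(body)
  return nil if text.nil?
  m = text.match(GENERATOR_RE)
  m && m[1]
end

# Try both candidate paths. `fetch` is a callable returning the response
# body for a path (or nil for a 404), so this runs offline with canned data.
# Result: { path => version } for every path that leaks a version.
def check_sitemaps(fetch)
  %w[/sitemap.xml /sitemap.xml.gz].each_with_object({}) do |path, found|
    body = fetch.call(path)
    next if body.nil?
    version = sitemap_wp_version(body)
    found[path] = version if version
  end
end

# Constructed sample sitemap (not taken from any real site).
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- generator="wordpress/4.1.1" -->
  <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"></urlset>
XML

if __FILE__ == $PROGRAM_NAME
  # A site that serves only the compressed sitemap, the case raised above.
  canned = { '/sitemap.xml' => nil, '/sitemap.xml.gz' => Zlib.gzip(SAMPLE_XML) }
  p check_sitemaps(->(path) { canned[path] }) # {"/sitemap.xml.gz"=>"4.1.1"}
end
```

A site owner can run the same check against their own exported sitemaps to see whether either file advertises the installed version.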

pvdl commented 10 years ago

Yeah. That's a good solution. :+1: @fgeek and @erwanlr

ethicalhack3r commented 9 years ago

Being tracked here - https://github.com/wpscanteam/CMSScanner/issues/8

Closing