wpscan --update

[9andrea1]

root@kali:~# wpscan --update

---

    __          _______   _____                  
    \ \        / /  __ \ / ____|                 
     \ \  /\  / /| |__) | (___   ___  __ _ _ __  
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team 
                   Version 2.6
      Sponsored by Sucuri - https://sucuri.net

@WPScan, @ethicalhack3r, @erwan_lr, pvdl, @FireFart

---

[i] Updating the Database ...

themes.txt: checksums do not match

[ethicalhack3r]

Hmmm... works for me on a non-Kali install using latest Github code (v.2.7):

$ ./wpscan.rb --update
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[ethicalhack3r]

Confirmed with another Kali user that they get the same error

[ethicalhack3r]

Apologies for the issues. Should be fixed now. Looks like the themes.txt.sha512 file did not get pushed from wpvulndb to our github repo for some reason. This hasn't happened before and the github repo is due to be deprecated but we'll keep an eye on it.

[9andrea1]

got it. it works now. thank you for the quick fix

[grrowl]

I"m having the same issue with plugins_full.txt:

➜  wpscan git:(master) ./wpscan.rb --update
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...

plugins_full.txt: checksums do not match

[ethicalhack3r]

I can't seem to replicate this. I did a fresh git clone and then wpscan update without errors.

git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
./wpscan.rb --update

[SwaroopH]

Can replicate it:

swap@ubuntu:~/code/wpscan$ ./wpscan.rb --update

---

    __          _______   _____                  
    \ \        / /  __ \ / ____|                 
     \ \  /\  / /| |__) | (___   ___  __ _ _ __  
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team 
                   Version 2.7
      Sponsored by Sucuri - https://sucuri.net

@WPScan, @ethicalhack3r, @erwan_lr, pvdl, @FireFart

---

[i] Updating the Database ...

plugins_full.txt: checksums do not match swap@ubuntu:~/code/wpscan$ git status On branch master Your branch is up-to-date with 'origin/master'.

[ethicalhack3r]

There seems to be an issue with exporting the data from wpvulndb:

Mysql2::Error: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation

Happens with plugins/themes with names like addthischina-收藏分享按钮插件.

Looking into it now

[ethicalhack3r]

Is this working for you now?

[grrowl]

➜  wpscan git:(master) ✗ ./wpscan.rb --update --verbose
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[+] Checking local_vulnerable_files.xml
  [i] Already Up-To-Date
[+] Checking local_vulnerable_files.xsd
  [i] Already Up-To-Date
[+] Checking plugins_full.txt
  [i] Needs to be updated
  [i] Backup Created
  [i] Downloading new file
  [i] Downloaded File Checksum: fa918e51bb7f4a02ae41162ff6ba4b771718d984dfbd6597c861f83c8ce3597828f9c4fe114618079fb1dff5afe023ee19237e4fa1709a268aff418eba19cf54
  [i] Database File Checksum: c726664cf7172061a96b38c129db1d0fffa609a7003ab47dba0146bfa74c8aac5dadad3d7f6268c3498d4cd23b3e20bca5315682688aeae5418bf5ec52c37e82
  [i] Restoring Backup due to error
  [i] Deleting Backup

plugins_full.txt: checksums do not match
Trace:
/Users/tom/Documents/repos/wpscan/lib/common/db_updater.rb:105:in `block in update'
/Users/tom/Documents/repos/wpscan/lib/common/db_updater.rb:84:in `each'
/Users/tom/Documents/repos/wpscan/lib/common/db_updater.rb:84:in `update'
./wpscan.rb:50:in `main'
./wpscan.rb:416:in `<main>'

I added the "Database File Checksum" myself. Commenting out the fail command at least allows it to update but I'm unsure which end is miscalculating or caching a checksum

[firefart]

@grrowl can you try to delete the content of your data directory and doing a fresh sync? I just checked the checksum files on the server and they should all match

[grrowl]

Okay, the issue seems to be resolved but not ideally: http://pastebin.com/rieNrcwJ

After deleting data, the subsequent update couldn't connect, then checksums did not match, but the last run with --verbose was successful. It seems like the server returns the wrong checksum some of the time?

[firefart]

@erwanlr can this be caused by typhoeus caching? Maybe typhoeus caches some old sha512 files. The server set's a high expiration date on the data files if that helps.

[erwanlr]

The cache dir is cleared before each scan / update, so nop it's not it (and it does not consider the expiration set by the server)

I was never able to reproduce this issue on Mac OSX nor Debian :/

[firefart]

@grrowl can you maybe try the failed updates with burp as a proxy?

ruby wpscan.rb --proxy http://127.0.0.1:8080 --update

I'm interested in the response when you get a checksum missmatch, and if there are any connect errors in the alert tab in burp.

[SwaroopH]

Tried with burp:

Unable to get https://wpvulndb.com/data/local_vulnerable_files.xml.sha512

It throws that error with/without burp.

I am able to download that file just fine with curl/firefox:

d9075b1f50ded87611d6eef70b2f08e2bdd21ef0eceaeaaff26aa23cbe00731009ccfdf1166eac4537eeb10d83050501222e6cdc3e5fc28daf430ef84156b27b

[firefart]

@SwaroopH @grrowl are you sitting behind a web proxy or are you connected directly(or NAT) to the internet?

[grrowl]

It was only a problem at work, I'll try to recreate at home via burp or Charles, otherwise will try at work on tuesday

[erwanlr]

Might be related to https://github.com/wpscanteam/wpscan/issues/797, i.e slow network causing the update to timeout on some files which is now fixed.

[zyaboutblank]

I met this question and found update my wpscan using apt-get directly is ok.

[gabspecter]

Someone can help me I use the Kali Linux , my WPScan Version 2.9 do not want to update the database, you are accusing an error in PLUGINS.JSON . What should I do to update

root@root:~/wpscan# ruby wpscan.rb -u www.exemple.com -e user

---

    __          _______   _____                  
    \ \        / /  __ \ / ____|                 
     \ \  /\  / /| |__) | (___   ___  __ _ _ __  
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team 
                   Version 2.9
      Sponsored by Sucuri - https://sucuri.net

@WPScan, @ethicalhack3r, @erwan_lr, pvdl, @FireFart

---

[i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]y [i] Updating the Database ... [!] Unable to get https://data.wpscan.org/plugins.json (Timeout was reached) root@root:~/wpscan#

[firefart]

@stifler171 can you please post the output of curl --version and curl -I https://data.wpscan.org/plugins.json? Also how did you get to this version? Have you cloned the github repo or installed some system package?

[gabspecter]

I cloned the github

[firefart]

@stifler171 so can you please post the output of the 2 commands above?

[firefart]

@stifler171 also this is my output on a freshly updated kali box:

root@kali:~# git clone https://github.com/wpscanteam/wpscan.git
Cloning into 'wpscan'...
remote: Counting objects: 15184, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 15184 (delta 0), reused 0 (delta 0), pack-reused 15177
Receiving objects: 100% (15184/15184), 12.98 MiB | 3.36 MiB/s, done.
Resolving deltas: 100% (8974/8974), done.
Checking connectivity... done.
root@kali:~# cd wpscan/
root@kali:~/wpscan# ./wpscan.rb --update
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.
root@kali:~/wpscan# 

[gabspecter]

@FireFart Thank you for your help! But I do not know how I can get the same commands the ones you posted .

I just installed WpScan the command that GitHub offers

more when I ultilizo the camando

wpscan --url www.exemple.com --enumerate -u

well it works, no more calls to make UPDATE he does direct varedura .

[gabspecter]

@FireFart root@root:~/wpscan# ./wpscan.rb --update --verbose

---

    __          _______   _____                  
    \ \        / /  __ \ / ____|                 
     \ \  /\  / /| |__) | (___   ___  __ _ _ __  
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team 
                   Version 2.9
      Sponsored by Sucuri - https://sucuri.net

@WPScan, @ethicalhack3r, @erwan_lr, pvdl, @FireFart

---

[i] Updating the Database ... [+] Checking local_vulnerable_files.xml [i] Already Up-To-Date [+] Checking local_vulnerable_files.xsd [i] Already Up-To-Date [+] Checking timthumbs.txt [i] Already Up-To-Date [+] Checking user-agents.txt [i] Already Up-To-Date [+] Checking wp_versions.xml [i] Already Up-To-Date [+] Checking wp_versions.xsd [i] Already Up-To-Date [+] Checking wordpresses.json [i] Already Up-To-Date [+] Checking plugins.json [i] Needs to be updated [i] Backup Created [i] Downloading new file [i] Restoring Backup due to error

[!] Unable to get https://data.wpscan.org/plugins.json (Timeout was reached) [!] Trace: [!] /root/wpscan/lib/common/db_updater.rb:75:in download' /root/wpscan/lib/common/db_updater.rb:97:inblock in update' /root/wpscan/lib/common/db_updater.rb:82:in each' /root/wpscan/lib/common/db_updater.rb:82:inupdate' ./wpscan.rb:73:in main' ./wpscan.rb:470:in

' root@root:~/wpscan#

[firefart]

@stifler171 as said before, please post the output of curl --version and curl -I https://data.wpscan.org/plugins.json