Plecost - WordPress Fingerprinting Tool

Plecost - WordPress Fingerprinting Tool

Plecost is a vulnerability fingerprinting and vulnerability finder for Wordpress blog engine.

Plecost Running

Installation

Using Pypi:
> python3 -m pip install plecost
Remember that Plecost3 only runs in Python 3.

Using Docker:
You can run Plecost using Docker:
> docker run --rm iniqua/plecost {ARGS}
Where {ARGS} is any valid argument of Plecost. A real example could be:
> docker run --rm iniqua/plecost -nb -w plugin_list_10.txt http://SITE.com

Usage:

Scan a website:
> plecost http://SITE.com
A bit complex scan: increasing verbosity exporting results in JSON format and XML:
> plecost -v http://SITE.com -o results.json
> plecost -v http://SITE.com -o results.xml

Advanced scan options:

No check WordPress version, only for plugins:
> plecost -nc http://SITE.com
Force scan, even if not Wordpress was detected:
> plecost -f http://SITE.com
Display only the short banner:
> plecost -nb http://SITE.com
List available wordlists:
> plecost -nb -l
// Plecost - Wordpress finger printer Tool - v1.0.0
Available word lists:
   1 - plugin_list_10.txt
   2 - plugin_list_100.txt
   3 - plugin_list_1000.txt
   4 - plugin_list_250.txt
   5 - plugin_list_50.txt
   6 - plugin_list_huge.txt
Select a wordlist in the list:
> plecost -nb -w plugin_list_10.txt http://SITE.com
Increasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!)
> plecost --concurrency 10 http://SITE.com
Or...
> plecost -c 10 http://SITE.com
For more options, consult the --help command:
> plecost -h
Updating vulnerability database:
> plecost --update-cve
Updating plugin list:
> plecost --update-plugins

Plecost has a local vulnerability database of Wordpress and WordPress plugins. You can consult it in off-line mode.

Listing all known plugins with vulnerabilities:
> plecost -nb --show-plugins

// Plecost - Wordpress finger printer Tool - v1.0.0

[*] Plugins with vulnerabilities known:
  { 0 } - acobot_live_chat_%26_contact_form
  { 1 } - activehelper_livehelp_live_chat
  { 2 } - ad-manager
  { 3 } - alipay
  { 4 } - all-video-gallery
  { 5 } - all_in_one_wordpress_security_and_firewall
  { 6 } - another_wordpress_classifieds_plugin
  { 7 } - anyfont
  { 8 } - april%27s_super_functions_pack
  { 9 } - banner_effect_header
  { 10 } - bannerman
  { 11 } - bib2html
  { 12 } - bic_media_widget
  { 13 } - bird_feeder
  { 14 } - blogstand-smart-banner
  { 15 } - blue_wrench_video_widget
  ...

Show vulnerabilities of a concrete plugin:
> plecost -nb -vp google_analytics

// Plecost - Wordpress finger printer Tool - v1.0.0

[*] Associated CVEs for plugin 'google_analytics':

  { 0 } - CVE-2014-9174:

           Affected versions:

           <0> - 5.1.2
           <1> - 5.1.1
           <2> - 5.1
           <3> - 5.1.0
[*] Done!

Show details of a concrete CVE:
> plecost -nb --cve CVE-2014-9174

// Plecost - Wordpress finger printer Tool - v1.0.0

[*] Detail for CVE 'CVE-2014-9174':

  Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast
  (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote
  attackers to inject arbitrary web script or HTML via the "Manually enter your UA
  code" (manual_ua_code_field) field in the General Settings.

[*] Done!




Source: www.effecthacking.com
Plecost - WordPress Fingerprinting Tool Plecost - WordPress Fingerprinting Tool Reviewed by Unknown on 12:51 AM Rating: 5