CMS/LMS/Library etc Versions Fingerprinter
The goal of this script is to find the version of a remote application, third-party script, library, etc. using a fingerprinting approach: known files of each version are hashed, and the hashes observed on the target are compared against that database.
Installation, inside the cloned repo directory:

$ gem install bundler
$ bundle install

Or, where a package is available through pacman:

$ sudo pacman -S fingerprinter
How to check the version manually, per application/library (the fingerprint, and where to look for it):

- django CMS: <div class="cms_toolbar-item cms_toolbar-item-logo"><a href="/" title="---VERSION---">django CMS</a></div> (the version string appears in place of ---VERSION---)
- WordPress plugins: -a wordpress-plugin --app-params <plugin-slug> [DB source: WPVulnDB/WPScan]
- WordPress themes: -a wordpress-theme --app-params <theme-slug> [DB source: WPVulnDB/WPScan]
- angular.version, in the Web Dev console of the Web browser on a page where the lib is loaded
- $().jquery or jQuery().jquery, in the Web Dev console of the Web browser on a page where the lib is loaded
- $.fn.jquery or jQuery.fn.jquery, in the Web Dev console of the Web browser on a page where the lib is loaded
- mustache.version, in the file
- var v,Aj=, in the file
- moment.version, in the Web Dev console of the Web browser on a page where the lib is loaded

Full fingerprint mode: every fingerprint in the DB for the given app is tested against the target.

./fingerprinter.rb --app-name wordpress --fingerprint http://target.com/blog/
Unique fingerprint mode: only the unique fingerprints (hashes that occur in exactly one of the application's version files) are tested.
This mode is faster than the previous one, and more reliable. However, it is possible that an application version has no unique fingerprints at all (Apache Icons, for example, only has 2 unique fingerprints for version 2.4.4 and none for the other versions), in which case this mode cannot identify that version.

./fingerprinter.rb --app-name wordpress --unique-fingerprint http://target.com/blog/
Passive fingerprint mode: the homepage of the target is scanned for included resources such as JavaScript files, images and so on, which are then checked against the DB.

./fingerprinter.rb --app-name wordpress --passive-fingerprint http://target.com/blog/
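To make the difference between the full and the unique fingerprint modes concrete, here is an added Ruby example; it is not the project's code, and the DB layout (version => { path => md5 }) and the file contents are constructed for the example, the real db/<app-name>.json format being outside this page. The sample DB mirrors the Apache Icons caveat above: two versions ship identical files, so only the third has unique fingerprints.

```ruby
require 'digest'

def md5(s); Digest::MD5.hexdigest(s); end

# Constructed sample DB (assumed layout, not the project's real db file):
# version => { "relative/path" => md5 of that file in that version }.
SAMPLE_DB = {
  "2.4.3" => { "icons/a.gif" => md5("a-v1"), "icons/b.gif" => md5("b-v1"), "readme.html" => md5("readme-v1") },
  "2.4.4" => { "icons/a.gif" => md5("a-v1"), "icons/b.gif" => md5("b-v2"), "readme.html" => md5("readme-v2") },
  "2.4.5" => { "icons/a.gif" => md5("a-v1"), "icons/b.gif" => md5("b-v1"), "readme.html" => md5("readme-v1") },
}.freeze

# Unique-fingerprint selection: keep only (path, hash) pairs whose hash
# occurs in exactly one version across the whole DB.
def unique_fingerprints(db)
  counts = Hash.new(0)
  db.each_value { |files| files.each_value { |h| counts[h] += 1 } }
  db.transform_values { |files| files.select { |_, h| counts[h] == 1 } }
end

# Full mode: a version stays a candidate only if every observed
# (path, hash) pair for a path it knows about matches its record.
def full_fingerprint(db, observed)
  db.select do |_, files|
    observed.all? { |path, h| !files.key?(path) || files[path] == h }
  end.keys
end

# Unique mode: the first observed pair that hits a unique fingerprint
# settles the version; nil means this mode cannot pin the target down.
def unique_fingerprint(db, observed)
  unique_fingerprints(db).each do |ver, files|
    return ver if observed.any? { |path, h| files[path] == h }
  end
  nil
end

if __FILE__ == $0
  # Constructed observation: hashes of files fetched from a target.
  observed = { "icons/a.gif" => md5("a-v1"), "icons/b.gif" => md5("b-v1") }
  p unique_fingerprints(SAMPLE_DB).transform_values(&:keys)
  p full_fingerprint(SAMPLE_DB, observed)   # two versions remain ambiguous
  p unique_fingerprint(SAMPLE_DB, observed) # nil: no unique hash was seen
end
```

Full mode narrows the version set but may leave several candidates; unique mode answers with one version or none, which is why both are worth running when a version has few unique files.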
-p, --proxy PROXY Proxy to use during the fingerprinting
--timeout SECONDS The number of seconds for the request to be performed, default 20s
--connect-timeout SECONDS The number of seconds for the connection to be established before timeout, default 5s
--cookies-file, --cf FILE-PATH The cookies file to use during the fingerprinting
--cookies-string, --cs COOKIE/S The cookies string to use in requests
--user-agent, --ua UA User-Agent to use in all fingerprinting requests
-d, --db PATH-TO-DB Path to the db of the app-name (default is db/<app-name>.json)
-u, --update Update the db of the app-name
-m, --manual DIRECTORY-PATH To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
--version Used with --manual to set the version of the processed fingerprints
--update-all Update all the apps, except the wordpress plugins and themes
-v, --verbose Verbose Mode
Example: add the file fingerprints from /tmp/test into the Liferay DB for v6.2
./fingerprinter.rb -a liferay --update --manual /tmp/test --version 6.2
Along with the --app-name option (or -a), the database can be searched:
--list-version, --lv List all the known versions in the DB for the given app
--list-files, --lf VERSION List all files related to the version for the given app
--list-unique-fingerprints, --luf VERSION List the unique hashes related to the files for the supplied version of the app
--search-hash, --sh HASH Search the hash and output the app-name versions & file
--search-file, --sf FILE Search the file (i.e. --sf read will return aread.txt, readme.html, etc.) and output the app-name versions & hashes
Example: list all the unique fingerprints for WordPress 3.8.1
./fingerprinter.rb -a wordpress --luf 3.8.1
Full usage output:

Usage: ./fingerprinter.rb [options]
-p, --proxy PROXY Proxy to use during the fingerprinting
--timeout SECONDS The number of seconds for the request to be performed, default 20s
--cookies-file, --cf FILE-PATH The cookies file to use during the fingerprinting
--cookies-string, --cs COOKIE/S The cookies string to use in requests
--user-agent, --ua UA User-Agent to use in all fingerprinting requests
-a, --app-name APPLICATION The application to fingerprint. Currently supported: apache-icons, chamilo-lms, ckeditor, cms-made-simple, concrete5, django-cms, dnn-cms, drupal, fckeditor, joomla, liferay, magento-ce, mantisbt, mediaelement, moodle, phpmyadmin, prestashop, punbb, tinymce, umbraco, wordpress
-d, --db PATH-TO-DB Path to the db of the app-name
-u, --update Update the db of the app-name
--manual DIRECTORY-PATH To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
--version VERSION Used with --manual to set the version of the processed fingerprints
--update-all Update all the apps
--list-versions, --lv List all the known versions in the DB for the given app
--list-files, --lf VERSION List all files related to the version for the given app
--list-unique-fingerprints, --luf VERSION List the unique hashes related to the files for the supplied version of the app
--search-hash, --sh HASH Search the hash and output the app-name versions & file
--search-file, --sf FILE Search the file using a LIKE method (so % can be used, e.g: readme%) and output the app-name versions & hashes
--fingerprint URL Fingerprint the app-name at the given URL using all fingerprints
--unique-fingerprint, --uf URL Fingerprint the app-name at the given URL using unique fingerprints
--passive-fingerprint, --pf URL Passively fingerprint the URL
--db-verbose, --dbv Database Verbose Mode
-v, --verbose Verbose Mode