Archive for the 'News' Category

wp-scanner online released

I released an online version of my WordPress vulnerability scanner. It's still in its initial stages; I will work on risk highlighting, discussion and recommendations shortly.

Go give your blog a test, details here. Feedback most welcome and encouraged.

WordPress Vulnerability Scanner

Just a quick note: A new version of my wp-scanner is available.

Check it out at BlogSecurity.

The command line version is no longer supported but is available here by request.

$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins

[*] Initial WordPress Enumeration
[*] Finding WordPress Major Version
[*] Testing WordPress Template for XSS

WordPress Basic Results

        wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
        wp-links-opml.php =>    Version Leak: WordPress 2.1.3
        wp-major-ver => Version 2.1
        wp-rdf.php =>   Version Leak: WordPress 2.1.3
        wp-rss.php =>   Version Leak: WordPress 2.1.3
        wp-rss2.php =>  Version Leak: WordPress 2.1.3
        wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
        wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
        wp-title => Test Blog
        wp-version =>   WordPress 2.1.3
        x-Pingback =>   http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found

        wp-plugins[0]    => Akismet
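
The checks behind that output, written as an added example (Python, not the Perl source of wp-scanner): the generator strings WordPress 2.1 put in its RSS/RDF/OPML feeds and in the page head, the Server and X-Pingback headers, the theme stylesheet path, and directory probes for plugins. It runs offline against constructed HTTP responses, so the target URL, the response bodies, the plugin names tried and the rule that a non-404 answer for `wp-content/plugins/<name>/` means the plugin is installed are all assumptions made for the example.

```python
"""Fingerprint a WordPress install from HTTP responses (added example).

This is not the wp-scanner code. It reproduces the kind of checks the
sample output above shows, using constructed responses so it runs offline.
"""
import re

BASE = "http://testblog/wordpress/"  # assumed target, mirrors the sample run

# Constructed responses keyed by path relative to BASE: (status, headers, body).
# Invented for this example; nothing here was captured from a real site.
SITE = {
    "": (200,
         {"Server": "Apache/1.3.34 (Unix) PHP/4.4.4",
          "X-Pingback": BASE + "xmlrpc.php"},
         '<html><head><title>Test Blog</title>\n'
         '<meta name="generator" content="WordPress 2.1.3" />\n'
         '<link rel="stylesheet" href="http://testblog/wordpress/'
         'wp-content/themes/time1-theme-10/style.css" type="text/css" />\n'
         '</head><body></body></html>'),
    "wp-rss2.php": (200, {}, '<rss><channel>'
                    '<generator>http://wordpress.org/?v=2.1.3</generator>'
                    '</channel></rss>'),
    "wp-rdf.php": (200, {}, '<rdf:RDF><channel><admin:generatorAgent '
                   'rdf:resource="http://wordpress.org/?v=2.1.3" />'
                   '</channel></rdf:RDF>'),
    "wp-links-opml.php": (200, {}, '<opml><head><title>Links</title></head>'
                          '<!-- generator="wordpress/2.1.3" --></opml>'),
    # Plugin directory probe: present dir answers 403 (listing denied); absent is 404.
    "wp-content/plugins/akismet/": (403, {}, "Forbidden"),
}

# Feed/export scripts that leaked the full version in WordPress 2.1 (from the sample run).
FEEDS = ["wp-rss.php", "wp-rss2.php", "wp-rdf.php",
         "wp-commentsrss2.php", "wp-links-opml.php"]

# Matches "WordPress 2.1.3", "wordpress/2.1.3" and "wordpress.org/?v=2.1.3".
VERSION_RE = re.compile(r"(?:wordpress\.org/\?v=|wordpress[ /])(\d+(?:\.\d+)+)", re.I)
STYLE_RE = re.compile(r'<link[^>]*rel="stylesheet"[^>]*href="([^"]+)"', re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def fetch(path):
    """Stand-in for an HTTP GET: look the path up in SITE, 404 if absent."""
    return SITE.get(path, (404, {}, ""))


def version_leaks():
    """Map each reachable feed script to the version string it discloses."""
    leaks = {}
    for path in FEEDS:
        status, _, body = fetch(path)
        m = VERSION_RE.search(body) if status == 200 else None
        if m:
            leaks[path] = "WordPress " + m.group(1)
    return leaks


def major_version(version):
    """'WordPress 2.1.3' -> '2.1' (the branch the advisories are keyed on)."""
    if not version:
        return ""
    return ".".join(version.split()[-1].split(".")[:2])


def plugins_found(candidates):
    """Probe wp-content/plugins/<name>/; anything but 404 means the dir exists."""
    return [name for name in candidates
            if fetch(f"wp-content/plugins/{name}/")[0] != 404]


def scan():
    """Collect the same fields the sample wp-scanner output reports."""
    _, headers, html = fetch("")
    results = {
        "wp-server": headers.get("Server", ""),
        "x-Pingback": headers.get("X-Pingback", ""),
        "wp-title": (TITLE_RE.search(html).group(1).strip()
                     if TITLE_RE.search(html) else ""),
        "wp-style-dir": STYLE_RE.search(html).group(1) if STYLE_RE.search(html) else "",
        "leaks": version_leaks(),
    }
    m = VERSION_RE.search(html)  # meta generator on the front page, else first feed leak
    results["wp-version"] = ("WordPress " + m.group(1)) if m \
        else next(iter(results["leaks"].values()), "")
    results["wp-major-ver"] = major_version(results["wp-version"])
    results["wp-plugins"] = plugins_found(["akismet", "hello", "wp-cache"])  # assumed wordlist
    return results


if __name__ == "__main__":
    r = scan()
    for path in sorted(r["leaks"]):
        print(f"\t{path} =>\tVersion Leak: {r['leaks'][path]}")
    for key in ("wp-major-ver", "wp-server", "wp-style-dir", "wp-title",
                "wp-version", "x-Pingback"):
        print(f"\t{key} =>\t{r[key]}")
    for i, name in enumerate(r["wp-plugins"]):
        print(f"\twp-plugins[{i}]\t=> {name}")
```

Against a live site the `fetch` stand-in would be replaced with a real GET, and the plugin wordlist is where the scanner's coverage actually comes from; the version regex is deliberately loose because each feed script formats the generator string differently.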

MD Hacker Anthology Starts Today

The June 2007 Hacker Anthology Competition kicks off today!

Submissions are now being accepted. Good luck.

Web Backdoors Getting Better

pentestmonkey sent me a link to his latest projects, “php-reverse-shell” and “perl-reverse-shell”. He has some great ideas here and I will definitely be taking a look at these projects, and hope to add them to the Web Backdoor Compilation in an upcoming release.

There is still a lot of work that needs to be done in this area, especially with regards to a standard feature set. I definitely think we are moving in the right direction.

Nice work pentestmonkey.

Michael Daw Anthology

michaeldaw.org is pleased to announce the first “Michael Daw Anthology” award.

For those of you curious, an anthology is a collection of published works. The original idea behind the michaeldaw.org website was to build stories upon a fictional hacking icon named Michael Daw, as well as to host other security related material. As a close friend pointed out to me, the name is very relevant “when pondered upon”. Some believe that the archangel Michael holds the keys to the doors of Heaven.

Use cutting-edge security wizardry, use sci-fi… write a hacking story centered around Michael Daw and be 1 of 6 to stand the chance of winning.

The full details of the competition will be provided soon. We are currently seeking sponsors to donate towards the winnings. For more information please contact us.

They say there is a story in each of us…
