I've been reading books on Red Teaming and one of the differences that stands out from Pentesting is the need to be stealthy.  Pentesting tools are very noisy and in a mature, or maybe even not so mature, environment, running stock Kali tools might set off an alert and trigger a ban of some sort.

So I was thinking -- if I wanted to get the WordPress version from a site in a stealthy manner, how would I go about doing that?  Let's paint that picture a bit more -- I'm on a network with my Kali laptop, I don't have access to the Internet, and I found a web server running WordPress.  I want to make as little noise as possible.  As it turns out, I know that I can get the WordPress version from wp-links-opml.php and I'll do it with Python because using a browser is lame.  :)

Read more: Simple Python Scripts: CMS Version Retrieval

#!/usr/bin/python
# Python 2: fetch wp-links-opml.php and print the line carrying the
# WordPress "generator" attribute, which embeds the version string.
import urllib2

print "[*] Target URL format = http://www.mydomain.com"
host = raw_input("[*] Enter target URL: ")
path = '/wp-links-opml.php'
combined = host + path
url = urllib2.urlopen(combined)
print
print "fetching... " + combined
html = url.readlines()
for line in html:
    if 'generator' in line:
        print
        print line

#!/usr/bin/python
# Python 2: Drupal's CHANGELOG.txt opens with the release line, so only the
# first two lines are read and the one starting with "Drupal" is printed.
import urllib2
import sys
import re

print "[*] Target URL format = http://www.mydomain.com"
host = raw_input("[*] Enter target URL: ")
path = '/CHANGELOG.txt'
combined = host + path
print
print "fetching... " + combined
url = urllib2.urlopen(combined)
html = url.readlines()[:2]
for line in html:
    if re.match(r'Drupal', line):
        print
        sys.stdout.write(line)   # line already ends with a newline
print

I came across a web site running a current version of WordPress with the Simple Fields plugin installed.  Searching Exploit-DB, I found:

WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution

“This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.”

Read more: The Reality of Log Contamination

#!/usr/bin/python
# Python 2: Joomla's README.txt names the version near the top, so only the
# first ten lines are read and those containing "Joomla!" are printed.
import urllib2
import sys

print "[*] Target URL format = http://www.mydomain.com"
host = raw_input("[*] Enter target URL: ")
path = '/README.txt'
combined = host + path
url = urllib2.urlopen(combined)
print
print "fetching... " + combined
html = url.readlines()[:10]
for line in html:
    if 'Joomla!' in line:
        print
        sys.stdout.write(line)   # line already ends with a newline
print

The first time you find a page with a Local File Inclusion (LFI) vulnerability, it's like magic.  You feed your string in the browser:

http://192.168.150.150/vulnerable.php?page=../../../../../../../../etc/passwd%00

... it spits back the contents of /etc/passwd, you're excited, and you continue enumerating the system. 

Read more: Python: Automating Local File Inclusion (LFI)
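The other side of the "stealthy" question is what these requests look like in the web server's access log. The following is an added example, not code from any of the posts above: a Python 3 scan over constructed Apache combined-format log lines that flags fetches of the three version-disclosure files used by the scripts (wp-links-opml.php, CHANGELOG.txt, README.txt), requests whose parameters carry the traversal and null-byte pattern of the LFI string above, and any hit from urllib2's default User-Agent. The log lines, IPs and timestamps are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, reduced to the fields this scan uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Version-disclosure files fetched by the scripts above, keyed by the CMS each identifies.
FINGERPRINT_PATHS = {
    '/wp-links-opml.php': 'WordPress',
    '/CHANGELOG.txt': 'Drupal',
    '/README.txt': 'Joomla',
}

def classify_path(path):
    """Label one request path as a CMS fingerprint, an LFI probe, or None (benign)."""
    decoded = unquote(path)               # %2e%2e%2f and %00 become '../' and '\x00'
    base, _, query = decoded.partition('?')
    if base in FINGERPRINT_PATHS:
        return 'cms-fingerprint:' + FINGERPRINT_PATHS[base]
    # Traversal sequences or a null byte (used to truncate an appended extension) in a parameter.
    if '../' in query or '..\\' in query or '\x00' in query:
        return 'lfi-probe'
    return None

def scan_log(lines):
    """Return (ip, path, status, label) for every suspicious request in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in combined format; skip rather than guess
        label = classify_path(m.group('path'))
        if label is None and m.group('ua').startswith('Python-urllib'):
            label = 'scripted-client'     # urllib2's default User-Agent is itself a tell
        if label:
            findings.append((m.group('ip'), m.group('path'), m.group('status'), label))
    return findings

# Constructed sample lines: two fingerprint fetches (one 404, still a probe), a normal
# browser hit, and the LFI string from the post, all sent by a stock urllib2 client.
SAMPLE_LOG = [
    '192.168.150.20 - - [10/Oct/2013:13:55:36 -0700] "GET /wp-links-opml.php HTTP/1.1" 200 1843 "-" "Python-urllib/2.7"',
    '192.168.150.20 - - [10/Oct/2013:13:55:40 -0700] "GET /CHANGELOG.txt HTTP/1.1" 404 512 "-" "Python-urllib/2.7"',
    '192.168.150.31 - - [10/Oct/2013:13:56:02 -0700] "GET /index.php HTTP/1.1" 200 9211 "-" "Mozilla/5.0"',
    '192.168.150.20 - - [10/Oct/2013:13:57:10 -0700] "GET /vulnerable.php?page=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 2034 "-" "Python-urllib/2.7"',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Note that the 404 on CHANGELOG.txt is still reported: a probe for a file that does not exist is as informative to the defender as a hit, and the User-Agent alone gives the script away regardless of which path it asked for.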