WPScan扫描WordPress漏洞

一、什么是Wpscan?什么是Wordpres?

1.Wpscan

WPScan是一个扫描WordPress漏洞的黑盒子扫描器,可以扫描出wordpress的版本,主题,插件,后台用户以及爆破后台用户密码等。

2.Wordpress

WordPress是一种使用PHP语言和MySQL数据库开发的博客平台,用户可以在支持PHP和MySQL数据库的服务器上架设属于自己的网站。也可以把 WordPress当作一个内容管理系统(CMS)来使用。WordPress有许多第三方开发的免费模板,安装方式简单易用。

二、Wordpress系统的搭建

1.下载Wordpress

TURNKEYLINUX是linux一站式软件站,在浏览器地址栏输入 https://www.turnkeylinux.org/   访问官网下载Wordpress

2.Wordpress的安装配置

详细安装配置教程

https://www.cnblogs.com/WangYiqiang/p/9560325.html

注意:在虚拟机中安装Wordpress前需配置好虚拟机网络等设置

 

WordPress配置好后如图所示

该界面显示了Wordpress应用服务的详细信息,如Web地址,Webshell地址,Webmin地址,PHPMyAdmin的地址和端口号以及SSH/SFTP地址和端口号。

出现此界面表明WordPress Turnkey Linux 搭建完成,可以使用。

三、使用Wpscsn对WordPress进行漏洞扫描

1.利用 “wpscan -h”命令,可查看Wpscan的版本,常用选项,功能介绍,例程等;

[email protected]:~# wpscan -h
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.1 //Wpscan版本信息
Sponsored by Sucuri – https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

Help :

Some values are settable in a config file, see the example.conf.json

–update Update the database to the latest version.
#更新命令 命令“[email protected]:~# wpscan –update”
–url | -u <target url> The WordPress URL/domain to scan.
#指定URL/域进行扫描 命令“[email protected]:~# wpscan –url 地址”或“[email protected]:~# wpscan -u 地址”
–force | -f Forces WPScan to not check if the remote site is running WordPress.
#强制Wpscan不检查远程正在运行WordPress的主机
–enumerate | –
option :
u usernames from id 1 to 10
#默认用户1-用户10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
#默认用户10-20([]中字符必须写)
p plugins

#插件程序
vp only vulnerable plugins

#仅漏洞插件程序
ap all plugins (can take a long time)
#所有插件程序(耗时比较长)
tt timthumbs

#小号
t themes#主题
vt only vulnerable themes

#仅漏洞主题
at all themes (can take a long time)

#所有主题
Multiple values are allowed : “-e tt,p” will enumerate timthumbs and plugi

#多值参数
If no option is supplied, the default is “vt,tt,u,vp”
无参默认
–exclude-content-based “<regexp or string>”
Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
–config-file | -c <config file> Use the specified config file, see the example.conf.json.
配置文佳
–user-agent | -a <User-Agent> Use the specified User-Agent.
指定用户代理
–cookie <String> String to read cookies from.
cookie字符串读取
–random-agent | -r Use a random User-Agent.
代理
–follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
跟踪重定向目标网址
–batch Never ask for user input, use the default behaviour.
不请求用户输入使用默认
–no-color Do not use colors in the output.
不在输出中使用颜色
–wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.
Subdirectories are allowed.
WPScan尝试通过扫描索引页面来查找内容目录(即wp-content),但是您可以指定它。允许使用子目录。
–wp-plugins-dir <wp plugins dir> Same thing than –wp-content-dir but for the plugins directory.
If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
ame比–wp-content-dir但是对于plugins目录。 如果没有提供,WPScan将使用wp-content-dir / plugins。 允许子目录
–proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.
If no protocol is given (format host:port), HTTP will be used.
–proxy-auth <username:password> Supply the proxy login credentials.
提供代理登陆凭证
–basic-auth <username:password> Set the HTTP Basic authentication.

设置HTTP基本认证
–wordlist | -w <wordlist> Supply a wordlist for the password brute forcer.
为暴力密码破解指定密码字典
–username | -U <username> Only brute force the supplied username.
指定暴力破解用户
–usernames <path-to-file> Only brute force the usernames from the file.
仅从密码字典中暴力破解用户名
–threads | -t <number of threads> The number of threads to use when multi-threading requests.
多线程指定线程数
–cache-ttl <cache-ttl> Typhoeus cache TTL.
–request-timeout <request-timeout> Request Timeout.
请求时间间隔
–connect-timeout <connect-timeout> Connect Timeout.
连接时间间隔
–max-threads <max-threads> Maximum Threads.
最大线程数
–throttle <milliseconds> Milliseconds to wait before doing another web request. If used, the –threads should be set to 1.
在执行另一个Web请求之前等待的毫秒数。 如果使用,则–threads应设置为1。
–help | -h This help screen.
–verbose | -v Verbose output.
–version Output the current version and exit.

Examples :
帮助
-Further help …
ruby ./wpscan.rb –help
做“非侵入性”检查
-Do ‘non-intrusive’ checks …
ruby ./wpscan.rb –url www.example.com
使用50个线程对枚举的用户做单词列表密码蛮力…
-Do wordlist password brute force on enumerated users using 50 threads …
ruby ./wpscan.rb –url www.example.com –wordlist darkc0de.lst –threads 50
做单词表密码蛮力上的“管理员”用户名只…
-Do wordlist password brute force on the ‘admin’ username only …
ruby ./wpscan.rb –url www.example.com –wordlist darkc0de.lst –username admin
枚举安装的插件…
-Enumerate installed plugins …
ruby ./wpscan.rb –url www.example.com –enumerate p
枚举安装的主题
-Enumerate installed themes …
ruby ./wpscan.rb –url www.example.com –enumerate t
枚举用户
-Enumerate users …
ruby ./wpscan.rb –url www.example.com –enumerate u
枚举安装的TimTrBBS
-Enumerate installed timthumbs …
ruby ./wpscan.rb –url www.example.com –enumerate tt
使用HTTP代理
-Use a HTTP proxy …
ruby ./wpscan.rb –url www.example.com –proxy 127.0.0.1:8118
使用SoCKS5代理
-Use a SOCKS5 proxy … (cURL >= v7.21.7 needed)
ruby ./wpscan.rb –url www.example.com –proxy socks5://127.0.0.1:9000
使用自定义内容目录
-Use custom content directory …
ruby ./wpscan.rb -u www.example.com –wp-content-dir custom-content
使用自定义插件目录
-Use custom plugins directory …
ruby ./wpscan.rb -u www.example.com –wp-plugins-dir wp-content/custom-plugins
更新数据库
-Update the DB …
ruby ./wpscan.rb –update
调试输出
-Debug output …
ruby ./wpscan.rb –url www.example.com –debug-output 2>debug.log

See README for further information.

 2.对配置好的靶机进行扫描

wpscan -u 192.168.64.138 /wpscan --url 192.168.64.138
命令详解:对目标地址进行扫描

[email protected]:~# wpscan -u 192.168.64.138
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri – https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.64.138/
[+] Started: Fri Aug 17 23:20:05 2018

[!] The WordPress ‘http://192.168.64.138/readme.html’ file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel=”https://api.w.org/”
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php

[+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
[!] 25 vulnerabilities identified from the version number

[!] Title: WordPress 2.3-4.8.3 – Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

[!] Title: WordPress 2.7.0-4.7.4 – Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 – Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.7.5

对具有漏洞的脚本进行扫描····

[+] Finished: Fri Aug 17 23:20:10 2018
[+] Requests Done: 50
[+] Memory used: 50.062 MB 使用内存
[+] Elapsed time: 00:00:04 耗时

3.通过漏洞插件扫描用户
wpscan -u 192.168.64.138 -e u vp
命令详解 -e使用枚举方式  u 扫描ID1-ID10   vp扫描漏洞插件

[email protected]:~# wpscan -u 192.168.64.138 -e u vp
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri – https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.64.138/
[+] Started: Fri Aug 17 23:30:12 2018

[!] The WordPress ‘http://192.168.64.138/readme.html’ file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel=”https://api.w.org/”
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php

[+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
[!] 25 vulnerabilities identified from the version number

[!] Title: WordPress 2.3-4.8.3 – Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

[!] Title: WordPress 2.7.0-4.7.4 – Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 – Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.7.5

[+] Enumerating usernames …
[+] Identified the following 1 user/s:
+—-+——-+—————–+
| Id | Login | Name |
+—-+——-+—————–+
| 1 | admin | admin – TurnKey |
+—-+——-+—————–+
[!] Default first WordPress username ‘admin’ is still used

[+] Finished: Fri Aug 17 23:30:17 2018
[+] Requests Done: 64
[+] Memory used: 52.52 MB
[+] Elapsed time: 00:00:04

3.使用密码字典对用户进行爆破

wpscan -u 192.168.64.138 -e u –wordlist /root/wordlist.txt

命令详解: -e枚举方式 u 用户ID1-ID10  –wordlist使用指定字典进行密码爆破 /root/wordlist.txt 字典路径及字典文件  wordlist.txt字典文件需自己准备或使用kali自带字典

[email protected]:~# wpscan -u 192.168.64.138 -e u –wordlist /root/wordlist.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri – https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.64.138/
[+] Started: Fri Aug 17 23:37:59 2018

[!] The WordPress ‘http://192.168.64.138/readme.html’ file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel=”https://api.w.org/”
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php

[+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
[!] 25 vulnerabilities identified from the version number

[!] Title: WordPress 2.3-4.8.3 – Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

[!] Title: WordPress 2.7.0-4.7.4 – Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5
[!] Title: WP Super Cache <= 1.4.4 – PHP Object Injection
Reference: https://wpvulndb.com/vulnerabilities/8198
Reference: http://z9.io/2015/09/25/wp-super-cache-1-4-5/
[i] Fixed in: 1.4.5

[+] Enumerating usernames …
[+] Identified the following 1 user/s:
+—-+——-+—————–+
| Id | Login | Name |
+—-+——-+—————–+
| 1 | admin | admin – TurnKey |
+—-+——-+—————–+
[!] Default first WordPress username ‘admin’ is still used
[+] Starting the password brute forcer
[+] [SUCCESS] Login : admin Password : Root********

Brute Forcing ‘admin’ Time: 00:00:00 <===== > (2 / 3) 66.66% ETA: 00:00:00
+—-+——-+—————–+——————+
| Id | Login | Name | Password |
+—-+——-+—————–+——————+
| 1 | admin | admin – TurnKey | Root********* |
+—-+——-+—————–+——————+

[+] Finished: Fri Aug 17 23:38:06 2018
[+] Requests Done: 72
[+] Memory used: 53.016 MB
[+] Elapsed time: 00:00:06

4.其他常用命令

wpscan -u 192.168.64.138 -e u –wordlist /root/wordlist.txt -t 50

-e枚举方式 u 用户ID1-ID10  –wordlist使用指定字典进行密码爆破 /root/wordlist.txt 字典路径及字典文件  wordlist.txt字典文件需自己准备或使用kali自带字典  -t 指定50个线程数

严正声明:本站只出售html页面效果模板,不提供任何类型的网站内容数据,模板仅供学习交流使用,不得用于任何商业以及触犯国家法律法规的用途,违者需自行承担全部责任,与本站无以及模板设计作者无关,本站以及模板作者不承担任何连带责任!!!!
关爱邦 | 网站源码程序下载_免费商业源码分享! » WPScan扫描WordPress漏洞

发表评论

提供最优质的资源集合

立即查看 了解详情