WPScan基本使用

Posted 2021-09-01 H3rmesk1t

WPScan基本使用

• WPScan 简介
• WPScan 参数
• WPScan 扫描指定站点
• WPScan 扫描指定用户
• WPScan 扫描插件漏洞
• WPScan 扫描主题漏洞
• WPScan 更新数据漏洞库
• WPScan 暴力破解得到密码
• WPScan TimThumbs文件漏洞扫描
• WordPress 防护措施

WPScan 简介

• WPScan是Kali Linux默认自带的一款漏洞扫描工具，它采用Ruby编写，能够扫描WordPress网站中的多种安全漏洞，其中包括WordPress本身的漏洞、插件漏洞和主题漏洞，最新版本WPScan的数据库中包含超过18000种插件漏洞和2600种主题漏洞，并且支持最新版本的WordPress，值得注意的是，它不仅能够扫描类似robots.txt这样的敏感文件，而且还能够检测当前已启用的插件和其他功能
• 该扫描器可以实现获取站点用户名，获取安装的所有插件、主题，以及存在漏洞的插件、主题，并提供漏洞信息，同时还可以实现对未加防护的Wordpress站点暴力破解用户名密码。

WPScan已经被预安装在以下Linux系统中：

• BackBox Linux
• Kali Linux
• Pentoo
• SamuraiWTF
• BlackArch

WPScan 参数

使用wpscan -h可以查看各种参数以及定义

常用选项

• –update 更新到最新版本
• –url | -u <target url> 要扫描的WordPress站点
• –force | -f 不检查网站运行的是不是WordPress
• –enumerate | -e [option(s)] 枚举

其他选项

• u 枚举用户名，默认从1-10
• u[10-20] 枚举用户名，配置从10-20
• p 枚举插件
• vp 只枚举有漏洞的插件
• ap 枚举所有插件，时间较长
• tt 列举缩略图相关的文件
• t 枚举主题信息
• vt 只枚举存在漏洞的主题
• at 枚举所有主题，时间较长
• 可以指定多个扫描选项，例："-e tt,p"
• 如果没有指定选项，默认选项为："vt,tt,u,vp"
• –exclude-content-based "<regexp or string>"
• 当使用枚举选项时，可以使用该参数做一些过滤，基于正则或者字符串，可以不写正则分隔符，但要用单引号或双引号包裹
• –config-file | -c <config file使用指定的配置文件>
• –user-agent | -a <User-Agent指定User-Agent>
• –cookie <String指定cookie>
• –random-agent | -r 使用随机User-Agent
• –follow-redirection 如果目标包含一个重定向，则直接跟随跳转
• –batch 无需用户交互，都使用默认行为
• –no-color 不要采用彩色输出
• –wp-content-dir <wp content dirWPScan会去发现wp-content目录，用户可手动指定>
• –wp-plugins-dir <wp plugins dir指定wp插件目录，默认是wp-content/plugins>
• –proxy <[protocol://]host:port设置一个代理，可以使用HTTP、SOCKS4、SOCKS4A、SOCKS5，如果未设置默认是HTTP协议>
• –proxy-auth <username:password设置代理登陆信息>
• –basic-auth <username:password设置基础认证信息>
• –wordlist | -w <wordlist指定密码字典>
• –username | -U <username指定爆破的用户名>
• –usernames <path-to-file指定爆破用户名字典>
• –threads | -t <number of threads指定多线程>
• –cache-ttl <cache-ttl设置 cache TTL>
• –request-timeout <request-timeout请求超时时间>
• –connect-timeout <connect-timeout连接超时时间>
• –max-threads <max-threads最大线程数>
• –throttle <milliseconds当线程数设置为1时，设置两个请求之间的间隔>
• –help | -h 输出帮助信息
• –verbose | -v 输出Verbose
• –version 输出当前版本

WPScan 扫描指定站点

• 它会扫描给定的WordPress站点的一些信息，并且列出可能是漏洞的地方，注意这里wpscan判断是否有漏洞，是根据wordpress的版本判定的，只要你的版本低于存在漏洞的版本，那么它就认为存在漏洞，所以，这个没有太多的参考性
• 扫描的结果会显示站点的插件信息、主题信息、用户信息等

wpscan --url [wordpress url]

例如：wpscan --url http://192.168.56.103/wordpress

┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress
_______________________________________________________________
         __          _______   _____
         \\ \\        / /  __ \\ / ____|
          \\ \\  /\\  / /| |__) | (___   ___  __ _ _ __ ®
           \\ \\/  \\/ / |  ___/ \\___ \\ / __|/ _` | '_ \\
            \\  /\\  /  | |     ____) | (__| (_| | | | |
             \\/  \\/   |_|    |_____/ \\___|\\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug  5 11:20:00 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: php/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.103/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.1</generator>
 |  - http://192.168.56.103/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.1</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Aug  5 11:20:03 2021
[+] Requests Done: 139
[+] Cached Requests: 36
[+] Data Sent: 37.797 KB
[+] Data Received: 19.845 KB
[+] Memory used: 211.109 MB
[+] Elapsed time: 00:00:02

WPScan 扫描指定用户

wpscan --url https://www.xxxxxxx.wiki/ --enumerate u

WPScan 扫描插件漏洞

• 插件可以扩展WordPress站点的功能，但很多插件中都存在安全漏洞，而这也会给攻击者提供可乘之机
• 可以使用下列命令扫描WordPress站点中安装的插件：

wpscan --url https://www.xxxxx.wiki/ --enumerate p
//备注：--url与-u参数相同，下面雷同

可以使用下列命令来扫描目标插件中的安全漏洞：

wpscan --url https://www.xxxxx.wiki/ --enumerate vp

WPScan 扫描主题漏洞

使用下列命令对主题进行扫描：

wpscan --url https://www.xxxxx.wiki --enumerate t

例如：wpscan --url http://192.168.56.103/wordpress --enumerate t

┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress --enumerate t                                                                                                                                                                          1 ⨯
_______________________________________________________________
         __          _______   _____
         \\ \\        / /  __ \\ / ____|
          \\ \\  /\\  / /| |__) | (___   ___  __ _ _ __ ®
           \\ \\/  \\/ / |  ___/ \\___ \\ / __|/ _` | '_ \\
            \\  /\\  /  | |     ____) | (__| (_| | | | |
             \\/  \\/   |_|    |_____/ \\___|\\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug  5 11:21:49 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.103/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.1</generator>
 |  - http://192.168.56.103/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.1</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8'

[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:00 <============================================================================================================================================================> (400 / 400) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'

[+] twentyseventeen
 | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'

[+] twentysixteen
 | Location: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Aug  5 11:21:50 2021
[+] Requests Done: 411
[+] Cached Requests: 46
[+] Data Sent: 116.627 KB
[+] Data Received: 206.266 KB
[+] Memory used: 167.32 MB
[+] Elapsed time: 00:00:01               

使用下列命令扫描主题中存在的漏洞：

wpscan --url https://www.xxxxxx.wiki --enumerate vt

WPScan 更新数据漏洞库

wpscan --update

WPScan 暴力破解得到密码

在暴力破解之前，需要提供一个字典文件

wpscan --url  https://www.xxxxx.wiki/  -e  u --wordlist 字典文件路径

WPScan TimThumbs文件漏洞扫描

wpscan -u https://www.xxxxxx.wiki/ -enumerate tt

WordPress 防护措施

关于密码爆出防护措施

• 如果你想要避免WordPress用户列表被列举，不要把用户名作为昵称，并且不要使用已经被大众知道的用户名，最好的方式是选择一个包含随机字符的名字做用户名并且使用其他名字作为昵称，WPScan扫描URL来获取用户名，所以如果你不使用这个用户名，你肯定不会被WPScan搜索到
• 防止暴力破解的最好方式是限制一个IP地址的尝试登录次数，WordPress有很多插件可以实现这个功能，列如有一个插件叫Brute Force Login Protection(当然你也可以写一个脚本防止爆出个人密码)

如何防范扫描插件、主题、TimThumb文件

• 使用Block Bad Queries (BBQ)插件，就可以屏蔽和禁止这类扫描