WPScan基本使用
WPScan 简介
WPScan是Kali Linux默认自带的一款漏洞扫描工具,它采用Ruby编写,能够扫描WordPress网站中的多种安全漏洞,其中包括WordPress本身的漏洞、插件漏洞和主题漏洞,最新版本WPScan的数据库中包含超过18000种插件漏洞和2600种主题漏洞,并且支持最新版本的WordPress,值得注意的是,它不仅能够扫描类似robots.txt这样的敏感文件,而且还能够检测当前已启用的插件和其他功能- 该扫描器可以实现获取站点用户名,获取安装的所有插件、主题,以及存在漏洞的插件、主题,并提供漏洞信息,同时还可以实现对未加防护的
WordPress站点暴力激活成功教程用户名密码。
WPScan已经被预安装在以下Linux系统中:
- BackBox Linux
- Kali Linux
- Pentoo
- SamuraiWTF
- BlackArch
WPScan 参数
使用
wpscan -h可以查看各种参数以及定义
常用选项
- –update 更新到最新版本
- –url |
-u要扫描的WordPress站点
- –force |
-f不检查网站运行的是不是WordPress- –enumerate |
-e [option(s)]枚举
其他选项
- u 枚举用户名,默认从1-10
- u[10-20] 枚举用户名,配置从10-20
- p 枚举插件
- vp 只枚举有漏洞的插件
- ap 枚举所有插件,时间较长
- tt 列举缩略图相关的文件
- t 枚举主题信息
- vt 只枚举存在漏洞的主题
- at 枚举所有主题,时间较长
- 可以指定多个扫描选项,例:
"-e tt,p"- 如果没有指定选项,默认选项为:
"vt,tt,u,vp"- –exclude-content-based
"
"
- 当使用枚举选项时,可以使用该参数做一些过滤,基于正则或者字符串,可以不写正则分隔符,但要用单引号或双引号包裹
- –config-file |
-c
- –user-agent |
-a
- –cookie
- –random-agent |
-r使用随机User-Agent- –follow-redirection 如果目标包含一个重定向,则直接跟随跳转
- –batch 无需用户交互,都使用默认行为
- –no-color 不要采用彩色输出
- –wp-content-dir
- –wp-plugins-dir
- –proxy
<[protocol://]host:port设置一个代理,可以使用HTTP、SOCKS4、SOCKS4A、SOCKS5,如果未设置默认是HTTP协议>- –proxy-auth
- –basic-auth
- –wordlist |
-w
- –username |
-U
- –usernames
- –threads | -t
- –cache-ttl
- –request-timeout
- –connect-timeout
- –max-threads
- –throttle
- –help |
-h输出帮助信息- –verbose |
-v输出Verbose- –version 输出当前版本
WPScan 扫描指定站点
- 它会扫描给定的WordPress站点的一些信息,并且列出可能是漏洞的地方,注意这里wpscan判断是否有漏洞,是根据wordpress的版本判定的,只要你的版本低于存在漏洞的版本,那么它就认为存在漏洞,所以,这个没有太多的参考性
- 扫描的结果会显示站点的插件信息、主题信息、用户信息等
wpscan --url [wordpress url] 例如:
wpscan --url http://192.168.56.103/wordpress
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug 5 11:20:00 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.7 (Ubuntu)
| - X-Powered-By: PHP/5.5.9-1ubuntu4.22
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.103/wordpress/?feed=rss2,
https://wordpress.org/?v=4.8.1
| - http://192.168.56.103/wordpress/?feed=comments-rss2,
https://wordpress.org/?v=4.8.1
[+] WordPress theme in use: twentyfifteen | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt | [!] The version is out of date, the latest version is 3.0 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1 | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen/ | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.8 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8' [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00 [i] No Config Backups Found. [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Thu Aug 5 11:20:03 2021 [+] Requests Done: 139 [+] Cached Requests: 36 [+] Data Sent: 37.797 KB [+] Data Received: 19.845 KB [+] Memory used: 211.109 MB [+] Elapsed time: 00:00:02 WPScan 扫描指定用户
wpscan --url https://www.xxxxxxx.wiki/ --enumerate u WPScan 扫描插件漏洞
- 插件可以扩展WordPress站点的功能,但很多插件中都存在安全漏洞,而这也会给攻击者提供可乘之机
- 可以使用下列命令扫描WordPress站点中安装的插件:
wpscan --url https://www.xxxxx.wiki/ --enumerate p //备注:--url与-u参数相同,下面雷同 可以使用下列命令来扫描目标插件中的安全漏洞:
wpscan --url https://www.xxxxx.wiki/ --enumerate vp WPScan 扫描主题漏洞
使用下列命令对主题进行扫描:
wpscan --url https://www.xxxxx.wiki --enumerate t 例如:
wpscan --url http://192.168.56.103/wordpress --enumerate t
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress --enumerate t 1 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug 5 11:21:49 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.7 (Ubuntu)
| - X-Powered-By: PHP/5.5.9-1ubuntu4.22
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.103/wordpress/?feed=rss2,
https://wordpress.org/?v=4.8.1
| - http://192.168.56.103/wordpress/?feed=comments-rss2,
https://wordpress.org/?v=4.8.1
[+] WordPress theme in use: twentyfifteen | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt | [!] The version is out of date, the latest version is 3.0 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1 | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen/ | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.8 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8' [+] Enumerating Most Popular Themes (via Passive and Aggressive Methods) Checking Known Locations - Time: 00:00:00 <============================================================================================================================================================> (400 / 400) 100.00% Time: 00:00:00 [+] Checking Theme Versions (via Passive and Aggressive Methods) [i] Theme(s) Identified: [+] twentyfifteen | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt | [!] The version is out of date, the latest version is 3.0 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen/ | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Known Locations (Aggressive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/, status: 500 | | Version: 1.8 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8' [+] twentyseventeen | Location: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 2.8 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Known Locations (Aggressive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/, status: 500 | | Version: 1.3 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3' [+] twentysixteen | Location: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/ | Last Updated: 2021-07-22T00:00:00.000Z | Readme: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/readme.txt | [!] The version is out of date, the latest version is 2.5 | Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css | Style Name: Twenty Sixteen | Style URI: https://wordpress.org/themes/twentysixteen/ | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Known Locations (Aggressive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/, status: 500 | | Version: 1.3 (80% confidence) | Found By: Style (Passive Detection) | - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3' [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Thu Aug 5 11:21:50 2021 [+] Requests Done: 411 [+] Cached Requests: 46 [+] Data Sent: 116.627 KB [+] Data Received: 206.266 KB [+] Memory used: 167.32 MB [+] Elapsed time: 00:00:01 使用下列命令扫描主题中存在的漏洞:
wpscan --url https://www.xxxxxx.wiki --enumerate vt WPScan 更新数据漏洞库
wpscan --update WPScan 暴力激活成功教程得到密码
在暴力激活成功教程之前,需要提供一个字典文件
wpscan --url https://www.xxxxx.wiki/ -e u --wordlist 字典文件路径 WPScan TimThumbs文件漏洞扫描
wpscan -u https://www.xxxxxx.wiki/ -enumerate tt WordPress 防护措施
关于密码爆出防护措施
- 如果你想要避免WordPress用户列表被列举,不要把用户名作为昵称,并且不要使用已经被大众知道的用户名,最好的方式是选择一个包含随机字符的名字做用户名并且使用其他名字作为昵称,WPScan扫描URL来获取用户名,所以如果你不使用这个用户名,你肯定不会被WPScan搜索到
- 防止暴力激活成功教程的最好方式是限制一个IP地址的尝试登录次数,WordPress有很多插件可以实现这个功能,列如有一个插件叫
Brute Force Login Protection(当然你也可以写一个脚本防止爆出个人密码)
如何防范扫描插件、主题、TimThumb文件
- 使用
Block Bad Queries (BBQ)插件,就可以屏蔽和禁止这类扫描
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请联系我们举报,一经查实,本站将立刻删除。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/206269.html原文链接:https://javaforall.net
