A complete WPScan tutorial: recording a WordPress penetration test
A rookie just getting started, here to chat and learn.
Personal blog: http://www.cnblogs.com/miraitowa/
This post simply records my own WPScan penetration test case and some ways of using WPScan. I hope you will correct me where I am wrong (Orz).
1: What is WPScan
WPScan is a black-box scanner for WordPress vulnerabilities. It lets web developers scan their WordPress sites for vulnerabilities and find and fix problems before they become a real issue.
Nikto, an excellent web server assessment tool, is also used alongside it; we think this tool should be part of every penetration test of a WordPress site.
As one of the three major site-building platforms, WordPress has a huge number of users worldwide, which also leads white hats to track WordPress security vulnerabilities closely. Many vulnerabilities have been found since WordPress was born. WordPress can also be extended with plugins and themes, so when it became hard to find security problems in WordPress itself, security researchers began to study the security of its plugins and themes, and to compromise WordPress sites through plugin and theme vulnerabilities. WPScan came into being to collect the various WordPress vulnerabilities and form a dedicated WordPress scanner.
The scanner can obtain the site's usernames, list all installed plugins and themes as well as the vulnerable ones, and provide vulnerability information. It can also brute-force the usernames and passwords of unprotected WordPress sites.
WPScan has been preinstalled on the following Linux systems:
1: BackBox Linux
2: Kali Linux
3: Pentoo
4: SamuraiWTF
5: BlackArch
2: WPScan installation and prerequisites
WPScan does not support Windows, so the latest version of WPScan is obtained on Linux or macOS:
Install on Ubuntu:
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
Install on Debian:
sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
Install on Fedora:
sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
Install on Arch Linux:
pacman -Syu ruby
pacman -Syu libyaml
Install on macOS:
Apple Xcode, the command line tools and libffi (needed to install the FFI gem) are required; see the WPScan project's own installation instructions for the detailed steps.
Common parameter options:
--update                              Update to the latest version
--url | -u <target url>               Scan the WordPress site at this URL
--force | -f                          Do not check whether the site is running WordPress
--enumerate | -e [option(s)]          Enumeration; the options are:
    u          Enumerate usernames (user IDs 1-10 by default)
    u[10-20]   Enumerate usernames for user IDs 10-20
    p          Enumerate plugins
    vp         Enumerate only vulnerable plugins
    ap         Enumerate all plugins (takes a long time)
    tt         Enumerate TimThumb (thumbnail) files
    t          Enumerate themes
    vt         Enumerate only vulnerable themes
    at         Enumerate all themes (takes a long time)
    Several options can be combined, for example "-e tt,p". If no option is given, the default is "vt,tt,u,vp".
--exclude-content-based "<regexp or string>"  Filter the enumeration results by a regular expression or string; the regex delimiters can be omitted, but wrap the pattern in single or double quotes
--config-file | -c <config file>      Use the specified configuration file
--user-agent | -a <User-Agent>        Specify the User-Agent
--cookie <String>                     Specify a cookie
--random-agent | -r                   Use a random User-Agent
--follow-redirection                  If the target redirects, follow the redirect directly
--batch                               Use the default behaviour without any user interaction
--no-color                            Do not use coloured output
--wp-content-dir <wp content dir>     WPScan locates the wp-content directory itself; it can be specified manually here
--wp-plugins-dir <wp plugins dir>     Specify the WordPress plugin directory (default: wp-content/plugins)
--proxy <[protocol://]host:port>      Set a proxy; HTTP, SOCKS4, SOCKS4A and SOCKS5 are supported. If no protocol is given, HTTP is assumed
--proxy-auth <username:password>      Set the proxy login credentials
--basic-auth <username:password>      Set HTTP basic authentication credentials
--wordlist | -w <wordlist>            Specify the password dictionary
--username | -U <username>            Specify the username to test
--usernames <path-to-file>            Specify a username dictionary
--threads | -t <number of threads>    Specify the number of threads
--cache-ttl <cache-ttl>               Set the cache TTL
--request-timeout <request-timeout>   Request timeout
--connect-timeout <connect-timeout>   Connection timeout
--max-threads <max-threads>           Maximum number of threads
--throttle <milliseconds>             When the number of threads is 1, the interval between two requests
--help | -h                           Print the help text
--verbose | -v                        Verbose output
--version                             Print the current version
3: Site penetration demonstration
Environment preparation:
Kali Linux
Debian 9
WPScan (installed on Linux)
Penetration process
1: Install WPScan and update the vulnerability database
WPScan can be installed on your machine with the following command:
git clone https://github.com/wpscanteam/wpscan.git
To update the vulnerability database, run: wpscan --update
2: Scan WordPress for vulnerabilities
Next, use the following command to scan the target site for possible vulnerabilities:
wpscan --url [wordpress url]
Here I just use the site of someone I don't know as the example target (it's actually my friend's, hhh)
wpscan --url https://www.xxxxx.wiki/
3: Scan WordPress users
We can enumerate the site's users:
wpscan --url https://www.xxxxxxx.wiki/ --enumerate u
The user information obtained:
4: Brute-force the password
Before brute-forcing, we need to prepare the corresponding dictionary file:
wpscan --url https://www.xxxxx.wiki/ -e u --wordlist /root/desktop/password.txt
The result is as follows:
5: Scan for plugin vulnerabilities
Plugins extend the functionality of a WordPress site, but many plugins have security vulnerabilities, which also give attackers opportunities.
We can list the plugins installed on the WordPress site with the following command:
wpscan -u https://www.xxxxx.wiki/ --enumerate p
We can see that the Easy WP SMTP and Theme My Login plugins are installed on the site:
Next, we can scan the installed plugins for known security vulnerabilities with the following command:
wpscan --url https://www.xxxxx.wiki/ --enumerate vp
Result:
6: Theme vulnerability scanning
Enumerate the themes with the following command:
wpscan --url https://www.xxxxx.wiki --enumerate t
A theme was found:
Scan the themes for vulnerabilities with the following command:
wpscan --url https://www.xxxxxx.wiki --enumerate vt
7: TimThumb file vulnerability scanning
wpscan -u https://www.xxxxxx.wiki/ --enumerate tt
4: WordPress protection measures
1: Protection against password brute-forcing
If you want to avoid having your WordPress users enumerated, don't use the login username as the display nickname, and don't use usernames that are already publicly known. The best approach is to choose a username made of random words.
WPScan obtains the username by scanning URLs, so if the username never appears there, WPScan won't find it.
The best way to prevent brute-force cracking is to limit the number of login attempts allowed from one IP address. Many WordPress plugins implement this, for example one called Brute Force Login Protection (of course, you can also write your own script to keep your password from being brute-forced).
2: How to prevent scanning of plugins, themes and TimThumb files
Using the Block Bad Queries (BBQ) plugin, you can block and prohibit such scans.
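As an added example (not code from the original post or from the WPScan project), the following Python script runs over constructed access-log lines and flags the behaviours the WPScan steps above produce on the server side: the default WPScan User-Agent, author-ID and REST user enumeration, plugin/theme/TimThumb file probing, and a burst of wp-login.php POSTs from one IP, which is the per-IP count that the login-limit advice in section 4 relies on. All IP addresses, paths and the "WPScan vX.Y" User-Agent string are constructed placeholders; the check also shows why the User-Agent alone is not enough, since --random-agent or --user-agent hides it while the request pattern does not change.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (sample data, not from the original post).
# 203.0.113.7 behaves like the WPScan run in the post; 198.51.100.4 is an ordinary visitor.
UA_SCAN = "WPScan vX.Y (https://wpscan.com/wordpress-security-scanner)"  # vX.Y is a placeholder
UA_NORMAL = "Mozilla/5.0"                      # what --random-agent / --user-agent would show

def _line(ip, sec, method, path, status, ua):
    return f'{ip} - - [10/Oct/2023:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.7", 1, "GET", "/?author=1", 301, UA_SCAN),                # -e u: author IDs
    _line("203.0.113.7", 2, "GET", "/?author=2", 301, UA_SCAN),
    _line("203.0.113.7", 3, "GET", "/wp-json/wp/v2/users", 200, UA_NORMAL),    # -e u: REST API
    _line("203.0.113.7", 4, "GET", "/wp-content/plugins/easy-wp-smtp/readme.txt", 200, UA_NORMAL),  # -e p
    _line("203.0.113.7", 5, "GET", "/wp-content/themes/example-theme/timthumb.php", 404, UA_NORMAL), # -e tt
] + [_line("203.0.113.7", 10 + i, "POST", "/wp-login.php", 200, UA_NORMAL) for i in range(8)] + [
    _line("198.51.100.4", 30, "GET", "/2023/10/hello-world/", 200, UA_NORMAL),
    _line("198.51.100.4", 31, "POST", "/wp-login.php", 302, UA_NORMAL),        # one normal login
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PROBE_RE = re.compile(r"^/wp-content/(plugins|themes)/[^/]+/(readme\.txt|timthumb\.php)")

def analyze(lines, login_limit=5):
    # Returns {ip: set of findings} for IPs showing the WPScan behaviours described in the post.
    per_ip = defaultdict(lambda: {"ua": False, "authors": set(), "rest": False, "logins": 0, "probes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m: continue                             # skip lines that are not combined-format
        s, path = per_ip[m["ip"]], m["path"]
        s["ua"] |= "wpscan" in m["ua"].lower()         # default UA; evadable with -r / -a
        a = re.search(r"[?&]author=(\d+)", path)
        if a:
            s["authors"].add(int(a.group(1)))
        s["rest"] |= path.startswith("/wp-json/wp/v2/users")
        if m["method"] == "POST" and path.split("?")[0] in ("/wp-login.php", "/xmlrpc.php"):
            s["logins"] += 1                           # the per-IP count a login limiter acts on
        s["probes"] += bool(PROBE_RE.match(path))
    findings = {}
    for ip, s in per_ip.items():
        f = set()
        if s["ua"]:                             f.add("scanner user-agent")
        if len(s["authors"]) >= 2 or s["rest"]: f.add("user enumeration")
        if s["logins"] > login_limit:           f.add("login brute force")
        if s["probes"] >= 2:                    f.add("plugin/theme/timthumb enumeration")
        if f:
            findings[ip] = f
    return findings
```

Feed it real log lines (for example `analyze(open("access.log"))`) and the flagged IPs are the ones a per-IP login limiter or a block rule such as the BBQ plugin should act on.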