Complete WPScan usage tutorial: recording a WordPress penetration test process

A total rookie, a newbie who can only coast along and cheer "666"

Personal blog: http://www.cnblogs.com/miraitowa/

This post simply records my own WPScan penetration test case, as well as some ways of using WPScan. I hope you can correct me (Orz)

1: What is WPScan

WPScan is a black-box scanner for WordPress vulnerabilities. It lets web developers scan their WordPress sites for vulnerabilities and find and fix problems before they grow.

We also used Nikto, which is a great web server assessment tool. We think this tool should be part of every penetration test of a WordPress website.

As one of the three major site-building platforms, WordPress has a huge number of users all over the world, which also leads white hats to track WordPress security vulnerabilities. Many vulnerabilities have been found since WordPress was born. WordPress can also be extended with plug-ins and themes, so once it became difficult to find security problems in WordPress itself, security researchers began to study the security of its plug-ins and themes, and to penetrate WordPress sites through plug-in and theme vulnerabilities. WPScan came into being to collect the various WordPress vulnerabilities and form a dedicated WordPress scanner.

The scanner can obtain the site's user names, list all installed plug-ins and themes, point out the vulnerable plug-ins and themes and provide the vulnerability information. It can also brute-force user names and passwords on unprotected WordPress sites.

WPScan has been preinstalled on the following Linux systems:

1: BackBox Linux

2: Kali Linux

3: Pentoo

4: SamuraiWTF


2: Preparatory knowledge for installing and using WPScan

WPScan does not support Windows, so the latest version of WPScan is installed on Linux or macOS:

Install on Ubuntu

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

Installing on Debian

sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev

Install on Fedora

sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build

Installing on Arch Linux

pacman -Syu ruby
pacman -Syu libyaml

Installing on macOS

Apple Xcode, the Xcode command line tools and libffi (needed to install the FFI gem) are required; see the WPScan installation guide for the specific steps.

Common parameter options:

--update  Update to the latest version

--url | -u <target url>  Scan the WordPress site at this URL

--force | -f  Do not check whether the website is running WordPress

--enumerate | -e [option(s)]  Enumeration; the enumeration options are:

u  Enumerate user names (user IDs 1-10 by default)

u[10-20]  Enumerate user names with user IDs from 10 to 20

p  Enumerate plug-ins

vp  Enumerate only vulnerable plug-ins

ap  Enumerate all plug-ins (takes a long time)

tt  Enumerate TimThumb files

t  Enumerate themes

vt  Enumerate only vulnerable themes

at  Enumerate all themes (takes a long time)

Several enumeration options can be given at once, for example: "-e tt,p"

If no option is given, the default is: "vt,tt,u,vp"

--exclude-content-based "<regexp or string>"  When using the enumeration options, filter the results with this regular expression or string. The regex delimiters can be omitted, but wrap the value in single or double quotation marks

--config-file | -c <config file>  Use the specified configuration file

--user-agent | -a <User-Agent>  Specify the User-Agent

--cookie <String>  Specify the cookie

--random-agent | -r  Use a random User-Agent

--follow-redirection  If the target redirects, follow the redirect directly

--batch  Use the default behaviour without user interaction

--no-color  Do not use coloured output

--wp-content-dir <wp content dir>  WPScan detects the wp-content directory itself; this option specifies it manually

--wp-plugins-dir <wp plugins dir>  Specify the WordPress plug-in directory (default: wp-content/plugins)

--proxy <[protocol://]host:port>  Set a proxy; HTTP, SOCKS4, SOCKS4A and SOCKS5 are supported. If no protocol is given, HTTP is used

--proxy-auth <username:password>  Set the proxy login credentials

--basic-auth <username:password>  Set the HTTP basic authentication credentials

--wordlist | -w <wordlist>  Specify the password dictionary

--username | -U <username>  Specify the user name to test

--usernames <path-to-file>  Specify a user name dictionary file

--threads | -t <number of threads>  Number of threads

--cache-ttl <cache-ttl>  Set the cache TTL

--request-timeout <request-timeout>  Request timeout

--connect-timeout <connect-timeout>  Connection timeout

--max-threads <max-threads>  Maximum number of threads

--throttle <milliseconds>  When the number of threads is 1, the interval between two requests

--help | -h  Print the help

--verbose | -v  Verbose output

--version  Print the current version

3: Site penetration test demonstration

Environment preparation

Kali Linux

Debian 9

WPScan (installed on Linux)

Penetration process

1: Install WPScan and update the vulnerability database

You can use the following command to install WPScan on your device

git clone https://github.com/wpscanteam/wpscan.git

To update the vulnerability database, use the command: wpscan --update

2: Scan WordPress for vulnerabilities

Next, use the following command to scan a website for possible vulnerabilities:

wpscan --url [wordpress url]

Here I directly use a site belonging to someone I don't know as the example (it's my friend's, hhh)

wpscan --url https://www.xxxxx.wiki/

3: Scan WordPress users

We can enumerate its users:

wpscan --url https://www.xxxxxxx.wiki/ --enumerate u

User information obtained:

4: Brute-force the password

Before brute forcing, we need to prepare the corresponding dictionary file

wpscan --url https://www.xxxxx.wiki/ -e u --wordlist /root/desktop/password.txt

The result is as follows:

5: Scan plug-in vulnerabilities

Plug-ins extend the functionality of a WordPress site, but many plug-ins have security vulnerabilities, which also gives attackers an opening.

We can scan the plug-ins installed in the WordPress site using the following command:

wpscan -u https://www.xxxxx.wiki/ --enumerate p

We can see that the Easy WP SMTP and Theme My Login plug-ins are installed on the website:

Next, we can use the following command to scan for security vulnerabilities in the target plug-in:

wpscan --url https://www.xxxxx.wiki/ --enumerate vp

Result:

6: Theme vulnerability scanning

Scan the themes using the following command:

wpscan --url https://www.xxxxx.wiki --enumerate t

Found a theme:

Scan for vulnerabilities in the themes using the following command:

wpscan --url https://www.xxxxxx.wiki --enumerate vt

7: TimThumb file vulnerability scanning

wpscan -u https://www.xxxxxx.wiki/ --enumerate tt

4: WordPress protection measures

1: Protective measures against password brute-forcing

If you want to avoid your WordPress users being enumerated, don't use your user name as the display nickname, and don't use a user name that is already publicly known. The best choice is a user name that contains random words.

WPScan obtains user names by scanning URLs, so a user name that is not exposed this way will not be found by WPScan.

The best way to prevent brute-force cracking is to limit the number of login attempts per IP address. Many WordPress plug-ins implement this, for example the plug-in called Brute Force Login Protection (of course, you can also write your own script to keep your password from being brute-forced).
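A minimal version of the per-IP limit the paragraph describes, as an added example in Python (it is not the blog post's own script and not the plug-in's code): failed logins from one address are tracked in a sliding window, and once the threshold is reached the address is locked out for a fixed period, so a dictionary run like the one in section 3 stalls after a handful of guesses. The IP addresses, thresholds and timings are constructed for the example; in a real deployment the limiter would sit in front of wp-login.php and use the client address from the request.

```python
"""Per-IP login attempt limiter: N failures within a window lock the address out."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures      # failures allowed inside the window
        self.window = window                  # seconds over which failures are counted
        self.lockout = lockout                # seconds an address stays locked
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lock expires

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]        # lock expired, forget it
            return False
        return True

    def record(self, ip, success, now):
        """Record one login attempt from `ip` at time `now` (seconds).

        Returns 'locked' if the address is locked out (the credentials are not
        even evaluated), 'ok' on a successful login, 'fail' on a failed one.
        """
        if self.is_locked(ip, now):
            return "locked"
        if success:
            self._failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
            return "locked"
        return "fail"


def simulate():
    """Walk through a constructed guessing burst and return the limiter's verdicts."""
    lim = LoginLimiter(max_failures=3, window=60, lockout=120)
    attacker, other = "203.0.113.5", "198.51.100.7"   # constructed addresses
    out = [lim.record(attacker, False, t) for t in (0, 10, 20)]  # fail, fail, locked
    out.append(lim.record(attacker, True, 30))    # locked: even a correct guess is refused
    out.append(lim.record(other, True, 30))       # another address is unaffected
    out.append(lim.record(attacker, True, 200))   # lock expired at t=140, login allowed
    return out


if __name__ == "__main__":
    print(simulate())
```

The important property is the fourth verdict: while the lock is active a correct password is refused too, which is what stops a dictionary attack from succeeding on its lucky guess. Pair this with the user-name advice above, since an attacker who cannot enumerate user names has to guess both halves of the credential.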

2: How to prevent scanning of plug-ins, themes and TimThumb files

Using the Block Bad Queries (BBQ) plug-in, you can block and refuse such scans.
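The countermeasures in this section (hiding user names, limiting login attempts, blocking plug-in, theme and TimThumb scans) all correspond to traffic that shows up in the web server access log, so a defender can also recognise a WPScan run after the fact. The Python script below is an added example, not code from the blog post or from the WPScan project: it parses constructed Apache/nginx combined-format log lines and flags, per source IP, the patterns the scan steps in section 3 produce: a user-agent containing "wpscan", a sweep of ?author=N IDs, a burst of POSTs to wp-login.php, repeated 404s under wp-content/plugins and wp-content/themes, and requests for timthumb.php. The log lines, IP addresses, user-agent value and thresholds are all constructed for the example. Since --random-agent (section 2) replaces the scanner's user-agent, the behavioural rules are the ones worth relying on.

```python
"""Flag WPScan-style enumeration and brute-force activity in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Thresholds are assumptions for the example; tune them to your own traffic.
AUTHOR_IDS = 3                          # distinct ?author=N values from one IP
LOGIN_POSTS = 10                        # POSTs to wp-login.php from one IP ...
LOGIN_WINDOW = timedelta(seconds=60)    # ... within this window
PROBE_PATHS = 5                         # distinct 404s under plugins/ or themes/


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return {ip: sorted list of findings} for the given log lines."""
    authors, logins, probes = defaultdict(set), defaultdict(list), defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, url = rec["ip"], urlsplit(rec["target"])
        path, query = url.path, parse_qs(url.query)
        if "wpscan" in rec["ua"].lower():
            findings[ip].add("wpscan user-agent")
        if "author" in query:                       # ?author=N user-name enumeration
            authors[ip].update(query["author"])
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            logins[ip].append(rec["ts"])
        if rec["status"] == 404 and path.startswith(("/wp-content/plugins/", "/wp-content/themes/")):
            probes[ip].add(path)                    # guessing installed plug-ins/themes
        if path.endswith("timthumb.php"):
            findings[ip].add("timthumb probe")
    for ip, ids in authors.items():
        if len(ids) >= AUTHOR_IDS:
            findings[ip].add("author id enumeration")
    for ip, stamps in logins.items():
        stamps.sort()
        # sliding window: LOGIN_POSTS attempts inside LOGIN_WINDOW is a brute force
        for i in range(len(stamps) - LOGIN_POSTS + 1):
            if stamps[i + LOGIN_POSTS - 1] - stamps[i] <= LOGIN_WINDOW:
                findings[ip].add("login brute force")
                break
    for ip, paths in probes.items():
        if len(paths) >= PROBE_PATHS:
            findings[ip].add("plugin/theme probing")
    return {ip: sorted(f) for ip, f in findings.items()}


def make_line(ip, sec, method, target, status, ua):
    """Build one constructed combined-format log line `sec` seconds into the sample."""
    ts = (datetime(2021, 10, 26, 11, 0, 0) + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} -0400] "{method} {target} HTTP/1.1" {status} 0 "-" "{ua}"'


# Constructed sample: one scanner-like client, one password-guessing client, one normal visitor.
SCANNER_UA = "WPScan/constructed-example"   # placeholder, not the real default user-agent string
BROWSER_UA = "Mozilla/5.0 (constructed)"
SAMPLE_LOG = (
    [make_line("203.0.113.5", i, "GET", f"/?author={i + 1}", 301, SCANNER_UA) for i in range(5)]
    + [make_line("203.0.113.5", 10 + i, "GET", f"/wp-content/plugins/plugin{i}/readme.txt", 404, SCANNER_UA)
       for i in range(6)]
    + [make_line("203.0.113.5", 20, "GET", "/wp-content/themes/sometheme/timthumb.php", 404, SCANNER_UA)]
    + [make_line("198.51.100.7", 30 + 2 * i, "POST", "/wp-login.php", 200, BROWSER_UA) for i in range(12)]
    + [make_line("192.0.2.9", 100, "GET", "/", 200, BROWSER_UA),
       make_line("192.0.2.9", 101, "POST", "/wp-login.php", 302, BROWSER_UA)]
)

if __name__ == "__main__":
    for ip, flags in detect(SAMPLE_LOG).items():
        print(ip, flags)
```

Run on a real log with `detect(open("access.log"))`; the single normal visitor in the sample produces no finding, which is the property to preserve when tuning the thresholds. Findings of this kind are also what a blocking plug-in such as BBQ acts on in real time, so the script doubles as a way to check that such a plug-in is actually stopping the probes.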

Tags: Web Security

Posted on Tue, 26 Oct 2021 11:59:00 -0400 by oliverj777