How to use WPScan to easily find your wordpress site vulnerabilities

29/12/2020
Uncategorized
More than 35% of the internet runs on WordPress. WordPress accounts for more than 60% of the global CMS market, with more than 10 million websites built already. Making a website and deploying it with WordPress is so easy and inexpensive that WordPress is widely used. With the growth of the WordPress market, its security is also a big concern. More than 8% of internet vulnerabilities are found in WordPress websites, making them an attractive target for hackers. There are numerous WordPress vulnerability scanners on the market, like WordPress Security Scan, SUCURI and Detectify, but WPScan is the scanner to use for checking your WordPress websites for vulnerable themes, plugins and security misconfigurations.

WPScan is an all-in-one tool for scanning for vulnerabilities in websites built on WordPress. It can be used to enumerate WordPress plugins and themes, brute-force logins and identify security misconfigurations. Currently, it is available only for Linux (Debian, Fedora, Arch, CentOS) and macOS, not for Windows; you can use Windows Subsystem for Linux (WSL) to install WPScan on Windows. In this tutorial, we'll look at how to install and use WPScan to find security loopholes in your website.

Installation

WPScan comes pre-installed in Kali Linux. For other distros, installing WPScan is very easy, according to the official documentation. Type

# To install prerequisites
ubuntu@ubuntu:~$ sudo apt install patch build-essential zlib1g-dev liblzma-dev ruby-dev
ubuntu@ubuntu:~$ gem install nokogiri
Then
ubuntu@ubuntu:~$ gem install wpscan
OR
ubuntu@ubuntu:~$ git clone https://github.com/wpscanteam/wpscan
ubuntu@ubuntu:~$ cd wpscan/
ubuntu@ubuntu:~/wpscan$ bundle install && rake install

To update the installed WPScan to the latest version, type

ubuntu@ubuntu:~$ wpscan --update

OR

azad@kali:~$ gem update wpscan

OR in Kali Linux

azad@kali:~$ sudo apt update && sudo apt upgrade

Usage

Now we'll learn how to perform a quick scan of your WordPress website, themes and plugins. WPScan will scan your website with multiple scan options and show the vulnerabilities and their details on the terminal. WPScan will also tell you a lot about your WordPress installation, including the versions of the themes and plugins installed. It can also enumerate registered usernames and brute-force them to find passwords.

To perform a scan of your website, type

azad@kali:~$ wpscan --url http://www.redacted.com --rua

[+] URL: http://www.redacted.com/
[+] Started: Fri Oct 18 20:58:54 2019

Interesting Finding(s):

[+] http://www.redacted.com/
| Interesting Entry: Server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://www.redacted.com/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
|  - Link Tag (Passive Detection), 30% confidence
|  - Direct Access (Aggressive Detection), 100% confidence
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://www.redacted.com/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://www.redacted.com/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://www.redacted.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 2.7.1 identified (Insecure, released on 2009-02-10).
| Detected By: Unique Fingerprinting (Aggressive Detection)
|  - http://www.redacted.com/wp-admin/js/common.js md5sum is 4f0f9bdbe437f850430fae694ca046ba

[+] WordPress theme in use: sliding-door
| Location: http://www.redacted.com/wp-content/themes/sliding-door/
| Last Updated: 2016-01-02T00:00:00.000Z
| Readme: http://www.redacted.com/wp-content/themes/sliding-door/README.txt
| [!] The version is out of date, the latest version is 3.2.4
| Style URL: http://www.redacted.com/wp-content/themes/sliding-door/style.css
| Style Name: Sliding Door
| Style URI: http://mac-host.com/slidingdoor/
| Description: A template featuring sliding images in the menu, based on Samuel Birch's phatfusion image menu...
| Author: Wayne Connor
| Author URI: http://www.macintoshhowto.com/
|
| Detected By: Css Style (Passive Detection)
| Confirmed By: Urls In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Detected By: Style (Passive Detection)
|  - http://www.redacted.com/wp-content/themes/sliding-door/style.css, Match: 'Version: 1.5'

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
| Location: http://www.redacted.com/wp-content/plugins/all-in-one-seo-pack/
| Latest Version: 3.2.10
| Last Updated: 2019-10-17T15:07:00.000Z
|
| Detected By: Comment (Passive Detection)
|
| The version could not be determined.

[+] google-analyticator
| Location: http://www.redacted.com/wp-content/plugins/google-analyticator/
| Last Updated: 2019-03-04T22:57:00.000Z
| [!] The version is out of date, the latest version is 6.5.4
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 4.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/google-analyticator/readme.txt

[+] nextgen-gallery
| Location: http://www.redacted.com/wp-content/plugins/nextgen-gallery/
| Latest Version: 3.2.18
| Last Updated: 2019-09-18T16:02:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.

[+] qtranslate
| Location: http://www.redacted.com/wp-content/plugins/qtranslate/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.3.4 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/qtranslate/readme.txt

[+] wp-spamfree
| Location: http://www.redacted.com/wp-content/plugins/wp-spamfree/
| Last Updated: 2016-09-23T05:22:00.000Z
| [!] The version is out of date, the latest version is 2.1.1.6
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 2.1 (60% confidence)
| Detected By: Comment (Passive Detection)
|  - http://www.redacted.com/, Match: 'WP-SpamFree v2.1'

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at
https://wpvulndb.com/users/sign_up.

[+] Finished: Fri Oct 18 21:02:01 2019
[+] Requests Done: 89
[+] Cached Requests: 8
[+] Data Sent: 45.16 KB
[+] Data Received: 288.769 KB
[+] Memory used: 133.965 MB
[+] Elapsed time: 00:03:07

To check for vulnerable plugins

To check for vulnerable plugins, add the option '--enumerate vp' to your command. WPScan will show all the plugins used by your WordPress website, highlighting the vulnerable ones along with other details. Type the following

# --rua or --random-user-agent selects a random user agent for the scan
# To list all plugins, use 'ap' instead of 'vp'
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate vp -o output-plugins.txt

To check for vulnerable Themes

To check for vulnerable themes, add the option '--enumerate vt' to your terminal command. WPScan will show you the vulnerabilities in your theme. Type the following

# To list all themes, use 'at' instead of 'vt'
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate vt

To enumerate users in WordPress site

When the registered usernames of a website are known, it becomes easier for hackers to brute-force their passwords and compromise the accounts. After compromising an admin or privileged account, it becomes much easier to take over the whole WordPress website. That's why you should always disable username enumeration in your WordPress configuration.

WPScan can also enumerate the registered users of your WordPress installation. Type the following to enumerate users using WPScan

# Using a custom dictionary
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate U /path/to/user-dictionary.txt
# Using the default dictionary
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate u
...snip...
[i] User(s) Identified:
[+] Shani
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] InterSkill
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
...snip...
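Both the full scan report shown under Usage and the user list just shown can be triaged automatically once saved with '-o'. The script below is an added example, not part of the original tutorial or of WPScan itself: it reads a report in the text format shown above and lists the outdated components, the exposed files and directories, and the enumerated users; the report it parses is a constructed sample, and www.example.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example: triage a WPScan text report saved with "-o report.txt".
# Not part of the original tutorial; the sample report is constructed to mirror
# the format shown in this article (plain "[+]", "[!]", "[i]" markers).

# Constructed sample report (trimmed to the record types the parser reads).
SAMPLE_REPORT='[+] WordPress version 2.7.1 identified (Insecure, released on 2009-02-10).
[+] Upload directory has listing enabled: http://www.example.invalid/wp-content/uploads/
[+] http://www.example.invalid/readme.html
[+] http://www.example.invalid/xmlrpc.php
[+] WordPress theme in use: sliding-door
| [!] The version is out of date, the latest version is 3.2.4
[+] google-analyticator
| [!] The version is out of date, the latest version is 6.5.4
[+] nextgen-gallery
| The version could not be determined.
[+] wp-spamfree
| [!] The version is out of date, the latest version is 2.1.1.6
[i] User(s) Identified:
[+] Shani
| Detected By: Rss Generator (Passive Detection)
[+] InterSkill
'

# Remove terminal colour codes so a report captured from a colour terminal parses the same.
strip_ansi() { sed "s/$(printf '\033')\[[0-9;]*m//g"; }

# Read a report on stdin; print one "CATEGORY detail" line per actionable finding.
triage_report() {
  strip_ansi | awk '
    /^\[\+\] / { comp = substr($0, 5); sub(/^WordPress theme in use: /, "", comp)
                 if (users) print "USER " comp }
    /User\(s\) Identified/             { users = 1 }   # every [+] after this is a username
    /identified \(Insecure/            { print "CORE-INSECURE " $4 }
    /has listing enabled/              { print "MISCONFIG directory-listing" }
    /\/readme\.html$/                  { print "MISCONFIG readme-exposed" }
    /\/xmlrpc\.php$/                   { print "MISCONFIG xmlrpc-enabled" }
    /\[!\] The version is out of date/ { print "OUTDATED " comp }
    /version could not be determined/  { print "UNKNOWN-VERSION " comp }
  '
}

# Count findings of one category, e.g.: count_category OUTDATED < report.txt
count_category() { triage_report | grep -c "^$1 "; }

# Demo on the constructed sample; for a real scan use: triage_report < output-plugins.txt
printf '%s' "$SAMPLE_REPORT" | triage_report
```

Components reported as UNKNOWN-VERSION still need a manual check, since WPScan could not confirm whether they are current.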

Brute forcing passwords using WPScan

After getting usernames from the step above, you can guess the passwords of these users by brute-forcing. Using this method, you can see which users of your website have weak passwords.

WPScan needs a list of users and a dictionary of commonly used passwords. It then tries every combination of username and password, looking for successful logins. You can download password dictionaries from GitHub repositories, but in this tutorial we're going to use the "rockyou.txt" dictionary, which is located by default in Kali Linux in the "/usr/share/wordlists" directory.

To download the dictionaries in your distro, type

ubuntu@ubuntu:~$ sudo apt install wordlists
ubuntu@ubuntu:~$ ls /usr/share/wordlists/
rockyou.txt.gz
ubuntu@ubuntu:~$ sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
ubuntu@ubuntu:~$ ls -la /usr/share/wordlists/rockyou.txt
-rw-r--r-- 1 root root 139921507 Jul 17 02:59 /usr/share/wordlists/rockyou.txt

To run a brute-force scan on the website, type

azad@kali:~$ wpscan --url http://www.redacted.com --rua -P /usr/share/wordlists/rockyou.txt -U 'Shani','InterSkill'

Conclusion

WPScan is a fantastic tool to add to your security toolbox. It is a free, powerful and easy-to-use utility for discovering security vulnerabilities and misconfigurations. Anyone with no technical security knowledge can easily install and use it to improve the security of their website.
